CAO Studio Terms of Use

Last updated: 2026-05-23
Provider: AgiliX Agile Development Consulting BV
Trading name: CAO Studio / Creating Agile Organizations
Registered address: Jacques Urlusstraat 54, 7558 JT Hengelo, The Netherlands
Company registration number: 51533901
VAT number: 8500.7246.3B01
Contact email: info@creatingagileorganizations.com
Website: www.creatingagileorganizations.com

These Terms of Use govern access to and use of CAO Studio, including the CAO Brain, CAO Guide, workshops, assessments, recommendations, generated reports, self-checks, and related services.

By creating an account, accessing CAO Studio, using a trial, redeeming an access code, or using the Service in any way, you agree to these Terms.

If you use CAO Studio on behalf of an organization, you confirm that you are authorized to accept these Terms on behalf of that organization.

1. Definitions

In these Terms:

“CAO Studio”, “Platform”, or “Service” means the online software platform provided by us for strategy-to-organization design work, including workshops, diagnostics, recommendations, reports, AI-supported guidance, engagement workspaces, and related services.

“CAO Brain” means the AI-supported knowledge functionality inside CAO Studio that uses Creating Agile Organizations content, platform data, user inputs, and approved knowledge sources to support guidance, recommendations, summaries, and reports.

“CAO Guide” means the in-app guidance assistant that helps Users understand how to use CAO Studio, which workflows to use, how to interpret outputs, and what next steps to take inside the Platform.

“Customer” means the person or organization that subscribes to, purchases, trials, or otherwise uses CAO Studio.

“User” means any individual who accesses CAO Studio through an account, invitation, self-check code, trial, Customer workspace, or other authorized access method.

“Customer Content” means all data, documents, notes, workshop inputs, assessment findings, uploaded materials, prompts, questions, reports, recommendations, design options, engagement data, and other content submitted to or generated through CAO Studio by or on behalf of the Customer or User.

“AI Output” means content generated by AI-supported functionality, including summaries, recommendations, reports, explanations, classifications, design implications, guidance, and suggested next steps.

“Self-Check” means a limited-access experience, such as a Strategic Focus or Star Model self-check, made available through a one-time access code or other restricted access mechanism.

“LLM Service Provider” means the external large-language-model (LLM) service provider that CAO Studio uses to provide AI-supported functionality inside the application. The identity of the current LLM Service Provider is published on the Subprocessors / LLM Providers page (/subprocessors) and may change over time; the responsibilities described in these Terms apply to whichever provider is current at the time.

“DPA” means the Data Processing Agreement or Data Processing Addendum that applies when CAO Studio processes personal data on behalf of a Customer.

2. About CAO Studio

CAO Studio is a strategy-to-organization design platform.

It helps Customers and Users connect strategic intent, capability development, organizational structure, governance, roles, workshops, assessments, recommendations, and reports.

CAO Studio may include, among other things:

• Strategic Focus workshops;
• Star Model workshops;
• Portfolio Framework workshops;
• Strategy Capability Map functionality;
• Functional Coupling workshops;
• Task Interdependencies workshops;
• Grouping DSM workshops;
• Heat Maps;
• Product Definition workshops;
• Functional Analysis;
• Go See Assessments;
• Recommendations;
• Design Options;
• generated reports;
• Documents and Notes;
• CAO Guide;
• CAO Brain;
• limited self-checks;
• audit functionality;
• AI safety alerts.

CAO Studio is a decision-support tool. It supports professional judgment but does not replace it.

CAO Studio does not provide legal, tax, financial, medical, employment-law, compliance, or regulated HR advice.

The Customer remains responsible for leadership decisions, organization design decisions, HR decisions, change decisions, implementation decisions, and use of outputs.

3. Who may use CAO Studio

You may use CAO Studio only if:

• you are at least 18 years old;
• you are legally able to enter into these Terms;
• you use CAO Studio for lawful business, educational, advisory, or organizational purposes;
• you comply with these Terms and applicable laws.

If you use CAO Studio on behalf of an organization, that organization is the Customer and is responsible for all use by its Users.

4. Accounts and access

To use CAO Studio, you may need an account, invitation, trial, paid plan, internal access, full access, or self-check access code.

You are responsible for:

• keeping login credentials secure;
• ensuring that account information is accurate;
• ensuring that Users under your account comply with these Terms;
• managing access rights for your organization;
• promptly removing Users who should no longer have access;
• all activity under your account, except where caused by our breach of these Terms.

You must notify us promptly if you suspect unauthorized access, credential compromise, or misuse of your account.

We may require additional authentication, verification, or security steps where appropriate.

5. Plans, trials, internal access, and self-check codes

CAO Studio may offer different access levels, including:

• Free Trial;
• Internal;
• Full Access;
• paid plans;
• beta access;
• limited self-check access;
• promotional or one-time access codes.

Plan features, limits, and prices may vary.

A self-check access code may provide access only to specific functionality, such as:

• the Strategic Focus workshop and CAO Guide;
• the Star Model workshop and CAO Guide.

Self-check codes may be single-use, time-limited, associated with a named person, and restricted to a specific workshop.

Users accessing CAO Studio through a self-check code do not receive access to the full Platform unless separately authorized.

We may change, limit, or withdraw free trials, beta access, promotional access, or self-check access at any time, provided this does not remove rights already paid for under an active agreement unless permitted by that agreement.

6. Acceptable use

You must use CAO Studio responsibly and lawfully.

You must not:

• violate applicable law or third-party rights;
• upload unlawful, discriminatory, defamatory, misleading, harmful, or infringing content;
• upload malware, malicious files, or unsafe content;
• attempt to disrupt, overload, scan, scrape, reverse engineer, or compromise the Service;
• bypass access controls, plan limits, self-check restrictions, or security controls;
• access another user’s account, workspace, engagement, audit data, or Customer Content without authorization;
• share access codes in a misleading, unauthorized, or abusive way;
• use CAO Studio to create a competing product, model, knowledge base, or methodology without permission;
• use CAO Studio to make fully automated decisions about individuals with legal or similarly significant effects without appropriate human review, lawful basis, and safeguards;
• enter unnecessary sensitive personal data;
• attempt prompt injection, jailbreaks, system-prompt extraction, or manipulation of AI safety controls;
• use CAO Studio to generate or support unlawful, discriminatory, harmful, or deceptive outputs.

We may suspend, restrict, or terminate access if we reasonably believe that CAO Studio is being misused, security controls are being bypassed, or Customer Content creates legal, operational, or security risk.

7. Sensitive and personal data

CAO Studio is intended for organization design, strategy, capability, workshop, assessment, and engagement data.

Users should apply data minimization.

You should not enter highly sensitive personal data unless it is necessary, lawful, proportionate, and covered by appropriate safeguards.

Examples of information that should generally not be entered unless strictly necessary include:

• health data;
• political opinions;
• religious or philosophical beliefs;
• trade union membership;
• genetic or biometric data;
• criminal offence data;
• national identification numbers;
• private employee disciplinary files;
• confidential HR case files;
• personal performance records not needed for organization design work;
• special-category personal data under GDPR.

The Customer is responsible for ensuring that any personal data entered into CAO Studio is processed lawfully and transparently.

8. Customer Content

The Customer retains ownership of Customer Content.

You grant us a limited right to host, store, process, transmit, analyze, display, secure, and generate outputs from Customer Content as necessary to:

• provide CAO Studio;
• operate the CAO Brain and CAO Guide;
• generate reports, summaries, recommendations, and design options;
• provide support;
• maintain security;
• troubleshoot issues;
• comply with legal obligations;
• enforce these Terms;
• improve the Service where permitted by applicable law and contract.

We do not sell Customer Content.

We will not use Customer Content to train third-party foundation models unless explicitly agreed or enabled by the Customer.

Generated outputs are made available to the Customer for use in its internal organization design, advisory, consulting, leadership, or transformation work, subject to these Terms and any plan restrictions.

9. AI-supported functionality and use of LLM Service Provider

CAO Studio includes AI-supported functionality, including the CAO Brain and CAO Guide.

These features may use LLM Service Provider technology, including LLM Service Provider services, to generate summaries, guidance, recommendations, reports, and other outputs.

When a User uses AI-supported functionality, relevant Customer Content may be sent to LLM Service Provider for processing. Depending on the feature, this may include:

• user prompts and questions;
• workshop inputs;
• uploaded documents or excerpts;
• notes;
• assessment findings;
• engagement context;
• report-generation context;
• prior outputs;
• audit and safety metadata where relevant.

LLM Service Provider processes this information to provide AI functionality used by CAO Studio.

Where LLM Service Provider processes personal data on behalf of CAO Studio or the Customer, LLM Service Provider acts as an AI service provider or subprocessor.

CAO Studio is configured so that Customer Content sent to LLM Service Provider through business/API functionality is not used to train LLM Service Provider models by default, unless an explicit opt-in or separate agreement applies.

AI Outputs may be incomplete, inaccurate, outdated, biased, or unsuitable for a specific context.

You are responsible for:

• reviewing AI Outputs;
• validating outputs before relying on them;
• applying professional judgment;
• ensuring that decisions remain human-led;
• ensuring that use of AI Outputs is lawful and appropriate.

CAO Studio does not make organization design decisions for you.

10. CAO Brain and CAO Guide limitations

The CAO Brain and CAO Guide are designed to support use of CAO Studio and the Creating Agile Organizations approach.

The CAO Guide is not a generic chatbot.

It is intended to help Users understand:

• which CAO Studio workflow to use;
• which workshop may fit a situation;
• how to use reports;
• how to interpret platform outputs;
• how to follow the CAO loop;
• how to turn evidence into recommendations;
• what next step to take inside CAO Studio.

The CAO Brain and CAO Guide may not always provide correct or complete guidance.

They should not be used as a substitute for:

• legal advice;
• employment law advice;
• financial advice;
• tax advice;
• regulated HR advice;
• medical advice;
• compliance advice;
• final executive decision-making.

11. AI safety and prompt-injection protection

CAO Studio includes safeguards designed to reduce misuse of AI-supported functionality.

These safeguards may include:

• prompt-injection detection;
• AI safety alerts;
• audit logging;
• access restrictions;
• review workflows;
• temporary blocking of CAO Guide access after repeated suspicious attempts;
• administrator review and unblock functionality;
• input and output validation;
• restrictions on access to unauthorized data.

Users must not attempt to manipulate CAO Studio, CAO Brain, CAO Guide, the LLM Service Provider's models, or related AI systems to:

• ignore system instructions;
• reveal hidden prompts;
• reveal internal configuration;
• expose confidential information;
• bypass access restrictions;
• retrieve another user’s data;
• override CAO Brain grounding;
• generate unauthorized outputs;
• disable security protections.

Repeated attempts to bypass AI safety controls may result in restricted access, suspension, or termination.

We may log and review AI safety events to protect the Service, Customers, Users, and Customer Content.

Where AI safety logs contain personal data, they are handled according to our Privacy Notice, DPA, and applicable data protection law.

12. Fraud, misuse, and restricted access

If suspicious, abusive, fraudulent, or unsafe behavior is detected, we may restrict or suspend access to all or part of CAO Studio.

For example, repeated prompt-injection attempts through the CAO Guide may result in the CAO Guide being blocked for the relevant User.

Where the Platform supports administrator review, an authorized administrator may review safety alerts and unblock access where appropriate.

We may retain security and audit records after a block, suspension, or unblock action for accountability, security, fraud prevention, and compliance purposes.

13. Confidentiality

Each party may receive confidential information from the other.

Confidential information includes non-public business, technical, organizational, strategic, commercial, customer, security, and platform information.

Customer Content is confidential information of the Customer.

Each party must:

• protect confidential information with reasonable care;
• use confidential information only for purposes related to these Terms;
• not disclose confidential information except to personnel, contractors, advisors, subprocessors, or affiliates who need access and are bound by appropriate confidentiality obligations.

Confidentiality obligations do not apply to information that:

• is publicly available without breach;
• was already known without restriction;
• is independently developed without use of confidential information;
• is lawfully received from another source;
• must be disclosed by law, court order, or regulatory authority.

14. Data protection and privacy

We process personal data in accordance with applicable data protection law, including the GDPR where applicable.

For account management, billing, security, analytics, platform administration, and service improvement data, we may act as an independent controller.

For personal data contained in Customer Content that we process on behalf of a Customer, we generally act as processor and the Customer acts as controller.

Where we act as processor, the DPA applies.

The Customer is responsible for:

• having a lawful basis for uploading and processing personal data in CAO Studio;
• providing required privacy information to data subjects;
• ensuring data minimization;
• managing User access;
• responding to data subject requests where the Customer is controller;
• ensuring that uploaded content is lawful and appropriate.

Our Privacy Notice explains:

• what personal data we collect;
• why we process it;
• the legal bases we rely on;
• how AI-supported processing works;
• which subprocessors we use;
• where data is hosted or processed;
• how long we retain data;
• who we share data with;
• what rights individuals have.

15. EU data hosting

Customer Content is hosted in the European Union / European Economic Area.

This includes, unless otherwise stated in a written agreement or subprocessor notice:

• workshop inputs;
• uploaded documents;
• notes;
• assessment findings;
• generated reports;
• recommendations;
• design options;
• CAO Guide interactions stored by CAO Studio;
• engagement data;
• audit data.

Although CAO Studio hosts Customer Content in the EU/EEA, certain subprocessors, including LLM Service Provider or other service providers, may access or process personal data from outside the EU/EEA where necessary to provide the Service.

Where such access or processing constitutes an international transfer under applicable data protection law, we will use appropriate safeguards, such as:

• an adequacy decision;
• Standard Contractual Clauses;
• a Data Processing Agreement;
• supplementary safeguards where required;
• another lawful transfer mechanism.

16. Data Processing Agreement

Where required by applicable data protection law, including GDPR Article 28, the DPA forms part of the agreement between the Customer and us.

The DPA governs our processing of Customer Personal Data on behalf of the Customer.

The DPA should include, among other things:

• subject matter and duration of processing;
• nature and purpose of processing;
• categories of personal data;
• categories of data subjects;
• obligations and rights of the Customer;
• documented instructions;
• confidentiality obligations;
• technical and organizational security measures;
• subprocessor terms;
• assistance with data subject rights;
• assistance with security incidents, DPIAs, and audits;
• deletion or return of data at the end of the Service;
• international transfer safeguards.

If there is a conflict between these Terms and the DPA regarding processing of Customer Personal Data, the DPA controls.

17. Subprocessors and third-party services

We use third-party service providers to operate CAO Studio.

These may include providers for:

• EU-based hosting;
• databases;
• file storage;
• authentication;
• email delivery;
• analytics;
• logging and monitoring;
• payment processing;
• AI model processing;
• security monitoring;
• customer support.

CAO Studio uses LLM Service Provider functionality as part of its AI-supported features.

LLM Service Provider may act as a subprocessor when processing Customer Content for AI-supported functionality.

We will maintain information about relevant subprocessors in our Privacy Notice, DPA, or subprocessor list.

Where subprocessors process personal data on our behalf, we use appropriate contractual, organizational, and technical safeguards.

18. Security

We use reasonable technical and organizational measures designed to protect Customer Content and personal data.

These may include, as appropriate:

• access controls;
• authentication;
• role-based authorization;
• encryption in transit;
• secure hosting;
• logging and monitoring;
• audit trails;
• prompt-injection protections;
• AI safety alerts;
• vulnerability management;
• backup and recovery measures;
• incident response procedures.

You are responsible for:

• using strong passwords;
• protecting devices and networks;
• managing User permissions;
• avoiding unnecessary personal data;
• promptly removing access for Users who no longer need it;
• reporting suspected security incidents.

No online service can guarantee absolute security.

19. Audit logging

CAO Studio may include audit functionality.

Audit logs may capture events such as:

• User login and access events;
• workshop activity;
• report generation;
• recommendation generation;
• CAO Guide usage;
• CAO Brain usage;
• self-check code generation and redemption;
• access restrictions;
• AI safety alerts;
• administrative review actions;
• unblock actions;
• other material platform events.

Audit logs are used for:

• security;
• accountability;
• compliance;
• troubleshooting;
• Customer administration;
• fraud and misuse prevention;
• platform integrity.

Audit logs may include personal data such as User identity, timestamp, engagement reference, event type, safe summaries, and security status.

Audit logs will not intentionally expose hidden system prompts, internal instructions, raw CAO Brain retrieval context, API keys, or sensitive security configuration.

Access to audit logs is restricted according to role, plan, tenant, and authorization settings.

20. Cookies and analytics

CAO Studio may use cookies or similar technologies for:

• authentication;
• security;
• session management;
• preferences;
• analytics;
• performance monitoring;
• service improvement.

Strictly necessary cookies may be used to operate the Service.

Non-essential cookies or analytics will be handled according to our Privacy Notice, Cookie Notice, and applicable consent requirements.

21. Intellectual property

We and our licensors retain all rights in CAO Studio, including:

• software;
• workflows;
• UI design;
• CAO Brain configuration;
• CAO Guide configuration;
• prompts and prompt architecture;
• templates;
• reports;
• documentation;
• platform content;
• methodology-related materials;
• Creating Agile Organizations content;
• trademarks;
• know-how.

Except as expressly permitted, you may not:

• copy the Platform;
• modify or reverse engineer the Platform;
• resell or sublicense the Platform;
• create derivative works from CAO Studio;
• extract CAO Brain content to create a competing product;
• use CAO Studio to train a competing AI system;
• reproduce the Creating Agile Organizations method as a competing product.

Customer Content remains owned by the Customer.

22. Creating Agile Organizations content

CAO Studio is based on the Creating Agile Organizations approach and related intellectual property.

Subject to your plan and these Terms, you may use CAO Studio outputs for:

• internal organization design work;
• consulting engagements;
• leadership discussions;
• transformation work;
• workshops;
• decision support;
• reports and recommendations for authorized clients or stakeholders.

You may not use CAO Studio to reproduce, package, resell, train, or commercialize the Creating Agile Organizations method as a competing product without written permission.

23. Generated outputs

Subject to these Terms, plan restrictions, and third-party rights, Customers may use AI Outputs and generated reports for their internal business, consulting, advisory, or organization design purposes.

You are responsible for reviewing outputs before using them.

We do not guarantee that AI Outputs are:

• accurate;
• complete;
• legally compliant;
• suitable for a specific organization;
• free from errors;
• free from bias;
• sufficient for decision-making without human review.

If an output is important, high-impact, or used for organizational decisions, it should be reviewed by qualified people.

24. Fees, payment, and taxes

Paid plans are billed according to the selected plan, order form, invoice, or written agreement.

Unless otherwise stated:

• fees are exclusive of VAT and other taxes;
• payment obligations are non-cancellable;
• fees are non-refundable except where required by law or agreed in writing;
• invoices are payable within the stated payment term;
• overdue amounts may result in suspension after reasonable notice.

We may change prices for future billing periods by giving reasonable notice.

Specific pricing, billing cycles, renewal terms, and cancellation rights may be set out at checkout, in the Platform, in an order form, or in a separate agreement.

25. Availability, maintenance, and changes

We aim to keep CAO Studio available and useful, but we do not guarantee uninterrupted or error-free operation.

We may modify, improve, suspend, or discontinue parts of the Service.

We may perform maintenance, updates, security changes, or emergency fixes without prior notice where needed.

Where a change materially reduces paid functionality, we will provide reasonable notice where practical.

26. Beta and experimental features

Some features may be marked or treated as beta, preview, experimental, or early access.

Beta features may:

• be changed;
• be limited;
• be removed;
• contain errors;
• produce unexpected outputs;
• be less reliable than generally available features.

Use beta features with appropriate caution.

27. Third-party links and services

CAO Studio may include links or integrations with third-party services.

We are not responsible for third-party websites, content, policies, or services unless expressly stated.

Use of third-party services may be governed by their own terms and privacy policies.

28. Customer responsibilities

The Customer is responsible for:

• ensuring lawful use of CAO Studio;
• managing User access;
• training Users where appropriate;
• reviewing AI Outputs;
• validating reports and recommendations;
• ensuring uploaded content is lawful;
• maintaining backups of important external materials;
• ensuring personal data is processed lawfully;
• ensuring CAO Studio is appropriate for the Customer’s intended use.

The Customer remains responsible for all organization design, HR, governance, leadership, and implementation decisions.

29. Suspension and termination

We may suspend or terminate access if:

• you breach these Terms;
• payment is overdue;
• use creates legal, security, privacy, or operational risk;
• you attempt to bypass AI safety or platform security controls;
• you misuse access codes;
• you access unauthorized data;
• we are required to do so by law.

Where practical, we will give notice and an opportunity to remedy before suspension, unless immediate action is needed for security, legal, operational, or misuse reasons.

You may stop using CAO Studio at any time.

Paid subscriptions remain subject to agreed billing and cancellation terms.

Upon termination, access to CAO Studio may end.

Deletion, return, or retention of Customer Content will be handled according to the applicable plan, Privacy Notice, DPA, written agreement, and legal obligations.

30. Data retention and deletion

We retain Customer Content and personal data for as long as necessary to provide the Service, comply with legal obligations, resolve disputes, enforce agreements, maintain security, and support legitimate business purposes.

Retention periods may differ for:

• account data;
• Customer Content;
• uploaded documents;
• generated reports;
• AI interaction logs;
• audit logs;
• billing records;
• security logs;
• backups.

Where the Customer requests deletion and we are legally and technically able to delete the data, we will do so according to our Privacy Notice, DPA, and applicable retention procedures.

Backup copies may remain for a limited period before deletion according to standard backup cycles.

31. Disclaimers

CAO Studio is provided on an “as is” and “as available” basis to the maximum extent permitted by law.

We do not warrant that:

• the Service will be uninterrupted;
• the Service will be error-free;
• AI Outputs will always be accurate;
• recommendations will produce a specific organizational outcome;
• CAO Studio will meet every Customer requirement;
• all errors will be corrected;
• the Service will be suitable for every legal, HR, or organizational context.

You remain responsible for decisions, implementation choices, organizational changes, and use of outputs.

32. Limitation of liability

To the maximum extent permitted by law, we are not liable for:

• indirect damages;
• incidental damages;
• special damages;
• consequential damages;
• punitive damages;
• lost profits;
• loss of revenue;
• loss of goodwill;
• loss of business opportunity;
• loss caused by reliance on unreviewed AI Outputs;
• loss caused by Customer Content;
• loss caused by unauthorized use of credentials;
• loss caused by third-party services outside our reasonable control.

Our total liability for claims relating to the Service is limited to the amount paid by the Customer for the Service in the [three / six / twelve] months before the event giving rise to the claim.

Nothing in these Terms limits liability that cannot legally be limited, including liability for fraud, intentional misconduct, or death or personal injury caused by negligence where applicable.

33. Indemnity

The Customer agrees to indemnify and hold us harmless against claims, damages, losses, costs, and expenses arising from:

• unlawful use of CAO Studio;
• Customer Content;
• breach of these Terms;
• violation of third-party rights;
• misuse of AI Outputs;
• unauthorized disclosure of personal data caused by the Customer or its Users;
• use of CAO Studio in violation of applicable law.

34. Force majeure

Neither party is liable for failure or delay caused by events beyond reasonable control, including:

• natural disasters;
• war;
• terrorism;
• civil unrest;
• labor disputes;
• internet failures;
• cloud-provider outages;
• power failures;
• government actions;
• cyberattacks;
• pandemics;
• failures of third-party providers.

The affected party must take reasonable steps to reduce the impact.

35. Export controls and sanctions

You may not use CAO Studio in violation of applicable export control, sanctions, or trade restrictions.

You must not provide access to persons, organizations, or jurisdictions where prohibited by law.

36. Changes to these Terms

We may update these Terms from time to time.

If changes are material, we will provide reasonable notice through the Service, email, or another appropriate method.

Continued use of CAO Studio after the effective date of updated Terms means you accept the updated Terms.

If you do not agree to updated Terms, you must stop using the Service.

37. Governing law and jurisdiction

These Terms are governed by the laws of [the Netherlands], unless mandatory law requires otherwise.

The courts of [Amsterdam / the Netherlands] have exclusive jurisdiction, unless mandatory law provides otherwise.

Before starting formal proceedings, the parties will try to resolve disputes in good faith.

38. Notices

We may send notices by:

• email;
• in-app notification;
• posting in the Service;
• other reasonable means.

You must keep your account email address up to date.

Legal notices to us should be sent to:

[Legal company name]
[Address]
[Email]

39. Assignment

You may not assign or transfer your rights or obligations under these Terms without our prior written consent.

We may assign these Terms in connection with a merger, acquisition, restructuring, sale of assets, or transfer of business, provided that your rights are not materially reduced.

40. Severability

If any part of these Terms is found invalid or unenforceable, the remaining parts remain in effect.

The invalid or unenforceable part will be replaced by a valid provision that comes closest to the original intent.

41. Entire agreement

These Terms, together with any applicable order form, DPA, Privacy Notice, plan terms, and written agreement, form the entire agreement between the parties regarding CAO Studio.

If there is a conflict:

1 a signed written agreement controls over these Terms;

2 the DPA controls for personal data processing matters;

3 plan-specific or order-form terms control for commercial plan details;

4 these Terms control for general platform use.

Schedule 1 — Data Processing Addendum Summary

This Schedule summarizes key data processing terms. A full DPA should be made available to Customers where required.

1. Subject matter

Provision of CAO Studio as a SaaS platform for organization design, workshops, assessments, reports, recommendations, self-checks, audit functionality, and AI-supported guidance.

2. Duration

For the duration of the Customer’s use of CAO Studio, plus any retention period required for backups, legal obligations, security, auditability, dispute resolution, or compliance.

3. Nature and purpose of processing

We process Customer Personal Data to:

• provide the Service;
• host Customer Content;
• enable workshops;
• generate reports;
• generate recommendations;
• operate CAO Brain and CAO Guide;
• support self-check access;
• authenticate Users;
• provide customer support;
• maintain security;
• keep audit logs;
• detect misuse;
• comply with legal obligations.

4. Categories of personal data

Depending on Customer use, personal data may include:

• names;
• email addresses;
• business contact details;
• user account data;
• organization name;
• role or job title;
• workshop participant names;
• notes and observations;
• assessment findings;
• uploaded document content;
• prompts and questions;
• generated outputs;
• engagement context;
• audit logs;
• security alerts;
• billing information.

Customers should avoid uploading unnecessary sensitive data.

5. Categories of data subjects

Depending on Customer use, data subjects may include:

• Customer employees;
• consultants;
• workshop participants;
• managers;
• leaders;
• HR professionals;
• Agile coaches;
• transformation team members;
• client stakeholders;
• invited Users;
• self-check Users.

6. Processor obligations

Where we act as processor, we will:

• process Customer Personal Data only on documented Customer instructions;
• ensure confidentiality;
• use appropriate technical and organizational measures;
• assist with data subject requests where reasonably possible;
• assist with security incidents, DPIAs, and compliance obligations where required;
• use subprocessors under appropriate terms;
• notify Customers of relevant subprocessor changes where required;
• delete or return Customer Personal Data at the end of the Service, subject to legal and technical limitations;
• provide reasonable information to demonstrate compliance.

7. Customer obligations

The Customer is responsible for:

• providing lawful processing instructions;
• having a lawful basis for processing;
• providing required privacy information to data subjects;
• ensuring data minimization;
• managing User access;
• responding to data subject requests where the Customer is controller;
• ensuring personal data entered into CAO Studio is appropriate and lawful.

8. Use of LLM Service Provider as AI subprocessor

CAO Studio uses LLM Service Provider functionality to provide AI-supported features, including:

• CAO Brain;
• CAO Guide;
• recommendations;
• reports;
• summaries;
• document analysis;
• AI-supported guidance;
• related generated outputs.

When these features are used, Customer Personal Data may be sent to LLM Service Provider for processing.

The categories of Customer Personal Data processed by LLM Service Provider may include:

• names and business contact details;
• user prompts and questions;
• workshop inputs;
• assessment findings;
• uploaded document excerpts;
• notes;
• engagement context;
• generated outputs;
• audit and safety metadata where relevant.

The purpose of this processing is to provide AI-supported functionality inside CAO Studio.

CAO Studio is configured so that Customer Content sent to LLM Service Provider through business/API functionality is not used to train LLM Service Provider models by default, unless an explicit opt-in or separate agreement applies.

Where LLM Service Provider processes Customer Personal Data outside the EU/EEA, appropriate transfer safeguards will be applied where required.

9. Location of processing

Customer Content is hosted in the EU/EEA.

The primary hosting location for CAO Studio is the European Union / European Economic Area.

We will not transfer Customer Personal Data outside the EU/EEA unless:

• the transfer is necessary to provide the Service;
• the transfer is disclosed where required;
• an appropriate transfer mechanism is in place.

10. Subprocessors

We may use subprocessors for:

• hosting;
• storage;
• database infrastructure;
• authentication;
• email delivery;
• analytics;
• payment processing;
• logging;
• monitoring;
• security;
• AI processing;
• customer support.

Subprocessors will be bound by appropriate contractual obligations.

11. Security measures

Technical and organizational measures may include:

• EU-based hosting;
• access controls;
• role-based permissions;
• authentication;
• encryption in transit;
• logging and monitoring;
• audit trails;
• prompt-injection detection;
• AI safety alerts;
• secure development practices;
• vulnerability management;
• backups;
• incident response procedures.

12. Return and deletion

At the end of the Service, Customer Personal Data will be returned or deleted according to the applicable agreement, DPA, Privacy Notice, retention schedule, and legal obligations.

Backup copies may be retained for a limited period before deletion according to standard backup processes.

Schedule 2 — AI Use and Safety Rules

Users must not attempt to:

• override system instructions;
• perform prompt injection;
• reveal hidden prompts;
• extract internal CAO Brain context;
• access unauthorized data;
• bypass plan restrictions;
• bypass self-check restrictions;
• manipulate AI safety controls;
• use CAO Studio to generate unlawful, discriminatory, or harmful outputs.

CAO Studio may detect and log suspicious AI interactions.

Repeated attempts to bypass AI safety controls may result in:

• CAO Guide restriction;
• account restriction;
• administrator review;
• suspension;
• termination.

Schedule 3 — Self-Check Access Terms

CAO Studio may provide limited self-check access through one-time access codes.

A self-check code may be generated for a named person and a specific workshop.

Available self-checks may include:

• Strategic Focus;
• Star Model.

A self-check code may allow access only to:

• the selected workshop;
• CAO Guide guidance for that workshop;
• a completion screen;
• a call to action to explore CAO Studio, view plans, or contact us.

A self-check code does not provide access to the full CAO Studio Platform.

Self-check Users must not attempt to access:

• other workshops;
• reports;
• recommendations;
• design options;
• documents;
• notes;
• audit pages;
• administration pages;
• other engagements;
• other Users’ data;
• full CAO Studio functionality.

Self-check codes may be single-use and may be rejected if invalid, expired, already used, or revoked.

We may audit self-check code generation, redemption, completion, and misuse.

Schedule 4 — Privacy Notice Checklist

A separate Privacy Notice should explain:

• who the controller is;
• contact details;
• purposes of processing;
• legal bases;
• categories of personal data;
• categories of recipients;
• subprocessors;
• use of LLM Service Provider;
• EU hosting;
• international transfers and safeguards;
• retention periods;
• data subject rights;
• complaint rights with a supervisory authority;
• cookies and analytics;
• security and audit logs;
• AI-supported processing;
• how to contact us.

Schedule 5 — Subprocessor List Placeholder

The current subprocessor list should include, at minimum, where applicable:

Provider

Purpose

Location / transfer notes

[EU hosting provider]

Hosting and infrastructure

EU/EEA hosted

LLM Service Provider

AI processing for CAO Brain, CAO Guide, reports, recommendations, summaries

May involve processing outside EU/EEA; safeguards required

[Email provider]

Transactional email

[Insert location]

[Payment provider]

Billing and payments

[Insert location]

[Monitoring/logging provider]

Security and service monitoring

[Insert location]

[Analytics provider]

Product analytics, if used

[Insert location]

Keep this list accurate and updated.