Legal

MSA terms, Data Processing Agreement, HIPAA BAA, and compliance artifacts.

All contracts are negotiated on a client-by-client basis. The documents described here reflect our standard starting positions. Contact hello@capped.ai to begin a contract review.

Master Service Agreement (MSA)

Capped AI's standard MSA governs all production engagements. Key terms include:

  • Scope of services: Infrastructure deployment, operation, monitoring, and support as described in the applicable Order Form.
  • Data ownership: Client retains all rights to data processed through the Capped AI environment. Capped AI does not claim any license to client data.
  • Confidentiality: Mutual NDA is included by reference. Capped AI does not disclose client identity, usage patterns, or business information.
  • Liability: Cap at 12 months of fees paid; carve-outs for gross negligence, willful misconduct, and IP indemnification.
  • SLA: 99.5% monthly uptime (Standard), 99.9% (Pro), 99.95% (Enterprise). Service credits for breaches.
  • Term: Annual minimum for production. Pilot contracts are fixed-term (30 or 60 days).
  • Termination for cause: 30-day cure period. Data export and environment teardown completed within 30 days of termination.

An MSA draft is available on request under NDA. Send requests to hello@capped.ai.

Data Processing Agreement (DPA)

For clients subject to GDPR or CCPA, Capped AI provides a DPA as an addendum to the MSA. Key provisions:

  • Capped AI acts as a data processor; client is the controller.
  • Processing is limited to operating the infrastructure as described in the MSA — no secondary use of personal data.
  • Subprocessor list provided and updated with 30-day advance notice before additions.
  • EU Standard Contractual Clauses (SCCs) included where applicable.
  • Data subject request assistance provided to the extent Capped AI has access to relevant data (typically limited to metadata).
  • Breach notification within 48 hours of Capped AI becoming aware of a confirmed breach involving personal data.

Contact compliance@capped.ai to request the DPA.

HIPAA Business Associate Agreement (BAA)

Capped AI's BAA capability is planned post-launch. AWS signs a BAA covering Bedrock and the underlying compute, which forms the infrastructure basis for Capped AI's BAA coverage. Additional technical controls (audit logging, encryption key management, minimum necessary access) are finalized ahead of BAA issuance.

Healthcare clients interested in HIPAA-eligible deployments should contact compliance@capped.ai to discuss timelines and controls requirements.

Compliance Artifacts Available on Request

DocumentStatusRequest via
SOC 2 Type 1 reportIn progress via Drata — attestation available pre-issuancecompliance@capped.ai
Policy pack (ISMP, Access Control, IR, Change Mgmt, BCP)Availablecompliance@capped.ai
Security questionnaire response (SIG Lite / CAIQ)Availablesecurity@capped.ai
Subprocessor listAvailablecompliance@capped.ai
AWS compliance artifacts (SOC 2, ISO 27001, PCI)Via AWS Artifactcompliance@capped.ai
Signed NDAAvailable on request before contract reviewhello@capped.ai
DPA / SCCsAvailablecompliance@capped.ai
HIPAA BAAPlanned post-launchcompliance@capped.ai

Florida OFR State Charter Path

Capped AI is based in Miami, FL and is familiar with Florida OFR (Office of Financial Regulation) supervisory expectations for state-chartered banks and credit unions. For Florida OFR-chartered institutions, we can:

  • Provide vendor due-diligence documentation tailored to Florida OFR examination requirements
  • Coordinate with your OFR examiner-facing compliance team on technology risk questionnaires
  • Execute a BAA covering Florida-specific requirements once our HIPAA program is complete (planned post-launch)

Contact compliance@capped.ai for Florida OFR-specific documentation requests.

Governing Law

Standard MSA: Delaware law, courts of New York County, NY. Negotiable for multi-jurisdictional enterprise agreements.