Legal

Terms of Service

Effective Date: February 21, 2026

Entity: Allava LLC d/b/a Offbrd

1. Agreement Structure

These Terms of Service ("Terms") govern access to and use of the Offbrd platform (the "Service").

If you are using the Service on behalf of a company or other legal entity ("Customer"), you represent that you have authority to bind that entity. In that case, "Customer" refers to that entity.

These Terms include and incorporate the Data Processing Addendum in Section 9.

2. The Service

Offbrd provides a software platform that facilitates digital exit interviews and generates analytics based on responses submitted by employees ("Respondents").

Offbrd acts solely as a data processor on behalf of Customer.

Customer determines:

• The purpose of processing
• The questions asked
• The employees invited
• Who may access results
• Retention settings

Offbrd does not act as a data controller with respect to Customer Data.

3. Customer Responsibilities

Customer represents and warrants that:

• It has lawful authority to collect and process Respondent data.
• It has provided required notices and obtained required consents.
• It determines the legal basis for processing.
• It is solely responsible for employment, compliance, and HR decisions.

Customer is responsible for responding to employee complaints, regulatory inquiries, or employment disputes arising from use of the Service.

4. Data Ownership

Customer retains all rights to:

• Interview responses
• Reports
• Analytics generated from Customer Data

Offbrd claims no ownership over Customer Data.

Offbrd may use aggregated, anonymized data that cannot reasonably identify a Customer or Respondent for service improvement and benchmarking.

5. AI and Automated Processing

The Service may use artificial intelligence tools to analyze responses and generate summaries.

Offbrd:

• Does not use identifiable Customer Data to train public AI models.
• Does not sell Customer Data.
• Does not use Customer Data for unrelated purposes.

AI outputs are informational and do not constitute legal or employment advice.

Customer retains full responsibility for decisions made using outputs.

6. Security

Offbrd implements reasonable and appropriate technical and organizational measures to protect Customer Data, including:

• Encryption in transit (TLS)
• Encryption at rest where supported
• Role-based access controls
• Access logging
• Secure cloud hosting
• Internal access restriction
• Regular security updates

Offbrd will notify Customer without undue delay and no later than 72 hours after confirming a Security Incident affecting Customer Data.

A "Security Incident" means unauthorized access, disclosure, or loss of Customer Data under Offbrd's control.

Offbrd shall not be liable for Security Incidents to the extent caused by Customer's configurations, misuse of the Service, failure to follow security best practices, or third-party integrations or systems not controlled by Offbrd.

7. Sub-processors

Customer provides general authorization for Offbrd to use sub-processors.

Current categories of sub-processors include:

• Cloud hosting providers
• Infrastructure providers
• Email delivery providers
• Analytics providers

Offbrd will impose data protection obligations on sub-processors that are substantially similar to those in these Terms.

Upon request, Offbrd will provide a current sub-processor list.

Customer may object to a new sub-processor on reasonable data protection grounds.

8. Data Retention and Deletion

Customer controls retention settings.

Unless otherwise agreed:

• Customer Data is retained for the duration of the subscription.
• Upon termination, Customer may export its data within 30 days.
• After 30 days, Offbrd may delete Customer Data unless legally required to retain it.

Backups may persist temporarily consistent with disaster recovery policies.

9. Data Processing Addendum (DPA)

This Section forms a Data Processing Addendum.

9.1 Roles

Customer is the Data Controller.

Offbrd is the Data Processor.

9.2 Scope of Processing

• Nature: Collection, storage, analysis, and reporting of exit interview responses.
• Purpose: Facilitation of exit interviews and analytics.
• Categories of data subjects: Employees or former employees.
• Categories of personal data: Name (if collected), employment details, written responses, metadata.

9.3 Processing Instructions

Offbrd processes Customer Data only:

• On documented instructions from Customer
• As necessary to provide the Service
• As required by applicable law

9.4 Data Subject Rights Assistance

Offbrd will assist Customer, upon request, in responding to data subject requests (access, deletion, correction) to the extent technically feasible.

9.5 Confidentiality

Personnel authorized to process Customer Data are subject to confidentiality obligations.

9.6 International Transfers

Customer Data may be processed in the United States or other jurisdictions where Offbrd or its sub-processors operate.

Offbrd will implement appropriate safeguards where required by applicable law.

9.7 Audit

Upon reasonable notice and no more than once annually, Customer may request information reasonably necessary to demonstrate compliance with this DPA.

On-site audits require mutual agreement and are at Customer's expense.

10. Fees and Payment

Fees are as described during signup or in an order form.

Failure to pay may result in suspension.

11. Confidentiality

Each party agrees to protect the other party's confidential information and use it solely for purposes of performing under this Agreement.

12. Warranties Disclaimer

The Service is provided "as is" and "as available."

Offbrd disclaims all implied warranties including merchantability and fitness for a particular purpose.

13. Limitation of Liability

Except for willful misconduct or breach of confidentiality:

Offbrd's total aggregate liability shall not exceed 50% of the fees paid by Customer in the twelve (12) months preceding the claim.

Offbrd shall not be liable for:

• Indirect or consequential damages
• Employment decisions
• Regulatory penalties resulting from Customer's actions
• Loss of profits or goodwill

14. Indemnification

Customer agrees to indemnify Offbrd against claims arising from:

• Customer's violation of law
• Customer's misuse of the Service
• Employment actions taken by Customer

Offbrd will indemnify Customer for claims directly arising from Offbrd's gross negligence or willful misconduct.

15. Termination

Either party may terminate for material breach.

Upon termination, Sections relating to liability, confidentiality, and data handling survive.

16. Governing Law

These Terms are governed by the laws of the Commonwealth of Massachusetts, without regard to conflict of law principles.

Disputes shall be resolved by binding arbitration in Massachusetts.

17. Changes

Offbrd may update these Terms. Material changes will be posted with updated effective date.