Cloud Computing Services Agreement

This Cloud Computing Services Agreement (this “CCSA”) is entered into between ClearDATA Networks, Inc., a Delaware corporation (“ClearDATA”) and the company that signs an Order that incorporates this CCSA by reference (“you” or “Customer”) and is effective as of the date of your signature on the Order (“Effective Date”).

1. DEFINED TERMS.

Capitalized terms have the meanings given in this section, or in the section where they are used.

Acceptable Use Policy or AUP means the ClearDATA Acceptable Use Policy published on the Effective Date at https://www.cleardata.com/acceptable-use-policy/.

Administrative Contact means an individual who has authority to make changes to your Cloud Platform implementation and approve adoption of new features as further described in Section 6.3 (Access Control Lists and Account Information).

Agreement means, collectively, the Order(s), this CCSA, the RACI, the Service Level Agreement, the Business Associate Agreement or Subcontractor Business Associate Agreement as applicable, the Acceptable Use Policy, and any document referenced in or attached to any of them.

Build Sheet is a specification of your Cloud Platform implementation.

Business Associate Agreement or BAA is the Business Associate Agreement or Subcontractor Business Associate Agreement, as referenced in Subsection 3.1 (HIPAA BAA) or 3.2 (HIPAA Subcontractor BAA).

Business Associate has the meaning given in HIPAA.

Cloud Platform means ClearDATA’s proprietary platform for the deployment and management of healthcare compliant information technology infrastructure and related services.

Covered Service means a Public Cloud Provider Service that is eligible to process, transmit or store PHI/PII. Covered Services are listed in the Service Descriptions.

Customer Portal means the ClearDATA proprietary web portal or natural successor that is used for interaction with ClearDATA products and services currently found at https://foundation.cleardata.com.

Confidential Information means information disclosed by one party to the other party, on any media, whether before or after the Effective Date that: (i) the recipient should reasonably understand to be confidential, such as (A) for you, all information transmitted to or from, or stored on, your cloud environment, and (B) for ClearDATA, unpublished prices and other terms of service, audit and security reports, product features, functionality and development plans, network configuration, vendors and other proprietary information or technology, or (ii) is marked or otherwise conspicuously designated as confidential by the disclosing party. Confidential Information includes information disclosed by making tangible objects or premises available for inspection. Confidential Information does not include information that: (i) is or becomes publicly known through no fault of recipient or persons to whom recipient has disclosed the Confidential Information, (ii) is or becomes rightfully known by recipient without confidential or proprietary restriction from a source other than discloser who, to recipient’s knowledge, does not owe a duty of confidentiality to discloser with respect to such information; (iii) is or was developed by recipient without the use of or reference to the Confidential Information of discloser.

Covered Entity has the meaning given in HIPAA.

HIPAA means the Administrative Simplification Subtitle of the Health Insurance Portability and Accountability Act of 1996, as amended by Subtitle D of the Health Information Technology for Economic and Clinical Health Act, and their implementing regulations, including the Privacy Standards adopted by the U.S. Department of Health and Human Services as they may be amended from time to time, 45 C.F.R. parts 160 and 164, subparts A and E (the “Privacy Rule”), the Security Standards adopted by the U.S. Department of Health and Human Services as they may be amended from time to time, 45 C.F.R. parts 160, 162 and 164, subpart C (the “Security Rule”), the Breach Notification Standards adopted by the U.S. Department of Health and Human Services , as they may be amended from time to time, 45 C.F.R. part 164, subpart D.

HITRUST means the Health Information Trust Alliance, or its successor.

Intellectual Property Rights means, on a worldwide basis, any and all tangible and intangible: (i) copyrights; (ii) trademarks, service marks, logos, trade dress, trade names, and the goodwill associated therewith; (iii) rights relating to know-how or trade secrets; (iv) patents; (v) rights in domain names, universal resource locator addresses, telephone numbers (including toll free numbers), and similar identifiers; (vi) all other intellectual and industrial property rights of every kind and nature, however designated, whether arising by operation of law, contract, license or otherwise; and (vii) all registrations, initial applications (including intent to use applications), renewals, extensions, continuations, divisions, or reissues of any of the foregoing now or hereafter in force (including any rights in any of the foregoing).

Managed Services means ClearDATA’s provisioning and management of your access to and use of the Cloud Platform and your Public Cloud Provider’s platform as described in the Service Descriptions.

Order is any “Order” or “Service Order” that incorporates this CCSA by reference.

Personal Data or PII means information about an identified or identifiable natural person, including information that may be used to identify an individual or with respect to which there is a reasonable basis to believe the information can be used to identify an individual. Specifically, but without limitation, Personal Data includes all of the following: (i) “electronic protected health information” as that term is defined in HIPAA, (ii) name, part of a name, initials, (iii) contact information such as phone, email, or physical address, (iv) user names and access codes for online services, (v) health insurance account numbers and access information, (v) financial account numbers and access information, (vii) device numbers, IP addresses or other means of identification to a particular computing or communication device or Internet address, (viii) identification numbers such as social security or driver’s license numbers, (ix) unique identifiers that are intended to associate a record with an individual, (x) photographs, and (xi) biometric information.

Protected Health Information or PHI has the meaning given in HIPAA.

Public Cloud Provider means the provider of the cloud infrastructure and related services as identified in your Order, such as Amazon Web Services, Inc. for AWS®, Google, Inc. for GCP®, and Microsoft Corporation for Azure®.

Public Cloud Provider Service means software or service functionality delivered by a Public Cloud Provider.

Responsibility Matrix or RACI means the applicable RACI chart(s) or assignments of responsibility as described in the Service Descriptions that state which party is “responsible,” “accountable,” “consulted,” and “informed” as to activities or decisions for the Services.

Retained Services are ClearDATA services provided as part of a monthly subscription as defined in the Service Descriptions.

Security Safeguards means the security controls and safeguards in the relevant RACI and BAA and ClearDATA’s compliance with its HITRUST Certification.
Service Descriptions means the materials describing the features, functions and approved configurations of the Managed Services, Retained Services, Support and Software that ClearDATA makes generally available to its customers as described at https://www.cleardata.com/services/

Service Level Agreement or SLA is defined in the Service Descriptions.

Services means Managed Services, Retained Services and Software Support, as applicable per your Orders and as described in the Service Descriptions.

Service Term or Term is defined in Section 9 (Term, Termination, Suspension).

Software means ClearDATA software products listed in an Order and as described in a Service Description. Future features and functionality may be licensed separately.

Software Support means technical product assistance (such as bug-fixes) for Software as described at https://www.cleardata.com/services/

Statement of Work means a statement of work for professional services that references this CCSA.

Supported Services are Public Cloud Provider Services that are available for your use on the Cloud Platform and listed as a Supported Service in the Service Descriptions. Not all Supported Services are eligible to host, transmit or process PHI and PII. Only Covered Services are eligible to host, transmit or process PHI and PII.

Third Party Technology means a technology product or service that you purchase or license directly from a third party or through ClearDATA for use with your cloud environment that is not covered by the Service Description or RACI.

Unsupported Service means: (i) a Public Cloud Provider Service that is not listed as a Supported Service; (ii) any item designated in an Order or other agreement as “unsupported,” “one-off” “non-standard” “non-compliant,” “end of life,” “eol,” “custom service”; and (iii) a Public Cloud Provider Service used by you to store, transmit or process unencrypted PHI or PII.

Your Application means the software application(s) that you operate on a cloud environment and any related computer code or information, including any automation tools and third-party components.

Your Data means data and other information, including PHI and Personal Data, that you transfer to or from your Cloud Platform, or process or store on your Cloud Platform, by using the Services or Software including that created by using Your Application.

2. COMPLIANT CLOUD SERVICES

2.1 Ownership. As between you and ClearDATA, (i) you retain ownership of any technology, information or materials that you transmit to or from, or store or process using the Services and all related intellectual property, including derivative works thereof (“your IP”), and (ii) ClearDATA retains ownership of its Software, and any other technology, information, know how, methods, techniques or materials provided as part of the Services or as part of a professional services engagement and all related intellectual property, including derivative works thereof (“ClearDATA IP”). Neither party may reverse engineer, disassemble or decompile the other party’s intellectual property except to the extent necessary to use or provide the Services, or as permitted by applicable law notwithstanding this restriction. Neither party may remove any proprietary rights notices included by the other party on its licensed intellectual property.

2.2 Limited License. During the Term, subject to the terms and conditions of this Agreement, ClearDATA grants you, subject to the terms and conditions of this Agreement including but not limited to payment of the proper fees and compliance with the other obligations and limitations of the CCSA, a limited, non-exclusive, non-transferable, non-sublicensable license to use the ClearDATA IP for your internal business purposes only. All rights not expressly granted to you are reserved by ClearDATA, and you have no other or different rights or privileges (implied, by estoppel, or otherwise). You license Your IP to ClearDATA on a limited, basis solely as necessary to perform its obligations or exercise its rights under the Agreement. Neither party may reverse engineer, disassemble or decompile the other party’s intellectual property except as permitted by applicable law notwithstanding this restriction. Neither party may remove any proprietary rights notices included by the other party on its intellectual property.

2.3 Suggestions. If you provide any feedback, comments, or suggestions for the improvement of the Services (“Suggestions”) you hereby license the Suggestions and all related intellectual property to ClearDATA on a non-exclusive, worldwide, fully paid, perpetual, irrevocable basis for ClearDATA to use, disclose, modify, reproduce, license, distribute (through multiple tiers), commercialize and otherwise freely exploit without restriction of any kind, without obligation to account for or share revenue or profits.

2.4 Your Data and Applications. Software and Services do not include ClearDATA’s design, development or management of Your Application(s) or Your Data, transactions processing, or maintenance of a “designated record set,” as defined in HIPAA. ClearDATA will interact with Your Application(s) and Your Data only to the limited extent necessary to provide the Services and comply with the Agreement.

2.5 Changes to Software and Services. Over time, ClearDATA will employ different technologies and methods to satisfy our obligations to you. This may require ClearDATA to modify how we deliver Software and Services. Our changes will be based on reasonable commercial factors including those necessary to meet legal, regulatory or industry-standard requirements. ClearDATA will not modify the technology utilized in, or features or functionality of our systems in a manner that would have a significant adverse effect on the Services. If you provide us notice of any objection to a change within a thirty day notice period, we will discuss your objections and negotiate in good faith with you toward a prompt resolution.

2.6 GxP. Before using Services as part of a quality-regulated system, such as a process regulated by the United States Food, Drug and Cosmetic Act, you must sign an Addendum to cover that use. ClearDATA will provide the Addendum on request.

3. SPECIAL TERMS FOR SERVICES COVERED BY A BUSINESS ASSOCIATE AGREEMENT.

The following only apply to Software and Services that include BAA coverage as detailed in their Service Description:

3.1 Business Associate Agreement. If you are a HIPAA Covered Entity and ClearDATA is your Business Associate, then the HIPAA Business Associate Agreement published at https://www.cleardata.com/services/ as of the date that ClearDATA becomes your Business Associate is incorporated in this CCSA by this reference.

3.2 Business Associate Subcontractor Agreement. If you are a Business Associate of a Covered Entity and ClearDATA is your Business Associate Subcontractor, then the HIPAA Business Associate Subcontractor Agreement published at https://www.cleardata.com/subcontractor-business-associates-agreement/ as of the date that ClearDATA becomes your Business Associate Subcontractor is incorporated in this CCSA by this reference.

3.3 HITRUST, HIPAA Compliance and Security.

3.3.1 HITRUST. ClearDATA will maintain a certification of compliance with the HITRUST Common Security Framework (“HITRUST Certification”). ClearDATA may, at its option, substitute an equivalent security framework, such as the AICPA Service Organization Controls or ISO 27017, upon ninety (90) days’ advance written notice. As your sole remedy, you may terminate the Agreement for convenience if you object to the new framework by providing written notice any time prior to the effective date of the new framework.

3.3.2 HIPAA Compliance. ClearDATA will provide the Software and Services in compliance with HIPAA as specified in the applicable parts of its HITRUST Certification and the BAA.

3.3.3 Security. ClearDATA is responsible for a security breach to the extent it results from its failure to act in accordance with the Security Safeguards.

4. UNSUPPORTED SERVICES

Unsupported Services are provided AS IS. ClearDATA is not liable for any loss or damage from the use of Unsupported Services. Unsupported Services are not covered by ClearDATA’s indemnification obligations, the Security Safeguards, or a BAA. Unsupported Services may not be used to store, transmit or process PHI or PII and may not interoperate successfully with other Service elements, such as third-party backup and monitoring. ClearDATA has no obligation to provide Managed Services or Software Support for Unsupported Services, and if any are they are provided AS IS. SLAs do not apply to Unsupported Services or any other aspect of the Services that are adversely affected by an Unsupported Service.

5. SERVICE COMMITMENTS

5.1 Services. Services shall be provided in material conformity with the Service Descriptions.

5.2 Software. Software shall perform in material conformity with the Service Descriptions.

5.3 Software Support. ClearDATA will provide Software Support in a good and professional manner consistent with applicable industry standards.

5.4 Intellectual Property. ClearDATA warrants that Your use of the Services as permitted by the Agreement will not infringe the intellectual property rights of any unaffiliated third party, provided, however, that ClearDATA’s sole obligation with respect to a breach of this warranty, is indemnification for third party claims as provided in Subsection 11.1 (ClearDATA Indemnification of You).

5.5 Additional Services. If ClearDATA provides assistance that is not part of the Services it is provided on an AS IS, AS AVAILABLE basis.

5.6 Warranty Disclaimer. Except for the warranties expressly stated in this Section, ClearDATA, its suppliers, licensors and subcontractors make no representations or warranties whatsoever and expressly disclaim any implied warranty of merchantability, fitness for a particular purpose, and any warranty that would have otherwise arisen through a course of dealing. If applicable law requires a warranty notwithstanding this limitation, then the warranty is made for a period of 30 days from the date the warranty is deemed to have been made. Specifically, but without limitation, ClearDATA does not warrant the Services or Software operation will be uninterrupted, meet the requirements of you, your customers or any other party, be error free, OR PROVIDE PERFECT PROTECTION FROM ALL VULNERABILITIES OR SECURITY ATTACKS, INTRUSIONS, OR SECURITY INCIDENTS.

6. YOUR OBLIGATIONS

6.1 Account Security. You must comply with the encryption, security measures and other responsibilities documented in the RACI applicable to your Order, the Build Sheet and the relevant Service Description. You must otherwise use security precautions that satisfy HIPAA in connection with Services. For example, you must maintain the confidentiality of passwords and other access credentials, and you must follow ClearDATA’s procedures designed to prevent unauthorized access to your cloud environment. You must use reasonable care to avoid transmitting virus, spyware, ransomware, or other malware to your cloud environment. You must immediately contact ClearDATA if you believe the security of Your account or Cloud Platform has been compromised.

6.2 Compliance with Law, Privacy Policy, and Acceptable Use. You represent and warrant that you will comply with HIPAA and other laws governing the collection and management of Your Data, and your transmission, storage and processing of Your Data by means of Your Application. You must comply with your published privacy policy and the AUP. The ClearDATA services are only intended for use in a commercial or government context in connection with the provision of health care and related services. You represent and warrant that your use of Your Application, third-party Personal Data, and any other information, materials or technologies that you install, store, process, or transmit to or from your environment, and ClearDATA’s authorized use and disclosure of any of them as part of providing the Services, does not violate the rights of any third party, including but not limited to the rights of publicity or privacy of individuals whose Personal Data is part of Your Data (the “data subjects”) under data protection laws applicable to the Personal Data or data subjects. Specifically, but without limitation, you represent and warrant that, where required by the laws applicable to the Personal Data or the data subjects, you have obtained consent from the data subjects for ClearDATA’s use and disclosure of the Personal Data as required to provide Services under this Agreement.

6.3 Access Control Lists and Account Information. You are responsible for keeping your account access control permissions, administrative contact, billing, and other account information up to date using the Customer Portal. ClearDATA will use the information you provide to establish the initial account contacts and access permissions necessary to provide the Services and Software Support. Your administrative contact has authority to make changes to your cloud environment including but not limited to adoption of new free or chargeable features and terms and conditions, via the Customer Portal. You represent and warrant to ClearDATA that the information you provide for purposes of establishing and maintaining your account is true, correct and complete.

6.4 Backups. If data backup services are included in your Order, you must ensure that the Service is capturing and storing your Data properly, by among other things conducting periodic restoration tests. You must give prior notification to ClearDATA of any changes to Your Application, Your Data, or your encryption methods or other processes that might interfere with successful backups. You acknowledge that your use of back up services from ClearDATA does not, by itself, constitute compliance with the relevant portions of HIPAA.

6.5 Customer Responsibilities. Customer will: (i) provide qualified personnel capable of performing Customer’s duties and tasks; (ii) provide ClearDATA access to Customer’s sites, facilities and systems during Customer’s normal business hours and as otherwise reasonably required by ClearDATA to perform its obligations; (iii) provide ClearDATA with working space and office support (e.g., internet connectivity, printers) as ClearDATA may reasonably request; (iv) perform Customer’s duties and tasks under the Order Form or Statement of Work, and such other duties and tasks reasonably required to permit ClearDATA to perform its obligations; and (v) not provide any PHI as defined in HIPAA without ClearDATA’s prior written consent. Customer will also make available to ClearDATA any data, reports, information and any other materials required by ClearDATA to perform its obligations, including, but not limited to, any data, reports, information or materials specifically identified in the Order Form or Statement of Work (collectively, “Customer Materials”). Customer will be responsible to ensure the Customer Materials are accurate and complete and acknowledges that the quality of the Services deliverables depends on Customer providing accurate and complete information, including its management of ePHI or other sensitive information. ClearDATA is excused for delayed or insufficient performance of the Services to the extent they result from Customer’s failure or delay in providing requested cooperation, information, materials, or access. Customer acknowledges that its material or chronic delay is a material breach of the Agreement, giving rise to a right of termination without refund or credit. In addition to any other remedies available to ClearDATA in respect of such breach, ClearDATA may reschedule the Services and charge Customer rescheduling fees. If ClearDATA re-performs any part of the Professional Services due to inaccurate or incomplete information provided by Customer, ClearDATA’s fees may exceed the amounts stated in the Order Form or Statement of Work.

6.6 Acceptance. If the Order Form or Statement of Work requires Customer’s acceptance of Deliverables, Customer shall evaluate them for conformance within three (3) business days after delivery of: (i) a written notice stating that the deliverables (or an applicable milestone) are complete, and/or (ii) delivery of the deliverables, Customer must (i) accept the deliverables; or (ii) reject them for non-conformance by providing written notice describing the deficiency in reasonable detail. If Customer fails to provide notice of rejection within the specified timeframe, the deliverable shall be deemed accepted. If Customer rejects the deliverables, ClearDATA shall have a reasonable period to revise and re-deliver them, but no less than ten (10) business days. The parties will repeat the notice and acceptance process until the deliverables are accepted, provided that if Customer rightfully rejects the Deliverables two (2) or more times, Customer may terminate the Order Form or Statement of Work and, as its sole and exclusive remedy, receive a refund of any fees already paid for the affected deliverables. Where an Order Form or Statement of Work states acceptance requirements tied to milestones, ClearDATA may require the completion of the acceptance process for each milestone before beginning work on the next milestone.

6.7. Designated Contacts. For each Statement of Work, each party will designate one or more individuals who will serve as the point(s) of contact between the parties. A party may designate a new contact by written notice to the other party. Customer’s point of contact must understand Customer’s processes and procedures as they relate to the management of protected health information and have a reasonable technical understanding of Customer’s data management systems. Customer’s point of contact must be available during business hours to confer with ClearDATA.

6.8 Customer Cooperation.

6.8.1 ClearDATA Maintenance. ClearDATA will perform scheduled maintenance during the maintenance window as detailed in the Service Description. If ClearDATA is required to perform maintenance outside of the maintenance window to address an unforeseen issue, ClearDATA will use reasonable efforts to notify you at least one (1) business day in advance of the maintenance. Maintenance notices will be sent electronically to the technical contacts listed on your account. You agree to promptly allow and provide reasonable cooperation including providing access to Your Cloud Platform and other assistance so that ClearDATA can perform scheduled and emergency maintenance, including patching, in a prompt and timely manner.

6.8.2 Public Cloud Provider Maintenance. ClearDATA will promptly communicate information it receives from Public Cloud Providers regarding scheduled and unscheduled maintenance.

6.8.3 Remediation. You must cooperate with ClearDATA’s investigation or remediation of Services outages, suspected security problems, or breaches of this Agreement.

6.8.4 Invoicing. You also agree to provide access to your Public Cloud Provider invoices within 24 hours of our request so that ClearDATA can calculate your fees and issue invoices promptly.

7. RESTRICTIONS

7.1 Medical Devices/High Risk Use. You may not use the Services or Software where use or failure or fault of the could lead to death or serious bodily injury of any person, or to physical or environmental damage. For example, you may not use, or permit any other person to use, the Services or Software as a component of or to operate any medical device or in connection with any aircraft or other mode of human transportation, or nuclear or chemical facilities.

7.2 Services Management Agent. You may not interfere with any services management software agent(s) that ClearDATA installs on the cloud environment. ClearDATA may use the agents to track system information, manage various service issues, and identify security vulnerabilities. Your Services will be considered “Unsupported Services” as described in Section 4 (Unsupported Services) as soon as you disable or interfere with ClearDATA’s services management agent(s).

7.3 Authorized Users. Only your personnel and the personnel of your contractors who are contractually limited to using the Services or Software in support of your business operations may use or access the Services or Software.

7.4 Export. In addition to your obligation to comply with the export laws applicable to you, you may not use the Services or Software in a way that causes ClearDATA to be in violation of the export laws of the United States or other jurisdiction from which the Services or Software are provided. For example, you may not authorize any person to use the Services or Software that is on the list of Specially Designated Nationals and Blocked Persons issued by the U.S. Treasury Department’s Office of Foreign Asset Control (OFAC) or who is located in or is a national of any country that is embargoed under United States export laws, or use or permit the use of the Services or Software to process or store any data that is subject to the International Traffic in Arms Regulations maintained by the U.S. Department of State.

8. FEES, PAYMENTS

8.1 Fees. You must pay the fees as stated in the Order. You must pay additional fees resulting from services you add through the Cloud Platform, auto-scaling systems or software defined capacity control mechanisms that increase your consumption or price of services. ClearDATA may pass through to you any fee increases from the Public Cloud Provider or other third party providers. ClearDATA may increase its fees after the Initial Term on 90 days notice. You may not offset any credit or other amount due to you from ClearDATA against fees due under this Agreement. Fees are non-refundable and must be paid in United States Dollars. You agree to provide ClearDATA prompt access to detailed cost and usage data from your Public Cloud Provider as it requires to calculate your fees.

8.2 Expenses. ClearDATA may require you to pay ClearDATA’s reasonable travel expenses for services performed onsite. Travel expenses include air and ground transportation, lodging and meals. ClearDATA will not incur any travel expenses unless you have approved them in advance in writing.

8.3 Invoices and Payments. Set up fees, required prepayments, and other one-time fees are due on the effective date of an Order. Recurring fees are invoiced monthly in arrears and are due upon receipt. Other fees are due upon receipt. ClearDATA may require you to pay its invoice for initial one-time fees prior to implementation or production use of the Services. ClearDATA may suspend all Services if your payment is refused and you do not pay the amount due within 4 business days of our written notice to your billing contact. You agree that if your Services are reinstated after a suspension for non-payment or otherwise, you will be required to pay then current list price for those Services going forward and ClearDATA may charge you $250 per hour for ClearDATA personnel’s time spent to reinstate the Services and you shall not be entitled to any discount for Services after reinstatement. ClearDATA may charge interest on overdue amounts at the lesser of 1.5% per month or the maximum legal rate. If any amount is overdue by more than 30 days and ClearDATA brings a legal action to collect, or engages a collection agency, you must also pay the reasonable costs of collection, including reasonable attorneys’ fees and court costs. Invoices not disputed within 90 days of invoice date are conclusively deemed accurate. ClearDATA is not obligated to issue any credit under an SLA while any fee is overdue or in dispute.

8.4 Fee Disputes. If you submit a reasonably detailed explanation of a good faith dispute of a fee and pay the undisputed amount of an invoice before it is overdue, ClearDATA will not exercise any rights or remedies available to it for non-payment for thirty days from your notice, provided that you continue to promptly cooperate with ClearDATA to resolve the dispute.

8.5 Taxes. All fees are stated exclusive of sales, use, VAT, GST or similar tax (“Sales Tax”) unless expressly stated otherwise in the Order. Unless you have provided an exemption certificate or direct pay permit, you must remit to ClearDATA any applicable Sales Tax. You represent and warrant that your address shown on the Order is the correct address for purposes of determining Sales Tax, and that all other information you have provided to ClearDATA for Sales Tax purposes is accurate and complete. If you are required by law to withhold from ClearDATA’ fees any amounts as a withholding or like tax, then the ClearDATA fees subject to this requirement are increased by an amount that results in ClearDATA’ payment net of the withholding being equal to the fee. You are not required to pay any tax that is assessed on the basis of ClearDATA’s net income.

9. TERM, TERMINATION, SUSPENSION

9.1 Term. The Term of the Agreement continues so long as an Order or Statement of Work is effective. The initial term for each Order begins on the start of implementation and continues for three (3) years. Orders automatically renew at the end of the initial term and each renewal term for an additional twelve (12) months. If ClearDATA terminates the Agreement or an Order for your breach, or you terminate the Agreement or an Order for convenience, you must pay an early termination fee as follows: (i) any implementation or set up fee that remains unpaid, plus (ii) the monthly recurring fees for the remaining part of the initial term or then-current renewal term, with monthly recurring fees to be determined by the higher of: (a) the initial estimated monthly recurring fees; and (b) the average of the fees for the prior months in the initial term or renewal term as the case may be.

9.2 Termination for Material Breach. Either party may terminate the Agreement if the other party is in violation of a material term of the Agreement and, if the breach is curable, has not cured the breach within thirty (30) days of the other party’s written notice describing the breach in reasonable detail. ClearDATA may terminate the Agreement if you violate the AUP more than once, even if each the breach is cured. Failure to pay amounts due for more than (60) sixty days is a material breach.

9.3 Termination Other than for Breach. ClearDATA may terminate the Agreement on ninety (90) days advance written notice if its Public Cloud Provider materially alters its services in a way that makes the ClearDATA service commercially infeasible, or if there is an infringement claim that makes the provision of the Services commercially infeasible and ClearDATA is not able to resolve the claim through the use of commercially reasonable efforts. Either party may terminate the Agreement if the other party is insolvent or files for bankruptcy or similar protection. Neither party has any liability with respect to a termination under this Subsection.

9.4 Reserved Services. A “reserved” Service is a Public Cloud Provider Service that is designated in the Order or other written agreement as “reserved,” “committed,” or with similar terminology. You must pay the fees for the entire term of a reserved service even if you do not use it and reserved services are not terminable during the committed period.

9.5 Suspension. ClearDATA may suspend access to the Software and Services, in whole or in part, during any period that you are in material breach of this Agreement or as reasonably necessary to address a serious potential security vulnerability that it discovers or reasonably suspects. ClearDATA will give you at least two (2) business days’ advance notice of the suspension, unless circumstances require suspension on less notice. ClearDATA will reinstate your access to the Software and Services when the grounds for suspension are cured unless ClearDATA has already terminated the Agreement as described in this Section 9.

9.6 Survival. The following terms survive expiration or termination of the Agreement: Section 1 (Definitions) to the extent the terms defined are used in other surviving sections, Section 7 (RESTRICTIONS), Section 8 (Fees, Payments), 9 (Term, Termination, Suspension), Section 10 (Confidential Information), Section 12 (Limits on Liability), Section 13 (Notices), Section 14 (General), other terms that are expressly stated to survive termination, and terms that by their nature should reasonably be expected to survive termination.

9.7 Preservation of Data. Unless earlier destruction of Your Data is required by HIPAA, ClearDATA will make Your Data available for a complete and secure (i.e. encrypted and appropriated authenticated) download for sixty (60) days after termination or expiration of the relevant Order or CCSA. After such sixty (60) day period, ClearDATA shall have no obligation to maintain or provide Your Data to You and shall, unless legally prohibited, delete all of Your Data in its systems or otherwise in its possession or under its control.

10. CONFIDENTIAL INFORMATION

Neither party may use the other party’s Confidential Information except in connection with the performance or use of the Services, as applicable, the exercise of the party’s legal rights under this Agreement, or as may be otherwise permitted under this Agreement or required by law. Each party agrees not to disclose the other party’s Confidential Information to any third person except as follows: (i) to the party’s respective service providers, agents and representatives, provided that such service providers, agents or representatives are bound by written confidentiality measures that are provide similar protection as these terms; (ii) in response to a subpoena or other compulsory legal process, provided that each of us agrees to give the other reasonable advance written notice under the circumstances prior to disclosure, unless the law or a reasonable interpretation of it, forbids such notice; or (iii) as required by law, such as a requirement under a data privacy regulation that a notice of data breach be given to a supervisory authority or regulatory agency. On expiration or earlier termination of the Agreement, each party will return or destroy the other party’s Confidential Information. ClearDATA’s obligations to safeguard Your Data and Your Application are defined and covered by obligations relating to the Security Safeguards not this Section. For Confidential Information other than Your Data and Your Application, ClearDATA will use commercially reasonable care to prevent its unauthorized use, disclosure, corruption and deletion. You will use commercially reasonable care to protect ClearDATA’s Confidential Information. Both parties are responsible for a breach of this Section by its service providers, agents and representatives to whom it has disclosed the other party’s Confidential Information. The parties’ obligations under this section are intended to be separate and distinct from their other obligations under this Agreement with respect to privacy, compliance and security.

11. INDEMNIFICATION

11.1 ClearDATA Indemnification of You. ClearDATA will defend, indemnify and hold harmless you, your affiliates, officers, directors and personnel (“Your Indemnitees”) from final judgments and related attorney fees and other third party litigation related expenses as incurred (“Losses”) that result from claims by a party not affiliated with you or Your Indemnitees, to the extent these claims: (i) arise from ClearDATA’s material breach of obligations covering the Security Safeguards, or Section 10 (Confidential Information) (provided however that this Section 11.1(i) does not apply to any Service not covered by a BAA) or (ii) assert that your use of the Services as permitted by the Agreement infringes their intellectual property rights in the United States or the European Economic Area. ClearDATA’s obligations under this subsection do not extend to a claim that is covered by your indemnification of ClearDATA, that is based on your failure to satisfy your obligations under this Agreement or your violation of Section 7 (“Restrictions”), your combination of the Services with technology not provided by ClearDATA, your unauthorized change to the Cloud Platform, Software, or Services, or ClearDATA’s compliance with your specific directives (the “Exclusions”).

11.2 Your Indemnification of ClearDATA. You will defend, indemnify and hold harmless ClearDATA, its affiliates, suppliers, and licensors, and each of their officers, directors and personnel (the “ClearDATA Indemnitees”) against Losses arising from claims by a party not affiliated with ClearDATA or the ClearDATA Indemnities: (i) by your customers, end users, providers of Your Application, or data subjects whose Personal Data is included in Your Data, except where such claim arises from ClearDATA’s material breach of obligations covering the Security Safeguards or Section 10 (Confidential Information), (ii) asserting Your Application, Your Data or an Unsupported Service, infringes or violates the intellectual property rights or other rights of a third party in the United States or the European Economic Area, (iii) that is an Exclusion (defined in Section 11.1) or (iv) asserts conduct that is a violation of the Agreement. Your obligations under this subparagraph include claims arising out of the acts or omissions of your personnel, agents, and authorized users, any other person to whom you have given access to the Cloud Platform, Software, or Services, and any person who gains access to any of them as a result of your failure to use reasonable security precautions, even if the acts or omissions of such persons were not authorized.

11.3 Procedures. The indemnified party must give notice of the indemnified claim to the indemnifying party within ten (10) days of the date the claim, or threat of a claim, is made in writing, provided that failure to give notice within the ten (10) day period does not relieve the indemnifying party of its obligations under this Section except to the extent the delay prejudices the defense of the claim. ClearDATA has the right to select counsel to defend any indemnified claim under this Section, and has the right to control the defense of the claim, except that you may participate in the defense of the claim at your option and expense, with counsel of your choice. You must comply with any ClearDATA request for information or cooperation regarding the defense of the claim. ClearDATA may settle any indemnified claim, in its discretion, provided that the settlement fully resolves your liability and does not require you or Your Indemnitees to make an admission of culpability.

12. LIMITATIONS OF LIABILITY

12.1 NO CONSEQUENTIAL, INDIRECT DAMAGES. EXCEPT FOR CLAIMS ARISING FROM A PARTY’S BREACH OF SECTION 10 (CONFIDENTIAL INFORMATION), OR CLAIMS BASED ON THE PARTY’S INTENTIONAL BREACH OF THE OTHER PARTY’S INTELLECTUAL PROPERTY RIGHTS, NEITHER PARTY NOR ITS AFFILIATES, LICENSORS, SUPPLIERS OFFICERS, DIRECTORS, PERSONNEL, OR SUBCONTRACTORS IS LIABLE TO THE OTHER FOR ANY LOST PROFITS, LOST REVENUE, LOST BUSINESS OPPORTUNITY, OR ANY INDIRECT, SPECIAL, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL LOSS OR DAMAGE OF ANY KIND, OR ANY LOSS OR DAMAGE THAT COULD HAVE BEEN AVOIDED BY THE CLAIMING PARTY’S REASONABLE MITIGATION, EVEN IF THE OTHER PARTY HAS BEEN ADVISED OF OR SHOULD BE AWARE OF THE POSSIBILITY OF SUCH DAMAGES. For avoidance of doubt, Losses covered under Section 11 (Indemnification) are not excluded by this Subsection.

12.2 MAXIMUM LIABILITY. NOTWITHSTANDING ANYTHING TO THE CONTRARY IN THIS AGREEMENT, EXCLUDING: (I) CLAIMS ARISING FROM A PARTY’S GROSS NEGLIGENCE, RECKLESSNESS, OR INTENTIONAL TORT, (II) CLAIMS ARISING FROM A PARTY’S BREACH OF SECTION 10 (CONFIDENTIAL INFORMATION), (III) CLAIMS BASED ON THE PARTY’S INTENTIONAL INFRINGEMENT OR MISAPPROPRIATION OF THE OTHER PARTY’S INTELLECTUAL PROPERTY RIGHTS, AND (IV) PAYMENT OBLIGATIONS UNDER SECTION 8 (FEES, PAYMENTS), THE MAXIMUM AGGREGATE LIABILITY OF A PARTY AND ITS AFFILIATES, LICENSORS, SUPPLIERS AND SUBCONTRACTORS UNDER OR IN CONNECTION WITH THIS AGREEMENT FOR ANY TYPE OF DAMAGES SHALL NOT EXCEED THE GREATER OF ONE HUNDRED THOUSAND DOLLARS ($100,000.00) OR THE FEES PAID OR PAYABLE BY YOU UNDER THE ORDER GIVING RISE TO THE CLAIM FOR THE 12 MONTHS PRECEDING THE EVENT GIVING RISE TO THE CLAIM. the maximum aggregate monetary limit stated in this subsection is not “per incident” but is an aggregate limitation applicable to all claims arising under or regarding this Agreement.

12.3 Other. You acknowledge ClearDATA has set its prices and entered into this Agreement in reliance on the limitations of liability stated in this Section 12, and that these limitations reflect an agreed allocation of risk between the parties. These limitations apply from any cause of action whatsoever, whether in contract, tort, commercial code, strict liability or otherwise, even if a limited remedy fails of its essential purpose. Nothing in this Subsection precludes a party from seeking any available specific enforcement, injunctive relief or other non-monetary equitable remedy. If these limitations as written are not permitted by applicable law, they shall apply to the extent permitted.

13. NOTICES

Unless another method of notice is expressly required by this Agreement, notices must be given by electronic mail. ClearDATA’s notice to you must be given to your primary account contact. Your notices to ClearDATA must be given to support@cleardata.com. Your notice of breach of this Agreement, request for indemnification or other legal matters must be copied to legalnotice@cleardata.com with a copy mailed via 1^st class United States mail to ClearDATA Networks, Inc., ATTN CHIEF FINANCIAL OFFICER, 835 West 6^th Street, 12^th Floor, Austin, Texas 78703.

14. GENERAL

14.1 Order Process. You may offer to purchase ClearDATA services by signing and submitting an Order, service order or other document provided to you by ClearDATA for your signature. Your offer is legally binding on ClearDATA and becomes effective if ClearDATA accepts the offer, either by signing and returning the form to you, or beginning to provide the services described in the form you signed. No change to a ClearDATA order form binds ClearDATA unless it has been made by ClearDATA prior to your signature and then signed by ClearDATA.

14.2 Non-Solicitation. Neither party shall directly or indirectly solicit any personnel of the other party with whom it has interacted in connection with the Agreement to terminate their employment with the other party, provided however, that this Section does not restrict a party from employing an individual who responds to a general employment advertisement or notice. This restriction shall survive expiration or termination of the Agreement for a period of twelve (12) months.

14.3 General Warranty. Each party represents and warrants to the other that: (i) it has the right, power, and authority to enter into the Agreement and to fully perform its obligations under the Agreement; and (ii) the making of the Agreement does not violate any agreement existing between it and any third party. You represent to ClearDATA that the information you have provided to ClearDATA to establish your account is accurate and complete. The individual signing the Order represents that he or she has the authority to bind the entity named in the Order.

14.4 Rights in Data. ClearDATA may use your Personal Data to provide data aggregation services, in a manner that meets the HIPAA Privacy Rule de-identification requirements, and otherwise complies with the requirements for data aggregation services stated in HIPAA and the BAA.

14.5 Publicity. You agree ClearDATA may publicly disclose that it is providing Services to you and may use your name and logo in its online, printed and other marketing and publicity materials to identify you as a ClearDATA customer, subject to your reasonable trademark usage guidelines. ClearDATA may use any quotation provided or approved by you for marketing purposes in a press release or other publicity.

14.6 Assignment, Subcontractors. Either party may assign this Agreement without the other party’s prior written consent: (a) in connection with the sale of all or substantially all of its assets; (b) to the surviving entity in any merger or consolidation; (c) to an affiliate; or (d) to satisfy a regulatory requirement imposed upon a party by a governmental body with appropriate authority, provided, however, that as a predicate for an assignment by you, in each case your assignee must have a financial standing and creditworthiness equal to or better than yours, as reasonably determined by ClearDATA, through a generally accepted, third party credit rating index (i.e. D&B, S&P, etc). Any other assignment requires the prior written consent of the other party without which the assignment is null and void. ClearDATA may use subcontractors to perform all or any part of the Services, but remains responsible to you under this Agreement for Services performed by its subcontractors to the same extent as if ClearDATA performed the Services itself. Certain ClearDATA subcontractors require ClearDATA to include the following clauses: (i) none of ClearDATA’s subcontractors make any representations or warranties to you under this Agreement, and none of them has any liability directly to you in connection with the Services or any direct indirect, incidental or consequential damages arising from your use of the Services; (ii) you acknowledge that ClearDATA is not an agent for Amazon Web Services, Inc., Google, Inc., Microsoft Corporation, or its other subcontractors, and that ClearDATA and its subcontractors are independent contractors and not partners or joint venturers.

14.7 Third Party Technology and Services. Third Party Technologies are not part of the Services. Unless otherwise expressly agreed in an Order, ClearDATA has no obligation to support or maintain any Third Party Technology, and makes no warranty, covenant or representation whatsoever regarding any Third Party Technology including whether they are HIPAA compliant, or regarding the interoperability between the Third Party Technology and the Services. ClearDATA may, but is not obligated to, assist you in the use of a Third Party Technology, but any such assistance is provided AS IS. Your use of the third party’s services is governed by your separate agreement with the third party. ClearDATA may disclose to the third party information about you and your use of their services in accordance with the agreement between you and the third party to the same extent as if the third party collected information directly from you.

14.8 Disputes.

14.8.1 Mediation. Except for a request for temporary injunctive or other equitable relief, each party agrees that it shall not file a lawsuit or other legal action in connection with this Agreement unless it has first given the other party written notice of the dispute, and attempted to resolve the dispute through good faith negotiation. At the request of either party, the dispute will be submitted for non-binding mediation conducted by a mutually acceptable mediator in Travis County, Texas consent to not be unreasonably withheld, costs to be split evenly. If the dispute is not resolved through negotiation or mediation within forty-five (45) days of the date of the initial demand for mediation, the parties may file suit.

14.8.2 Jurisdiction, Venue, Law. Any lawsuit or other legal action related to this Agreement shall only be brought in state or federal courts having jurisdiction over Austin, Texas. Neither party shall dispute the jurisdiction, convenience, or venue of such courts. This Agreement is governed by and interpreted under the laws of the State of Texas, without giving effect to conflicts of law principles. The parties expressly waive the application of the United Nations Convention on Contracts for the International Sale of Goods and the Uniform Computer Information Transactions Act. Neither the Services nor the Software are “goods” covered by any version of the Uniform Commercial Code.

14.8.3 Waiver of Jury Trial. To the extent permitted by applicable law, each party waives the right to a trial by jury in respect of any dispute arising out of this Agreement.

14.8.4 Prevailing Party Entitled to Fees and Costs. The prevailing party in any action to enforce this Agreement, including an action for equitable relief, may recover its costs and expenses of the action from the other party, including reasonable attorney fees.

14.8.5 Expenses Arising from Legal Disputes, Subpoenas Regarding Your Account. In addition to your indemnification obligations, you must also pay or reimburse ClearDATA’s reasonable actual attorneys’ fees and other expenses incurred in connection with any dispute between persons having a conflicting claim to control of your account, or to comply with any third-party subpoena, warrant or other mandated disclosure that is unrelated to any claim between you and ClearDATA.

14.9 Force Majeure. Except for your payment obligations, neither party is in violation of the Agreement if the failure to perform is due to an event beyond that party’s reasonable control, such as a significant failure of the power grid or Internet, denial of service attacks, natural disaster, war, riot, insurrection, epidemic, strikes or other organized labor action, terrorism, or other acts or events for which precautions are not generally taken in the industry.

14.10 Interpretations of Certain Words. The term “person” refers to any legal person, and may mean a natural person (individual), a legally created person (entity, trustee, or executor), or an entity (corporation, partnership, or limited liability company). The term “law” refers to statutes, regulations, executive orders, and other legally binding rules issued by a government agency having jurisdiction. Unless otherwise defined, the words “business day” means Monday – Friday, 9:00 a.m. – 5:00 p.m., United States Central Time, excluding federal holidays in the United States. The word “affiliate” refers to an individual or entity that controls, is controlled by, or is under common control with the person referred to, where control means ownership of the majority of voting interests of an entity or the right to control the policies of the entity by means of a controlling number of seats on the entity’s governing body. Any requirement that a statement be written is satisfied by an email or other digital form of writing unless expressly stated otherwise. Section captions are for convenience only; they are not part of this Agreement and may not be used to interpret the terms of this Agreement.

14.11 Relationship Between the Parties. The parties are independent contractors, and neither party is the agent of the other or has the right to bind the other on any contract with a third party. The use of the words “partner” or “partnership” in this Agreement or otherwise refers only to a business relationship, and does not create or reflect any legal partnership, joint venture, or other fiduciary or other special relationship between the persons described as partners. Nothing in this Agreement creates an obligation of exclusivity or non-competition.

14.12 Modifications.

14.12.1 Changes to Online Terms. From time to time ClearDATA may modify the Web-published portions of the Agreement. Modifications are effective as to any Order that is signed after the date the modified version is published, and are effective as to existing Orders as of the first renewal term that begins after the modification is published. If you execute a new Order that modifies an existing cloud environment, then the version of the Agreement or any portion thereof that is published on or after the date of that new Order controls as to all Orders for Services for that cloud environment.

14.12.2 Changes to Customer Specific Documents. A document that is part of the Agreement, executed by the parties and includes terms that deviate from ClearDATA’s web-published terms may be modified only by an amendment that is signed by the parties.

14.13 Order of Precedence. If there is a conflict between the documents that comprise the “Agreement,” the documents control in the following decreasing order of precedence: the Order, this CCSA, the AUP, the SLA, and any other document that is part of the Agreement, except that, any Business Associate Agreement that is incorporated into the Agreement by means of an Order shall apply in lieu of any BAA referenced in this CCSA.

14.14 Federal Agency Users. The Services were developed solely at private expense and are commercial computer software and related Service Description within the meaning the Federal Acquisition Regulations and applicable agency supplements.

14.15 Third Party Beneficiaries. Unless and to the extent specifically stated otherwise in some other section of this Agreement, there are no third-party beneficiaries to this Agreement. Neither party’s customers, end users, suppliers, or other person shall have the right to enforce this Agreement.

14.16 Severability. In the event one or more of the terms of this Agreement are adjudicated as invalid, illegal, or unenforceable, the adjudicating body may either interpret this Agreement as if such terms had not been included, or may reform such terms to the limited extent necessary to make them valid, legal or enforceable, consistent with the economic and legal incentives underlying the Agreement.

14.17 Waiver. Except as otherwise provided herein, no right or remedy arising regarding this Agreement shall be waived by a course of dealing between the parties, or a party’s delay in exercising the right or remedy. A party may waive a right or remedy only by signing a written document that expressly identifies the right or remedy waived. Unless expressly stated in the waiver, a waiver of any right or remedy on one occasion will not be deemed a waiver of that right or remedy on any other occasion, or a waiver of any other right or remedy.

14.18 Counterparts, Signatures. This Agreement may be signed in multiple counterparts, which taken together shall be read as one Agreement. A signed agreement transmitted by facsimile, email attachment, or other electronic means shall be considered an original. The parties agree that electronic or digital signatures shall be given the same effect as a manual signature.

The Agreement is the complete and exclusive agreement between the parties regarding its subject matter and supersedes and replaces in their entirety any prior or contemporaneous agreement or understanding, written or oral. The parties represent to each other that they have not entered into the Agreement in reliance on any statement other than those included in the Agreement.

CCSA Revision Date November 2020