CLOUD COMPUTING SERVICES AGREEMENT
This Cloud Computing Services Agreement (this “Agreement” or “CCSA”) is entered into between ClearDATA Networks, Inc., a Delaware corporation (“ClearDATA”) and the company identified in the signature block to this CCSA (“Customer”) (each a “Party” and collectively the “Parties”). This CCSA is effective as of the date this Agreement is executed by the last Party (“Effective Date”).
For good and valuable consideration, the receipt of which is hereby acknowledged, the Parties agree as follows:
- DEFINED TERMS. Capitalized terms have the meanings given in this section, or in the section where they are used.
Acceptable Use Policy or AUP means the ClearDATA Acceptable Use Policy published at https://www.cleardata.com/legal/acceptable-use-policy-032118.
Administrative Contact means an individual who has authority to make changes to Customer’s Public Cloud Provider Service implementation and approve adoption of new features as further described in Section 6.4(Access Control Lists and Account Information).
Agents means services management software that ClearDATA installs on the Public Cloud Provider environment.
Agreement means, collectively, this CCSA, the SOW(s)and any document referenced in or attached to any of them.
Authorized Users means Customer personnel and Customer contractor personnel authorized by Customer to use the Services or Software in support of Customer’s business operations.
Build Sheet is a specification of the implementation of Customer’s Public Cloud Provider Services.
Business Associate Agreement or BAA is the Business Associate Agreement or Subcontractor Business Associate Agreement, as referenced in Subsection 4.1 (HIPAA BAA) or Subsection 4.2 (HIPAA Subcontractor BAA), as applicable to Customer.
Business Associate has the meaning given in HIPAA.
ClearDATA Data means all data developed by ClearDATA in the course of providing Services pursuant to this Agreement, including but not limited to Usage Data and De-identified Data (as that term is defined by HIPAA). ClearDATA Data excludes any Customer Data.
Compliance Reference Architecture is a document or set of documents that provides recommended structures and integrations of cloud products and services, including diagrams, code, dependencies and instructions to ensure compliance with regulatory and security framework requirements to form a solution appropriate for PHI and PII.
Confidential Information means information disclosed by one Party to the other Party, on any media, whether before or after the Effective Date that: (i) the recipient should reasonably understand to be confidential, such as (A) for Customer, all information transmitted to or from, or stored on, the Public Cloud Provider Services, and (B) for ClearDATA, this Agreement, prices and other terms of service, audit and security reports, product features, functionality and development plans, network configuration, vendors and other proprietary information or technology, or (ii) is marked or otherwise conspicuously designated as confidential by the disclosing Party. Confidential Information includes information disclosed by making tangible objects or premises available for inspection. Confidential Information does not include information that: (i) is or becomes publicly known through no fault of recipient or persons to whom recipient has rightfully disclosed the Confidential Information, (ii) is or becomes rightfully known by recipient without confidential or proprietary restriction from a source other than discloser who, to recipient’s knowledge, does not owe a duty of confidentiality to discloser with respect to such information; (iii) is or was developed by recipient without the use of or reference to the Confidential Information of discloser.
Covered Entity has the meaning given in HIPAA.
Customer Application means the software application(s) that Customer operates on a cloud environment and any related computer code or information, including any automation tools and third-party components.
Customer Data means any PHI or Personal Data transferred by Customer to ClearDATA, or to which Customer provides access to ClearDATA through the use of Services.
Customer Portal means the ClearDATA proprietary web portal or its successor that is used for interaction with ClearDATA products and services currently found at https://foundation.cleardata.com.
De-Identified Data has the meaning ascribed to it in the HIPAA Privacy Rule.
Hardened Images a snapshot of a virtual machine (VM) used to create a running instance in a virtual environment hardened to reduce system vulnerabilities to help protect against denial of service, unauthorized data access and other cyber threats.
HIPAA means the Administrative Simplification Subtitle of the Health Insurance Portability and Accountability Act of 1996, as amended by Subtitle D of the Health Information Technology for Economic and Clinical Health Act, and their implementing regulations, including the Privacy Standards adopted by the U.S. Department of Health and Human Services as they may be amended from time to time, 45 C.F.R. Part 160 and Part 164, Subparts A and E (the “Privacy Rule”), the Security Standards adopted by the U.S. Department of Health and Human Services as they may be amended from time to time, 45 C.F.R. Part 160 and Part 164, Subpart A and C (the “Security Rule”), the Breach Notification Standards adopted by the U.S. Department of Health and Human Services , as they may be amended from time to time, 45 C.F.R. Part 164, subpart D.
HIPAA Compliant Service means a Public Cloud Provider Service that is listed as a HIPAA Compliant Service in the Service Descriptions.
HIPAA Eligible Service means a Public Cloud Provider Service that the Public Cloud Provider has deemed eligible to host, transmit, or process PHI but ClearDATA has not listed as a HIPAA Compliant Service. However, if Customer hosts, transmits, or processes PHI with a HIPAA Eligible Service that is not listed as a HIPAA Compliant Service, Customer is responsible for deploying its own safeguards to ensure HIPAA compliance.
HITRUST means the Health Information Trust Alliance, or its successor.
Intellectual Property means, on a worldwide basis, any and all tangible and intangible: (i) copyrights; (ii) trademarks, service marks, logos, trade dress, trade names, and the goodwill associated therewith; (iii) rights relating to know-how or trade secrets; (iv) patents; (v) rights in domain names, universal resource locator addresses, telephone numbers (including toll free numbers), and similar identifiers; (vi) all other intellectual and industrial property rights of every kind and nature, however designated, whether arising by operation of law, contract, license or otherwise; and (vii) all registrations, initial applications (including intent to use applications), renewals, extensions, continuations, divisions, or reissues of any of the foregoing now or hereafter in force (including any rights in any of the foregoing).
Managed Services means ClearDATA’s provisioning and management of Customer’s access to and use of the Software and Customer’s Public Cloud Provider Services as described in the Service Descriptions.
Onboarding includes the initial deployment of the ClearDATA environment and configuration and provisioning of Public Cloud Provider Services. Scope and requirements will be reviewed during the Onboarding Kick-Off.
Personal Data or PII means information about an identified or identifiable natural person, including information that may be used to identify an individual or with respect to which there is a reasonable basis to believe the information can be used to identify an individual. Specifically, but without limitation, Personal Data includes all of the following: (i) “electronic protected health information” as that term is defined in HIPAA, (ii) name, (iii) contact information such as phone, email, or physical address, (iv) user names and access codes for online services, (v) health insurance account numbers and access information, (v) financial account numbers and access information, (vii) device numbers, IP addresses or other means of identification to a particular computing or communication device or Internet address, (viii) identification numbers such as social security or driver’s license numbers, (ix) unique identifiers that are intended to associate a record with an individual, (x) photographs, and (xi) biometric information.
Professional Services means configuration, installation and other services designated as professional services in a SOW.
Protected Health Information or PHI has the meaning given in HIPAA.
Public Cloud Provider means the provider of Public Cloud Provider Services and related services as identified in a SOW, such as Amazon Web Services, Inc. for AWS®, Google, Inc. for GCP®, and Microsoft Corporation for Azure®.
Public Cloud Provider Service means cloud infrastructure and related software or service functionality delivered by a Public Cloud Provider.
Responsibility Matrix or RACI means the applicable RACI chart(s) or assignments of responsibility as described in the Service Descriptions that state which Party or other entity is “responsible,” “accountable,” “consulted,” and “informed” as to activities or decisions for the Services.
Security Safeguards means the security controls and safeguards requirements set forth in the relevant RACI and the BAA.
Service Descriptions means the descriptions of the Services and of the features, functions and approved configurations of the Services.
Service Level Agreement or SLA means an agreement that describes the response times and other commitments with respect to the performance of the Managed Services and Software Support.
Services means Managed Services, Professional Services and Software Support provided by ClearDATA, as defined in their Service Descriptions.
Service Term or Term is defined in Section 9 (Term, Termination, Suspension).
Software means the ClearDATA software products listed in a SOW and as described in a Service Description.
Software Support means technical product assistance for Software as described at http://www.cleardata.com/services.
Statement of Work or SOW means a statement of work that references this CCSA.
Supported Services are Public Cloud Provider Services that are available for Customer’s use and listed as a Supported Service in the Service Descriptions. A Supported Service is eligible to host, transmit or process PHI and PII only if specifically described as such.
Third Party Technology means a technology product or service that Customer purchases or licenses directly from a third party or through ClearDATA for use with your Workload that is not covered by the Service Description or RACI.
Unsupported Service means: (i) Third Party Technology or a Public Cloud Provider Service that is not listed as a Supported Service; (ii) any item designated in a SOW or other agreement as “unsupported,” “one-off” “non-standard” “non-compliant,” “end of life,” “eol,” “custom service”; and (iii) a Public Cloud Provider Service used by Customer to store, transmit or process unencrypted PHI or PII.
Usage Data means statistical data and other information collected by ClearDATA with respect to Customer’s use of the Services, Software and/or the Customer Portal in aggregated or as De-identified Data.
Workload means a collection and configuration of customer resources, services, and code that is required for discretely enabling the execution of an application or technology process.
- OWNERSHIP, LICENSES AND INTELLECTUAL PROPERTY
2.1 Ownership. As between Customer and ClearDATA, Customer retains ownership of any Customer Data, Customer Confidential Information, and any Intellectual Property that Customer transfers to ClearDATA or to which ClearDATA has access in providing the Services. As between Customer and ClearDATA, ClearDATA retains ownership of ClearDATA Confidential Information, ClearDATA Data, the Software, ClearDATA Intellectual Property and the Customer Portal.
2.2 Limited License.
2.2.1 ClearDATA License to Customer. During the Term, ClearDATA grants Customer, subject to the terms and conditions of this CCSA and any SOW, including but not limited to payment of the proper fees and compliance with the other obligations and limitations of the CCSA, a limited, non-exclusive, non-transferable, non-sublicensable license to use the ClearDATA Confidential Information, the Customer Portal and Software solely for purposes of using ClearDATA Services. Customer may not, and may not authorize or allow any third-party, to use any of the foregoing to: (i) gain unauthorized access to any portion of them; (ii) copy, modify, change or otherwise prepare derivative works of any part of them; (iii) transmit malicious code through them; (iv) reverse engineer, disassemble, or decompile or otherwise attempt to reconstruct, identify or discover any source code, underlying ideas, user interface techniques, or algorithms used by any part of them; (v) use them for fraudulent or illegal activities; (vi) input, upload, transmit or otherwise provide to or through them, any information or materials that are unlawful or injurious to ClearDATA or the rights of any third parties; or (vii) use them for any purpose not expressly permitted by this Agreement. All rights not expressly granted to Customer are reserved by ClearDATA, and Customer has no other or different rights or privileges (implied, by estoppel, or otherwise).
2.2.2 Customer License to ClearDATA. Customer grants ClearDATA a worldwide, non-exclusive, perpetual, royalty-free, fully paid-up license to use Usage Data for business and marketing purposes, including improving the operation of the Services (including development, maintenance, support, and training services), developing products and services, creating benchmarks, performing research, conducting statistical analysis, and distributing aggregated statistics. Neither Party may remove any proprietary rights notices included by the other Party on its Intellectual Property.
2.3 Feedback. Customer hereby grants ClearDATA a perpetual, irrevocable, worldwide license to use any Feedback (as defined below) Customer communicates to ClearDATA during the Term, without compensation, without any obligation to report on such use, and without any other restriction. ClearDATA’s rights to Feedback include, without limitation, the right to commercially exploit Feedback in any way, as well as the right to grant sublicenses under copyright, patent, and any other form of intellectual property. Notwithstanding anything to the contrary in this Agreement or any SOW, Feedback will not be considered Customer’s Confidential Information or its trade secret. For purposes of this section, Feedback refers to any suggestion or idea for modifying or improving any of ClearDATA’s products, including but not limited to the Software and Services.
- CLEARDATA SERVICES
3.1 HIPAA Compliance. ClearDATA will provide the Software and Services in compliance with HIPAA as specified in the applicable parts of its HITRUST Certification and the BAA.
3.2 Security. ClearDATA is responsible for a security breach to the extent it results from its failure to act in accordance with the Security Safeguards.
3.3 Customer Data and Applications. Software and Services do not include ClearDATA’s design, development or management of Customer Application(s) or Customer Data, HIPAA standard transactions processing, or maintenance of a “designated record set” (as defined in HIPAA). ClearDATA will interact with Customer Application(s) Customer Data only to the extent necessary to provide the Services.
3.4 Changes to Software and Services. ClearDATA may, from time to time, in its sole discretion, make changes, updates or improvements to the Software, Services and any other offerings so long as any such changes do not materially reduce the core functionality set forth in the Service Description or any SOW. ClearDATA will use reasonable efforts to notify Customer prior to implementing any material changes. Customer agrees to utilize the most recent version of the Services and Software made available to Customer.
3.6 Unsupported Services are provided AS IS. ClearDATA is not liable for any loss or damage from the use of Unsupported Services. Customer will not use Unsupported Services to store, transmit or process PHI or PII, as Unsupported Services may not interoperate successfully with ClearDATA Services. ClearDATA has no obligation to provide Managed Services or Software Support for Unsupported Services. SLAs do not apply to Unsupported Services or any other aspect of the Services that are adversely affected by an Unsupported Service.
3.7 Third Party Technology and Services. Third Party Technologies that the Customer provides are not part of the Services. Unless otherwise expressly agreed in a SOW, ClearDATA has no obligation to support or maintain any Third Party Technology, and makes no warranty, covenant or representation whatsoever regarding any Third Party Technology including whether they are HIPAA compliant, or regarding the interoperability between the Third Party Technology and the Services. ClearDATA may, but is not obligated to, assist Customer in the use of a Third-Party Technology, but any such assistance is provided AS IS. Customer’s use of the third party’s services is governed by Customer’s separate agreement with the third party. ClearDATA may disclose to the third-party information about Customer and Customers’ use of their services in accordance with the agreement between Customer and the third party to the same extent as if the third party collected information directly from Customer.
3.8 Quality-Regulated Systems. Customer may not use the Software and Services as part of a quality-regulated system, such as a process regulated by the United States Food, Drug and Cosmetic Act, until Customer signs an Addendum for such use.
3.9 GDPR. Customer may not use the Software and Services for data that is subject to the European Union’s General Data Protection Regulation (“GDPR”) until Customer signs an Addendum for that use.
- HIPAA BUSINESS ASSOCIATE AGREEMENT AND HITRUST CERTIFICATION
4.1 Business Associate Agreement. If Customer is a HIPAA Covered Entity and ClearDATA is Customer’s Business Associate, then the HIPAA Business Associate Agreement published at http://www.cleardata.com/legal/business-associate-agreement/ shall be effective and fully incorporated herein as of the Effective Date of this CCSA.
4.2 Business Associate Subcontractor Agreement. If Customer is a Business Associate of a Covered Entity and ClearDATA is Customer’s Business Associate Subcontractor, then the HIPAA Business Associate Subcontractor Agreement published at http://www.cleardata.com/legal/subcontractor-business-associate-agreement/ shall be effective and fully incorporated herein as of the Effective Date of this CCSA.
4.3 HITRUST CERTIFICATION. ClearDATA will maintain a certification of compliance with the HITRUST Common Security Framework (“HITRUST Certification”). ClearDATA may, at its option, substitute an equivalent security framework, such as the AICPA Service Organization Controls or ISO 27017, upon ninety (90) days’ advance written notice to Customer. If Customer objects to the new framework, Customer’s sole remedy is to terminate the Agreement under Section 9 for convenience.
- SERVICE COMMITMENTS, WARRANTIES AND WARRANTY DISCLAIMERS
5.1 Services. Services shall be provided in material conformity with the SLA and Service Descriptions.
5.2 Software. Software shall perform in material conformity with the SLA and Service Descriptions.
5.3 Software Support. ClearDATA will provide Software Support in a good and professional manner consistent with the SLA and applicable industry standards.
5.4 Intellectual Property. ClearDATA warrants that Customer’s use of the Services as permitted by this Agreement and any applicable SOW will not infringe the intellectual property rights of any unaffiliated third party, provided, however, that ClearDATA’s sole obligation with respect to a breach of this warranty is indemnification for third party claims as provided in Subsection 11.1 (ClearDATA Indemnification of Customer).
5.5 Additional Services. If ClearDATA provides incidental or ad-hoc assistance that is not part of the Services it is provided on an AS IS, AS AVAILABLE basis.
5.6 WARRANTY DISCLAIMER. EXCEPT FOR THE WARRANTIES EXPRESSLY STATED IN THIS SECTION 5, CLEARDATA, ITS SUPPLIERS, LICENSORS AND SUBCONTRACTORS MAKE NO REPRESENTATIONS OR WARRANTIES WHATSOEVER AND EXPRESSLY DISCLAIM ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND ANY WARRANTY THAT WOULD HAVE OTHERWISE ARISEN THROUGH A COURSE OF DEALING. CLEARDATA DOES NOT WARRANT THAT THE SERVICES OR SOFTWARE OPERATION WILL BE UNINTERRUPTED, MEET THE REQUIREMENTS OF CUSTOMER OR ANY OTHER PARTY, BE ERROR FREE, OR PROVIDE PERFECT PROTECTION FROM ALL VULNERABILITIES OR SECURITY ATTACKS, INTRUSIONS, OR SECURITY INCIDENTS. IF APPLICABLE LAW REQUIRES A WARRANTY NOTWITHSTANDING THIS LIMITATION, THEN THE WARRANTY IS MADE FOR A PERIOD OF 30 DAYS FROM THE DATE THE WARRANTY IS DEEMED TO HAVE BEEN MADE.
- CUSTOMER OBLIGATIONS
6.1 Account Security. Customer will comply with the encryption, security measures and other responsibilities documented in the RACI applicable to a SOW, the Build Sheet and the relevant Service Description. Customer will use HIPAA compliant security precautions in connection with Services. Customer will use reasonable care to avoid transmitting virus, spyware, ransomware, or other malware to Customer’s Workload. Customer will immediately contact ClearDATA if Customer believes the security of Customer’s account or Customer’s Public Cloud Provider Services have been compromised.
6.3 Third Party Rights. Customer warrants that its use of a Customer Application, third-party Personal Data, and any other information, materials or technologies (“Third Party Materials”) that Customer installs, stores, processes, or transmits to ClearDATA, and ClearDATA’s authorized use and disclosure of any Third Party Materials as part of providing the Services, will not violate the rights of any third party, including but not limited to the rights of publicity or privacy of individuals whose Personal Data is part of Customer Data (the “Data Subjects”) under data protection laws applicable to the Personal Data or Data Subjects. Specifically, but without limitation, Customer represents and warrants that, where required by the laws applicable to the Personal Data or the Data Subjects, Customer has obtained consent from the Data Subjects for ClearDATA’s use and disclosure of the Personal Data as required to provide Services under this Agreement.
6.4 Access Control Lists and Account Information. Customer is responsible for keeping Customer account access control permissions, administrative contacts, billing, and other account information up to date using the Customer Portal. ClearDATA will use the information Customer provides to establish the initial account contacts and access permissions necessary to provide the Services and Software Support. Customer’s administrative contact has authority to make changes to Customer’s Workload and Public Cloud Provider Services including but not limited to adoption of new free or chargeable features and terms and conditions.
6.5 Backups. Customer will conduct periodic restoration tests as necessary (a) to verify the integrity and recoverability of Customer Data as necessary to create and maintain retrievable exact copies of Customer Data; and (b) to ensure that Customer meets disaster recovery and business continuity obligations required by the HIPAA Security Rule including but not limited to §164.308(a)(7)(ii)(A) and its own business continuity requirements. Customer will give ClearDATA prior notification of any changes to the Public Cloud Provider Service or Customer Application, data models, encryption methods or other processes that could interfere with successful backups conducted by ClearDATA. You acknowledge that your use of Public Cloud data backup services from ClearDATA does not, by itself, constitute compliance with HIPAA.
6.6 Customer Cooperation
6.6.1 Customer will: (i) provide qualified personnel capable of performing Customer’s duties and tasks; (ii) provide ClearDATA access to Customer’s sites, facilities and systems during Customer’s normal business hours and as otherwise reasonably required by ClearDATA to perform its obligations; (iii) provide ClearDATA with working space and office support (e.g., internet connectivity, printers) as ClearDATA may reasonably request; and (iv) perform Customer’s duties and tasks under a SOW, and such other duties and tasks reasonably required to permit ClearDATA to perform its obligations.
6.6.2 Customer will also make available to ClearDATA any data, reports, information and any other materials required by ClearDATA to perform its obligations (collectively, “Customer Materials”), including Customer Materials identified in a SOW. Customer is responsible for ensuring the Customer Materials are accurate and complete and Customer acknowledges that the quality of the Services deliverables depends on Customer providing accurate and complete information.
6.6.3 Customer will promptly allow and provide cooperation in providing access to Customer’s Public Cloud Provider Services and provide any other assistance necessary for ClearDATA to perform scheduled and emergency maintenance, including but not limited to patching, in a prompt and timely manner.
6.6.4 Customer will cooperate with ClearDATA’s investigation or remediation of Services outages, suspected security problems, or breaches of this Agreement.
6.7.5 ClearDATA is excused for delayed or insufficient performance of Services resulting from Customer’s failure or delay in providing requested cooperation, access, or Customer Materials, and Customer acknowledges that its material or chronic delay is a material breach of the Agreement or SOW as applicable, giving rise to a right of termination as applicable without refund or credit. In addition to any other remedies available, ClearDATA may reschedule the Services and charge Customer rescheduling fees. If ClearDATA re-performs Professional Services due to inaccurate or incomplete information provided by Customer, ClearDATA’s fees may exceed the amounts stated in a SOW.
6.6. Designated Contacts. For each SOW, each Party will designate one or more individuals who will serve as the point(s) of contact between the Parties. A Party may designate a new contact by written notice to the other Party.Customer’s point of contact must understand Customer’s processes and procedures as they relate to the management of protected health information and have a reasonable technical understanding of Customer’s data management systems. Customer’s point of contact must be available during business hours to confer with ClearDATA.
- Medical Devices/High Risk Use. The Software and Services are not designed, developed, tested, or intended to be reliable in the context of high-risk systems, including but not limited to those where use or failure could lead to death or serious bodily injury or result in property or environmental damage. ClearDATA has no responsibility for, and Customer will indemnify, defend and hold harmless ClearDATA, its affiliates and representatives from all claims, suits, demands, and proceedings alleging, claiming, seeking, or asserting, any liability, loss, obligation, risk, cost, damage, award, penalty, settlement, judgment, fine or expenses (including attorneys’ fees) arising from or in connection with Customer’s use of the Software and Services on or in a high-risk system.
7.2 Services Management Agent. Customer will not interfere with any Agents. ClearDATA may use Agents to track system information, manage various service issues, and identify security vulnerabilities. Customer’s Services will be considered “Unsupported Services” as described in Section 3.6 (Unsupported Services) if Customer disables or interferes with Agents.
7.3 Authorized Users. Customer is responsible for its Authorized Users’ compliance with this Agreement and for all acts or omissions of its Authorized Users. Customer is responsible for access to or use of the Software and Services through Authorized Users’ credentials or by anyone else to whom Customer or its Authorized Users allow such access or use.
7.4 Export. Customer will not use the Services or Software in a way that causes ClearDATA to be in violation of the export laws of the United States or other jurisdiction from which the Services or Software are provided. By way of example only, Customer may not authorize any person to use the Services or Software who is on the list of Specially Designated Nationals and Blocked Persons issued by the U.S. Treasury Department’s Office of Foreign Asset Control (OFAC) or who is located in or is a national of any country that is embargoed under United States export laws, and Customer may not use or permit the use of the Services or Software to process or store any data that is subject to the International Traffic in Arms Regulations maintained by the U.S. Department of State.
- FEES, PAYMENTS
8.1 Fees. Customer will pay fees within the timeframe specified in a SOW. Customer is responsible for additional fees resulting from services Customer adds through the Public Cloud Provider Services, including auto-scaling systems or software defined capacity control mechanisms that increase Customer’s consumption or price of services. ClearDATA may pass through to Customer any fee increases from the Public Cloud Provider or other third-party providers. ClearDATA may increase its fees after the Initial Term on ninety (90) days’ notice. Customer may not offset any credit or other amount due to Customer from ClearDATA against fees due under this Agreement. Fees are non-refundable and must be paid in United States Dollars. Customer agrees to provide ClearDATA prompt access to detailed cost and usage data from your Public Cloud Provider as it requires to calculate your fees.
8.2 Expenses. Customer will pay ClearDATA’s reasonable travel expenses for Services performed onsite at Customer. Travel expenses include air and ground transportation, lodging and meals. ClearDATA will not incur any travel expenses unless Customer has approved them in advance in writing.
8.3 Payments. Set up fees, required prepayments, and other one-time fees are due on the effective date of a SOW or on the due date indicated on an invoice, whatever is earlier. All other fees are due upon receipt. ClearDATA may suspend all Services if Customer’s payment is refused, and Customer does not pay the amount due within four (4) business days of ClearDATA’s written notice to Customer’s billing contact. If Services are reinstated after a suspension for non-payment or otherwise, Customer will be required to pay the then-current list price for those Services going forward, ClearDATA may charge $250 per hour for ClearDATA personnel’s time spent to reinstate the Services, and Customer will not be entitled to any discount for Services after reinstatement. ClearDATA may charge interest on overdue amounts at the lesser of 1.5% per month or the maximum legal rate. If any amount is overdue by more than thirty (30) calendar days and ClearDATA brings a legal action to collect, or engages a collection agency, Customer will pay the reasonable costs of collection, including reasonable attorneys’ fees and court costs. Invoices not disputed within ninety (90) days of invoice date are conclusively deemed accurate. ClearDATA is not obligated to issue any credit under an SLA while any fee is overdue or in dispute.
8.4 Public Cloud Service Invoices. Customer agrees to provide access to Customer’s Public Cloud Provider invoices monthly and/or within 24 hours of ClearDATA’s request so that ClearDATA can calculate Customer’s fees.
8.4 Fee Disputes. If Customer disputes an invoice or portion thereof in good faith, it will timely pay any undisputed portion and provide ClearDATA with written notice of the dispute, in reasonable detail, all on or before the due date of the applicable invoice. The Parties will promptly meet to resolve such dispute in good faith. ClearDATA will not terminate the Agreement and/or delay or suspend the delivery of any Services or Deliverables while such good faith dispute is pending, so long as Customer continues timely paying all undisputed amounts and continues to provide timely cooperation to resolve the dispute.
8.4 Taxes. All fees are stated exclusive of sales, use, VAT, GST or similar tax (“Sales Tax”) unless expressly stated otherwise in the SOW. Unless Customer has provided an exemption certificate or direct pay permit, Customer will remit to ClearDATA any applicable Sales Tax. Customer represents and warrants that all information Customer has provided to ClearDATA for Sales Tax purposes is accurate and complete. If Customer is required by law to withhold from ClearDATA’ fees any amounts as a withholding or like tax, then the ClearDATA fees subject to this requirement are increased by an amount that results in ClearDATA’ payment net of the withholding being equal to the fee. Customer is not required to pay any tax that is assessed on the basis of ClearDATA’s net income.
- TERM, TERMINATION, SUSPENSION
9.1 Term. This Agreement will commence as of the Effective Date and continue in full force and effect for a term of three (3) years (“Initial Term”). Thereafter, this Agreement will automatically renew for subsequent twelve (12) month terms (each, a “Renewal Term” and together with the Initial Term, the “Term”), unless either Party provides at least ninety (90) days prior written notice of its intent not to renew this Agreement, in which case this Agreement will expire at the end of the Initial Term or latest Renewal Term, as applicable.
9.2 SOWs. Individual SOWs may have their own term and termination provisions. Expiration or termination of an individual SOW will not have any effect on any other SOW or this Agreement. Upon the termination or expiration of a SOW for any reason: (i) Customer will pay ClearDATA any fees set forth in the applicable SOW incurred up to and including the date of termination or expiration; (ii) Customer will cease using the Software and Services described in the applicable SOW, and (iii) if required by the SOW, Customer will promptly destroy any ClearDATA Confidential Information or Deliverables provided or acquired pursuant to the applicable SOW and all copies thereof (and provide written certification of such destruction).
9.3 Termination for Material Breach. If either Party materially breaches this Agreement, the other Party will provide an opportunity for the breaching Party to cure the breach. If the breaching Party does not cure the breach within thirty (30) days, the non-breaching Party may terminate this Agreement immediately by providing notice. ClearDATA may also terminate the Agreement, upon written warning to Customer following a violation, if Customer violates the AUP more than once, even if the earlier breach(es) is ultimately cured. Failure to pay undisputed amounts due for more than (60) sixty days is a material breach. If ClearDATA terminates the Agreement or a SOW for Customer’s breach, or Customer terminates the Agreement or a SOW for convenience, Customer must pay an early termination fee as follows: (i) any implementation or set up fee that remains unpaid, plus (ii) the monthly recurring fees for the remaining part of the initial term or then-current renewal term, with monthly recurring fees to be determined by the higher of: (a) the initial estimated monthly recurring fees; and (b) the average of the fees for the prior months in the initial term or renewal term as the case may be. Subject to payment of the early termination fee, You may terminate the Agreement for convenience on ninety (90) days advance written notice.
9.4. Termination for Violation of Law or Regulation. If either Party determines that its continued participation in this Agreement would cause it to violate any applicable law or would place it at material risk of suffering any sanction, penalty, or liability, then that Party may terminate this Agreement immediately upon written notice to the other Party.
9.5 Termination Other than for Breach. ClearDATA may terminate the Agreement on ninety (90) days advance written notice if Customer’s Public Cloud Provider materially alters its services in a way that makes the ClearDATA service commercially infeasible, or if there is an infringement claim that makes the provision of the Services commercially infeasible and ClearDATA is not able to resolve the claim through the use of commercially reasonable efforts. Either Party may terminate the Agreement if the other Party is insolvent or files for bankruptcy or similar protection.
9.6 Suspension. ClearDATA may suspend access to the Software and Services, in whole or in part, during any period that Customer is in material breach of this Agreement or as reasonably necessary to address a serious potential security vulnerability. ClearDATA will give Customer at least two (2) business days’ advance notice of the suspension, unless circumstances require suspension on less notice. ClearDATA will reinstate Customer access to the Software and Services when the grounds for suspension are cured unless ClearDATA has already terminated the Agreement as described in this Section 9.
9.7 Survival. The following terms survive expiration or termination of the Agreement: Section 1 (DEFINITIONS) to the extent the terms defined are used in other surviving sections, Section 7 (RESTRICTIONS), Section 8 (Fees, PAYMENTS), 9 (TERM, TERMINATION, SUSPENSION), Section 10 (CONFIDENTIAL INFORMATION), Section 12 (LIMITS ON LIABILITY), Section 13 (NOTICES), Section 14 (GENERAL), other terms that expressly state they survive termination, and terms that by their nature should reasonably be expected to survive termination.
9.8 Preservation of Data. Unless earlier destruction of Customer Data is required by HIPAA, ClearDATA will make Customer Data available for a complete and secure (i.e. encrypted and appropriated authenticated) download for sixty (60) days after termination or expiration of the relevant SOW or CCSA. After such sixty (60) day period, ClearDATA shall have no obligation to maintain or provide Customer Data to You and shall, unless legally prohibited, delete all Customer Data in its systems or otherwise in its possession or under its control.
9.9 Effect of Termination. Upon the termination or expiration of this Agreement: (i) all SOWs will terminate; (ii) Customer will cease using the Services and Software; and (iii) Customer will pay ClearDATA any fees incurred up to and including the date of termination or expiration. The termination or expiration of this Agreement will not affect or impair the rights, liabilities, and obligations of either Party that may have accrued prior to such termination or expiration. Except as otherwise provided, remedies described herein are cumulative, not exclusive, and will include all remedies available to a Party at law or in equity.
- CONFIDENTIAL INFORMATION
Neither Party may use the other Party’s Confidential Information except in connection with the performance or use of the Services, as applicable, the exercise of the Party’s legal rights under this Agreement, or as may be otherwise permitted under this Agreement or required by law. Each Party agrees not to disclose the other Party’s Confidential Information to any third person except as follows: (i) to the Party’s respective service providers, agents and representatives, provided that such service providers, agents or representatives are bound by written confidentiality measures that are provide similar protection as these terms; (ii) in response to a subpoena or other compulsory legal process, provided that each of us agrees to give the other reasonable advance written notice under the circumstances prior to disclosure, unless the law or a reasonable interpretation of it, forbids such notice; or (iii) as required by law, such as a requirement under a data privacy regulation that a notice of data breach be given to a supervisory authority or regulatory agency. On expiration or earlier termination of the Agreement, each Party will return or destroy the other Party’s Confidential Information. ClearDATA’s obligations to safeguard Customer Data are defined and covered by obligations in the HIPAA Business Associate Agreement, not this Section. Each Party will use commercially reasonable care to prevent the unauthorized use, disclosure, corruption and deletion of the other Party’s Confidential Information. Both Parties are responsible for a breach of this Section by its service providers, agents and representatives to whom it has disclosed the other Party’s Confidential Information. The Parties’ obligations under this section are intended to be separate and distinct from their other obligations under this Agreement with respect to privacy, compliance and security.
11.1 ClearDATA Indemnification of Customer. ClearDATA will defend, indemnify and hold harmless Customer and its affiliates, officers, directors and personnel (“Customer Indemnitees”) from final judgments, related attorney fees, and litigation-related third party expenses (“Losses”) that result from claims by a party not affiliated with Customer Indemnitees, to the extent these claims: (i) arise from ClearDATA’s material breach of the Security Safeguards, or Section 10 (Confidential Information) or (ii) assert that Customer’s use of the Services infringe Intellectual Property rights in the United States or the European Economic Area. ClearDATA’s obligations under this subsection do not extend to a claim that (i) is covered by Customer indemnification of ClearDATA, (ii) is based on Customer’s breach of this Agreement, including but not limited to or Customer’s violation of Section 7 (“Restrictions”), or (iii) results from Customer’s combination of the Services with technology not provided by ClearDATA, Customer’s use of Unsupported Services, Customer’s unauthorized change to the Public Cloud Provider Services, Software, or Services, or ClearDATA’s compliance with its specific directives (collectively referred to as the “Exclusions”).
11.2 Customer Indemnification of ClearDATA. Customer will defend, indemnify and hold harmless ClearDATA and its affiliates, suppliers, and licensors, and each of their officers, directors and personnel (the “ClearDATA Indemnitees”) against Losses that result from claims by a party not affiliated with ClearDATA Indemnities, to the extent those claims: (i) are raised by Customer’s personnel, end users, providers of Customer Application(s), or Data Subjects whose Personal Data is included in Customer Data, unless such claim arises from ClearDATA’s material breach of the Security Safeguards or Section 10 (Confidential Information), (ii) asserting the Customer Application, Customer Data or an Unsupported Service infringes or violates the Intellectual Property rights or other rights of a third party in the United States or the European Economic Area, or (iii) that are an Exclusion (defined in Section 11.1). Customer’s obligations under this Section 11.2 include claims arising out of the acts or omissions of its personnel, agents, Authorized Users, and any other person to whom Customer has given access to the Public Cloud Provider Services, the Software, or Services, and any person who gains access to any of them as a result of Customer’s failure to use reasonable security precautions, even if the acts or omissions of such persons were not authorized.
11.3 Procedures. The indemnified Party must give notice of the claim for indemnification to the indemnifying Party within ten (10) days of the date the claim, or threat of a claim, is made in writing, provided that failure to give notice within the ten (10) day period does not relieve the indemnifying Party of its obligations under this Section except to the extent the delay prejudices the defense of the claim. The indemnifying Party has the right to select counsel to defend any claim under this Section and has the right to control the defense of the claim, except that the indemnified Party may participate in the defense of the claim at its option and expense, with counsel of its choice. The indemnified Party must comply with any request for information or cooperation regarding the defense of the claim made by the indemnifying Party. The indemnifying Party may settle any indemnified claim, in its discretion, provided that the settlement fully resolves the indemnified Party’s liability and does not require the indemnified Party’s to make an admission of culpability.
- LIMITATIONS OF LIABILITY
12.1 NO CONSEQUENTIAL, INDIRECT DAMAGES. EXCEPT FOR CLAIMS BASED ON THE PARTY’S INTENTIONAL BREACH OF THE OTHER PARTY’S INTELLECTUAL PROPERTY RIGHTS, OR CLAIMS FOR BREACH OF OBLIGATIONS REGARDING CONFIDENTIALITY IN SECTION 10, NEITHER PARTY NOR ITS AFFILIATES, LICENSORS, SUPPLIERS OFFICERS, DIRECTORS, PERSONNEL, OR SUBCONTRACTORS IS LIABLE TO THE OTHER PARTY FOR ANY LOST PROFITS, LOST REVENUE, LOST BUSINESS OPPORTUNITY, OR ANY INDIRECT, SPECIAL, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL LOSS OR DAMAGE OF ANY KIND, OR ANY LOSS OR DAMAGE THAT COULD HAVE BEEN AVOIDED BY THE CLAIMING PARTY’S REASONABLE MITIGATION, EVEN IF THE OTHER PARTY HAS BEEN ADVISED OF OR SHOULD BE AWARE OF THE POSSIBILITY OF SUCH DAMAGES. For avoidance of doubt, Losses covered under Section 11(Indemnification) are not excluded by this Subsection.
12.2 MAXIMUM LIABILITY. NOTWITHSTANDING ANYTHING TO THE CONTRARY IN THIS AGREEMENT, EXCLUDING (I) CLAIMS ARISING FROM A PARTY’S GROSS NEGLIGENCE, RECKLESSNESS, OR INTENTIONAL TORT, (II) CLAIMS ARISING FROM A PARTY’S BREACH OF SECTION 10 (CONFIDENTIAL INFORMATION), (III) CLAIMS BASED ON A PARTY’S INFRINGEMENT OR MISAPPROPRIATION OF INTELLECTUAL PROPERTY RIGHTS, AND (IV) PAYMENT OBLIGATIONS UNDER SECTION 8 (FEES, PAYMENTS), ALL OF WHICH SHALL BE UNLIMITED, THE MAXIMUM AGGREGATE LIABILITY OF A PARTY AND ITS AFFILIATES, LICENSORS, SUPPLIERS AND SUBCONTRACTORS UNDER OR IN CONNECTION WITH THIS AGREEMENT FOR ANY TYPE OF DAMAGES SHALL NOT EXCEED THE GREATER OF ONE HUNDRED THOUSAND DOLLARS ($100,000.00) OR THE FEES PAID OR PAYABLE BY YOU FOR THE 12 MONTHS PRECEDING THE EVENT GIVING RISE TO THE CLAIM UNDER THE RELEVANT SOW.
12.3 Other. Customer acknowledges ClearDATA has set its prices and entered into this Agreement in reliance on the limitations of liability stated in this Section 12, and that these limitations reflect an agreed allocation of risk between the Parties. These limitations apply from any cause of action whatsoever, whether in contract, tort, commercial code, strict liability or otherwise, even if a limited remedy fails of its essential purpose. Nothing in this Subsection precludes a Party from seeking any available specific enforcement, injunctive relief or other non-monetary equitable remedy. If these limitations as written are not permitted by applicable law, they shall apply to the extent permitted.
Unless another method of notice is expressly required by this Agreement, notices must be given by electronic mail. ClearDATA’s notice to Customer must be given to Customer’s primary account contact. Customer’s notices to ClearDATA must be given to email@example.com. Customer’s notice of breach of this Agreement, request for indemnification or other legal matters must be copied to firstname.lastname@example.org with a copy mailed via 1st class United States mail or overnight delivery to ClearDATA Networks, Inc., ATTN CHIEF FINANCIAL OFFICER, 835 West 6th Street, 12th Floor, Austin, Texas 78703. ClearDATA’s notice of breach of this Agreement, request for indemnification or other legal matters must be sent to the contact information of Customer in the signature block below.
14.1 Order Process. Customer may offer to purchase ClearDATA Services by signing and submitting a SOW, or other document provided to Customer by ClearDATA for your signature (collectively, “SOW”). No SOW is effective or binds ClearDATA unless executed by ClearDATA.
14.2 Non-Solicitation. Neither Party shall directly or indirectly solicit any personnel of the other Party with whom it has interacted in connection with the Agreement to terminate their employment with the other Party, provided however, that this Section does not restrict a Party from employing an individual who responds to a general employment advertisement or notice. This restriction shall survive expiration or termination of the Agreement for a period of twelve (12) months.
14.3 General Warranty. Each Party represents and warrants to the other that: (i) it has the right, power, and authority to enter into the Agreement and to fully perform its obligations under the Agreement; and (ii) the making of the Agreement does not violate any agreement existing between it and any third party. The individual signing the CCSA and any SOW represents that he or she has the authority to bind the entity named in the SOW.
14.4 Publicity. Customer agrees ClearDATA may publicly disclose that it is providing Services to Customer and may use Customer’s name and logo in its online, printed and other marketing and publicity materials to identify Customer as a ClearDATA customer, subject to reasonable trademark usage guidelines. ClearDATA may use any quotation provided or approved by Customer for marketing purposes in a press release or other publicity.
14.5 Assignment. Either Party may assign this Agreement without the other Party’s prior written consent: (a) in connection with the sale of all or substantially all of its assets; (b) to the surviving entity in any merger or consolidation; (c) to an affiliate; or (d) to satisfy a regulatory requirement imposed upon a Party by a governmental body with appropriate authority, provided, however, that as a predicate for an assignment by Customer, in each case Customer’s assignee must have a financial standing and creditworthiness equal to or better than Customer’s, as reasonably determined by ClearDATA, through a generally accepted, third party credit rating index (i.e. D&B, S&P, etc). Any other assignment requires the prior written consent of the other Party without which the assignment is null and void.
14.6 Subcontractors. ClearDATA may use subcontractors to perform all or any part of the Services but remains responsible to Customer under this Agreement for Services performed by its subcontractors to the same extent as if ClearDATA performed the Services itself. Certain ClearDATA subcontractors require ClearDATA to include the following clauses: (i) none of ClearDATA’s subcontractors make any representations or warranties to Customer under this Agreement, and none of them has any liability directly to Customer in connection with the Services or any direct indirect, incidental or consequential damages arising from Customer’s use of the Services; and (ii) Customer acknowledges that ClearDATA is not an agent for Amazon Web Services, Inc., Google, Inc., Microsoft Corporation, or its other subcontractors, and that ClearDATA and its subcontractors are independent contractors and not partners or joint venturers.
14.8.1 Mediation. Except for a request for temporary injunctive or other equitable relief, each Party agrees that it shall not file a lawsuit or other legal action in connection with this Agreement unless it has first given the other Party written notice of the dispute and attempted to resolve the dispute through good faith negotiation. At the request of either Party, the dispute will be submitted for non-binding mediation conducted by a mutually acceptable mediator in Travis County, Texas consent to not be unreasonably withheld, costs to be split evenly. If the dispute is not resolved through negotiation or mediation within forty-five (45) days of the date of the initial demand for mediation, a Party may file suit.
14.8.2 Jurisdiction, Venue, Law. Any lawsuit or other legal action related to this Agreement shall only be brought in state or federal courts having jurisdiction over Austin, Texas. Neither Party shall dispute the jurisdiction, convenience, or venue of such courts. This Agreement is governed by and interpreted under the laws of the State of Texas, without giving effect to conflicts of law principles. The Parties expressly waive the application of the United Nations Convention on Contracts for the International Sale of Goods and the Uniform Computer Information Transactions Act. Neither the Services nor the Software are “goods” subject to any version of the Uniform Commercial Code.
14.8.3 Waiver of Jury Trial. To the extent permitted by applicable law, each Party waives the right to a trial by jury in respect of any dispute arising out of this Agreement.
14.8.4 Expenses Arising from Legal Disputes, Subpoenas Regarding Customer’s Account. In addition to Customer’s indemnification obligations, Customer must also pay or reimburse ClearDATA’s reasonable and actual attorneys’ fees and other expenses incurred in connection with any dispute between persons having a conflicting claim to control of Customer’s account, or to comply with any third-party subpoena, warrant or other mandated disclosure that is unrelated to any claim between Customer and ClearDATA.
14.8 Force Majeure. Except for Customer’s payment obligations, neither Party is in violation of the Agreement if the failure to perform is due to an event beyond that Party’s reasonable control, such as a significant failure of the power grid or Internet, denial of service attacks, natural disaster, war, riot, insurrection, epidemic, strikes or other organized labor action, terrorism, or other acts or events for which precautions are not generally taken in the industry.
14.9 Interpretations of Certain Words. The term “person” refers to any legal person, and may mean a natural person (individual), a legally created person (entity, trustee, or executor), or an entity (corporation, partnership, or limited liability company). The term “law” refers to statutes, regulations, executive orders, and other legally binding rules issued by a government agency having jurisdiction. Unless otherwise defined, the words “business day” means Monday – Friday, 9:00 a.m. – 5:00 p.m., United States Central Time, excluding federal holidays in the United States. The word “affiliate” refers to an individual or entity that controls, is controlled by, or is under common control with the person referred to, where control means ownership of the majority of voting interests of an entity or the right to control the policies of the entity by means of a controlling number of seats on the entity’s governing body. Any requirement that a statement be written is satisfied by an email or other digital form of writing unless expressly stated otherwise. Section captions are for convenience only; they are not part of this Agreement and may not be used to interpret the terms of this Agreement.
14.10 Relationship Between the Parties. The Parties are independent contractors, and neither Party is the agent of the other or has the right to bind the other on any contract with a third party. The use of the words “partner” or “partnership” in this Agreement or otherwise refers only to a business relationship, and does not create or reflect any legal partnership, joint venture, or other fiduciary or other special relationship between the persons described as partners. Nothing in this Agreement creates an obligation of exclusivity or non-competition.
14.11 Modifications. Web-published portions of the Agreement are subject to modification whiuch are effective: (a) to any Order that is signed after the modification is published, and (b) to existing Orders, as of the first renewal term after the modification is published.
14.12 Whole Agreement and Order of Precedence. The following documents are incorporated by reference in the Agreement: all exhibits to the Agreement, SOW(s) and the AUP. If there is a conflict between the documents that comprise the “Agreement,” the documents control in the following decreasing order of precedence: (i) the Business Associate Agreement, (ii) the SOW, (iii) this CCSA including the exhibits and (iv) the AUP. No terms or conditions, other than those stated in the Agreement, and no prior agreements or understandings, oral or written, in any way purporting to modify or add to these terms and conditions, whether contained in any promotional materials, proposals, acknowledgements, sales or purchase orders, shipping forms, orally or elsewhere shall be binding on the Parties.
14.13 Federal Agency Users. The Services were developed solely at private expense and are commercial computer software and related Service Description within the meaning the Federal Acquisition Regulations and applicable agency supplements.
14.14 Third Party Beneficiaries. Unless and to the extent specifically stated otherwise in some other section of this Agreement, there are no third-party beneficiaries to this Agreement. Neither Party’s customers, end users, suppliers, Data Subjects, or other person shall have the right to enforce this Agreement.
14.15 Severability. In the event one or more of the terms of this Agreement are adjudicated as invalid, illegal, or unenforceable, the adjudicating body may either interpret this Agreement as if such terms had not been included or may reform such terms to the limited extent necessary to make them valid, legal or enforceable, consistent with the economic and legal incentives underlying the Agreement.
14.16 Waiver. Except as otherwise provided herein, no right or remedy arising regarding this Agreement shall be waived by a course of dealing between the Parties, or a Party’s delay in exercising the right or remedy. A Party may waive a right or remedy only by signing a written document that expressly identifies the right or remedy waived. Unless expressly stated in the waiver, a waiver of any right or remedy on one occasion will not be deemed a waiver of that right or remedy on any other occasion, or a waiver of any other right or remedy.
14.17 Counterparts; Signatures. This Agreement may be signed in multiple counterparts, which taken together shall be read as one Agreement. A signed agreement transmitted by facsimile, email attachment, or other electronic means shall be considered an original. The Parties agree that electronic or digital signatures shall be given the same effect as a manual signature.
The Agreement is the complete and exclusive agreement between the Parties regarding its subject matter and supersedes and replaces in their entirety any prior or contemporaneous agreement or understanding, written or oral. The Parties represent to each other that they have not entered into the Agreement in reliance on any statement other than those included in the Agreement.
© ClearDATA Networks, Inc. 2022
CCSA Revision Date April 1, 2022
In the news
10 Tips to Shrink Attack Surface by Prioritizing Digital Hygiene
ClearDATA’s founder and Chief Privacy & Security Officer Chris Bowen gives his take on digital threats associated with the pandemic and the risks and mitigation efforts.
5 ways IT vendors put customers’ PHI at risk
Warning to technology vendors that service the healthcare industry: nearly half of serious data breaches occur in the healthcare sector and the majority are caused by a third party. There are five common ways technology vendors set themselves up – and their healthcare customers – for a data breach that could be catastrophic to patients’ privacy and the vendor’s reputation.