Terms of Service
PP-TX LLC d/b/a VitalRads (“Company”) offers a wide range of services (the “Services”) and these Terms of Service (the “Agreement”) apply to all Services. Customer accepts this Agreement upon the earlier of (a) Customer’s first use of the Services or (b) Customer’s signature on an applicable Order Form. This Agreement forms a binding contract between Company and Customer for a subscription to the applicable Service(s) and for the Term defined in the Order Form (if applicable). This Agreement contains, among other things, warranty disclaimers, liability limitations and use limitations. There shall be no force or effect to any different terms of any related purchase order or similar form issued by Customer except where specified in an Order Form signed by the parties. Capitalized terms that are used in this Agreement but not defined herein shall have the meanings set forth in the Order Form (if applicable).
1. SERVICES AND SUPPORT
1.1 Subject to the terms of this Agreement, Company will use commercially reasonable efforts to provide the applicable Services to Customer in accordance with this Agreement. As part of the registration process, Customer will identify an administrative username and password for Customer’s account. Company reserves the right to refuse registration of or cancel passwords it deems inappropriate. Company has the right to make changes to the Services if such changes do not materially lessen the Service’s functionality, and Company may provide additional terms that apply to Customer’s use of updates or new features.
1.2 The Order Form (if any) will set forth the Services selected by Customer. Fees applicable to the Services (“Fees”) are specified on Company order forms, websites, directories of service, or as otherwise published by Company from time to time. Customer may elect for Company to perform data migration and/or conversion of existing medical record files from Customer’s existing radiology information system and/or PACS system into the Company Services (the “Migration Services”). Customer may also elect to enable other functionality within the Services at the then applicable pricing.
1.3 Subject to the terms hereof, during the term of a subscription to the Services, Company will provide Customer with reasonable technical support in accordance with the Support Policy set forth in Exhibit B.
1.4 Customer expressly acknowledges and holds Company harmless for any loss of data from the Data Migration Services. Customer also acknowledges and agrees that Company may use third parties to perform some or all of the Data Migration, which may involve such third parties accessing Customer’s Data (as defined herein). Customer further acknowledges and agrees that Company’s provision of the Migration Services will be contingent on Customer’s participation and providing appropriate guidance, resources, and decisions for set-up.
2. RESTRICTIONS AND RESPONSIBILITIES
2.1 Customer will not, directly or indirectly: reverse engineer, decompile, disassemble or otherwise attempt to discover the source code, object code or underlying structure, ideas, know-how or algorithms relevant to the Services or any software or data related to the Services (“Software”) or the documentation for the Software or Services (“Documentation”); modify, translate, or create derivative works based on the Services or any Software except to the extent expressly permitted by Company or authorized within the Services; use the Services or any Software for timesharing or service bureau purposes or otherwise for the benefit of a third party; remove any proprietary notices or labels; or attach or integrate any third party equipment, interfaces or applications to the Service that have not been tested and approved in advance by Company. Customer is solely responsible for its use of any such third party equipment, interfaces and/or applications and shall indemnify, defend and hold harmless Company from any third party claims relating to or arising from such third party equipment, interfaces or applications. With respect to any Software that is distributed or provided to Customer for use on Customer premises or devices, Company hereby grants Customer a non-exclusive, non-transferable, non-sublicensable license to use such Software during the Term only and only in connection with the Services.
2.2 Customer is responsible for all export of the Services outside of the United States in violation of any restrictions, laws or regulations of the United States Department of Commerce, the United States Department of Treasury Office of Foreign Assets Control, or any other United States or foreign agency or authority. As defined in FAR section 2.101, the Software and documentation are “commercial items” and according to DFAR section 252.227-7014(a)(1) and (5) are deemed to be “commercial computer software” and “commercial computer software documentation.” Consistent with DFAR section 227.7202 and FAR section 12.212, any use, modification, reproduction, release, performance, display, or disclosure of such commercial software or commercial software documentation by the U.S. Government will be governed solely by the terms of this Agreement and will be prohibited except to the extent expressly permitted by the terms of this Agreement.
2.3 Customer represents, covenants, and warrants that Customer’s use of the Services and Customer Data will be in compliance with this Agreement, Company’s standard published policies then in effect, and all applicable laws, regulations, and/or applicable industry standards (collectively “Applicable Laws”, and individually, “Applicable Law”). Customer hereby agrees to indemnify, defend, and hold harmless Company against any damages, losses, liabilities, settlements and expenses (including without limitation costs and attorneys’ fees) in connection with any claim or action that arises from an alleged violation of the foregoing or otherwise from Customer’s use of Services or the Customer Data. Although Company has no obligation to monitor Customer’s use of the Services, Company may do so and may prohibit any use of the Services it believes may be (or may be alleged to be) in violation of the foregoing.
2.4 Customer shall be responsible for obtaining and maintaining any equipment and ancillary services needed to connect to, access or otherwise use the Services, including, without limitation, modems, hardware, servers, software, operating systems, networking, web servers and the like (collectively, “Equipment”).
2.5 The following additional terms apply to images used with the Services:
a. Customer is responsible for maintaining automatic DICOM® routing from Customer’s location in order to back up Customer Data (i.e. images) to the Company servers. Customer is responsible for the cost for the hardware, supporting operating system, Internet access and appropriate network connectivity required to access the Services. Customer is solely responsible for determining which of Customer’s images will be backed up to the Company servers and for implementing Customer’s own records retention requirements and backup systems based on state or federal regulations applicable to Customer. Customer must maintain Internet connectivity adequate to transfer Customer Data; Company has no responsibility for images that are not successfully transmitted to Company, or which are not received by the data storage provider’s servers. Customer Data is deemed received and archived only after the data storage provider’s servers log their receipt. Customer agrees to monitor backups and work with Company to resolve any noted errors.
b. Customer may request a copy of archived images at any time, and Company will charge Customer the Company’s then current fee plus hardware and shipping cost, per request. Company will ship Customer a hard drive or flash drive with a copy of the images after receipt of the request and payment. The images/studies will be in .dcm (DICOM) format. Notwithstanding anything to the contrary in this Agreement, if Company is unable to deliver the Customer archived images due solely to Company’s own negligence, Company will compensate $0.05 per study, with any compensation not to exceed $500 in total. This compensation is Customer’s sole and exclusive remedy for Company’s loss of or inability to retrieve Customer images.
3 CONFIDENTIALITY; PROPRIETARY RIGHTS
3.1 Each party (the “Receiving Party”) understands that the other party (the “Disclosing Party”) has disclosed or may disclose business, technical or financial information relating to the Disclosing Party’s business (hereinafter referred to as “Proprietary Information” of the Disclosing Party). Proprietary Information of Company includes non-public information regarding features, functionality and performance of the Service. Proprietary Information of Customer includes non-public data provided by Customer to Company to enable the provision of the Services (“Customer Data”). The Receiving Party agrees: (i) to take reasonable precautions to protect such Proprietary Information, (ii) to only use the Disclosing Party’s Proprietary Data to exercise the Receiving Party’s rights or perform its obligations hereunder and (iii) not to disclose the Disclosing Party’s Proprietary Information to any person or entity, except to the Receiving Party’s employees, agents, subcontractors, service providers or affiliates who have a need to know and/or use the Proprietary Information for the Receiving Party to exercise its rights or perform its obligations hereunder and who are required to protect the Proprietary Information in a manner no less stringent than required under this Agreement. The Disclosing Party agrees that the foregoing shall not apply with respect to any information other than personally identifiable Customer Data after five (5) years following the expiration or termination of the subscription hereunder or any information that the Receiving Party can document (a) is or becomes generally available to the public, or (b) was in its possession or known by it prior to receipt from the Disclosing Party, or (c) was rightfully disclosed to it without restriction by a third party, or (d) was independently developed without use of any Proprietary Information of the Disclosing Party or (e) is required to be disclosed by law. 
For the avoidance of doubt, Customer acknowledges and agrees that Company may need to share data (including certain Customer Data) with third parties for purposes of fulfilling Company’s rights and obligations under this Agreement, including for billing, accounting, invoicing and platform monitoring and improvement purposes. The confidentiality provisions of the Agreement shall otherwise apply in full force and effect for any such disclosure.
3.2 Customer shall own all right, title and interest in and to the Customer Data. Company shall own and retain all right, title and interest in and to (a) the Services and Software, all improvements, enhancements or modifications thereto (even if Customer pays fees for improvements or enhancements to the Services or Software), (b) any software, applications, inventions or other technology developed in connection with implementation services or support, (c) any medical research developed using the Services or Software, and (d) all intellectual property rights related to any of the foregoing. For clarity, Company may use Customer Data to provide, maintain, develop, and improve the Services, comply with applicable law, enforce our terms and keep our Services safe.
3.3 Subject to the terms and conditions of this Agreement, Customer grants to Company the royalty-free, worldwide, non-exclusive, perpetual license and right to copy, store, record, transmit, display, view, print, analyze, or otherwise use (a) Customer Data to the extent necessary to provide the Services to Customer and/or monitor Customer’s use of the Services, (b) any trademarks that Customer provides Company for the purpose of including them in Customer’s user interface of the Service or on any print materials generated by the Software, (c) De-Identified Customer Data (as defined below) to improve and enhance the Services, and (d) De-Identified Customer Data for purposes of Company or its licensors performing medical, veterinary, or pharmaceutical research, or for the development and research of new technologies and processes. Customer acknowledges that Company shall own and retain all right, title, and interest in and to the Services or commercial endeavors resulting from such use of the Customer’s Data. “De-Identified” means personal, health, or usage information from which all identifiers that could reasonably be anticipated to identify an individual by an anticipated recipient – such as individual’s name, contact information, or government identifiers – have been removed.
3.4 For the avoidance of doubt, and notwithstanding anything to the contrary in this Agreement, by using any Services that permit submission of or generate diagnostic images, including but not limited to VitalPacs, Customer grants Company a royalty-free, worldwide, non-exclusive, perpetual license to access, edit, modify, adapt, translate, exhibit, publish, transmit, participate in the transfer of, reproduce, create derivative works from, distribute, perform, display and otherwise use any diagnostic images submitted, archived, created, or accessed through such services. Customer acknowledges that this license does not terminate if Customer ceases to be a Company customer. Company’s use of such images may include use of De-Identified images (a) with other data (including data from other practices) for research and analysis, (b) to create and improve Company’s commercial products and services, (c) for educational uses, or (d) for inclusion in a reference image library for use by other Company customers. Company does not share such images with third parties without Customer’s consent except in a De-Identified format.
3.5 Any suggestions, enhancement requests, recommendations or other feedback to Customer related to improvement or future features of the Service (“Feedback”) are offered voluntarily, and Customer acknowledges that Company may have similar development ideas to the Feedback, the Feedback is not confidential or proprietary information of Customer or any third party, and Company shall have an unlimited right to use and/or incorporate such Feedback into the Services without any obligations or compensation to Customer.
3.6 Customer understands that the technical processing and transmission of Customer’s electronic communications is fundamentally necessary to Customer’s use of the Service. Customer agrees that Company is not responsible for any electronic communications and/or Customer Data that are lost, altered, intercepted or stored without authorization during the transmission of any data whatsoever across networks not owned and/or operated by Company.
3.7 Customer represents and warrants that its use of the Service and all Customer Data will comply with applicable law, including laws relating to the maintenance of the privacy, security, and confidentiality of patient and other health information. Customer will ensure that any use of the Service by Customer’s Users is in accordance with the terms of this Agreement. Customer agrees to notify Company immediately of any unauthorized use of any password or account or any other known or suspected breach of security or any known or suspected distribution of Customer Data.
3.8 Neither Company’s grant of the rights or licenses hereunder nor its performance of any Services or other obligations under this Agreement conflict with or violate any applicable law, including any law relating to data privacy, data security, or Personal Information. “Personal Information” means information relating to an identified or identifiable natural person and (if and as applicable) a household.
3.9 This Section 3 will supersede and terminate any separately signed non-disclosure agreement by and between the parties governing preliminary confidential discussions regarding the Services.
4 PAYMENT OF FEES
4.1 Unless otherwise specified on an applicable Order Form (if any), all Fees are due net thirty (30) days of an invoice. Company reserves the right to change the monthly subscription Fees and to institute new charges and Fees at the end of the Initial Service Term or then-current renewal term, upon thirty (30) days prior notice to Customer (which may be sent by email). Company may update any other Fees (e.g. texting rates) at any time during the Term, effective upon notice to Customer. If Customer believes in good faith that Company has billed Customer incorrectly, Customer must contact Company no later than 60 days after the closing date on the first billing statement in which the error or problem appeared in order to receive an adjustment or credit. Inquiries should be directed to Company’s customer support department. All fees are otherwise nonrefundable.
4.2 Company may choose to bill through an invoice (as may be indicated in an Order Form, if applicable), in which case, full payment for invoices issued in any given month must be received by Company thirty (30) days after the later of the date of the invoice or Customer’s receipt of the invoice. Unpaid amounts are subject to a finance charge of 1.5% per month on any outstanding balance, or the maximum permitted by law, whichever is lower, plus all expenses of collection and may result in immediate termination of Service. Customer shall be responsible for all taxes associated with Services other than U.S. taxes based on Company’s net income.
5 TERM AND TERMINATION
5.1 Subject to earlier termination as provided below, this Agreement begins on the Effective Date and continues until the end of the Initial Service Term. The “Initial Service Term” begins on the Effective Date and is either (a) specified on an applicable Order Form or (b) in the case of the VitalPacs Service, monthly, or (c) in the case of the SpectraRad Services, until such time as either party terminates this Agreement as permitted herein. The term shall be automatically renewed for additional periods of the same duration as the Initial Service Term (each, a “Renewal Term;” collectively, the Initial Service Term and any Renewal term, the “Term”), unless either party requests termination at least thirty (30) days prior to the end of the then-current term. Customer is liable for minimum monthly subscription Fees and other applicable Fees and charges, even if Customer requests early termination or ceases to use the Service during the Term. Service Fees are non-refundable and non-cancellable, regardless of the frequency of billing.
5.2 In addition to any other remedies it may have, either party may also terminate this Agreement upon thirty (30) days’ notice (or without notice in the case of nonpayment), if the other party materially breaches any of the terms or conditions of this Agreement and the breaching party does not cure within thirty (30) days. Furthermore, either party may terminate this Agreement at any time with respect to (a) the VitalPacs Service upon at least thirty (30) days’ advance written notice (which may include email) or (b) the SpectraRad Service upon written notice by Customer to Company, or upon at least fifteen (15) days’ advance written notice by Company to Customer (in both cases, which may include email).
5.3 Upon any termination, Company will make all Customer Data available to Customer for electronic retrieval for a period of thirty (30) days, but thereafter Company may, but is not obligated to, delete stored Customer Data. All sections of this Agreement which by their nature should survive termination will survive termination, including, without limitation, accrued rights to payment, confidentiality obligations, warranty disclaimers, governing law, indemnity and limitations of liability.
6 DATA PROTECTION
6.1 Data Privacy. Some of the Customer Data may include Personal Information. To the extent Customer Data includes Personal Information, Company acknowledges and agrees that (a) Company is a processor/service provider, as applicable and as defined by Applicable Law, of such Personal Information and (b) Customer is a controller/business of such Personal Information. Company further agrees that it is acting as Customer’s “service provider” as that term is defined in California Civil Code section 1789.140(v). To the extent both Parties control the purposes and means of processing the Personal Information, they will do so independently. Company may only use Personal Information it obtains from, on behalf of, or in the course of performing the Services for Customer, to perform the Services for Customer, in accordance with Applicable Law and this Agreement. The Parties will comply with their obligations under Applicable Law with respect to such Personal Information. The Parties will comply with the terms of Company’s data processing addendum set forth in Exhibit D. The Parties acknowledge and agree that each Party will provide for all applicable notices and/or obtain all consents and authorizations required of that Party under Applicable Law to enable the collection, transfer, and processing between the Parties of Personal Information in connection with the provision of the Services.
6.2 Data Security. Company will take commercially reasonable precautions, including, without limitation, technical (e.g., firewalls and data encryption), organizational, administrative, and physical measures, to help safeguard Customer Data against unauthorized use, disclosure, or modification. Customer must protect all applications or devices using commercially reasonable security measures. Customer is solely responsible to keep all user identifications and passwords secure. Customer must monitor use of the Services for possible unlawful or fraudulent use. Customer must notify Company immediately if Customer becomes aware or has reason to believe that the Services are being used fraudulently or without authorization by any end user or third party. Failure to notify Company may result in the suspension or termination of the Services and additional charges to Customer resulting from such use. Company will not be liable for any charges resulting from unauthorized use of Customer’s Account.
6.3 Data Subject Requests. It is the Customer’s responsibility to respond to any data subject request involving Customer Data. Some of the Company Services may provide direct technical means to enable Customer to fulfil its duties to respond to requests from data subjects under applicable data protection laws. If Customer is unable to address the data subject’s request through such technical means, or where such functionality is not available, Company shall, taking into account the nature of the processing, provide reasonable assistance to Customer, to enable Customer to respond to such data subject requests. In the event that such request is made directly to Company, Company shall promptly direct the data subject to contact the Customer and will use commercially reasonable efforts to notify Customer. Company is not responsible for data subject requests received that pertain to Customer Data unless otherwise required by applicable law.
6.4 Other Customer Obligations and Responsibilities.
6.4.1 Customer shall be responsible for maintaining the security of the Equipment, Customer’s account, passwords (including but not limited to administrative and user passwords) and files, for all uses of Customer’s account or the Equipment with or without Customer’s knowledge or consent.
6.4.2 Customer will maintain appropriate security with regard to all personnel, systems, and administrative processes used by it to transmit, store and process Customer Data through the use of the Services. Furthermore, it is Customer’s responsibility to (i) create, monitor and manage each authorized user’s access rights to the Service and (ii) implement safeguards and processes that authorized users submit payment card information, personal information and other confidential information into the Service solely via designated fields or channels.
6.4.3 Customer and each authorized user may only access a person’s personal information contained in the Service if such person (i) has an appointment at an applicable location, (ii) previously had an appointment at an applicable location, (iii) is interested in modifying or confirming an appointment, (iv) in support of wellness plans or (v) requests modification or updating of such person’s account. In all such cases, Customer may only use such person’s Personal Information contained in the Service for the purposes of supporting the foregoing activities (6.4(c)(i)-(v)). All other access to Personal Information is strictly prohibited.
6.5 Survival. Section 5 shall survive termination of this Agreement and each Party shall remain responsible for complying with all Applicable Laws related to the use, storage, and disclosure of Personal Information for as long as the Party retains such information or as long as required by Applicable Law, whichever is longer.
7 LIMITED WARRANTY
Company warrants that the Services shall operate in accordance with the service level agreement set forth in Exhibit A. Professional Services will be provided in a good and workmanlike manner in accordance with the standards of service expected of professional services firms that provide services similar to the professional Services. Services may be temporarily unavailable for scheduled maintenance or for unscheduled emergency maintenance, either by Company or by third-party providers, or because of other causes beyond Company’s reasonable control, but Company shall use reasonable efforts to provide advance notice in writing or by e-mail of any scheduled service disruption. Scheduled maintenance will be targeted during the periods of lowest anticipated usage, and Company will provide Customer with commercially reasonable advance notice of scheduled maintenance. Customer’s remedies for breach of this warranty are described in the SLA.
COMPANY DOES NOT WARRANT THAT THE SERVICES WILL BE UNINTERRUPTED OR ERROR FREE; NOR DOES IT MAKE ANY WARRANTY AS TO THE RESULTS THAT MAY BE OBTAINED FROM USE OF THE SERVICES. EXCEPT AS EXPRESSLY SET FORTH IN THIS SECTION, THE SERVICES AND MIGRATION SERVICES ARE PROVIDED “AS IS” AND COMPANY DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT.
8 INDEMNITY
Company shall defend and hold Customer harmless against any third party claim against Customer that its use of the Service made available for a fee infringes any United States patent or copyright or misappropriates a trade secret, provided Company is promptly notified of any and all threats, claims and proceedings related thereto and given reasonable assistance and the opportunity to assume sole control over defense and settlement. Company will not be responsible for any settlement it does not approve in writing. The obligations set forth herein do not apply with respect to portions or components of the Service (i) not supplied by Company, (ii) made in whole or in part in accordance with Customer specifications, (iii) that are modified after delivery by Company, (iv) combined with other products, processes or materials where the alleged infringement relates to such combination, (v) where Customer continues allegedly infringing activity after being notified thereof or after being informed of modifications that would have avoided the alleged infringement, or (vi) where Customer’s use of the Service is not strictly in accordance with this Agreement. If, due to a claim of infringement, the Services are held by a court of competent jurisdiction to be or are believed by Company to be infringing, Company may, at its option and expense (A) replace or modify the Service to be non-infringing provided that such modification or replacement contains substantially similar features and functionality, (B) obtain for Customer a license to continue using the Service, or (C) if neither of the foregoing is commercially practicable, terminate this Agreement and Customer’s rights hereunder and provide Customer a refund of any prepaid, unused fees for the Service.
9 LIMITATION OF LIABILITY
IN NO EVENT SHALL EITHER PARTY OR THEIR RESPECTIVE OFFICERS, DIRECTORS, PARTNERS OR EMPLOYEES, BE LIABLE TO THE OTHER PARTY FOR ANY CONSEQUENTIAL, INDIRECT, INCIDENTAL, EXEMPLARY, PUNITIVE, RELIANCE OR SPECIAL DAMAGES, OR ANY LOSS OF USE, DATA, BUSINESS OR PROFITS, ARISING OUT OF OR IN CONNECTION WITH THE PERFORMANCE UNDER THIS AGREEMENT; REGARDLESS OF THE FORM OF THE ACTION OR CLAIM AND REGARDLESS OF WHETHER THE ACTION OR CLAIM IS BASED ON ANY ALLEGED ACT OR OMISSION OF THE THIRD PARTY LICENSOR (OR ITS SUPPLIERS), INCLUDING BUT NOT LIMITED TO ANY ACTION BASED ON CONTRACT, TORT, NEGLIGENCE, BREACH OF WARRANTY, STRICT LIABILITY OR OTHERWISE, EVEN IF THE COMPANY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. THE AGGREGATE LIABILITY OF COMPANY AND ITS AFFILIATES, DIRECTORS, EMPLOYEES, AND AGENTS, AND THE SOLE REMEDY AVAILABLE FOR ANY CLAIMS ARISING OUT OF OR RELATING TO THIS AGREEMENT OR THE SERVICES, PROVIDED HEREUNDER SHALL BE LIMITED TO TERMINATION OF THIS AGREEMENT AND DAMAGES NOT TO EXCEED THE TOTAL AMOUNT PAID OR PAYABLE TO COMPANY UNDER THIS AGREEMENT DURING THE TWELVE MONTHS PRIOR TO THE CAUSE OF ACTION GIVING RISE TO SUCH LIABILITY.
THE CUSTOMER ACKNOWLEDGES THAT THE COMPANY SERVICE DOES NOT TAKE INTO ACCOUNT THE UNIQUE NATURE OF A PATIENT ENCOUNTER. USE OF THE COMPANY SERVICE DOES NOT ABSOLVE THE CUSTOMER OF ITS PROFESSIONAL OBLIGATIONS TO EXERCISE INDEPENDENT MEDICAL JUDGMENT IN RENDERING VETERINARY CARE SERVICES TO PATIENTS (INCLUDING BILLING, CODING AND COMPLIANCE), AND SUCH OBLIGATIONS LIE SOLELY WITH THE CUSTOMER. THE CUSTOMER ACKNOWLEDGES THAT THE COMPANY SERVICE IS NOT A SUBSTITUTE FOR THE CARE PROVIDED BY LICENSED VETERINARY CARE PRACTITIONERS. COMPANY UNDERTAKES NO OBLIGATION TO SUPPLEMENT OR UPDATE CONTENT OF THE COMPANY SERVICE. THE COMPANY SERVICE IS AN INFORMATIONAL RESOURCE DESIGNED TO ASSIST LICENSED VETERINARY CARE PRACTITIONERS IN DOCUMENTING THE CARE OF THEIR PATIENTS. THE INFORMATION CONTAINED WITHIN THE COMPANY SERVICE IS INTENDED FOR USE ONLY BY CLINICIANS AND OTHER VETERINARY CARE PROFESSIONALS WHO SHOULD RELY ON THEIR CLINICAL DISCRETION AND JUDGMENT IN DIAGNOSIS AND TREATMENT. CUSTOMER FURTHER ACKNOWLEDGES THAT CUSTOMER IS SOLELY RESPONSIBLE FOR THE COMPLIANCE WITH ANY DATA COLLECTION, DISCLOSURE, AND RETENTION OBLIGATIONS.
10 MISCELLANEOUS
Notwithstanding anything to the contrary in this Agreement, Company may monitor Customer’s use of the Services and collect and compile data and information related to Customer’s use of the Services in and to the extent permitted under applicable law, including, without limitation, to monitor and/or review Customer’s use of the Services in order to establish whether Company’s usage is in accordance with this Agreement. All such monitoring shall be subject to any applicable confidentiality restrictions set forth in this Agreement. If Company determines that Customer’s usage of the Service exceeds the usage permitted by the Agreement, Customer shall pay to Company all fees due for such excess usage of the Service, plus any reasonable costs incurred by Company in verifying usage compliance, within thirty (30) days of the date of written notification of the compliance verification results. If any provision of this Agreement is found to be unenforceable or invalid, that provision will be limited or eliminated to the minimum extent necessary so that this Agreement will otherwise remain in full force and effect and enforceable. Neither party shall assign any of its rights, interests or obligations under this Agreement, without the other party’s prior written consent; provided, however, that Company may assign its rights or delegate its obligations, in whole or in part, without such consent, to an entity that is an affiliate or acquires all or substantially all of the business or assets of such party to which this Agreement pertains, whether by merger, reorganization, acquisition, sale or otherwise. Customer agrees that Company may list Customer on its customer list, use its name and logo for marketing purposes, and issue a mutually agreed press release regarding the parties working together. 
This Agreement is the complete and exclusive statement of the mutual understanding of the parties and supersedes and cancels all previous written and oral agreements, communications and other understandings relating to the subject matter of this Agreement, and all waivers, amendments. Company may make modifications to this Agreement by posting the updated agreement on its website, and Customer, by its continued use of the Service after the updated terms have been posted, assents to such terms. No agency, partnership, joint venture, or employment is created as a result of this Agreement and neither party has any authority of any kind to bind the other party in any respect whatsoever. In any action or proceeding to enforce rights under this Agreement, the prevailing party will be entitled to recover costs and attorneys’ fees. All notices under this Agreement will be in writing and will be deemed to have been duly given when received, if personally delivered; when receipt is electronically confirmed, if transmitted by facsimile or e-mail; the day after it is sent, if sent for next day delivery by recognized overnight delivery service; and upon receipt, if sent by certified or registered mail, return receipt requested. Company shall not be responsible for any delay or failure to provide the Service or any associated services, in whole or in part, due to the following factors as they affect Company, its licensors, agents or representatives or the Service: federal, state or municipal action or regulation; strikes or other labor troubles; fire; damage; delay in transportation; shortages of raw materials, labor, fuel or supplies; sabotage; insurrection, riot or other acts of civil disobedience or public enemy; and failures or interruptions in Internet service or other communication failures (collectively, a “Force Majeure Event”). This Agreement shall be governed by the laws of the State of Delaware without regard to its conflict of laws provisions.
EXHIBIT A
Service Level Terms
The Services shall be available 99.9%, measured monthly, excluding scheduled maintenance. Any downtime calculation will exclude periods affected by such maintenance. Further, any downtime resulting from (a) outages of third party connections, (b) failure of Customer’s equipment, services, or other technology utilities needed for use of the Services, (c) by reason of Customer’s acts, omissions, or misuse of the Services in violation of this Agreement, (d) a Force Majeure Event, or (e) other reasons beyond Company’s control will also be excluded from any such calculation.
Customer’s sole and exclusive remedy, and Company’s entire liability, in connection with Service availability shall be that for each period of downtime lasting longer than one hour, Customer may request from Company a credit of 5% of Service fees for each period of 60 or more consecutive minutes of downtime; provided that no more than one such credit will accrue per day and a maximum of 25% of month’s fees per calendar quarter. Downtime shall begin to accrue as soon as Customer (with notice to Company) recognizes that downtime is taking place and continues until the availability of the Services is restored, unless the cause of such downtime is an exclusion from the calculation. To receive downtime credit, Customer must notify Company in writing within 30 days from the time of confirmed downtime, and failure to provide such notice will forfeit the right to receive downtime credit. Such credits may not be redeemed for cash. Service credits will only be issued to Customers with no outstanding invoices, expire upon termination of this Agreement or expiration of a Service that is not renewed. Service credits may be used against future Service fees only. Unused Services Credits are forfeited. Service credits are the sole and exclusive remedy for any failure by Company to meet any obligations in this SLA.
EXHIBIT B
Support Policy
This Support Policy sets forth the target timing and procedures for response by Company’s technical support team for issues with the Services that affect Customer’s access to and/or use of the Services described below (“Errors”).
The following table sets forth Company’s target response times for Errors by severity designation. Technical support will be available via phone, email and any future method of communication (which may include in-app chat) during normal business hours defined as between 9:00am and 5:00pm Central Time Monday through Friday.
Error Severity Level | Impact | Target Initial Response Time
Severity 1 (Critical) | Renders the Services completely inoperative. | One (1) hour
Severity 2 (High) | High impact to key portions of the Services | One (1) business day
Severity 3 (Medium to low) | Medium to low impact on the Services, but Customer can still access and use some functionality of the Services | Up to seven (7) business days
Upon Company determination of the Severity Level of an Error, Company will use commercially reasonable efforts to provide an initial response to Customer within the applicable Target Initial Response Time indicated above. Thereafter, Company will provide Customer with periodic reports on the status of corrections.
Exhibit D
Data Processing Addendum
This Data Processing Addendum (“Addendum”) is entered into between Customer and Company in connection with Company’s provision of the Services pursuant to the Agreement. This Addendum is effective as of the Effective Date of the Agreement and is hereby incorporated into the Agreement. All capitalized terms not defined in this Addendum will have the meaning given in the Agreement. In the event of any inconsistency or conflict between this Addendum and the Agreement, this Addendum will govern.
1. DEFINITIONS.
“CCPA” means the California Consumer Privacy Act of 2018 and its implementing regulations.
“Consumer” means a natural person who is a California resident, as defined in Section 17014 of Title 18 of the California Code of Regulations, as that section read on September 1, 2017, however identified, including by any unique identifier.
“Personal Information” means information that Company Processes on behalf of Customer that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular Consumer or household.
“Process” or “Processing” means any operation or set of operations that are performed on Personal Information or on sets of Personal Information, whether or not by automated means.
“Verifiable Consumer Request” means a request that is made by a Consumer, by a Consumer on behalf of the Consumer’s minor child, or by a natural person or a person registered with the California Secretary of State, authorized by the Consumer to act on the Consumer’s behalf, and that Customer can reasonably verify to be the Consumer about whom Customer has collected Personal Information.
2. COMPANY RESPONSIBILITIES.
Company will:
(a) not collect, retain, use, disclose or otherwise Process the Personal Information for any purpose other than for the specific purpose of performing the Services on behalf of Customer. Without limiting the foregoing, Company will not (i) collect, retain, use or disclose the Personal Information for a commercial purpose other than providing the Services, (ii) sell the Personal Information, (iii) combine the Personal Information received from Customer with personal information received from other entities except to the extent necessary to detect data security incidents or protect against fraudulent or illegal activity, and (iv) collect, retain, use or disclose the Personal Information outside the direct business relationship between Company and Customer;
(b) notwithstanding the limitations in clause (a), Process the Personal Information as necessary to (i) retain and employ subcontractors, subject to the requirements in clause (f) below, (ii) build or improve the quality of Company’s services, provided such use does not include building or modifying Consumer profiles that will be used to provide services to another business or to correct or augment data acquired from another source, (iii) detect data security incidents or protect against fraudulent or illegal activity, or (iv) comply with Company’s legal obligations;
(c) delete or provide access to Personal Information at Customer’s request;
(d) promptly notify Customer of any Verifiable Consumer Request Company receives;
(e) at Customer’s request, assist Customer in responding to Verifiable Consumer Requests;
(f) impose contractual obligations on its subcontractors that are at least equivalent to those obligations imposed on Company under this Addendum; and
(g) protect Personal Information in accordance with CCPA requirements. Without limiting the foregoing, Company will use measures to protect Personal Information that will meet or exceed the requirements specified in Attachment 1 attached hereto and incorporated herein.
Addendum Attachment 1 – Data Security Attachment
1. Program. Company will implement and maintain a comprehensive written information security program, which contains appropriate administrative, technical and organizational safeguards compliant with this Attachment 1.
2. Access Controls. Company will: (a) abide by the “principle of least privilege,” pursuant to which Company will permit access to Personal Information by its personnel (including subcontractors) solely on a need-to-know basis; and (b) promptly terminate its personnel’s access to Personal Information when such access is no longer required for performance under the Agreement.
3. Account Management. Company will use reasonable measures to manage the creation, use, and deletion of all account credentials used to access the facilities, systems, equipment, hardware, and software used in connection with any processing of Personal Information (“Company Systems”), including by implementing: (a) a segregated account with unique credentials for each user; (b) strict management of administrative accounts; (c) password best practices, including the use of strong passwords; and (d) periodic audits of accounts and credentials.
4. Vulnerability Management. Company will: (a) use automated vulnerability scanning tools to perform appropriate scans of the Company Systems; (b) log vulnerability scan reports; (c) conduct periodic reviews of vulnerability scan reports over time; (d) use appropriate patch management and software update tools for the Company Systems; (e) prioritize and remediate vulnerabilities by severity; and (f) use compensating controls if no patch or remediation is immediately available.
5. Security Segmentation. Company will monitor, detect and restrict the flow of information on a multilayered basis within the Company Systems using appropriate tools such as firewalls, proxies, and network-based intrusion detection systems.
6. Data Loss Prevention. Company will use reasonable data loss prevention measures to identify, monitor and protect Personal Information in use, in transit and at rest. Such data loss prevention processes and tools will include, at a minimum: (a) the prohibition of, or secure and managed use of, portable devices; (b) use of appropriate certificate-based security; and (c) secure key management policies and procedures.
7. Encryption. Company will encrypt, using industry-standard encryption tools, all Personal Information that Company: (a) transmits or sends wirelessly or across public networks; (b) stores on laptops or storage media, and (c) stores on portable devices or within the Company System. Company will safeguard the security and confidentiality of all encryption keys associated with encrypted Personal Information.
8. Secure Software Development. Company represents and warrants that any software used in connection with the processing of Personal Information is or has been developed using secure software development practices, including by: (a) segregating development and production environments; (b) filtering out potentially malicious character sequences in user inputs; (c) using secure communication techniques, including encryption; (d) using sound memory management practices; (e) using web application firewalls to address common web application attacks such as cross-site scripting, SQL injection and command injection; (f) implementing the OWASP Top Ten recommendations, as applicable; (g) patching of software; (h) testing object code and source code for common coding errors and vulnerabilities using code analysis tools; and (i) testing of web applications for vulnerabilities using web application scanners.
9. PCI Compliance. To the extent any Personal Information includes “cardholder data,” as such term is defined by the Payment Card Industry Data Security Standard (“PCI DSS”), Company will: (a) comply with the PCI DSS and other applicable payment card issuer, brand or association rules and requirements; (b) fully cooperate with any security review or investigation as may be required by any payment card issuer, brand or association or law enforcement entity regarding compliance with the PCI DSS, including by providing data security reports; (c) pay any fines and penalties in the event Company or any of its subcontractors fail to comply with such rules or requirements; and (d) on no less than an annual basis, at its own expense, undergo a PCI DSS compliance audit or self-assessment, as applicable, and provide the results of such audit or self-assessment, along with evidence of compliance (in the form of an Attestation of Compliance) to Company upon request.
10. Physical Safeguards. Company will maintain physical access controls that secure relevant Company Systems used to process any Personal Information, including an access control system that enables Company to monitor and control physical access to each Company facility.
11. Administrative Safeguards. Prior to providing access to Personal Information to any of its personnel, Company will: (a) conduct appropriate reliability evaluations of such personnel, including by performing appropriate background screening; and (b) provide appropriate security training to such personnel. Company will periodically provide additional training to its personnel as may be appropriate to help ensure that Company’s information security program meets or exceeds prevailing industry standards.