© 2025 Catalyst OrthoScience Inc. All rights reserved.
Catalyst OrthoScience Inc.
End User Service Agreement
Last Updated: May 1, 2025
This End User Service Agreement, together with any attachments hereto or terms referenced herein, and, if applicable, any Service Order (as defined below), collectively constitute a binding agreement (the “Agreement”) between Catalyst OrthoScience Inc. (“Catalyst”) and the person, organization, or other legal entity that agrees to this Agreement (“Company” or “you”).
PLEASE READ THIS AGREEMENT CAREFULLY. THIS AGREEMENT GOVERNS YOUR USE OF THE SERVICES. BY CLICKING ON THE “CREATE ACCOUNT” BUTTON, COMPLETING THE REGISTRATION PROCESS, OR ACCESSING OR USING ANY OF THE SERVICES, YOU REPRESENT THAT (1) YOU HAVE READ, UNDERSTAND, AND AGREE TO BE BOUND BY THIS AGREEMENT, (2) YOU ARE OF LEGAL AGE TO FORM A BINDING CONTRACT WITH CATALYST, (3) THE INFORMATION YOU PROVIDED IN CONNECTION WITH YOUR REGISTRATION FOR THE SERVICES IS ACCURATE AND COMPLETE, AND (4) YOU HAVE THE AUTHORITY TO ENTER INTO THIS AGREEMENT PERSONALLY OR ON BEHALF OF THE ORGANIZATION YOU HAVE NAMED AS THE USER OF THE SERVICES, AND TO BIND YOURSELF AND/OR THAT ORGANIZATION TO THIS AGREEMENT. IF YOU DO NOT AGREE TO BE BOUND BY THIS AGREEMENT, YOU DO NOT HAVE SUCH AUTHORITY, OR YOU ARE NOT OF LEGAL AGE TO FORM A BINDING CONTRACT WITH CATALYST, YOU MAY NOT ACCESS OR USE THE SERVICES.
1. Definitions. Terms not defined in this Section 1 shall have the meaning otherwise provided in this Agreement or in a Service Order.
1.1. “Account Information” means information about Company or Company employees or contractors that Company provides to Catalyst in the creation or administration of a Services-related account, such as names, usernames, login credentials, phone numbers, email addresses and billing information.
1.2. “Authorized User” means any individual who is an employee of Company or an affiliate, partner, service provider or such other person or entity as may be authorized by Company to access the Services pursuant to Company’s rights under this Agreement.
1.3. “Company Communications” means communications sent through or via the Services by an Authorized User to another Authorized User or group of Authorized Users.
1.4. “Company Data” means any data, information, programs, and other content provided or transmitted by Company or its Authorized Users to the Services, including Company Communications. Company Data includes protected health information (PHI) and Company Personal Data. Company Data does not include Account Information.
1.5. “Documentation” means, where available, the online user guides and other technical material relating to the use of the Services, including any applicable service descriptions that are made available by Catalyst to Company, as may be updated from time to time.
1.6. “Intellectual Property Rights” means any and all intellectual property, industrial property, and other proprietary rights throughout the world, including all rights in, to, or arising out of patents, patent applications, inventions (whether patentable or not), invention disclosures, trade secrets, know-how, proprietary information, works of authorship, copyrights, mask works, moral rights, trademarks, service marks, software, data, technology, layout designs and design rights, and all registrations, applications, renewals, extensions, or reissues of any of the foregoing.
1.7. “Services” means Catalyst’s Software, Documentation, and other online, web-based software applications, tools, and platforms available to Company and Authorized Users and any ancillary products and services.
1.8. “Service Order” means any online or written form or other communication provided by Catalyst evidencing Company’s subscription to the Service.
1.9. “Software” means Catalyst’s digital and computer-related programs (which are stored in and executed by computer hardware) and associated data (which also is stored in the hardware) that may be dynamically written or modified during execution, including its artificial intelligence algorithms and similar technological features, contained therein.
1.10. “Term” shall be ascribed the meaning set forth in Section 12.1 of this Agreement.
2. Modification. Catalyst may amend this Agreement from time to time and for any reason, including changes in the Services or to account for compliance obligations. When material modifications are made to this Agreement, Catalyst may (and where required by law, will) email Company of the same. Catalyst may require Company to provide consent to the updated Agreement before further use of the Services is permitted. If Company does not agree to any change(s) after receiving a notice of such change(s), Company shall stop using the Services. Otherwise, Company’s continued use of the Services constitutes Company’s acceptance of such change(s).
3. Access Rights and Restrictions.
3.1. Access. Subject to the terms and conditions of this Agreement, Catalyst grants Company a non-exclusive, non-transferable, non-sublicensable, revocable right to access and use the Services during the Term. Company may permit its Authorized Users to use the Services provided that Company shall be responsible for each Authorized User’s compliance with and breach of this Agreement.
3.2. Restrictions. Company will not, and will not permit any Authorized User or other party to: (i) modify, download, adapt, alter, translate, or create derivative works of the Services; (ii) sublicense, lease, rent, loan, distribute, or otherwise transfer the Services (including Documentation) to any third party; (iii) reverse engineer, decompile, disassemble, or otherwise derive or determine or attempt to derive or determine the source code (or the underlying ideas, algorithms, structure or organization) of the Services, except to the extent expressly permitted by applicable law (and then only upon advance written notice to Catalyst); (iv) bypass, delete, circumvent, de-install, or disable any copy protection or security mechanisms of the Services or any access management routines, access codes or control programs included by Company as part of the Services; (v) use or demonstrate the Services in any other way that is in competition with Catalyst or for the purposes of competitive analysis of the Services or the development of a competing software product or service; (vi) remove any notice of proprietary rights from the Services; (vii) attempt to gain unauthorized access to, or misuse, abuse or disrupt the integrity, performance or security of the Services or the data contained therein or any other system, website, software, material or database offered by Catalyst with respect to which Company is not granted a license or right; (viii) use the Services to knowingly transmit or store infringing, obscene, threatening, libelous, or otherwise unlawful or tortious material, including material that is harmful to children or that violates third-party privacy rights; (ix) take any actions to circumvent any limit on the number of users or access restrictions; (x) misappropriate any of the Services; or, (xi) use, display or copy the Services (including Documentation), except as expressly allowed herein. 
Catalyst shall have the right, but not the obligation, to review, monitor, and record all use of the Services and to disclose any information as necessary or appropriate to satisfy any law, regulation or other governmental request, to operate the Services properly, or to protect itself (including its affiliates) or its subscribers from any liabilities, civil or criminal. Catalyst reserves the unconditional right to refuse to post or to remove any information or materials, in whole or in part, from the Services that, in Catalyst’s sole discretion, are unacceptable, undesirable, inappropriate or in violation of this Agreement.
3.3. Downtime. Company acknowledges that access to and use of the Services may be suspended for the duration of any scheduled or unscheduled downtime or unavailability of any portion or all of the Services for any reason, including as a result of power outages, system failures or other interruptions, or any other acts, omissions or failures on the part of Catalyst.
3.4. Third-Party Products and Services. Except as otherwise provided for herein, Company may not use the Services to interact with non-Catalyst products or services (collectively, “Third-Party Services”). Notwithstanding the foregoing, Company acknowledges that use of certain Services may require the installation of certain software components owned or licensed by Catalyst from a third party (collectively “Third Party Software”) or that are subject to an open source license agreement, including components available under the GNU Affero General Public License (AGPL), GNU General Public License (GPL), GNU Lesser General Public License (LGPL), Mozilla Public License (MPL), Apache License, BSD licenses, or any other license that is approved by the Open Source Initiative (“Open Source Software” and collectively with Third Party Software, the “Third Party Components”). Any use of Third Party Components by Company shall be solely governed by the terms and conditions of the applicable license for the Third Party Components and not by the terms of this Agreement. If Company decides to use Third Party Services or Third Party Components, Company is responsible for reviewing and understanding the terms and conditions governing these Third Party Services or Third Party Components. Company agrees that the third party, and not Catalyst, is responsible for the performance of the Third Party Services and Third Party Components. Any such Third Party Components’ license terms shall be set forth in the “readme” or “about” files of the Services or otherwise made available by Catalyst. Company hereby agrees to comply with any additional terms and conditions applicable to the Third Party Components and acknowledges that any links to websites operated by third parties (collectively hereinafter the “Third Party Websites”) may be provided by Catalyst as a convenience only.
Third Party Websites shall not be deemed as under the control or supervision of Catalyst, and Catalyst does not review, approve, monitor, endorse, warrant, or make any representations with respect to Third Party Websites and is not responsible for the content of any Third Party Website.
4. Use of the Services.
4.1. Setup Responsibilities. Company shall be responsible for setting up and configuring the Services, including without limitation any provisioning of access to the Services to its Authorized Users. Company shall be responsible for obtaining and maintaining, at Company’s expense, all of the necessary telecommunications, computer hardware, software, services and Internet connectivity required by Company or any Authorized User to access the Services from the Internet. In the event that Catalyst assists or advises Company with any Services setup, configuration or support, in no event shall such assistance or advice be construed as legal advice.
4.2. Company Account. Company is solely responsible for protecting and safeguarding Company’s account and passwords and/or keys or other access protocols that have been provided to Company or that are generated in connection with Company’s use of the Services. Company shall use commercially reasonable efforts to prevent unauthorized access to or use of its account and the Services. Company is solely and fully responsible for all activities, including data privacy compliance, accrued charges, that occur in connection with its account and its use of the Services. In the event Company believes Company’s account or the Services have been compromised, including any unauthorized use or access of the Services or any other known or suspected breach of security, Company shall immediately (and in any event within twenty-four (24) hours) notify Catalyst of the same by email to info@catalystortho.com. Company agrees to promptly: (i) provide complete, true, accurate, and up-to-date information about Company as prompted by the registration form, if applicable, and (ii) maintain and update this information to keep it true, accurate, up-to-date and complete.
4.3. Suspension, Limitation and Termination of Access. Catalyst shall be entitled, without liability to Company and without notice, to immediately suspend, terminate or limit Company’s access to the Services at any time in the event that Catalyst determines, in its reasonable discretion, that (i) the Services are being used by Company, or its Authorized Users, in violation of any applicable laws or regulations or this Agreement; (ii) the Services are being used by Company in an unauthorized, inappropriate, or fraudulent manner; (iii) the use of the Services by Company adversely affects Catalyst’s equipment or service to others in Catalyst’s sole discretion; (iv) Catalyst is prohibited by an order of a court or other governmental agency from providing the Services; (v) there is a denial of service attack or any other event which Catalyst determines, in its sole discretion, may create a risk to the Services or to any other customers if the Services were not suspended; (vi) there is a security incident or other disaster that impacts the Services or the security of the Services, Company’s account or Company Data; (vii) any payment amount due under this Agreement is not received by Catalyst within ten (10) days after it was due, or (viii) Company fails to comply with any term (material or not) or condition of this Agreement. Without limiting the generality of this Section, Catalyst shall have no liability for any damages, liabilities or losses as a result of any suspension, limitation or termination of Company’s right to use the Services pursuant to this Section 4.3. Company agrees to immediately cease and desist from using the Services and agrees not to try to access the Services in violation of this Section.
5. Intellectual Property.
5.1. Ownership. Company agrees that the Services (including the Documentation) are protected by copyright and other laws relating to Intellectual Property Rights, and that the Services embody valuable confidential information of Catalyst and its suppliers, the development of which required the expenditure of considerable time and financial resources. All right, title, and interest in and to the Services, and all worldwide Intellectual Property Rights therein and associated therewith, are the exclusive property of Catalyst and its suppliers. All rights in and to the Services not expressly granted to Company in this Agreement are reserved by Catalyst and its suppliers. Except as expressly set forth herein, no express or implied license or right of any kind is granted to Company regarding the Services, or any part thereof, including any right to obtain possession of any software, source code, data or other technical material related to the Services.
5.2. Continuous Development. Company acknowledges that Catalyst may continually develop, deliver and provide to Company on-going innovation to the Services in the form of new features, functionality, and efficiencies. Catalyst reserves the right to modify the Services from time to time. Some modifications will be provided to Company at no additional charge. In the event Catalyst adds additional functionality to a particular Service, Catalyst may condition the implementation of such modifications on Company’s payment of additional fees, provided that Company may continue to use the version of the Services that Catalyst makes generally available (without such features) without paying additional fees. Notwithstanding anything to the contrary in this Agreement, Catalyst has the right for itself and its affiliates, in its/their sole discretion, at any time and from time to time to change, modify or discontinue, temporarily or permanently, the Services or any part thereof. Under no circumstances shall Catalyst be liable to Company or any other third party for any such modification, suspension or discontinuance. If any of the Services are discontinued by Catalyst, this Agreement shall be terminated in accordance with Section 12.2 of this Agreement in relation to the Services that are discontinued.
5.3. Feedback. In the event that Company or its Authorized Users provide any comments or suggestions in connection with the Services, whether written or oral (collectively, the “Feedback”), Catalyst, in its sole discretion, shall be entitled to use the Feedback without restriction, and such Feedback will not be treated as confidential to Company. Company hereby grants Catalyst, on behalf of itself and its Authorized Users, a worldwide, non-exclusive, irrevocable, perpetual, royalty-free right and license to incorporate the Feedback into Catalyst products and services.
5.4. Aggregated Data. Catalyst may, to the extent permitted by applicable laws and regulations, collect and derive from Company Data aggregated data that does not identify Company, any third-party entity or any natural persons (“Aggregated Data”) and use and disclose such Aggregated Data for Catalyst’s legitimate business purposes, which may include but are not limited to improving and enhancing the Services, service and product development, research and marketing, and other development, diagnostic and corrective purposes.
6. Fees and Payment Terms.
6.1. Fees. In consideration for the Services, Company will pay to Catalyst the then-current fees, if any, set forth in the “Account” section of Company’s account in the Services, unless such payment terms are otherwise set forth in an applicable Service Order (the “Fees”). Catalyst shall be entitled to withhold performance and suspend or discontinue the Services until any and all outstanding Fees due are paid in full. In the event of a temporary suspension of Company’s access to the Services, applicable Fees will continue to accrue. For the avoidance of doubt, Company shall, at any and all times, comply with this Agreement, regardless of the amount of Fees, if any, Company pays to access and use the Services.
6.2. Fee Increases. Catalyst will provide Company fourteen (14) days’ advance notice for any increase in fees. Any increases to the Fees shall apply at the beginning of Company’s following Term. Company’s continued use of the Services after a Fee increase will constitute Company’s agreement to the increase in Fees.
6.3. Billing. Catalyst will charge Company the Fees for the Services in advance for each billing period on or after the first day of such billing period. All Fees for Services are due and payable in US Dollars and are non-refundable. If Company is paying by credit card or eCheck, then (i) Company hereby irrevocably authorizes Catalyst to charge the credit card or other payment method provided for any such amounts when due, (ii) amounts due will be automatically charged, (iii) if Company’s credit card is declined, Catalyst will attempt to reach out to Company for a new payment method, and (iv) if Company’s credit card expires, Company hereby gives Catalyst permission to submit the credit card charge with a later expiration date. If Catalyst fails to resolve an issue with Company resulting from a credit card decline or expiration, Catalyst may terminate the account due to non-payment. Company agrees to notify Catalyst of all billing disputes within fourteen (14) days of delivery of the billing statement or invoice, and disputes not made within that time are waived. Late payments, including those resulting from credit card declines, will accrue interest at a rate of one and one-half percent (1.5%) per month, or the highest rate allowed by applicable law, whichever is lower. If Catalyst must initiate a collections process to recover Fees due and payable hereunder, then Catalyst shall be entitled to recover from Company all costs associated with such collections efforts, including but not limited to reasonable attorneys’ fees. In the event Catalyst delivers to Company an invoice for any Fees or interest payments owed hereunder, such invoiced amounts shall be due upon receipt, unless otherwise set forth in the Service Order.
6.4. Taxes. The Fees are exclusive of all applicable sales, use, value-added and other taxes, and all applicable duties, tariffs, assessments, export and import fees, or other similar charges, and Company will be responsible for payment of all such taxes (other than taxes based on Catalyst’s income), fees, duties, and charges and any related penalties and interest, arising from the payment of the Fees and the delivery of the Services. To the extent that Catalyst charges any of the aforementioned taxes, they are calculated using the tax rates that apply based on the billing address provided by Company. Such amounts are in addition to the Fees and will be billed to Company’s authorized payment method. If Company is exempt from payment of any such taxes, Company must provide Catalyst with evidence of exemption. If Company is not charged any of the aforementioned taxes by Catalyst, Company is responsible for determining if taxes are payable, and if so, self-remitting such taxes to the appropriate tax authorities in Company’s jurisdiction. Company will make all payments of Fees to Catalyst free and clear of, and without reduction for, any withholding taxes. Any such taxes imposed on payments of Fees to Catalyst will be Company’s sole responsibility, and Company will provide Catalyst with official receipts issued by the appropriate taxing authority, or such other evidence as Catalyst may reasonably request, to establish that such taxes have been paid. Company shall indemnify, defend, and hold Catalyst harmless in connection with any proceedings brought by any taxing authorities in connection with this Agreement.
6.5. Expenses. Company shall reimburse Catalyst for reasonable out-of-pocket expenses (including travel and living) incurred in performing its obligations for specific Services under such Service Order. All costs and expenses incurred by Company in connection with this Agreement are the sole responsibility of Company.
7. Company Data and Processing.
7.1. Company Data. Company Data, and all worldwide Intellectual Property Rights therein, is, as between Catalyst and Company, the exclusive property of Company. Company grants Catalyst a non-exclusive, sublicensable, transferable, worldwide, royalty-free and fully paid license to process and use Company Data as necessary for purposes of providing the Services and as otherwise permitted in this Agreement. Company warrants that Company is the owner or legal custodian of, or otherwise has the right and has or will obtain the necessary permissions, valid consents and releases to lawfully transmit, store and use all Company Data in connection with the Services and to grant the rights granted to Catalyst under this Agreement.
7.2. Sensitive and Regulated Data. Catalyst shall collect, use, disclose and otherwise process: (i) protected health information in accordance with the Subcontractor Business Associate Agreement (attached hereto) and (ii) Company Personal Data in accordance with the Data Processing Addendum (attached hereto).
7.3. Company Responsibilities. Company is encouraged to make its own back-ups of Company Data, and Company agrees that the Services are not intended to serve as a back-up or archive system of Company Data. Company shall have the sole responsibility for the accuracy, quality, integrity, legality, reliability, and appropriateness of all Company Data and the means by which Company acquired Company Data, and for the adequate security, protection and backup of Company’s Data. Company shall not use the Services, or allow others to use the Services, to collect directly or indirectly from individuals that access or use Company’s website any sensitive or special categories of Personal Data.
7.4. Compliance; Company Communications. Company shall comply with all applicable laws and regulations applicable to Company’s use of the Services, including Company Communications, which laws and regulations shall include but not be limited to any applicable laws that govern wiretapping, data privacy and protection, intellectual property, and the use, sending, or transmission of electronic messages. Company acknowledges and agrees that Catalyst does not control or monitor Company Communications, or guarantee the accuracy, integrity, security or quality of such Company Communications and is not responsible for obtaining any necessary consents or permissions from recipients of Company Communications. Upon request, Company shall provide reasonable proof of compliance with the provisions set forth in this Section 7.4, and Catalyst shall have no obligation to provide Services where Catalyst reasonably believes that Company has not so complied.
8. Representations, Warranties, and Disclaimers.
8.1. Mutual Representations and Warranties. Catalyst and Company each represents and warrants that it has full corporate right, power, and authority to enter into this Agreement and the execution of this Agreement by and the performance of its obligations and duties hereunder do not and will not violate any agreement to which it is a party or is otherwise bound.
8.2. Company Representations and Warranties. Company represents and warrants to Catalyst that (i) Company Data and use of Company Data by Company and Catalyst (a) will not infringe, misappropriate, or otherwise violate the Intellectual Property Rights or other rights of any third party, (b) will not constitute defamation, invasion of privacy or publicity, or otherwise violate any similar rights of any third party, and (c) will not be used in any activity in violation of the law or to promote such activities, including, without limitation, in a manner that might be illegal or harmful to any person or entity; (ii) Company will not use the Services to intentionally or unintentionally distribute, share, or facilitate the distribution of unauthorized data, malware, viruses, Trojan horses, spyware, worms, or other malicious or harmful code; and (iii) Company will comply with all applicable laws, statutes, and regulations with respect to its access and use of the Services.
8.3. Warranty Disclaimer. COMPANY AGREES THAT THE SERVICES ARE PROVIDED “AS IS,” “AS AVAILABLE,” AND WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING (BUT NOT LIMITED TO) ANY WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, WHICH WARRANTIES ARE HEREBY DISCLAIMED. COMPANY AGREES THAT THE SERVICES MAY NOT MEET COMPANY’S REQUIREMENTS, MAY NOT BE COMPATIBLE WITH ANY PARTICULAR INFORMATION SYSTEM, AND MAY NOT RESULT IN ANY ACTUAL BUSINESS OPPORTUNITIES, REVENUE OR SAVINGS. COMPANY FURTHER ACKNOWLEDGES AND AGREES THAT THE SERVICES MAY NOT BE CONTINUOUSLY AVAILABLE AND MAY CONTAIN ERRORS, BUGS, VIRUSES, AND OTHER GLITCHES THAT MAY NOT BE CORRECTED. THE SERVICES AND SUPPORT SERVICES MAY BE SUBJECT TO LIMITATIONS, DELAYS, AND OTHER PROBLEMS INHERENT IN THE USE OF THE INTERNET AND ELECTRONIC COMMUNICATIONS AND CATALYST IS NOT RESPONSIBLE FOR ANY DELAYS, DELIVERY FAILURES, VIRUSES, LOSS OR COMPROMISE TO COMPANY DATA, OR OTHER DAMAGE RESULTING FROM SUCH PROBLEMS. THE ENTIRE RISK AS TO THE USE OF THE SERVICES IS ASSUMED BY COMPANY.
9. Allocation of Risk and Limitation of Liability.
9.1. Limitation of Liability. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT WILL CATALYST, NOR ANY OF ITS AFFILIATES, SUBCONTRACTORS, LICENSORS, VENDORS OR SUPPLIERS, NOR ANY OF ITS THIRD-PARTY PARTNERS (INCLUDING THIRD PARTY COMPONENT SUPPLIERS), BE LIABLE TO COMPANY OR ANY OTHER THIRD PARTY FOR LOST REVENUES, LOST PROFITS OR ANY SPECIAL, INCIDENTAL, INDIRECT, CONSEQUENTIAL, PUNITIVE, RELIANCE OR EXEMPLARY DAMAGES ARISING FROM COMPANY’S OR ANY OTHER THIRD PARTY’S USE OF OR INABILITY TO USE THE SERVICES INCLUDING, BUT NOT LIMITED TO, LOSS OF TECHNOLOGY, LOSS OF DATA OR INTERRUPTION OR LOSS OF USE, OR DAMAGES WHETHER OR NOT CATALYST HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGE OR LOSS. THE MAXIMUM AGGREGATE LIABILITY OF CATALYST, ITS LICENSORS AND VENDORS ARISING OUT OF OR IN CONNECTION WITH THIS AGREEMENT, WHETHER IN CONTRACT, TORT (INCLUDING NEGLIGENCE, STRICT LIABILITY OR OTHERWISE), SHALL NOT EXCEED THE ACTUAL FEES PAID BY COMPANY FOR THE SERVICE FOR THE SIX (6) MONTH PERIOD IMMEDIATELY PRECEDING THE INITIAL EVENT GIVING RISE TO LIABILITY HEREUNDER, LESS ANY DAMAGES PREVIOUSLY PAID BY CATALYST TO COMPANY IN THAT TWO (2) MONTH PERIOD.
9.2. Basis of the Bargain. The parties agree that the limitations of liability set forth in this Section 9 shall survive and continue in full force and effect despite any failure of consideration or of an exclusive remedy. The parties acknowledge that the Fees have been set and this Agreement entered into in reliance upon these limitations of liability and that all such limitations form an essential basis of the bargain between the parties.
10. Confidentiality.
10.1. Confidential Information. During the term of this Agreement, each party (the “Disclosing Party”) may provide the other party (the “Receiving Party”) with certain information regarding the Disclosing Party’s business, technology, products, or services, or other confidential or proprietary information (collectively, “Confidential Information”) in whatever form (written, oral or visual) that is furnished or made available to the Receiving Party by or on behalf of the Disclosing Party that (i) if in tangible form, the Disclosing Party has labeled in writing as proprietary or confidential, (ii) if in oral or visual form, the Disclosing Party has identified as proprietary or confidential at the time of disclosure, or (iii) is of a character that is commonly and reasonably regarded as confidential and/or proprietary. For the avoidance of doubt, the Services (including Documentation), and all enhancements and improvements thereto, will be considered Confidential Information of Catalyst. Confidential Information does not include protected health information or Company Personal Data, the confidentiality and privacy of which is governed by the Subcontractor Business Associate Agreement and the Data Processing Addendum, respectively.
10.2. Protection of Confidential Information. The Receiving Party agrees that it will not use or disclose to any third party any Confidential Information of the Disclosing Party, except for exercising its rights and performing its obligations under this Agreement. The Receiving Party will limit access to the Confidential Information to its employees and contractors who have a need to know, who are subject to confidentiality obligations no less restrictive than those set forth herein and who have been informed of the confidential nature of such information. In addition, the Receiving Party will protect the Disclosing Party’s Confidential Information from unauthorized use, access, or disclosure in the same manner that it protects its own proprietary information of a similar nature, but in no event with less than reasonable care. At the Disclosing Party’s request or upon termination of this Agreement, the Receiving Party will return to the Disclosing Party or destroy (or permanently erase in the case of electronic files) all copies of the Confidential Information that the Receiving Party does not have a continuing right to use under this Agreement, and, upon request, the Receiving Party shall provide to the Disclosing Party written notice certifying compliance with this sentence, unless prohibited by applicable law. Notwithstanding anything to the contrary in this Agreement, Catalyst may retain and disclose Confidential Information of Company to the extent required by law or if it is required to protect Catalyst’s legitimate interests.
10.3. Exceptions. The confidentiality obligations set forth in this Section 10 will not apply to any information that: (i) is or becomes generally available to the public through no fault of the Receiving Party; (ii) is lawfully provided to the Receiving Party by a third party free of any confidentiality duties or obligations; (iii) the Receiving Party can prove, by clear and convincing evidence, was already known to the Receiving Party without restriction at the time of disclosure; or (iv) the Receiving Party can prove, by clear and convincing evidence, was independently developed by employees and contractors of the Receiving Party who had no access to the Confidential Information. In addition, the Receiving Party may disclose Confidential Information to the extent that such disclosure is necessary for the Receiving Party to enforce its rights under this Agreement or is required by law or by the order of a court or similar judicial or administrative body, provided that the Receiving Party promptly (to the extent legally permitted) notifies the Disclosing Party in writing of such required disclosure and reasonably cooperates with the Disclosing Party if the Disclosing Party seeks an appropriate protective order.
10.4. Remedies. Any breach or threatened or attempted breach of this Section 10 may result in immediate, irreparable harm for which monetary damages would be an inadequate remedy. If a court of competent jurisdiction finds that the Receiving Party has breached (or attempted or threatened to breach) any of the obligations set forth in this Section 10, the Receiving Party agrees that, without any additional findings of irreparable injury, posting a bond, or other conditions to injunctive relief, it will not oppose the entry of an appropriate order compelling its performance and restraining it from any further breaches (or attempted or threatened breaches).
- Indemnification. Company will indemnify, defend and hold Catalyst, its officers, directors, affiliates, subsidiaries, licensors, agents and employees (each a “Catalyst Party”) harmless from and against any and all losses, damages, liability, costs and expenses awarded by a court or agreed upon in settlement, as well as all reasonable and related attorneys’ fees and court costs arising out of or relating to Company’s access to, or use of, the Services.
- Term and Termination.
12.1. Term. These Terms commence on the earlier of Company’s (i) registration of an account with Catalyst to use the Services, or (ii) access to, or use of, the Services, and shall continue until all Services subscriptions in all Service Orders have expired or have been terminated. Unless otherwise specified on an applicable Service Order, Company’s subscription to the Services commences on Company’s registration for an account, and shall continue in effect for one (1) year (the “Initial Term”). Thereafter, and unless otherwise specified in a Service Order, each applicable Service Order shall automatically renew for successive one (1) year terms (each a “Renewal Term”), unless either party provides notice to the other party of its intention not to renew at least sixty (60) days prior to expiration of the Initial Term or the then-current Renewal Term. The Initial Term and all Renewal Terms will collectively be referred to as the “Term”.
12.2. Termination. Either party may terminate this Agreement immediately upon notice to the other party if the other party materially breaches this Agreement, and such breach remains uncured more than thirty (30) days after receipt of written notice of such breach. Catalyst may terminate this Agreement at any time without cause and without notice. In addition, Catalyst may terminate this Agreement upon notice to Company (i) if Company becomes the subject of a petition in bankruptcy or any proceeding relating to insolvency, receivership, or liquidation for the benefit of creditors; (ii) in the event of late or non-payment of Fees; (iii) if Company’s account is inactive for a period of three (3) months or more, or (iv) for any other reason set forth in this Agreement.
12.3. Effect of Termination. Upon termination or expiration of this Agreement for any reason: (i) all rights and obligations of both parties, including all licenses granted hereunder, shall immediately terminate (except that all payment obligations accrued prior to termination or expiration shall survive); and (ii) each party shall comply with the obligations to return or destroy all Confidential Information of the other party, as set forth in Section 10.2. Additionally, Catalyst shall have no obligation to retain any Company Data after any termination or expiration of this Agreement and may delete all Company Data, unless required to do otherwise by applicable law. All liabilities accrued under this Agreement prior to the effective date of termination and the following Sections will survive expiration or termination of this Agreement for any reason: Sections 1-2, Sections 4-6, Sections 8-11, Section 12.3, and Section 13. Upon termination of this Agreement, Company will have no rights to use the Services and shall not have any rights or remedies to request any information stored with the use of Services.
- Miscellaneous.
13.1. Marketing. Company agrees that Catalyst may refer to Company by name, logo and trademark in Catalyst’s marketing materials and website. Company acknowledges and agrees that Catalyst does not certify or endorse, and has no obligation to certify or endorse, any of Company’s products, services, or content.
13.2. Governing Law and Venue. This Agreement and any action related thereto will be governed and interpreted by and under the laws of the State of Florida, without giving effect to any conflicts of laws principles that require the application of the law of a different jurisdiction. Company hereby expressly consents to the personal jurisdiction and venue in the state and federal courts located in Miami-Dade County, Florida for any lawsuit arising from or related to this Agreement. The United Nations’ Convention on Contracts for the International Sale of Goods does not apply to this Agreement. Company may not bring any suit or action against Catalyst for any reason whatsoever more than one (1) year after the cause of action accrued.
13.3. Export. Company agrees not to export, re-export, or transfer, directly or indirectly, any software, technology or information forming a part of the Services or the Documentation outside Canada or the United States of America, or in violation of any export control or other laws and regulations of Canada, the United States of America, or any other relevant jurisdiction. For the avoidance of doubt, the Services may only be used or accessed by Company or a Company’s client or prospective client from within the United States.
13.4. Severability. If any provision of this Agreement is, for any reason, held to be invalid or unenforceable, the other provisions of this Agreement will remain enforceable and the invalid or unenforceable provision will be deemed modified so that it is valid and enforceable to the maximum extent permitted by law.
13.5. Waiver. Any waiver or failure to enforce any provision of this Agreement on one occasion will not be deemed a waiver of any other provision or of such provision on any other occasion.
13.6. No Assignment. Company may not assign its rights or delegate any obligations hereunder without the express prior written consent of Catalyst. Any assignment by Company without the prior written consent of Catalyst shall be null and void. Catalyst may assign its rights or obligations hereunder without notice or consent; provided, however, that the Services shall continue to operate as specified in this Agreement. This Agreement shall inure to the benefit of each party’s permitted successors and assigns.
13.7. Force Majeure. Without limiting any other provision in this Agreement, Catalyst, or any Catalyst Party, is not responsible or liable to any Company for delay or failure to perform its obligations hereunder in the event that any of Catalyst or Catalyst Parties’ operations or activities are affected by any cause or event beyond the sole and reasonable control of the applicable Catalyst Party (as determined by such party in its sole discretion), including, without limitation, by reason of any acts of God, equipment failure, threatened or actual terrorist acts, air raid, act of public enemy, war (declared or undeclared), civil disturbance, insurrection, riot, epidemic, pandemic, fire, explosion, earthquake, flood, hurricane, unusually severe weather, blackout, embargo, labor dispute or strike (whether legal or illegal), labor or material shortage, transportation interruption of any kind, work slowdown, any law, rule, regulation, action, order, or request adopted, taken, or made by any governmental or quasi-governmental entity (whether or not such governmental act proves to be invalid), or any other cause, whether or not specifically mentioned above.
13.8. Independent Contractors. Each party’s relationship to the other party is that of an independent contractor, and neither party is an agent or partner of the other. Neither party will have, and will not represent to any third party that it has, any authority to act on behalf of the other.
13.9. Third-Party Beneficiaries. There are no third-party beneficiaries under this Agreement.
13.10. Notices. Except as otherwise expressly permitted in this Agreement, notices under this Agreement shall be in writing and shall be deemed to have been given (i) five (5) business days after mailing if sent by registered or certified U.S. mail, (ii) when personally delivered, or (iii) one (1) business day after deposit for overnight delivery with a recognized courier for U.S. deliveries (or three (3) business days for international deliveries). Company shall give notice to Catalyst at the following address: Catalyst, ATTN: Legal Notice, 8305 Crespi Blvd #3A Miami Beach, FL 33141. Notwithstanding the foregoing, Catalyst may provide any and all notice required to Company under this Agreement via electronic communication (e.g., email, posting a notice on the orgemeter.com website) and such electronic communication shall be deemed to have been given one (1) minute after being sent from Catalyst to Company. Where Catalyst requires Company to provide an email address, Company is responsible for providing Catalyst with its most current email address. In the event that the last email address provided to Catalyst is not valid, or for any reason is not capable of delivering to Company any notices required or permitted by this Agreement, Catalyst’s dispatch of the email containing such notice will nonetheless constitute effective notice.
13.11. Entire Agreement. This Agreement, any attachments hereto or terms referenced herein, and any applicable Service Order, constitute the final, complete and exclusive agreement of the parties with respect to the subject matters hereof and supersedes and merges all prior discussions between the parties with respect to such subject matters. Any terms and conditions that may be contained in any acknowledgement, invoice, purchase order or other Company-provided form are specifically null and void. Except as otherwise set forth in this Agreement, no modification of or amendment to this Agreement, or any waiver of any rights under this Agreement, will be effective unless in writing and signed by an authorized signatory of Company and Catalyst.
Data Processing Addendum
This Data Processing Addendum (the “DPA”) is intended to supplement this Agreement between Catalyst and Company. In the event of a conflict between this DPA and this Agreement, the terms and conditions set forth in this DPA shall supersede and control with respect to such conflict. Any capitalized term that is used, but not otherwise defined, herein shall be ascribed the meaning set forth in this Agreement.
THIS DPA REFLECTS EACH PARTY’S UNDERSTANDING AND AGREEMENT WITH REGARD TO THE PROCESSING OF COMPANY PERSONAL DATA BY CATALYST FOR, OR ON THE BEHALF OF, COMPANY. THIS DPA REPLACES AND SUPERSEDES ANY AND ALL PREVIOUSLY AGREED UPON TERMS AND CONDITIONS WITH RESPECT TO THE PROCESSING OF COMPANY PERSONAL DATA. FOR THE AVOIDANCE OF DOUBT, THE SUBCONTRACTOR BUSINESS ASSOCIATE AGREEMENT (AND NOT THIS DPA) APPLIES TO THE COLLECTION AND PROCESSING OF PROTECTED HEALTH INFORMATION (PHI) BY CATALYST.
- DEFINITIONS
1.1. Affiliate means any person that is directly or indirectly, through one or more intermediaries, Controlling, Controlled by, or under common Control with, one of the parties hereto. For purposes of this definition, “Control” shall mean possessing, directly or indirectly, the power to direct or cause the direction of the management, policies, and operations of a person, whether through ownership of voting securities or by contract.
1.2. California Consumer Privacy Act (“CCPA”) means the California Consumer Privacy Act of 2018, as amended and reenacted by the California Privacy Rights Act of 2020 and any other applicable amendments (codified at Cal. Civ. Code § 1798.100 et seq.), and includes all implementing regulations thereto.
1.3. Company Personal Data means the Personal Data that Catalyst Processes on behalf of Company.
1.4. Canadian Data Protection Law means all privacy legislation in Canada, and all regulations thereto, each as amended from time to time, including where applicable the following: the Personal Information Protection and Electronic Documents Act, SC 2000, c 5 (Federal) and/or any similar or successor federal data protection legislation applicable to the processing of Personal Data by organizations in Canada; An act respecting the protection of personal information in the private sector, R.S.Q., c.P-39.1 (Quebec); the Personal Information Protection Act, SA 2003, c P-6.5 (Alberta); and, the Personal Information Protection Act, SBC 2003, c 63 (British Columbia).
1.5. Data Controller means an entity that determines the purposes and means of the Processing of Personal Data.
1.6. Data Processor means an entity that Processes Personal Data on behalf of a Data Controller.
1.7. Data Protection Law means all laws, statutes, and regulations applicable to the Processing of Company Personal Data under this Agreement, including (when applicable) the Canadian Data Protection Law, CCPA, the GDPR, and the United Kingdom (UK) Data Protection Act 2018.
1.8. Data Subject means an identified or identifiable individual whose Personal Data is being Processed by Catalyst.
1.9. Documented Instructions means the Processing terms and conditions set forth in this Agreement, this DPA, and any applicable and mutually agreed upon statement of work or similar work order issued thereunder describing Processing responsibilities.
1.10. European Union (EU) Standard Contractual Clauses means standard contractual clauses adopted by the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021 for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.
1.11. General Data Protection Regulation (“GDPR”) means the Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC and all applicable European Union (EU) Member State legislation implementing the same.
1.12. Personal Data means any information or data that, alone or in combination with other information or data, can be used to reasonably identify a particular individual, household, or device, and is subject to, or otherwise afforded protection under, an applicable Data Protection Law.
1.13. Process, Processing, or Processes means any action performed on Company Personal Data, including collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure, transfer or otherwise making available, alignment or combination, restriction, deletion, or destruction.
1.14. Security Event means any actual or reasonable degree of certainty of unauthorized access, use, loss, acquisition, exfiltration, or disclosure of unencrypted Company Personal Data. A Security Event does not include an Unsuccessful Security Incident.
1.15. Services means digital services provided by Catalyst to Company pursuant to this Agreement that involve Catalyst Processing of Company Personal Data on behalf of Company.
1.16. Third-Party Sub-Processor means any third-party organization engaged by Catalyst to Process Company Personal Data on its behalf.
1.17. United Kingdom (UK) Addendum means the International Data Transfer Addendum to the EU Standard Contractual Clauses (B.1.0) issued by the UK Information Commissioner’s Office under S119A(1) Data Protection Act 2018, in force 21 March 2022, and as may be amended or replaced by the UK Information Commissioner’s Office or/and Secretary.
1.18. Unsuccessful Security Incident means an unsuccessful attempt or activity that does not compromise the security of Company Personal Data, including (without limitation) pings and other broadcast attacks of firewalls or edge servers, port scans, unsuccessful log-on attempts, denial-of-service attacks, packet sniffing (or other unauthorized access to traffic data that does not result in access beyond headers) or similar incidents.
- SCOPE AND APPLICABILITY; OWNERSHIP
2.1. Scope; Applicability. This DPA applies where and only to the extent that Catalyst Processes Company Personal Data for or on the behalf of Company in the course of providing Services pursuant to this Agreement. Notwithstanding expiry or termination of this Agreement, this DPA will remain in effect until, and will automatically expire upon, deletion, return, or archiving of all Company Personal Data by Catalyst to Company.
2.2. Data Ownership. As between Company and Catalyst, Company owns the Company Personal Data and all Company Personal Data shall remain the property of Company. Company hereby grants and agrees to grant to Catalyst and its affiliates a worldwide, non-exclusive, sublicensable, royalty-free right and license to Process the Company Personal Data to the extent reasonably necessary to provide, monitor, and modify the Services or as otherwise set forth herein.
- PROCESSING DETAILS; DISCLAIMERS
3.1. Roles and Responsibilities. For the purposes of this DPA, (i) where Company is considered a Data Controller, then Catalyst shall be considered a Data Processor, and (ii) where Company is considered a Data Processor, then Catalyst shall be considered a sub-Processor, provided that in either of the foregoing circumstances, Catalyst shall Process any Company Personal Data in accordance with the Documented Instructions, unless required to do otherwise by law. In the event Catalyst is compelled by law to Process Company Personal Data other than in accordance with the terms and conditions set forth in the Documented Instructions, Catalyst shall notify Company of that legal requirement prior to Processing, unless such notification is expressly prohibited by law. Additional Processing by Catalyst outside the Documented Instructions, if any, will require prior written agreement between Catalyst and Company.
3.2. Details of Processing. The subject matter, duration, nature, and purpose of the Processing, the types of Company Personal Data, and the categories of Data Subjects covered by this DPA are set forth in this Agreement and this DPA, including Annex I, and, when necessary, supplemented in an additional statement of work or similar work order executed between the parties. The parties agree that Company is solely responsible for determining the types of Company Personal Data uploaded to, and used within, the Services.
3.3. CCPA Disclaimer. Each party acknowledges and agrees that the disclosure of Company Personal Data to the other does not constitute, and is not the intent of either party for such disclosure to constitute, a Sale or Sharing of Company Personal Data, and if valuable consideration, monetary or otherwise, is being provided by either party, such valuable consideration, monetary or otherwise, is being provided for the rendering of Services and not for the disclosure of Company Personal Data. Catalyst (i) shall not collect, retain, use, or disclose Company Personal Data for any purpose (including for any commercial purpose) other than for the specific purpose of performing the Services, unless otherwise required by law, (ii) shall not Sell or Share Company Personal Data, except as necessary to satisfy its obligations under this Agreement, (iii) shall not collect, retain, use, or disclose Company Personal Data outside the direct business relationship between Catalyst and Company, unless expressly permitted by law, and (iv) shall, at Company’s reasonable request, cease any unauthorized Processing of Company Personal Data and grant Company authorization to assess and remediate any such unauthorized Processing. This DPA is Catalyst’s certification, to the extent the CCPA or any other applicable Data Protection Law requires such a certification, that Catalyst understands and will comply with the Processing limitations with respect to Company Personal Data that are reasonable and set forth in the Documented Instructions. The parties acknowledge and agree that the “business purpose” for which Catalyst Processes Company Personal Data is to provide the Services as defined in the applicable Agreement. For purposes of this Section 3.3 only, the terms “Business,” “Service Provider,” “Personal Information,” “Sale,” and “Sell” shall have the same meaning as set forth in the CCPA (Cal. Civ. Code § 1798.140). 
The limitations set forth in this Section 3.3 shall not be interpreted to prevent Catalyst from complying with an applicable law, statute, regulation, or binding order of a governmental or regulatory body.
3.4. Canadian Law Disclaimers. Catalyst shall take all reasonable steps (including implementing the procedures necessary for compliance with this Agreement and this DPA) to ensure that Catalyst (i) shall not collect, retain, use, or disclose Company Personal Data for any purpose (including for any commercial purpose) other than for the specific purposes of carrying out this Agreement and/or performing the Services, unless otherwise required by law, and (ii) shall allow Company, on reasonable notice, to verify Catalyst’s compliance relating to confidentiality requirements in this Agreement and this DPA, provided any such verification shall not be permitted to disrupt Catalyst’s Processing activities or compromise the security and confidentiality of Personal Data pertaining to other Catalyst customers/clients. The term “Security Event” includes a “breach of security safeguards” and a “confidentiality incident” as each of those terms are defined and used under Canadian Data Protection Law. Notwithstanding the foregoing, Company agrees that it is aware of inconsequential attempts that might occur on a frequent basis to penetrate computer networks or servers (e.g., scans, “pings” or other inconsequential attempts) of Catalyst and Catalyst is not required to furnish Company with notice of incidents of this nature.
- COMPANY OBLIGATIONS
4.1. Accuracy; Compliance. Company shall be responsible for complying with all requirements that apply to it under applicable Data Protection Law and the Documented Instructions it issues to Catalyst. Where Company acts as a Data Controller under this DPA, then Company is solely responsible for the accuracy, quality, and legality of Company Personal Data; complying with all necessary transparency and lawfulness requirements under applicable Data Protection Law for the collection and use of Company Personal Data, including obtaining any necessary consents and authorizations from Data Subjects or otherwise; and, ensuring that the Documented Instructions comply with all applicable laws, statutes, and regulations, including applicable Data Protection Law. Where Company acts as a Data Processor under this DPA, Company represents it has executed terms and conditions with the applicable Data Controller requiring the Data Controller to acknowledge and agree that the Data Controller is solely responsible for the accuracy, quality, and legality of Company Personal Data; complying with all necessary transparency and lawfulness requirements under applicable Data Protection Law for the collection and use of the Company Personal Data, including obtaining any necessary consents and authorizations from Data Subjects or otherwise; and, ensuring that the Documented Instructions comply with all applicable laws, statutes, and regulations, including applicable Data Protection Law.
4.2. Lawful Basis. Company hereby represents to Catalyst that Company has the legal authority and appropriate business purpose to provide Catalyst with any and all Company Personal Data in conjunction with the Services, and when legally required, has obtained the consent from all applicable Data Subjects concerning the Processing described herein.
4.3. Sufficiency. Company is solely responsible for reviewing the Services, including any available security documentation and features, to determine whether they satisfy Company’s requirements, business needs, and legal obligations. Company is responsible for its use of the Services, including making appropriate use of the Services to ensure a level of security appropriate to the risk with respect to Company Personal Data, securing its account authentication credentials, protecting the security of Company Personal Data when in transit to and from the Services, taking appropriate steps to securely encrypt and/or back up any Company Personal Data uploaded to the Services, and properly configuring the Services and using available features and functionalities to maintain appropriate security in light of the nature of the Company Personal Data. Catalyst has no obligation to protect Company Personal Data that Company transmits, stores or transfers outside of the Services (e.g., offline or on-premise storage).
- CONFIDENTIALITY; SECURITY
5.1. Confidentiality. Catalyst shall at all times maintain the confidentiality of all Company Personal Data and ensure that individuals who are authorized to Process Company Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
5.2. Information Security. Catalyst shall implement and maintain commercially reasonable technical and organizational security controls to protect and safeguard Company Personal Data, which shall include written policies describing its security controls and measures and the relevant procedures and responsibilities of Catalyst personnel who have access to Company Personal Data (“Information Security Program”). Catalyst shall designate a senior employee to be responsible for the overall management of Catalyst’s Information Security Program.
5.3. Updates. Catalyst may update, amend, or otherwise alter its Information Security Program at any time, provided that any such update, amendment, or alteration does not increase the likelihood of a Security Event or cause the Information Security Program to not meet the minimum standards set forth herein.
- ASSISTANCE; COOPERATION
6.1. Requests. Catalyst shall, to the extent legally permitted, promptly notify Company if Catalyst receives a request from (i) a government or regulatory authority regarding the Processing of, or seeking access to, Company Personal Data (“Government Data Request”) or (ii) a Data Subject seeking to exercise a data protection right or privilege, such as the right to access or deletion (a “Data Subject Request”), and Catalyst shall, to the extent practicable, seek to direct the requestor to Company. Taking into account the nature of the Processing, Catalyst shall assist Company by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Company’s obligation to respond to a Government Data Request or a Data Subject Request. In addition, to the extent Company, in its use of the Services, does not have the ability to address the Government Data Request or the Data Subject Request, Catalyst shall, upon Company’s request, furnish commercially reasonable efforts to assist Company in responding to such requests, to the extent Catalyst is legally required to do so. For the avoidance of doubt, Company shall be fully responsible and liable for timely and appropriately responding to a Government Data Request or a Data Subject Request.
6.2. Impact Assessments; Consultation. Upon Company’s request, Catalyst shall provide Company with reasonable cooperation and assistance (i) needed to fulfil Company’s obligation under applicable Data Protection Law to undertake a data protection impact assessment related to Company’s use of the Services, to the extent Company does not otherwise have access to the relevant information and to the extent such information is available to Catalyst and (ii) with respect to a consultation with a government or regulatory authority.
- RETURN OR DESTRUCTION OF DATA
7.1. Obligations. On termination or expiration of this Agreement or this DPA, Company may wish to instruct Catalyst to delete or return all Company Personal Data (including copies) from Catalyst’s systems in accordance with applicable Data Protection Law. Catalyst will comply with this instruction as soon as reasonably practicable, and where technically feasible, and Catalyst shall not be required to delete or return Company Personal Data to the extent that Catalyst is required by applicable law or order of a governmental or regulatory body to retain some or all of the Company Personal Data or such Company Personal Data is required for Catalyst to enforce or defend its legal rights or interests. In addition, except to the extent required by applicable law, Catalyst shall not be required to delete or return Company Personal Data archived on backup systems if Catalyst shall securely isolate it and protect it from any further Processing and such Company Personal Data is deleted in accordance with Catalyst’s standard overwriting and deletion policies.
- SECURITY EVENT PROCEDURES
8.1. Reporting to Company. Upon confirming a Security Event and where legally required, Catalyst shall: (i) taking into account the nature of Processing of Company Personal Data and the information available to Catalyst, promptly (and in accordance with the timeframes set forth in applicable Data Protection Law) notify Company of a Security Event when it discovers the same, (ii) provide timely information to Company relating to the Security Event as it becomes known or as is reasonably requested by Company, and (iii) promptly take reasonable steps to contain, investigate, and mitigate any Security Event, and Catalyst may (in Catalyst’s sole and reasonable judgment) retain an independent data incident response consultant to contain, investigate, and remediate the Security Event on its behalf.
8.2. Incident Notification. Catalyst will cooperate with Company as reasonably requested by Company in responding to Company’s regulators or customers with respect to a Security Event. Notwithstanding the foregoing, Company acknowledges and agrees (i) Company shall be solely responsible for notifying or disclosing a Security Event to any applicable government agency, individual, or entity, (ii) Company may not name Catalyst in consumer or regulatory notifications or press releases without Catalyst’s consent (except as required by law), and (iii) Company shall coordinate with Catalyst on developing the content of any public statements or any required notices for the affected Data Subjects and/or notices to the relevant supervisory authorities related to the Security Event if Catalyst’s name will be mentioned in such notices. Nothing in this DPA shall be interpreted to prevent Catalyst from complying with its own data incident notification requirements, provided Catalyst may not name Company in regulatory notifications or press releases without Company’s consent (except as required by law).
8.3. Disclaimer. Any notification, assistance, or cooperation provided by Catalyst in accordance with this Section 8 shall not be interpreted or construed as an admission of liability, wrongdoing, or fault by Catalyst. To the extent Catalyst is responsible for the Security Event, Catalyst shall be liable for the costs to investigate and respond to the Security Event in accordance with the terms of this Agreement.
- REPORTS; AUDITS
9.1. Security Reports. Upon request (which shall not occur more than annually), Catalyst shall, where legally required, provide to Company, on a confidential basis, a summary copy of (if available) any third-party audit report or certification applicable to the Services (“Report”), so that Company can verify Catalyst’s compliance with this DPA. If Company reasonably believes that the Report provided is insufficient to demonstrate Catalyst’s compliance with this DPA, Catalyst shall also provide written responses (on a confidential basis) to reasonable requests for information made by Company related to the Processing of Company Personal Data.
9.2. Audits; Inspections. If Company reasonably believes that the information provided by Catalyst pursuant to Section 9.1 is insufficient to demonstrate compliance with this DPA, Catalyst shall, where legally required, allow an audit by Company, or a third-party auditor appointed by Company and reasonably acceptable to Catalyst, in relation to Catalyst’s Processing of Company Personal Data. Any such audit will be at Company’s expense, with reasonable advance notice, conducted during normal business hours no more than once per year and subject to Catalyst’s reasonable security and confidentiality requirements and provided that the exercise of rights under this Section 9.2 would not infringe Data Protection Laws.
- SUBPROCESSORS
10.1. Catalyst may, in accordance with this DPA, engage Third-Party Sub-Processors to Process Company Personal Data, and Company hereby consents to Catalyst engaging Third-Party Sub-Processors to Process Company Personal Data, provided that Catalyst imposes data protection terms on any Third-Party Sub-Processor to protect Company Personal Data to the same standard provided for by this DPA. Company may object to Catalyst’s use of a Third-Party Sub-Processor, provided such objection is based on reasonable grounds relating to data protection. Company acknowledges and accepts that the refusal to permit the use of a particular Third-Party Sub-Processor may result in Catalyst’s inability to satisfy, in full or in part, the terms and conditions of this Agreement, and in such circumstances, Company may terminate this Agreement in accordance with the termination provisions of this Agreement, and such actions and termination shall not constitute termination for breach of the Agreement.
- INTERNATIONAL DATA TRANSFERS
11.1. EU Standard Contractual Clauses. Company hereby acknowledges and agrees that, for providing the Services under the Agreement, Catalyst may transfer Company Personal Data across national borders. To the extent Company Personal Data originates in the European Economic Area (EEA), the parties undertake to apply the provisions of the EU Standard Contractual Clauses to the transfer and Processing of such Company Personal Data. If the EU Standard Contractual Clauses are applicable between the parties pursuant to this Section 11.1 of this DPA, their provisions will be deemed incorporated by reference into this DPA. To the extent required by the applicable Data Protection Law, the parties shall enter into and execute the EU Standard Contractual Clauses as a separate document. If the parties apply and incorporate the EU Standard Contractual Clauses pursuant to this Section 11.1 of this DPA, then the following shall apply:
11.1.1. Module Two or Three. The EU Standard Contractual Clauses shall be governed by Module Two (Transfer controller to processor) clauses where Company is a Controller and Catalyst is a Processor, and by Module 3 (Transfer processor to processor) where Company is a Processor and Catalyst is a sub-Processor. Company and/or Company’s EU affiliates shall be the data exporter and Catalyst shall be the data importer.
11.1.2. Docking Clause. Each party acknowledges and agrees that Clause 7 (Optional – Docking Clause) of the EU Standard Contractual Clauses shall be deemed incorporated therein and applicable to the parties and third parties.
11.1.3. Sub-Processing Clause. For purposes of Clause 9(a) (Use of sub-processors) of the EU Standard Contractual Clauses, the parties agree that Option 2 (General Authorization) shall apply to the parties in accordance with Section 10 of this DPA.
11.1.4. Redress Clause. For purposes of Clause 11 (Redress) of the EU Standard Contractual Clauses, the parties agree that the optional wording shall not be incorporated therein and therefore shall not be applicable to the parties.
11.1.5. Governing Law. For purposes of Clause 17 (Governing law) of the EU Standard Contractual Clauses, the parties agree that the EU Standard Contractual Clauses shall be governed by the law of Ireland and select Clause 17, “Option 1” to this effect.
11.1.6. Choice of Forum Clauses. For purposes of Clause 18 (Choice of forum and jurisdiction) of the EU Standard Contractual Clauses, the parties agree that any dispute arising from the EU Standard Contractual Clauses shall be resolved by the Courts of Ireland.
11.1.7. Transfer Details (Annex I). Annex I of the EU Standard Contractual Clauses shall be completed with the information set forth in Annex I of this DPA.
11.1.8. Security Controls (Annex II). Annex II of the EU Standard Contractual Clauses shall be completed with the information set forth in Section 5 of this DPA.
11.1.9. Sub-Processing List (Annex III). Annex III of the EU Standard Contractual Clauses shall be completed with the information set forth in Section 10 of this DPA.
11.1.10. Onward Transfers. Catalyst shall not transfer Company Personal Data received under the EU Standard Contractual Clauses (nor permit such Company Personal Data to be transferred) to a Third-Party Sub-Processor outside the EEA, unless (i) the Third-Party Sub-Processor is established in a country which the European Commission has granted an adequacy status, or (ii) Catalyst implements and maintains such measures as necessary to ensure the transfer is in compliance with Data Protection Law, and such measures may include (without limitation) executing the EU Standard Contractual Clauses, Module 3 (Transfer processor to processor).
11.2. UK Addendum. To the extent Company Personal Data originates in the UK, the parties undertake to apply the provisions of the EU Standard Contractual Clauses, as updated and amended by the UK Addendum, to the transfer and Processing of such Company Personal Data and hereby incorporate the UK Addendum by reference into this DPA, provided the UK Addendum shall be supplemented and completed, as appropriate, with the descriptions and party responsibilities, clause options, and similar criteria set forth in Section 11.1 of this DPA and the Annexes attached hereto. For the avoidance of doubt, with respect to UK data transfers, in the event of a conflict between the EU Standard Contractual Clauses and the UK Addendum, the terms and hierarchy set forth in the UK Addendum shall supersede and control with respect to such UK data transfers only. Catalyst shall not transfer any Company Personal Data received under the UK Addendum (nor permit such Company Personal Data to be transferred) to a Third-Party Sub-Processor outside the UK, unless (i) the Third-Party Sub-Processor is established in a country which the UK authorities have granted an adequacy status, or (ii) Catalyst implements and maintains such measures as necessary to ensure the transfer is in compliance with Data Protection Law, and such measures may include (without limitation) executing the EU Standard Contractual Clauses, Module 3 (Transfer processor to processor) and the UK Addendum thereto.
11.3. Data Transfers: Switzerland. To the extent Company Personal Data originates in Switzerland and Catalyst is not established in a country which Switzerland or, as applicable, the European Commission, has granted an adequacy status, and Catalyst has not obtained Binding Corporate Rules authorization in accordance with Data Protection Law, the parties undertake to apply the provisions of the EU Standard Contractual Clauses, as set forth in Section 11.1 of this DPA (and as amended by this Section 11.3), to the transfer and Processing of such Company Personal Data. If the EU Standard Contractual Clauses are applicable between the parties pursuant to this Section 11.3, their provisions will be deemed incorporated by reference into this DPA, and shall apply subject to the following: (i) references to the GDPR in the EU Standard Contractual Clauses are to be understood as references to the Swiss Federal Act on Data Protection (FADP) insofar as the data transfers are subject exclusively to the Swiss FADP and not the GDPR, (ii) the term “member state” in the EU Standard Contractual Clauses shall not be interpreted in such a manner as to exclude Data Subjects in Switzerland from enforcing their rights in Switzerland in accordance with Clause 18(c) of the EU Standard Contractual Clauses, provided Switzerland is their habitual residence, and (iii) for purposes of Annex I(C) of the EU Standard Contractual Clauses, (a) where the data transfer is subject exclusively to the Swiss FADP (and not the GDPR), then the supervisory authority is the Swiss Federal Data Protection and Information Commissioner, and (b) where the transfer is subject to both the Swiss FADP and the GDPR, then the supervisory authority is the Swiss Federal Data Protection and Information Commissioner insofar as the transfer is governed by the Swiss FADP, and the supervisory authority set forth in Annex I of this DPA insofar as the transfer is governed by the GDPR.
11.4. Other Transfers. To the extent Company Personal Data originates outside of the EEA, Switzerland, or the UK, and the parties seek to transfer and Process such Company Personal Data across national borders, the parties shall also undertake to apply, as appropriate, the provisions of the EU Standard Contractual Clauses or UK Addendum to such transfer and Processing, provided that the EU Standard Contractual Clauses or UK Addendum are legally required and sufficient to meet the requirements of the applicable Data Protection Law for the transfer and Processing of Personal Data across national borders.
11.5. Surveillance Disclaimers. Catalyst hereby represents and warrants the following to be true, accurate, and complete: (i) Catalyst has never been subject to a “FISA” warrant issued pursuant to 50 United States Code §1881(4) with regard to a request for disclosure of any Personal Data that it Processes, and (ii) Catalyst has never cooperated with public authorities conducting surveillance of communications pursuant to Executive Order (EO) 12333 with regard to Personal Data in Catalyst’s custody or control.
11.6. Changes to the Law. If and to the extent this DPA or the EU Standard Contractual Clauses or the UK Addendum are no longer recognized by the European Commission or other local privacy authorities as an adequate mechanism for the transfer of Company Personal Data from the European Economic Area, Switzerland, United Kingdom or other country, as applicable, to the United States, then the parties shall abide by another adequate transfer mechanism, provided however that if, after commercially reasonable efforts, Catalyst is unable to comply with another adequate transfer mechanism, Company or Catalyst may, upon prior advance written notice to the other party, terminate the Agreement and obtain a refund from Catalyst of pre-paid fees prorated for the remainder of the unused Services as Company’s exclusive remedy.
- MISCELLANEOUS
12.1. Governing Clauses; Severance. The parties to this DPA hereby submit to the choice of jurisdiction stipulated in the Agreement with respect to any disputes or claims howsoever arising under this DPA, including disputes regarding its existence, validity or termination or the consequences of its nullity, and this DPA and all non-contractual or other obligations arising out of or in connection with it are governed by the laws of the country or territory stipulated for this purpose in the Agreement. Should any provision of this DPA be invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.
12.2. Limitation of Liability. Each party’s and all of its affiliates’ liability, taken together in the aggregate, arising out of or related to this DPA, and all DPAs between Company affiliates and Catalyst and Catalyst affiliates, whether in contract, tort or under any other theory of liability, is subject to the “Limitation of Liability” section of the Agreement and the applicable cap (maximum) for the relevant party set forth in the Agreement. Any reference in such section to the liability of a party means the aggregate liability of that party and all of its affiliates under the Agreement and all DPAs together. To the extent required by law, this section is not intended to (i) modify or limit either party’s liability for Data Subject claims made against a party where there is joint and several liability, or (ii) limit either party’s responsibility to pay penalties imposed on such party by a regulatory authority.
* * *
Data Processing Addendum: Annex I (Data Processing Activities)
- List of parties:
| Name (Data Exporter) | Set forth in the Agreement |
| Address | Set forth in the Agreement |
| Contact person | Set forth in the Agreement |
| Activities relevant to the data transferred under these Clauses | Set forth below (Section B. Description of Transfer) |
| Role (controller / processor) | Controller/Processor |
| Name (Data Importer) | Catalyst OrthoScience Inc. |
| Address | 14710 Tamiami Trail N., Suite 102, Naples, FL 34110, USA. |
| Contact person | info@Catalyst.com |
| Activities relevant to the data transferred under these Clauses | Set forth below (Section B. Description of Transfer) |
| Role (controller / processor) | Processor/Sub-Processor |
- Description of Transfer: Unless otherwise set forth in a statement of work, order form, or similar documentation, the description of the Company Personal Data transferred is as follows:
(i) Categories of Data Subjects: Information pertaining to Company patients and similar individuals seeking medical assistance.
(ii) Categories of Personal Data: The following Personal Data may be relevant to the Services: names; contact information (telephone, address and/or email address); financial data; and government identifiers and copies of similar identification documents.
(iii) Sensitive/Special Categories of Personal Data: Surgery and similar healthcare-related information.
(iv) Transfer Frequency: Continuous, and for so long as Company uses the Services, and for the termination and transition period, thereafter, as set forth in the Agreement.
(v) Nature of Processing: To provide merchant cash advance services to Company, and the Processing may include the following actions with respect to Personal Data: collection, recording, organization, storage, retrieval, use, disclosure, transfer, deletion, or destruction.
(vi) Purpose of Data Processing: To provide Company access to, and use of, the Services.
(vii) The Period for which Personal Data will be Retained: For the duration of the Agreement and for the termination and transition period, thereafter, as set forth in the Agreement.
(viii) Third-Party Sub-Processor Transfers: The relevant information as set forth in Section 10 of this DPA.
- Competent Supervisory Authority: The competent supervisory authority in accordance with Clause 13 of the EU Standard Contractual Clauses is the supervisory authority of Ireland.
* * *
Subcontractor Business Associate Agreement
This Subcontractor Business Associate Agreement (“BAA”) is intended to supplement the Agreement, and in the event of a conflict between this BAA and the Agreement, the terms and conditions set forth in this BAA shall supersede and control with respect to the conflict. For the avoidance of doubt, the terms or conditions set forth in the Agreement that are not otherwise addressed herein shall remain in full force and effect. For purposes of this BAA, Company shall be referred to as “Business Associate” and Catalyst shall be referred to as “Subcontractor”.
This BAA reflects the parties’ agreement with regard to the collection, retention, disposal, disclosure, and use of PHI, and applies only to the extent required by the Health Insurance Portability and Accountability Act of 1996, as amended, (“HIPAA”), or the HIPAA Rules promulgated thereunder, or any successor laws and regulations governing PHI.
In the event of a conflict between this BAA and the Agreement, this BAA shall supersede and control. For the avoidance of doubt, any provision set forth in the Agreement that is neither addressed nor contradicted by this BAA shall remain in force.
RECITALS
WHEREAS, Business Associate and Subcontractor (collectively, the “Parties” and individually, a “Party”) have entered into an underlying Agreement under which Subcontractor provides certain services to Business Associate; and
WHEREAS, in connection with the services provided by Subcontractor pursuant to the Agreement, Business Associate may provide Subcontractor with access to certain PHI (as defined below);
WHEREAS, to comply with the requirements of the privacy, security, breach notification and enforcement regulations under the Health Insurance Portability and Accountability Act of 1996, as amended (the “HIPAA Rules”), Business Associate and Subcontractor desire to enter into this BAA documenting the permitted uses and disclosures of PHI by Subcontractor and other rights and obligations of each of the Parties;
NOW, THEREFORE, in consideration of the mutual promises set forth in this BAA, and for other good and valuable consideration, the receipt and sufficiency of which is hereby acknowledged, the Parties hereby agree as follows:
- Definitions. Any terms that are used, but not otherwise defined, in this BAA shall have the same meaning as those terms in the HIPAA Rules.
a) Breach. “Breach” shall have the same meaning as the term “breach” in 45 C.F.R. §164.402, limited to breaches of PHI not rendered unusable, unreadable or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary in guidance issued under Section 13402(h) of Public Law 111-5.
b) Breach Notification Rule. “Breach Notification Rule” shall mean the Standards for Notification in the Case of Breach of Unsecured Protected Health Information at 45 C.F.R. Part 164, Subpart D.
c) ePHI. “ePHI” shall mean a subset of PHI that is maintained or transmitted in electronic media.
d) Individual. “Individual” shall have the same meaning as the term “individual” in 45 C.F.R. §160.103 and shall include a person who qualifies as a personal representative in accordance with 45 C.F.R. §164.502(g).
e) PHI. “PHI” shall have the same meaning as the term “protected health information” in 45 C.F.R. §160.103, limited to the information created, received, maintained, or transmitted by Subcontractor from or on behalf of Business Associate pursuant to this BAA.
f) Privacy Rule. “Privacy Rule” shall mean the Standards for Privacy of Individually Identifiable Health Information at 45 C.F.R. Part 160 and Part 164, Subparts A and E.
g) Security Rule. “Security Rule” shall mean the Security Standards for the Protection of Electronic Protected Health Information at 45 C.F.R. Parts 160 and 164, Subparts A and C.
- Status of Parties. Subcontractor is an independent contractor of Business Associate. Nothing in this BAA shall be construed to create a joint venture, partnership, or agency. No employee or agent of Subcontractor shall be deemed to be an employee or agent of Business Associate, and no employee or agent of Business Associate shall be deemed to be an employee or agent of Subcontractor.
- Obligations of Subcontractor.
a) Subcontractor agrees to not use or disclose PHI other than as permitted or required by this BAA or as Required by Law.
b) Subcontractor agrees to comply with the provisions of the HIPAA Rules concerning minimum necessary uses, disclosures, and requests for PHI. Subcontractor shall use its professional judgment in making minimum necessary determinations.
c) Subcontractor agrees to use appropriate safeguards and to comply with the Security Rule with respect to ePHI to prevent the use or disclosure of PHI other than as provided for by this BAA.
d) Subcontractor agrees to mitigate, to the extent practicable, any harmful effect that is or becomes known to Subcontractor or Business Associate of a use or disclosure of PHI by Subcontractor or any of its employees, agents, contractors, or subcontractors in violation of the requirements of this BAA or in violation of the HIPAA Rules.
e) Subcontractor agrees to report to Business Associate any use or disclosure of PHI not provided for by this BAA of which it becomes aware, including, but not limited to, any Breach and any Security Incident of which it becomes aware. Subcontractor must make such a report within five (5) business days after Subcontractor learns of such use or disclosure, provided, however, that if a delay is requested by a law enforcement official in accordance with 45 C.F.R. §164.412, Subcontractor may delay notifying Business Associate for the applicable time period.
f) Subcontractor agrees to implement and use appropriate policies and procedures for the identification and notification of a Breach. In the event of a Breach, Subcontractor shall provide Business Associate with the following information: (1) brief description of what happened, including the date of the Breach and the date of discovery of the Breach; (2) description of the types of PHI involved in the Breach; (3) the identity of each individual whose PHI was, or is reasonably believed to have been, involved in the Breach; (4) the steps Subcontractor has taken or will take to mitigate any harmful effect of such use or disclosure; and (5) the corrective actions Subcontractor has taken or will take to prevent future, similar unauthorized use, disclosure or Breach. If this information cannot be provided within the time period required under Section 3(e), then Subcontractor shall supplement its original report with the missing information as soon as it is reasonably available.
g) In accordance with 45 C.F.R. §164.308(b)(2) and §164.502(e)(1)(ii), Subcontractor agrees to enter into a written contract with subcontractors that create, receive, maintain or transmit PHI on behalf of Subcontractor. Such contract shall require that the subcontractor agree to the same restrictions and conditions that apply to Subcontractor with respect to PHI in this BAA.
h) To the extent that Subcontractor has a Designated Record Set for an Individual, Subcontractor agrees to provide access to the Individual’s PHI in a Designated Record Set pursuant to 45 C.F.R. §164.524 within ten (10) days of a written request from Business Associate or the Individual. The Subcontractor’s response will be made to Business Associate. If Subcontractor is unable to provide Business Associate with access within the required time frame, Subcontractor will notify Business Associate so Business Associate may request an extension from the Individual. If the request for access relates to PHI that is maintained electronically in a Designated Record Set in the Subcontractor’s control or custody, Subcontractor shall provide an electronic copy in the form and format specified in the request if it is readily producible in such format. If the electronic copy is not readily producible in such format, Subcontractor will work with Business Associate to determine an alternative form and format that enable Business Associate to meet its electronic access obligations under 45 C.F.R. §164.524.
i) To the extent that Subcontractor has a Designated Record Set for an Individual, Subcontractor agrees to respond to requests for amendment(s) to PHI in a Designated Record Set pursuant to 45 C.F.R. §164.526 within ten (10) days of a written request from Business Associate or the Individual. The Subcontractor’s response will be made to Business Associate. If Subcontractor is unable to respond to the amendment request within the required time frame, Subcontractor will notify Business Associate so Business Associate may request an extension from the Individual.
j) Subcontractor agrees to document certain disclosures of PHI and information related to such disclosures and agrees to provide an accounting of such information pursuant to 45 C.F.R. §164.528 within ten (10) days of a written request from Business Associate or the Individual. The Subcontractor’s response will be made to Business Associate. If Subcontractor is unable to provide an accounting within the required time frame, Subcontractor will notify Business Associate so Business Associate may request an extension from the Individual.
k) To the extent Subcontractor is to carry out one or more of Business Associate’s obligations under the Privacy Rule, Subcontractor agrees to comply with the requirements of the Privacy Rule that apply to Business Associate in the performance of these obligations. To the extent that Subcontractor subcontracts one or more of Business Associate’s obligations under the Privacy Rule, Subcontractor shall ensure in accordance with Section 3(g) that the subcontractor agrees to comply with the requirements of the Privacy Rule that apply to Business Associate in the performance of these obligations.
l) Subcontractor shall make internal practices, books, and records, including policies and procedures on the use and disclosure of PHI, available to the Secretary for purposes of determining compliance with the HIPAA Rules.
m) To the extent that Subcontractor or any of its subcontractors conducts Standard Transaction(s) on behalf of Business Associate, Subcontractor and its subcontractors shall comply with the Administrative Requirements of, and reasonably assist Business Associate in complying with any applicable certification and compliance requirements under, 45 C.F.R. Part 162.
- Permitted Uses and Disclosures by Subcontractor.
a) Except as otherwise limited by this BAA or permitted by this Section 4, Subcontractor may use or disclose PHI only to perform functions, activities or services for, or on behalf of, Business Associate in accordance with the Agreement.
b) Subcontractor may not use or disclose PHI in a manner that would violate the Privacy Rule if done by Business Associate. Subcontractor may use or disclose PHI as Required by Law.
c) Subcontractor may use PHI when necessary for the proper management and administration of Subcontractor or to carry out the legal responsibilities of Subcontractor. Subcontractor may disclose PHI when necessary for the proper management and administration of Subcontractor or to carry out the legal responsibilities of Subcontractor if the disclosure is Required by Law or Subcontractor obtains reasonable assurances from the person to whom information is disclosed that (i) it will be held confidentially and used or further disclosed only as Required by Law or for the purpose for which disclosed and (ii) such person will notify Subcontractor of any instances of which it is aware in which the confidentiality of the PHI has been breached.
d) Subcontractor may use PHI to provide data aggregation services relating to the health care operations of Business Associate.
- Permissible Requests by Business Associate. Business Associate shall not request Subcontractor to use or disclose PHI in any manner that would be impermissible under the Privacy Rule if used or disclosed by Business Associate.
- Term and Termination.
a) Term. This BAA shall be effective as of the date first written above and shall terminate upon the first to occur of the following: (i) the termination of the Agreement; or (ii) the termination of this BAA pursuant to Section 6(b) below. The provisions of Sections 3(f) and 6(c) shall survive any termination of this BAA.
b) Termination for Cause. Upon Business Associate’s knowledge of a material breach by Subcontractor, Business Associate shall either: (1) provide an opportunity for Subcontractor to cure the breach and end the violation within a reasonable time designated by Business Associate (but not more than thirty (30) days), and terminate this BAA and the Agreement if Subcontractor does not cure the breach or end the violation within the time specified by Business Associate; or (2) immediately terminate this BAA and the Agreement if Subcontractor has breached a material term of this BAA and Business Associate has reasonably determined that cure is impossible.
c) Effect of Termination. (1) Except as provided in Subsection 6(c)(2) below, upon termination of this BAA for any reason, Subcontractor shall return all PHI to Business Associate or destroy all PHI to the extent Business Associate does not request its return. This provision shall apply to PHI that is in the possession of subcontractors or agents of Subcontractor. Except as provided in Subsection 6(c)(2) below, Subcontractor shall retain no copies of PHI. (2) In the event that Subcontractor reasonably determines that returning or destroying the PHI is infeasible, Subcontractor shall provide to Business Associate written notification of the conditions that make return or destruction infeasible, whereupon Subcontractor shall extend the protections of this BAA to such PHI and limit further uses and disclosures of PHI to those purposes that make the return or destruction infeasible, for so long as Subcontractor maintains the PHI.
- Indemnification. Subcontractor shall indemnify, defend, and hold Business Associate harmless from any liability, claims, losses, damages arising from a breach of this BAA by Subcontractor’s gross negligence.
- Miscellaneous. A reference in this BAA to a section in the HIPAA Rules means the section as in effect or as amended. The Parties agree to take such action as is necessary to amend this BAA from time to time as may be required for Business Associate to comply with the requirements of the HIPAA Rules. This BAA may only be amended in a writing signed by both Parties. Any ambiguity in this BAA shall be resolved to permit Business Associate to comply with the HIPAA Rules. The terms and conditions of this BAA shall supersede all conflicting terms and conditions of all prior agreements, including the Agreement, with respect to the subject matter set forth herein. The invalidity or unenforceability of any provisions of this BAA shall not affect the validity or enforceability of any other provision of this BAA, which shall remain in full force and effect. The section headings contained in this BAA are for reference purposes only and shall not in any way affect the meaning or interpretation of this BAA.
* * *