Marea Software as a Service (SaaS) Terms
Last Updated: March 26, 2026
MAREA SOFTWARE AS A SERVICE (SAAS) TERMS
These SOFTWARE AS A SERVICE (SAAS) TERMS (“TERMS”), together with the applicable Order Form and referenced Schedules (collectively, the “Agreement”), govern Customer’s access to and use of the Services.
This Agreement becomes effective on the date Customer accepts it electronically by clicking “I Agree,” “Accept,” or similar assent mechanism in connection with an Order Form or online checkout process at https://www.usemarea.com (“Effective Date”),
BETWEEN
Marea Software Inc., a Quebec corporation with its principal place of business located at 7405 Trans Canada Rte. #100, Saint-Laurent, QC Canada H4T 1Z2 (“Provider”)
and
The entity identified in the applicable Order Form or online checkout process (“Customer”).
Provider and Customer may be referred to herein collectively as the "Parties" or individually as a "Party."
BACKGROUND:
Provider offers certain cloud-based software-as-a-service solutions and related services for use by commercial customers.
Customer wishes to access and use the Services for its internal business purposes, subject to these Terms.
These Terms set forth the terms and conditions under which Provider will make its software-as-a-service offerings and related support services available to Customer together with any professional services or data-processing obligations identified in the attached Schedules.
NOW, THEREFORE, in consideration of the mutual promises contained herein, and for other good and valuable consideration, the receipt and adequacy of which is hereby acknowledged, the Parties hereto agree as follows:
DEFINITIONS.
The following terms have the meanings set out below:
“Aggregated Data” means data or information generated or derived from Customer’s use of the Services in de-identified or anonymized form that does not identify Customer, any Authorized User, or any individual.
“Applicable Health Privacy Laws” means all federal, state, provincial, and local laws, regulations, and binding guidance governing the privacy, security, confidentiality, collection, use, disclosure, or processing of medical information, protected health information, consumer health data, or biometric identifiers, as applicable to Customer’s operations and the jurisdiction(s) in which Customer’s patients or end users are located, including without limitation: (i) HIPAA and the HITECH Act and implementing regulations; (ii) the California Confidentiality of Medical Information Act (Cal. Civil Code §§ 56 et seq.); (iii) the Washington My Health My Data Act; (iv) the Illinois Biometric Information Privacy Act (740 ILCS 14/1 et seq.) where applicable; and (v) any substantially similar or successor federal or state statutes or regulations enacted or amended from time to time. The enumeration of specific statutes in this definition is illustrative only and does not limit the scope of “Applicable Health Privacy Laws” to those statutes named.
“Authorized Users” means individuals who Customer authorizes to access and use the Services on Customer’s behalf.
“Confidential Information” has the meaning given in Section 9.
“Customer Data” means data, content, or information submitted by or on behalf of Customer into the Services. Customer Data may include Protected Health Information where permitted under these Terms and subject to an applicable Business Associate Agreement. Customer Data does not include Aggregated Data or any data generated by Provider through the operation of the Services.
“Customer Marks” means Customer’s name and logo as provided by Customer for use as permitted under these Terms.
“Customer Personal Information” means any Personal Information within Customer Data that is processed by Provider on Customer’s behalf.
“Data Processing Addendum” or “DPA” means a separate written agreement governing Provider’s processing of Customer Personal Information where required under applicable privacy laws.
“Fees” means the fees payable for the Services as set out in an Order Form.
“Force Majeure Event” has the meaning set out in Section 11.5.
“Order Form” means an ordering document, online checkout, or similar record specifying the Services purchased by Customer, including pricing, term, and any applicable usage limits.
“Personal Information” means information about an identified or identifiable individual, including information defined as “personal information,” “personal data,” or similar terms under applicable laws.
“Protected Health Information” or “PHI” means “protected health information” as defined in 45 C.F.R. Section 160.103, including any individually identifiable health information that is transmitted or maintained in any form or medium.
“Provider” means the Provider entity identified in the applicable Order Form.
“Sensitive Personal Information” (or “Sensitive Data”) means any category of Personal Information that is subject to heightened or special protection under applicable privacy laws, including, as applicable, health or medical information, biometric identifiers, financial account or payment card numbers, precise geolocation, information about children or minors, racial or ethnic origin, religious or philosophical beliefs, sexual orientation, genetic data, and any other category of Personal Information defined as “sensitive” under applicable privacy laws. For clarity, Protected Health Information processed in accordance with an applicable Business Associate Agreement is not prohibited Sensitive Personal Information for purposes of these Terms.
“Services” means the cloud-based software-as-a-service offerings provided by Provider, as described in the applicable Order Form, including any related documentation, websites, and support services.
“Terms” means these Terms of Service, together with all applicable Order Forms and referenced documents.
Incorporation of Order Forms and Referenced Documents. Order Forms and any referenced documents form part of these Terms. In the event of conflict, the following order applies: (1) Order Form; (2) Business Associate Agreement (if applicable, with respect to PHI) attached hereto as Schedule F; (3) Data Protection Addendum (if applicable, with respect to non-PHI personal data) attached hereto as Schedule D; (4) these Terms; and (5) any additional referenced documents attached hereto. Customer’s electronic acceptance of an Order Form or completion of an online checkout constitutes acceptance of this Agreement and all incorporated documents.
PROVISION OF SERVICES.
Provision of Access. Provider will make the Services available to Customer as described in one or more Order Forms. Each Order Form will specify the applicable services, features, and duration (including any subscription term, project term, or usage period).
Right of Use. Subject to Customer’s compliance with these Terms and payment of all applicable Fees, Provider grants Customer a limited, non-exclusive, non-transferable right for Authorized Users to access and use the Services and related documentation solely for Customer’s internal business purposes, in accordance with the usage limits, features, and scope described in the applicable Order Form. Customer may not sublicense, resell, distribute, or commercially exploit the Services, except as expressly permitted in an Order Form.
Support Services. Provider will provide standard technical support and maintenance for the Services in accordance with its then-current Support Policy. Support includes access to Provider’s help desk, knowledge base, and reasonable assistance in troubleshooting service issues. Unless expressly stated in an Order Form or separate service-level agreement, Provider does not guarantee any specific response times, resolutions, or service levels. Support does not include custom development, configuration, integration work, or training unless purchased separately.
Updates and Enhancements. Provider may update, enhance, or modify the Services from time to time, including to improve functionality, security, performance, or compliance. Updates may include new features, improvements, bug fixes, patches, or changes to the user interface. Provider will not materially reduce the core functionality of the Services during the applicable service duration stated in an Order Form without providing reasonable notice. Nothing in this Section obligates Provider to make any particular feature or functionality available unless expressly stated in an Order Form. Any custom enhancements or development requested by Customer may be subject to additional fees.
Temporary Limitations or Disruptions. The Services may be subject to scheduled maintenance, upgrades, or repairs, and may also experience unscheduled interruptions or delays. Provider will use commercially reasonable efforts to minimize disruptions and, where practicable, will provide advance notice of material scheduled maintenance. Customer acknowledges that access to the Services may be temporarily limited or unavailable during such events. Unless expressly stated in an Order Form or separate service-level agreement, Provider does not guarantee uninterrupted service or any specific availability level.
Beta or Trial Services. Provider may make certain features, modules, or functionality available to Customer on a beta, trial, evaluation, or pre-release basis (“Beta Features”). Beta Features are provided solely for testing and evaluation, may be made available for a limited period, and may be modified or discontinued at any time. Beta Features are provided “as is,” without warranties, support commitments, service levels, or indemnities. Customer should not use Beta Features with production data unless expressly authorized by Provider in writing. Beta Features must not be used to process or store Protected Health Information unless expressly authorized by Provider in writing and subject to a separate Business Associate Agreement covering such use.
Subcontractors and Affiliates. Provider may use its affiliates and third-party subcontractors to provide or support the Services. Provider remains responsible for the performance of the Services by its subcontractors and will ensure that any subcontractor with access to Customer Data is bound by confidentiality and security obligations consistent with these Terms. With respect to Protected Health Information, Provider will ensure that any subcontractor or affiliate that creates, receives, maintains, or transmits PHI on Provider’s behalf enters into a written agreement imposing obligations at least as protective as those required under HIPAA and the applicable Business Associate Agreement.
Professional Services. Any implementation, configuration, integration, training, data migration, or other professional services are not included in the Services unless expressly stated in an Order Form or statement of work. Any such services will be provided for the fees and on the terms set out in the applicable Order Form or statement of work.
Compliance with Laws. Provider shall perform its obligations under these Terms in compliance with all laws and regulations applicable to Provider in the conduct of its business and the provision of the Services, including export-control, anti-corruption, and data-protection laws to the extent applicable. Provider shall not be required to take any action under these Terms that would cause it to violate any applicable law or regulation.
CUSTOMER OBLIGATIONS.
Customer Systems and Cooperation. Customer is responsible for maintaining all systems, equipment, software, and network connections required to access and use the Services. Customer will provide Provider with any cooperation, information, and access reasonably required for Provider to deliver the Services. Customer will promptly notify Provider of any issues affecting its ability to access or use the Services. Customer acknowledges that Provider’s ability to perform the Services depends on Customer’s timely cooperation. Any delay or failure by Customer to provide required cooperation, information, or access may impact the Services, will extend Provider’s performance timelines accordingly, and will not constitute a breach by Provider. Provider is not responsible for delays or failures caused by Customer’s acts, omissions, or failure to meet its obligations under these Terms.
Use Restrictions. Customer and its Authorized Users must use the Services only as permitted in these Terms and the applicable Order Form. Customer must not, and must ensure Authorized Users do not:
copy, modify, translate, or create derivative works of the Services or documentation;
sublicense, resell, rent, lease, loan, or otherwise make the Services available to third parties except as expressly permitted;
reverse engineer, decompile, disassemble, or attempt to access the source code of the Services;
bypass, disable, or interfere with security or access controls;
upload or transmit malicious code, harmful materials, or unlawful content;
use the Services in a manner that violates third-party rights or applicable laws;
send spam or unsolicited communications;
process or store unlawful, harmful, or infringing content;
upload, transmit, or store any Sensitive Personal Information in the Services except for Protected Health Information that Customer is authorized to provide and Provider is authorized to process pursuant to an applicable Business Associate Agreement; or
interfere with or disrupt the performance or integrity of the Services.
For the avoidance of doubt, Customer may not upload or process Protected Health Information unless a valid and fully executed Business Associate Agreement is in effect between the Parties. Any upload of PHI outside of such agreement is strictly prohibited.
Account Security and Unauthorized Use. Customer is responsible for maintaining the confidentiality and security of all account credentials, passwords, access tokens, API keys, and other access methods issued to Customer or its Authorized Users. Customer must ensure that each Authorized User uses unique credentials and does not share or reuse credentials. Customer is responsible for all activity under its accounts, whether authorized or unauthorized, except to the extent caused by Provider’s breach of these Terms. Customer must promptly notify Provider of any actual or suspected unauthorized access to or use of the Services, Customer accounts, or Customer Data, and must take reasonable steps to stop and mitigate such activity, including disabling or re-securing compromised accounts or credentials. Customer is responsible for ensuring that its Authorized Users comply with these Terms and for all actions taken through Customer’s accounts.
Suspension and Cooperation. Provider may temporarily suspend Customer’s or any Authorized User’s access to the Services if Provider reasonably believes that the account has been compromised, is being misused, or poses a security or operational risk. Provider will promptly restore access once the issue is resolved. Customer will reasonably cooperate with Provider in investigating and resolving any such issue.
Security Testing and Audits. Customer must not conduct, or permit any third party to conduct, penetration testing, vulnerability scanning, or similar security testing of the Services without Provider’s prior written consent. Provider may approve such testing subject to reasonable conditions to protect the security and stability of the Services.
Compliance with Laws and Policies. Customer must use the Services in compliance with all applicable laws, regulations, and government requirements, including those relating to privacy, data protection, anti-spam, and export control. Customer is responsible for ensuring that its collection and use of Customer Data complies with applicable laws and any applicable internal policies. Customer must not export, re-export, or transfer the Services or any related technical data in violation of applicable export laws.
RIGHTS AND INTELLECTUAL PROPERTY.
Customer Marks and Content. Customer grants Provider a limited, non-exclusive, royalty-free license to use Customer Marks solely to identify Customer as a user of the Services in Provider’s customer lists, websites, and marketing materials. Any other use of Customer Marks, including case studies or testimonials, requires Customer’s prior written approval. Provider will use Customer Marks in accordance with Customer’s reasonable brand guidelines. All rights in the Customer Marks remain with Customer.
Artificial Intelligence and Machine Learning. Provider may use artificial intelligence, machine learning, automation, and similar technologies (“AI Technologies”) in connection with the operation, support, and improvement of the Services, including to analyze usage patterns, optimize performance, develop new features or models, and enhance Provider’s products and offerings.
Feedback. If Customer or any Authorized User provides feedback, suggestions, or ideas relating to the Services (“Feedback”), Provider may use, disclose, reproduce, modify, and otherwise exploit such Feedback without restriction or obligation to Customer. Feedback is not considered Customer’s Confidential Information.
Reservation of Rights. Except for the limited rights expressly granted in these Terms, Provider retains all rights, title, and interest in the Services and all related technology, software, documentation, and materials. All other rights are reserved.
DATA AND SECURITY
Ownership of Customer Data. As between the parties, Customer retains all right, title, and interest in and to Customer Data. Nothing in these Terms transfers ownership of Customer Data to Provider. Customer is responsible for the accuracy, quality, and legality of Customer Data and for obtaining all rights and consents necessary for Customer Data to be used in connection with the Services.
Processing of Customer Data. Provider will process Customer Data only to provide, maintain, and support the Services and to perform its obligations under these Terms, and in accordance with Customer’s documented instructions. If Provider believes that a Customer instruction violates applicable law, Provider may notify Customer. If required under applicable privacy laws, the parties will enter into a separate Data Processing Addendum governing Provider’s processing of Customer Personal Information. Provider will not sell, share, or use Customer Data for any purpose unrelated to providing the Services. To the extent Customer Data includes Protected Health Information, Provider’s processing of such PHI will be governed exclusively by the applicable Business Associate Agreement and applicable HIPAA regulations, and not by the Data Processing Addendum or other privacy provisions of these Terms.
Customer Representations and Consents. Customer represents and warrants that it has obtained all notices, consents, and permissions required under applicable laws for Provider to receive, use, store, and process Customer Data as described in these Terms. Customer is solely responsible for the legality, accuracy, and means by which it collects, uses, or discloses Customer Data, including Customer Personal Information. Customer must not provide Customer Data that is unlawful, infringes third-party rights, or that Customer is not legally permitted to provide to Provider.
License to Use Customer Data. Customer grants Provider a limited, non-exclusive, worldwide, royalty-free license to host, copy, use, process, transmit, display, and store Customer Data solely to provide, maintain, support, and improve the Services and to perform Provider’s obligations under these Terms. This license includes the right to share Customer Data with Provider’s affiliates and subcontractors solely as required to provide the Services, subject to confidentiality and security obligations. Notwithstanding the foregoing, Provider will not use Protected Health Information for analytics, product improvement, artificial intelligence training, or any secondary purposes except as expressly permitted by the applicable Business Associate Agreement or where required by law.
Aggregated and Statistical Data. Provider may generate, use, and disclose aggregated, anonymized, or de-identified data derived from Customer’s use of the Services (“Aggregated Data”) for analytics, benchmarking, research, and to improve and develop the Services. Aggregated Data will not be used to identify or re-identify Customer, any Authorized User, or any individual. All right, title, and interest in Aggregated Data belongs to Provider. Aggregated Data expressly excludes Protected Health Information. Provider will not aggregate, de-identify, or otherwise derive data from PHI except as permitted by the applicable Business Associate Agreement and HIPAA.
Data Retention and Deletion. Provider is not obligated to store, retain, or return Customer Data beyond the period required by applicable law or Provider’s standard retention policies. Upon termination or expiration, Customer may request an export of Customer Data for thirty (30) days. Data export requests must be submitted in writing and may be subject to reasonable fees for Provider’s time, resources, and technical costs. After this period, Provider may delete or anonymize Customer Data in accordance with its retention practices, unless otherwise required by law or agreed in writing.
Information Security Program. Provider will maintain an information security program with administrative, technical, and physical safeguards appropriate to the nature of the Services and the Customer Data processed within them. Provider may update its security practices from time to time, provided such updates do not materially reduce the overall level of protection. The security program is designed to protect the confidentiality, integrity, and availability of the Services and to prevent unauthorized access to Customer Data.
Notice of Security Incident. Provider will notify Customer without undue delay after becoming aware of any confirmed unauthorized access to or disclosure of Customer Personal Information within the Services (“Security Incident”). Provider will take reasonable steps to contain, investigate, and mitigate the Security Incident and will keep Customer informed of material developments. Provider’s obligations apply only to Customer Personal Information stored within the Services and do not extend to data exported, downloaded, or otherwise transferred by Customer outside the Services. To the extent a Security Incident involves Protected Health Information, notification, investigation, mitigation, and cooperation obligations will be governed by the applicable Business Associate Agreement and HIPAA, and not limited by the notification provisions, timelines, or liability limitations set forth in these Terms.
PHI Patient Consent and Notice Obligations. Where Customer shares, transmits, submits, or otherwise makes available any Protected Health Information to Provider for processing in connection with the Services, Customer represents, warrants, and covenants that, prior to and at the time of each such disclosure:
(a) Customer has established and documented a valid legal basis for disclosing such PHI or medical information to Provider under all Applicable Health Privacy Laws;
(b) Customer has provided to each applicable patient all required notices of privacy practices in accordance with 45 C.F.R. § 164.520, and any additional notice required under applicable federal or state law;
(c) Customer maintains written records sufficient to demonstrate compliance with each of subsections (a) and (b) above under all applicable federal and state medical privacy laws, including without limitation records sufficient to demonstrate a valid disclosure basis under HIPAA and, where applicable, California Civil Code § 56.10 or any analogous state statute, and will make such records available to Provider promptly upon written request; and
(d) To the extent Customer uses any audio transcription or recording feature of the Services in connection with patient encounters or patient communications, Customer has obtained all consents required under all Applicable Health Privacy Laws, including without limitation the consent requirements of the California Invasion of Privacy Act (Cal. Penal Code §§ 630 et seq.) where applicable, prior to initiating any such recording or transcription.
Customer is solely responsible for the sufficiency, validity, and accuracy of any such authorizations, consents, and notices. Provider has no obligation to verify whether Customer has satisfied the foregoing requirements prior to processing PHI on Customer's behalf. Customer acknowledges that attached as Exhibit A to Schedule F – BAA is a sample Customer Consent Form to assist Customer in drafting its own customer consent form in order to comply with the terms set forth herein. Customer further acknowledges that any such sample form is provided for informational purposes only, does not constitute legal advice, and does not represent that such form satisfies applicable legal requirements in any jurisdiction. Customer is solely responsible for the adequacy, legality, and sufficiency of all patient-facing consent forms and notices.
THIRD PARTY SERVICES AND INTEGRATIONS
Third Party Services. The Services may enable access to or integration with third-party products, applications, websites, or services (“Third-Party Services”). Provider does not control, endorse, or assume responsibility for Third-Party Services or how they handle Customer Data. Customer’s use of Third-Party Services is governed solely by the terms and policies of the applicable third-party provider.
Customer Responsibility and Provider Rights. Customer is solely responsible for any Customer Data it shares with Third-Party Services and for any integrations it develops or configures. Provider is not liable for any disclosure, loss, or modification of Customer Data resulting from Customer’s use of Third-Party Services or customer-managed integrations. Provider may suspend or disable an integration if it poses a security, legal, or operational risk, violates these Terms, or is no longer supported. Additional fees for integrations may apply as set out in the Order Form.
FEES AND PAYMENT.
Fees. Customer will pay the Fees set out in the applicable Order Form. All Fees are payable in the currency specified in the Order Form and are non-refundable unless otherwise stated in these Terms. If no currency is specified, Fees are payable in U.S. dollars.
Invoicing and Payment Terms. Provider will invoice Customer as stated in the applicable Order Form. Unless otherwise specified, invoices are due thirty (30) days from the invoice date. Late payments may incur interest at the rate specified in the Order Form or, if none is stated, 1.5% per month (18% per annum) or the maximum amount permitted by law. Customer must pay all Fees without set-off, except as required by law.
Taxes. Fees exclude all taxes, duties, and similar charges. Customer is responsible for all such amounts imposed on the Services, except for taxes based on Provider’s income. If Customer claims a tax exemption, it must provide valid exemption documentation. If Customer is required to withhold taxes, Customer must gross-up payments so that Provider receives the full amount that would have been paid absent such withholding.
Fee Adjustments. Provider may adjust Fees at the start of each renewal term by providing at least sixty (60) days’ prior notice, unless otherwise stated in the Order Form.
Annual Price Adjustments. Beginning on the first anniversary of the Effective Date, and on each anniversary thereafter, Provider may increase the Fees payable under this Agreement by an amount not to exceed the percentage increase, if any, in the Consumer Price Index for All Urban Consumers (CPI-U), U.S. City Average, All Items (1982–84 = 100), as published by the U.S. Bureau of Labor Statistics, measured over the twelve (12) month period immediately preceding the applicable anniversary date. Any such adjustment will apply prospectively and will be reflected in the Fees charged for the applicable renewal term or billing period following such anniversary.
Late Payments. In addition to late payment interest, if Provider retains a collection agency or attorney to collect any overdue amounts, Customer will pay all costs of collection, including without limitation reasonable attorneys' fees, collection agency fees, court costs, and other expenses incurred by Provider in collecting the overdue amounts. These collection costs are in addition to, and not in lieu of, any other remedies available to Provider under these Terms or applicable law.
TERM AND TERMINATION.
Term. These Terms remain in effect for as long as any service term under any Order Form is active, unless terminated earlier in accordance with this Section. Each Order Form will specify its own subscription or service term. Unless otherwise stated in an Order Form, subscriptions renew automatically for successive one-year periods unless either party gives written notice of non-renewal at least sixty (60) days before the end of the then-current term.
Termination. Either party may terminate these Terms or an applicable Order Form with written notice if the other party: (a) materially breaches these Terms and fails to cure within thirty (30) days after written notice, or (b) becomes insolvent, ceases business operations, or becomes subject to bankruptcy or similar proceedings.
Suspension of Services. Provider may suspend or restrict access to the Services if: (a) Customer fails to pay undisputed Fees when due and does not cure within ten (10) days of notice; (b) Customer’s or an Authorized User’s use of the Services poses a security, legal, or operational risk; or (c) suspension is required to comply with applicable law. Provider will restore access once the issue is resolved.
Effect of Termination. Upon termination or expiration of these Terms or any Order Form:
all rights and licenses granted to Customer under the terminated Order Form(s) end immediately;
Customer must stop using the Services;
Customer must pay all Fees accrued up to the effective date of termination;
any Fees that have been invoiced but remain unpaid will become immediately due;
Provider may delete or anonymize Customer Data in accordance with these Terms;
termination does not affect any rights, remedies, or obligations that accrued before the effective date of termination; and
Provider has no obligation to refund any prepaid fees, except as expressly stated in these Terms or an applicable Order Form.
If Customer terminates these Terms or any Order Form for any reason other than Provider’s uncured material breach or insolvency, Customer must pay the full amount of Fees that would have become payable for the remainder of the applicable subscription or service term, less any amounts already paid. The parties agree that such amounts represent a reasonable estimate of Provider’s losses resulting from early termination.
Survival. Sections relating to Fees, Confidentiality, Intellectual Property, Warranty Disclaimers, Indemnities, Limitations of Liability, Data and Security, and any other provisions intended to survive termination will remain in effect.
CONFIDENTIALITY.
Definition of Confidential Information. “Confidential Information” means non-public information disclosed by one party to the other that is identified as confidential or should reasonably be understood to be confidential given its nature and the circumstances of disclosure. Confidential Information does not include Customer Data, or information that is publicly available without breach, already known to the receiving party, received from a third party without restriction, or independently developed without use of the other party’s Confidential Information. Protected Health Information is Confidential Information and is subject to additional protections under the applicable Business Associate Agreement and HIPAA.
Obligations. The receiving party must: (a) use Confidential Information only to perform its obligations or exercise its rights under these Terms; (b) protect Confidential Information using at least the same degree of care it uses to protect its own similar information, but no less than reasonable care; and (c) not disclose Confidential Information except to its personnel, affiliates, subcontractors, or advisers who need to know it and are bound by confidentiality obligations no less protective than those in these Terms.
Required Disclosure. If the receiving party is required by law or legal process to disclose Confidential Information, it may do so but must provide prompt notice to the disclosing party (where legally permitted) and limit disclosure to what is legally required.
Return or Destruction. Upon written request, the receiving party will return or delete the disclosing party’s Confidential Information, except that the receiving party may retain copies as required by law or in routine backups, provided such information remains subject to this Section.
Survival of Confidentiality Obligations. Confidentiality obligations survive termination of these Terms for three (3) years, except that trade secrets remain protected for as long as they qualify as trade secrets under applicable law.
RISK MANAGEMENT.
Mutual Representations. Each party represents and warrants that it has the legal authority to enter into these Terms and to perform its obligations under them.
Limited Warranty; Disclaimer. PROVIDER WARRANTS THAT IT WILL PROVIDE THE SERVICES IN A PROFESSIONAL AND WORKMANLIKE MANNER CONSISTENT WITH GENERALLY ACCEPTED INDUSTRY STANDARDS. EXCEPT FOR THIS LIMITED WARRANTY, THE SERVICES AND ALL RELATED MATERIALS ARE PROVIDED “AS IS” AND “AS AVAILABLE.” TO THE FULLEST EXTENT PERMITTED BY LAW, PROVIDER DISCLAIMS ALL OTHER WARRANTIES, WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE, INCLUDING ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, NON-INFRINGEMENT, OR THAT THE SERVICES WILL BE UNINTERRUPTED, ERROR-FREE, OR FREE OF HARMFUL COMPONENTS.
Indemnification by Provider. Provider will defend and indemnify Customer against any third-party claim alleging that Customer’s authorized use of the Services infringes a third party’s intellectual property rights, and will pay any damages or costs finally awarded, provided that Customer promptly notifies Provider of the claim and cooperates in the defense.
Provider may resolve such claims by (a) modifying the Services, (b) obtaining a right for Customer to continue using them, or (c) terminating the affected Services and refunding any prepaid Fees for the unused portion of the applicable term. This Section does not apply to claims arising from: (i) Customer Data; (ii) use of the Services in combination with products not provided by Provider; (iii) unauthorized use; or (iv) modifications not made by Provider. THIS SECTION SETS FORTH PROVIDER’S ENTIRE LIABILITY AND CUSTOMER’S EXCLUSIVE REMEDY FOR ANY THIRD-PARTY CLAIM ALLEGING INFRINGEMENT OR MISAPPROPRIATION OF INTELLECTUAL PROPERTY RIGHTS RELATING TO THE SERVICES.
Indemnification by Customer. Customer will defend and indemnify Provider, its affiliates, and their respective officers, directors, employees, and contractors from and against any third-party claim, demand, or proceeding, and all related losses, damages, liabilities, fines, penalties, costs, and reasonable legal fees, arising from:
Customer Data – including any allegation that Customer Data is unlawful, inaccurate, infringes third-party rights, violates privacy or data-protection laws, or was collected or provided without the required notices or consents.
Misuse or Violations – Customer’s or any Authorized User’s use of the Services in violation of these Terms, the Documentation, or applicable law, including use to transmit harmful, infringing, or unlawful content.
Customer Systems and Integrations – any integrations, configurations, code, scripts, or systems not provided by Provider, including any claim that such integrations caused unauthorized access, security incidents, service degradation, or other harm.
Combination or Modification – Customer’s combination of the Services with non-Provider products or Customer-made modifications to the Services, to the extent the claim would not have arisen but for such combination or modification.
PHI Patient Consent and Notice Failures – any third-party claim, demand, action, regulatory proceeding, investigation, fine, or penalty arising from or related to: (i) Customer's failure to obtain written patient authorization or consent required under Applicable Health Privacy Laws prior to sharing, transmitting, or making available any Protected Health Information or medical information to Provider for processing under these Terms, including but not limited to the requirements of Section 5.9 of these Terms; (ii) any claim by a patient, authorized representative, or regulatory authority that proper written notice of privacy practices was not provided to a patient in accordance with HIPAA, Applicable Health Privacy Laws, or any other applicable federal or state law; or (iii) Customer's failure to establish, document, or maintain a valid legal basis under Applicable Health Privacy Laws for disclosing Protected Health Information or medical information to Provider, including any claim brought pursuant to California Civil Code § 56.35 or any analogous state medical privacy statute providing a private right of action, and any associated statutory damages, penalties, or attorney's fee awards arising therefrom.
Communications Recording and Interception – any third-party claim, regulatory action, or proceeding arising from Customer's failure to obtain legally required consent for the recording, transcription, or interception of patient or third-party communications facilitated through the Services, including without limitation claims under the California Invasion of Privacy Act (Cal. Penal Code §§ 630 et seq.) or any analogous federal or state wiretapping, eavesdropping, or electronic communications privacy statute, arising from Customer's use of the Services in connection with any audio recording, transcription, clinical encounter documentation, patient-facing communications, call handling, or messaging features.
Provider will promptly notify Customer of any such claims in 10.4 and will reasonably cooperate in the defense at Customer’s expense. Customer may not settle any claim without Provider’s prior written consent unless the settlement unconditionally releases Provider of all liability.
Limitation of Liability. To the maximum extent permitted by law:
NO INDIRECT DAMAGES. NEITHER PARTY IS LIABLE FOR ANY INDIRECT, INCIDENTAL, CONSEQUENTIAL, SPECIAL, EXEMPLARY, OR PUNITIVE DAMAGES, OR FOR ANY LOSS OF PROFITS, REVENUE, DATA, BUSINESS, OR ANTICIPATED SAVINGS, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
AGGREGATE CAP. EACH PARTY’S TOTAL LIABILITY ARISING OUT OF OR RELATING TO THESE TERMS WILL NOT EXCEED THE FEES PAID AND PAYABLE BY CUSTOMER IN THE TWELVE (12) MONTHS PRECEDING THE EVENT GIVING RISE TO THE CLAIM. FOR SERVICES PROVIDED AT NO CHARGE, PROVIDER’S TOTAL LIABILITY WILL NOT EXCEED ONE HUNDRED (100) DOLLARS OR THE AMOUNT REQUIRED BY APPLICABLE LAW TO RENDER THIS LIMITATION VALID AND ENFORCEABLE IN THE JURISDICTION WHERE THE CLAIM IS BROUGHT.
Exceptions. The exclusions and limitations in this Section do not apply to:
either Party’s indemnification obligations;
Customer’s payment obligations;
a Party’s breach or misappropriation of the other Party’s intellectual property rights;
a Party’s breach of its Confidentiality obligations in Section 9;
death or personal injury caused by negligence;
obligations arising under an applicable Business Associate Agreement or HIPAA, including regulatory fines, penalties, or enforcement actions that cannot be limited by law;
fraud or willful misconduct; or
any liability that cannot lawfully be excluded or limited under applicable law.
Basis of Bargain. The parties acknowledge that the limitations and exclusions in this Section are an essential basis of their agreement and apply even if any limited remedy fails of its essential purpose.
Equitable Relief. Nothing in these Terms limits either party’s right to seek urgent or equitable relief, including injunctive relief, to prevent actual or threatened misuse of its intellectual property or Confidential Information.
Insurance. Provider will maintain insurance coverage appropriate to its business and the Services, which may be maintained by Provider or its affiliates, including, without limitation, cyber liability and technology errors and omissions insurance with aggregate limits of not less than $5,000,000 per policy period. Provider will provide evidence of such coverage upon reasonable request.
MISCELLANEOUS.
Entire Agreement. These Terms and the applicable Order Forms constitute the complete agreement between the parties regarding the Services and supersede all prior or contemporaneous agreements on the same subject matter. Any terms or conditions in a purchase order, vendor portal, confirmation, or other document issued by Customer that conflict with or supplement these Terms or an Order Form are void and will not apply, even if Provider accepts or performs under such document.
Notices. All notices under these Terms must be in writing and delivered (a) by email to the email address associated with Customer’s account or specified in the Order Form; or (b) to the notice address specified in the Order Form. A notice is deemed received on the next business day after it is sent, unless the sender receives a delivery failure notice. Either party may update its notice address or email by providing notice to the other party.
Force Majeure. Neither party is liable for any delay or failure to perform its obligations (other than payment obligations) due to events beyond its reasonable control, including natural disasters, acts of God, fire, flood, earthquake, war, terrorism, civil unrest, labor disputes, failures of utilities or telecommunications, or government actions (“Force Majeure Event”). The affected party will promptly notify the other party of the Force Majeure Event and use commercially reasonable efforts to resume performance as soon as practicable.
Amendments, Modifications, and Waivers. Any amendment or waiver of these Terms must be in writing and agreed to by both parties, including by electronic acceptance, clickwrap, or other electronic means. A waiver of any provision or right is effective only for the specific instance and purpose for which it is given and does not constitute a continuing waiver. Failure or delay by either party to enforce any provision of these Terms will not be deemed a waiver of that provision.
Severability. If any term or provision of these Terms is invalid, illegal, or unenforceable in any jurisdiction, such invalidity, illegality, or unenforceability will not affect any other term or provision of these Terms or invalidate or render unenforceable such term or provision in any other jurisdiction.
Assignment. Neither party may assign these Terms without the other party’s prior written consent, except that Provider may assign these Terms without consent to (a) an affiliate, (b) a successor in connection with a merger, acquisition, corporate reorganization, or sale of all or substantially all of its business or assets, or (c) an entity acquiring control of Provider. Any unauthorized assignment is void. These Terms bind the parties and their permitted successors and assigns.
Relationship of the Parties. The parties are independent contractors. These Terms do not create any partnership, joint venture, employment, agency, or fiduciary relationship. No third party has rights under these Terms except that Provider’s affiliates and subcontractors may rely on the disclaimers and limitations set out in these Terms. Nothing in these Terms creates a Business Associate relationship or authorizes the processing of Protected Health Information except pursuant to a separately executed Business Associate Agreement.
Compliance. Each party will comply with all applicable laws and regulations, including export-control, trade sanctions, anti-corruption, and anti-bribery laws. Customer must not use the Services in violation of such laws or allow access by prohibited persons. Customer is responsible for ensuring that its use of the Services, including its collection and processing of Customer Data, complies with all laws applicable to its business, operations, and industry, including privacy, consumer protection, and data-security laws. Customer must not use the Services for any unlawful purpose. Where Customer uses the Services in connection with healthcare operations, Customer represents that it is a Covered Entity or Business Associate under HIPAA, as applicable, and Provider will act as a Business Associate solely as set forth in the applicable Business Associate Agreement.
Governing Law and Jurisdiction. These Terms and any dispute, controversy, or claim arising out of or relating to them will be governed by the laws of the jurisdiction where the contracting Provider entity is organized, without regard to conflict-of-laws principles. Each party irrevocably submits to the exclusive jurisdiction and venue of the courts located in that jurisdiction and waives any objection to venue or inconvenient forum. Each party waives any right to a jury trial and agrees that any dispute must be brought on an individual basis and not as a class or representative action, to the maximum extent permitted by law. The United Nations Convention on Contracts for the International Sale of Goods does not apply.
Costs and Attorney’s Fees. In any legal action or proceeding arising out of or relating to these Terms, the prevailing party is entitled to recover its reasonable attorneys’ fees, costs, and expenses from the non-prevailing party, in addition to any other relief awarded.
Interpretation. Headings are for convenience only and do not affect interpretation. “Including” means “including without limitation.” References to a statute include any amendments, re-enactments, or successor laws. If any action is required on a non-business day, it may be taken on the next business day. The parties agree that no presumption arises against either party as drafter.
Execution. These Terms and any Order Form may be executed or accepted electronically and in counterparts, each of which is deemed an original. Electronic signatures and acceptance have the same legal effect as physical signatures.
Language. The Parties have required that these Terms and all deeds, documents and notices relating to these Terms be drawn up in the English language. Les parties aux présentes ont exigé que le présent contrat et tous autres contrats, documents ou avis afférents aux présentes soient rédigés en langue anglaise.
Schedule A – Services Description
Our platform provides AI-assisted tools designed to help dental practices streamline documentation, patient intake, and front-desk communications. The Services are intended to support administrative and clinical workflows; they do not replace licensed clinical judgment, diagnosis, treatment planning, or professional decision-making.
1) Dental Scribe (AI Documentation & Clinical Drafting)
The Dental Scribe helps generate draft clinical documentation based on practice-provided inputs such as dictation, typed notes, structured prompts, or other workflow data.
Key features may include:
Clinical note drafting in common formats (e.g., narrative, SOAP-style, procedure notes), customizable to practice templates.
Transcription support (where enabled) from audio dictation into editable text.
Summaries and visit documentation including chief complaint, history, findings, assessment, and plan (as provided by the user).
Referral letters and reports drafted for referring providers, based on the information entered by the practice.
Smart formatting and structure to standardize documentation and reduce repetitive typing.
Template management (practice-specific wording, macros, preferred phrasing).
Review-and-approve workflow so staff can edit, accept, or reject drafts prior to saving/exporting.
Export/copy tools for transferring finalized text into your preferred record system (where supported).
2) Digital Forms (Patient Intake, Consents, and Workflow Automation)
Digital Forms provide tools for collecting patient-entered information electronically and organizing it for use by the practice.
Key features may include:
Customizable patient intake forms (demographics, medical/dental history, medications, allergies, etc.).
Consent forms and acknowledgements (e.g., treatment consent, privacy acknowledgements) with e-signature support where enabled.
Pre-appointment workflows such as sending forms by link/SMS/email (if configured) and tracking completion status.
Conditional logic and validation (show/hide questions, required fields, basic input validation).
Multi-device access for patients (mobile/tablet/desktop).
Practice-facing review views to help staff quickly locate and verify submitted information.
Secure storage and retrieval of submitted form records (subject to your plan and retention settings).
Optional integrations with third-party systems (e.g., PMS/EHR) where supported.
3) AI Dental Receptionist (Calls, Messages, Scheduling Support)
The AI Dental Receptionist is an automated assistant that helps handle routine patient communications via channels enabled in your plan (e.g., web chat, SMS, or phone), including after-hours coverage.
Key features may include:
Answering common questions (hours, location, services, pricing guidance you provide, insurance/payment policies you provide).
Appointment support such as scheduling requests, rescheduling requests, cancellations, and waitlist handling (where enabled).
Lead capture for new patients (contact details, reason for visit, preferred times).
Patient messaging workflows including confirmations, reminders, and follow-ups (if configured).
Basic intake/triage prompts to collect relevant information (e.g., symptoms and urgency), with routing rules you configure.
Human handoff to staff via notification, message escalation, or transfer flow (where enabled).
Conversation summaries and logs to help your team review interactions and outcomes.
Multilingual support where available in your configuration.
Schedule B – Fees and Payment
Currency: USD
1) Monthly Subscription Fees (billed monthly in advance)
Digital Forms — $199.99 USD / month
Scribe Pro — $79.99 USD / month
Scribe Practice — $119.99 USD / month
Scribe Enterprise — $199.99 USD / month
Receptionist — $649.99 USD / month
2) Additional Authorized User (Seat) Fees for Scribe Plans (billed monthly in advance)
Additional Authorized User (seat) fees apply for each Authorized User enabled to access the applicable Scribe plan beyond any included users (if any) specified in the Order Form:
Scribe Pro — $49.99 USD / additional user / month
Scribe Practice — $99.99 USD / additional user / month
Scribe Enterprise — $139.99 USD / additional user / month
3) Billing Rules
Billing cadence: Monthly in advance.
Proration: Provider may prorate charges for plan upgrades and added seats for the remainder of the then-current billing period and bill the updated recurring amount at the next renewal.
Seat reductions/downgrades: Effective end of the then-current billing period unless otherwise stated in the Order Form.
Refunds: Fees are non-refundable except as required by law or expressly stated in an Order Form.
Schedule C – Service Levels and Support Services
This Schedule C sets forth the service levels and support services applicable to the Services provided by Provider under the Agreement.
1. Service Availability
Provider will use commercially reasonable efforts to maintain a monthly uptime percentage of at least 99.5% for the Services (the “Uptime Commitment”). Uptime is measured as the total number of minutes in a calendar month during which the Services are available, divided by the total number of minutes in that calendar month, expressed as a percentage.
2. Scheduled Maintenance Exclusions
The Uptime Commitment does not include periods of unavailability resulting from: (a) scheduled maintenance windows, provided that Provider uses commercially reasonable efforts to notify Customer in advance; (b) Force Majeure Events as defined in the Agreement; (c) failures or delays in Customer’s own systems, equipment, or internet connectivity; or (d) Customer’s misuse of the Services or actions taken in violation of the Agreement.
3. Support Services
Provider offers in-application support to Customer and its Authorized Users. Support is accessible through the in-app help features embedded within the Services, which may include a help center, knowledge base, guided walkthroughs, and an in-app messaging or chat function for submitting support inquiries.
4. Support Scope
Support services cover general product questions, troubleshooting of errors or service disruptions, guidance on the use of features and functionality, and assistance with account-related inquiries. Support does not include custom development, third-party integration debugging, data migration assistance, or on-site services unless separately agreed in an Order Form or statement of work.
5. Modifications
Provider may update the service levels and support offerings described in this Schedule from time to time. Any material reduction to the Uptime Commitment or elimination of a support channel will be communicated to Customer with reasonable advance notice.
Schedule D – Data Processing Addendum
This Data Processing Addendum (“DPA”) forms part of the Terms and any applicable Order Form between Customer and Provider (collectively, the “Agreement”) where Provider Processes Customer Personal Information as a Processor on behalf of Customer.
This DPA supplements, and does not limit, the Agreement. In the event of a direct conflict between this DPA and the Agreement regarding the Processing of Customer Personal Information, this DPA will control. Nothing in this DPA increases either party’s monetary liability beyond the limitations set out in the Agreement.
For the avoidance of doubt, this Data Processing Addendum does not apply to Protected Health Information (“PHI”) as defined under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). Any Processing of PHI by Provider on behalf of Customer is governed exclusively by the applicable Business Associate Agreement between the parties and applicable HIPAA regulations, and not by this DPA.
Capitalized terms used but not defined in this DPA have the meanings given in the Agreement.
Definitions
“Applicable Privacy Laws” means all privacy and data-protection laws applicable to the Processing of Customer Personal Information under this DPA, including, as applicable (a) U.S. state privacy laws, including the California Consumer Privacy Act as amended by the CPRA, the Colorado Privacy Act, the Virginia Consumer Data Protection Act, the Connecticut Data Privacy Act, and the Utah Consumer Privacy Act; (b) Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) and substantially similar provincial laws (including Alberta PIPA, BC PIPA, and Quebec’s Law 25); and (c) any substantially similar or successor laws.
“Controller” means the entity that determines the purposes and means of Processing Personal Information. For this DPA, Customer is the Controller of Customer Personal Information.
“Customer Personal Information” has the meaning given in the Agreement; for clarity, Customer Personal Information is the Personal Information within Customer Data that Provider Processes on behalf of Customer under the Agreement.
“Data Subject” means an identified or identifiable natural person to whom Personal Information relates.
“Personal Information” means any information relating to an identified or identifiable individual, including information defined or described as “personal information,” “personal data,” “personally identifiable information,” or similar terms under Applicable Privacy Laws.
“Processor” means an entity that Processes Personal Information on behalf of a Controller. For the purposes of this DPA, Provider acts as Customer’s Processor (or “service provider” or “processor” as those terms are defined under Applicable Privacy Laws) when Processing Customer Personal Information on Customer’s behalf.
“Security Incident” means a confirmed unauthorized access to or disclosure of Customer Personal Information, or other compromise of the security of Customer Personal Information Processed by Provider in connection with the Services, excluding unsuccessful attempts or activities that do not compromise the security of Customer Personal Information (such as unsuccessful login attempts, pings, port scans, or denial-of-service attacks).
“Sensitive Data” means categories of Personal Information that are subject to enhanced or special protection under Applicable Privacy Laws, including health data, biometric identifiers, financial account numbers, precise geolocation, information about children, and any other data categorized as “sensitive” by Applicable Privacy Laws. For the avoidance of doubt, Sensitive Data does not include PHI that is processed by Provider pursuant to a valid and fully executed Business Associate Agreement.
“Sub-processor” means any third party engaged by Provider to Process Customer Personal Information on behalf of Customer.
Roles and Scope
Roles. Customer is the Controller of Customer Personal Information. Provider acts as Customer’s Processor when processing Customer Personal Information. Provider will Process Customer Personal Information solely on behalf of Customer and only as described in the Agreement and this DPA.
Instructions. Customer is responsible for ensuring that its instructions to Provider regarding the Processing of Customer Personal Information comply with Applicable Privacy Laws. The parties agree that the Agreement (including this DPA), together with Customer’s use of the Services in accordance with the Agreement, constitute Customer’s complete and final instructions to Provider for the Processing of Customer Personal Information. Customer may issue additional written instructions during the applicable Service Term, provided that such instructions are: (a) consistent with the Agreement; (b) technically feasible; and (c) lawful. Provider will promptly notify Customer if Provider determines that Customer’s instructions violate Applicable Privacy Laws.
Compliance with Instructions and Purpose Limitation. Provider will Process Customer Personal Information only for the purposes described in the Agreement and this DPA, or as otherwise documented within Customer’s lawful instructions, except where Processing is required by Applicable Privacy Laws. Provider is not responsible for compliance with any data protection or privacy laws that apply solely to Customer or Customer’s industry and that are not generally applicable to processors performing substantially similar services. Where legally permitted, Provider will notify Customer if Provider is required by applicable law to Process Customer Personal Information in a manner that conflicts with Customer’s instructions.
Description of Processing. The subject matter, nature, and purpose of the Processing, the types of Customer Personal Information, the categories of Data Subjects, and the duration of the Processing are described in the Agreement and applicable Order Forms and further detailed in Annex A (Description of Processing) to this DPA. The parties may update Annex A as reasonably necessary to reflect changes to Customer’s use of the Services, provided such updates remain consistent with the Agreement.
Sensitive Data. Customer determines, through its configuration and use of the Services, the types of Customer Data that Customer transmits or Processes within the Services. Customer is responsible for ensuring that appropriate safeguards, notices, consents, and security controls are in place prior to transmitting or Processing any Sensitive Data (as defined under Applicable Privacy Laws) via the Services. Unless expressly agreed in writing, the Services are not designed to Process Sensitive Data subject to heightened protections under Applicable Privacy Laws (including, where applicable, health information, financial account numbers, biometric identifiers, precise geolocation, children’s data, or other categories designated as sensitive). To the extent Customer chooses to submit Sensitive Data, such Processing will be subject to the scope limitations, restrictions, and safeguards described in this DPA and any additional mutually agreed terms between the parties.
Restrictions on Processing. Provider will not:
sell or share Customer Personal Information, or otherwise Process Customer Personal Information for Provider’s own purposes or for any purpose other than providing the Services;
retain, use, or disclose Customer Personal Information for any purpose other than to perform the Services or as permitted under the Agreement, this DPA, or Applicable Privacy Laws;
retain, use, or disclose Customer Personal Information outside the direct business relationship between Customer and Provider;
combine Customer Personal Information with Personal Information that Provider receives from or on behalf of another person or entity or collects from Provider’s own interactions with a Data Subject, except (i) as permitted by Applicable Privacy Laws to perform a business purpose, or (ii) to provide, maintain, secure, or improve the Services;
Process, transfer, modify, amend, or alter Customer Personal Information except in accordance with Customer’s lawful instructions or as required by Applicable Privacy Laws;
disclose Customer Personal Information to any third party except to authorized Sub-processors or as otherwise permitted under this DPA or required by Applicable Privacy Laws; or
engage in any Processing that would cause Provider to qualify as a “business” or “controller” with respect to Customer Personal Information under Applicable Privacy Laws.
Provider certifies that it understands and will comply with the restrictions set out in this Section.
Provider Personnel.
Limited Access. Provider will ensure that access to Customer Personal Information is limited to its and its Affiliates’ personnel who have a legitimate need to access such information in order to perform Provider’s obligations under the Agreement and this DPA.
Confidentiality Obligations. Provider will ensure that all personnel who have access to Customer Personal Information are bound by written confidentiality obligations that are no less protective than those in the Agreement. Such obligations will survive termination of the personnel’s engagement with Provider.
Training. Provider will ensure that personnel who Process Customer Personal Information receive appropriate training regarding their responsibilities under Applicable Privacy Laws and this DPA, including training relating to information security, confidentiality, and the proper handling of Customer Personal Information.
Reliability and Integrity. Provider will take commercially reasonable steps to ensure the reliability and integrity of personnel who have access to Customer Personal Information.
Least-Privilege Access Controls. Provider will ensure that personnel access Customer Personal Information only on a need-to-know basis and solely to the extent required to perform their job responsibilities and Provider’s obligations under the Agreement and this DPA.
Security
Security Program. Provider will maintain an information security program with administrative, technical, and physical safeguards appropriate to the nature of the Services and the types of Customer Personal Information Processed. Provider’s security program is designed to protect Customer Personal Information against unauthorized or unlawful Processing and against accidental or unlawful destruction, loss, alteration, disclosure, or access. Provider may update its security program from time to time, provided such updates do not materially reduce the overall level of protection for Customer Personal Information.
Security Measures. Without limiting Section 4.1, Provider will implement and maintain measures as may be described further in Annex B (Security Measures) that include, as appropriate:
access controls and authentication measures;
encryption of Customer Personal Information in transit and at rest where technically feasible;
network and perimeter security measures;
protections against malicious code;
regular testing and evaluation of security procedures; and
personnel training consistent with Section 3.
Security Incidents. Provider will notify Customer without undue delay after becoming aware of a confirmed Security Incident involving Customer Personal Information Processed by Provider under the Agreement. Such notice will include information reasonably sufficient to allow Customer to meet its obligations under Applicable Privacy Laws, to the extent known to Provider at the time of notification.
Following a Security Incident, Provider will:
promptly investigate the Security Incident;
take reasonable steps to contain, mitigate, and remediate its effects; and
provide Customer with updates as necessary to keep Customer informed of material developments.
Provider’s obligations in this Section apply only to Security Incidents involving Customer Personal Information Processed within the Services and do not apply to incidents caused by Customer, Customer’s users, or third parties outside Provider’s systems.
Cooperation. Customer is responsible for determining whether to notify regulators, Data Subjects, or other third parties regarding a Security Incident, and for making any such notifications, unless otherwise required by Applicable Privacy Laws. Provider will provide reasonable cooperation and assistance to Customer in relation to any Security Incident to the extent required for Customer to comply with its obligations under Applicable Privacy Laws, taking into account the nature of the Processing and the information available to Provider.
Customer Responsibilities. Customer is responsible for maintaining the security and confidentiality of Customer’s access credentials, for configuring the Services in accordance with Provider’s instructions and documentation, and for ensuring appropriate safeguards when transmitting Customer Personal Information to the Services. Provider is not responsible for security incidents or unauthorized access caused by Customer’s failure to secure its systems, credentials, or networks.
Subprocessors
Authorization. Customer authorizes Provider to engage Subprocessors to Process Customer Personal Information as reasonably necessary to provide, maintain, secure, and support the Services. Provider will remain responsible for the acts and omissions of its Subprocessors to the same extent Provider is responsible for its own acts and omissions under the Agreement.
Provider will ensure that each Subprocessor is bound by a written contract that:
requires the Subprocessor to Process Customer Personal Information only on Provider’s behalf and only for the purposes permitted under this DPA and the Agreement;
imposes data-protection obligations that are no less protective of Customer Personal Information than those in this DPA; and
requires the Subprocessor to implement appropriate technical and organizational security measures consistent with this DPA.
Due Diligence. Provider will conduct appropriate due diligence to ensure that Subprocessors have the capability to meet their contractual obligations and maintain appropriate security and privacy protections.
Subprocessor List and Notifications. Provider may maintain a list of current Subprocessors, which may be made available to Customer upon request or published online. Provider will provide Customer with reasonable advance notice of any new Subprocessor. Customer may object to a new Subprocessor on reasonable data-protection grounds.
Objections. If Customer objects to a new Subprocessor on reasonable grounds relating to data protection, the parties will discuss in good faith to find a mutually acceptable resolution. If no resolution is reached, Customer may terminate the affected portion of the Services with written notice, and Provider will refund any prepaid Fees for the terminated portion.
Data Subject Rights Assistance
Customer Responsibilities. Customer is responsible for responding to requests from individuals (Data Subjects) to exercise their rights under Applicable Privacy Laws, including rights of access, deletion, correction, and opt-out. Provider will not respond directly to any Data Subject request relating to Customer Personal Information unless expressly instructed to do so by Customer or required by Applicable Privacy Laws.
Notice of Requests Received by Provider. If Provider receives a Data Subject request relating to Customer Personal Information, Provider will promptly (and in no event later than is reasonably required by Applicable Privacy Laws) notify Customer, unless legally prohibited from doing so. Provider may respond to the Data Subject only to confirm receipt and indicate that the request has been forwarded to Customer.
Provider Assistance. To the extent Customer is unable to fulfill a Data Subject request through the self-service features of the Services, Provider will, upon Customer’s request and to the extent reasonably possible, assist Customer in responding to such request. Provider will provide such assistance taking into account the nature of the Processing and the information available to Provider. If such assistance requires effort beyond standard functionality or support, Customer will reimburse Provider’s reasonable costs.
Limitations. Provider has no obligation to fulfill or respond to any Data Subject request where:
Customer has not provided necessary details;
the request pertains to data that Provider does not Process on behalf of Customer;
fulfilling the request would violate Applicable Privacy Laws; or
the data is not Customer Personal Information within the meaning of this DPA.
Return or Deletion of Customer Personal Information
During the Term. At any time during the Term, Customer may instruct Provider to return or delete Customer Personal Information. Provider will comply with Customer’s instruction within a reasonable period, subject to:
End of Term. Upon termination or expiration of the Agreement, or upon Customer’s written request, Provider will, at Customer’s option:
return Customer Personal Information in a commonly used, machine-readable format;
delete Customer Personal Information; or
both return and delete it,
unless Provider is required by Applicable Privacy Laws to retain some or all Customer Personal Information.
Backup and Archival Copies. Notwithstanding Customer’s deletion instruction, Provider may retain Customer Personal Information in standard backup or archival systems maintained for disaster recovery or business continuity purposes, provided that such copies:
are not actively Processed;
remain subject to this DPA; and
are securely overwritten or deleted in accordance with Provider’s standard data retention schedule.
Retention Required by Law. If Provider is legally required to retain Customer Personal Information beyond termination of the Agreement, Provider will continue to ensure the confidentiality, security, and limited Processing of such retained data, and will Process it only as necessary to comply with the legal requirement.
Regulatory Cooperation
Assistance with Data Protection Impact Assessments. To the extent required by Applicable Privacy Laws, Provider will, upon Customer’s request and taking into account the nature of the Processing and the information available to Provider, provide reasonable assistance to Customer in connection with: (a) data protection impact assessments (“DPIAs”) or similar risk assessments; and (b) consultations with supervisory authorities or regulators relating to Customer’s use of the Services.
Limitations. Provider’s obligations under this Section apply only to Processing of Customer Personal Information performed by Provider on Customer’s behalf under the Agreement and are subject to Provider’s confidentiality and security obligations, including protections for Provider’s own confidential information, trade secrets, systems, and data.
Cross-Border Transfers
Customer Personal Information may be transferred, stored, or accessed in the United States or Canada as necessary to provide the Services. Each party will ensure that any such cross-border transfers comply with Applicable Privacy Laws, including any requirements relating to notice, consent, or contractual safeguards.
To the extent Customer requires the transfer of Customer Personal Information to or from jurisdictions outside the United States or Canada, the parties will implement appropriate transfer mechanisms as required under Applicable Privacy Laws. If Customer requires the use of Standard Contractual Clauses, the parties will execute the separate SCC DPA (Data Processing Addendum with Standard Contractual Clauses) provided by Provider.
Nothing in this Section requires Provider to operate or store Customer Personal Information in a specific geographic location unless expressly agreed in writing in the Agreement or an applicable Order Form.
Changes in Law
Required Modifications. If either party believes that changes to this DPA are necessary to comply with Applicable Privacy Laws, that party may notify the other in writing. The parties will work together in good faith to negotiate and implement any modifications reasonably required to address such legal changes.
Cooperation. Provider will make reasonable adjustments to its Processing and its obligations under this DPA to enable Customer to comply with its own obligations under Applicable Privacy Laws, provided that such adjustments:
relate solely to Provider’s role as Processor;
are technically feasible; and
do not impose obligations on Provider that are not generally applicable to processors providing substantially similar services.
Additional Agreements. If Customer requires additional agreements or lawful transfer mechanisms (such as Standard Contractual Clauses, UK Addendum, or similar instruments) for international transfers or to address changes in Applicable Privacy Laws, Provider will enter into such agreements where reasonably required and mutually agreed by the parties and to the extent applicable to Provider’s Processing of Customer Personal Information.
Audit Rights
Demonstrating Compliance. Upon Customer’s reasonable request, Provider will make available information necessary to demonstrate Provider’s compliance with this DPA, which may include:
responses to reasonable security or privacy questionnaires;
summaries of Provider’s internal or external audits; or
copies of independent third-party audit reports or certifications (e.g., SOC 2, ISO 27001), to the extent Provider makes such reports available to its customers.
Audit Process. If the information provided under Section is insufficient for Customer to meet its obligations under Applicable Privacy Laws, Customer may conduct an audit of Provider’s compliance with this DPA. Any such audit must:
be requested with at least thirty (30) days’ prior written notice;
occur no more than once in any twelve (12) month period (unless required more frequently by a regulator or following a confirmed Security Incident);
be conducted during normal business hours;
not unreasonably disrupt Provider’s operations; and
be limited to records, systems, and facilities relevant to Provider’s Processing of Customer Personal Information.
On-Site Audits. Customer must first exhaust the information available under this Section before requesting an on-site audit. On-site audits may only be performed:
by Customer or a mutually agreed independent third party that is not a competitor of Provider; and
under reasonable confidentiality obligations no less protective than the Agreement.
Customer will bear its own costs associated with any audit. If an audit requires Provider to incur costs that are not included in Provider’s standard compliance program (such as extensive engineering time, supervision costs, or costs associated with third-party resources), Customer will reimburse Provider’s reasonable out-of-pocket costs.
Limitation. No audit may:
access data belonging to Provider’s other customers;
access Provider’s proprietary information, trade secrets, or internal HR records; or
compromise Provider’s or its Subprocessors’ security, confidentiality, or availability controls.
Provider may object to any auditor it reasonably believes is not independent, is a competitor, or poses a security or confidentiality risk. In such cases, Customer must appoint a different auditor.
Liability
Limitation of Liability. The limitations, exclusions, and caps on liability set out in the Agreement apply to this DPA and to any claims, losses, or liabilities arising out of or relating to the Processing of Customer Personal Information. Nothing in this DPA is intended to increase either party’s liability or create additional remedies not expressly provided for in the Agreement. For clarity, any obligations imposed on Provider under this DPA (including assistance obligations, deletion/return obligations, security measures, audit rights, or cross-border transfer mechanisms) do not create additional indemnification obligations or monetary liability beyond what is stated in the Agreement. For the avoidance of doubt, nothing in this DPA limits liability that cannot be limited under Applicable Privacy Laws.
Any claims brought under or in connection with this DPA must be brought by the parties to the Agreement and not by any third party, including Data Subjects. No third party has rights or standing to enforce this DPA.
Conflict. If there is a conflict between this DPA and the Agreement, this DPA will control solely with respect to the Processing of Customer Personal Information. If a conflict arises between this DPA and Applicable Privacy Laws, Applicable Privacy Laws will control. All other terms of the Agreement remain unchanged and in full force.
Duration. This DPA will remain in effect for as long as Provider Processes Customer Personal Information on behalf of Customer under the Agreement. Termination or expiration of the Agreement will not relieve either party of its obligations under this DPA with respect to Customer Personal Information Processed prior to such termination or expiration, including obligations relating to confidentiality, deletion, return, and security.
Acceptance and Incorporation. This DPA forms part of the Agreement only where required under Applicable Privacy Laws or where expressly agreed by the parties, including by executing an Order Form that incorporates this DPA. Customer may also accept this DPA by signing or electronically accepting it separately when requested or made available by Provider. If Customer purchases the Services through an authorized partner or reseller, this DPA applies only where required and agreed for Customer’s use of the Services.
Exhibit A to Data Processing Addendum: Description of Processing
This Exhibit describes the subject matter and details of Provider’s Processing of Customer Personal Information under the DPA.
1. Subject Matter of the Processing
Processing of Customer Personal Information as necessary to provide, maintain, support, secure, and improve the Services under the Agreement and any applicable Order Forms.
2. Duration of the Processing
For the Term of the Agreement and as long as Provider Processes Customer Personal Information on behalf of Customer, including any retention permitted under the Agreement or required by Applicable Privacy Laws.
3. Nature and Purpose of the Processing
The Processing includes the following activities, as applicable to the Services purchased by Customer:
Hosting and storage of Customer Personal Information
Transmission of Customer Personal Information
Access, retrieval, and display
Organization, structure, and use
Analysis, reporting, and service-related analytics
Authentication and authorization
Logging, monitoring, and security operations
Backup and archival for business continuity
Customer support and troubleshooting
Configuration, maintenance, and administration of the Services
Any other Processing strictly necessary to perform the Services in accordance with the Agreement
4. Types of Customer Personal Information
Depending on Customer’s configuration and use of the Services, Customer Personal Information may include:
Business contact information (names, titles, roles, business email addresses, phone numbers)
Account and authentication information
Device and usage information
Communication content submitted through the Services
Transactional or support interaction details
Any other Customer Personal Information submitted, transmitted, or stored by Customer within the Services
Sensitive Data: Customer may choose to submit Sensitive Data, but the Services are not designed to Process Sensitive Data unless expressly agreed in writing. Any Sensitive Data submitted is subject to the restrictions and safeguards described in this DPA.
5. Categories of Data Subjects
May include:
Customer’s employees, contractors, and personnel
Customer’s end users or clients
Customer’s prospective leads or contacts
Individuals whose information is processed by Customer through its use of the Services
Any other individuals whose Personal Information Customer submits to the Services
6. Processing Instructions
Provider will Process Customer Personal Information only:
Exhibit B to Data Processing Addendum: Security Measures
Provider maintains an information security program designed to protect Customer Personal Information against unauthorized or unlawful Processing and against accidental or unlawful destruction, loss, alteration, or disclosure. The following categories of safeguards will be implemented, as appropriate:
1. Organizational Controls
Information security program appropriate to the nature of the Services
Regular risk assessments and security reviews
Policies governing acceptable use, access control, encryption, and incident response
Independent audits or certifications (e.g., SOC 2, as applicable)
Vendor and Subprocessor security evaluations
Personnel training on security and privacy responsibilities
2. Access Controls
Role-based and least-privilege access
Authentication and authorization controls
Multi-factor authentication where applicable
Logging of access to systems containing Customer Personal Information
Regular access reviews
Immediate removal of access upon personnel termination or job change
3. Physical and Environmental Security
Secure data center facilities with physical access controls
Environmental safeguards (HVAC, power redundancy, fire suppression)
Surveillance, monitoring, and visitor management
Asset disposal and media sanitization policies
4. Network and System Security
Firewalls, intrusion detection/prevention, and network segmentation
Patch management and vulnerability remediation
Anti-malware and endpoint protection
Secure configuration management
Encryption of Customer Personal Information in transit using TLS or equivalent security
Encryption of Customer Personal Information at rest where technically feasible
5. Operational Controls
Secure software development lifecycle (SDLC) practices
Code review and testing
Backup and recovery procedures
Business continuity and disaster recovery plans
Monitoring and logging of system activity
Regular penetration testing or vulnerability assessments
6. Incident Response
Documented incident response plan
Processes for detection, investigation, containment, and remediation
Notification to Customer without undue delay following confirmation of a Security Incident
Schedule F – Business Associate Agreement
This Business Associate Agreement (“BAA”) is entered into and forms part of the Terms and any applicable Order Form between Customer and Provider (collectively, the “Agreement”). If accepted electronically, the BAA Effective Date is the date Customer electronically accepts the Agreement or Order Form incorporating this BAA.
RECITALS
The Parties have entered into the SOFTWARE AS A SERVICE (SAAS) TERMS (“TERMS”), together with the Schedules, including this BAA, and applicable Order Form (collectively, the “Agreement”) under which Provider provides services that may involve the receipt, transmission or maintenance of PHI (as defined below) for or on behalf of Customer for a function or activity regulated by 45 C.F.R. Part 160 Subpart.
Customer is a “covered entity” subject to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), the Health Information Technology for Economic and Clinical Health Act (“HITECH”), and the implementing regulations of HIPAA and HITECH (HIPAA, HITECH and the implementing regulations of HIPAA and HITECH are hereinafter collectively referred to as “HIPAA”).
Due to the services Provider provides for Customer, Provider may be subject to certain provisions of HIPAA.
HIPAA requires the Parties to enter into an agreement to protect the privacy and security of PHI (as defined below), and the Parties wish to modify the Agreement to address requirements that may now be or may become applicable to the Parties due to HIPAA.
NOW, THEREFORE, in consideration of the foregoing recitals and the mutual covenants contained herein, and for other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the Parties agree as follows:
Definitions.
“Breach”, “Covered Entity”, “Designated Record Set”, “Disclosure”, “Individual”, “Required by Law”, “Secretary”, “Security Incident”, “Unsecured PHI”, “Use”, and any other terms defined in the HIPAA Rules, whether capitalized or not, have the meaning ascribed to such terms in the HIPAA Rules unless otherwise specified.
“Additional Terms” means any additions to or modifications of this BAA agreed by the parties.
“BAA Effective Date” is the effective date of this BAA specified by the parties (or, if not explicitly specified, the date of execution of the agreement that incorporates this BAA).
“Data Disposition Period” is defined in Section 5.2.
“HIPAA” means the Health Insurance Portability and Accountability Act of 1996, and implementing regulations.
“HIPAA Rules” means the Privacy Rule and Security Rule.
“HITECH Act” means the Health Information Technology for Economic and Clinical Health Act, codified at 42 U.S.C. §§ 17921–17954, and implementing regulations.
“HHS” means the Department of Health and Human Services.
“Main Agreement” means the separate agreement under which Business Associate is providing a service to Customer to which this BAA relates.
“Privacy Rule” means the standards for permissible uses and disclosures of Protected Health Information codified at 45 C.F.R. Part 160 and Subparts A and E of Part 164.
“Protected Health Information” or “PHI” means protected health information or electronic protected health information (as such terms are defined in the HIPAA Rules) that Business Associate creates, receives, maintains, or transmits on behalf of Customer in connection with activities under the Main Agreement.
“Response Period” means ten days.
“Safeguards” is defined in Section 3.2(a).
“Security Rule” means the standards for security of Protected Health Information codified at 45 C.F.R. Part 160 and Subparts A and C of Part 164.
“Subcontractor” is defined in Section 3.7.
“Unsuccessful Security Incident” means an attempted but failed Security Incident involving PHI or a Business Associate’s information system containing PHI, such as pings or other broadcast attacks on a firewall, denial of service attacks, port scans, or unsuccessful login attempts, or interception of encrypted information where the key is not compromised, or any combination of the above.
Role of the Parties. Business Associate provides a service to Customer under the Main Agreement which may involve creating, receiving, maintaining, or transmitting PHI.
Obligations of Business Associate.
Permitted Uses and Disclosures of PHI.
Business Associate may Use and Disclose PHI to perform functions, activities, or services for, or on behalf of, Customer as specified in the Main Agreement.
Business Associate agrees not to Use or Disclose PHI other than as permitted or required by the Main Agreement, this BAA, or as Required by Law.
Business Associate may Use PHI for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate.
Business Associate may Disclose PHI for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate, provided that (i) such disclosure was Required by Law or (ii) Business Associate obtains reasonable assurances from the person to whom the information is Disclosed that it will be held confidentially and Used or further Disclosed only as Required by Law or for the purpose for which it was Disclosed, and the person notifies Business Associate of any instances of which it is aware where the confidentiality of the information has been breached.
Adequate Safeguards for PHI.
Business Associate will implement and maintain appropriate safeguards designed to prevent the Use or Disclosure of PHI in any manner other than as permitted by this BAA (“Safeguards”).
Safeguards will include administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of any PHI that Business Associate creates, receives, maintains, or transmits on behalf of Customer.
Business Associate will comply with the Security Rule as applicable to Business Associate.
Event Reporting Obligations.
Unauthorized Use or Disclosure. Business Associate will report to Customer any Use or Disclosure of PHI by Business Associate (including its employees or Subcontractors) not permitted under this BAA of which it becomes aware without unreasonable delay, but no later than the Response Period following Business Associate becoming aware of such Use or Disclosure.
Security Incidents. Business Associate will report to Customer any Security Incident affecting PHI of which it becomes aware without unreasonable delay, but no later than the Response Period following Business Associate becoming aware of the Security Incident. For Unsuccessful Security Incidents, notice is deemed provided and no further notice will be required.
Breach of Unsecured PHI.
Business Associate will report to Customer any Breach of Unsecured PHI (“Breach Report”) of which it becomes aware without unreasonable delay, but no later than the Response Period following Business Associate becoming aware of the Breach of Unsecured PHI.
Each Breach Report, to the extent possible, will include the identification of each Individual whose Unsecured PHI has been or is reasonably believed to have been Breached and other information regarding the Breach as reasonably requested by Customer.
Business Associate will (A) supplement its Breach Report if the above information is not available at the time of the initial report and (B) otherwise cooperate with Customer’s requests for information as may be necessary for Customer to evaluate the scope of the Breach and related compliance issues.
Availability of Internal Records to Government Agencies.
Business Associate will make its internal practices, books, and records relating to the Use and Disclosure of PHI available to the Secretary for purposes of determining Customer’s compliance with the HIPAA Rules.
Business Associate will, if permitted by law, promptly notify Customer of any requests made by the Secretary relating to Customer and provide Customer with copies of any documents produced in response to such request.
Access to and Amendment of PHI. Within the Response Period following a request by Customer, Business Associate will make PHI in a Designated Record Set available to Customer to enable Customer to make access available to an Individual, make amendments and incorporate such amendments into the PHI, or otherwise fulfill its obligations under the Privacy Rule (including, but not limited to, 45 C.F.R. Sections 164.524 and 164.526).
Accounting of Disclosures. Business Associate will document Business Associate’s Disclosures of PHI and provide such information to Customer as necessary to permit Customer to respond to a request by an Individual for an accounting of Disclosures of PHI in accordance with 45 C.F.R. Section 164.528 and Section 13405(c) of Title XII, Subtitle D of the HITECH Act.
Subcontractors. Business Associate may Disclose PHI to one or more subcontractors (each, a “Subcontractor”), and may allow a Subcontractor to create, receive, maintain, or transmit PHI on its behalf, provided that Business Associate executes a written agreement obligating each such Subcontractor to comply with the same restrictions and conditions that apply to Business Associate with respect to the PHI.
Agreement to Mitigate. Business Associate will mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a Use or Disclosure of PHI by Business Associate in violation of this BAA.
Compliance with Customer Obligations. To the extent Business Associate carries out Customer’s obligations under the Privacy Rule, Business Associate will comply with the requirements of such Privacy Rule that apply to Customer in the performance of such obligations.
Minimum Necessary. Business Associate will Use or Disclose the minimum necessary amount of PHI to accomplish the purposes of the Use or Disclosure in accordance with the HIPAA Rules.
HITECH Act Compliance. Business Associate will comply with the requirements of the HITECH Act which are applicable to business associates.
Obligations of Customer.
Safeguards. Customer is responsible for implementing appropriate privacy and security safeguards, including the privacy and security safeguards required of Customer under the Main Agreement, in order to protect its PHI in accordance with the HIPAA Rules.
Notice of Privacy Practices. Customer will inform Business Associate of any limitation in its notice of privacy practices adopted in accordance with the Privacy Rule, to the extent that such limitation may affect Business Associate’s Use or Disclosure of PHI.
Information on Restrictions. Customer will inform Business Associate of any changes in, or revocation of, permission by an Individual to use or disclose PHI if such changes affect Business Associate’s Use or Disclosure of PHI.
Impermissible Requests. Customer will not request or cause Business Associate to Use or Disclose PHI in any manner that would not be permissible under the HIPAA Rules if done by Customer.
Notice Obligations. Customer's obligations under Section 5.9 (PHI Patient Consent and Notice Obligations) of the Terms are incorporated herein by reference and apply with equal force to all disclosures of PHI by Customer under this BAA. Customer acknowledges that compliance with HIPAA alone does not satisfy Customer's obligations under Section 5.9, which independently requires compliance with all Applicable Health Privacy Laws as defined in the Main Agreement.
Term and Termination.
Duration of BAA. This BAA commences on the BAA Effective Date and terminates upon expiration or termination of the Main Agreement.
Disposition of PHI Upon Termination or Expiration. Within 60 days after expiration or earlier termination of this BAA (“Data Disposition Period”), Business Associate will, if feasible, return or destroy all PHI it still maintains in any form and retain no copies of such information or, if such return or destruction is not feasible, extend the protections of this BAA and limit further Uses and Disclosures of such PHI to those purposes that make the deletion infeasible.
General Terms.
Order of Precedence. Any Additional Terms will control in a conflict with the terms of this BAA.
Relationship to Main Agreement.
This BAA (including any Additional Terms) is incorporated into the Main Agreement.
In the event of a conflict between a provision of this BAA (as modified by any Additional Terms) and the Main Agreement, the BAA will control. Otherwise, this BAA will be construed under, and in accordance with, the terms of the Main Agreement.
The parties acknowledge that any liability provisions of the Main Agreement apply to this BAA.
No Third-Party Beneficiaries. There are no third-party beneficiaries to this BAA.
Independent Contractors. The parties are independent contractors, not agents, partners, or joint venturers. Neither party will represent itself as the agent or legal representative of the other for any purpose.
Exhibit A to Schedule F – Sample Patient Consent For AI-Assisted Clinical Documentation
NOTICE TO CUSTOMER — NOT FOR PATIENT DISTRIBUTION AS-IS. This template is provided by [Vendor Name] as a reference resource to assist customers in developing their own patient consent processes. It does not constitute legal advice. Customers are solely responsible for ensuring that their consent forms, disclosures, and recording practices comply with all applicable federal, state, and local laws—including HIPAA, state wiretapping and recording statutes, and state health information privacy laws—in each jurisdiction where they operate. Customers should consult qualified legal counsel before implementing this or any consent form in their practice.
Remove this notice before distributing to patients.
[PRACTICE NAME]
[Address | Phone | Fax]
PATIENT CONSENT FOR AI-ASSISTED CLINICAL DOCUMENTATION
(Audio Recording and AI Scribe Technology)
1. What This Form Is About
This practice uses an artificial intelligence (AI) clinical documentation tool (an “AI scribe”) to assist your healthcare provider in creating accurate records of your visit. The AI scribe works by recording the audio of your clinical encounter, converting the conversation to text, and generating a draft clinical note for your provider’s review.
This form asks for your informed consent to (a) the audio recording of your visit and (b) the processing of that recording by the AI scribe system before, during, or after your encounter.
2. How the AI Scribe Works
A microphone or device in the exam room will record the audio of your conversation with your provider.
The audio recording is transmitted to the AI scribe system, which transcribes the conversation and generates a draft clinical note.
Your provider will review, edit, and approve the note before it is finalized and added to your medical record. No AI-generated note is entered into your chart without provider review.
The AI scribe does not provide medical advice, make clinical decisions, or replace your provider’s judgment in any way.
3. Data Handling, Storage, and Retention
Audio is processed in real time and is not stored or retained by the AI scribe vendor after transcription is complete.
Transcripts and draft notes are stored in systems that comply with HIPAA security requirements.
The AI scribe vendor operates under a Business Associate Agreement (BAA) with this practice, requiring the vendor to safeguard your protected health information (PHI) in accordance with HIPAA.
Your transcript and clinical note data will not be sold to any third party.
Your data will not be used to train or improve AI models unless you provide separate, explicit written consent for that purpose.
4. Who May Access Your Information
Your recorded and transcribed information may be accessed only by:
Your treating provider(s) and authorized clinical staff at this practice;
The AI scribe vendor’s systems, solely for the purpose of generating your clinical note under the terms of the BAA; and
Other parties only as permitted or required by law (e.g., for treatment, payment, healthcare operations, or as otherwise authorized under HIPAA).
5. Your Rights
Voluntary consent. Your consent is entirely voluntary. You may decline to be recorded without any effect on the quality, scope, or availability of care you receive.
Right to withdraw. You may withdraw your consent at any time, including during a visit. Simply inform your provider, and the recording will be stopped. No audio is stored by the AI scribe vendor.
Right to opt out for specific visits. Even after signing this form, you may request that the AI scribe not be used for any particular visit. Your provider will document your care using an alternative method.
Right to access your records. You may request a copy of any clinical note generated from your visit in accordance with applicable law.
6. State Recording Law Compliance
Certain states, including California, require the consent of all parties to a conversation before it may be recorded. By signing below, you acknowledge that you have been informed that your clinical visit will be audio-recorded for the purposes described above, and you consent to that recording. This consent satisfies applicable federal and state requirements, including but not limited to HIPAA, the California Invasion of Privacy Act (Cal. Penal Code §§ 630–638.55), and the California Confidentiality of Medical Information Act (Cal. Civ. Code § 56 et seq.), as well as the recording and privacy laws of any other state in which you or your provider are located at the time of the encounter.
7. Scope and Duration of Consent
This consent applies to all visits at this practice until you revoke it in writing. You may revoke this consent at any time by notifying the practice in writing. Revocation will take effect for all visits occurring after receipt of the revocation and will not affect the validity of recordings or notes created before revocation.
Patient Acknowledgment and Consent
By signing below, I confirm that:
I have read and understand this form, or it has been explained to me in a language I understand.
I have had the opportunity to ask questions about the AI scribe and how my information will be used.
I voluntarily consent to the audio recording of my clinical visits and the use of AI scribe technology as described above.
I understand that I may withdraw this consent at any time without affecting my care.
Decline of Consent
☐ I decline to consent to the use of AI scribe technology for my visits at this time. I understand that this will not affect the quality or availability of my care.
For Office Use Only
Verbal consent confirmed at time of visit: ☐ Yes ☐ No ☐ N/A (written consent obtained)
Staff initials: __________ Provider: __________ Date: __________
Consent status entered in EHR: ☐ Yes