Business Associate Agreement
This HIPAA Business Associate Agreement (this “BAA”) defines the rights and responsibilities of DataMotion, Inc. (“Business Associate”) and “Customer” with respect to protected health information (“PHI”) and electronic PHI (“EPHI”) in compliance with the Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), Public Law 104-191, and the federal HIPAA privacy, security, and transactions and code set regulations promulgated pursuant thereto and codified at 45 C.F.R. parts 160 and 164, (the “Privacy Rule,” “Security Rule,” and “Transactions Rule”) and the Health Information Technology for Economic and Clinical Health Act provisions of the American Recovery and Reinvestment Act of 2009 and its implementing regulations, (“HITECH Act”), and the Omnibus Rule, all as may be amended from time to time, (collectively referred to herein as the “HIPAA Regulations”).
This BAA is intended to ensure that Business Associate and Customer will establish and implement appropriate safeguards where Business Associate may receive, maintain, use or disclose PHI or EPHI in connection with the functions, activities and services that Business Associate performs on behalf of Customer solely to perform its duties and responsibilities under the Underlying Agreement.
1. Applicability. This BAA applies only:
1.1. In the event and to the extent Business Associate meets, with respect to Customer, the definition of a Business Associate set forth at 45 C.F.R. §160.103, or applicable successor provisions.
1.2. To Services that Customer purchases directly from Business Associate and only to the extent that Customer selects “PHI Account” in the Master Service Agreement, Terms and Conditions, located at https://datamotion.com/master-service-agreement-terms-and-conditions/ (the “Underlying Agreement”) between the parties, which will incorporate the terms of this BAA into that Underlying Agreement.
1.3. Where Customer uses the Services to store or transmit any PHI as defined below.
2. Definitions. Capitalized terms used in this BAA and not otherwise defined herein shall have the meanings set forth in the HIPAA Regulations, which definitions are incorporated in this BAA by reference.
2.1. “Business Associate” shall mean “business associate” as defined in 45 C.F.R. § 160.103.
2.2. “Electronic Protected Health Information” or “EPHI” shall mean “electronic protected health information” as defined in 45 C.F.R. § 160.103, limited to the information received by Business Associate from or on behalf of Customer, in connection with the Underlying Agreement.
2.3. “Individual” shall have the same meaning as the term “individual” in 45 C.F.R. § 160.103 and shall include a person who qualifies as a personal representative in accordance with 45 C.F.R. § 164.502(g).
2.4. “Protected Health Information” or “PHI” shall have the same meaning as the term “protected health information” as defined in 45 C.F.R. § 160.103, limited to the information received by Business Associate from or on behalf of Customer, in connection with the Underlying Agreement. For purposes of this BAA, references to the term PHI shall also include EPHI.
2.5. “Required By Law” shall have the same meaning as the term “required by law” in 45 C.F.R. § 164.103.
3. Permitted Uses and Disclosures
3.1. Uses and Disclosures of PHI. Except as otherwise limited in this BAA, Business Associate may use or disclose PHI to perform functions, activities, or services for, or on behalf of, Customer as specified in the Underlying Agreement, this BAA, or as may be Required By Law; provided, however, Business Associate may not use or further disclose PHI in a manner that would not be permissible if done by Customer.
3.2. Permitted Uses of PHI by Business Associate. Except as otherwise limited in this BAA, Business Associate may use PHI for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate.
3.3. Permitted Disclosures of PHI by Business Associate. Except as otherwise limited in this BAA, Business Associate may disclose PHI for the proper management and administration of Business Associate, or to carry out the legal responsibilities of Business Associate if (i) the disclosures are Required by Law; or (ii) Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and will be used or further disclosed only as Required by Law or for the purpose for which it was disclosed to the person, and that the person agrees to notify Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached. Business Associate may use and disclose PHI to report violations of law to appropriate federal and state authorities, consistent with 45 C.F.R. § 164.502(j)(1).
4. Obligations of Business Associate
4.1. Subcontractors and Agents. Business Associate will ensure that any agents, subcontractors and representatives that create, receive, maintain, or transmit PHI on behalf of Business Associate agree to restrictions and conditions that are substantially the same as those found in this BAA, and agree to implement reasonable and appropriate safeguards to protect PHI. If Business Associate uses its affiliates to provide any of the Services, Business Associate is not required to obtain written assurances from such affiliates or its employees.
4.2. Information Safeguards. Business Associate will use reasonable and appropriate safeguards to prevent Use or Disclosure of PHI other than as provided for by this BAA. When Business Associate has possession of PHI, is accessing PHI, or is transmitting EPHI, it shall have in place Administrative, Physical and Technical Safeguards that reasonably and appropriately (i) protect the confidentiality, integrity and availability of EPHI that it receives, maintains or transmits on behalf of Customer, in accordance with the HIPAA Security Rule and (ii) prevent the use or disclosure of Customer’s PHI other than as provided for in the Underlying Agreement, this BAA, or as Required by Law. Business Associate also shall comply with any applicable State data security laws and regulations.
4.3. Reporting. For all reporting obligations under this BAA, the parties acknowledge that, because Business Associate does not know the details of PHI contained in any Services, there will be no obligation on Business Associate to provide information about the identities of the Individuals who may have been affected, or a description of the type of information that may have been subject to a Security Incident, Impermissible Use or Disclosure, or Breach of Unsecured PHI. Business Associate will ensure Customer access to audit logging to assist Customer in addressing Customer’s obligations for reporting under the HIPAA Regulations. Customer acknowledges that Business Associate is under no obligation to provide additional support for Customer’s reporting obligations but may choose to provide such additional services at its sole discretion or at Customer’s expense.
4.4. Reporting of Impermissible Uses and Disclosures. Business Associate will report to Customer within thirty (30) calendar days of discovery of any Use or Disclosure of PHI not permitted or required by this BAA of which Business Associate becomes aware.
4.5. Reporting of Security Incidents. Business Associate will report to Customer within ten (10) calendar days of discovery of any Security Incidents involving PHI of which Business Associate becomes aware in which there is a successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an Information System in a manner that risks the confidentiality, integrity, or availability of such information. Customer and Business Associate agree that this provision constitutes notice to Customer of the ongoing existence and occurrence of attempted but Unsuccessful Security Incidents (as defined herein), whether occurring now or in the future for which no additional notice to Customer shall be required. “Unsuccessful Security Incidents” shall include, but not be limited to, pings and other broadcast attacks on Business Associate’s firewall, port scans, unsuccessful log-on attempts, denials of service, interception of encrypted information where the key is not compromised, or any combination of the above, so long as no such incident results in unauthorized access, use or disclosure of Customer’s EPHI.
4.6. Reporting of Breaches. Business Associate will report to Customer any Breach of Customer’s Unsecured PHI that Business Associate may discover to the extent required by 45 C.F.R. § 164.410. Business Associate will make such report without unreasonable delay, and in no case later than sixty (60) calendar days after discovery of such Breach.
4.7. Access to PHI. If Business Associate has PHI contained in a Designated Record Set, it agrees to make such information available to Customer pursuant to 45 C.F.R. § 164.524 within fifteen (15) business days of Business Associate’s receipt of a written request from Customer; provided, however, that Business Associate is not required to provide such access where the PHI contained in a Designated Record Set is duplicative of the PHI contained in a Designated Record Set possessed by Customer. If an Individual makes a request for access pursuant to 45 C.F.R. § 164.524 directly to Business Associate, or inquires about his or her right to access, Business Associate shall direct the Individual to Customer.
4.8. Amendment of PHI. If Business Associate has PHI contained in a Designated Record Set, it agrees to make such information available to Customer for amendment pursuant to 45 C.F.R. § 164.526 within fifteen (15) business days of Business Associate’s receipt of a written request from Customer. If an Individual submits a written request for amendment pursuant to 45 C.F.R. § 164.526 directly to Business Associate, or inquires about his or her right to amendment, Business Associate shall direct the Individual to Customer.
4.9. Accounting of Disclosures. Customer acknowledges that Business Associate is not required by this BAA to make disclosures of PHI to Individuals or any person other than Customer, and that Customer does not, therefore, expect Business Associate to maintain documentation of such disclosures as described in 45 C.F.R. § 164.528. In the event that Business Associate does make such a disclosure, it shall document the disclosure as would be required for Customer to respond to a request by an Individual for an accounting of disclosures in accordance with 45 C.F.R. § 164.528, and shall provide such documentation to Customer within fifteen (15) business days of Customer’s request. If an Individual makes a request for an accounting directly to Business Associate, or inquires about his or her right to an accounting, Business Associate shall direct the Individual to Customer.
4.10. Individual Rights. As between Customer and Business Associate, Customer, not Business Associate, is responsible for responding to requests for access to or amendment of PHI from Individuals pursuant to the HIPAA Privacy Rule, including, but not limited to, 45 C.F.R. §§ 164.524, 164.526, and 164.528, as the same may be amended from time to time.
4.11. Compliance Audits. Business Associate shall make its internal practices, books and records relating to the use and disclosure of PHI available to the Secretary of the U.S. Department of Health and Human Services, in a time and manner designated by the Secretary, for purposes of the Secretary determining Customer’s compliance with HIPAA.
4.12. Mitigation. To the extent practicable, Business Associate will cooperate with Customer’s efforts to mitigate a harmful effect that is known to Business Associate of a use or disclosure of PHI that is not permitted by this BAA.
5. Customer’s Obligations
5.1. Appropriate Use of PHI Accounts. Customer is responsible for implementing appropriate privacy and security safeguards in order to protect PHI in compliance with the HIPAA Regulations and this BAA. Without limitation, Customer shall: (i) not include unsecured PHI in any Services that are not or cannot be HIPAA compliant, (ii) utilize the highest level of audit logging in connection with its use of all Customer applications in the Services, and (iii) maintain the maximum retention of logs in connection with its use of all Services.
5.2. Consent, Authorization, and Permission. Customer shall obtain and maintain such consents, authorizations and/or permissions, if any, as may be necessary or required under the HIPAA Regulations, or other local, state or federal laws or regulations prior to using the Services in connection with Customer content, including without limitation PHI.
5.3. Restrictions on Disclosures. Customer shall not agree to any restriction requests or place any restrictions in any notice of privacy practices that would cause Business Associate to violate this BAA or any applicable law.
5.4. Compliance with HIPAA Regulations. Customer shall not request or cause Business Associate to make a Use or Disclosure of PHI in a manner that does not comply with the HIPAA Regulations or this BAA.
6. Term and Termination
6.1. Term. The term of this BAA will commence on the Underlying Agreement Effective Date and will remain in effect until the earlier of the termination of the Underlying Agreement or notification by Customer that an account is no longer subject to this BAA.
6.2. Effect of Termination. At termination of this BAA, Business Associate, if feasible, will return or destroy all PHI that Business Associate still maintains, if any. If return or destruction is not feasible, Business Associate will extend the protections of this BAA to the PHI, limit further uses and disclosures to those purposes that make the return of the PHI infeasible, and not make any further uses or disclosures of the PHI.
7. Miscellaneous
7.1. No Agency Relationship. As set forth in the Underlying Agreement, nothing in this BAA is intended to make either party an agent of the other. Nothing in this BAA is intended to confer upon Customer the right or authority to control Business Associate’s conduct in the course of Business Associate complying with the Underlying Agreement and/or the BAA.
7.2. Entire Agreement; Conflict. Except as amended by this BAA, the Underlying Agreement will remain in full force and effect. This BAA, together with the Underlying Agreement as amended by this BAA: (a) is intended by the parties as a final, complete, and exclusive expression of the terms of their agreement; and (b) supersedes all prior agreements and understandings (whether oral or written) between the parties with respect to the subject matter hereof. If there is any conflict between a provision of this BAA and a provision in the Underlying Agreement, this BAA will control.
7.3. Survival. Customer and Business Associate’s respective rights and obligations under this BAA shall survive the termination of the Underlying Agreement.
7.4. No Third-Party Beneficiaries. Nothing express or implied in this BAA is intended to confer, nor shall anything herein confer, upon any person other than Business Associate and Customer, and their respective successors and assigns, any rights, remedies, obligations, or liabilities whatsoever.
Copyright ©2020 DataMotion, Inc. All rights reserved.
Subcontractor Business Associate Agreement
This HIPAA Business Associate Agreement (this “BAA”) defines the rights and responsibilities of DataMotion, Inc. (“Contractor”) and “Customer” (“Business Associate”) with respect to protected health information (“PHI”) and electronic PHI (“EPHI”) in compliance with the Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), Public Law 104-191, and the federal HIPAA privacy, security, and transactions and code set regulations promulgated pursuant thereto and codified at 45 C.F.R. parts 160 and 164, (the “Privacy Rule,” “Security Rule,” and “Transactions Rule”) and the Health Information Technology for Economic and Clinical Health Act provisions of the American Recovery and Reinvestment Act of 2009 and its implementing regulations, (“HITECH Act”), and the Omnibus Rule, all as may be amended from time to time, (collectively referred to herein as the “HIPAA Regulations”).
This BAA is intended to ensure that Contractor and Business Associate will establish and implement appropriate safeguards where Contractor may receive, maintain, use or disclose PHI or EPHI in connection with the functions, activities and services that Contractor performs on behalf of Business Associate solely to perform its duties and responsibilities under the Underlying Agreement.
1. Applicability. This BAA applies only:
1.1. In the event and to the extent Contractor meets, with respect to Business Associate, the definition of a business associate set forth at 45 C.F.R. §160.103, or applicable successor provisions.
1.2. To Services that Business Associate purchases directly from Contractor and only to the extent that Business Associate selects “PHI Account” in the Master Service Agreement, Terms and Conditions, located at https://datamotion.com/master-service-agreement-terms-and-conditions/ (the “Underlying Agreement”) between the parties, which will incorporate the terms of this BAA into that Underlying Agreement.
1.3. Where Business Associate uses the Services to store or transmit any PHI as defined below.
2. Definitions. Capitalized terms used in this BAA and not otherwise defined herein shall have the meanings set forth in the HIPAA Regulations, which definitions are incorporated in this BAA by reference.
2.1. “Business Associate” shall mean “business associate” as defined in 45 C.F.R. § 160.103.
2.2. “Electronic Protected Health Information” or “EPHI” shall mean “electronic protected health information” as defined in 45 C.F.R. § 160.103, limited to the information received by Contractor from or on behalf of Business Associate, in connection with the Underlying Agreement.
2.3. “Individual” shall have the same meaning as the term “individual” in 45 C.F.R. § 160.103 and shall include a person who qualifies as a personal representative in accordance with 45 C.F.R. § 164.502(g).
2.4. “Protected Health Information” or “PHI” shall have the same meaning as the term “protected health information” as defined in 45 C.F.R. § 160.103, limited to the information received by Contractor from or on behalf of Business Associate, in connection with the Underlying Agreement. For purposes of this BAA, references to the term PHI shall also include EPHI.
2.5. “Required By Law” shall have the same meaning as the term “required by law” in 45 C.F.R. § 164.103.
3. Permitted Uses and Disclosures
3.1. Uses and Disclosures of PHI. Except as otherwise limited in this BAA, Contractor may use or disclose PHI to perform functions, activities, or services for, or on behalf of, Business Associate as specified in the Underlying Agreement, this BAA, or as may be Required By Law; provided, however, Contractor may not use or further disclose PHI in a manner that would not be permissible if done by Business Associate.
3.2. Permitted Uses of PHI by Contractor. Except as otherwise limited in this BAA, Contractor may use PHI for the proper management and administration of Contractor or to carry out the legal responsibilities of Contractor.
3.3. Permitted Disclosures of PHI by Contractor. Except as otherwise limited in this BAA, Contractor may disclose PHI for the proper management and administration of Contractor, or to carry out the legal responsibilities of Contractor if (i) the disclosures are Required by Law; or (ii) Contractor obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and will be used or further disclosed only as Required by Law or for the purpose for which it was disclosed to the person, and that the person agrees to notify Contractor of any instances of which it is aware in which the confidentiality of the information has been breached. Contractor may use and disclose PHI to report violations of law to appropriate federal and state authorities, consistent with 45 C.F.R. § 164.502(j)(1).
4. Obligations of Business Associate
4.1. Subcontractors and Agents. Contractor will ensure that any agents, subcontractors and representatives that create, receive, maintain, or transmit PHI on behalf of Contractor agree to restrictions and conditions that are substantially the same as those found in this BAA, and agree to implement reasonable and appropriate safeguards to protect PHI. If Contractor uses its affiliates to provide any of the Services, Contractor is not required to obtain written assurances from such affiliates or its employees.
4.2. Information Safeguards. Contractor will use reasonable and appropriate safeguards to prevent Use or Disclosure of PHI other than as provided for by this BAA. When Contractor has possession of PHI, is accessing PHI, or is transmitting EPHI, it shall have in place Administrative, Physical and Technical Safeguards that reasonably and appropriately (i) protect the confidentiality, integrity and availability of EPHI that it receives, maintains or transmits on behalf of Business Associate, in accordance with the HIPAA Security Rule and (ii) prevent the use or disclosure of Business Associate’s PHI other than as provided for in the Underlying Agreement, this BAA, or as Required by Law. Contractor also shall comply with any applicable State data security laws and regulations.
4.3. Reporting. For all reporting obligations under this BAA, the parties acknowledge that, because Contractor does not know the details of PHI contained in any Services, there will be no obligation on Contractor to provide information about the identities of the Individuals who may have been affected, or a description of the type of information that may have been subject to a Security Incident, Impermissible Use or Disclosure, or Breach of Unsecured PHI. Contractor will ensure Business Associate access to audit logging to assist Business Associate in addressing Business Associate’s obligations for reporting under the HIPAA Regulations. Business Associate acknowledges that Contractor is under no obligation to provide additional support for Business Associate’s reporting obligations but may choose to provide such additional services at its sole discretion or at Business Associate’s expense.
4.4. Reporting of Impermissible Uses and Disclosures. Contractor will report to Business Associate within thirty (30) calendar days of discovery of any Use or Disclosure of PHI not permitted or required by this BAA of which Contractor becomes aware.
4.5. Reporting of Security Incidents. Contractor will report to Business Associate within ten (10) calendar days of discovery of any Security Incidents involving PHI of which Contractor becomes aware in which there is a successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an Information System in a manner that risks the confidentiality, integrity, or availability of such information. Business Associate and Contractor agree that this provision constitutes notice to Business Associate of the ongoing existence and occurrence of attempted but Unsuccessful Security Incidents (as defined herein), whether occurring now or in the future for which no additional notice to Business Associate shall be required. “Unsuccessful Security Incidents” shall include, but not be limited to, pings and other broadcast attacks on Contractor’s firewall, port scans, unsuccessful log-on attempts, denials of service, interception of encrypted information where the key is not compromised, or any combination of the above, so long as no such incident results in unauthorized access, use or disclosure of Business Associate’s EPHI.
4.6. Reporting of Breaches. Contractor will report to Business Associate any Breach of Business Associate’s Unsecured PHI that Contractor may discover to the extent required by 45 C.F.R. § 164.410. Contractor will make such report without unreasonable delay, and in no case later than sixty (60) calendar days after discovery of such Breach.
4.7. Access to PHI. If Contractor has PHI contained in a Designated Record Set, it agrees to make such information available to Business Associate pursuant to 45 C.F.R. § 164.524 within fifteen (15) business days of Contractor’s receipt of a written request from Business Associate; provided, however, that Contractor is not required to provide such access where the PHI contained in a Designated Record Set is duplicative of the PHI contained in a Designated Record Set possessed by Business Associate. If an Individual makes a request for access pursuant to 45 C.F.R. § 164.524 directly to Contractor, or inquires about his or her right to access, Contractor shall direct the Individual to Business Associate.
4.8. Amendment of PHI. If Contractor has PHI contained in a Designated Record Set, it agrees to make such information available to Business Associate for amendment pursuant to 45 C.F.R. § 164.526 within fifteen (15) business days of Contractor’s receipt of a written request from Business Associate. If an Individual submits a written request for amendment pursuant to 45 C.F.R. § 164.526 directly to Contractor, or inquires about his or her right to amendment, Contractor shall direct the Individual to Business Associate.
4.9. Accounting of Disclosures. Business Associate acknowledges that Contractor is not required by this BAA to make disclosures of PHI to Individuals or any person other than Business Associate, and that Business Associate does not, therefore, expect Contractor to maintain documentation of such disclosures as described in 45 C.F.R. § 164.528. In the event that Contractor does make such a disclosure, it shall document the disclosure as would be required for Business Associate to respond to a request by an Individual for an accounting of disclosures in accordance with 45 C.F.R. § 164.528, and shall provide such documentation to Business Associate within fifteen (15) business days of Business Associate’s request. If an Individual makes a request for an accounting directly to Contractor, or inquires about his or her right to an accounting, Contractor shall direct the Individual to Business Associate.
4.10. Individual Rights. As between Business Associate and Contractor, Business Associate, not Contractor, is responsible for responding to requests for access to or amendment of PHI from individuals pursuant to the HIPAA Privacy Rule, including, but not limited to, 45 C.F.R. §§ 164.524, 164.526, and 164.528, as the same may be amended from time to time.
4.11. Compliance Audits. Contractor shall make its internal practices, books and records relating to the use and disclosure of PHI available to the Secretary of the U.S. Department of Health and Human Services, in a time and manner designated by the Secretary, for purposes of the Secretary determining Business Associate’s compliance with HIPAA.
4.12. Mitigation. To the extent practicable, Contractor will cooperate with Business Associate’s efforts to mitigate a harmful effect that is known to Contractor of a use or disclosure of PHI that is not permitted by this BAA.
5. Business Associate’s Obligations.
5.1. Appropriate Use of PHI Accounts. Business Associate is responsible for implementing appropriate privacy and security safeguards in order to protect PHI in compliance with the HIPAA Regulations and this BAA. Without limitation, Business Associate shall: (i) not include unsecured PHI in any Services that are not or cannot be HIPAA compliant, (ii) utilize the highest level of audit logging in connection with its use of all Business Associate applications in the Services, and (iii) maintain the maximum retention of logs in connection with its use of all Services.
5.2. Consent, Authorization, and Permission. Business Associate shall obtain and maintain such consents, authorizations and/or permissions, if any, as may be necessary or required under the HIPAA Regulations, or other local, state or federal laws or regulations prior to using the Services in connection with Business Associate content, including without limitation PHI.
5.3. Restrictions on Disclosures. Business Associate shall not agree to any restriction requests or place any restrictions in any notice of privacy practices that would cause Contractor to violate this BAA or any applicable law.
5.4. Compliance with HIPAA Regulations. Business Associate shall not request or cause Contractor to make a Use or Disclosure of PHI in a manner that does not comply with the HIPAA Regulations or this BAA.
6. Term and Termination
6.1. Term. The term of this BAA will commence on the Underlying Agreement Effective Date and will remain in effect until the earlier of the termination of the Underlying Agreement or notification by Business Associate that an account is no longer subject to this BAA.
6.2. Effect of Termination. At termination of this BAA, Contractor, if feasible, will return or destroy all PHI that Contractor still maintains, if any. If return or destruction is not feasible, Contractor will extend the protections of this BAA to the PHI, limit further uses and disclosures to those purposes that make the return of the PHI infeasible, and not make any further uses or disclosures of the PHI.
7. Miscellaneous
7.1. No Agency Relationship. As set forth in the Underlying Agreement, nothing in this BAA is intended to make either party an agent of the other. Nothing in this BAA is intended to confer upon Business Associate the right or authority to control Contractor’s conduct in the course of Contractor complying with the Underlying Agreement and/or the BAA.
7.2. Entire Agreement; Conflict. Except as amended by this BAA, the Underlying Agreement will remain in full force and effect. This BAA, together with the Underlying Agreement as amended by this BAA: (a) is intended by the parties as a final, complete, and exclusive expression of the terms of their agreement; and (b) supersedes all prior agreements and understandings (whether oral or written) between the parties with respect to the subject matter hereof. If there is any conflict between a provision of this BAA and a provision in the Underlying Agreement, this BAA will control.
7.3. Survival. Business Associate and Contractor’s respective rights and obligations under this BAA shall survive the termination of the Underlying Agreement.
7.4. No Third-Party Beneficiaries. Nothing express or implied in this BAA is intended to confer, nor shall anything herein confer, upon any person other than Contractor and Business Associate, and their respective successors and assigns, any rights, remedies, obligations, or liabilities whatsoever.
Copyright ©2020 DataMotion, Inc. All rights reserved.
Master Service Agreement
This Master Services Agreement Terms & Conditions (the “Terms & Conditions”) govern the license terms described in the Master Services Agreement Order Form (the “Order Form”) and entered into between DataMotion, Inc., (“DataMotion”), and the customer, as each is identified in the Order Form (“Customer”) as of the effective date set forth in the Order Form (the “Effective Date”). Together, the Order Form, Terms & Conditions, and all incorporated exhibits constitute a single agreement (collectively, this “Agreement”).
1. Definitions
1.1. “Access Credentials” means any user name, identification number, password, license or security key, security token, PIN, or other security code, method, technology, or device used, alone or in combination, to verify an individual’s identity and authorization to access and use the Service.
1.2. “Customer Data” means all information uploaded, submitted or transmitted to or through the Service by or on behalf of Customer, excluding DataMotion Data. For the avoidance of doubt, Customer Data shall not include quantitative and qualitative information and data regarding the performance of DataMotion Materials.
1.3. “DataMotion Data” means information collected or generated by or on behalf of DataMotion for purposes of providing, measuring or improving DataMotion’s products and services, including for benchmarking performance, or preparing statistics or system metrics, and all information developed or derived from its provision of the Service or rendering of the Professional Services, including any information derived from Customer Data or appearing in solely an anonymized and/or aggregated form. For the avoidance of doubt, “DataMotion Data” shall not include Customer Data, any personally identifiable information of any User or the contents of any data or documents uploaded, submitted or transmitted by or on behalf of any User.
1.4. “DataMotion Materials” means the Service, Documentation, DataMotion Data, Work Products and any and all other information, data, documents, materials, works, and other content, devices, methods, processes, hardware, software, and other technologies and inventions, including any deliverables, technical or functional descriptions, requirements, plans, or reports, that are provided or used by DataMotion or any subcontractor in connection with the Service or otherwise comprise or relate to the Service.
1.5. “Documentation” means any manuals, instructions, or other documents or materials made available by DataMotion which describe the functionality, components, features or requirements of the Service, including any aspect of the installation, configuration, integration, operation, use, support or maintenance thereof, as applicable to the Service purchased in the Order Form.
1.6. “Professional Services” means collectively any implementation, customizations to create, develop, implement and maintain additional features and functionalities to the Service, and/or any training services provided by DataMotion to Customer as stated in the SOW.
1.7. “Service” means access to DataMotion’s secure communications platform solution and any additional services as identified in the Order Form.
1.8. “SOW” means the Statement of Work.
1.9. “Users” means individuals for which Customer has procured subscriptions to the Service, as identified to DataMotion, or as otherwise set forth in the Order Form. Users may include, but are not limited to Customer’s employees, consultants, contractors and agents.
1.10. “Work Product” means all services, programs, systems, data and materials, in whatever form, first provided, produced or created by or for DataMotion as a result of, or related to, performance of the Professional Services under the SOW.
2. Terms of Service
2.1. Service. Subject to the terms and conditions of this Agreement and during the Term (as defined below), DataMotion shall make the Service available to be used by Customer’s Users solely for the internal business operations of Customer. The terms of this Agreement shall also apply to updates, and upgrades subsequently provided by DataMotion to Customer. DataMotion may update the features, functionality, and other aspects of the Service, including any related Documentation, from time to time in its sole discretion, as part of its ongoing efforts to improve the Service. DataMotion has the right to accept or decline trial and paid account requests in its sole discretion with no obligation to detail the reasoning behind such decision.
2.2. License Details. DataMotion shall provide the Service as set forth in the Order Form. The Order Form shall include at a minimum a listing of the Service being ordered and the associated fees. Except as otherwise provided in the Order Form, the Order Form is non-cancellable and shall be subject to the terms and conditions of this Agreement.
2.3. Service Usage. The Order Form sets forth the fees for designated levels of use (each a “Service Allocation”), beginning with the fees payable by Customer for the levels of usage in effect as of the Effective Date. Customer agrees that any usage in excess of its then-current Service Allocation will be charged for by DataMotion at its then-current rates and DataMotion will automatically reclassify Customer’s Service Allocation and corresponding fee obligations to the appropriate Service Allocation effective at the beginning of the next Renewal Term. Customer shall also have the option to increase its Service Allocation prior to the next Renewal Term, by contacting DataMotion in writing. Except as stated in this Section, Customer acknowledges that exceeding its then-current Service Allocation may result in service degradation for Customer and other DataMotion customers and agrees that DataMotion has no obligation to permit Customer to exceed its then-current Service Allocation.
2.4. Professional Services. Upon Customer’s request, DataMotion may agree to be available to Customer to perform one or more projects involving implementation, customization and/or training on such terms and conditions as DataMotion and Customer may mutually agree (each project, a “Project”). Each Project will be described in the SOW, which will be incorporated into the Order Form. The SOW will set forth the respective responsibilities of DataMotion and Customer for the respective Project. Subject to the provisions of this Agreement, once the SOW has been approved, each party will carry out and complete its duties and responsibilities set forth in the SOW. If DataMotion or Customer requests modifications or enhancements to a Project, each such change will be described in an amendment to the SOW describing such modifications, enhancements or new development in appropriate detail and shall be effective upon signature by both parties. DataMotion shall not be liable for delays or amendments to the Professional Services to the extent they are caused by Customer.
2.5. Accuracy of Customer’s Contact Information. Customer shall provide accurate, current and complete information on Customer’s legal business name, address, e-mail address and phone number, and maintain and promptly update this information if it should change.
2.6. E-mail and Notices. Except for legal notices, each party’s e-mail address for communication and notice purposes relating to this Agreement shall be the e-mail address set forth in the Order Form (or subsequent e-mail addresses as advised by the parties). DataMotion may provide any and all notices, statements, and other communications in English to Customer through either e-mail, posting on the Service (or other electronic transmission) or by mail or express delivery service. Upon account setup, Customer may further designate additional contacts for various types of notices. In addition, DataMotion may rely and act on all information, authorizations and instructions provided to DataMotion from the e-mail address and/or Customer administrators specified in the Order Form.
2.7. Service Control. Except as otherwise expressly provided in this Agreement, as between the parties DataMotion has and will retain sole control over the operation, provision, maintenance, and management of the DataMotion Materials.
2.8. HIPAA Compliance; PHI. To the extent (i) Customer is considered a “covered entity” or “business associate” as those terms are defined under the Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191 (“HIPAA”) and the federal HIPAA privacy and security regulations promulgated pursuant thereto and codified at 45 C.F.R. parts 160 and 164 (the “Privacy Rule” and “Security Rule”), and (ii) DataMotion’s Services will be used to exchange any “protected health information” (as defined under 45 C.F.R. 160.103) (“PHI”), then the parties incorporate by reference and agree to be bound by the Business Associate Agreement (the “BAA”) currently located at https://www.datamotion.com/business-associate-agreement/. Alternatively, if the association between DataMotion and Customer constitutes a Subcontractor Business Associate Agreement, both parties hereby incorporate by reference and consent to adhere to the terms outlined in the Subcontractor Business Associate Agreement currently located at https://datamotion.com/subcontractor-business-associate-agreement/. In the event of any conflict between the BAA and the terms of this Agreement, the BAA shall control where the issue pertains to PHI. Customer will promptly notify DataMotion if it intends to exchange or has exchanged PHI using the DataMotion Services.
2.9. Modifications; Discontinuation of Service. DataMotion may make modifications to the Service or individual features and functionality of the Service from time to time and will use commercially reasonable efforts to notify Customer of any material modifications. DataMotion further reserves the right to discontinue offering the Service, in whole or in part, at any time. Customer agrees that DataMotion shall not be liable to Customer or any third party for any such modification or discontinuation of the Service. In the event of a modification or discontinuation that has a material, adverse impact on Customer’s ability to use the Service, Customer shall be entitled, as its sole and exclusive remedy, to terminate its subscription(s) to the affected Service, and receive a prorated refund of the subscription fees pre-paid by Customer for the affected Service for the remaining portion of the Term.
2.10. Users. Customer acknowledges that, prior to being granted access to the Service, each User will be required to accept the terms of service applicable to Users as set forth in the Order Form (the “Terms of Service”). Customer agrees that (i) Customer shall be responsible for ensuring each User agrees to, and abides by the terms of, the Terms of Service located at https://www.datamotion.com/terms-of-service/ and are incorporated into this Agreement; (ii) Customer assumes all liability for any failure of the foregoing; and (iii) DataMotion shall not be liable to Customer in connection with the failure or refusal by any such User to agree to accept the Terms of Service. Further, DataMotion reserves the right to modify any Terms of Service with prior notice to Customer. The modified terms will be effective when DataMotion (a) sends an e-mail to an affected User’s e-mail address, (b) posts a notice to the administrator of the User’s account, or (c) posts a notice on the home page or launch screen of the User’s user interface. In the event of a conflict between any Terms of Service accepted by a User, and this Agreement, this Agreement will govern.
3. Restrictions. Customer must not use the Service to act as a service bureau or otherwise provide an outsourced service, and may not rent, resell, sublicense, or permit the concurrent use of any Access Credentials, or time-sharing of the Service. Customer shall not and shall not permit any User or other third party to (i) copy, translate, create a derivative work of, reverse engineer, reverse assemble, disassemble, or decompile the Service, or any algorithms or software used to operate the Service, or any part thereof or otherwise attempt to discover any source code or modify the Service in any manner or form, (ii) access or use the Service to circumvent or exceed Service account limitations or requirements, (iii) use the Service for the purpose of building a similar or competitive product or service, (iv) attempt to circumvent the authentication required to access the Service or other security measures of the Service (including without limitation permitting access to or use of the Service via shared Access Credentials, or another system or tool, the primary effect of which is to enable input of requests or transactions by other than authorized Users), (v) use the Service in a manner that is in violation of any third party rights of privacy or intellectual property rights, (vi) issue or participate in any press release or other public statement related to this Agreement or the Service without prior written consent of DataMotion, (vii) publish, post, upload or otherwise transmit Customer Data that contains any viruses, Trojan horses, worms, time bombs, corrupted files or other computer programming routines that are intended to damage, detrimentally interfere with, surreptitiously intercept or expropriate any systems, data, personal information or property of another, or (viii) use or permit the use of any tools in order to probe, scan or attempt to penetrate or benchmark the Service. Customer will not input or share any Customer Data to or through the Service that is unlawful, harassing, libelous, defamatory or threatening. Except as permitted by this Agreement, no part of the Service may be copied, reproduced, distributed, republished, displayed, posted or transmitted in any form or by any means. Customer agrees not to access the Service by any means other than through the interfaces that are provided by DataMotion. Customer shall not engage in any “mirroring” or “framing” of any part of the Service, or create hyperlinks to the Service which include Access Credentials and/or secure cookies.
4. Customer Obligations. Customer acknowledges that the successful deployment and continued operation of the Service is contingent on Customer complying with certain dependencies set out in the Documentation and SOW and DataMotion’s reasonable requirements made known to Customer from time to time. DataMotion is not responsible or liable for any delay or failure of performance caused in whole or in part by Customer’s delay in performing, or failure to perform, any of its obligations under this Agreement. Customer acknowledges that it is solely Customer’s obligation to secure consent and authorization for DataMotion to perform any integration or interface of the Service with third party software, including third party APIs, and including (but not limited to) any third-party platforms identified in the applicable SOW. In no event will DataMotion be responsible for any claims arising from or relating to the interface of the Service with such third-party systems. Customer is responsible for all activities conducted under its User Access Credentials, including as a result of any sharing of Access Credentials, or failure to adequately safeguard Access Credentials. Customer shall comply with all applicable local, state, federal, and foreign law, treaties, regulations, and conventions (collectively “laws”) in connection with this Agreement. Customer shall comply with the export laws of the United States and other applicable jurisdictions in using the Service and obtain any permits, licenses and authorizations required for such compliance. Without limiting the foregoing, (i) Customer represents that it is not named on any U.S. government list of persons or entities prohibited from receiving exports, (ii) Customer shall not permit Users to access or use the Service in violation of any U.S. export embargo, prohibition or restriction, and (iii) Customer shall comply with all applicable laws regarding the transmission of technical data exported from the United States and the country in which its Users are located. Customer shall ensure that all Users access and use the Service only in accordance with the terms and conditions of this Agreement. Any action or breach of this Agreement by a User shall be deemed an action or breach by Customer. Without limiting any of the foregoing, Customer acknowledges and agrees that it is solely responsible for obtaining all necessary consents and authorizations to ensure all uses and disclosures of Customer Data, including any personally identifiable information, are consistent with applicable federal and state privacy laws.
5. Term; Suspension/Termination
5.1. Term. This Agreement shall commence on the Effective Date, as defined in the Order Form, and shall continue in effect for the initial period specified in the Order Form (the “Initial Term”). Thereafter, this Agreement shall automatically renew for periods specified in the Order Form (each, a “Renewal Term”), unless either party provides written notice to the other of its intention not to renew no less than sixty (60) days before such expiration in accordance with the Order Form. The Initial Term and all Renewal Terms are collectively referred to as the “Term.”
5.2. Suspension for Ongoing Harm. DataMotion may on reasonable notice to Customer suspend access to the Service if DataMotion reasonably concludes that Customer’s account is being used to engage in denial of service attacks, spamming, or illegal activity, and/or Customer’s use of the Service is causing immediate, material and/or ongoing harm to DataMotion or others. In the event that DataMotion suspends access to the Service, DataMotion will use commercially reasonable efforts to limit the suspension to (and only for the duration of) the offending portion of the Service and work with Customer to resolve the issues causing the suspension of Service. DataMotion reserves the right to charge Customer for resolving such issues. Customer agrees that DataMotion shall not be liable to Customer nor to any third party for any suspension of the Service under such circumstances. Any such suspension shall not excuse Customer from Customer’s obligation to make payments under this Agreement.
5.3. Termination for Cause/Expiration. Either party may immediately terminate this Agreement in the event the other party commits a material breach of any provision of this Agreement which is not cured within thirty (30) days of written notice from the complaining party. Such notice by the complaining party shall expressly state all of the reasons for the claimed breach in sufficient detail so as to provide the alleged breaching party a meaningful opportunity to cure such alleged breach.
5.4. Effect of Termination. Upon termination or expiration of this Agreement, Customer shall have no rights to continue use of the Service. If this Agreement is terminated by Customer for any reason other than a termination expressly permitted by this Agreement, then DataMotion shall be entitled to all of the fees due under this Agreement for the entire Term. If this Agreement is terminated as a result of DataMotion’s breach of this Agreement, then Customer shall be entitled to a refund of the pro rata portion of any fees paid by Customer to DataMotion for the base Service under this Agreement for the terminated portion of the Term. DataMotion shall not be required to delete or expunge data or documents that DataMotion is required to retain pursuant to applicable laws or for purposes of current or anticipated litigation, audit or government investigation.
6. Proprietary Rights
6.1. Ownership of Customer Data. As between DataMotion and Customer, all title and intellectual property rights in and to the Customer Data is owned exclusively by Customer. Customer acknowledges and agrees that in connection with the provision of the Service, DataMotion may store and maintain Customer Data for a period of time consistent with DataMotion’s standard business processes for the Service. Customer grants DataMotion a limited, revocable, non-exclusive, non-transferable (except in connection with an assignment of this Agreement), sublicensable license to access, store, and process the Customer Data to the extent necessary to provide the Service and otherwise fulfill its rights and obligations under this Agreement. Notwithstanding the foregoing, nothing in this Agreement is intended to prevent DataMotion from generating and using DataMotion Data for purposes of providing, measuring, improving and marketing DataMotion’s products and services; provided that DataMotion shall not disclose to any third party any information that is identifiable as Customer-specific information. Following expiration or termination of the Agreement or a Customer account, if applicable, DataMotion may deactivate the applicable Customer account(s) and delete any data associated therewith.
6.2. Customer Marks. Customer’s name, trademarks service marks, logos and product and service names are marks of Customer (the “Customer Marks”). Customer grants DataMotion a limited license during the Term to use and display the Customer Marks on the Service solely as necessary to fulfill DataMotion’s obligations as set forth herein.
6.3. DataMotion Materials. All rights, title and interest in and to the DataMotion Materials (including without limitation all intellectual property rights therein and all modifications, extensions, customizations, scripts or other derivative works of the Service provided or developed by DataMotion) are owned exclusively by DataMotion or its licensors. Except as provided in this Agreement, the rights granted to Customer do not convey any rights in the Service, express or implied, or ownership in the Service or any intellectual property rights thereto. Customer grants DataMotion a royalty free, worldwide, perpetual, irrevocable, transferable right to use, modify, distribute and incorporate into the Service (without attribution of any kind) any suggestions, enhancement request, recommendations, proposals, correction or other feedback or information provided by Customer or any Users related to the operation or functionality of the Service. Any rights in the Service or DataMotion’s intellectual property not expressly granted herein by DataMotion are reserved by DataMotion. DataMotion’s name, trademarks service marks, logos and product and service names are marks of DataMotion (the “DataMotion Marks”). Customer agrees not to use or display or use the DataMotion Marks in any manner without DataMotion’s express prior written permission.
6.4. Reservation of Rights. Nothing in this Agreement grants any right, title, or interest in or to (including any license under) any intellectual property rights in or relating to, the Service, DataMotion Materials, whether expressly, by implication, estoppel, or otherwise. All right, title, and interest in and to the Service, the DataMotion Materials are and will remain with DataMotion.
7. Users; Data Security; Processing; Transmission
7.1. Users. If required by the Services, Customer shall provide DataMotion the names and e-mail addresses of Users authorized by Customer to access the Service. DataMotion will then send each authorized User an e-mail invitation with temporary Access Credentials in order to allow the User to set up an account. Customer acknowledges and agrees that the accuracy of the e-mail addresses provided is the sole responsibility of Customer, and that DataMotion is not responsible to verify either the accuracy of the e-mail address or the actual identity of the e-mail recipient. Users are limited to the number of seats set forth in the Order Form (as may be increased during the Term in accordance with the Order Form). Access Credentials are for designated Users and cannot be shared, transferred or used by more than one User. Customer will be responsible for the confidentiality and use of User Access Credentials. Customer will also be responsible for all Customer Data, including that which contains business information, account registration, account holder information, financial information, and all other data of any kind contained within e-mails or otherwise entered electronically through the Service or under Customer’s account. Any Customer Data received from a User associated with Customer will be deemed to have been sent by Customer. Customer shall use all commercially reasonable efforts to prevent unauthorized access to or use of the Service and shall promptly notify DataMotion of any unauthorized access or use of the Service and any loss or theft or unauthorized use of any User’s password or name and/or Service account numbers. Users are not required to disclose, and shall not disclose, to DataMotion any contents of any encrypted e-mail while utilizing the Service.
7.2. Security. DataMotion shall maintain administrative, physical and technical safeguards designed for the protection, confidentiality and integrity of Customer Data. All Customer Data shall be processed in accordance with applicable U.S. local, state, and federal laws.
7.3. Privacy. The Service does not receive, create, use or disclose any personally identifiable information, including any electronic personal health information, and cannot be used to store any unencrypted data or any kind. Notwithstanding the foregoing, DataMotion’s handling of any personally identifiable information shall be in accordance with the DataMotion Privacy Policy, available at, https://datamotion.com/privacy_policy.
7.4. Transmission. Customer understands that the technical processing and transmission of Customer Data is fundamentally necessary to use of the Service. Customer is responsible for securing DSL, cable or another high-speed Internet connection and up-to-date “browser” software in order to utilize the Service. Customer expressly consents to DataMotion’s interception and storage of Customer Data as needed to provide the Service, and Customer acknowledges and understands that the Customer Data will be subject to transmission over the Internet, and over various networks, only part of which may be owned and/or operated by DataMotion. Customer further acknowledges and understands that Customer Data may be accessed by unauthorized parties when communicated across the Internet, network communications facilities, telephone or other electronic means. Without limiting DataMotion’s applicable obligations under Sections 7.2 (Security) or 8 (Confidentiality), DataMotion is not responsible for any Customer Data that is delayed, lost, altered, intercepted or stored during the transmission of any data whatsoever across networks not owned and/or operated by DataMotion, including, but not limited to, the internet and Customer’s local network.
8. Confidentiality
8.1. Definition. “Confidential Information” means any non-public commercial, financial, marketing, business, sales, customer, technical or other data, security measures and procedures, know-how or other information disclosed by or on behalf of the disclosing party to the receiving party in connection with this Agreement, that, under the circumstances, a person exercising reasonable business judgment would understand to be confidential or proprietary, including the features and functionality of the Service and the terms of this Agreement. For the avoidance of doubt, Customer Data is the Confidential Information of Customer and DataMotion Materials is the Confidential Information of DataMotion. Notwithstanding the foregoing, the following shall not be subject to the restrictions on Confidential Information (i) information that was publicly available at the time of its disclosure, or becomes publicly available through no fault of the receiving party, (ii) information that was rightfully in the receiving party’s possession without restriction prior to disclosure, (iii) information that was rightfully disclosed to the receiving party by a third party without restriction, (iv) information that was independently developed by employees and/or contractors of the receiving party who did not have access to, and without use of or reference to the disclosing party’s Confidential Information.
8.2. Obligations of the Parties. Each party agrees to use the same degree of care that it uses to protect the confidentiality of its own confidential information of like kind (at all times exercising at least a commercially reasonable degree of care in the protection of such confidential information) not to use or disclose Confidential Information except to the extent necessary to perform its obligations or exercise rights under this Agreement or as directed by the disclosing party. The receiving party may disclose Confidential Information on a need to know basis to its contractors and service providers who shall be bound by confidentiality and non-use obligations at least as restrictive as those in this Section 8. Either party may disclose Confidential Information to the extent that such disclosure is required by law or order of a court or request or requirement of any other governmental authority. In addition, either party may disclose the terms of this Agreement to (i) its legal, business and financial advisors with a need to know solely for the purpose of providing services to such party; and (ii) prospective business parties in contemplation of a merger, acquisition or similar transaction, provided, however, that any such recipient shall first be bound by a written agreement requiring such recipient not to disclose the terms of this Agreement to any third party and to use such terms only for the purposes of evaluating the applicable transaction.
9. Warranties
9.1. DataMotion Warranties. DataMotion represents and warrants to Customer that (i) it has full power and authority to execute, deliver, and perform its obligations under this Agreement, and (ii) it will conform to and comply with all applicable statutory or regulatory requirements imposed by any federal or state law, rule, regulation or order and any intermediary regulations, including the HIPAA Privacy Rule and Security rule, and that DataMotion shall maintain all permits, licenses and other authorizations necessary to commence and continue its performance under this Agreement. Such warranties shall only apply if the applicable Service has been utilized in accordance with the applicable documentation, this Agreement and applicable law.
9.2. Customer Warranties. Customer warrants that it will not introduce any viruses, Trojan horses, worms, spyware, or other such malicious code into the Service. Customer here represents and warrants that it has obtained all necessary consents and authorizations to use and disclose all Customer Data, including any personally identifiable information prior to submitting any of the foregoing to the Service. The foregoing representation is a condition precedent to DataMotion’s provision of the Service to Customer.
9.3. Disclaimer of Warranties. For the avoidance of doubt, the foregoing warranties are applicable only to the Service as provided by DataMotion and described in the Documentation. EXCEPT AS OTHERWISE STATED IN THIS SECTION 9, THE SERVICE IS PROVIDED TO CUSTOMER ON AN “AS IS” AND “AS AVAILABLE” BASIS. DATAMOTION DOES NOT WARRANT OR REPRESENT THAT CUSTOMER’S USE OF THE SERVICE WILL BE SECURE, TIMELY, UNINTERRUPTED OR ERROR-FREE OR THAT THE SERVICE WILL MEET CUSTOMER’S REQUIREMENTS OR THAT ALL ERRORS IN THE SERVICE AND/OR DOCUMENTATION WILL BE CORRECTED OR THAT THE OVERALL SYSTEM THAT MAKES THE SERVICE AVAILABLE (INCLUDING BUT NOT LIMITED TO THE INTERNET, OTHER TRANSMISSION NETWORKS, AND CUSTOMER’S LOCAL NETWORK AND EQUIPMENT) WILL BE FREE OF VIRUSES OR OTHER HARMFUL COMPONENTS. THE WARRANTIES STATED IN THIS SECTION 9 ABOVE ARE THE SOLE AND EXCLUSIVE WARRANTIES OFFERED BY DATAMOTION. THERE ARE NO OTHER WARRANTIES OR CONDITIONS, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, SATISFACTORY QUALITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT OF THIRD PARTY RIGHTS. DATAMOTION EXPRESSLY DISCLAIMS ANY REPRESENTATIONS OR WARRANTIES THAT CUSTOMER’S USE OF THE SERVICE WILL SATISFY ANY STATUTORY OR REGULATORY OBLIGATIONS, OR WILL ASSIST WITH, GUARANTEE OR OTHERWISE ENSURE COMPLIANCE WITH ANY APPLICABLE LAWS OR REGULATIONS. CUSTOMER ASSUMES ALL RESPONSIBILITY FOR DETERMINING WHETHER THE SERVICE OR THE INFORMATION GENERATED THEREBY IS ACCURATE OR SUFFICIENT FOR CUSTOMER’S PURPOSES.
10. Limitations of Liability
10.1. Exclusion of Consequential Damages. TO THE MAXIMUM EXTENT PERMITTED BY LAW, IN NO EVENT SHALL EITHER PARTY HAVE ANY LIABILITY TO THE OTHER PARTY ARISING OUT OF OR IN CONNECTION WITH THIS AGREEMENT FOR ANY LOST PROFITS OR REVENUE OR FOR INCIDENTAL, CONSEQUENTIAL, PUNITIVE, COVER, SPECIAL, RELIANCE OR EXEMPLARY DAMAGES, OR OTHER INDIRECT DAMAGES OF ANY TYPE OR KIND HOWEVER CAUSED, WHETHER FROM BREACH OR REPUDIATION OF CONTRACT, BREACH OF WARRANTY, NEGLIGENCE, OR OTHERWISE (AND WHETHER OR NOT THE PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES). CERTAIN STATES AND/OR JURISDICTIONS DO NOT ALLOW THE EXCLUSION OF INCIDENTAL OR CONSEQUENTIAL DAMAGES, IN WHICH CASE SUCH DAMAGES SHALL BE SUBJECT TO THE LIMITATIONS SET FORTH IN SECTION 10.2 BELOW.
10.2. Limitations on Liability. THE MAXIMUM AGGREGATE LIABILITY OF EITHER PARTY ARISING OUT OF OR IN CONNECTION WITH THIS AGREEMENT, WHETHER SUCH LIABILITY ARISES FROM ANY CLAIM BASED ON BREACH OR REPUDIATION OF CONTRACT, BREACH OF WARRANTY, NEGLIGENCE, OR OTHERWISE, SHALL NOT EXCEED THE TOTAL FEES PAID FOR THE SERVICE GIVING RISE TO THE LIABILITY DURING THE TWELVE (12) MONTH PERIOD IMMEDIATELY PRECEDING THE EVENT OUT OF WHICH THE LIABILITY AROSE.
10.3. Acknowledgement. Both parties acknowledge that the fees reflect the allocation of risk set forth in this Agreement and that the parties would not enter into this Agreement without these limitations on their liability.
11. Indemnification
11.1. Infringement. DataMotion shall indemnify and defend, or at its option, settle any claim, suit, or proceeding brought against Customer based on an allegation that the Service infringes upon any patent, copyright or trade secret of any third party (“Infringement Claim”), provided Customer promptly notifies DataMotion in writing of upon discovery of an Infringement Claim such that DataMotion is not prejudiced by any delay in such notification. DataMotion will have sole control over the defense or settlement of any Infringement Claim and Customer will provide reasonable assistance in the defense of the same. Following notice of an Infringement Claim, or if DataMotion believes such a claim is likely, DataMotion may at its sole expense and option: (i) procure for you the right to continue to use the alleged infringing Service; (ii) replace or modify the Service to make it non-infringing; or (iii) discontinue the Service and provide Customer with a prorated refund. DataMotion assumes no liability for any Infringement Claims or allegations of infringement based on: (a) Customer’s use of the Service after notice that Customer should cease use of the Service due to an Infringement Claim; (b) any modification of the Service by Customer or at Customer’s direction; or (c) Customer’s combination of the Service with non -DataMotion programs, data, hardware, or other materials, if such Infringement Claim would have been avoided by the use of the Service alone. THE FOREGOING STATES CUSTOMER’S EXCLUSIVE REMEDY WITH RESPECT TO ANY INFRINGEMENT CLAIM.
11.2. Customer’s Indemnity. Subject to the terms and conditions set forth in this Section 11, Customer shall, at its own expense, hold harmless and defend DataMotion from and against any and all Claims: (i) arising from Customer’s breach of any of terms of this Agreement or violation of applicable laws; or (ii) arising from Customer’s gross negligence or willful misconduct, and shall indemnify DataMotion from and against liability for any Losses to the extent based upon such Claims.
11.3. Indemnification Procedures and Survival. In the event a party becomes aware of a Claim for which the other party may have an indemnification obligation, the indemnified party shall: (i) promptly notify the indemnifying party in writing of such Claim; (ii) allow the indemnifying party to have sole control of its defense and settlement; provided, however, that the indemnifying party shall not enter into any settlement or compromise of any such Claim that imposes any liability or obligation on the indemnified party without the indemnified party’s prior written consent, which consent shall not be unreasonably withheld or delayed; and (iii) upon request of the indemnifying party, cooperate in all reasonable respects, at the indemnifying party’s cost and expense, with the indemnifying party in the investigation, trial, and defense of such Claim and any appeal arising therefrom. A party’s indemnification obligations are expressly conditioned upon the indemnified party’s compliance with this Section 11.3, except that failure to notify the indemnifying party of such Claim shall not relieve that party of its obligations, but such obligations shall be reduced to the extent of any damages attributable to such failure.
12. Governing Law and Dispute Resolution
12.1. Governing Law. This Agreement and any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with this Agreement or its subject matter or formation (“Claim”) shall be governed by and construed in accordance with the law of the State of New York without regard to conflict of law principles. Each party irrevocably agrees that the courts in the State of New York shall have exclusive jurisdiction to settle any Claim.
12.2. Jurisdiction and Venue. The parties agree that any and all disputes, claims and actions, at law or in equity, arising out of or relating to or in connection with this Agreement or the breach, termination, enforcement, interpretation or validity thereof, or to the use of the Service shall be brought in the federal or state courts located in the State of New York and each party agrees that such courts shall have exclusive jurisdiction and venue for any such actions, except that DataMotion retains the right to submit a Claim to any court of competent jurisdiction. DataMotion also may seek injunctive or other equitable relief for breach of this Agreement in any court of competent jurisdiction wherever located. Customer consents to the jurisdiction of and venue in such courts and waive any objection as to inconvenient forum. The prevailing party in any suit, action or proceeding, including any arbitration proceeding, will be entitled to recover its reasonable legal fees and costs and expenses from the other party.
12.3. Prohibition of Class and Representative Actions and Non-Individualized Relief. CUSTOMER AGREES THAT CUSTOMER MAY BRING CLAIMS AGAINST DATAMOTION ONLY ON AN INDIVIDUAL BASIS AND HEREBY WAIVES THE RIGHT TO PARTICIPATE AS A PLAINTIFF OR CLASS MEMBER IN ANY CLASS ACTION OR REPRESENTATIVE PROCEEDING, TO THE MAXIMUM EXTENT NOT PROHIBITED BY APPLICABLE LAW. FURTHER, UNLESS BOTH PARTIES OTHERWISE AGREE IN WRITING, THE COURT MAY NOT CONSOLIDATE OR JOIN MORE THAN ONE PERSON’S CLAIMS, AND MAY NOT OTHERWISE PRESIDE OVER ANY FORM OF CONSOLIDATED, REPRESENTATIVE, OR CLASS PROCEEDING.
12.4. Waiver of Jury Trial. EACH OF THE PARTIES TO THIS AGREEMENT HEREBY IRREVOCABLY WAIVES ALL RIGHT TO A TRIAL BY JURY IN ANY ACTION, PROCEEDING OR COUNTERCLAIM BETWEEN THEM ARISING OUT OF OR RELATING TO THIS AGREEMENT OR THE TRANSACTIONS CONTEMPLATED HEREBY.
13. General Provisions
13.1. Notice. Any legal notice required under this Agreement shall be provided to the other party in writing and addressed as follows: To Customer: address included in the Order Form; and To DataMotion: DataMotion, Inc., 67 East Park Place, Suite 301, Morristown, NJ 07960, Attn: Chief Operating Officer. If Customer has a legal dispute with DataMotion or if Customer wishes to provide a notice under Section 11 (Indemnification) of this Agreement, or if Customer becomes subject to insolvency or other similar legal proceedings, Customer will promptly send written notice to legal@datamotion.com along with a copy by mail or express delivery service.
13.2. Integration. This Agreement, together with all referenced items, constitutes the entire understanding between Customer and DataMotion and are intended to be the final and entire expression of their agreement. The parties expressly disclaim any reliance on any and all prior discussions, e-mails, RFP’s and/or agreements between the parties. There are no other verbal agreements, representations, warranties undertakings or other agreements between the parties other than those incorporated into this Agreement. Under no circumstances will the terms, conditions or provisions of any purchase order, invoice or other administrative document issued by Customer in connection to this Agreement be deemed to modify, alter or expand the rights, duties or obligations of the parties under, or otherwise modify, this Agreement, regardless of any failure of DataMotion to object to such terms, provisions, or conditions. DataMotion may modify or amend this Agreement in its sole discretion to ensure compliance with laws and regulations upon giving notice to Customer. Otherwise this Agreement shall not be modified, or amended, except as expressly set forth herein or by a properly executed and accepted Order Form.
13.3. Assignment. Customer may not assign this Agreement without the prior written consent of DataMotion. This Agreement shall inure to benefit and bind the parties hereto, and their successors and assigns. Customer agrees that that DataMotion may subcontract aspects of the Service and shall not be responsible or liable for any breach by the applicable service provider that is beyond DataMotion’s reasonable control.
13.4. Third-Party Beneficiaries. There are no third-party beneficiaries to this Agreement.
13.5. Relationship of the Parties. This Agreement does not create any joint venture, partnership, agency, or employment relationship between the parties, although DataMotion reserves the right to name Customer as a user of the Service in a press release or similar public statement.
13.6. Severability. If any provision is held by a court of competent jurisdiction to be contrary to law, such provision shall be eliminated or limited to the minimum extent necessary so that this Agreement shall otherwise remain in full force and effect.
13.7. Waiver. A waiver of any breach under this Agreement should not constitute a waiver of any other breach or future breach.
13.8. Force Majeure. DataMotion shall not be liable for loss, delay, nonperformance to the extent resulting from any force majeure event, including, but not limited to, acts of God, strike, riot, fire, explosion, flood, earthquake, natural disaster, pandemic, terrorism, act of war, civil unrest, criminal acts of third parties, failure of the Internet, governmental acts or orders or restrictions, failure of suppliers, labor stoppage or dispute (other than those involving DataMotion employees), or shortage of materials, provided that DataMotion uses reasonable efforts, under the circumstances, to notify the Customer of the circumstances causing the delay and to resume performance as soon as possible and any delivery date shall be extended accordingly.
13.9. Headings. The Section headings used in this Agreement are included for reference purposes only and shall not affect the meaning or interpretation of this Agreement in any way.
13.10. Survival. Sections 1, 2.1, 3, 4, 5.4, 6, 7.2, 8, 9, 10, 11, 12, and 13 shall survive the termination or expiration of this Agreement.
Copyright ©2020 DataMotion, Inc. All rights reserved.
HISP Description of Service
Version: January 13, 2021
This HISP Description of Service describe the Direct Messaging Service (the “Service”) and govern the terms of DataMotion providing the Service and the use of the Service identified in the Master Services Agreement Order Form (the “Order Form”). Capitalized terms not defined in this HISP Description of Service shall have the meaning ascribed to them in the Master Services Agreement Terms and Conditions located at https://datamotion.com/master-service-agreement-terms-and-conditions/ (the “Terms & Conditions”). Capitalized terms not defined in this HISP Description of Service shall have the meaning ascribed to them in the Terms & Conditions or the Order Form, as applicable. Any exceptions to the Terms & Conditions related to the Service are noted in this HISP Description of Service and are not to be construed as permanent modifications to the Terms & Conditions (i.e. they apply only to the Service). The term of this HISP Description of Service is effective beginning upon the Order Effective Date and continues through the completion of the engagement as it relates to the Service.
DataMotion is an Electronic Healthcare Network Accreditation Commission (“EHNAC”) accredited Health Information Service Provider (“HISP”), Certificate Authority (“CA”) and Registration Authority (“RA”), which enables secure transport of electronic health information between authorized users. In accordance with the standards and guidelines of EHNAC, the Service enables secure access for its authorized users, provides secure storage of the data during transport, ensures emergency back up and disaster recovery of data, and enables compliance with generally accepted information privacy and security standards and applicable laws, rules, and regulations, including, but not limited to, HIPAA.
DATAMOTION DOES NOT ACCESS, READ OR PROCESS CONTENTS OF THE ENCRYPTED EMAIL SENT USING THE SERVICE AND HAS NO KNOWLEDGE WHETHER THE CONTENTS OF THE ENCRYPTED EMAIL CONTAIN EPHI OR ANY OTHER SENSITIVE INFORMATION.
DataMotion has installed a valid digital certificate for its HISP Service from DataMotion EHNAC-accredited CA, in compliance with the requirements of the Direct Project.
DataMotion has established and shall continuously maintain a Trust Anchor relationship with DirectTrust.org, a designated and approved agency for the implementation of the Direct Project.
DataMotion will provide the Service for certificate management and user registration, and facilitate user onboarding and communications in conformity with requirements of the Direct Project, and in accordance with the terms of this HISP Description of Service.
The Service will include the following components:
1. Enrollment. DataMotion shall enroll Customer to register in accordance with the following procedure:
1.1. Customer shall be solely responsible for its organizational and administrative qualifications to enable DataMotion to obtain for Customer a Direct Org Certificate (based on Customer organizational domain) and Direct Address Certificate (based on the Administrator name and email address as well as the Org Certificate) from the CA.
1.2. Upon issue of the respective Direct Org Certificate and Direct Address Certificate, DataMotion will notify Customer and add the respective certificates in its database in order to provide access to the Service.
1.3. Subsequently, DataMotion will setup a co-branded DataMotion Direct Account for Customer. The named administrator (the “Administrator”) will manage the Customer account and will be authorized to add additional Users for Customer up to the maximum number of licensed Users. For the avoidance of doubt, the maximum number of licensed Users includes the Administrator. The account will be co-branded with Customer logo and provided with overall account management capabilities.
1.4. DataMotion will create a Direct Address for each User on-boarded based on each User’s required information in accordance with DirectTrust rules and guidelines and as further detailed in Section 8 below (“Directory Information”). Each Direct Address created by DataMotion will become part of its health provider directory (“HPD”) and made available to all Users of HISP. All Direct Addresses in the HPD will be accessible to any user with a Direct Address in DataMotion HISP or from any third party HISP using a compatible search function and in accordance with Direct Protocol. Customer and its Users expressly consent without limitation to include the Direct Address(es) in the HPD and to share the Directory Information with HPD of third party HISPs in accordance with guidelines provided by DirectTrust.
2. Training
2.1. DataMotion will provide the Administrator with basic training regarding Customer’s registration, onboarding and use of DataMotion’s Service. The training will be provided remotely using online meeting, conferencing or similar tools.
2.2. Customer shall be responsible for subsequent onboarding and training of any and all of its Users and their ongoing support (i.e., helpdesk customer service regarding basic questions about the Service for which Customer has received adequate training from DataMotion).
2.3. DataMotion is not required to provide training or technical support services to Users, including training on password protection and information security requirements. DataMotion shall have no direct contact with any User except to provision the Services in accordance with this Agreement.
3. Reporting. DataMotion will provide Customer suitable tools required for generating reports for its Direct Projectcompliance reporting and for submissions required for, if any, monetary reimbursement. Except for baseline reports, if additional report writing tools are required, Customer shall be responsible for the applicable Professional Service Fees, if any, for tools to be developed by DataMotion.
4. Certificate Management. As part of DataMotion Direct HISP offering, certificate services are provided according to guidelines established by the Direct Project. These guidelines include certificate management, establishing Trust Anchors with approved partner HISPs, obtaining from the CA the organizational certificate for Customer to Direct-enable its subscribers, and maintaining certificates and renewals. DataMotion will provide notification to Customer when the certificate(s) is/are due for renewal. DataMotion shall automatically renew the certificate(s) with the CA unless Customer notifies DataMotion sixty (60) days prior to the renewal date not to renew the certificate. Customer shall be responsible for payment of any and all fees related to certificate renewal.
5. E-Communications. Any User communication passing through the Services automatically expires after 30 days and it is purged from the system. In addition, a User may delete a communication at any time prior to its expiration. Such deleted communication is also purged from the system. Any deleted or expired and purged communication cannot be recovered in any manner whatsoever and it is permanently lost. User is solely responsible for ensuring any information contained in such communications is appropriately handled, stored or archived independent of HISP Services, and DataMotion shall have no obligation or liability for the deletion of such communications.
6. Customer Security Responsibilities. Customer and its Users shall take proper measures to ensure security of access to the Service. This includes, but is not limited to: (i), the security credentials (User name and password for login) that allows outside access to a User’s account, (ii) not including personal information in non-encrypted fields such as “Subject” line, (iii) making sure that the recipient’s email address is correctly spelled. Customer acknowledges that DataMotion shall not be liable for any security violations by Customer or a User or by any recipient of their secure communications. Customer is solely responsible for providing proper training to Users and ongoing supervision of their use of the Services.
7. Customer Use of Service. Customer shall use commercially reasonable efforts to ensure that Customer and Users use the Services exclusively for authorized and legal purposes, consistent with all applicable laws, regulations and the rights of others. Customer shall notify DataMotion of any known misuse of the Service by a User (e.g., HISP Services used to send spam), although the parties recognize that the Customer will not monitor the content of any communications. Customer shall not attempt to interfere with or disrupt the Service or attempt to gain access to any systems or networks that connect thereto by any unlawful means.
8. Directory Information
| Contract | Field |
| C | Provider Identifier, only for records containing the Direct Address. |
| R | Direct Address |
| C | NPI |
| O | Prefix Name |
| R | First Name |
| O | Middle Name |
| R | Last Name |
| O | Suffix Name |
| O | Specialty |
| O | Specialty Code |
| O | Organization Name / Location Name (Typically Clinic) |
| R | Address Line1 |
| C | Address Line2 |
| R | City |
| R | State |
| R | Zip code |
| C | Primary Telephone Number |
| C | Fax Number |
C – Conditional (if known, please provide)
R – Required
O – Optional
Copyright ©2020, 2021 DataMotion, Inc. All rights reserved.