Marea Software as a Service (SaaS) Terms
Last Updated: January 30, 2026
These SOFTWARE AS A SERVICE (SAAS) TERMS ("TERMS"), together with the applicable Order Form and referenced Schedules (collectively, the "Agreement"), govern Customer's access to and use of the Services.
This Agreement becomes effective on the date Customer accepts it electronically by clicking "I Agree," "Accept," or similar assent mechanism in connection with an Order Form or online checkout process at https://www.usemarea.com ("Effective Date"),
BETWEEN
9546-3105 Quebec Inc. d/b/a Marea, a Quebec corporation with its principal place of business located at 7405 Trans Canada Rte. #100, Saint-Laurent, QC Canada H4T 1Z2 ("Provider")
and
The entity identified in the applicable Order Form or online checkout process ("Customer")
Provider and Customer may be referred to herein collectively as the "Parties" or individually as a "Party."
BACKGROUND:
NOW, THEREFORE, in consideration of the mutual promises contained herein, and for other good and valuable consideration, the receipt and adequacy of which is hereby acknowledged, the Parties hereto agree as follows:
1. DEFINITIONS.
1.1 The following terms have the meanings set out below:
1.2 Incorporation of Order Forms and Referenced Documents. Order Forms and any referenced documents form part of these Terms. In the event of conflict, the following order applies: (1) Order Form; (2) Business Associate Agreement (if applicable, with respect to PHI) attached hereto as Schedule F; (3) Data Protection Addendum (if applicable, with respect to non-PHI personal data) attached hereto as Schedule D; (4) these Terms; and (5) any additional referenced documents attached hereto. Customer's electronic acceptance of an Order Form or completion of an online checkout constitutes acceptance of this Agreement and all incorporated documents.
2. PROVISION OF SERVICES.
2.1 Provision of Access. Provider will make the Services available to Customer as described in one or more Order Forms. Each Order Form will specify the applicable services, features, and duration (including any subscription term, project term, or usage period).
2.2 Right of Use. Subject to Customer's compliance with these Terms and payment of all applicable Fees, Provider grants Customer a limited, non-exclusive, non-transferable right for Authorized Users to access and use the Services and related documentation solely for Customer's internal business purposes, in accordance with the usage limits, features, and scope described in the applicable Order Form. Customer may not sublicense, resell, distribute, or commercially exploit the Services, except as expressly permitted in an Order Form.
2.3 Support Services. Provider will provide standard technical support and maintenance for the Services in accordance with its then-current Support Policy. Support includes access to Provider's help desk, knowledge base, and reasonable assistance in troubleshooting service issues. Unless expressly stated in an Order Form or separate service-level agreement, Provider does not guarantee any specific response times, resolutions, or service levels. Support does not include custom development, configuration, integration work, or training unless purchased separately.
2.4 Updates and Enhancements. Provider may update, enhance, or modify the Services from time to time, including to improve functionality, security, performance, or compliance. Updates may include new features, improvements, bug fixes, patches, or changes to the user interface. Provider will not materially reduce the core functionality of the Services during the applicable service duration stated in an Order Form without providing reasonable notice. Nothing in this Section obligates Provider to make any particular feature or functionality available unless expressly stated in an Order Form. Any custom enhancements or development requested by Customer may be subject to additional fees.
2.5 Temporary Limitations or Disruptions. The Services may be subject to scheduled maintenance, upgrades, or repairs, and may also experience unscheduled interruptions or delays. Provider will use commercially reasonable efforts to minimize disruptions and, where practicable, will provide advance notice of material scheduled maintenance. Customer acknowledges that access to the Services may be temporarily limited or unavailable during such events. Unless expressly stated in an Order Form or separate service-level agreement, Provider does not guarantee uninterrupted service or any specific availability level.
2.6 Beta or Trial Services. Provider may make certain features, modules, or functionality available to Customer on a beta, trial, evaluation, or pre-release basis ("Beta Features"). Beta Features are provided solely for testing and evaluation, may be made available for a limited period, and may be modified or discontinued at any time. Beta Features are provided "as is," without warranties, support commitments, service levels, or indemnities. Customer should not use Beta Features with production data unless expressly authorized by Provider in writing. Beta Features must not be used to process or store Protected Health Information unless expressly authorized by Provider in writing and subject to a separate Business Associate Agreement covering such use.
2.7 Subcontractors and Affiliates. Provider may use its affiliates and third-party subcontractors to provide or support the Services. Provider remains responsible for the performance of the Services by its subcontractors and will ensure that any subcontractor with access to Customer Data is bound by confidentiality and security obligations consistent with these Terms. With respect to Protected Health Information, Provider will ensure that any subcontractor or affiliate that creates, receives, maintains, or transmits PHI on Provider's behalf enters into a written agreement imposing obligations at least as protective as those required under HIPAA and the applicable Business Associate Agreement.
3. CUSTOMER'S RESPONSIBILITIES.
3.1 Customer Compliance. Customer will use the Services in compliance with applicable laws, these Terms, and any applicable Order Form. Customer is responsible for ensuring that Authorized Users comply with the terms of this Agreement.
3.2 Customer Data. Customer is solely responsible for the accuracy, quality, legality, and appropriateness of all Customer Data submitted to the Services. Customer represents and warrants that it has obtained all necessary rights, consents, and authorizations required under applicable law to submit Customer Data for processing through the Services.
3.3 Account Security. Customer is responsible for maintaining the confidentiality of login credentials and for all activity that occurs under its accounts. Customer will promptly notify Provider of any unauthorized access or use.
3.4 Restrictions. Customer will not: (a) license, sublicense, sell, resell, rent, lease, transfer, assign, distribute, time share, or otherwise make the Services available to any third party except Authorized Users or as otherwise permitted in an Order Form; (b) copy, modify, adapt, or create derivative works of the Services or any content or materials provided as part of the Services; (c) reverse engineer, disassemble, decompile, or otherwise attempt to derive the source code, algorithms, or underlying structure of the Services; (d) access the Services in order to build a competing product or service, or copy any features, functions, or user interface of the Services; (e) use the Services to send spam, store or transmit infringing or unlawful material, or store or transmit material in violation of third-party privacy rights; (f) interfere with or disrupt the integrity or performance of the Services; (g) attempt to gain unauthorized access to the Services or related systems or networks; or (h) use the Services to process or store Sensitive Personal Information (including Protected Health Information) unless such use is expressly authorized under these Terms, an applicable Order Form, or a separately executed Business Associate Agreement.
3.5 Restrictions on Use of PHI. Customer will not use the Services to create, receive, maintain, or transmit Protected Health Information unless: (a) Customer and Provider have entered into a valid Business Associate Agreement that governs Provider's handling of PHI; and (b) the applicable Order Form expressly authorizes the processing of PHI through the Services. If no such agreement and authorization are in place, Customer will not submit, upload, or otherwise provide PHI to the Services.
4. FEES AND PAYMENT.
4.1 Fees. Customer will pay all fees specified in the applicable Order Form. Except as otherwise specified in an Order Form: (a) fees are based on the scope described in the Order Form and are not contingent on the delivery of future features or functionality; (b) payment obligations are non-cancellable, and fees paid are non-refundable; and (c) the number of Authorized Users and usage limits purchased under an Order Form cannot be decreased during the applicable service duration.
4.2 Payment Terms. Unless otherwise specified in the applicable Order Form, invoices are due and payable within thirty (30) days of the invoice date.
4.3 Late Payments. If Customer fails to pay any invoiced amount when due, Provider may: (a) charge interest on overdue amounts at a rate of 1.5% per month or the maximum rate permitted by law, whichever is less; and (b) suspend Customer's access to the Services upon thirty (30) days' prior written notice until all overdue amounts are paid in full.
4.4 Taxes. All Fees are exclusive of applicable taxes, levies, or duties. Customer is responsible for all applicable taxes, excluding taxes based on Provider's net income. If Provider is required to collect or remit any such taxes, they will be invoiced to Customer.
5. INTELLECTUAL PROPERTY.
5.1 Provider IP. Provider owns and retains all right, title, and interest in and to the Services, all related technology, documentation, and content, and all modifications, enhancements, or derivative works thereof. Customer does not acquire any ownership interest in the Services by virtue of this Agreement.
5.2 Customer Data. Customer retains all right, title, and interest in and to Customer Data. Customer grants Provider a limited, non-exclusive, royalty-free license to use, reproduce, store, and process Customer Data solely as necessary to provide the Services and to comply with applicable law.
5.3 Aggregated Data. Provider may collect, generate, and use Aggregated Data for its business purposes, including product improvement, benchmarking, and analytics. Aggregated Data will not identify Customer or any individual.
5.4 AI and Machine Learning. Provider may use de-identified and aggregated data derived from the Services to train, improve, and enhance its artificial intelligence and machine learning models ("AI Improvements"). Such data will be de-identified in accordance with applicable law, and AI Improvements will not contain or reveal Customer Data or identify Customer or any individual. Customer retains all rights in its Customer Data. Nothing in this Section grants Provider any right to use identifiable Customer Data for AI or machine learning purposes without Customer's prior written consent.
5.5 Feedback. If Customer provides suggestions, ideas, or feedback regarding the Services ("Feedback"), Provider may use such Feedback without obligation or compensation.
5.6 Customer Marks. Customer grants Provider a limited, non-exclusive, revocable license to use Customer Marks solely to identify Customer as a user of the Services, including on Provider's website, marketing materials, and customer lists. Provider will use Customer Marks in accordance with Customer's reasonable trademark usage guidelines, if provided. Customer may revoke this license at any time upon written notice.
6. TERM AND TERMINATION.
6.1 Term. These Terms commence on the Effective Date and remain in effect for the duration specified in the applicable Order Form. If no duration is specified, the initial term will be twelve (12) months from the Effective Date. Unless otherwise specified in the applicable Order Form, the Agreement will automatically renew for successive one-year terms unless either Party provides written notice of non-renewal at least sixty (60) days prior to the end of the then-current term.
6.2 Termination for Cause. Either Party may terminate this Agreement upon written notice if the other Party materially breaches these Terms and fails to cure such breach within thirty (30) days after receiving written notice specifying the breach.
6.3 Termination for Insolvency. Either Party may terminate this Agreement immediately upon written notice if the other Party files for bankruptcy, becomes insolvent, makes an assignment for the benefit of creditors, or is subject to proceedings under any bankruptcy or insolvency law.
6.4 Suspension. Provider may suspend Customer's access to the Services immediately if: (a) Customer's use poses a security risk to the Services or other users; (b) Customer is in material breach of these Terms; (c) Customer fails to pay fees after the cure period in Section 4.3; or (d) suspension is required by law or regulation. Provider will provide advance notice where practicable.
6.5 Effect of Termination. Upon termination or expiration: (a) Customer's right to use the Services will immediately cease; (b) each Party will return or destroy Confidential Information of the other Party; (c) Customer may request return of Customer Data within thirty (30) days of termination; after such period, Provider may delete Customer Data; and (d) with respect to Protected Health Information, Provider will return or destroy PHI in accordance with the applicable Business Associate Agreement and will not retain copies except as required by law.
6.6 Survival. Sections relating to Fees owed, intellectual property, indemnification, limitation of liability, confidentiality, and any other provisions that by their nature should survive, will survive termination.
7. DATA PROTECTION AND PRIVACY.
7.1 Data Processing. Provider will process Customer Data in accordance with these Terms, the applicable Order Form, and its Privacy Policy. Where Customer Data includes Customer Personal Information, processing will also be governed by a Data Processing Addendum.
7.2 Data Processing Addendum. If required under applicable privacy laws, the Parties will enter into a DPA governing the processing of Customer Personal Information. The DPA will set forth the categories of data processed, the purposes of processing, the duration of processing, and the rights and obligations of each Party.
7.3 Security. Provider will maintain administrative, technical, and physical safeguards designed to protect Customer Data against unauthorized access, disclosure, alteration, or destruction. Security measures will be consistent with industry standards and applicable law.
7.4 Breach Notification. In the event of a data breach affecting Customer Data, Provider will notify Customer without undue delay and in any event within the timeframe required by applicable law. The notification will describe the nature of the breach and the measures taken or proposed to address it.
7.5 HIPAA Compliance. Where the Services are used to process Protected Health Information, Provider will comply with the applicable requirements of the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), the Health Information Technology for Economic and Clinical Health Act ("HITECH"), and their implementing regulations (collectively, the "HIPAA Rules"). Provider's obligations with respect to PHI will be set forth in a separately executed Business Associate Agreement, which will be incorporated into and form part of these Terms by reference.
7.6 Subprocessors. Provider may engage subprocessors to assist with the processing of Customer Data, including Customer Personal Information. Provider will maintain a list of subprocessors and will notify Customer of material changes. Provider will ensure that subprocessors are bound by obligations no less protective than those in these Terms.
7.7 International Transfers. Where Customer Data is transferred outside the jurisdiction in which it was collected, Provider will ensure that appropriate safeguards are in place, such as standard contractual clauses, adequacy decisions, or other legally recognized transfer mechanisms.
8. REPRESENTATIONS AND WARRANTIES.
8.1 Mutual Representations. Each Party represents that: (a) it is duly organized and in good standing; (b) it has full authority to enter into this Agreement; and (c) this Agreement does not conflict with any other obligation.
8.2 Provider Warranties. Provider warrants that: (a) the Services will materially conform to the applicable documentation during the service duration; (b) the Services will be provided in a professional manner consistent with industry standards; and (c) the Services will not, at the time of delivery, contain any virus, malware, or malicious code intentionally introduced by Provider.
8.3 Customer Warranties. Customer represents and warrants that: (a) Customer Data does not infringe any third-party rights; (b) Customer has obtained all necessary consents and authorizations for the processing of Customer Data; and (c) Customer's use of the Services will comply with applicable laws.
8.4 Disclaimer. EXCEPT AS EXPRESSLY SET FORTH IN THIS SECTION, THE SERVICES ARE PROVIDED "AS IS." PROVIDER DISCLAIMS ALL OTHER WARRANTIES, WHETHER EXPRESS, IMPLIED, OR STATUTORY, INCLUDING WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT.
9. CONFIDENTIALITY.
9.1 Definition. "Confidential Information" means information disclosed by one Party to the other in connection with this Agreement that is designated as confidential or that reasonably should be understood to be confidential, including business plans, technology, pricing, Customer Data, and the terms of this Agreement. Confidential Information does not include information that: (a) is or becomes publicly known through no fault of the receiving Party; (b) was known to the receiving Party prior to disclosure; (c) is independently developed without reference to the disclosing Party's Confidential Information; or (d) is lawfully obtained from a third party without restriction.
9.2 Obligations. Each Party will: (a) protect the other's Confidential Information using at least the same care it uses for its own confidential information (and no less than reasonable care); (b) use Confidential Information only for the purposes of this Agreement; and (c) not disclose Confidential Information to third parties except to employees, contractors, and agents who need to know and are bound by confidentiality obligations at least as protective.
9.3 Compelled Disclosure. A Party may disclose Confidential Information if required by law, regulation, or court order, provided it gives prior notice (where permitted) and limits disclosure to what is legally required.
10. INDEMNIFICATION.
10.1 Provider Indemnification. Provider will indemnify, defend, and hold harmless Customer from and against third-party claims alleging that the Services infringe any third-party intellectual property right ("IP Claim"). Provider will: (a) have sole control of the defense and settlement of the IP Claim; and (b) pay damages, costs, and expenses finally awarded or agreed in settlement. If the Services are found to infringe, Provider may, at its option: (i) modify the Services to be non-infringing; (ii) procure a license for continued use; or (iii) terminate Customer's access and refund prepaid fees for the unused portion. This Section states Provider's entire obligation with respect to IP Claims.
10.2 Customer Indemnification. Customer will indemnify, defend, and hold harmless Provider from and against third-party claims arising from: (a) Customer Data; (b) Customer's breach of these Terms; or (c) Customer's use of the Services in violation of applicable law.
10.3 Indemnification Procedure. The indemnified Party will: (a) promptly notify the indemnifying Party; (b) grant the indemnifying Party sole control of the defense and settlement; and (c) provide reasonable cooperation. The indemnified Party may participate in the defense at its own expense.
11. LIMITATION OF LIABILITY.
11.1 Exclusion of Consequential Damages. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, NEITHER PARTY WILL BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES, OR DAMAGES FOR LOSS OF PROFITS, REVENUE, GOODWILL, OR DATA, REGARDLESS OF THE CAUSE OF ACTION OR THE THEORY OF LIABILITY.
11.2 Cap on Liability. EXCEPT FOR EXCLUDED CLAIMS, EACH PARTY'S TOTAL AGGREGATE LIABILITY ARISING OUT OF OR RELATED TO THIS AGREEMENT WILL NOT EXCEED THE TOTAL FEES PAID OR PAYABLE BY CUSTOMER DURING THE TWELVE (12) MONTH PERIOD IMMEDIATELY PRECEDING THE EVENT GIVING RISE TO THE CLAIM.
11.3 Excluded Claims. The limitations in Sections 11.1 and 11.2 will not apply to: (a) a Party's indemnification obligations under Section 10; (b) a Party's breach of confidentiality obligations under Section 9; (c) Customer's payment obligations; or (d) either Party's liability for willful misconduct or fraud.
11.4 Basis of the Bargain. The limitations of liability in this Section reflect the allocation of risk between the Parties and form an essential basis of the bargain.
11.5 Force Majeure. Neither Party will be liable for delays or failure in performance caused by events beyond its reasonable control, including natural disasters, pandemics, acts of government, labor disputes, internet or telecommunications failures, or cyberattacks ("Force Majeure Events"), provided that the affected Party promptly notifies the other Party and uses commercially reasonable efforts to mitigate the impact. If a Force Majeure Event continues for more than sixty (60) days, either Party may terminate the affected Order Form.
12. GOVERNING LAW AND DISPUTE RESOLUTION.
12.1 Governing Law. This Agreement will be governed by and construed in accordance with the laws of the Province of Quebec and the federal laws of Canada applicable therein, without regard to conflict-of-law principles.
12.2 Dispute Resolution. Any dispute arising under this Agreement will first be escalated to senior executives of each Party for good-faith resolution. If not resolved within thirty (30) days, either Party may submit the dispute to binding arbitration under the rules of the Canadian Arbitration Association, with arbitration conducted in Montreal, Quebec. Notwithstanding the foregoing, either Party may seek injunctive or other equitable relief in any court of competent jurisdiction.
13. GENERAL PROVISIONS.
13.1 Entire Agreement. This Agreement, including all Order Forms and referenced documents, constitutes the entire agreement between the Parties regarding its subject matter and supersedes all prior agreements, representations, and understandings.
13.2 Amendments. These Terms may be updated by Provider from time to time. Material changes will be communicated at least thirty (30) days before taking effect. Continued use after notice constitutes acceptance. Order Forms may only be amended in a writing signed by both Parties or by mutual electronic acceptance.
13.3 Assignment. Neither Party may assign this Agreement without the other Party's prior written consent, except that either Party may assign in connection with a merger, acquisition, or sale of substantially all of its assets.
13.4 Notices. All notices under this Agreement must be in writing and sent to the address specified in the applicable Order Form or as otherwise designated.
13.5 Severability. If any provision of these Terms is found to be unenforceable, the remaining provisions will remain in full force and effect.
13.6 Waiver. Failure to enforce any provision will not constitute a waiver of that provision.
13.7 Independent Contractors. The Parties are independent contractors, and nothing in this Agreement creates a partnership, joint venture, or agency relationship.
13.8 Third-Party Beneficiaries. There are no third-party beneficiaries of this Agreement.
SCHEDULE A: ACCEPTABLE USE POLICY (AUP)
This AUP is part of and incorporated into the Terms.
1. PROHIBITED CONDUCT.
Customer and its Authorized Users will not:
2. COMPLIANCE WITH APPLICABLE LAWS.
Customer will use the Services in compliance with all applicable laws, including export controls, anti-corruption laws, and data protection laws. In the healthcare context, Customer will comply with HIPAA, HITECH, and applicable state privacy and security laws in connection with any Protected Health Information processed through the Services.
3. REPORTING AND ENFORCEMENT.
Provider may investigate and respond to violations of this AUP, including by: (a) removing content that violates this AUP; (b) suspending or terminating access to the Services; or (c) reporting violations to law enforcement. Provider will use commercially reasonable efforts to notify Customer before taking enforcement action, except where immediate action is necessary.
4. SECURITY.
Customer is responsible for maintaining the security of its accounts, passwords, and access credentials. Customer will promptly notify Provider of any unauthorized use or security breach.
5. AUP MODIFICATIONS.
Provider may update this AUP from time to time. Material changes will be communicated at least thirty (30) days before taking effect. Continued use of the Services after notice constitutes acceptance of the updated AUP.
SCHEDULE B: SERVICE LEVEL AGREEMENT (SLA)
This SLA is part of and incorporated into the Terms.
1. AVAILABILITY.
1.1 Service Availability Target. Provider will use commercially reasonable efforts to maintain 99.9% availability of the Services during each calendar month ("Availability Target"). Availability is measured as a percentage of total minutes in a calendar month, excluding Scheduled Maintenance, Force Majeure Events, and Customer-caused issues.
1.2 Availability Calculation. Availability = ((Total Minutes in Month - Downtime Minutes) / Total Minutes in Month) x 100%.
2. SCHEDULED MAINTENANCE.
Provider may perform scheduled maintenance during designated maintenance windows. Provider will provide at least 48 hours' advance notice for scheduled maintenance that may impact availability. Scheduled maintenance windows will not count toward Downtime for SLA purposes.
3. SERVICE CREDITS.
3.1 Eligibility. If Provider fails to meet the Availability Target, Customer may request a service credit by submitting a written request within thirty (30) days of the end of the affected month.
3.2 Credit Amounts. Service credits will be applied as follows:
3.3 Limitations. Service credits are the sole and exclusive remedy for Provider's failure to meet the Availability Target. Credits will not exceed 20% of the monthly fees for the affected Service in any single month and will be applied as a credit against future invoices (not paid in cash).
4. EXCLUSIONS.
Downtime caused by the following will not count toward the Availability Target: (a) Scheduled Maintenance; (b) Force Majeure Events; (c) Customer's equipment, software, or connectivity; (d) Customer's breach of the Agreement or AUP; or (e) features designated as Beta Features.
5. SUPPORT.
5.1 Support Channels. Provider will make support available via email and in-app chat during standard business hours (9:00 AM - 5:00 PM ET, Monday through Friday, excluding public holidays).
5.2 Severity Levels. Support requests will be classified by severity: (a) Critical: Services are unavailable or a core function is completely impaired; (b) High: A significant function is impaired but the Services remain operational; (c) Medium: A non-critical function is impaired; (d) Low: General questions, feature requests, or minor issues. Response times will vary based on severity and the applicable support plan.
6. SLA MODIFICATIONS.
Provider may update this SLA from time to time. Material changes will be communicated at least thirty (30) days before taking effect.
SCHEDULE C: PROFESSIONAL SERVICES TERMS
This Schedule is part of and incorporated into the Terms and applies when Provider delivers Professional Services to Customer.
1. DEFINITIONS.
1.1 "Professional Services" means implementation, configuration, integration, training, consulting, data migration, or other professional services described in an applicable Statement of Work ("SOW").
1.2 "Deliverables" means the tangible or intangible work product produced by Provider under a SOW.
2. SCOPE AND PERFORMANCE.
2.1 Statement of Work. Each engagement for Professional Services will be governed by a mutually agreed SOW that describes the scope, deliverables, timeline, fees, and any assumptions or dependencies.
2.2 Performance Standard. Provider will perform Professional Services in a professional and workmanlike manner consistent with industry standards.
2.3 Customer Cooperation. Customer will provide timely access to personnel, systems, data, and information reasonably required for Provider to perform the Professional Services. Delays caused by Customer may result in adjustments to timelines and additional fees.
3. FEES AND EXPENSES.
3.1 Fees. Fees for Professional Services will be set forth in the applicable SOW.
3.2 Expenses. Customer will reimburse Provider for reasonable, pre-approved travel and out-of-pocket expenses incurred in performing Professional Services, supported by documentation.
4. INTELLECTUAL PROPERTY.
4.1 Provider IP. Provider retains all right, title, and interest in its pre-existing intellectual property, tools, methodologies, and know-how used in delivering Professional Services.
4.2 Deliverables. Unless otherwise specified in the applicable SOW, upon full payment, Customer will receive a non-exclusive, perpetual license to use the Deliverables for its internal business purposes.
4.3 Customer Data. Customer retains all rights in Customer Data provided to Provider during Professional Services.
5. CHANGE ORDERS.
Changes to the scope, timeline, or fees of a SOW must be documented in a written change order signed by both Parties.
6. TERM AND TERMINATION.
Each SOW will specify its own term. Either Party may terminate a SOW for cause in accordance with the termination provisions of the Terms. Upon termination, Customer will pay for Professional Services performed through the effective date of termination.
SCHEDULE D: DATA PROCESSING ADDENDUM (DPA)
This DPA is part of and incorporated into the Terms and applies where Provider processes Customer Personal Information on behalf of Customer.
1. DEFINITIONS.
1.1 "Controller" means the Party that determines the purposes and means of the processing of Personal Information.
1.2 "Processor" means the Party that processes Personal Information on behalf of the Controller.
1.3 "Data Subject" means an identified or identifiable individual to whom Personal Information relates.
1.4 "Processing" means any operation performed on Personal Information, including collection, use, storage, disclosure, and deletion.
1.5 "Security Incident" means any accidental or unauthorized access to, or acquisition, use, modification, disclosure, loss, or destruction of, Customer Personal Information.
1.6 "Subprocessor" means a third party engaged by Provider to process Customer Personal Information.
2. ROLES AND SCOPE.
2.1 Customer is the Controller and Provider is the Processor with respect to Customer Personal Information.
2.2 Provider will process Customer Personal Information only in accordance with Customer's documented instructions and the terms of this DPA. The subject matter, duration, nature, and purpose of processing, the types of Personal Information processed, and the categories of Data Subjects are described in Annex 1 to this DPA.
3. PROVIDER OBLIGATIONS.
3.1 Processing Instructions. Provider will process Customer Personal Information only on documented instructions from Customer, unless required by applicable law. If Provider is required by law to process Customer Personal Information for another purpose, Provider will inform Customer before such processing (unless prohibited by law).
3.2 Confidentiality. Provider will ensure that personnel authorized to process Customer Personal Information are subject to confidentiality obligations.
3.3 Security. Provider will implement appropriate technical and organizational measures to protect Customer Personal Information, taking into account the nature of the processing, the risks, and the state of the art.
3.4 Subprocessors. Provider may engage Subprocessors subject to the following: (a) Provider will maintain a list of current Subprocessors; (b) Provider will notify Customer of new Subprocessors at least thirty (30) days before engagement; (c) Customer may object to a new Subprocessor on reasonable grounds within fifteen (15) days of notice; and (d) Provider will ensure that Subprocessors are bound by data protection obligations no less protective than those in this DPA.
3.5 Data Subject Rights. Provider will assist Customer in responding to requests from Data Subjects exercising their rights under applicable privacy laws.
3.6 Security Incidents. Provider will notify Customer of a Security Incident without undue delay and will provide reasonable information and cooperation to assist Customer in responding.
3.7 Data Protection Impact Assessments. Provider will assist Customer with data protection impact assessments and prior consultations with supervisory authorities, where required.
3.8 Deletion and Return. Upon termination of the Agreement, Provider will, at Customer's election, return or delete Customer Personal Information, except where retention is required by applicable law.
4. INTERNATIONAL TRANSFERS.
Where Customer Personal Information is transferred to a jurisdiction that does not provide an adequate level of data protection, Provider will ensure appropriate safeguards, such as standard contractual clauses or other legally recognized transfer mechanisms.
5. AUDITS.
Customer may audit Provider's compliance with this DPA upon reasonable notice. Audits will be conducted during normal business hours, no more than once per year, and at Customer's expense. Provider will cooperate with audits and provide access to relevant records and facilities.
6. TERM.
This DPA will remain in effect for the duration of the Agreement and will survive until Provider has deleted or returned all Customer Personal Information.
SCHEDULE E: SECURITY OVERVIEW
This Schedule is part of and incorporated into the Terms and describes Provider's security practices.
1. ORGANIZATIONAL SECURITY.
1.1 Security Program. Provider maintains a written information security program that includes administrative, technical, and physical safeguards designed to protect Customer Data.
1.2 Personnel. Provider personnel with access to Customer Data are subject to background checks and confidentiality obligations.
1.3 Training. Provider provides regular security awareness training to its personnel.
2. TECHNICAL SAFEGUARDS.
2.1 Encryption. Customer Data is encrypted in transit (TLS 1.2 or higher) and at rest (AES-256 or equivalent).
2.2 Access Controls. Provider enforces role-based access controls, multi-factor authentication, and least-privilege principles.
2.3 Network Security. Provider uses firewalls, intrusion detection/prevention systems, and network segmentation.
2.4 Logging and Monitoring. Provider maintains audit logs and monitors systems for security events.
2.5 Vulnerability Management. Provider conducts regular vulnerability scans and applies security patches in a timely manner.
3. PHYSICAL SAFEGUARDS.
3.1 Data Centers. Services are hosted in SOC 2 Type II-audited data centers with physical access controls, environmental protections, and redundancy.
3.2 Media Disposal. Provider securely disposes of media containing Customer Data.
4. INCIDENT RESPONSE.
Provider maintains an incident response plan that includes procedures for identification, containment, eradication, recovery, and notification of security incidents.
5. BUSINESS CONTINUITY.
Provider maintains a business continuity and disaster recovery plan and performs regular testing. The recovery objectives are described in the applicable SLA or Order Form.
6. COMPLIANCE.
Provider may provide evidence of compliance through third-party audit reports (such as SOC 2 Type II), certifications, or other documentation, upon Customer's reasonable request.
SCHEDULE F: BUSINESS ASSOCIATE AGREEMENT (BAA)
This BAA is part of and incorporated into the Terms (the "Main Agreement") and applies when Customer uses the Services to create, receive, maintain, or transmit Protected Health Information (as defined below). This BAA supplements the Main Agreement and, where applicable, the DPA.
1. DEFINITIONS.
In addition to the definitions in the Main Agreement: