LABDX
APPLICATION TERMS
IMPORTANT – PLEASE CAREFULLY READ AND UNDERSTAND THESE LABDX APPLICATION TERMS (“TERMS”), BEFORE ACCESSING, USING, OR SUBMITTING ANY INFORMATION THROUGH OUR SERVICES. THESE TERMS CONTAIN DISCLAIMERS OF WARRANTIES AND LIMITATIONS OF LIABILITIES (SEE SECTIONS 7 AND 8). THESE TERMS FORM AN ESSENTIAL BASIS OF OUR AGREEMENT. PLEASE PRINT AND RETAIN A COPY OF THIS AGREEMENT FOR YOUR RECORDS.
BY CLICKING “I AGREE,” CHECKING A RELATED BOX TO SIGNIFY YOUR ACCEPTANCE, USING ANY OTHER ACCEPTANCE PROTOCOL PRESENTED THROUGH THE SERVICES (AS DEFINED BELOW) OR OTHERWISE AFFIRMATIVELY ACCEPTING THESE TERMS YOU ACKNOWLEDGE THAT YOU HAVE READ, ACCEPTED, AND AGREED TO BE BOUND BY THESE TERMS. IF YOU DO NOT HAVE THE AUTHORITY TO ENTER INTO THESE TERMS (INCLUDING TO BIND ANY APPLICABLE ENTITIES) OR YOU DO NOT AGREE TO THESE TERMS, DO NOT ACCEPT THESE TERMS AND DO NOT USE OR ACCESS THE SERVICES.
THESE TERMS CONTAIN ARBITRATION AND CLASS ACTION WAIVER PROVISIONS THAT WAIVE YOUR RIGHT TO A COURT HEARING, RIGHT TO A JURY TRIAL AND RIGHT TO PARTICIPATE IN A CLASS ACTION. ARBITRATION IS MANDATORY AND IS THE EXCLUSIVE REMEDY FOR ANY AND ALL DISPUTES SPECIFIED BELOW IN SECTION 9, UNLESS YOU OPT-OUT. PLEASE CAREFULLY REVIEW THE DISPUTE RESOLUTION PROVISIONS IN SECTION 9 BELOW, WHICH DESCRIBES YOUR RIGHT TO OPT-OUT.
These Terms are entered into by and between you (“you,” “your,” or “Subscriber”) and The Dr Z Functional Medicine LabDX, LLC (“we,” “our,” “us,” or “LabDX”). LabDX and Subscriber may also be referred to herein each as a “Party” or collectively as the “Parties.”
These Terms govern your access to and use of the Services (as defined below). If you are entering into these Terms on behalf of a company, organization, or other legal entity, you acknowledge that you are agreeing to these Terms on behalf of such entity and represent to LabDX that you have the authority to bind such entity to these Terms. In such case, all references to “you,” “your,” or “Subscriber” in these Terms shall refer to such entity and its Affiliates. If you are a User of an entity, then these Terms will apply to you to the extent they are applicable to Users.
Now, therefore, in consideration of the mutual covenants hereinafter set forth, the receipt and sufficiency of which is hereby acknowledged, the Parties, intending to be legally bound, hereby covenant and agree as follows:
1. DEFINITIONS
1.1 “Applicable Law” means all applicable laws, rules, and regulations.
1.2 “Affiliate” means an entity that controls, is controlled by, or is under common control with a Party, where “control” means ownership of 50% or more of the shares, equity interest, or other securities entitled to vote for election of directors or other managing authority.
1.3 “Fees” means the amount you owe to LabDX for your applicable Plan.
1.4 “Feedback” means any suggestions, enhancement requests, recommendations or other comments you, your Users, employees, contractors, or agents provide to LabDX regarding the Services.
1.5 “Intellectual Property Rights” means any and all registered and unregistered rights granted, applied for, or otherwise now or hereafter in existence under or related to any patent, copyright, trademark, trade secret, database protection, or other intellectual property rights law, and all similar or equivalent rights or forms of protection, in any part of the world, in each case, for their full term and together with any renewals or extensions.
1.6 “Malicious Software” means viruses, worms, Trojan horses and other harmful or malicious code, files, scripts, agents or programs.
1.7 “Plan” means the specific services and product features available to you based on your subscription.
1.8 “Services” means the LabDX application and all reports, information, or other outputs generated by your use of the Services.
1.9 “Subscriber Data” means any data, content, or information you input into the Services.
1.10 “Subscriber Personal Data” means any Subscriber Data that is legally protected as “personal data” or “personal information” under Applicable Law.
1.11 “Subscription Term” means the subscription term set forth in the applicable Plan.
1.12 “Taxes” means taxes, duties, and other governmental charges including, but not limited to, federal, government, state and local sales, use, excise and value-added taxes (but excluding any taxes due on LabDX’s income, property or employees).
1.13 “Trials and Beta Features” means any product, service, or component of the Services offered to you on a free, trial, beta or early access basis.
1.14 “User” means any authorized individual engaged by you to use the Services on your behalf.
2. USE OF AND ACCESS TO THE SERVICES
2.1 USER ACKNOWLEDGEMENT. BY ACCEPTING THESE TERMS OR USING THE SERVICES, YOU ACKNOWLEDGE AND AGREE THAT LABDX IS NOT A HEALTHCARE PROVIDER AND THAT BY USING THE SERVICES, YOU ARE NOT ENTERING INTO A DOCTOR-PATIENT RELATIONSHIP, OR HEALTH CARE PROVIDER-PATIENT RELATIONSHIP WITH LABDX. YOU ACKNOWLEDGE AND AGREE THAT YOUR USE OF OUR SERVICES IS AT YOUR SOLE RISK AND YOU WILL NOT RELY ON OUR SERVICES AS A SOLE SOURCE OF TRUTH OR FACTUAL INFORMATION, OR AS A SUBSTITUTE FOR PROFESSIONAL ADVICE FROM A QUALIFIED HEALTHCARE PROVIDER. ALL INFORMATION PROVIDED THROUGH OUR SERVICES IS FOR GENERAL INFORMATIONAL PURPOSES ONLY AND SHOULD NOT BE CONSTRUED AS MEDICAL ADVICE OR PROFESSIONAL ADVICE OF ANY KIND. YOU SHOULD CONSULT YOUR HEALTHCARE PROVIDER BEFORE USING ANY INFORMATION PROVIDED BY LABDX.
2.2 Right to Use the Services. Subject to and conditioned on your compliance with these Terms, we hereby grant you a limited, revocable, non-exclusive, non-transferable, non-sublicensable right, during the Subscription Term, to access and use the Services solely for your own informational and educational purposes.
2.3 User and Account Security. You acknowledge and agree that you are solely responsible and liable for: (a) your use of the Services, including your acts and omissions in connection with their use of the Services (including the acts and omissions of your Users); (b) managing your access to, and the security of, the Services; and (c) ensuring that User credentials are kept confidential and not shared by more than one User. You will use reasonable efforts to prevent any unauthorized use of the Services and to immediately notify us if you discover any unauthorized use of the Services. Immediately upon discovery of unauthorized use, you will take all necessary steps to terminate the unauthorized use and cooperate with us in preventing any further unauthorized use. LabDX will not be responsible for any damages, losses, or liability that result from the acts or omissions of you or your Users.
2.4 Use Restrictions. You and your Users will not: (a) use the Services in any manner, or for any purpose, that violates any Applicable Laws or infringes, misappropriates, or otherwise violates any Intellectual Property Rights or other right of any person; (b) copy, modify, or create derivative versions of the Services, in whole or in part; (c) distribute, publish, transfer, publicly display, rent, lease, lend, share, sell, license, sublicense, redistribute, syndicate access to, assign, or otherwise make the Services available to any third party; (d) reverse engineer, disassemble, decompile, decode, adapt, or otherwise attempt to derive or gain access to any software component or source code of the Services, in whole or in part; (e) remove any proprietary notices from the Services; (f) attempt to cloak or conceal your identity when requesting authorization to use the Services; (g) access the Services in any manner that compromises, breaks or circumvents any of our technical processes or security measures, poses a security vulnerability, or tests the vulnerability of our systems or networks; (h) transmit or upload any Malicious Software to the Services; (i) use the Services for any purpose that competes with LabDX, including to replicate, compete with, or attempt to build or replace the features, functionality or user experience of, the Services; or (j) use the Services in a manner that adversely affects the performance, stability or security of the Services. LabDX, in its sole discretion, may impose additional limits or restrictions on your use of the Services from time to time.
2.5 Right to Suspend the Services. We may restrict functionality or suspend your use of the Services if we reasonably believe such suspension is necessary to prevent unauthorized use of the Services (including but not limited to a violation of these Terms) or to prevent an ongoing violation of any Applicable Laws. In addition, if you fail to timely pay any Fees in accordance with these Terms, we may, without limitation to any of our other rights or remedies, suspend your use of the Services until we receive all amounts due. We will not be liable to you or any third parties for any of the foregoing actions.
2.6 Updates to the Services. You acknowledge and agree that LabDX, in its sole discretion, has the right to update, suspend, or modify any and all aspects of the Services (each an “Update”) from time to time. Your continued use of the Services following an update constitutes binding acceptance of the Update.
2.7 Feedback. All Feedback is and will be treated as non-confidential. You hereby assign to LabDX on your behalf, and on behalf of your Users, employees, contractors, and agents, all right, title, and interest in such Feedback. LabDX is free to use, without any attribution or compensation to you or any third party, any ideas, know-how, concepts, techniques, or other intellectual property rights contained in the Feedback, for any purpose whatsoever. For the avoidance of doubt, LabDX is not required to use any Feedback.
2.8 Monitoring. LabDX reserves the right to monitor and audit your activities relating to your access and use of the Services to ensure compliance with these Terms. You agree that you will cooperate with inquiries and audits relating to your access to the Services and provide us with proof that you comply with these Terms.
3. FEES AND PAYMENTS
3.1 Plan Details. The Services available to you will be based on your Plan. When you access the Services, you can select which features you would like to purchase and your Subscription Term for each. The details of your Plan and applicable Fees will be displayed within the Services.
3.2 Payment and Refunds. You will pay for your Plan through the Services in accordance with this Section 3. Payments for Fees are due immediately on the first day of each Subscription Term and on each Monthly Pay Date or Annual Pay Date (each as defined herein), as applicable. If we do not receive timely payment from you for our Services, we may suspend your access to the Services. Payments for Fees are non-refundable, except where required by law.
3.3 Monthly Payment Plans. For Plans where you pay LabDX on a monthly basis, we will charge you on the first day of your Subscription Term and automatically on the same date in each subsequent month (“Monthly Pay Date”). We will continue to charge you for your Plan on the Monthly Pay Date unless you cancel your Plan. If you cancel your Plan in the month preceding your Monthly Pay Date, you will continue to have access to the Services until the following Monthly Pay Date and you will not be issued any refunds or credits for prepaid and unused fees for the remainder of the Subscription Term. We reserve the right to increase pricing for our monthly Plans at any time in our sole discretion. Any price changes to a monthly Plan will take effect on the next Monthly Pay Date following notice to you of such price change.
3.4 Annual Payment Plans. For Plans where you pay LabDX on an annual basis, we will charge you on the first day of your Subscription Term, and your Subscription Term will automatically renew for subsequent annual periods, and we will automatically charge you on the same date in each subsequent year (“Annual Pay Date”) unless you cancel your Plan. We will continue to charge you for your Plan on the Annual Pay Date unless you cancel your Plan prior to the next Annual Pay Date. If you cancel your Plan during an ongoing Subscription Term, you will continue to have access to the Services until the following Annual Pay Date, and you will not be issued any refunds or credits for any prepaid and unused fees for the remainder of the Subscription Term. We reserve the right to increase pricing for our annual Plans at any time in our sole discretion. Any price changes to an annual Plan will take effect on the next Annual Pay Date following notice to you of such price change.
3.5 Changes To Your Plan. If you upgrade or change your Plan during your Subscription Term, you will be charged the then-current price generally available to our customers for the upgrade or additional Services, prorated based on the number of days remaining in your Subscription Term (unless otherwise stated within the Services). Any upgrade that you add will be coterminous with the existing Plan and will automatically renew at the end of the Subscription Term along with your Plan. If you choose to downgrade your Plan or remove any features from your Plan, you will not be issued any refunds or credits for the unused and prepaid fees in connection with the downgrade or removal. Downgrading your Plan may cause the loss of content or features and we will not be liable for any such loss.
3.6 Credit Card and PayPal Authorization. You acknowledge and agree that LabDX uses a third-party payment processor to process payments made by credit card or PayPal account. By submitting your credit card or PayPal information to LabDX, you authorize the third-party payment processor, acting on behalf of LabDX, to store such information and to charge the credit card or PayPal account until your Subscription Term is terminated. In addition, you authorize us to use a third-party payment processor in processing payments. If your credit card expires, or is declined, or your PayPal information requires an update, we will provide you notice via email. If, for any reason, your payment cannot be completed through credit card or PayPal, we may suspend your access to our Services until we receive payment. You can choose to set up a backup payment method that will be used if the primary method fails for any reason (such as an expired credit card or insufficient funds). By adding a backup payment method, you agree that, if your primary payment method fails, LabDX can automatically charge your backup payment method to avoid interruptions to the Services.
3.7 Cancellation. If you would like to cancel your Plan, you must provide such notice via email to [EMAIL] [or click ‘BUTTON’ within the Services] prior to the end of the then-current Subscription Term. If you cancel your Plan during an ongoing Subscription Term, you will not be issued any refunds or credits for any prepaid and unused fees for the remainder of the Subscription Term, and you will be required to pay any and all unpaid fees due to LabDX. If you fail to make timely payments, any and all unpaid fees that are outstanding under your Plan may become immediately due and payable in LabDX’s discretion. These Terms do not override any mandatory local laws regarding your cancellation rights.
3.8 Disputes and Late Payments. You must notify us in writing of any amounts you wish to dispute prior to the date such amounts would otherwise be due. Except for amounts disputed by you in good faith, any amount not paid when due shall be subject to finance charges equal to one and one-half percent (1.5%) of the unpaid balance per month (determined and compounded daily from the date due until the date paid) or the highest rate permitted by applicable law, whichever is less. You will reimburse any costs or expenses (including, but not limited to, reasonable attorneys’ fees) incurred by us to collect any amount that is not paid when due. Amounts due from you under these Terms shall not be withheld or offset by you against amounts due to you for any reason.
3.9 Taxes. You are responsible for the payment of any applicable Taxes resulting from your purchase or use of the Services.
4. TERMINATION
4.1 Termination by You. You may only cancel your Plan and terminate these Terms in accordance with Section 3.7 above. Except as specifically provided in this Agreement, you will not be entitled to any refunds or credits, and any unpaid fees under your Plan for the applicable Subscription Term will remain due and payable.
4.2 Termination by Us. We may terminate these Terms, your Plan, and your use of the Services for any of the following reasons: (a) you fail to comply with these Terms; (b) you do not pay your Fees in accordance with your Plan; (c) at the expiration of the Subscription Term if we provide prior written notice to you; (d) you become the subject of a petition in bankruptcy or any other proceeding relating to insolvency, receivership, liquidation or assignment for the benefit of creditors; or (e) if we reasonably believe that you breached these Terms. In no event will any termination by us for any of the foregoing reasons entitle you to any refunds of any prepaid and unused Fees or relieve you of your obligation to pay any Fees payable to us prior to the date of termination, and any unpaid fees under your Plan will remain due and payable.
4.3 Effect of Termination. Upon expiration or termination of these Terms: (a) you will pay to LabDX any Fees or other amounts that have accrued prior to the effective date of the termination; (b) any and all liabilities accrued prior to the effective date of termination will survive; and (c) your access to and use of the Services will cease. LabDX shall have the right to permanently delete your information, settings, and Subscriber Data within thirty (30) days of such expiration, cancellation, or termination with no liability or notice to you.
5. INTELLECTUAL PROPERTY RIGHTS
5.1 What You Own. You shall retain all Intellectual Property Rights in, and sole ownership of, your Subscriber Data. You grant to us a nonexclusive, revocable, worldwide, limited, fully paid-up and royalty-free right to use, copy, prepare derivative works of, distribute, publish, remove, retain, add, process, or analyze your Subscriber Data for the sole purpose of providing the Services.
5.2 What We Own. LabDX shall retain all Intellectual Property Rights in, and sole ownership of, the Services along with all Intellectual Property Rights related to the Services. Your use of the Services under these Terms does not give you additional rights in the Services or ownership of any Intellectual Property Rights associated with the Services.
6. DATA PRIVACY AND SECURITY
6.1 Data Privacy. You acknowledge and agree that LabDX will collect, use, and disclose your Subscriber Personal Data in accordance with our Privacy Policy and Consumer Health Data Privacy Policy. To the extent required by Applicable Law, and at your expense, LabDX will assist you in fulfilling your obligations under Applicable Law with respect to data privacy and security, including by assisting in the completion of data protection impact assessments and data subject requests. You are solely responsible for ensuring that you are authorized to provide Subscriber Personal Data to LabDX and for fulfilling your obligations as a data controller/collector/exporter under Applicable Law.
6.2 Data Security. LabDX has implemented technical and organizational measures designed to secure your Subscriber Personal Data from accidental or unauthorized access, use, loss, alteration, and disclosure. LabDX shall ensure that each of its workforce members assigned to the performance of the Services are aware of and bound by confidentiality obligations. LabDX will notify you without undue delay in the event of any breach of security resulting in accidental or unlawful destruction, loss, alteration, unauthorized disclosures of, or access to, Subscriber Personal Data. We cannot guarantee the security of your Subscriber Personal Data. Any transmission of Subscriber Personal Data is at your own risk. We are not responsible for circumvention of any privacy settings or security measures contained in the Services.
6.3 CCPA-Specific Terms. To the extent that the California Consumer Privacy Act (“CCPA”) applies to LabDX’s processing of Subscriber Personal Data, LabDX shall: (a) process Subscriber Personal Data solely as a “Service Provider,” as such term is defined under CCPA; (b) not sell any Subscriber Personal Data, or portion thereof; (c) not use or disclose Subscriber Personal Data except to the minimum necessary extent required to perform the Services; (d) not use or disclose Subscriber Personal Data outside of the business relationship; and (e) not combine Subscriber Personal Data with personal information that LabDX received from, or on behalf of, another person or collected from its own interaction with a consumer, provided that LabDX may combine personal information to perform any business purpose as defined in CCPA.
6.4 GDPR-Specific Terms. To the extent that the General Data Protection Regulation (including as adopted by the United Kingdom) (“GDPR”) applies to LabDX’s processing of Subscriber Personal Data, LabDX shall: (a) process Subscriber Personal Data solely as a “Processor” as such term is defined by GDPR and in accordance with your instructions as documented in the Agreement or otherwise in writing; (b) notify you if LabDX believes it is required by Applicable Law to act or refrain from acting in a manner contrary to such instructions; and (c) once per year, upon your reasonable written request, make available for your inspection and audit, copies of certifications, records, or reports demonstrating Company’s compliance with GDPR. Where a transfer of Subscriber Personal Data from you to LabDX is governed by the GDPR, the transfer will be conducted in accordance with an approved mechanism, respectively, set forth in Articles 46 through 49 of the GDPR which may, if determined by the transferring party in consultation with the receiving party, require binding the receiving party to the applicable Standard Contractual Clauses (“SCCs”) module appropriate to the roles of the parties in such transfer. Where SCCs Modules 2, 3 and/or 4 are used, the parties agree that if there is any conflict or contradiction between such SCCs and this Agreement, the required resolution of such conflict in favor of the SCCs shall apply only to the act of transfer/importation and the sub-set of Subscriber Personal Data directly involved therewith.
6.5 Data Use and Retention. You acknowledge and agree that LabDX may use data regarding your use of the Services, including de-identified, anonymized, or aggregated Subscriber Data and outputs generated by your use of the Services (“Usage Data”) to: (a) operate, improve, and support the Services; (b) develop or enhance new products and services; (c) develop and publish benchmarks and similar informational reports for internal purposes or sharing with external parties; and (d) for any other lawful purpose. LabDX will own all Intellectual Property Rights in, and sole ownership of, such Usage Data and any data derived therefrom. Without undue delay following expiration or termination of this Agreement, LabDX will delete your Subscriber Personal Data, or upon written request, may return your Subscriber Personal Data.
6.6 Permitted Disclosures. You acknowledge and agree that: (a) LabDX will provide Subscriber Personal Data to its own service providers and sub-processors in order to provide the Services to you, or if required to do so by Applicable Law (“Sub-Processors”); (b) you provide your general consent to LabDX’s use of such Sub-Processors; and (c) your Subscriber Personal Data shall be processed, stored, and transferred to the United States and to any jurisdiction in which LabDX or its Sub-Processors operate. Before providing your Subscriber Personal Data to any Sub-Processors, we will take reasonable steps to ensure that such party maintains commercially reasonable data practices for maintaining the confidentiality and security of your data and for preventing unauthorized access to Subscriber Personal Data.
6.7 Business Associate Addendum. If you are a “Covered Entity” and your use of the Services involves the use or disclosure of “Protected Health Information” (as these terms are defined under the Health Insurance Portability and Accountability Act of 1996, as amended), then the HIPAA Business Associate Agreement attached hereto and incorporated into this Agreement at Schedule 1 (the “BAA”) shall apply. For the avoidance of doubt, the BAA does not apply to your use of the Services if you are not a “Covered Entity” or if your use of the Services does not involve the use or disclosure of “Protected Health Information” to LabDX.
7. WARRANTIES AND DISCLAIMERS
7.1 Subscriber Warranties. You hereby represent and warrant that: (a) the information you provide in registering for the Services is accurate, complete, and rightfully yours to use; (b) you and all Users are 18 years old or older; (c) you and all Users will use the Services in compliance with all Applicable Laws and all guidelines, standards, and other requirements that may be implemented by LabDX from time to time with respect to use of the Services; (d) you and all Users are authorized to submit the Subscriber Data to LabDX and your Subscriber Data has not been collected, stored, or transferred to LabDX in violation of Applicable Laws; and (e) you are not a competitor of LabDX or using the Services for purposes that are competitive with LabDX.
7.2 DISCLAIMER. THE SERVICES ARE PROVIDED ON AN “AS IS” BASIS, WITHOUT ANY WARRANTIES, GUARANTEES, CONDITIONS, OR REPRESENTATIONS OF ANY KIND, AND, TO THE MAXIMUM EXTENT PERMITTED BY LAW, WE EXPRESSLY DISCLAIM ANY AND ALL WARRANTIES, WHETHER EXPRESS, IMPLIED, OR STATUTORY, INCLUDING, BUT NOT LIMITED TO, EXPRESS OR IMPLIED WARRANTIES OF MERCHANTABILITY, DESIGN, TITLE, QUALITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT ON BEHALF OF LABDX. LABDX RELIES ON THIRD-PARTY SERVICE PROVIDERS AND THEREFORE DOES NOT WARRANT THAT THE SERVICES, OR ANY INFORMATION PROVIDED THROUGH THE SERVICES, WILL BE UNINTERRUPTED, AVAILABLE, ACCESSIBLE, SECURE, TIMELY, ACCURATE, COMPLETE, FREE FROM VIRUSES OR HARMFUL CODE, ERROR-FREE, OR WILL ALWAYS BE AVAILABLE. LABDX DISCLAIMS ALL LIABILITY FOR ANY MALFUNCTIONING, IMPOSSIBILITY OF ACCESS, OR POOR USE CONDITIONS OF THE SERVICES DUE TO INAPPROPRIATE EQUIPMENT, INTERRUPTIONS, OR OTHER ISSUES RELATED TO THE INTERNET AND ELECTRONIC COMMUNICATIONS SERVICE PROVIDERS, OR ANY OTHER DELAY, ERROR, OMISSION, INTERRUPTION, DELETION, THEFT, DESTRUCTION, UNAUTHORIZED ACCESS TO, OR LOSS OF DATA ON THE SERVICES, ALL OF WHICH ARE NOT WITHIN LABDX’S REASONABLE CONTROL. WE DO NOT PROVIDE ANY WARRANTIES, INDEMNITIES OR REMEDIES FOR ANY TRIALS AND BETA FEATURES. TRIALS AND BETA FEATURES ARE OPTIONAL AND ARE USED AT YOUR OWN RISK.
8. LIABILITY AND INDEMNIFICATION
8.1 Exclusion of Consequential and Related Damages. LABDX WILL NOT, UNDER ANY CIRCUMSTANCES, BE LIABLE TO YOU, UNDER ANY LEGAL OR EQUITABLE THEORY, INCLUDING BREACH OF CONTRACT, TORT (INCLUDING NEGLIGENCE), STRICT LIABILITY, OR OTHERWISE, FOR CONSEQUENTIAL, INCIDENTAL, INDIRECT, SPECIAL, EXEMPLARY, ENHANCED, OR PUNITIVE DAMAGES ARISING OUT OF OR RELATED TO THESE TERMS, INCLUDING BUT NOT LIMITED TO LOST PROFITS, REVENUE, BUSINESS, OR DATA; BUSINESS INTERRUPTION; OR LOSS OF GOODWILL OR REPUTATION, REGARDLESS OF WHETHER THE PARTY IS APPRISED OF THE LIKELIHOOD OF SUCH DAMAGES OCCURRING OR ANY LOSSES OR DAMAGES WERE OTHERWISE FORESEEABLE.
8.2 Monetary Cap on Liability. UNDER NO CIRCUMSTANCES WILL THE MAXIMUM AGGREGATE LIABILITY OF LABDX TO YOU (INCLUDING YOUR AFFILIATES) ARISING OUT OF OR RELATED TO THESE TERMS OR THE SERVICES, REGARDLESS OF THE FORUM AND REGARDLESS OF WHETHER ANY ACTION OR CLAIM IS BASED ON CONTRACT, TORT (INCLUDING NEGLIGENCE), STRICT LIABILITY, OR ANY OTHER LEGAL OR EQUITABLE THEORY, EXCEED THE GREATER OF $100.00 OR THE TOTAL AMOUNT PAID BY YOU TO LABDX UNDER THE APPLICABLE PLAN DURING THE SIX (6) MONTHS PRECEDING THE EVENT GIVING RISE TO THE CLAIM. THE FOREGOING LIABILITY LIMITATIONS WILL NOT IN ANY WAY LIMIT YOUR PAYMENT OBLIGATIONS UNDER THESE TERMS. IN NO EVENT WILL LABDX BE LIABLE FOR ANY DAMAGES FOR SERVICES PROVIDED ON A FREE TRIAL BASIS OR FOR BETA SERVICES, INCLUDING, WITHOUT LIMITATION, CONSEQUENTIAL DAMAGES, LOST REVENUE, LOST PROFITS, OR LOST DATA, EVEN IF LABDX IS APPRISED OF THE LIKELIHOOD OF SUCH DAMAGES OCCURRING OR ANY SUCH DAMAGES WERE OTHERWISE FORESEEABLE.
8.3 Indemnification. You agree to defend, indemnify, and hold LabDX (along with its Affiliates and its respective officers, directors, employees, contractors, and agents) harmless from and against any and all claims, losses, demands, liabilities, damages, settlements, expenses, and costs (including reasonable attorney’s fees) brought against LabDX that arise from or relate to: (a) your or your Users’ breach of these Terms; and (b) your violation of any third-party right, including without limitation any right of privacy, publicity or Intellectual Property Rights.
9. DISPUTE RESOLUTION BY MANDATORY BINDING ARBITRATION AND CLASS ACTION WAIVER
9.1 AGREEMENT TO ARBITRATE DISPUTES; CLASS ACTION WAIVER. PLEASE READ THIS PROVISION CAREFULLY; IT REQUIRES YOU TO ARBITRATE ANY DISPUTE OR CLAIM BETWEEN YOU AND LABDX ON AN INDIVIDUAL BASIS. YOU AGREE THAT ANY DISPUTE OR CLAIM ARISING FROM OR RELATING TO THE SERVICES, THIS ARBITRATION PROVISION, LABDX’S PRIVACY POLICY OR TERMS, OR LABDX’S ADVERTISING OR MARKETING PRACTICES SHALL BE SUBMITTED TO BINDING, FINAL, AND CONFIDENTIAL ARBITRATION BEFORE A SINGLE ARBITRATOR ADMINISTERED BY THE AMERICAN ARBITRATION ASSOCIATION (“AAA”) UNDER ITS CONSUMER ARBITRATION RULES. THIS ARBITRATION PROVISION SHALL BE GOVERNED BY THE FEDERAL ARBITRATION ACT (“FAA”), 9 U.S.C. §§ 1-16, AND THE ARBITRATOR SHALL BE BOUND BY THE TERMS OF THIS ARBITRATION PROVISION. THE ARBITRATOR SHALL HAVE THE EXCLUSIVE AND SOLE AUTHORITY FOR DETERMINING WHETHER A DISPUTE OR CLAIM IS ARBITRABLE. THE ARBITRATOR SHALL FOLLOW APPLICABLE SUBSTANTIVE LAW OF THE STATE OF WYOMING TO THE EXTENT CONSISTENT WITH THE FAA, AND SHALL BE AUTHORIZED TO AWARD ALL REMEDIES AVAILABLE IN AN INDIVIDUAL LAWSUIT UNDER SUBSTANTIVE LAW, INCLUDING, WITHOUT LIMITATION, COMPENSATORY, STATUTORY AND PUNITIVE DAMAGES, DECLARATIVE, INJUNCTIVE AND OTHER EQUITABLE RELIEF, INCLUDING PUBLIC INJUNCTIVE RELIEF, AND ATTORNEYS’ FEES AND COSTS WHERE AVAILABLE UNDER APPLICABLE SUBSTANTIVE LAW. THE ARBITRATOR MAY ONLY RESOLVE DISPUTES OR CLAIMS BETWEEN YOU AND LABDX AND MAY NOT CONSOLIDATE CLAIMS OR PROCEEDINGS WITHOUT LABDX’S CONSENT. THE ARBITRATOR MAY NOT HEAR CLASS OR REPRESENTATIVE CLAIMS OR REQUESTS FOR RELIEF ON BEHALF OF OTHER INDIVIDUALS. IF A COURT OR ARBITRATOR DECIDES THAT ANY PART OF THIS AGREEMENT TO ARBITRATE CANNOT BE ENFORCED AS TO A PARTICULAR CLAIM FOR RELIEF OR REMEDY, THEN THAT CLAIM OR REMEDY (AND ONLY THAT CLAIM OR REMEDY) MUST BE BROUGHT IN COURT AND ANY OTHER CLAIMS MUST BE ARBITRATED.
9.2 INJUNCTIVE RELIEF. NOTWITHSTANDING ANYTHING TO THE CONTRARY HEREIN, YOU AGREE THAT LABDX HAS THE RIGHT TO BRING A CLAIM AGAINST YOU IN THE STATE OR FEDERAL COURTS OF WYOMING FOR INJUNCTIVE RELIEF, EQUITABLE RELIEF, OR OTHERWISE ARISING FROM ANY POTENTIAL OR ACTUAL MISAPPROPRIATION OR INFRINGEMENT OF LABDX’S INTELLECTUAL PROPERTY RIGHTS AND YOU AGREE THAT VENUE IS PROPER AND THAT YOU ARE SUBJECT TO PERSONAL JURISDICTION IN SUCH FORUM.
9.3 OPT OUT. YOU MAY OPT OUT OF ARBITRATION WITHIN 30 DAYS OF THE DATE THAT YOU ACCESSED, USED, OR TRANSMITTED INFORMATION THROUGH THE SERVICES BY SENDING A LETTER TO: LABDX ATTN. LEGAL DEPARTMENT, 30 N GOULD ST #37288 SHERIDAN, WY 82801 STATING YOUR NAME, THE WEBSITE YOU ACCESSED, USED, OR TRANSMITTED INFORMATION THROUGH, OR ANY PRODUCT OR SERVICE PURCHASED, AND YOUR INTENT TO OPT OUT OF ARBITRATION. UNLESS YOU TIMELY OPT-OUT, YOU WILL NOT HAVE THE RIGHT TO: (A) HAVE A COURT OR JURY DECIDE YOUR DISPUTE OR CLAIM; (B) OBTAIN INFORMATION PRIOR TO THE HEARING TO THE SAME EXTENT THAT YOU WOULD HAVE IN COURT; (C) PARTICIPATE IN A CLASS ACTION IN COURT OR IN ARBITRATION, EITHER AS A CLASS REPRESENTATIVE, CLASS MEMBER, OR CLASS OPPONENT; (D) ACT AS A PRIVATE ATTORNEY GENERAL IN COURT OR IN ARBITRATION; OR (E) JOIN OR CONSOLIDATE YOUR DISPUTE OR CLAIM WITH THE DISPUTE OR CLAIM OF ANY OTHER PERSON. OTHER RIGHTS THAT YOU WOULD HAVE HAD IF YOU WENT TO COURT MAY ALSO NOT BE AVAILABLE IN ARBITRATION.
10. GENERAL TERMS
10.1 Agreement Term. The term of these Terms commences when you access the Services, agree to a Plan, or otherwise acknowledge your acceptance of these Terms, and will continue in effect until expiration of a Subscription Term or until terminated as set forth in these Terms.
10.2 Trials and Beta Features. LabDX may make Trials and Beta Features available to you solely for evaluation and testing purposes. You acknowledge and agree that Trials and Beta Features are provided on an “as is” and “as available” basis without any warranties or conditions of any kind, whether express, implied, statutory or otherwise. LabDX may, in its sole discretion, suspend, limit, or terminate access to Trials and Beta Features at any time. LabDX is not obligated to provide support for Trials and Beta Features and provides no assurance that any errors or performance issues in Trials and Beta Features will be corrected. Use of Trials and Beta Features is at your sole risk and may be subject to additional requirements as specified by LabDX. In no event will LabDX be liable to you (including for any indemnification obligations) arising out of or relating to your use of or inability to use Trials and Beta Features.
10.3 Assignment. Neither Party may assign these Terms without the prior consent of the other Party, except that LabDX may assign these Terms, with notice to you, in connection with LabDX’ reorganization, acquisition or other transfer of all or substantially all of its assets or voting securities. Any non-permitted assignment is void. These Terms will bind and inure to the benefit of each Party’s permitted successors and assigns.
10.4 Relationship of the Parties. The parties are independent contractors, not agents, partners, or joint venturers. There are no third-party beneficiaries to these Terms.
10.5 Governing Law and Venue. The law of WYOMING governs these Terms and any action arising out of or relating to these Terms, without reference to conflict of law rules. The parties will adjudicate any such action in the courts of Sheridan County, Wyoming and each Party consents to the exclusive jurisdiction and venue of the courts of Sheridan County, Wyoming for these purposes.
10.6 Notices. Notices, requests and approvals under these Terms must be in writing to LabDX at 30 N Gould St #37288 Sheridan, WY 82801 or to you at the email address listed in your account. Notices will be deemed given: (1) upon receipt if by personal delivery, (2) upon receipt if by certified or registered U.S. mail (return receipt requested), (3) one day after dispatch if by a commercial overnight delivery or (4) upon delivery if by email.
10.7 Entire Agreement. These Terms are the parties’ entire agreement regarding their subject matter and supersede any prior or contemporaneous agreements regarding their subject matter. In these Terms, headings are for convenience only and “including” and similar terms are to be construed without limitation. These Terms may be executed in counterparts (including electronic copies and PDFs), each of which is deemed an original and which together form one and the same agreement.
10.8 Updates to Terms. From time to time, we may revise and update these Terms in our sole discretion. Any changes we make to these Terms are effective immediately when we post them. Continued use of the Services after we provide you notice of the updated Terms shall constitute your acceptance of the updated Terms.
10.9 Waivers and Severability. Waivers must be signed by the waiving Party’s authorized representative and cannot be implied from conduct. If any provision of these Terms is held invalid, illegal or unenforceable, it will be limited to the minimum extent necessary, so the rest of these Terms remain in effect.
SCHEDULE 1
HIPAA BUSINESS ASSOCIATE AGREEMENT
1. PREAMBLE AND DEFINITIONS
1.1 Pursuant to the Health Insurance Portability and Accountability Act of 1996, as amended (“HIPAA”), Subscriber as defined in the Underlying Agreement defined below (“Covered Entity”) and The Dr Z Functional Medicine LabDX, LLC or any of its corporate affiliates (“Business Associate”), enter into this Business Associate Agreement (“BAA”) effective as of the effective date of the Underlying Agreement defined below (the “Effective Date”) that addresses the HIPAA requirements with respect to “business associates,” as defined under the privacy, security, breach notification, and enforcement rules at 45 C.F.R. Part 160 and Part 164 (“HIPAA Rules”). A reference in this BAA to a section in the HIPAA Rules means the section as in effect or as amended.
1.2 This BAA is intended to ensure that Business Associate will establish and implement appropriate safeguards for the Protected Health Information (“PHI”) (as defined under the HIPAA Rules) that Business Associate may receive, create, maintain, use, or disclose in connection with the functions, activities, and services that Business Associate performs for Covered Entity. The functions, activities, and services that Business Associate performs for Covered Entity are defined in the Lab DX Application Terms to which this BAA is attached, including its exhibits, schedules and other documents expressly referenced therein (the “Underlying Agreement”).
1.3 Pursuant to changes required under the Health Information Technology for Economic and Clinical Health Act of 2009 (the “HITECH Act”) and under the American Recovery and Reinvestment Act of 2009 (“ARRA”), this BAA also reflects federal breach notification requirements imposed on Business Associate when “Unsecured PHI” (as defined under the HIPAA Rules) is acquired by an unauthorized party, and the expanded privacy and security provisions imposed on business associates.
1.4 Unless the context clearly indicates otherwise, the following terms in this BAA shall have the same meaning as those terms in the HIPAA Rules: Breach, Data Aggregation, Designated Record Set, disclosure, Electronic Media, Electronic Protected Health Information (ePHI), Health Care Operations, individual, Minimum Necessary, Notice of Privacy Practices, Required By Law, Secretary, Security Incident, Subcontractor, Unsecured PHI, and use.
1.5 A reference in this BAA to the Privacy Rule means the Privacy Rule, in conformity with the regulations at 45 C.F.R. Parts 160-164 (the “Privacy Rule”) as interpreted under applicable regulations and guidance of general application published by HHS, including all amendments thereto for which compliance is required, as amended by the HITECH Act, ARRA, and the HIPAA Rules.
2. GENERAL OBLIGATIONS OF BUSINESS ASSOCIATE.
2.1 Business Associate agrees not to use or disclose PHI, other than as permitted or required by this BAA or as Required By Law, or if such use or disclosure does not otherwise cause a Breach of Unsecured PHI.
2.2 Business Associate agrees to use appropriate safeguards, and comply with Subpart C of 45 C.F.R. Part 164 with respect to ePHI, to prevent the use or disclosure of PHI other than as provided for by the BAA.
2.3 Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate as a result of a use or disclosure of PHI by Business Associate in violation of this BAA’s requirements or that would otherwise cause a Breach of Unsecured PHI.
2.4 The Business Associate agrees to the following breach notification requirements:
(a) Business Associate agrees to report to Covered Entity any Breach of Unsecured PHI not provided for by the BAA of which it becomes aware within 30 calendar days of “discovery” within the meaning of the HITECH Act. Such notice shall include the identification of each individual whose Unsecured PHI has been, or is reasonably believed by Business Associate to have been, accessed, acquired, or disclosed in connection with such Breach. Business Associate also shall provide any additional information reasonably requested by Covered Entity for purposes of investigating the Breach and any other available information that Covered Entity is required to include to the individual under 45 C.F.R. § 164.404(c) at the time of notification or promptly thereafter as information becomes available. Business Associate’s notification of a Breach of Unsecured PHI under this Section shall comply in all respects with each applicable provision of Section 13400 of Subtitle D (Privacy) of ARRA, the HIPAA Rules, and related guidance issued by the Secretary or the delegate of the Secretary from time to time.
(b) In the event of Business Associate’s use or disclosure of Unsecured PHI in violation of HIPAA, the HITECH Act, or ARRA, Business Associate bears the burden of demonstrating that notice as required under this Section 2.4 was made, including evidence demonstrating the necessity of any delay, or that the use or disclosure did not constitute a Breach of Unsecured PHI.
2.5 Business Associate agrees, in accordance with 45 C.F.R. §§ 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, to require that any Subcontractors that create, receive, maintain, or transmit PHI on behalf of the Business Associate agree to the same restrictions, conditions, and requirements that apply to the Business Associate with respect to such information.
2.6 Business Associate agrees to make available PHI in a Designated Record Set to the individual or the individual’s designee as necessary to satisfy Covered Entity’s obligations under 45 C.F.R. § 164.52
(a) Business Associate agrees to comply with an individual’s request to restrict the disclosure of their personal PHI in a manner consistent with 45 C.F.R. § 164.522, except where such use, disclosure, or request is required or permitted under applicable law.
(b) Business Associate agrees to charge fees related to providing individuals access to their PHI in accordance with 45 C.F.R. § 164.524(c)(4).
(c) Business Associate agrees that when requesting, using, or disclosing PHI in accordance with 45 C.F.R. § 164.502(b)(1) that such request, use, or disclosure shall be to the minimum extent necessary, including the use of a “limited data set” as defined in 45 C.F.R. § 164.514(e)(2), to accomplish the intended purpose of such request, use, or disclosure, as interpreted under related guidance issued by the Secretary from time to time.
2.7 Business Associate agrees to make any amendments to PHI in a Designated Record Set as directed or agreed to by the Covered Entity pursuant to 45 C.F.R. § 164.526, or to take other measures as necessary to satisfy Covered Entity’s obligations under 45 C.F.R. § 164.526.
2.8 Business Associate agrees to maintain and make available the information required to provide an accounting of disclosures to the individual as necessary to satisfy Covered Entity’s obligations under 45 C.F.R. § 164.528.
2.9 Business Associate agrees to make its internal practices, books, and records, including policies and procedures regarding PHI, relating to the use and disclosure of PHI and Breach of any Unsecured PHI received from Covered Entity, or created or received by the Business Associate on behalf of Covered Entity, available to Covered Entity (or the Secretary) for the purpose of Covered Entity or the Secretary determining compliance with the Privacy Rule (as defined in 1.5).
2.10 To the extent that Business Associate is to carry out one or more of Covered Entity’s obligation(s) under Subpart E of 45 C.F.R. Part 164, Business Associate agrees to comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligation(s).
2.11 Business Associate agrees to account for the following disclosures:
(a) Business Associate agrees to maintain and document disclosures of PHI and Breaches of Unsecured PHI and any information relating to the disclosure of PHI and Breach of Unsecured PHI in a manner as would be required for Covered Entity to respond to a request by an individual or the Secretary for an accounting of PHI disclosures and Breaches of Unsecured PHI.
(b) Business Associate agrees to provide to Covered Entity, or to an individual at Covered Entity’s request, information collected in accordance with this Section 2.11, to permit Covered Entity to respond to a request by an individual or the Secretary for an accounting of PHI disclosures and Breaches of Unsecured PHI.
(c) Business Associate agrees to account for any disclosure of PHI used or maintained as an Electronic Health Record (as defined in 5) (“EHR”) in a manner consistent with 45 C.F.R. § 164.528 and related guidance issued by the Secretary from time to time; provided that an individual shall have the right to receive an accounting of disclosures of EHR by the Business Associate made on behalf of the Covered Entity only during the three years prior to the date on which the accounting is requested directly from the Business Associate.
(d) In the case of an EHR that the Business Associate acquired on behalf of the Covered Entity as of January 1, 2009, paragraph (c) above shall apply to disclosures with respect to PHI made by the Business Associate from such EHR on or after January 1, 2014. In the case of an EHR that the Business Associate acquires on behalf of the Covered Entity after January 1, 2009, paragraph (c) above shall apply to disclosures with respect to PHI made by the Business Associate from such EHR on or after the later of January 1, 2011, or the date that it acquires the EHR.
2.12 Business Associate agrees to comply with the “Prohibition on Sale of Electronic Health Records or Protected Health Information,” as provided in Section 13405(d) of Subtitle D (Privacy) of ARRA, and the “Conditions on Certain Contacts as Part of Health Care Operations,” as provided in Section 13406 of Subtitle D (Privacy) of ARRA and related guidance issued by the Secretary from time to time.
2.13 Business Associate acknowledges that, effective on the Effective Date of this BAA, it shall be liable under the civil and criminal enforcement provisions set forth at 42 U.S.C. § 1320d-5 and 1320d-6, as amended, for failure to comply with any of the use and disclosure requirements of this BAA and any guidance issued by the Secretary from time to time with respect to such use and disclosure requirements.
3. PERMITTED USES AND DISCLOSURES BY BUSINESS ASSOCIATE.
3.1 Business Associate agrees to receive, create, use, or disclose PHI only in a manner that is consistent with this BAA, the Privacy Rule, or Security Rule (as defined in 5), and only in connection with providing services to Covered Entity; provided that the use or disclosure would not violate the Privacy Rule, including 45 C.F.R. § 164.504(e), if the use or disclosure would be done by Covered Entity. For example, the use and disclosure of PHI will be permitted for “treatment, payment, and health care operations,” in accordance with the Privacy Rule.
3.2 Business Associate may use or disclose PHI as Required By Law.
3.3 Business Associate agrees to make uses and disclosures and requests for PHI consistent with Covered Entity’s Minimum Necessary policies and procedures which Covered Entity has provided in writing to Business Associate.
3.4 Business Associate may not use or disclose PHI in a manner that would violate Subpart E of 45 C.F.R. Part 164 if done by the Covered Entity.
3.5 Except as otherwise provided in this BAA, Business Associate may use PHI to provide Data Aggregation Services to Covered Entity as permitted by HIPAA for (a) benchmarking and for training AI models for quality assurance and other activities to improve Covered Entity’s health care operations and (b) as otherwise expressly provided for in the Underlying Agreement.
3.6 Except as otherwise provided in this BAA, Business Associate may use PHI for its proper management and administration or to carry out its legal responsibilities as permitted under applicable law.
3.7 Except as otherwise provided in this BAA, Business Associate may disclose PHI for the proper management and administration of Business Associate or to carry out the legal responsibilities of the Business Associate; provided that the disclosures are required by applicable law, or Business Associate obtains prior written reasonable assurances from the person to whom the information is disclosed that the information will remain confidential and will be used or further disclosed only as required by applicable law or for the purpose(s) for which it was disclosed to the person, and the person notifies Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached, in accordance with the breach notification requirements of this BAA.
3.8 Business Associate may use PHI to report violations of law to appropriate federal and state authorities, consistent with 45 C.F.R. § 164.502(j)(1).
3.9 Business Associate may use PHI to de-identify the information, and Covered Entity hereby requests and authorizes Business Associate to do the same consistent with the requirements of 45 C.F.R. § 164.514 to assist Covered Entity with quality assurance and other activities to improve Covered Entity’s health care operations. Once de-identified for the foregoing requested and authorized purpose, the information is no longer PHI and Covered Entity acknowledges that Business Associate may use it for any purpose.
3.10 Business Associate may use PHI to provide Data Aggregation services, and Covered Entity hereby requests and authorizes Business Associate to do the same to assist Covered Entity with quality assurance and other activities to improve Covered Entity’s health care operations. In order to view the summary reports and analysis on the data aggregated by Business Associate and prepared by Business Associate from other covered entities Business Associate serves to improve said operations, Covered Entity requests and authorizes Business Associate to add its PHI to this aggregated data set. Covered Entity acknowledges and understands that raw data will not be shared between different covered entities and that the summary reports and analysis on the raw data is not identifiable of any individual as it is merely reflective of trends and averages of pooled populations.
4. OBLIGATIONS OF COVERED ENTITY.
4.1 Covered Entity shall:
(a) Provide Business Associate with the Notice of Privacy Practices that Covered Entity produces in accordance with the Privacy Rule, and any changes or limitations to such notice under 45 C.F.R. § 164.520, to the extent that such changes or limitations may affect Business Associate’s use or disclosure of PHI. Covered Entity shall include in its Notice of Privacy Practices that it has requested and authorized Business Associate to de-identify PHI and perform Data Aggregation services to assist Covered Entity with quality assurance and other activities to improve Covered Entity’s health care operations.
(b) Notify Business Associate of any restriction on the use or disclosure of PHI that Covered Entity has agreed to or is required to comply with under 45 C.F.R. § 164.522, to the extent that such restriction may affect Business Associate’s use or disclosure of PHI under this BAA.
(c) Notify Business Associate of any changes in or revocation of permission by an individual to use or disclose PHI, if such change or revocation may affect Business Associate’s permitted or required uses and disclosures of PHI under this BAA.
4.2 Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under the Privacy and Security Rule if done by Covered Entity, except as provided under 3 of this BAA.
4.3 Covered Entity shall use reasonable efforts to limit the amount of PHI it makes available to Business Associate to the Minimum Necessary for Business Associate to perform its obligations pursuant to the Underlying Agreement.
5. COMPLIANCE WITH SECURITY RULE.
5.1 Business Associate shall comply with the HIPAA Security Rule, which shall mean the Standards for Security of Electronic Protected Health Information at 45 C.F.R. Part 160 and Subparts A and C of Part 164, as amended by ARRA and the HITECH Act. The term “Electronic Health Record” or “EHR” as used in this BAA shall mean an electronic record of health-related information on an individual that is created, gathered, managed, and consulted by authorized health care clinicians and staff.
5.2 In accordance with the Security Rule, Business Associate agrees to:
(a) Implement the administrative safeguards set forth at 45 C.F.R. § 164.308, the physical safeguards set forth at 45 C.F.R. § 164.310, the technical safeguards set forth at 45 C.F.R. § 164.312, and the policies and procedures set forth at 45 C.F.R. § 164.316, to reasonably and appropriately protect the confidentiality, integrity, and availability of the ePHI that it creates, receives, maintains, or transmits on behalf of Covered Entity as required by the Security Rule. Business Associate acknowledges that, effective on the Effective Date of this BAA, (a) the foregoing safeguards, policies, and procedures requirements shall apply to Business Associate in the same manner that such requirements apply to Covered Entity, and (b) Business Associate shall be liable under the civil and criminal enforcement provisions set forth at 42 U.S.C. § 1320d-5 and 1320d-6, as amended from time to time, for failure to comply with the safeguards, policies and procedures, requirements and any guidance issued by the Secretary from time to time with respect to such requirements;
(b) Require that any agent, including a Subcontractor, to whom it provides such PHI agrees to implement reasonable and appropriate safeguards to protect the PHI; and
(c) Report to the Covered Entity any Security Incident of which it becomes aware.
6. INDEMNIFICATION.
The parties agree and acknowledge that except as set forth herein, the indemnification obligations and related provisions under the Underlying Agreement shall govern each party’s performance under this BAA.
7. TERM AND TERMINATION.
7.1 This BAA shall commence as of the Effective Date, and shall terminate on the earlier of the date that:
(a) Either party terminates for cause as authorized under 7.2;
(b) All of the PHI received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity, is destroyed or returned to Covered Entity. If it is not feasible to return or destroy PHI, protections are extended in accordance with 7.3; or
(c) The Underlying Agreement is terminated.
7.2 Upon either party’s knowledge of material breach by the other party, the non-breaching party shall provide an opportunity for the breaching party to cure the breach or end the violation; or terminate the BAA. If the breaching party does not cure the breach or end the violation within a reasonable timeframe not to exceed thirty (30) days from the notification of the breach, or if a material term of the BAA has been breached and a cure is not possible, the non-breaching party may terminate this BAA and the Underlying Agreement, upon written notice to the other party.
7.3 Upon termination of this BAA for any reason, the parties agree that Business Associate, with respect to PHI received from Covered Entity, or created, maintained, or received by Business Associate on behalf of Covered Entity, shall:
(a) Retain only that PHI that is necessary for Business Associate to continue its proper management and administration or to carry out its legal responsibilities, except as may be expressly provided under the Underlying Agreement.
(b) Return to Covered Entity or destroy the remaining PHI that the Business Associate still maintains in any form.
(c) Continue to use appropriate safeguards and comply with Subpart C of 45 C.F.R. Part 164 with respect to ePHI to prevent use or disclosure of the PHI, other than as provided for in this Section 7, for as long as Business Associate retains the PHI.
(d) Not use or disclose the PHI retained by Business Associate other than for the purposes for which such PHI was retained and subject to the same conditions set out at Section 3.5, above under “Specific Other Uses and Disclosures” which applied prior to termination.
(e) Return to Covered Entity or destroy the PHI retained by Business Associate when it is no longer needed by Business Associate for its proper management and administration or to carry out its legal responsibilities.
7.4 The obligations of Business Associate under this Section 7 shall survive the termination of this BAA.
8. MISCELLANEOUS.
8.1 The parties agree to take such action as is necessary to amend this BAA to comply with the requirements of the Privacy Rule, the Security Rule, HIPAA, ARRA, the HITECH Act, the Consolidated Appropriations Act, 2021 (CAA-21), the HIPAA Rules, and any other applicable law.
8.2 The respective rights and obligations of Business Associate under 6 and 7 of this BAA shall survive the termination of this BAA.
8.3 This BAA shall be interpreted in the following manner:
(a) Any ambiguity shall be resolved in favor of a meaning that permits Business Associate to comply with the HIPAA Rules.
(b) Any provision of this BAA that differs from those required by the HIPAA Rules, but is nonetheless permitted by the HIPAA Rules, shall be adhered to as stated in this BAA.
8.4 This BAA constitutes the entire agreement between the parties related to the subject matter of this BAA, except to the extent that the Underlying Agreement imposes more stringent requirements related to the use and protection of PHI upon Business Associate. This BAA supersedes all prior negotiations, discussions, representations, or proposals, whether oral or written. This BAA may not be modified unless done so in writing and signed by a duly authorized representative of both parties. If any provision of this BAA, or part thereof, is found to be invalid, the remaining provisions shall remain in effect.
8.5 This BAA will be binding on the successors and assigns of the Covered Entity and the Business Associate. However, this BAA may not be assigned, in whole or in part, without the written consent of the other party. Any attempted assignment in violation of this provision shall be null and void.
8.6 This BAA may be executed in two or more counterparts, each of which shall be deemed an original.
8.7 Except to the extent preempted by federal law, this BAA shall be governed by and construed in accordance with the same internal laws as that of the Underlying Agreement.
9. PART 2.
9.1 If Covered Entity is a provider type subject to 42 C.F.R. Part 2 Confidentiality of Substance Use Disorder Patient Records (“Part 2”) and Business Associate will necessarily have access to and use such records pursuant to the Underlying Agreement, Covered Entity and Business Associate hereby agree to comply with the applicable Part 2 SUD Rules by February 2026 (the “Enforcement Date”).
9.2 Subject to the applicability, necessity, and Enforcement Date set forth in Section 9.1, Covered Entity and Business Associate also agree as follows:
(a) Certain of Covered Entity’s operations may constitute a “program” (the “Part 2 Program”) as defined in the federal alcohol and drug rehabilitation regulations in Part 2. With respect to the Part 2 Program, Business Associate may be a “qualified service organization” as defined under Part 2.
(b) “Substance Use Disorder Records” means the subset of PHI that is records, as defined under Part 2.
(c) As of the Enforcement Date, Business Associate represents and warrants that it has implemented and at all times will maintain training of all members of its workforce to ensure that such personnel have a reasonable and appropriate awareness and understanding of Business Associate’s obligations with regard to Part 2.
(d) As of the Enforcement Date, any disclosure of Substance Use Disorder Records by the Business Associate to a Subcontractor or agent of Business Associate shall be pursuant to a writing containing the requirements of Part 2 regarding qualified service organizations in addition to the requirements set forth in Section 2.5.
(e) As of the Enforcement Date, subject to Covered Entity’s compliance with its obligations set forth in Section 4, Business Associate shall not use or further disclose Substance Use Disorder Records in a manner that would violate Part 2 if done by Covered Entity.