CadLink Anywhere™ Cloud Services Agreement
This Cloud Services Agreement (“Agreement”) is a binding contract between you (“Customer,” “you,” or “your”) and Cadwell Laboratories, Inc. (“Provider,” “we,” or “us”). This Agreement, together with any Order, governs your access to and use of the Cloud Services. In case of any conflict between this Agreement and any Order, the terms of this Agreement shall control, unless agreed between the parties in writing which explicitly references the Sections of this Agreement to be modified.
BY ACCESSING OR USING THE CLOUD SERVICES YOU (A) ACKNOWLEDGE THAT YOU HAVE READ AND UNDERSTAND THIS AGREEMENT; (B) REPRESENT AND WARRANT THAT YOU HAVE THE RIGHT, POWER, AND AUTHORITY TO ENTER INTO THIS AGREEMENT AND, IF ENTERING INTO THIS AGREEMENT FOR AN ORGANIZATION, THAT YOU HAVE THE LEGAL AUTHORITY TO BIND THAT ORGANIZATION; AND (C) ACCEPT THIS AGREEMENT AND AGREE THAT YOU ARE LEGALLY BOUND BY ITS TERMS. IF YOU DO NOT ACCEPT THESE TERMS, YOU MAY NOT ACCESS OR USE THE CLOUD SERVICES.
1. DEFINITIONS
(a) “Anonymized Data” means system-level performance, aggregated statistical data, and de-identified Customer Data that does not contain Protected Health Information (PHI).
(b) “Authorized User” means Customer and Customer’s employees, consultants, contractors, and agents (i) who are authorized by Customer to access and use the Cloud Services under the rights granted to Customer pursuant to this Agreement and (ii) for whom access to the Cloud Services has been purchased hereunder.
(c) “Cloud Services” means the services provided by Provider under this Agreement that are reflected in the Order and CadCare Membership support as described on Provider’s website located at https://www.cadwell.com/cadcare/.
(d) “Customer Data” means information, data, and other content, in any form or medium, that is submitted, posted, or otherwise transmitted by or on behalf of Customer or any other Authorized User through the Cloud Services.
(e) “Documentation” means Provider’s user manuals, handbooks, and guides relating to the Cloud Services provided by Provider to Customer either electronically or in hard copy form.
(f) “Effective Date” means the date of first use of the Cloud Services by the Customer.
(g) “Order” means the purchase order, work statement, form or quote under which an order is placed by Customer to Provider for the Cloud Services. The Order is incorporated by reference into this Agreement as if set forth fully herein.
(h) “Provider IP” means the Cloud Services, the Documentation, and all intellectual property provided to Customer or any other Authorized User in connection with the foregoing. For the avoidance of doubt, Provider IP includes Aggregated Statistics and any information, data, or other content derived from Provider’s monitoring of Customer’s access to or use of the Cloud Services, but does not include Customer Data.
(i) “Third-Party Products” means any products, content, services, information, websites, or other materials that are owned by third parties and are incorporated into or accessible through the Cloud Services.
2. ACCESS AND USE
(a) Provision of Access. Subject to and conditioned on your payment of Fees and compliance with all the terms and conditions of this Agreement, Provider hereby grants you a revocable, non-exclusive, non-transferable, non-sublicensable, non-assignable limited right to access and use the Cloud Services during the Term solely for your internal business operations by Authorized Users in accordance with the terms and conditions herein. Provider shall provide you the necessary passwords and access credentials to allow you to access the Cloud Services.
(b) Documentation License. Subject to the terms and conditions contained in this Agreement, Provider hereby grants you a non-exclusive, non-sublicensable, non-transferable, non-assignable license for Authorized Users to use the Documentation during the Term solely for your internal business purposes in connection with use of the Cloud Services.
(c) Downloadable Software. Use of the Cloud Services may require or include use of downloadable software. Provider grants you a non-transferable, non-exclusive, non-assignable, limited right for Authorized Users to use downloadable software we provide solely as part of the Cloud Services provided under this Agreement. Any Third-Party Products that consist of downloadable software are subject to the terms of Section 3(e).
(d) Use Restrictions. You shall not, and shall not permit any Authorized Users to, use the Cloud Services, any software component of the Cloud Services, or Documentation for any purposes beyond the scope of the access granted in this Agreement. You shall not at any time, directly or indirectly, and shall not permit any Authorized Users to: (i) copy, modify, or create derivative works of the Cloud Services, any software component of the Cloud Services, or Documentation, in whole or in part; (ii) rent, lease, lend, sell, license, sublicense, assign, distribute, publish, transfer, or otherwise make available the Cloud Services or Documentation except as expressly permitted under this Agreement; (iii) reverse engineer, disassemble, decompile, decode, adapt, or otherwise attempt to derive or gain access to any software component of the Cloud Services, in whole or in part; (iv) remove any proprietary notices from the Cloud Services or Documentation; (v) use the Cloud Services or Documentation in any manner or for any purpose that infringes, misappropriates, or otherwise violates any intellectual property right or other right of any person, or that violates any applicable law, regulation, or rule; (vi) use the Cloud Services to send or store infringing, libelous, or otherwise unlawful or tortious material, or to store or submit malicious or harmful code; (vii) interfere with or disrupt the integrity or performance of the Cloud Services or the data contained therein; (viii) attempt to gain unauthorized access to the Cloud Services or its related systems or networks; or (ix) disclose the results of any benchmark or performance tests of the Subscription Service.
(e) Aggregated Statistics. Notwithstanding anything to the contrary in this Agreement, Provider may monitor Customer’s use of the Cloud Services and collect and compile data and information related to Customer’s use of the Cloud Services to be used by Provider in an aggregated and anonymized manner, including but not limited to compiling statistical and performance information related to the provision and operation of the Cloud Services (“Aggregated Statistics”). As between Provider and Customer, all right, title, and interest in Aggregated Statistics, and all intellectual property rights therein, belong to and are retained solely by Provider. You acknowledge that Provider may compile Aggregated Statistics based on Customer Data input into the Cloud Services. You agree that Provider may (i) make Aggregated Statistics publicly available in compliance with applicable law, and (ii) use Aggregated Statistics to the extent and in the manner permitted under applicable law; provided that such Aggregated Statistics do not identify Customer or Customer’s Confidential Information.
(f) Reservation of Rights. Provider reserves all rights not expressly granted to Customer in this Agreement. Except for the limited rights and licenses expressly granted under this Agreement, nothing in this Agreement grants, by implication, waiver, estoppel, or otherwise, to Customer or any third party any intellectual property rights or other right, title, or interest in or to the Provider IP.
(g) Suspension. Notwithstanding anything to the contrary in this Agreement, Provider may temporarily or permanently suspend Customer’s and any other Authorized User’s access to any portion or all of the Cloud Services if: (i) Provider reasonably determines that (A) there is a threat or attack on any of the Provider IP; (B) Customer’s or any other Authorized User’s use of the Provider IP disrupts or poses a security risk to the Provider IP or to any other customer or vendor of Provider; (C) Customer or any other Authorized User is using the Provider IP for fraudulent or illegal activities; (D) subject to applicable law, Customer has ceased to continue its business in the ordinary course, made an assignment for the benefit of creditors or similar disposition of its assets, or become the subject of any bankruptcy, reorganization, liquidation, dissolution, or similar proceeding; or (E) Provider’s provision of the Cloud Services to Customer or any other Authorized User is prohibited by applicable law; (ii) any vendor of Provider has suspended or terminated Provider’s access to or use of any third-party services or products required to enable Customer to access the Cloud Services; or (iii) in accordance with Section 4 (any such suspension described in subclause (i), (ii), or (iii), a “Service Suspension”). Provider shall use commercially reasonable efforts to provide written notice of any Service Suspension to Customer and to provide updates regarding resumption of access to the Cloud Services following any Service Suspension. Provider shall use commercially reasonable efforts to resume providing access to the Cloud Services as soon as reasonably possible after the event giving rise to the Cloud Services Suspension is cured. Provider will have no liability for any damage, liabilities, losses (including any loss of or profits), or any other consequences that Customer or any other Authorized User may incur as a result of a Service Suspension.
(h) Maintenance. Scheduled and unscheduled maintenance will be performed periodically by Provider. Provider will use commercially reasonable efforts to notify Customer at least fourteen (14) days in advance of any routine maintenance. In the event of an unscheduled maintenance event, Provider will use commercially reasonable efforts to notify Customer as soon as is reasonably practical.
3. CUSTOMER RESPONSIBILITIES
(a) Acceptable Use Policy. The Cloud Services may not be used for unlawful, fraudulent, offensive, or obscene activity. You will comply with all terms and conditions of this Agreement, all applicable laws, rules, and regulations, and all guidelines, standards, and requirements related to the use of the Cloud Services.
(b) Account Use. You are responsible and liable for all uses of the Cloud Services and Documentation resulting from access provided by you, directly or indirectly, whether such access or use is permitted by or in violation of this Agreement. Without limiting the generality of the foregoing, you are responsible for all acts and omissions of Authorized Users, and any act or omission by an Authorized User that would constitute a breach of this Agreement if taken by you will be deemed a breach of this Agreement by you. You shall use reasonable efforts to make all Authorized Users aware of this Agreement’s provisions as applicable to such Authorized Users’ use of the Cloud Services and shall cause Authorized Users to comply with such provisions.
(c) Customer Data. You hereby grant to Provider a non-exclusive, royalty-free, worldwide license, as allowed by law, to reproduce, distribute, and otherwise use and display the Customer Data and perform all acts with respect to the Customer Data as may be necessary for Provider to provide the Cloud Services to you, and a non-exclusive, perpetual, irrevocable, royalty-free, transferrable and sub-licensable worldwide license to reproduce, distribute, modify, and otherwise use and display Customer Data incorporated within the Aggregated Statistics and/or Anonymized Data. You will ensure that Customer Data and any Authorized User’s use of Customer Data will not violate any policy or terms referenced in or incorporated into this Agreement or any applicable law. You are solely responsible for the development, content, operation, maintenance, and use of Customer Data.
(d) Passwords and Access Credentials. You are responsible for keeping your passwords and access credentials associated with the Cloud Services confidential. You will not sell or transfer them to any other person or entity. You will promptly notify us about any unauthorized access to your passwords or access credentials.
(e) Third-Party Products. The Services may permit access to Third-Party Products. For purposes of this Agreement, such Third-Party Products are subject to their own terms and conditions presented to you for acceptance within the Cloud Services by website link or otherwise. If you do not agree to abide by the applicable terms for any such Third-Party Products, then you should not install, access, or use such Third-Party Products.
(f) System Requirements. Customer must ensure that all equipment, software and the computing environment used to access the Cloud Services comply with any system requirements designated by Provider. Customer will be solely responsible for all computer functionality, operating system and network services in relation to your equipment. Such systems requirements include the implementation and maintenance programs for network firewall provisioning, intrusion detection, and regular vulnerability assessments. Customer further agrees to maintain network security that conforms to generally recognized industry standards and best practices to prevent malware from being coded or introduced, or other unauthorized intrusions, into the systems used in connection with the Cloud Services.
(g) Excess Data Egress Fees. Normal usage of Cloud Services incurs Provider data egress fees from hosting platforms. These fees are absorbed into Cloud Services pricing plans. Should Customer usage incur excess fees, Provider reserves the right to charge Customer for fees. Cloud Services fees are calculated monthly.
4. FEES AND PAYMENT
Customer shall pay Provider the agreed upon fees in accordance with terms of the Order (“Fees”). Provider may suspend, in accordance with Section 2(g), Customer’s and all other Authorized Users’ access to any portion or all of the Cloud Services until such amounts are paid in full. Payment terms are net thirty (30) days from the invoice date. All payments made after thirty (30) calendar days are subject to a service charge equal to 2% of the total amount due for each month the payment is in arrears. It shall be deemed a material breach giving Provider the right of termination under Section 11(b)(ii) below if Fees are in arrears for thirty (30) days or more. In the event Provider modifies its fees and prices, it shall give Customer thirty (30) days written notice.
5. CONFIDENTIAL INFORMATION
From time to time during the Term, Provider and Customer may disclose or make available to the other party information about its business affairs, products, confidential intellectual property, trade secrets, third-party confidential information, and other sensitive or proprietary information, whether orally or in written, electronic, or other form or media/in written or electronic form or media, and whether or not marked, designated, or otherwise identified as “confidential” at the time of disclosure (collectively, “Confidential Information”). Confidential Information does not include information that, at the time of disclosure, is: (a) in the public domain; (b) known to the receiving party; (c) rightfully obtained by the receiving party on a non-confidential basis from a third party; or (d) independently developed by the receiving party. The receiving party shall not disclose the disclosing party’s Confidential Information to any person or entity, except to the receiving party’s employees, agents, or subcontractors who have a need to know the Confidential Information for the receiving party to exercise its rights or perform its obligations hereunder and who are required to protect the Confidential Information in a manner no less stringent than required under this Agreement. Notwithstanding the foregoing, each party may disclose Confidential Information to the limited extent required (i) to comply with the order of a court or other governmental body, or as otherwise necessary to comply with applicable law, provided that the party making the disclosure pursuant to the order shall first have given written notice to the other party and made a reasonable effort to obtain a protective order; or (ii) to establish a party’s rights under this Agreement, including to make required court filings. 
Each party’s obligations of non-disclosure with regard to Confidential Information are effective as of the date such Confidential Information is first disclosed to the receiving party and will expire five years thereafter; provided, however, with respect to any Confidential Information that constitutes a trade secret (as determined under applicable law), such obligations of non-disclosure will survive the termination or expiration of this Agreement for as long as such Confidential Information remains subject to trade secret protection under applicable law.
6. PRIVACY NOTICE
Provider shall comply with the Business Associate Agreement attached hereto and incorporated herein.
7. INTELLECTUAL PROPERTY OWNERSHIP; FEEDBACK
As between you and us, (a) we own all right, title, and interest, including all intellectual property rights, in and to the Cloud Services, and (b) you own all right, title, and interest, including all intellectual property rights, in and to Customer Data. If you or any of your Authorized Users sends or transmits any communications or materials to us by mail, email, telephone, or otherwise, suggesting or recommending changes to the Cloud Services, including without limitation, new features or functionality relating thereto, or any comments, questions, suggestions, or the like (“Feedback”), we are free, but not obligated, to use such Feedback irrespective of any other obligation or limitation between you and us governing such Feedback. All Feedback is and will be treated as non-confidential. You hereby assign to us on your behalf, and shall cause your employees, contractors, and agents to assign, all right, title, and interest in, and we are free to use, without any attribution or compensation to you or any third party, any ideas, know-how, concepts, techniques, or other intellectual property rights contained in the Feedback, for any purpose whatsoever.
8. LIMITED WARRANTY AND WARRANTY DISCLAIMER
(a) Provider warrants that it provides Cloud Services using a commercially reasonable level of care and skill. THE FOREGOING WARRANTY DOES NOT APPLY, AND PROVIDER STRICTLY DISCLAIMS ALL WARRANTIES, WITH RESPECT TO ANY THIRD-PARTY PRODUCTS OR SERVICES.
(b) Customer Warranty. You warrant that you (i) own all rights, title, and interest, including all intellectual property rights, in and to Customer Data and that both the Customer Data and your use of the Cloud Services are in compliance with the terms and conditions herein; (ii) have the requisite power and authority to enter into this Agreement; and, (iii) your use of the Cloud Services complies with all applicable laws, regulations, and rules.
(c) EXCEPT FOR THE LIMITED WARRANTY SET FORTH IN SECTION 8(a), THE CLOUD SERVICES ARE PROVIDED “AS IS” AND PROVIDER SPECIFICALLY DISCLAIMS ALL WARRANTIES, WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE. PROVIDER SPECIFICALLY DISCLAIMS ALL IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, AND NON-INFRINGEMENT, AND ALL WARRANTIES ARISING FROM COURSE OF DEALING, USAGE, OR TRADE PRACTICE. PROVIDER MAKES NO WARRANTY OF ANY KIND THAT THE CLOUD SERVICES, OR ANY PRODUCTS OR RESULTS OF THE USE THEREOF, WILL MEET YOUR OR ANY OTHER PERSON’S OR ENTITY’S REQUIREMENTS, OPERATE WITHOUT INTERRUPTION, ACHIEVE ANY INTENDED RESULT, BE COMPATIBLE OR WORK WITH ANY OF YOUR OR ANY THIRD PARTY’S SOFTWARE, SYSTEM, OR OTHER SERVICES, OR BE SECURE, ACCURATE, COMPLETE, FREE OF HARMFUL CODE, OR ERROR-FREE, OR THAT ANY ERRORS OR DEFECTS CAN OR WILL BE CORRECTED.
9. INDEMNIFICATION
(a) Provider Indemnification.
i. Provider shall indemnify, defend, and hold harmless Customer from and against any and all losses, damages, liabilities, deficiencies, claims, actions, judgments, settlements, interest, awards, penalties, fines, costs, or expenses of whatever kind, including reasonable attorneys’ fees (“Losses”), incurred by Customer resulting from any third-party claim, suit, action, or proceeding (“Third-Party Claim”) that the Cloud Services, or any use of the Cloud Services in accordance with this Agreement, infringes or misappropriates such third party’s US intellectual property rights, provided that Customer promptly notifies Provider in writing of the Third-Party Claim, cooperates with Provider, and allows Provider sole authority to control the defense and settlement of such Third-Party Claim.
ii. If such a Third-Party Claim is made or Provider reasonably anticipates such a Third-Party Claim will be made, Customer agrees to permit Provider, at Provider’s sole discretion, to (A) modify or replace the Cloud Services, or component or part thereof, to make it non-infringing, or (B) obtain the right for Customer to continue use. If Provider determines that neither alternative is reasonably available, Provider may terminate this Agreement, in its entirety or with respect to the affected component or part, effective immediately on written notice to Customer. This Section 9(a)(ii) sets forth your sole remedies and our sole liability and obligation for any actual, threatened, or alleged Third-Party Claims that the Cloud Services infringe, misappropriate, or otherwise violate any intellectual property rights of any third party.
iii. This Section 9(a) will not apply to the extent that any such Third-Party Claim arises from Customer Data or Third-Party Products.
(b) Customer Indemnification. Customer shall indemnify, hold harmless, and, at Provider’s option, defend Provider and its officers, directors, employees, agents, affiliates, successors, and assigns from and against any and all Losses arising from or relating to any Third-Party Claim (i) that the Customer Data, or any use of the Customer Data in accordance with this Agreement, infringes or misappropriates such third party’s US intellectual property rights; (ii) based on Customer’s or any Authorized User’s misconduct or use of the Cloud Services in a manner not authorized by this Agreement; or (iii) arising from any breach of Customer’s Responsibilities under Section 3 of this Agreement or Customer’s warranties under Section 8(b) of this Agreement, provided that Customer may not settle any Third-Party Claim against Provider unless Provider consents to such settlement, and further provided that Provider will have the right, at its option, to defend itself against any such Third-Party Claim or to participate in the defense thereof by counsel of its own choice.
10. LIMITATIONS OF LIABILITY
IN NO EVENT WILL PROVIDER BE LIABLE UNDER OR IN CONNECTION WITH THIS AGREEMENT UNDER ANY LEGAL OR EQUITABLE THEORY, INCLUDING BREACH OF CONTRACT, TORT (INCLUDING NEGLIGENCE), STRICT LIABILITY, OR OTHERWISE, FOR ANY: (a) CONSEQUENTIAL, INCIDENTAL, INDIRECT, EXEMPLARY, SPECIAL, ENHANCED, OR PUNITIVE DAMAGES; (b) INCREASED COSTS, DIMINUTION IN VALUE OR LOST BUSINESS, PRODUCTION, REVENUES, OR PROFITS; (c) LOSS OF GOODWILL OR REPUTATION; (d) USE, INABILITY TO USE, LOSS, INTERRUPTION, DELAY OR RECOVERY OF ANY DATA, OR BREACH OF DATA OR SYSTEM SECURITY; OR (e) COST OF REPLACEMENT GOODS OR SERVICES, IN EACH CASE REGARDLESS OF WHETHER PROVIDER WAS ADVISED OF THE POSSIBILITY OF SUCH LOSSES OR DAMAGES OR SUCH LOSSES OR DAMAGES WERE OTHERWISE FORESEEABLE. IN NO EVENT WILL PROVIDER’S AGGREGATE LIABILITY ARISING OUT OF OR RELATED TO THIS AGREEMENT UNDER ANY LEGAL OR EQUITABLE THEORY, INCLUDING BREACH OF CONTRACT, TORT (INCLUDING NEGLIGENCE), STRICT LIABILITY, OR OTHERWISE, EXCEED THE TOTAL AMOUNTS PAID TO PROVIDER UNDER THIS AGREEMENT IN THE TWELVE MONTHS PRECEDING THE DATE THAT THE CLAIM ARISES.
11. TERM AND TERMINATION
(a) Term. The term of this Agreement begins on the Effective Date and continues for one (1) calendar year, and shall automatically renew in thirty (30) day increments thereafter, until terminated per Section 11(b).
(b) Termination. In addition to any other express termination rights set forth in this Agreement:
i. Provider may terminate this Agreement, for any reason upon thirty (30) days advance notice. You may terminate this Agreement for any reason upon sixty (60) days advance notice.
ii. Either party may terminate this Agreement, effective on written notice to the other party, if the other party materially breaches this Agreement, and such breach: (A) is incapable of cure; or (B) being capable of cure, remains uncured thirty (30) days after the non-breaching party provides the breaching party with written notice of such breach; or
iii. Either party may terminate this Agreement, effective immediately upon written notice to the other party, if the other party: (A) becomes insolvent or is generally unable to pay, or fails to pay, its debts as they become due; (B) files or has filed against it, a petition for voluntary or involuntary bankruptcy or otherwise becomes subject, voluntarily or involuntarily, to any proceeding under any domestic or foreign bankruptcy or insolvency law; (C) makes or seeks to make a general assignment for the benefit of its creditors; or (D) applies for or has appointed a receiver, trustee, custodian, or similar agent appointed by order of any court of competent jurisdiction to take charge of or sell any material portion of its property or business.
(c) Effect of Termination. Upon termination of this Agreement,
i. Customer shall immediately discontinue use of the Provider IP. No expiration or termination of this Agreement will affect Customer’s obligation to pay all Fees that may have become due before such expiration or termination, or entitle Customer to any refund.
ii. Provider shall retain Customer Data for a period of ninety (90) days after termination of this Agreement, and upon request of Customer, shall provide a copy of such data in a reasonably accessible electronic format. Provider has the right to delete Customer Data ninety (90) days after termination of this Agreement.
(d) Survival. This Section 11(d), Sections 3(c), 4, 5, 9, 10, 13, 14, and 15, and any right, obligation, or required performance of the parties in this Agreement which, by its express terms or nature and context is intended to survive termination or expiration of this Agreement, will survive any such termination or expiration.
12. MODIFICATIONS
You acknowledge and agree that we have the right, in our sole discretion, to modify this Agreement from time to time, and that modified terms become effective on posting. You will be notified of modifications through direct written communication from us. You are responsible for reviewing and becoming familiar with any such modifications. Your continued use of the Cloud Services after the effective date of the modifications will be deemed acceptance of the modified terms. Provider will provide at least sixty (60) days advance notice of changes to any service level that Provider reasonably anticipates may result in a material reduction in quality or services.
13. EXPORT REGULATION
The Cloud Services utilize software and technology that may be subject to US export control laws, including the US Export Administration Act and its associated regulations. You shall not, directly or indirectly, export, re-export, or release the Cloud Services or the software or technology included in the Cloud Services to, or make the Cloud Services or the software or technology included in the Cloud Services accessible from, any jurisdiction or country to which export, re-export, or release is prohibited by law, regulation, or rule. You shall comply with all applicable federal laws, regulations, and rules, and complete all required undertakings (including obtaining any necessary export license or other governmental approval), prior to exporting, re-exporting, releasing, or otherwise making the Cloud Services or the software or technology included in the Cloud Services available outside the US.
14. GOVERNING LAW AND JURISDICTION
This Agreement is governed by and construed in accordance with the internal laws of the State of Washington without giving effect to any choice or conflict of law provision or rule that would require or permit the application of the laws of any jurisdiction other than those of the State of Washington. Except as otherwise set forth herein, any legal suit, action, or proceeding arising out of or related to this agreement or the rights granted hereunder will be instituted exclusively in the United States District Court for the Eastern District of Washington or the courts of the State of Washington in each case located in the city of Richland and County of Benton, and each party irrevocably submits to the exclusive jurisdiction of such courts in any such suit, action, or proceeding.
15. MISCELLANEOUS
This Agreement constitutes the entire agreement and understanding between the parties hereto with respect to the subject matter hereof and supersedes all prior and contemporaneous understandings, agreements, representations, and warranties, both written and oral, with respect to such subject matter. Any notices to us must be sent to our corporate headquarters address at 909 N. Kellogg St., Kennewick, WA 99336, and must be delivered either in person, by certified or registered mail, return receipt requested and postage prepaid, or by recognized overnight courier service, and are deemed given upon receipt by us. Notwithstanding the foregoing, you hereby consent to receiving electronic communications from us. These electronic communications may include notices about applicable fees and charges, transactional information, and other information concerning or related to the Cloud Services. You agree that any notices, agreements, disclosures, or other communications that we send to you electronically will satisfy any legal communication requirements, including that such communications be in writing. The invalidity, illegality, or unenforceability of any provision herein does not affect any other provision herein or the validity, legality, or enforceability of such provision in any other jurisdiction. Any failure to act by us with respect to a breach of this Agreement by you or others does not constitute a waiver and will not limit our rights with respect to such breach or any subsequent breaches. This Agreement is personal to you and may not be assigned or transferred for any reason whatsoever without our prior written consent and any action or conduct in violation of the foregoing will be void and without effect. We expressly reserve the right to assign this Agreement and to delegate any of its obligations hereunder.
16. CUMULATIVE REMEDIES
The rights and remedies provided by this Agreement are cumulative and the use of any one right or remedy by any party shall not preclude or waive its right to use any or all other remedies. Said rights and remedies are given in addition to any other rights the parties may have by law, statute, ordinance or otherwise.
Business Associate Agreement
This Business Associate Agreement (“Agreement”) is entered into by and between Customer (“Covered Entity”) and Cadwell Laboratories, Inc. (the “Business Associate”) (each a “Party” and collectively the “Parties”), and is made a part of the Cloud Services Agreement (the “Service Agreement”) pursuant to which Business Associate provides a service or services to Covered Entity that involves the creation, receipt, maintenance, or transmission of Covered Entity Protected Health Information (“PHI”).
NOW, THEREFORE, for good and valuable consideration, the sufficiency of which is hereby acknowledged, the Parties agree as follows:
I. DEFINITIONS:
A. Terms used but not otherwise defined in this Agreement shall have the same meaning as the meaning ascribed to those terms in the Health Insurance Portability and Accountability Act of 1996, as codified at 42 U.S.C. § 1320d (“HIPAA”), the Health Information Technology for Economic and Clinical Health Act of 2009, as codified at 42 U.S.C. § 17901 et seq. (“HITECH Act”), and any current and future regulations promulgated under HIPAA or the HITECH Act (HIPAA, HITECH Act and any current and future regulations promulgated under either are referred to as the “Regulations”).
B. Protected Health Information or PHI. “Protected Health Information” or “PHI” shall have the same meaning as the term “Protected Health Information” in 45 CFR § 160.103, limited to the information created, received, maintained or transmitted by Business Associate from or on behalf of Covered Entity, including but not limited to electronic PHI.
II. PERMITTED USES AND DISCLOSURES BY BUSINESS ASSOCIATE:
A. Business Associate may only use and disclose PHI as permitted by this Agreement or as required by law. Specifically, Business Associate may (1) use and disclose PHI to perform its obligations as set forth in the Services Agreement, provided that such use or disclosure would not violate HIPAA if done by Covered Entity; (2) use PHI for the proper management and administration of Business Associate or to carry out its legal responsibilities; (3) disclose PHI for the proper management and administration of Business Associate or to carry out its legal responsibilities, if such disclosure is required by law or if Business Associate obtains reasonable assurances from the recipient that the recipient will keep the PHI confidential, use or further disclose the PHI only as required by law or for the purpose for which it was disclosed to the recipient, and notify Business Associate of any instances of which it is aware in which the confidentiality of the PHI has been breached; (4) use PHI to provide data aggregation services relating to the health care operations of Covered Entity at the request and direction of Covered Entity; and (5) use PHI to create de-identified information for use by Covered Entity consistent with the standards set forth at 45 CFR § 164.514 and at the request and direction of Covered Entity. Business Associate will not sell PHI or use or disclose PHI for purposes of marketing, as defined and proscribed in the Regulations.
B. Business Associate will limit its uses and disclosures of, and requests for, PHI (1) when practical, to the information making up a Limited Data Set; and (2) in all other cases subject to the requirements of 45 CFR § 164.502(b), to the minimum amount of PHI necessary to accomplish the intended purpose of the use, disclosure or request.
III. OBLIGATIONS AND ACTIVITIES OF BUSINESS ASSOCIATE:
A. Business Associate agrees not to use or disclose PHI other than as permitted or required by the Cloud Services Agreement, this Agreement, or as required by law. Business Associate will comply with the provisions of this Agreement related to privacy and security of PHI and the Regulations, as they may be modified from time to time, and that are applicable to Covered Entity or Business Associate. To the extent that Business Associate performs any of Covered Entity’s obligations under the Privacy Rule, Business Associate will comply with the requirements of the Privacy Rule that apply to Covered Entity in the performance of such obligation.
B. Business Associate agrees to use appropriate administrative, physical and technical safeguards, and comply with the Security Rule with respect to electronic PHI, to prevent the use or disclosure of the PHI other than as provided for by this Agreement.
C. Business Associate acknowledges and agrees that under the HITECH Act (i) the requirements of Sections 164.308 (administrative safeguards), 164.310 (physical safeguards), 164.312 (technical safeguards) and 164.316 (policies and procedures and documentation requirements) of the Security Rule apply to Business Associate in the same manner that such sections apply to Covered Entity, and (ii) the additional requirements of the HITECH Act that relate to security and that are made applicable to Covered Entity shall also be applicable to Business Associate (with such security requirements in (i) and (ii) above collectively referred to as the “HITECH Act Security Requirements”). Business Associate shall comply with the HITECH Act Security Requirements which shall be, by this reference, incorporated into this BA Agreement.
D. Unless Covered Entity agrees, in writing, that this requirement is infeasible with respect to particular data, Business Associate shall secure all Protected Health Information by a technology standard that renders Protected Health Information unusable, unreadable, or indecipherable to unauthorized individuals consistent with guidance issued by the Secretary, including the use of standards developed under Section 3002(b)(2)(B)(vi) of the Public Health Service Act, as added by the HITECH Act.
E. Business Associate shall ensure that any agents and subcontractors that create, receive, maintain or transmit PHI on behalf of Business Associate agree to comply with the same restrictions, conditions, and requirements that apply through this Agreement or otherwise to Business Associate with respect to such information. Business Associate shall enter into written agreements with any subcontractors, and the terms of such agreements shall incorporate the applicable requirements of, and otherwise comply with, the Regulations.
F. Business Associate will make available during normal business hours at Business Associate’s offices all records, books, agreements, internal practices, policies and procedures relating to the use or disclosure of PHI to the Secretary, in a time and manner designated by the Secretary, for purposes of determining compliance with the Regulations, subject to attorney-client and other applicable legal privileges.
G. Business Associate will provide documentation regarding any disclosures by Business Associate that would be required for an accounting of disclosures to an Individual under 45 CFR § 164.528 and the HITECH Act, within a reasonable amount of time of receipt of a request from Covered Entity. Any request under § 164.528 from an Individual made directly to Business Associate will be referred within five (5) business days to Covered Entity.
H. To the extent Business Associate maintains PHI in a Designated Record Set, Business Associate agrees to make PHI available for amendment and incorporate any amendments to PHI in accordance with the requirements of 45 C.F.R. § 164.526. Any request under § 164.526 from an Individual made directly to Business Associate will be referred within five (5) business days to Covered Entity.
I. To the extent Business Associate maintains PHI in a Designated Record Set, Business Associate agrees to make PHI available to the extent and in the manner required by 45 C.F.R. § 164.524. Any request under § 164.524 from an Individual made directly to Business Associate will be referred within five (5) business days to Covered Entity.
J. Business Associate agrees to comply with any requests for restrictions on certain disclosures of PHI to which Covered Entity has agreed in accordance with 45 C.F.R. § 164.522 and the Regulations and of which Business Associate has been notified by Covered Entity.
K. Business Associate will mitigate, to the extent practicable, any harmful effects from any use or disclosure of PHI by Business Associate not permitted by this Agreement.
L. Business Associate agrees to notify within five (5) business days the designated Privacy Official of the Covered Entity of any use or disclosure of PHI by Business Associate not permitted by this Agreement, any Security Incident, and any Breach of Unsecured Protected Health Information of which Business Associate becomes aware. The parties agree that this section satisfies any notices necessary by Business Associate to Covered Entity of the ongoing existence and occurrence of attempted but Unsuccessful Security Incidents (as defined below) for which no additional notice to Covered Entity shall be required. For purposes of this Agreement, “Unsuccessful Security Incidents” include attempted but unsuccessful activity such as pings and other broadcast attacks on Business Associate’s firewall, port scans, unsuccessful log-on attempts, denials of service and any combination of the above, so long as no such incident results in unauthorized access, use or disclosure of Covered Entity’s Protected Health Information.
1. Business Associate shall provide the following information to Covered Entity within ten (10) business days of discovery of a breach of unsecured PHI except when despite all reasonable efforts by Business Associate to obtain the information required, circumstances beyond the control of the Business Associate necessitate additional time. Under such circumstances Business Associate shall provide to Covered Entity the following information as soon as possible and without unreasonable delay, but in no event later than thirty (30) calendar days from the date of discovery of a breach:
a. the date of the breach;
b. the date of the discovery of the breach;
c. a description of the types of unsecured PHI that were involved;
d. identification of each individual whose unsecured PHI has been, or is reasonably believed to have been, accessed, acquired, or disclosed; and
e. any other details necessary to complete a risk assessment in accordance with the Regulations.
2. Business Associate will cooperate with Covered Entity in providing notification to individuals whose unsecured PHI has been disclosed, as well as to the Secretary and the media, to the extent required by Sec. 13402 of the HITECH Act, 42 U.S.C. § 17932, provided that Business Associate shall not provide any such notifications on behalf of Covered Entity without the express written consent of Covered Entity.
3. Business Associate agrees to pay actual reasonable costs of notification and of any associated mitigation incurred by Covered Entity, such as credit monitoring, if Covered Entity determines that the breach is significant enough to warrant such measures.
4. Business Associate agrees to establish procedures to investigate the breach, mitigate losses, and protect against any future breaches, and to provide a description of these procedures and the specific findings of the investigation to Covered Entity in the time and manner reasonably requested by Covered Entity.
IV. TERM AND TERMINATION:
A. Term. This Agreement shall become effective on the date of execution of a Services Agreement, and shall terminate upon the later of the termination or expiration of all Services Agreement(s) or when all PHI has been destroyed or returned to Covered Entity. Notwithstanding the foregoing, obligations imposed on either party pursuant to the Regulations must be complied with only when the particular provisions referenced become effective or compliance becomes required, whichever is later.
B. Termination for Cause. Either Party may immediately terminate this Agreement and the Services Agreement(s) if such Party makes the determination that the other Party has breached a material term of this Agreement, in accordance with the terms of the Cloud Services Agreement.
C. Effect of Termination.
1. Upon termination or expiration of this Agreement, Business Associate agrees to return to Covered Entity or destroy, within thirty (30) days of the termination or expiration of this Agreement, all PHI in the possession of Business Associate and/or in the possession of any subcontractor or agent of Business Associate (including without limitation destroying all backup tapes and permanently deleting all electronic PHI) and to retain no copies of the PHI.
2. In the event that returning or destroying the PHI is infeasible, Business Associate shall provide to Covered Entity a written statement that it is infeasible to return or destroy the PHI and describe the conditions that make return or destruction of the PHI infeasible. Upon mutual agreement by the Parties that return or destruction of the PHI is infeasible, Business Associate shall extend the protections of this Agreement to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains the PHI.
V. INDEMNIFICATION:
The Parties agree to indemnify, defend and hold harmless the other and its respective employees, directors, officers, subcontractors, agents or other members of its workforce against all actual and direct losses suffered by the Indemnified Party and all liability to third parties arising from or in connection with any negligent or willful breach of this Agreement or from any negligent or willful acts or omissions related to this Agreement by a Party or its employees, directors, officers, subcontractors, agents or other members of its workforce. Accordingly, on demand, the indemnifying Party shall reimburse any indemnified Party for any and all actual and direct losses, liabilities, lost profits, fines, penalties, costs or expenses (including reasonable attorneys’ fees) which may for any reason be imposed upon any indemnified Party by reason of any suit, claim, action, proceeding or demand by any third party which results from a Party’s negligent or willful acts or omissions hereunder. The Parties’ obligation to indemnify any indemnified Party shall survive the expiration or termination of this Agreement.
VI. MISCELLANEOUS:
A. Amendments. This Agreement may not be modified, nor shall any provision hereof be waived or amended, except in a writing duly signed by authorized representatives of the Parties. In the event that any provision of this Agreement is held by a court of competent jurisdiction to be invalid or unenforceable, the remainder of the provisions of this Agreement will remain in full force and effect. The parties agree to take such action to amend this Agreement from time to time as is necessary to achieve and maintain compliance with the requirements of the Regulations.
B. Survival. The respective rights and obligations of Business Associate and Covered Entity set forth in Sections IV.C. and V shall survive termination of this Agreement.
C. Regulatory References. Any reference herein to a federal regulatory section within the Code of Federal Regulations shall be a reference to such section as it may be subsequently updated, amended or modified.
D. Interpretation. Any ambiguity in this Agreement shall be resolved to permit Covered Entity to comply with HIPAA. Furthermore, in case of any conflict between the terms and conditions of this Agreement and the Services Agreement, the terms and conditions of this Agreement shall prevail.
E. No Third Party Beneficiaries. Nothing express or implied in this Agreement is intended to confer, nor shall anything herein confer, upon any person other than Covered Entity, Business Associate, or their respective successors or assigns, any rights, remedies, obligations or liabilities whatsoever.
F. Assignment. No Party may assign its respective rights and obligations under this Agreement without the prior written consent of the other Party.
G. Independent Contractors. None of the provisions of this Agreement are intended to create, nor will they be deemed to create any relationship between the Parties other than that of independent parties contracting with each other solely for the purposes of effecting the provisions of this Agreement and any other agreements between the Parties evidencing their business relationship.
H. Governing Law. This Agreement will be governed by the laws of the State of Washington.
I. Non-Waiver. No change, waiver or discharge of any liability or obligation hereunder on any one or more occasions shall be deemed a waiver of performance of any continuing or other obligation, or shall prohibit enforcement of any obligation, on any other occasion.
J. Headings. The section headings contained in this Agreement are for reference purposes only and will not affect the meaning of this Agreement.
K. Notices. Any notices given hereunder shall be in writing and addressed as follows:
If to Covered Entity:
Attn: Privacy Official
If to Business Associate:
Cadwell Laboratories, Inc.
Attn: Legal
909 N. Kellogg St.
Kennewick, WA 99336
Rev 7/2023