Terms of Service

These Terms of Service govern the provision of products and service by Pretty Good AI, Inc. (“Service Provider”) to the customer listed on an Order Form executed by Service Provider and the customer (“Customer”). Collectively, these Terms of Service and any executed Order Form are referred to as the “Agreement.” Capitalized terms not defined in these Terms of Service have the definitions given in the Order Form. In the event of a conflict between the terms of an Order Form and these Terms of Service, the conflicting term of the Order Form will prevail if such conflicting term expresses a specific intent to override a specific provision of these Terms of Service.

DEFINITIONS

“Artificial Intelligence” or “AI” means any machine-based system or functionality that, for explicit or implicit objectives, infers, from the input it receives, how to generate outputs such as predictions, content, recommendations, or decisions that can influence physical or virtual environments. Artificial Intelligence includes, but is not limited to, large language models capable of producing derived synthetic content (e.g., images, videos, audio, text, and other digital content, etc.).

“Confidential Information” means all nonpublic information disclosed by one party (as “Discloser”) directly or indirectly to the other (as “Recipient”) that is designated as confidential or proprietary or that reasonably appears to be confidential due to the nature of the information or the circumstances of disclosure, including but not limited to, information relating to the terms and conditions of the Agreement; information relating to unreleased products or services of Discloser; marketing or business plans, promotions, or financial information relating to Discloser’s business; business policies or practices of Discloser; the identity of Discloser’s current or prospective customers or suppliers; the terms and conditions of any agreements or relationships Discloser has with its customers or suppliers; or information received from others that Discloser is obligated to treat as confidential. The Customer Data is expressly Customer’s Confidential Information.

“Contact” means a patient, customer, or other third-party individual or entity who interacts with the Service (such as by contacting Customer through a Service-enhanced channel such as phone or internet), or whose Personal Data otherwise appears in the Customer Data.

“Customer Branding” means any name, logo, branding materials, or other trademark or service mark provided by Customer to Service Provider for Service Provider’s use under the Agreement.

“Customer Configuration” means any configuration, setting, or other customization within the Service implemented by or on behalf of the Customer to tailor the Service’s operation or outputs for the Customer, including any customer-specific knowledge bases, scripts, prompt templates, disclosure language, and limits on AI-generated outputs.

“Customer Data” means the data or information provided, submitted, or otherwise transmitted by or on behalf of Customer to or through the Service (such as by a Contact interacting with Customer through the Service), including any information, voice recordings, call information, or other data imported into the Service via integrations with Customer-specified third-party products, services, or systems.

“Customer-Provided Materials” means any information, software, Customer Branding, Customer-specific configuration logic or prompts, hardware, electronic media, artwork, designs, tools, equipment, devices, drawings, patterns, proofs, specifications, notes, memoranda, documents, or other material furnished by Customer in connection with Professional Services to be performed by Service Provider pursuant to an Order Form.

“Documentation” means Service Provider’s user manuals, handbooks, and installation guides, if any, relating to the Service and made available by Service Provider to Customer.

“Personal Data” means information that relates to an identified or identifiable individual or household, including without limitation any information qualifying as (i) “protected health information” under the Health Insurance Portability and Accountability Act of 1996, as amended (“HIPAA”) or (ii) “personal information” or “personal data” under the California Consumer Privacy Act, as amended, or any laws based in part on the California Consumer Privacy Act.

“Professional Services” means the integration, consulting, customization, training, or other project-based technical services performed by Service Provider in connection with the Service.

“Required Third-Party Products” means third-party products, services, and/or registrations that are not included in the Service and must be or can be procured, maintained, and managed by Customer to facilitate Service functionality, such as for Customer’s use and/or for interactions with Contacts.

“Service” means Service Provider’s proprietary software-as-a-service platform, as licensed in accordance with the Agreement and as may be further described in the Order Form.

“Subscription Period” means the Initial Subscription Period (as specified in the Order Form) and any and all Renewal Periods (as specified in the Order Form).

“Usage Data” means any aggregated or appropriately de-identified data and statistics collected or created by Service Provider relating to Customer’s use of the Service.

“Work Product” means any documents, computer code, works of authorship, designs, data, or other works that are conceived, made, developed, reduced to practice, fixed in tangible form, or otherwise created or provided by Service Provider in the performance of Professional Services.

THE SERVICE

Licenses; Delivery. Subject to the terms and conditions of the Agreement, including the payment by Customer of the fees described in the applicable Order Form, Service Provider hereby grants to Customer a limited, non-exclusive, non-sublicensable, non-transferable license during the Subscription Period, solely within the United States and its territories that are subject to United States laws, to: (a) access and use the Service for Customer’s internal business purposes, and (b) to use and make a reasonable number of copies of the Documentation solely for Customer’s internal business purposes in connection with Customer’s use of the Service. Service Provider will deliver the Service through a cloud platform that is accessible to Customer via phone, web browser, or other means that Service Provider may make available to its customers.

Service Account Credentials. Customer agrees to ensure that any personnel who interact with the Service on Customer’s behalf safeguard any usernames and passwords used by them to use and access the Service. Customer will notify Service Provider promptly if it learns of any unauthorized use, disclosure, or acquisition of any such login credentials or any other known or suspected breach of the Agreement by Customer personnel and/or breach of security related to the Service. Customer is responsible and liable for all activities that occur under its Service account(s) and for all acts or omissions of its officers, directors, members, shareholders, partners, employees, contractors, and other personnel.

Customer Data.

As between Customer and Service Provider, Customer owns all Customer Data.

If Customer and Service Provider have executed a Business Associate Agreement, then that Business Associate Agreement (the “BAA”) is hereby incorporated into these Terms of Service by this reference, and the parties will comply with that BAA with respect to any Customer Data that is “protected health information,” as that term is defined in HIPAA.

Except to the extent the BAA applies and renders inapplicable all legal requirements for Customer and Service Provider to enter into the Data Processing Addendum attached as Annex A to these Terms of Service (“DPA”), Customer and Service Provider will comply with the DPA.

In any case, Customer is solely responsible for taking any steps that may be legally required for Customer and Contacts to use and interact with the Service, including by:

providing any legally required notices and obtaining any legally required consents for the uses and disclosures of Customer Data by Customer, Service Provider, Service Provider’s subprocessors, and applicable successors, transferees and assignees as contemplated by these Terms of Service and

applying any opt-outs, revocations of consent, or other privacy preferences expressed by a Contact within the legal deadline for doing so.

Customer will not provide Service Provider with Customer Data, or permit a Contact to provide Service Provider with Customer Data, where doing so would:

cause Service Provider to violate any legal requirement through the operation of the Service or provision of Professional Services as contemplated by the Agreement;

obligate Service Provider to provide a Contact with any notice or obtain a consent from any Contact that Service Provider is not already providing and obtaining for Service Provider; or

require Service Provider to contractually impose any obligation on a subprocessor that is not explicitly required by the BAA or DPA.

Customer will not disable or circumvent any privacy or safety features of the Service.

With respect to Customer Data that is not subject to the BAA or DPA, Customer hereby grants to Service Provider a limited, royalty-free, non-exclusive license to: (a) collect, use, store, and process the Customer Data solely to provide and support the proper operation of products and services ordered by Customer under the Agreement and comply with legal requirements, and (b) sublicense such rights to Service Provider’s affiliates and subcontractors for such purposes.

Use of Artificial Intelligence. Customer understands that: (a) the Service relies on Artificial Intelligence for many of its features, including those involving interactions with Contacts; and (b) Artificial Intelligence operates probabilistically and may produce outputs that are incorrect or unexpected. Customer is responsible for ensuring that the Service’s outputs are acceptable to Customer, including by implementing appropriate practices for (a) testing the Service and Customer Configuration, and (b) conducting human review of all Service outputs and transactions. Service Provider disclaims all liability for Service outputs generated by Artificial Intelligence.

Required Third-Party Products. Customer understands that some Service functionality requires certain Required Third-Party Products (e.g., those relating to telephone, CRM, scheduling, or records management services).

Performing or maintaining an integration of the Service with a Required Third-Party Product is a Professional Services engagement, and Customer and Service Provider must agree to the scope, schedule, and fees for such engagement in an Order Form before the work occurs to perform or maintain an integration. If an integration is not performed or maintained, related Service functionality will be unavailable.

Customer, not Service Provider, is solely responsible for procuring or maintaining current, active, accurate accounts and registrations with third parties relating to any Required Third-Party Products, for any related costs or fees imposed by any third party, and for properly managing all such accounts, registrations, and relationships. For example, Customer must obtain and maintain appropriate voice call and SMS/text service from a phone carrier with accurate caller ID and must maintain complete and accurate CNAM, SHAKEN-STIR, and A2P 10DLC registrations, and must comply with any carrier requirements for text messages and calls. Required Third-Party Products may be subject to terms, conditions, and fees of the third-party providers, and Customer is solely responsible for compliance with such terms and conditions and payment of such fees. Service Provider is not responsible for any issues or problems relating to Required Third-Party Products, including any issues relating to quality, availability, delays, inaccuracy, call blocking, fees, or inability of Contacts to access Required Third-Party Products or the related Service functionality or to receive notifications or communications from the Service.

Customer must (i) inform all Contacts (whether or not they are patients or customers of Customer) that calls will be recorded and transcribed by a service provider for purposes of the Service and that they may receive notifications or communications from the Service (e.g., via email, SMS, or voice call), (ii) obtain any necessary consents from Contacts to permit Service Provider and the Service to record and transcribe the calls and to send the notifications or other communications that will be sent or made to the Contact, (iii) take any other actions necessary to ensure that neither Service Provider nor the Service is an unauthorized third-party participant in any call or other interaction with a Contact, (iv) properly configure all announcements, disclosures, and Contact options to enable Service functionality in a manner that complies with the Agreement and all applicable laws, (v) ensure that any contact information provided to the Service to contact any Contact or other person or entity (e.g., a phone number or email address) is the correct information for the intended recipient, whom Customer hereby confirms is permitted to receive such communication and has authorized it, (vii) promptly remove any contact information from the Service if any such information previously provided is no longer valid or the recipient is no longer a permitted and authorized recipient for notifications or communications from the Service, such as if the person opts out. Customer is solely responsible for ensuring that the integration of the Service with any Required Third-Party Product, and Customer’s use of the Services via that integration, including the recording, transcription, Customer Configuration, and AI processing of calls and the sending of notifications and communications, complies with all applicable laws (including, without limitation, the Telephone Consumer Protection Act, the Electronic Communications Privacy Act, the Computer Fraud and Abuse Act, the Comprehensive Computer Data and Fraud Access Act, the CAN-SPAM Act, HIPAA, and any other applicable statute, regulation, or rule including those relating to privacy, seclusion, wiretapping, eavesdropping, interception of voice calls or electronic messages, conversion, the recording and/or transcription of voice calls, processing of data with artificial intelligence, disclosure of AI-generated communications, use of AI, and the sending or receiving of calls, texts, or electronic messages), does not constitute a tort of any kind, and further complies with any applicable third-party terms and conditions applicable to Required Third-Party Products.

The Service does not provide any functionality relating to emergencies of any kind and does not replace or interact with 911 or similar emergency services. Customer is solely responsible for providing all disclosures to Contacts relating to emergencies and for providing Contacts with appropriate responses about or access to emergency services. Service Provider has no obligation or liability with respect to any emergency (relating to health or otherwise) of a Contact or other person or entity.

Branding. The Service may give Customer the option to include its name or Customer Branding in the visual and/or audio interface(s) with which Contacts interact. However, Customer understands that some Service Provider branding may still be presented in the Service (e.g., “Powered by Pretty Good AI” or similar). If Customer wishes to use its name or other Customer Branding in the Service, then Customer hereby grants Service Provider a limited, royalty-free, non-exclusive license during the term of the Agreement to use the Customer Branding provided by Customer solely to enable Service Provider to include such Customer Branding in the Service provided to Customer under the Agreement. As between Customer and Service Provider, Customer owns all right, title, and interest in and to the Customer Branding. All representations of the Customer Branding that Service Provider intends to use will be exact copies of those provided by Customer. All use of the Customer Branding by Service Provider will inure to the benefit of Customer. Service Provider will comply with any written request by Customer to remove the Customer Branding from the Service.

Usage Data. Service Provider may lawfully collect or create Usage Data in aggregate or appropriately de-identified format only, for Service Provider’s business or commercial purposes, including without limitation developing and improving Service Provider products and services and statistical analysis with respect to usage and traffic patterns. Usage Data will not include any Customer Data that could be used to identify Customer or any Contact, all of which is Customer Data regardless of how it is collected or created.

Feedback. If Customer provides Service Provider with any suggestions, enhancement requests, recommendations, or other feedback relating to Service Provider’s products and services (“Feedback”), Customer hereby grants Service Provider and its affiliates a royalty-free, worldwide, transferable, sublicensable, irrevocable, perpetual license to use or incorporate such Feedback into Service Provider’s products and services.

PROFESSIONAL SERVICES

Order Forms. Service Provider will perform the Professional Services and deliver the Work Product described in an Order Form executed by the parties that describes such services and the associated fees and schedule.

Schedule. Unless otherwise specified in the Order Form, the schedule for Professional Services in the Order Form is an estimate based on the understandings of the parties at the time the Order Form is executed, and the specific start and stop dates are expected to be revised during the course of the Professional Services engagement. Service Provider will notify Customer promptly (via email or otherwise) if it encounters or expects delays.

Expenses. Customer will reimburse Service Provider for reasonable and necessary incidental expenses incurred by Service Provider in connection with the performance of Professional Services. This may include, for example, travel and living expenses in connection with on-site work or costs of procurement of third-party products and services that are itemized in an Order Form as being Service Provider’s responsibility. Service Provider will keep Customer reasonably apprised of any such expenses and will seek Customer’s prior approval (which may be provided by email or orally) for expenses beyond a nominal amount.

On-Site Conduct. If performance of Professional Services requires Service Provider to be present at Customer’s offices, Service Provider will ensure that while its personnel are on Customer’s premises, such personnel will obey all reasonable instructions, standards, and procedures issued by Customer that are relevant to Service Provider’s performance.

Customer Obligations. To facilitate Service Provider’s performance of the Professional Services, Customer will: (a) promptly render or obtain all decisions and approvals so as not to delay or impede the performance of Professional Services; (b) promptly provide or obtain all reasonable cooperation, assistance, information, Customer-Provided Materials, and suitably configured third-party products that are necessary for performance of Professional Services; (c) notify Service Provider of any issues, concerns or disputes with the Professional Services; and (d) undertake any other responsibility referred to in an Order Form as being a matter of Customer responsibility. Service Provider will not be liable for any failure to perform Professional Services where such failure is the result of Customer’s or its third-party vendor’s failure to perform obligations or to otherwise provide reasonable cooperation in the provision of Professional Services.

Change Orders. One or both parties may, from time to time, deem it necessary to make changes by altering, adding to, or deducting from the Professional Services or Work Product described in an Order Form, including requests for changes in project plans, scope, specifications, schedule, designs or requirements. Any such request for a change must be in writing, and neither party will be bound by the changes until both parties’ authorized representatives have executed a written change order or other similar document describing the changes.

Customer-Provided Materials. Customer will provide all Customer-Provided Materials necessary for the performance of the applicable Professional Services. As between Customer and Service Provider, Customer owns all right, title, and interest in and to the Customer-Provided Materials. Customer represents and warrants that it has the necessary rights to provide the Customer-Provided Materials to Service Provider for the purposes for which such materials are provided. Customer grants to Service Provider a non-exclusive, royalty-free, non-transferable license and right to use, copy, and modify the Customer-Provided Materials as necessary and appropriate to perform the Professional Services for Customer.

License to Work Product. The Work Product is not a work-made-for-hire, and Service Provider retains all intellectual property and proprietary rights in and to the Work Product, subject only to the licenses granted to Customer pursuant to the Agreement. Service Provider hereby grants Customer a limited, non-exclusive, non-sublicensable, non-transferable license during the Subscription Period to use the Work Product as necessary and appropriate in connection with Customer’s permitted use of the Service.

LICENSE RESTRICTIONS

Service Provider and its suppliers or licensors, if any, retain ownership of all intellectual and proprietary rights in and relating to the Service, the Work Product, and Documentation. All rights not expressly granted in the Agreement are reserved by Service Provider. Except as expressly set forth in the Agreement, Customer will not, and will not permit or encourage any third party, to do or attempt to do any of the following: (a) remove any copyright or proprietary rights notices from the products, services, or documentation provided by Service Provider; (b) disassemble, decompile, reverse engineer, modify or create derivative works of the products or services provided by Service Provider; (c) redistribute, sell, assign, sublicense, lease, loan, rent, timeshare, or otherwise transfer its rights to the products or services provided by Service Provider to any third party; (d) knowingly transmit through or submit to the Service any information, data, or material that is unlawful, libelous, defamatory, tortious, infringing, threatening, obscene, or harmful to minors; (e) knowingly transmit through the Service any data or material containing viruses, malware, or other harmful computer code, files, scripts, agents, or programs; (f) knowingly interfere with or disrupt the integrity or performance of the Service or attempt to gain unauthorized access to any services or systems; (g) write or develop, or have written or developed, any software or program based on the products or services provided by Service Provider or any other Confidential Information supplied to Customer by Service Provider; or (h) use or authorize others to use the Service Provider products or services in any way not expressly permitted in the Agreement. This Section will survive the expiration or termination of the Agreement for any reason.

CONFIDENTIALITY

Protection of Confidential Information. Recipient will protect all Confidential Information of Discloser using at least the same degree of care that it uses to protect its own confidential information of a similar nature, and in any event no less than a reasonable degree of care. Recipient will not intentionally disclose any such information to any third party, and will only intentionally permit access to Discloser’s Confidential Information to those Recipient employees, officers, directors, members, partners, subcontractors, service providers, and agents who have a demonstrable need to know and who are bound by obligations of confidentiality at least as restrictive as those set forth in these Terms of Service. Recipient agrees not to reverse engineer, disassemble, or decompile any prototypes, software, or other tangible objects that embody the Discloser’s Confidential Information.

Ownership, Return of Confidential Information. All Confidential Information remains the property of Discloser and may be used by Recipient solely for the purposes of exercising its rights and performing its obligations under the Agreement. No license of any proprietary rights of Discloser is granted by any disclosure of Confidential Information. Upon written request of Discloser, Recipient will, at Discloser’s direction and Recipient’s expense, either return to Discloser or destroy any written or electronic materials (and all copies, extracts, and summaries thereof) in Recipient’s possession or control. Recipient will provide Discloser with a certification of return or destruction.

Exceptions. The obligations of confidentiality contained in this Section do not apply to information that: (a) is or becomes part of the public domain through no act or omission of Recipient; (b) was rightfully in Recipient’s possession prior to the disclosure by Discloser and had not been obtained by Recipient either directly or indirectly from Discloser; or (c) is rightfully disclosed to Recipient by a third party without restriction on disclosure.

Compelled Disclosure. If Recipient receives a demand to disclose Confidential Information of Discloser pursuant to law or the lawful order of a court or governmental authority, Recipient agrees to: (a) give Discloser immediate advance notice of such disclosure requirement except to the extent not legally permitted to do so, and (b) cooperate with Discloser in opposing the disclosure and/or seeking a protective order or other such protective treatment. If, upon the advice of Recipient’s counsel, Recipient is nevertheless compelled to disclose Confidential Information, Recipient may do so, provided that the scope of any required disclosure is limited to the minimum disclosure necessary to comply with the legal requirement.

Survival of Obligations. The provisions of this Section 5 survive the expiration or termination of the Agreement for any reason until the applicable Confidential Information falls into one of the exceptions of Section 5.3.

FEES AND PAYMENTS

Fees and Payments. Customer must pay all applicable fees in accordance with the payment terms set forth in the applicable Order Form. Service Provider reserves the right to increase such fees no more than once per year upon written notice provided to Customer at least 90 days prior to the commencement of the fee increase. Unless otherwise specified in the Order Form, all payments are due within 30 days of receipt of invoice. All fees under the Agreement exclude any sales, use, excise, and other taxes, as well as applicable export and import fees, customs duties, and similar charges, if any, that Service Provider is obligated to collect, except for taxes based on Service Provider’s income. All such taxes and charges are Customer’s responsibility.

Late Payments. If Customer fails to make any payment when due, in addition to all other rights remedies that may be available to it: (a) Service Provider may charge interest on the past due amount at the rate of 1.5% per month calculated daily and compounded monthly or, if lower, the highest rate permitted under applicable law; and (b) Service Provider may suspend its performance under the Agreement and any associated licenses granted to Customer for any period during which any payment owed to Service Provider has not been made by Customer.

Participation by Customer Affiliates. If any affiliated company(ies) of Customer wish to exercise any rights under the Agreement through an Order Form executed by Customer or another Customer affiliate, then: (a) Customer represents and warrants to Service Provider that Customer has the full power and authority to act on behalf of and bind any such affiliates to all of the terms and conditions of the Agreement; (b) Customer is responsible for payment to Service Provider, on a consolidated basis, of all fees triggered under the Agreement for any such Customer affiliates’ use of the Service and/or ordering of products and services from Service Provider; (c) Customer is responsible for ensuring that each such affiliate complies with the terms and conditions of the Agreement and is liable to Service Provider for all acts or omissions of such Customer affiliates in connection with such affiliates’ possession, access to, or use of the products and services provided by Service Provider.

TERM AND TERMINATION

Term. As to each applicable Order Form, the Agreement commences on the date such Order Form is signed or the date that the Subscription Period starts, if earlier, and continues for the duration of the Subscription Period, unless earlier terminated in accordance with this Section 7. Unless otherwise provided in the Order Form, the Subscription Period renews automatically for a Renewal Period unless either party provides written notice of its intent not to renew at least 15 days prior to the beginning of the next Renewal Period. Each Order Form will provide the duration of the Initial Subscription Period and the Renewal Period(s).

Termination. Either party may terminate the Agreement upon 30 days’ written notice to the other party if such other party substantially breaches any material obligation under the Agreement and fails to cure that breach during that 30-day notice period. However, if the breach is a failure to pay amounts due, such notice period is reduced to 10 days. Any notice of breach must specify the breach in reasonable detail. In addition, Service Provider may terminate the Agreement immediately upon written notice if Customer breaches any provision that is incapable of cure, including any breach of Section 4 (License Restrictions).

Effect of Termination. Upon any termination of the Agreement: (a) Customer’s licenses and any right to use the Service Provider products and services automatically terminates, (b) Customer must immediately discontinue all use of Service Provider products and services, (c) each party will immediately discontinue all use of the other party’s Confidential Information and return to the other party or destroy (with written certification), all copies of such other party’s Confidential Information then in its possession; and (d) Customer will promptly pay any amounts due and remaining payable under the Agreement. Provisions of the Agreement that naturally survive the expiration or termination of the Agreement do survive.

WARRANTIES; DISCLAIMER

Limited Service Provider Warranties. Service Provider represents and warrants to Customer, and solely for the benefit of Customer, that: (a) the Service will perform in substantial conformance with the technical specifications set forth in the Documentation and the Order Form; and (b) if Service Provider delivers Professional Services under the Agreement, then Service Provider will perform those Professional Services in a professional and workmanlike manner consistent with industry standards. These warranties are conditioned on payment by Customer of all fees as they become due under the applicable Order Form.

Warranty Remedies and Limitations. If Customer notifies Service Provider of a breach of the foregoing warranties within 90 days of the initial delivery of the Service or Professional Services, then, AS CUSTOMER’S SOLE AND EXCLUSIVE REMEDY AND SERVICE PROVIDER’S SOLE LIABILITY FOR THAT BREACH, Service Provider will promptly either correct or replace the defective Service or Professional Services free of charge. These warranties are null and void if and to the extent that the warranty breach was caused by: (a) an alteration or modification to the products or services from their original state by anyone other than Service Provider, (b) use of the products or services in a manner that breaches the Agreement or violates applicable law; and/or (c) products or services not provided by Service Provider. Service Provider makes no warranty to any third party under the Agreement.

Additional Warranties. Each of Service Provider and Customer represents and warrants to the other that: (a) it has the requisite power and authority to enter into and perform the Agreement, and (b) it will comply with all applicable laws in connection with the Agreement. Customer further represents and warrants to Service Provider that: (i) it has all necessary rights to Customer Data and Customer-Provided Materials to provide them to Service Provider for purposes of the Agreement, (ii) it has provided proper notices and received proper consents, consistent with applicable laws and the Agreement, from all Contacts and other third parties to enable Service Provider’s provision of the Service, and (iii) to the extent that the Service integrates or interacts with Required Third-Party Products or any other third-party products or services of Customer, Customer has all necessary rights and licenses to permit Service Provider to perform those integrations and to enable Service Provider’s provision of the Service to Customer and its Contacts in connection with such third-party products and services.

Disclaimer. EXCEPT FOR THE LIMITED WARRANTIES EXPRESSLY GRANTED IN THESE TERMS OF SERVICE, SERVICE PROVIDER MAKES NO OTHER WARRANTIES OF ANY KIND, WHETHER EXPRESS, IMPLIED, STATUTORY, OR ARISING FROM ANY COURSE OF DEALING. TO THE MAXIMUM EXTENT PERMITTED BY LAW, SERVICE PROVIDER EXPRESSLY DISCLAIMS ALL OTHER WARRANTIES, INCLUDING THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND AGAINST INFRINGEMENT. SERVICE PROVIDER DOES NOT WARRANT THAT USE OF ITS PRODUCTS OR SERVICES WILL BE ERROR-FREE, THAT THE SERVICE IS INTEROPERABLE WITH ANY PARTICULAR THIRD-PARTY PRODUCT OR SERVICE, OR THAT ANY PRODUCT OR SERVICE WILL MEET CUSTOMER’S NEEDS OR REQUIREMENTS.

INDEMNIFICATION

By Service Provider. Service Provider will defend Customer and its officers, directors, members, partners, and employees (the “Customer Indemnitees”) against any claim, action, suit, proceeding, or allegation (collectively, “Claims”) brought by a third party that alleges that: (a) the Service, as used in compliance with the Agreement, infringes or misappropriates the third party’s patent, copyright, trademark, trade secret, or other proprietary right, or (b) Service Provider has failed to comply with applicable laws in connection with the Agreement. Service Provider will indemnify the Customer Indemnitees against, and hold them harmless from, any resulting loss, damage, expense, fine, or cost (including attorneys’ fees) (collectively, “Losses”). Service Provider’s obligations under this Section do not apply to a Claim if it arises from or relates to: (i) software, services, hardware, materials, or data not developed or provided by Service Provider (including, without limitation, any Required Third-Party Product or other products or services procured from third parties); (ii) the use of software or material other than a currently supported, unaltered release obtained directly from Service Provider for a paid (not an unpaid pilot or evaluation) license; (iii) the use of any Service Provider product or service that has been modified, combined, or merged with other products, processes, or materials, where the alleged infringement or other legal violation relates to such modification, combination, or merger rather than the unaltered Service Provider product or service on its own; (iv) any product or service that is made for Customer in accordance with Customer’s written specifications or instructions where the infringement or other legal violation relates to such specifications or instructions; (v) continued allegedly infringing activity after Customer has been notified of the infringement or legal violation; (vi) use of any product or service that is not in compliance with the Agreement.

Additional Infringement Remedy. In addition to the obligation to defend and indemnify, if the Service becomes the subject of a Claim for which Customer has indemnification rights under Section 9.1 and an injunction is issued by a court of competent jurisdiction barring Customer’s exercise of the rights granted under the Agreement or Service Provider believes such an injunction will be issued, Service Provider will either: (a) procure for Customer the right to continue use of the Service as furnished; or (b) replace the infringing Service or modify it to make it non-infringing without loss of essential functionality. If Service Provider is unable to accomplish the foregoing remedies after using commercially reasonable efforts, Service Provider may terminate the applicable Order Form(s) and/or the Agreement immediately and provide a pro-rated refund of prepaid fees for the period that was terminated early. Sections 9.1 and 9.2 state Service Provider’s sole and exclusive liability, and Customer’s exclusive remedy, with respect to any claim or suit alleging infringement of third-party rights.

By Customer. Customer will defend Service Provider and its officers, directors, and employees (“Service Provider Indemnitees”) against any Claim brought by a third party that alleges that: (a) Customer Data or Customer-Provided Materials used in compliance with the Agreement infringes or misappropriates the third party’s patent, copyright, trademark, trade secret, or other proprietary right, (b) Customer has failed to comply with applicable law and/or with the agreements, privacy policies, or other terms and conditions of Customer or Customer’s third-party vendors (including, without limitation, any failure to comply with Section 2.5), (c) Customer Data processed by Service Provider in accordance with the Agreement has been collected, monitored, processed, disclosed, or used in an unauthorized manner; and/or (d) the third party was damaged or harmed as a result of any business or medical decision of Customer, whether or not Customer relied on any output of the Service in connection with such decision. Customer will indemnify the Service Provider Indemnitees against, and hold them harmless from, any resulting Losses.

Process. If a Claim arises for which a party (as the “Indemnified Party”) seeks indemnification from the other (as the “Indemnifying Party”):

The Indemnified Party will:

Provide the Indemnifying Party with reasonably prompt notice of the Claim;

Provide the Indemnifying Party with the right to control the defense of the Claim and any negotiations relating to the Claim’s settlement or compromise (provided that the Indemnifying Party promptly and diligently assumes such defense and/or negotiations with counsel reasonably acceptable to the Indemnified Party);

Provide the Indemnifying Party with reasonable information and assistance, at the Indemnifying Party’s expense, to help the Indemnifying Party defend Claims at its expense.

The Indemnifying Party will not stipulate, admit, or acknowledge any fault or liability on behalf of an Indemnified Party without prior written consent. The Indemnified Party will not settle any Claim or publicize any settlement without the Indemnifying Party’s prior written consent.

LIMITATIONS OF LIABILITY

EXCEPT AS SET FORTH IN SECTION 10.2: (A) UNDER NO CIRCUMSTANCES AND UNDER NO LEGAL THEORY, TORT, CONTRACT, OR OTHERWISE, WILL EITHER PARTY OR ITS AFFILIATES BE LIABLE TO THE OTHER PARTY OR ANY OTHER PERSON OR ENTITY FOR ANY INDIRECT, SPECIAL, INCIDENTAL, EXEMPLARY OR CONSEQUENTIAL DAMAGES OF ANY KIND ARISING OUT OR RELATING TO THE AGREEMENT OR THE USE (OR INABILITY TO USE) THE SERVICE PROVIDER PRODUCTS AND SERVICES, EVEN IF THE PARTY CAUSING DAMAGES IS ADVISED OF THE POSSIBILITY OF SUCH DAMAGES, AND (B) TO THE MAXIMUM EXTENT PERMITTED BY LAW AND NOTWITHSTANDING ANY OTHER PROVISIONS OF THE AGREEMENT, SERVICE PROVIDER’S AGGREGATE LIABILITY UNDER THE AGREEMENT IS LIMITED TO THE AMOUNTS PAID BY CUSTOMER TO SERVICE PROVIDER DURING THE 12 MONTHS LEADING UP TO THE EVENT GIVING RISE TO THE CLAIM.

THE EXCLUSIONS AND LIMITATIONS SET FORTH IN SECTION 10.1 DO NOT APPLY TO THE FOLLOWING: (A) A PARTY’S LIABILITY FOR BREACH OF SECTIONS 4 (LICENSE RESTRICTIONS) OR 5 (CONFIDENTIALITY), (B) A PARTY’S OBLIGATIONS UNDER SECTION 9 (INDEMNIFICATION), (C) A PARTY’S LIABILITY ARISING FROM ITS RECKLESS OR INTENTIONAL MISCONDUCT OR ITS INFRINGEMENT OF THE OTHER PARTY’S INTELLECTUAL PROPERTY OR PROPRIETARY RIGHTS, AND (D) THE OBLIGATION OF CUSTOMER AND ITS AFFILIATES TO PAY FEES AS THEY BECOME DUE. IN ADDITION, (i) SERVICE PROVIDER HAS NO LIABILITY FOR THE PERFORMANCE, NONPERFORMANCE, OR TERMS AND CONDITIONS OF ANY OF CUSTOMER’S THIRD-PARTY PRODUCTS OR SERVICES, INCLUDING WITHOUT LIMITATION REQUIRED THIRD-PARTY PRODUCTS, AND (ii) AS TO SERVICE PROVIDER’S LIABILITY FOR BREACH OF SECTION 5 (CONFIDENTIALITY) AND/OR (IF APPLICABLE) BREACH OF THE BAA OR DPA, SERVICE PROVIDER’S AGGREGATE LIABILITY FOR ANY AND ALL SUCH CLAIMS IS LIMITED TO TWO TIMES (2X) THE AMOUNTS PAID BY CUSTOMER TO SERVICE PROVIDER UNDER THE AGREEMENT DURING THE 12 MONTHS LEADING UP TO THE EVENT GIVING RISE TO THE CLAIM.

GENERAL

Governing Law and Venue. The laws of the United States of America and the State of Delaware (without regard to its conflict of law provisions) govern all matters relating to the Agreement. The federal or state courts located in Wilmington, Delaware are the exclusive venues for resolution of any dispute, controversy or claim arising out of or relating to the Agreement, whether at law or in equity, and the parties hereby irrevocably and unconditionally consent to the exclusive jurisdiction and venue of such courts.

Equitable Relief. Certain breaches of the Agreement including, without limitation, breaches relating to a party’s Confidential Information or intellectual property rights, including license restrictions, could result in irreparable harm for which money damages would be an inadequate remedy. In the event of such a breach or threatened breach, the non-breaching party is entitled to seek immediate equitable and other provisional relief without posting a bond, in addition to any other remedies available at law or in equity and without prejudice to any such other remedies.

Attorneys’ Fees. The non-prevailing party in any proceeding or lawsuit in connection with the Agreement (including any sub-proceeding or motion practice), as determined by the judge or other tribunal, must promptly reimburse the prevailing party for its out-of-pocket costs, including expert witness fees, attorneys’ fees, and any costs and fees on appeal.

Export Restrictions. The software used to power the Service, the Work Product, and related documentation and technical information are subject to laws and regulations relating to export and re-export out of the U.S. and other relevant jurisdictions. Customer will not export or re-export any products or technical information, directly or indirectly, without Service Provider’s prior written consent and/or without a license or other approval issued by the U.S. or other government, to the extent such license or other approval is required by law.

Notices. Except as otherwise specified in the Agreement, any consents, requests, demands, communications, and other notices permitted or required to be given under the Agreement must be in writing and will be deemed validly given upon delivery if: (a) personally delivered with service fees prepaid, or (b) delivered with fees prepaid by reputable overnight courier that provides proof of delivery (e.g., FedEx or UPS), or (c) delivered via email. Notices to Customer may be sent to the contact information given in the Order Form or via the Service. Notices to Service Provider should be sent to the contact information below. Either party may update its notice information by providing notice under this Section. English is the official language of the Agreement, and all communications and notices must be in the English language.

Notices to Service Provider:

Pretty Good AI, Inc.

455 Market St., Ste. 1940, PMB 87205

San Francisco, CA 94105-2448

Attention: Legal Notices

Email: legal@prettygoodai.com

Waiver or Delay. Any waiver of any kind by either party of a breach of the Agreement must be in a signed writing, will be effective only to the extent set forth in such writing, and will not operate or be construed as a waiver of any subsequent breach by the other party. No failure of either party to insist upon strict compliance with any obligation or provision, and no custom or practice of the parties at variance with the terms hereof, will constitute a waiver of any right to demand exact compliance with the terms of the Agreement. Neither party’s delay or omission in exercising any right, power or remedy upon a breach or default by the other party will impair any such right, power or remedy.

Force Majeure. If either party is unable to perform in whole or in part its obligations under the Agreement because of a labor dispute, strike, lockout, riot, war, act of terrorism or vandalism, widespread power outage, severing of communications lines by a third party, earthquake, flood, fire or other action of the elements, governmental restriction, or other cause beyond the reasonable control of the party, then such party may provide the other party prompt written notice of such cause. Upon providing such notice, the party affected will be relieved of those obligations to the extent it is unable to perform for as long as such cause continues or for 90 days, whichever is shorter. If after 90 days the party affected by such cause is unable to continue performance, the other party may terminate the Agreement upon written notice. Neither party will be liable for any loss, injury, delay, or damages suffered or incurred by the other due to the above causes or to the termination of the Agreement pursuant to this Section.

Severability. If any provision of the Agreement is held by a court of competent jurisdiction to be invalid or unenforceable, the remaining provisions of the Agreement remain in full force and effect if the parties’ essential rights and obligations under the Agreement remain valid, legal, and enforceable.

Relationship of the Parties. Nothing in the Agreement should be construed as creating any agency, partnership, joint enterprise or other similar relationship between the parties. The relationship between the parties is, at all times, that of independent contractors. Neither party has the authority to contract for or bind the other in any manner whatsoever. The Agreement confers no rights upon either party except those expressly granted herein or to make any representation or commitment on behalf of the other.

No Publicity. Neither party will issue any publicity or general marketing communications concerning the Agreement or the parties’ relationship, or otherwise use the other party’s name or trademarks, without the prior written consent of the other party in each instance. The parties agree not to unreasonably withhold, condition, or delay such consent.

Assignment. The Agreement and the rights and obligations arising under the Agreement are binding upon and inure to the benefit of the parties and to their respective permitted successors and assigns. Neither party may transfer or assign any of its rights or delegate any of its obligations under the Agreement without the prior written consent of the other party. The parties agree not to unreasonably withhold, delay, or condition such consent. However, (a) Service Provider may subcontract any aspect of its obligations under the Agreement to qualified third parties, provided that any such subcontracting arrangement does not relieve Service Provider of any of its obligations under the Agreement; and (b) either party may transfer the Agreement in its entirety without the other party’s consent, but upon written notice, in connection with a merger, acquisition, corporate reorganization, sale of all or substantially all of its assets, or similar transaction, provided that the transferee agrees to assume all of the transferring party’s obligations. In connection with any permitted assignment or transfer of the Agreement, the assigning party may transfer Confidential Information (including Customer Data and other Personal Data) to the permitted assignee and its affiliates, provided that the assignee agrees to be bound by confidentiality and data protection obligations no less protective than those set forth in the Agreement. Any attempt to transfer, assign, or delegate not authorized by the Agreement is null and void.

Headings. The paragraph and section headings and captions of the Agreement are included merely for convenience of reference. They are not to be considered part of, or to be used in interpreting, the Agreement and in no way limit or affect any of the contents of the Agreement.

Entire Agreement. These Terms of Service and each executed Order Form constitute the entire agreement between the parties, including all understandings, representations, conditions, warranties, and covenants, concerning its and their subject matter. These Terms of Service and each executed Order Form supersede any prior or collateral agreements or understandings between the parties, whether written or oral, with respect to their subject matter.

Modifications to Terms of Service. Service Provider may modify these Terms of Service at any time in its sole discretion. Service Provider will notify Customer of any such change (which may be via the Service). If Customer objects in writing to the updated Terms of Service within 15 days of Service Provider’s notification, the modified version of the Terms of Service will not apply to Customer’s Order Forms for the period that lasts until the beginning of the next Renewal Period or, if sooner, until the execution of a new Order Form, at which time the updated Terms of Service do apply to such Order Form.

Annex A

Data Processing Addendum

Except to the extent the BAA applies and renders inapplicable all legal requirements for Customer and Service Provider to enter into this Data Processing Addendum (“DPA”), this DPA applies to Personal Data about Contacts that Service Provider receives from or on behalf of Customer (such as from a Contact) through the Service or any Professional Services. With respect to such Personal Data, (i) this DPA applies and forms part of the Terms of Service (“Terms”) and (ii) this DPA takes precedence over any conflicting component of the rest of the Terms to the extent of any conflict, except that (iii) if both the BAA and this DPA apply to the same Personal Data, the provision most protective of the Personal Data will take precedence. All capitalized terms used in this DPA but not defined will have the meaning set forth in the rest of the Terms or under Applicable Privacy Law (as defined below).

Definitions

In this DPA:

“Applicable Privacy Law” means all laws, regulations and other legal requirements that govern privacy, security, data protection or confidentiality and that are applicable to either (i) Service Provider as provider of the Service or Professional Services or (ii) Customer as user of the Service or Professional Services. For example, to the extent applicable, this includes the California Consumer Privacy Act, as amended by the California Privacy Rights Act and together with associated regulations (“CCPA”), as well as U.S. state laws similar to the CCPA, such as the Washington My Health My Data Act, the Colorado Privacy Act, the Connecticut Act Concerning Personal Data Privacy and Online Monitoring, the Delaware Personal Data Privacy Act, the Florida Digital Bill of Rights, the Indiana Consumer Data Protection Act, the Iowa Consumer Privacy Act, the Kentucky Consumer Data Protection Act, the Maryland Online Data Privacy Act, the Minnesota Consumer Data Privacy Act, the Montana Consumer Data Privacy Act, the Nebraska Data Privacy Act, the New Hampshire Privacy Act, the New Jersey Privacy Act, the Oregon Consumer Privacy Act, the Rhode Island Data Transparency and Privacy Protection Act, the Tennessee Information Protection Act, the Texas Data Privacy and Security Act, the Utah Consumer Privacy Act, the Virginia Consumer Data Protection Act, and any regulations issued under any of them (together with the CCPA, as they become effective, the “U.S. State Privacy Laws”).

“Designated Contact Address” means the email address associated with Customer’s main admin account in the Service at the time notice is given.

“Personal Data Breach” means the accidental or unlawful destruction, loss, alteration, disclosure or other Processing of, or access to, Personal Data.

“Process” and “Processing” mean any operation or set of operations performed on Personal Data, whether or not by automated means, such as collection, recording, organization, creating, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

“Subprocessor” means a subcontractor engaged by Service Provider for the Processing of Personal Data. athenahealth, Inc. is not considered a Subprocessor or other subcontractor.

For ease of reading, some other terms are defined later in the DPA.

Scope, Relationship of the Parties, and Data Use Limitations

With respect to the Personal Data, to the extent any U.S. State Privacy Laws apply, (i) Customer is the “controller,” “regulated entity,” “business,” or equivalent (as applicable), and (ii) Service Provider is Customer’s “service provider,” “processor,” or equivalent (as applicable).

Unless required by applicable law, Service Provider will Process the Personal Data only (i) to provide and ensure the proper operation of the Service or Professional Services consistent with the Agreement; and (ii) to carry out Customer’s reasonable written instructions that are consistent with the Agreement. Without limiting the foregoing, Service Provider:

shall not “sell” the Personal Data, as such term is defined in the CCPA (regardless of whether the CCPA applies);

shall not “share” the Personal Data, as such term is defined in the CCPA (regardless of whether the CCPA applies) or otherwise disclose it for targeted advertising purposes;

shall not retain, use, or disclose any such data outside of the direct business relationship between the Customer and Service Provider, or for any purpose (including any commercial purpose) other than the limited business purposes specified in this DPA and as permitted by Applicable Privacy Law;

shall comply with any applicable restrictions under Applicable Privacy Law on combining the Personal Data that Service Provider receives from, or on behalf of, the Customer with Personal Data that Service Provider receives from, or on behalf of, another person or persons, or that Service Provider collects from any other interaction between Service Provider and a data subject;

shall provide the same level of protection for the Personal Data subject to the CCPA as is required of “businesses” under the CCPA; and

hereby certifies that it understands the restrictions and obligations set forth in this DPA and that it will comply with them.

If applicable law requires Service Provider to engage in Processing not permitted by the above, Service Provider will first inform the Customer of the relevant legal requirement unless applicable law prohibits such notification. Service Provider will notify the Customer as soon as legally permissible if, for any other reason, Service Provider determines that Service Provider can no longer meet its obligations under Applicable Privacy Law.

Customer has the right to take reasonable and appropriate steps to (a) exercise its rights under the Compliance Verifications and Audits section of this DPA to ensure that Service Provider is using the Personal Data consistent with the Customer’s obligations under Applicable Privacy Law, and (b) stop and remediate unauthorized use by Service Provider of the Personal Data.

Customer is responsible for providing any legally required notices to the individual, obtaining any legally required consents from the individual, and taking any other steps required by applicable law, to enable the Customer to lawfully use the Service and any Professional Services as set forth in the Agreement. Customer shall not provide Service Provider with any Personal Data that is not reasonably necessary for the Customer’s use of the Service or Professional Services. Customer shall provide Service Provider with Personal Data only through the channels that Service Provider designates for its receipt of the Personal Data.

Confidentiality and Training

Service Provider will ensure that the persons Service Provider authorizes to Process the Personal Data are contractually required to maintain the confidentiality of such data.

Security

Service Provider will comply with its security obligations under Applicable Privacy Law and will protect the Personal Data with the security safeguards mandated by the HIPAA Security Rule, regardless of whether the Customer is subject to HIPAA. Service Provider may, without notice to the Customer, make future lawful replacements or updates to the measures that do not materially lower the level of security provided for the Personal Data. Service Provider is not responsible for any losses that arise from the Customer’s failure to use optional security features or optional security configurations of the Service or Professional Services.

Subprocessors

Service Provider may subcontract the collection or other Processing of Personal Data (i) only in compliance with Applicable Privacy Law regarding subprocessing, (ii) only with the Customer’s consent, and (iii) only if Service Provider has imposed contractual obligations on the Subprocessor that are substantially the same as, or more restrictive than, those imposed on Service Provider under this DPA. Subprocessors need not hold the same security certifications as Service Provider.

Current Subprocessors are listed at https://trust.delve.co/pretty-good-ai. Unless exigent circumstances require the use of a new Subprocessor with the earlier Processing of Personal Data, Service Provider will notify the Customer (“Subprocessor Notification”) at least 15 days prior to giving the Subprocessor access to the Personal Data (the “Subprocessor Notification Period”) by (i) updating that webpage and (ii) sending an email to the Designated Contact Address.

Customer’s sole recourse if it objects to the new Subprocessor will be to terminate the Customer’s subscription within ten (10) days from the date of the Subprocessor Notification. Following such termination, the Customer will be entitled to a refund of unused prepaid fees only if (a) Service Provider breached its obligation to maintain the requisite contract provisions with the Subprocessor, or (b) Service Provider’s engagement of the Subprocessor is otherwise a breach of the Agreement, or (c) the Agreement otherwise provides for a refund. This is without prejudice to any right the Customer may have under the Agreement in relation to a breach of contract. Customer is deemed to consent to the new Subprocessor if the Customer does not terminate the subscription as set forth above.

Service Provider remains liable for its Subprocessors’ acts and omissions to the same extent Service Provider is liable for its own, consistent with the limitations of liability set forth in the Agreement.

Assistance Responding to Individuals’ Requests to Exercise Rights

If Service Provider receives a request from an individual or their representative to exercise Personal Data-related rights under Applicable Privacy Law (a “Data Subject Request”), such as rights to access, correct, or delete their Personal Data, or a Personal Data-related complaint from an individual or their representative, and the communication identifies the Customer, Service Provider will forward the communication to the Customer at the Designated Contact Address:

• as soon as commercially practicable; but
• no later than within 5 business days of receipt if the communication arrives via privacy@prettygoodai.com or any other contact method specified in the privacy policy on Service Provider’s website.

Customer will be responsible for lawfully addressing the Data Subject Request, and Service Provider will provide prompt, reasonable cooperation to the Customer, taking into account the nature of the Service and the information available to Service Provider.

Personal Data Breach Notification

Service Provider will comply with the Personal Data Breach-related obligations applicable to it under Applicable Privacy Law. Service Provider will assist the Customer in complying with those applicable to the Customer by informing the Customer of a confirmed Personal Data Breach without undue delay and in any event without undue delay and by otherwise complying with this “Personal Data Breach Notification” section of the DPA.

Service Provider will provide such notification to the Customer at the Designated Contact Address.

Such notification is not an acknowledgement of fault or responsibility. The notification will include Service Provider’s then-current assessment of the following:

The nature of the Personal Data Breach including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of Personal Data records concerned;

The likely consequences of the Personal Data Breach; and

Measures taken or proposed to be taken by Service Provider to address the Personal Data Breach including, where applicable, measures to mitigate its possible adverse effects.

Assistance with DPIAs and Consultation with Governmental Authorities

Service Provider will provide reasonable assistance to and cooperation with the Customer, taking into account the nature of the Service and information available to Service Provider for (i) the Customer’s performance of any data protection impact assessment or similar analysis of the Processing or proposed Processing of the Personal Data involving Service Provider, and (ii) related consultation with governmental authorities.

Data Return and Destruction

Service Provider will destroy all Personal Data within 30 days after the termination of the Agreement except to the extent applicable law requires storage of the Personal Data.

In the event of such legally required retention, (i) Service Provider will inform the Customer as soon as legally permitted, (ii) Service Provider will retain only Personal Data as required by applicable law and will retain it only as long as is required, (iii) during the retention period, Service Provider will refrain from Processing the Personal Data other than as required by applicable law and will continue to comply with this DPA with respect to the Personal Data, to the extent permitted by applicable law, and (iv) Service Provider will promptly destroy the Personal Data when applicable law no longer requires its retention.

Service Provider will provide certification of the destruction upon request.

Compliance Verification and Audits

Service Provider will make available to the Customer all information reasonably necessary to demonstrate compliance with this DPA, and allow for and contribute to reasonable audits, including inspections, conducted by the Customer or another auditor mandated by the Customer that has signed a data use and confidentiality agreement acceptable to Service Provider. If the requested audit scope is addressed in a SOC 2 report, penetration test, HIPAA security audit, or other industry-standard report issued by an independent third party auditor or security tester within the then-prior 12 months, and Service Provider provides a summary of such report to the Customer and confirms that there are no known material changes in the controls audited or tested, the Customer agrees to accept the findings presented in the summary report in lieu of requesting an audit of the same controls covered by the report. Nothing herein will require Service Provider to disclose or make available (i) any data of any other customer of Service Provider; (ii) access to systems; (iii) Service Provider’s internal accounting or financial information; (iv) any trade secret of Service Provider; (v) any information or access that, in Service Provider’s reasonable opinion, could (a) compromise the security of Service Provider systems or premises; or (b) cause Service Provider to breach its obligations under applicable law or applicable contracts; or (vi) any information sought for any reason other than the good faith fulfilment of the Customer’s obligations under applicable law to audit compliance under this DPA.

Any information that the Customer receives under this Section is confidential information of Service Provider, and the Customer will not disclose it except to its service providers that have signed a data use and confidentiality agreement acceptable to Service Provider.