Nayya End User TOS BAA Data Security Addendum

NAYYA TERMS AND CONDITIONS

These Terms and Conditions (the “Agreement”) apply to any order form that expressly references this Agreement and is mutually executed between Nayya Health, Inc. (“Nayya”) and the customer that affixes its signature at the bottom of that order form (such customer, the “Customer” and such order form, the “Order Form”).

  1. GENERAL

    1. Definitions. To the extent not defined herein, all defined terms have the meanings ascribed to them in the accompanying Order Form.

    2. Access and Use. Subject to the terms and conditions of this Agreement, Nayya hereby grants to Customer a non-exclusive, non-transferable, and non-sublicensable, limited right to access and use the Software Services during the Service Term solely for Customer’s benefit enrollment process and benefit engagement and utilization program with respect to its employees in accordance with the terms and conditions herein.

    3. Software Services. Nayya reserves the right to include additional features and functionalities in the Software Services and also to remove and discontinue Software Services’ features and functionalities that are no longer applicable to the feature set, as Nayya may determine from time to time in its sole discretion.

    4. Use Restrictions. Customer will not, and will not permit any third party to, use the Software Services for any purposes beyond the scope of the access granted in this Agreement. Customer will not at any time, directly or indirectly, and will not permit any third party to: (i) copy, modify, or create derivative works of the Software Services, in whole or in part; (ii) rent, lease, lend, sell, resell, license, sublicense, assign, distribute, publish, transfer, or otherwise make available the Software Services, except as expressly permitted under this Agreement; (iii) reverse engineer, disassemble, decompile, decode, adapt, or otherwise attempt to derive or gain access to any software component of the Software Services, in whole or in part; (iv) remove any proprietary notices from the Software Services; (v) use the Software Services in any manner or for any purpose that infringes, misappropriates, or otherwise violates any intellectual property right or other right of any person, or that violates any applicable law, regulation, or rule; (vi) offer, sell, resell, license, sublicense, assign, distribute the Software Services or other software services offered by Nayya to existing customers of Nayya; or (vii) to Customer’s knowledge, offer, sell, resell, license, sublicense, assign, distribute the Software Services or other software services offered by Nayya to current prospective customers of Nayya, without Nayya’s consent.

    5. Authorization. Customer may be required to obtain an authorization pursuant to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) from each of its employees in order to enable Nayya to provide the Software Services and Implementation Services, which may require access and use of an employee’s protected health information (“PHI”) as defined under HIPAA. Customer hereby delegates to Nayya the authority to obtain HIPAA Authorizations as necessary from employees to enable Nayya to provide the Software Services and Implementation Services.

    6. Business Associate. To the extent the Customer, including its affiliates and subsidiaries, is considered a “Covered Entity” under HIPAA, any PHI received by Nayya from Customer shall be subject to the business associate agreement located at nayya.com/BAA (the “BAA”).

    7. Suspension. Notwithstanding anything to the contrary in this Agreement, Nayya may temporarily suspend Customer’s and any other user’s access to any portion or all of the Software Services if: (i) Nayya reasonably determines that (a) there is a threat or attack on any of the Software Services; (b) Customer’s or any other user’s use of the Software Services disrupts or poses a security risk to the Software Services or to any other customer or vendor of Nayya; (c) Customer or any other user is using the Software Services for fraudulent or illegal activities; (d) subject to applicable law, Customer has ceased to continue its business in the ordinary course, made an assignment for the benefit of creditors or similar disposition of its assets, or becomes the subject of any bankruptcy, reorganization, liquidation, dissolution, or similar proceeding; or (e) Nayya’s provision of the Software Services to Customer or any other user is prohibited by applicable law; (ii) any vendor of Nayya has suspended or terminated Nayya’s access to or use of any third-party services or products required to enable Customer to access the Software Services; or (iii) Customer fails to make a timely payment hereunder (any such suspension described in subclause (i), (ii), or (iii), a “Service Suspension”). Nayya will use commercially reasonable efforts to provide written notice of any Service Suspension to Customer and to provide updates regarding resumption of access to the Software Services following any Service Suspension. Nayya will use commercially reasonable efforts to resume providing access to the Software Services as soon as reasonably possible after the event giving rise to the Software Services Suspension is cured. Nayya will have no liability for any damage, liabilities, losses (including any loss of or profits), or any other consequences that Customer or any other user may incur as a result of a Service Suspension.

  2. CONFIDENTIALITY

    1. Each party (the “Receiving Party”) understands that the other party (the “Disclosing Party”) has disclosed or may disclose business, technical or financial information relating to the Disclosing Party’s business (hereinafter referred to as “Confidential Information” of the Disclosing Party). Confidential Information of Nayya includes non-public information regarding features, functionality and performance of the Implementation Services or the Software Services. Confidential Information of Customer includes non-public data provided by Customer to Nayya to enable the provision of the Implementation Services or the Software Services (“Customer Data”). Confidential Information does not include information that, at the time of disclosure is: (i) in the public domain; (ii) known to the Receiving Party; (iii) rightfully obtained by the Receiving Party on a non-confidential basis from a third party; or (iv) independently developed by the Receiving Party. The Receiving Party shall not disclose the Disclosing Party’s Confidential Information to any person or entity, except to the Receiving Party’s employees, agents, or subcontractors who have a need to know the Confidential Information for the Receiving Party to exercise its rights or perform its obligations hereunder. Notwithstanding the foregoing, each party may disclose Confidential Information to the limited extent required (i) to comply with the order of a court or other governmental body, or as otherwise necessary to comply with applicable law, provided that the party making the disclosure pursuant to the order shall first have given written notice to the other party and made a reasonable effort to obtain a protective order; or (ii) to establish a party’s rights under this Agreement, including to make required court filings

  3. FEES; PAYMENT TERMS

    1. Fees. Customer agrees to pay all fees required under the applicable Order Form, and no later than thirty (30) days following receipt of Nayya’s invoice. Nayya may choose to bill through an invoice either by e-mail or mail. Nayya may change the fees described on the Order Form at the end of the then-current Service Term by providing no less than forty five (56) days’ notice in advance of the end of the then existing term.

    2. Late Payments. Unpaid amounts are subject to a finance charge of 1.5% per month on any outstanding balance, or the maximum permitted by law, whichever is lower.

    3. Excess Lives. Nayya may request and Customer will promptly provide a census file. Upon receipt of Customer’s census file(s), Nayya may invoice Customer or such other designee for the number of lives that exceed the amount indicated in the Order Form on a pro rata basis and update the Order Form during subsequent renewals to account for the increased number of lives.

    4. Data Connection Fees. During the Service Term and to the extent available, Customer may elect for a third-party administrator (the “TPA”) to provide data directly to Nayya in connection with the Software Services. To the extent that the fees of a data connection with the TPA are not specified on the Order Form, Customer agrees to pay such fees to Nayya in accordance with Section 3.1 above.

    5. Taxes. All fees are exclusive of taxes. If Customer is required to pay or collect any federal, state, local, value added, or any similar tax by any government authority, then such taxes will be billed to and paid by Customer or such other designee within the thirty (30) days.

  4. TERM AND TERMINATION

    1. Term. The term of the Agreement is coterminous with the Service Term, unless terminated or not renewed in accordance with the express provisions of this Agreement.

    2. Termination for Breach. Either party may terminate this Agreement if the other party breaches any of the terms or conditions of this Agreement and fails to cure such breach within thirty (30) days of receiving notice thereof.

    3. Effect of Termination. All rights granted to Customer hereunder will immediately terminate upon any expiration or termination of this Agreement. No termination of this Agreement will result in any refund of any fees paid by Customer under an Order Form, or otherwise relieve Customer of its obligations to pay all committed fees required under any Order Form. Notwithstanding any other provision of this Agreement, Sections 1.4, 1.5, 2, 3.1, 4.2, 5, 6, 7, 8, 9, and the BAA and all rights and obligations thereunder, will survive the expiration or any termination of this Agreement and will continue in perpetuity, unless such provisions expire or terminate by their terms.

    4. Renewals. The Service Term automatically renews for successive one (1) year terms unless either party provides written notice of non-renewal to the other party at least ninety (90) days in advance of the end of the then existing term.

  5. OWNERSHIP; CUSTOMER DATA; DATA SECURITY

    1. Ownership. As between the parties, (i) Nayya owns all right, title, and interest, including all intellectual property rights, in and to the Software Services and (ii) Customer owns all right, title, and interest, including all intellectual property rights, in and to Customer Data. If Customer or any of its employees, contractors, or agents sends or transmits any communications or materials to Nayya suggesting or recommending changes to the Software Services, new features or functionality relating thereto, or any comments, questions, suggestions, or the like (“Feedback”), Nayya is free to use such Feedback irrespective of any other obligation or limitation between Customer and Nayya governing such Feedback. All Feedback is and will be treated as non-confidential. Customer hereby assigns to Nayya on its behalf, and will cause its employees, contractors, and agents to assign, all right, title, and interest in, and Nayya is free to use, without any attribution or compensation to Customer or any third party, any ideas, know-how, concepts, techniques, or other intellectual property rights contained in the Feedback, for any purpose whatsoever, although Nayya is not required to use any Feedback.

    2. Customer Data. Customer hereby grants to Nayya a non-exclusive, royalty-free, worldwide license to reproduce, distribute, and otherwise use and display the Customer Data and perform all acts with respect to the Customer Data as may be necessary for Nayya to provide the Software Services. Customer represents and warrants that it has obtained all consents and provided all notices required by applicable law in connection with the collection, processing, and use of Customer Data, including Nayya’s use thereof. Notwithstanding anything to the contrary, Nayya will have the right to collect and analyze data and other information relating to the provision, use and performance of various aspects of the Implementation Services or the Software Services and related systems and technologies (including, without limitation, information concerning Customer Data and data derived therefrom), and Nayya will be free (during and after the Service Term) to (i) use such information and data to improve and enhance the Implementation Services or the Software Services and for other development, diagnostic and corrective purposes in connection with the Implementation Services, the Software Services and other Nayya offerings; and (ii) disclose such data solely in aggregate or other de-identified form in connection with its business. No rights or licenses are granted except as expressly set forth herein.

    3. Data Security. In providing the Software Services, Nayya shall act in accordance with the Data Security Commitments available at nayya.com/data-security-addendum.

  6. LIMITATIONS OF LIABILITY

    IN NO EVENT WILL EITHER PARTY BE LIABLE TO THE OTHER PARTY FOR ANY INDIRECT, SPECIAL, EXEMPLARY, PUNITIVE, INCIDENTAL OR CONSEQUENTIAL COSTS OR DAMAGES (INCLUDING, WITHOUT LIMITATION, DOWNTIME COSTS, LOST BUSINESS, REVENUES OR PROFITS, FAILURE TO REALIZE EXPECTED SAVINGS, LOSS OF OR DAMAGE TO DATA, OR SOFTWARE RESTORATION), WHETHER OR NOT A PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. EACH PARTY’S TOTAL AGGREGATE LIABILITY TO THE OTHER PARTY UNDER THIS AGREEMENT IS LIMITED TO THE AMOUNTS PAID BY CUSTOMER IN THE ONE YEAR PERIOD PRECEDING THE DATE ON WHICH THE CAUSE OF ACTION GIVING RISE TO SUCH LIABILITY AROSE. NAYYA IS NOT RESPONSIBLE FOR ANY DAMAGES RESULTING FROM DELAYS, DELIVERY FAILURES OR OTHER SIMILAR PROBLEMS. THE FOREGOING CAP ON LIABILITY WILL NOT APPLY TO LIABILITY FOR (1) DEATH OR PERSONAL INJURY CAUSED BY NAYYA’S NEGLIGENCE; OR FOR (2) ANY INJURY CAUSED BY NAYYA’S FRAUD OR FRAUDULENT MISREPRESENTATION.

  7. DISCLAIMER

    NAYYA MAKES NO WARRANTIES OR REPRESENTATIONS, EXPRESS, STATUTORY, IMPLIED, OR OTHERWISE, WITH RESPECT TO THE SOFTWARE SERVICES, THE IMPLEMENTATION SERVICES, OR ANYTHING ELSE, AND NAYYA HEREBY DISCLAIMS THE IMPLIED WARRANTIES OF TITLE, NONINFRINGEMENT, MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. WITHOUT LIMITING THE FOREGOING, NAYYA DOES NOT WARRANT THAT THE SOFTWARE SERVICES WILL BE UNINTERRUPTED OR ERROR FREE.

  8. FORCE MAJEURE

    In no event will either party be liable to the other party or be deemed to have breached this Agreement, for any failure or delay in performing its obligations under this Agreement, (except for any obligations to make payments) if and to the extent such failure or delay is caused by any circumstances beyond such party’s reasonable control, including but not limited to: (i) acts of God; (ii) flood, fire, earthquake, or explosion; (iii) war, invasion, hostilities (whether war is declared or not), terrorist threats or acts, riot or other civil unrest; (iv) government order, law, or actions; (v) embargoes or blockades in effect on or after the date of this Agreement; (vi) national or regional emergency; (vii) strikes, labor stoppages or slowdowns, or other industrial disturbances; (viii) internet, electronic communications, and remote computing services; and (ix) shortage of adequate power or transportation facilities.

  9. MISCELLANEOUS

    This Agreement will be governed by the laws of the State of New York, without giving effect to any conflict of law provisions. Each party consents to the exclusive jurisdiction and venue of the appropriate courts in New York, New York for all disputes arising out of or relating to this Agreement. This Agreement is not assignable, transferable or sub-licensable by Customer except with Nayya’s prior written consent. Nayya may transfer and assign any of its rights and obligations under this Agreement without Customer consent. The parties are independent contractors. If any provision of this Agreement is found to be unenforceable or invalid, that provision will be limited or eliminated to the minimum extent necessary so this Agreement will otherwise remain in full force and effect and enforceable. This Agreement is the complete and exclusive statement of the mutual understanding of the parties and supersedes and cancels all previous written and oral agreements, communications and other understandings relating to the subject matter of this Agreement, and that all waivers and modifications must be in a writing signed by both parties. Nayya reserves the right to update the terms and conditions of this Agreement at the end of the Service Term and each subsequent renewal. Nayya will make the updated terms and conditions available at least one hundred and twenty (120) days in advance of the then existing term. All notices will be in writing and will be deemed to have been duly given when received, if personally delivered; when receipt is electronically confirmed, if transmitted by facsimile or e-mail; the day after it is sent, if sent for next day delivery by recognized overnight. Nayya will have the right to use Customer’s logo in business development and marketing materials.

TECHNICAL REQUIREMENTS & IMPLEMENTATION PLANNING COMPONENTS

Deployment for Nayya Products Choose and/or Use
Configuration Requirements for Nayya Products Choose and/or Use*
  • Overview: Nayya’s products are configured using Employee Census Data, Plan Metadata, and Employee Enrollment data. In order to configure, Nayya requires plan information in .csv or .xlsx format.
    • Requirements:
      • Plan Metadata
      • Plan Name
      • Plan Type
      • Plan Eligibility by Class
      • Carrier Name
      • Carrier ID
        • Schedule of Benefits and Coverage Metadata
          • E.g. deductible, coinsurance, pcp visit, specialist visit, etc. (can provide full exhaustive list of attributes needed, on request)
        • Org/Group data consumable
          • Group Name
          • Address
          • Employee Classes
          • Other relevant group level metadata
        • Census Data
        • Member level data consumable
          • First Name
          • Last Name
          • Email
          • Election summary
          • DOB
          • Last 4 SSN
          • Address
          • Member ID
          • Group ID
          • Employee Class
          • Payer/Carrier Name
          • Other relevant demographic fields
        • Employee Enrollment Data
        • Member level enrollment decisions

*Plan metadata are commonly found in employer’s benefit administration platform reports, and census data are commonly found in employer’s payroll reports.

BUSINESS ASSOCIATE ADDENDUM

To the extent the terms and conditions set forth in this Addendum conflict with other terms and conditions set forth in the Agreement, the terms and conditions of this Addendum shall govern and control.

WHEREAS, Nayya is considered a business associate (“Business Associate”) of Customer (“Covered Entity”) and has entered into an agreement with Covered Entity for the purposes of performing certain services for Covered Entity under the Agreement;

WHEREAS, pursuant to the Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (the “Act”) and the “Health Information Technology for Economic and Clinical Health Act,” part of the “American Recovery and Reinvestment Act of 2009” (“HITECH Act”), the Department of Health and Human Services (“HHS”) has promulgated regulations at 45 C.F.R. Parts 160-64, including regulations implementing certain privacy requirements (the “Privacy Rule”), certain security requirements regarding electronic media (“Security Rule”) and certain breach notification requirements (“Breach Notification Rule”), each as amended from time to time (the Act, HITECH Act, the Privacy Rule, the Security Rule and the Breach Notification Rule referred to collectively herein as “HIPAA”);

WHEREAS, Business Associate may receive, maintain, retain, record, store, transmit, hold, use and/or disclose Protected Health Information (as defined below) in conjunction with the services being provided under the Agreement, thus necessitating a written agreement that meets applicable requirements of the Privacy Rule and the Security Rule, and making advisable certain additional agreements regarding HIPAA; and

WHEREAS, Business Associate and Covered Entity desire to satisfy the foregoing Privacy Rule and Security Rule requirements through this Addendum, and otherwise to address related matters regarding HIPAA on the terms and conditions set forth herein.

NOW THEREFORE, in consideration of the mutual agreements and undertakings of the parties, and for other good and valuable consideration the sufficiency of which is hereby acknowledged, the parties, intending to be legally bound, hereby agree as follows:

  1. Definitions

    The following terms shall have the following meaning when used in this Agreement:

    1. “Breach” shall have the same meaning as the term “breach” in 45 C.F.R. § 164.402.

    2. “Designated Record Set” shall have the same meaning as the term “designated record set” in 45 C.F.R. § 164.501.

    3. “Electronic Protected Health Information” shall mean Protected Health Information that is “electronic protected health information” as defined in 45 C.F.R. § 160.103.

    4. “Individual” shall have the same meaning as the term “individual” in 45 C.F.R. §160.103 and shall include a person who qualifies as a personal representative in accordance with 45 C.F.R. §164.502(g).

    5. “Protected Health Information” shall have the same meaning as the term “protected health information” in 45 C.F.R. § 160.103, except limited to the information received from Covered Entity, or created, maintained or received on behalf of Covered Entity.

    6. “Unsecured Protected Health Information” shall mean Protected Health Information that is “unsecured protected health information” as defined in 45 C.F.R. § 164.402.

    7. “Required By Law” shall have the same meaning as the term “required by law” in 45 C.F.R. § 164.103.

    8. “Secretary” shall mean the Secretary of HHS or the designee of the Secretary of HHS.

    9. “Subcontractor” shall have the same meaning as the term “subcontractor” in 45 C.F.R. §160.103, except limited to any such individual or entity who creates, receives, maintains, or transmits Protected Health Information on behalf of Business Associate.

Any capitalized term not specifically defined herein shall have the same meaning as is set forth in 45 C.F.R. Parts 160 and 164, where applicable. The terms “use,” “disclose” and “discovery,” or derivations thereof, although not capitalized, shall also have the same meanings set forth in HIPAA.

  1. Obligations and Activities of Business Associate:

    1. Business Associate agrees to not use or disclose Protected Health Information other than as permitted or required by this Addendum or as Required By Law.

    2. Business Associate agrees use appropriate safeguards and comply, where applicable, with Subpart C of 45 C.F.R. Part 164 with respect to Electronic Protected Health Information, to prevent use or disclosure of the Protected Health Information other than as provided for by this Addendum.

    3. Business Associate agrees to report to the Covered Entity any use or disclosure of Protected Health Information not provided for by this Addendum, including, without limitation, Breaches of Unsecured Protected Health Information as required at 45 C.F.R. 164.410, and any Security Incident of which it becomes aware. The parties acknowledge and agree that this Section 2(c) constitutes notice by Business Associate to Covered Entity of the ongoing existence and occurrence of attempted but unsuccessful Security Incidents for which no additional notice to Covered Entity shall be required. Unsuccessful Security Incidents shall include, but not be limited to, pings and other broadcast attacks on Business Associate’s firewall, port scans, unsuccessful log-on attempts, denials of service and any combination of the above, so long as such incidents do not result, to the extent Business Associate is aware, in unauthorized access, use or disclosure of Electronic Protected Health Information.

    4. In accordance with 45 C.F.R. 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, Business Associate agrees to ensure that any Subcontractors that create, receive, maintain, or transmit Protected Health Information on behalf of Business Associate agree in writing to the same restrictions, conditions, and requirements that apply to Business Associate under this Agreement with respect to such Protected Health Information.

    5. Business Associate agrees to make available Protected Health Information in a Designated Record Set to Covered Entity as necessary to satisfy Covered Entity’s obligations under 45 C.F.R. § 164.524.

    6. Business Associate agrees to make any amendment(s) to Protected Health Information in a Designated Record Set as directed or agreed to by the Covered Entity pursuant to 45 C.F.R. § 164.526, or take other measures as necessary to satisfy Covered Entity’s obligations under 45 C.F.R. § 164.526.

    7. Business Associate agrees to maintain and make available the information required to provide an accounting of disclosures to Covered Entity as necessary to satisfy Covered Entity’s obligations under 45 C.F.R. § 164.528.

    8. To the extent that Business Associate is to carry out one or more of Covered Entity’s obligations under Subpart E of 45 C.F.R. Part 164, Business Associate agrees to comply with the requirements of Subpart E that apply to Covered Entity in the performance of such obligations.

    9. Business Associate agrees to make its internal practices, books, and records available to the Secretary for purposes of determining compliance with HIPAA.

  1. Permitted Uses and Disclosures by Business Associate:

    1. Business Associate may only use or disclose Protected Health Information as necessary to perform the Services Agreement. In addition, Business Associate is authorized to use Protected Health Information to de-identify the Protected Health Information in accordance with 45 C.F.R. 164.502(d) and 164.514(a)-(c).

    2. Business Associate may use or disclose Protected Health Information as permitted or Required By Law.

    3. Business Associate agrees to make uses and disclosures and requests for Protected Health Information consistent with Covered Entity’s minimum necessary policies and procedures.

    4. Business Associate may not use or disclose Protected Health Information in a manner that would violate Subpart E of 45 C.F.R. Part 164 if done by Covered Entity, except for the specific uses and disclosures set forth in subsections (e), (f) and (g), below.

    5. Business Associate may use Protected Health Information for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate.

    6. Business Associate may disclose Protected Health Information for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate, provided the disclosures are Required By Law, or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that the information will remain confidential and used or further disclosed only as Required By Law or for the purposes for which it was disclosed to the person, and the person notified Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.

    7. Business Associate may provide Data Aggregation services relating to the Health Care Operations of Covered Entity.

  1. Obligations of Covered Entity:

    1. Covered Entity shall notify Business Associate of any limitation(s) in the notice of privacy practices of Covered Entity under 45 C.F.R. 164.520, to the extent that such limitation may affect Business Associate’s use or disclosure of Protected Health Information.

    2. Covered Entity shall notify Business Associate of any changes in, or revocation of, the permission by an Individual to use or disclose his or her Protected Health Information, to the extent that such changes may affect Business Associate’s use or disclosure of Protected Health Information.

    3. Covered Entity shall notify Business Associate of any restriction on the use or disclosure of Protected Health Information that Covered Entity has agreed to or is required to abide by under 45 C.F.R. 164.522, to the extent that such restriction may affect Business Associate’s use or disclosure of Protected Health Information.

    4. Except with respect to uses and disclosures by Business Associate of Protected Health Information under Sections 3(e), 3(f) and 3(g), above, Covered Entity shall not request Business Associate to use or disclose Protected Health Information in any manner that would not be permissible under Subpart E of 45 C.F.R. Part 164 if done by Covered Entity

  1. Term and Termination:

    1. Term. The Term of this Addendum shall commence as of the effective date of the Agreement and shall terminate upon the termination of the Agreement or on the date Covered Entity terminates this Addendum for cause as authorized in subsection (b) of this Section 5, whichever is sooner.

    2. Termination for Cause. Business Associate authorizes termination of this Addendum by Covered Entity upon written notice to Business Associate if Covered Entity determines Business Associate has violated a material term of this Addendum and Business Associate has not cured the breach or ended the violation within thirty (30) days of Covered Entity providing written notice thereof to Business Associate.

    3. Obligations of Business Associate Upon Termination. Upon termination of this Agreement for any reason, Business Associate shall:

      1. Retain only that Protected Health Information which is necessary for Business Associate to continue its proper management and administration or to carry out its legal responsibilities;

      2. Return to Covered Entity or Covered Entity’s designee (to the extent permitted by HIPAA), or, if agreed to by Covered Entity, destroy the remaining Protected Health Information that the Business Associate still maintains in any form;

      3. Continue to use appropriate safeguards and comply with Subpart C of 45 C.F.R. Part 164 with respect to Electronic Protected Health Information to prevent use or disclosure of the Protected Health Information, other than as provided for in this Section, for as long as Business Associate retains Protected Health Information;

      4. Not use or disclose Protected Health Information retained by Business Associate other than for the purposes for which such Protected Health Information was retained and subject to the same conditions set out at Section 3 (e) and (f), above, which applied prior to termination; and

      5. Return to Covered Entity, or, if agreed to by Covered Entity, destroy Protected Health Information retained by Business Associate when it is no longer needed by Business Associate for its proper management and administration or to carry out its legal responsibilities.

    4. Survival. The obligations of Business Associate under this Section 5 shall survive the termination of this Addendum.

  1. Miscellaneous:

    1. Regulatory References. A reference in this Addendum to a section in the Privacy Rule, the Security Rule, or to another provision of HIPAA means the provision as in effect or as amended.

    2. Amendment. The parties agree to take such action as is necessary to amend this Addendum from time to time as is necessary for the Covered Entity to comply with the requirements of the HIPAA and any other applicable law.

    3. Interpretation. Any ambiguity in this Addendum shall be resolved to permit compliance with HIPAA.

    4. Governing Law and Disputes. The construction, interpretation and performance of this Addendum and all transactions under this Addendum shall be governed and enforced pursuant to the laws of the State of New York, without giving effect to its conflicts of laws provisions, except to the extent New York law is preempted by any provision of federal law, including HIPAA. The Parties agree that all disputes arising out of or relating to this Addendum will be subject to mandatory binding arbitration under the rules of Judicial Administration and Arbitration Services (“JAMS”) in effect at the time of submission, as modified by this Section 6(d). The arbitration will be heard and determined by a single arbitrator selected by mutual agreement of the Parties, or, failing agreement within thirty (30) days following the date of receipt by the respondent of the claim, by JAMS. Such arbitration will take place in New York NY. The arbitration award so given will be a final and binding determination of the dispute, and will be fully enforceable in any court of competent jurisdiction. Except in a proceeding to enforce the results of the arbitration or as otherwise required by law, neither Party nor any arbitrator may disclose the existence, content or results of any arbitration hereunder without the prior written agreement of both Parties.

    5. No Third Party Beneficiary. Nothing express or implied in this Addendum is intended to confer, nor shall anything herein confer, upon any person other than the parties and the respective successors or assigns of the parties, any rights, remedies, obligations, or liabilities whatsoever

    6. Controlling Provisions. In the event that it is impossible to comply with both the Agreement and this Addendum, the provisions of this Addendum shall control with respect to those provisions of each agreement that expressly conflict. This Addendum shall supersede and replace any prior business associate agreements between the parties, with respect to any actions of Business Associate after the Effective Date.

    7. Effect. This Addendum shall be binding upon, and shall inure to the benefit of, the parties hereto and their respective successors, assigns, heirs, executors, administrators and other legal representatives.

    8. Severability. In the event any provision of this Addendum is rendered invalid or unenforceable under any new or existing law or regulation, or declared null and void by any court of competent jurisdiction, the remainder of the provisions of this Addendum shall remain in full force and effect if it reasonably can be given effect.

    9. Notices. Any notice, consent, request or other communication required or permitted under this Addendum shall be in writing and delivered personally by hand delivery or overnight delivery by a nationally recognized service. Notice that is sent by overnight courier shall be deemed given one (1) business day after it is dispatched, provided that receipt is acknowledged. All notices shall be addressed as follows:

      If to the Covered Entity: Please see Order Form.

      If to Business Associate:

      Nayya Health, Inc.
      57 E 11th Street, 4th Floor
      New York, NY 10003

      Attention: VP of Legal & Business Affairs

DATA SECURITY ADDENDUM

To the extent the terms and conditions set forth in this Addendum conflict with other terms and conditions set forth in the Agreement, the terms and conditions of this Addendum shall govern and control.

  1. DEFINITIONS

    1. “Applicable Laws” shall mean all laws or regulations relating to privacy, data protection, confidentiality, security, integrity and protection of Personal Information, including federal and state, as applicable.

    2. “Authorized Persons” means (i) Nayya’s employees who need to access Covered Information to enable Nayya to perform its obligations under the Agreement; and (ii) contractors and agents of Nayya who need to access Covered Information to enable Nayya to perform its obligations under the Agreement.

    3. “Breach” shall mean a breach of Nayya’s security leading to a material accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, the Customer’s Personal Information

    4. “Covered Information” means Personal Information and Proprietary Information collectively.

    5. “Personal Information” means any information provided to Nayya by the Customer (or received by Nayya in the course of Nayya’s performance under the Agreement) that identifies or can be used to identify an individual (including, without limitation, names, signatures, addresses, telephone numbers, email addresses and other unique identifiers).

    6. “Proprietary Information” refers to either Party’s internal business information that is not generally known to the public, including, without limitation, trade secrets, policies, procedures, customer lists, vendor lists, business plans, and financial information.

  2. PROTECTION OF COVERED INFORMATION

    1. Nayya acknowledges that its performance of its obligations under the Agreement may involve access to or receipt of the Customer’s Covered Information. Nayya shall hold the Customer’s Covered Information, and any information derived from such information, using at least the same standard of care Nayya uses to protect its own valuable confidential information of like kind, and in no event less than the standard of care used to protect data of similar kind customary in Nayya’s industry.

    2. To the extent the Customer receives or accesses any Nayya Covered Information, the Customer agrees to protect such Nayya Covered Information using at least the same standard of care the Customer uses to protect its own valuable confidential information of like kind.

    3. Nayya shall not access, use or disclose the Customer’s Covered Information except in accordance with the Agreement, as authorized by the Customer or its employees, or as required by Applicable Laws. If ordered by a court of competent jurisdiction or an administrative body to disclose the Customer’s Covered Information, Nayya will notify the Customer in writing without undue delay upon receiving notice of such requirement and prior to any such disclosure.

    4. Nayya shall comply with all Applicable Laws in its access, use, storage, transfer, and disclosure of the Customer’s Covered Information.

    5. Nayya shall not transmit, transport or store Covered Information outside North America, except with the prior written consent of the Customer.

  3. DATA SECURITY

    1. Nayya shall ensure that its security measures are reviewed on no less than an annual basis and revised as necessary or appropriate to address evolving threats and vulnerabilities.

    2. Nayya shall implement commercially reasonable administrative, physical and technical safeguards to protect the Customer’s Covered Information from unauthorized access.

    3. Nayya will provide training on a range of information security topics, including, but not limited to phishing and social engineering, passwords, and removable media to Nayya personnel to educate such Nayya personnel about information security industry standards and best practices.

    4. Within 30 days of receipt of a written request from the Customer or Customer employee, Nayya shall delete the Customer’s Covered Information provided by the Customer or Customer employee, unless Nayya is required to maintain such information to comply with its legal or regulatory obligations, in which case Nayya shall destroy such data once it is no longer needed for legal or regulatory compliance purposes.

  4. BREACHES OF COVERED INFORMATION

    1. Nayya shall (i) report any Breach to the Customer without undue delay after Nayya discovers a Breach has occurred and (ii) take appropriate measures to address the Breach, including measures to mitigate any adverse effects resulting from the Breach. Nayya shall keep the Customer informed of the progress of its investigation.

    2. Notifications made pursuant to this Section 4 (Breaches of Covered Information) will describe, in Nayya’s discretion, details of the Breach, including steps taken to mitigate the potential risks and steps Nayya recommends Customer take to address the Breach.

    3. Customer is solely responsible for complying with incident notification laws applicable to Customer and carrying out any third-party notification obligations related to any Breach(es).

  5. INDEMNITY AND INSURANCE

    1. Nayya shall defend, indemnify and hold harmless the Customer from liabilities, costs, losses, damages and expenses from any third-party claim against the Customer arising out of or resulting from Nayya’s gross negligence or willful failure to comply with any of its obligations under this Addendum, including its obligations to protect the Customer’s Covered Information. In no event will Nayya’s total collective liability under this clause exceed the aggregate fees paid or owed by the Customer for services rendered pursuant to the Agreement in the last twelve (12) months.

    2. At all times during the term of the Agreement, Nayya shall maintain professional liability or errors and omissions (“E&O”) insurance, which shall include security and privacy liability, and cyber coverages (separately, or as part of the professional liability or E&O insurance coverage), covering Nayya for claims and losses resulting from actual or alleged wrongful acts committed in the performance of or failure to perform all services or support services to the Customer.

  6. MISCELLANEOUS

    1. The terms and conditions set forth in this Addendum shall survive the expiration or other termination of the Agreement between the parties for as long as Nayya retains Covered Information on behalf of Customer.

    2. A failure or delay in exercising any right in respect to this Addendum shall not be presumed to operate as a waiver, and a single or partial exercise of any right shall not be presumed to preclude any subsequent or further exercise of that right or the exercise of any other right.