This Master Subscription and Services Agreement (“MSSA”) is entered into by and between Iodine Software, LLC (“Iodine”), a Texas limited liability
company, with its principal place of business at 6850 Austin Center Blvd., Ste. 230, Austin, Texas, 78731, and Customer. For purposes of this MSSA,
“Customer” shall mean the entity ordering the Software or Services. This MSSA includes any orders separately executed by the parties, and any
attachments or exhibits, each of which is incorporated herein by reference (collectively the “Agreement”). The Agreement sets forth the terms and
conditions under which Customer may Use Iodine’s proprietary software (“Software”) that is specifically licensed to Customer pursuant to an order
(each an “Order”).
LICENSE GRANT AND RIGHT OF USE
- License Grant. Any Software licensed shall be licensed pursuant to an Order. Each such license shall be a limited, United States, nonexclusive and nontransferable subscription to use only the object code version of the Software and subject to all limitations and restrictions contained herein and in the Order (“Use”). Web access for permitted third parties’ Use shall be defined in the applicable Order if such access is to be permitted under this Agreement or an Order.
- Use. Individuals authorized under the applicable Order to Use the Software (“Authorized Users”) may Use the Software solely to support Customer’s own internal operations. Individuals who access the Software, directly or indirectly, whether via an Iodine provided interface or otherwise, and/or cause the Software to perform any functions must be Authorized Users. Neither Customer nor any third party authorized by Customer shall (i) access the Software to process, or permit to be processed, the data of any other party; or (ii) access the Software for service bureau or commercial time-sharing use. If the Software licensed under an Order is to be accessed by a computer connected to the Internet, as authorized in the applicable Order, Customer shall not allow any web site that is not fully owned by Customer, to frame, syndicate, distribute, replicate, or copy any portion of Customer’s web site that provides direct or indirect access to the Software. Unless otherwise expressly permitted in the Order and subject to Section 1.3 below, Customer shall not permit any third parties to access the Software.
- Authorized Users. Unless otherwise specifically provided in the Order, Authorized Users shall only consist of employees of Customer, Customer’s authorized contractors/agents who are mutually agreed upon and are not competitors of Iodine, and physicians on Customer’s medical staff on behalf of Customer.
- Additional Restrictions. In no event shall Customer disassemble, decompile, or reverse engineer the Software or Confidential Information (as defined below) or permit others to do so. Disassembling, decompiling, and reverse engineering include, without limitation: (i) converting the Software from a machine-readable form into a human-readable form; (ii) disassembling or decompiling the Software by using any means or methods to translate machine-dependent or machine-independent object code into the original human-readable source code or any approximation thereof; (iii) examining the machine-readable object code that controls the Software’s operation and creating the original source code or any approximation thereof by, for example, studying the Software’s behavior in response to a variety of inputs; or (iv) performing any other activity related to the Software that could be construed to be reverse engineering, disassembling, or decompiling. To the extent any such activity may be permitted pursuant to written agreement, the results thereof shall be deemed Confidential Information subject to the requirements of this Agreement. Customer may use Iodine’s Confidential Information solely in connection with the Software and pursuant to the terms of this Agreement.
PAYMENT
- Fees. Unless otherwise provided in the Order, Iodine may invoice Customer for all license fees and all other charges due thereunder immediately following the Order Effective Date (as defined in the applicable Order). Customer shall reimburse Iodine for all reasonable travel, food, lodging and other out-of-pocket expenses incurred in performance hereunder.
- Payment Due Date. Unless otherwise provided in the applicable Order, all invoices shall be payable by Customer in United States dollars and payment shall be due thirty (30) days after the invoice date. If payment is overdue by at least ten (10) days, and not disputed by Customer in good faith and in written detail, Iodine may immediately suspend the Software or Services on written notice.
- Purchase Orders. Unless otherwise described in the applicable Order, Customer agrees to provide Iodine with a valid purchase order, immediately upon execution of an Order. Notwithstanding anything to the contrary herein, purchase orders are to be used solely for Customer’s accounting purposes and any terms and conditions contained therein shall be deemed null and void with respect to the parties’ relationship and this Agreement. Customer’s failure to issue a purchase order or provide such purchase order to Iodine shall in no way relieve Customer of any obligation entered into pursuant to this Agreement or any Order including, but not limited to, its obligation to pay Iodine in a timely fashion.
- Taxes. All amounts required to be paid hereunder do not include any amount for taxes or levy (including interest and penalties). Customer shall reimburse Iodine and hold Iodine harmless for all sales, use, VAT, excise, property or other taxes or levies which Iodine is required to collect or remit to applicable tax authorities. This provision does not apply to Iodine’s income or franchise taxes, or any taxes for which Customer is exempt, provided Customer has furnished Iodine with a valid tax exemption certificate.
- Late Payments. Any late payment shall be subject to any costs of collection (including reasonable legal fees) and shall bear interest at the rate of one and one-half percent (1.5%) per month (prorated for partial periods) or at the maximum rate permitted by law, whichever is less.
SUPPORT AND ENHANCEMENT SERVICES
- Exclusions. In no event shall Iodine have any obligation to provide support and enhancement services for Software that has been modified without Iodine’s prior written approval.
- Other Products. For clarification, support and enhancement services do not provide rights to other products that are not listed in an applicable Order. Such other products would be subject to mutual negotiation and execution of a separate agreement and payment of an additional license fee for such new product.
- Beta or Pre-Release Products. If any of the accessed Services or Software has been designated as a “beta” limited release, early access, preview, prototype, pilot or with similar designation (“Pre-Release”) then Customer’s use of the Pre-Release Services or Software is subject to the terms available at: https://iodinesoftware.com/legal/prereleaseterms/.
- Third Parties. Iodine shall have the right to use third parties, including employees of Iodine’s affiliates and subsidiaries (the “Subcontractors”) in performance of its obligations and services hereunder and, for purposes of this Section, all references to Iodine or its employees shall be deemed to include such Subcontractors.
PROFESSIONAL SERVICES
- Professional Services. Customer may receive professional services (“Services”) identified on mutually agreed upon statements of work referencing this Agreement (“Statement of Work”). Customer may use any items developed and/or delivered solely by Iodine and paid for by Customer pursuant to a Statement of Work (“Deliverables”) for use as described herein.
- Statement of Work. Each Statement of Work shall define the Services to be provided to Customer, the applicable pricing, Deliverables to be created thereunder, Customer deliverables and obligations, and all other appropriate terms and conditions. Iodine will not be obligated to begin any Services unless a Statement of Work governing such Services has been executed by both parties.
- General Disclaimer. The Services do not include medical advice of any kind. The Services do not include coding or billing advice of any kind. Customer and its resources are responsible for exercising their judgment and ensuring they act in a manner compliant with Customer’s policies and all applicable federal and state laws and regulations including, but not limited to, all authorities governing the coding and submission of claims for reimbursement to Medicare, Medicaid, and other government health care programs.
- Customer Obligations. The Customer’s employees are responsible for compliant and ethical practice at all times. Any and all information provided as part of the Services is provided strictly as education and is not meant to be taken as direction to practice.
CONFIDENTIALITY AND OWNERSHIP
- Definition. “Confidential Information” includes all information marked as described herein and disclosed by either party, before or after the Effective Date, and generally not publicly known, whether tangible or intangible and in whatever form or medium provided, as well as any information generated by a party that contains, reflects, or is derived from such information.
- Confidentiality of Materials. All Confidential Information in tangible form shall be marked as “Confidential” or the like or, if intangible (e.g. orally disclosed), shall be designated as being confidential at the time of disclosure and shall be confirmed as such in writing within thirty (30) days of the initial disclosure. Notwithstanding the foregoing, the following is deemed Iodine Confidential Information with or without such marking or written confirmation: (i) the Software and other related materials furnished by Iodine; (ii) the oral and visual information relating to the Software; and (iii) this Agreement and the terms and conditions of the Order.
- Exceptions. Without granting any right or license, the obligations of the parties hereunder shall not apply to any material or information that: (i) is or becomes a part of the public domain through no act or omission by the receiving party; (ii) is independently developed by the receiving party without use of the disclosing party’s Confidential Information; (iii) is rightfully obtained from a third party without any obligation of confidentiality to the disclosing party; or (iv) is already known by the receiving party without any obligation of confidentiality prior to obtaining the Confidential Information from the disclosing party. In addition, neither party shall be liable for disclosure of Confidential Information if made in response to a valid order of a court or authorized agency of government, provided that notice is promptly given to the party whose Confidential Information is to be disclosed so that such party may seek a protective order and engage in other efforts to minimize the required disclosure. The parties shall cooperate fully in seeking such protective order and in engaging in such other efforts.
- Ownership of Confidential Information. Nothing in this Agreement or the Order shall be construed to convey any title or ownership rights to the Software or other Iodine Confidential Information to Customer or to any patent, copyright, trademark, or trade secret embodied therein, or to grant any other right, title, or ownership interest in the Iodine Confidential Information. Nothing in this Agreement or the Order shall be construed to convey any title or ownership rights to Customer’s Confidential Information to Iodine or to any patent, copyright, trademark, or trade secret embodied therein, or to grant any other right, title, or ownership interest in the Customer Confidential Information. Neither party shall, in whole or in part, sell, lease, license, assign, transfer, or disclose the Confidential Information to any third party and shall not copy, reproduce or distribute the Confidential Information except as expressly permitted in this Agreement or the Order. Each party shall take every reasonable precaution, but no less than those precautions used to protect its own Confidential Information, to prevent the theft, disclosure, and the unauthorized copying, reproduction or distribution of the Confidential Information.
- Non-Disclosure. Each party agrees at all times to keep strictly confidential all Confidential Information belonging to the other party. Each party agrees to restrict access to the other party’s Confidential Information only to those employees or Subcontractors who (i) require access in the course of their assigned duties and responsibilities, and (ii) have agreed in writing to be bound by provisions no less restrictive than those set forth in this Section.
- Injunctive Relief. Each party acknowledges that any unauthorized disclosure or use of the Confidential Information would cause the other party imminent irreparable injury and that such party shall be entitled to, in addition to any other remedies available at law or in equity, temporary, preliminary, and permanent injunctive relief in the event the other party does not fulfill its obligations under this Section.
- Rights to Professional Services Deliverables. Subject to Customer’s full payment for Deliverables, subject to any restrictions contained in the applicable Statement of Work, Iodine hereby grants to Customer, at no additional charge, an internal, worldwide, nonexclusive, nontransferable license to the object code version of the Deliverables to use and exploit the Deliverables solely in connection with the Software.
- Suggestions/Improvements. Notwithstanding this Section, unless otherwise expressly agreed in writing, all suggestions, solutions, improvements, corrections, and other contributions provided by Customer regarding the Software or other Iodine materials provided to Customer shall be owned by Iodine, and Customer hereby agrees to assign any such rights to Iodine. Nothing in this Agreement shall preclude Iodine from using in any manner or for any purpose it deems necessary, the know-how, techniques, or procedures acquired or used by Iodine in the performance of services hereunder.
- Data Use. Iodine may aggregate de-identified Customer data with the data of other Iodine customers and analyze patient-identity-free clinical information and user behavior data for the benefit of a covered entity’s health care operations including use of aggregate data to (i) help develop new features of the Software; (ii) recommend areas for examination or improvement; (iii) train algorithms; and (iv) analyze, compare, and benchmark customer data, provided all PHI used as described in this Section must be de-identified in accordance with the requirements of HIPAA. No Customer data shall be shared or otherwise disclosed by Iodine unless all patient and Customer-specific identifiers have been removed therefrom. To the extent that use of Customer data gathered by Iodine would require a license, Customer hereby automatically and forever grants such license to Iodine.
- Access to Data. The Software provides Customer with controls that Customer may use to retrieve Customer reports or data prior to the termination of the Agreement. Customer’s access to the Software or Services may be restricted during a suspension or following a termination of any Order, SOW, or the Agreement. Customer is responsible for retrieving a copy of Customer reports or data prior to the termination of the Agreement. Customer data may be maintained on backup media and will be destroyed in accordance with Iodine’s retention and disposal process.
WARRANTY
- Authorized Representative. Customer and Iodine warrant that each has the right to enter into this Agreement and the Order and that the Order executed shall be executed by an authorized representative of each entity.
- Product Warranty. Iodine warrants that for a period of ninety (90) days from availability of the Software, the Software will perform in material compliance with all product descriptions set forth in the applicable Order (“Documentation”). Customer’s sole remedy for noncompliance with the warranty in this Section shall be Iodine’s obligation to cure such noncompliance. Iodine will promptly repair any material defects that prevent the Software from complying with the Documentation as Customer’s sole remedy with respect to any and all warranty claims related to the Software under this Agreement.
- Disclaimer of Professional Services Warranties. The Services are provided “AS IS” without warranties of any kind. IODINE MAKES NO WARRANTY OF ANY KIND WHATSOEVER, WHETHER EXPRESSED OR IMPLIED, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NONINFRINGEMENT.
- Disclaimer of Warranties. EXCEPT AS OTHERWISE STATED IN THIS AGREEMENT, IODINE MAKES NO OTHER WARRANTIES, EXPRESS OR IMPLIED, INCLUDING EXPRESS OR IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NONINFRINGEMENT.
- Customer Acknowledgement. In no event and under no circumstances will Iodine be responsible in any manner for the healthcare services provided by Customer or any of Customer’s physicians or other healthcare providers that in any way utilize the Software. Customer and its physicians and other healthcare providers will be solely responsible for care provided to patients. Customer acknowledges and agrees that the Software, Services, and Content (as defined in an Order), as applicable, are used by Customer and Authorized Users at Customer’s own risk and that Customer will be solely responsible for any damage arising from such use.
- User Responsibilities. Authorized Users are responsible for exercising their judgment and ensuring they act in a manner compliant with Customer’s policies and all applicable federal and state laws and regulations including, but not limited to, all authorities governing the coding and submission of claims for reimbursement to Medicare, Medicaid, and other government health care programs. Iodine does not provide medical advice of any kind.
LIMITATION OF LIABILITY AND INDEMNIFICATION
- Liability Cap. IN NO EVENT SHALL IODINE, IODINE’S THIRD PARTY LICENSORS OR SUBCONTRACTORS BE LIABLE UNDER ANY THEORY OF LIABILITY, WHETHER IN AN EQUITABLE, LEGAL, OR COMMON LAW ACTION ARISING HEREUNDER FOR CONTRACT, STRICT LIABILITY, INDEMNITY, TORT (INCLUDING NEGLIGENCE), OR OTHERWISE, FOR DAMAGES WHICH, IN THE AGGREGATE, EXCEED THE AMOUNT OF THE FEES PAID BY CUSTOMER FOR THE SOFTWARE OR SERVICES WHICH GAVE RISE TO SUCH DAMAGES IN THE ONE (1) YEAR PERIOD PRIOR TO SUCH CLAIM AND NOTWITHSTANDING THE FAILURE OF ESSENTIAL PURPOSE OF ANY REMEDY.
- Professional Services Limitation of Liability. IN NO EVENT SHALL IODINE BE LIABLE ON ANY THEORY OF LIABILITY FOR DAMAGES WHICH, IN THE AGGREGATE, EXCEED THE GREATER OF $1,000 OR THE AMOUNT OF CHARGES PAID BY CUSTOMER UNDER THE STATEMENT OF WORK THAT GAVE RISE TO THE DAMAGES AND NOTWITHSTANDING THE FAILURE OF ESSENTIAL PURPOSE OF ANY REMEDY.
- Disclaimer of Damages. IN NO EVENT SHALL IODINE, IODINE’S THIRD PARTY LICENSORS OR SUBCONTRACTORS BE LIABLE UNDER ANY THEORY OF LIABILITY, WHETHER IN AN EQUITABLE, LEGAL, OR COMMON LAW ACTION ARISING HEREUNDER FOR CONTRACT, STRICT LIABILITY, INDEMNITY, TORT (INCLUDING NEGLIGENCE), OR OTHERWISE, FOR ANY SPECIAL, INCIDENTAL, INDIRECT, EXEMPLARY, PUNITIVE, OR CONSEQUENTIAL DAMAGES OF ANY KIND AND HOWEVER CAUSED INCLUDING, BUT NOT LIMITED TO, BUSINESS INTERRUPTION OR LOSS OF PROFITS, BUSINESS OPPORTUNITIES, OR GOODWILL ARISING HEREUNDER EVEN IF NOTIFIED OF THE POSSIBILITY OF SUCH DAMAGE, AND NOTWITHSTANDING THE FAILURE OF ESSENTIAL PURPOSE OF ANY REMEDY.
- Healthcare Disclaimer. IN NO EVENT AND UNDER NO CIRCUMSTANCES WILL IODINE BE RESPONSIBLE IN ANY MANNER FOR THE HEALTHCARE SERVICES PROVIDED BY CUSTOMER OR ANY OF CUSTOMER’S PHYSICIANS OR OTHER HEALTHCARE PROVIDERS THAT IN ANY WAY UTILIZE THE SOFTWARE OR SERVICES. CUSTOMER AND ITS PHYSICIANS AND OTHER HEALTHCARE PROVIDERS WILL BE SOLELY RESPONSIBLE FOR CARE PROVIDED TO PATIENTS. CUSTOMER ACKNOWLEDGES AND AGREES THAT THE SOFTWARE, SERVICES, AND CONTENT, AS APPLICABLE, ARE USED BY CUSTOMER AND END USERS AT CUSTOMER’S OWN RISK AND THAT CUSTOMER WILL BE SOLELY RESPONSIBLE FOR ANY DAMAGE ARISING FROM SUCH USE.
- Iodine Indemnification. Iodine will defend, indemnify and hold Customer, its parent and affiliates, and their respective officers, directors, employees, equity holders, agents, successors, and assigns harmless from any third party claim that the Software, as delivered by Iodine to Customer, infringes a United States patent, copyright, or trade secret of a third party. Iodine will pay those costs and damages finally awarded against Customer pursuant to any such claim or paid in settlement of any such claim if such settlement was approved in advance by Iodine. Customer may retain its own counsel at Customer’s own expense. Iodine shall have no liability for any claim of infringement based on (i) Software which has been modified by parties other than Iodine; (ii) use of the Software in conjunction with data where use with such data gave rise to the infringement claim; or (iii) use of the Software with non-Iodine software or hardware, where use with such other software or hardware gave rise to the infringement claim. Should the Software become, or in Iodine’s opinion is likely to become, the subject of a claim of infringement that is subject to indemnification, Iodine may, at its option, (i) obtain the right for Customer to continue using the Software; (ii) replace or modify the Software so it is no longer infringing or reduces the likelihood that it will be determined to be infringing; or (iii) if neither of the foregoing options is commercially reasonable, terminate the right to use the Software. Upon such termination, Iodine will refund to Customer, as Customer’s sole remedy for such terminated access, all prepaid fees paid by Customer for the terminated Software. This Section states the entire liability of Iodine with respect to any claim of infringement regarding the Software.
- Customer Indemnification. Customer will defend, indemnify and hold Iodine, its parent and affiliates, and their respective officers, directors, employees, equity holders, agents, successors, and assigns harmless from any third party claim arising out of (i) Customer’s requirements to comply with Medicare, Medicaid, or other payer regulations or other failure to comply with applicable law, including but not limited to, the False Claims Act, or otherwise arising from the actions or inactions of the Customer or Customer’s employees, physicians, contractors or affiliates; (ii) Customer’s provisioning of healthcare services; or (iii) Customer’s use of Content.
- Indemnification Procedure. The indemnifying party shall have no liability unless: (i) the indemnified party notifies the indemnifying party in writing promptly after the indemnified party becomes aware of a claim or the possibility thereof; and (ii) the indemnifying party has sole control of the settlement, compromise, negotiation, and defense of any such action; and (iii) the indemnified party cooperates, in good faith, in the defense of any such legal action.
TERM AND TERMINATION
- Termination. This Agreement and any Order may be terminated by either party: (i) on thirty (30) days written notice to the other party if the other party fails to perform any other material obligation required of it hereunder, and such failure is not cured within such thirty (30) day period; or (ii) if the other party files a petition for bankruptcy or insolvency, has an involuntary petition filed against it, commences an action providing for relief under bankruptcy laws, files for the appointment of a receiver, or is adjudicated a bankrupt concern.
- Termination of Licenses. Upon termination of this Agreement, any Order or any license hereunder, Customer’s rights to the affected Software, Iodine Confidential Information, and other Iodine materials (collectively “Materials”) shall cease. Customer shall immediately stop using such Materials and shall return such Materials to Iodine or destroy all copies thereof. In addition, Customer shall provide Iodine with written certification signed by an officer of Customer, that all copies of the Materials have been returned or destroyed and that no copies have been retained by Customer for any purpose whatsoever. Following termination, any use of the Materials by Customer shall be an infringement and/or misappropriation of Iodine’s proprietary rights in the Materials. Upon termination of this Agreement or any Order by Customer, Iodine shall have no further obligation or liability hereunder and all fees due under this Agreement or an Order shall become due and payable to Iodine immediately upon such termination.
- Other Remedies. Termination of this Agreement, an Order, or any license shall not limit either party from pursuing other remedies available to it, including injunctive relief, nor shall such termination relieve Customer’s obligation to pay all fees that have accrued or are otherwise owed by Customer under this Agreement, any Order, or exhibit.
MISCELLANEOUS
- Compliance With Laws. Each party agrees to comply with all applicable laws, regulations, and ordinances relating to its performance under this Agreement and any Order including privacy/healthcare laws and import/export laws and regulations. As between the parties, Customer will be responsible for obtaining and giving all rights, consents, authorizations, permits, and notices required by applicable law to allow the Customer Data to be used by both parties in the manner permitted by this Agreement. The parties agree that this Agreement and any Order shall not be governed by the United Nations Convention on the International Sale of Goods or by UCITA, the application of which is expressly excluded. Contemporaneously with this Agreement the parties shall enter into a mutually agreed upon Business Associate Agreement which is hereby incorporated by reference.
- Assignment. Customer may not assign this Agreement or an Order or otherwise transfer any license whether by operation of law, change of control, or in any other manner, without the prior written consent of Iodine. In the event of Customer’s acquisition of, or merger with, a third party, Customer may continue to Use the Software and the licenses and rights of Customer under this Agreement or an Order shall apply to, and may be exercised only in connection with, the operations of Customer as they existed on the date prior to the acquisition or merger. Any assignment or transfer in violation of this Section shall be null and void.
- Survival. The provisions set forth in sections 1.5, 2, 4, 5, 5.3, 6.4, 7, 8.2, 8.3, and 9 of this Agreement shall survive termination or expiration of this Agreement or any Order and any applicable license hereunder.
- Notices. Any notice required under this Agreement, or an Order, shall be given in writing and shall be deemed effective upon delivery to the party to whom addressed. All notices shall be sent to the applicable address specified on the face page hereof or to such other address as the parties may designate in writing. Unless otherwise specified, all notices to Iodine shall be sent to the attention of the Contracts Manager. Any notice of material breach shall clearly define the breach including the specific contractual obligation that has been breached.
- Force Majeure. Iodine shall not be liable to Customer for any delay or failure of Iodine to perform its obligations hereunder if such delay or failure arises from any cause or causes beyond the reasonable control of Iodine. Such causes shall include, but are not limited to, acts of God, pandemic or epidemic, floods, fires, loss of electricity or other utilities, or delays by Customer in providing required resources or support or performing any other requirements hereunder.
- Conflict. In the event of a conflict between the terms and conditions of this Agreement, an Order, or an exhibit, the terms and conditions of the Order or exhibit shall prevail, in that order.
- Restricted Rights. Use of the Software by or for the United States Government is conditioned upon the Government agreeing that the Software is subject to Restricted Rights as provided under the provisions set forth in FAR 52.227-19. Customer shall be responsible for assuring that this provision is included in all agreements with the United States Government and that the Software, when delivered to the Government, is correctly marked as required by applicable Government regulations governing such Restricted Rights as of such delivery.
- Entire Agreement. This Agreement, any Order and any exhibits, shall constitute the entire agreement between the parties regarding the subject matter hereof and supersede all proposals and prior discussions and writings between the parties with respect thereto. Customer acknowledges and agrees that it is not relying on any statement or warranty not expressly provided herein with respect to the Software.
- Modifications. The parties agree that this Agreement or any Order cannot be altered, amended or modified, except by a writing signed by an authorized representative of each party.
- Headings. Headings are for reference purposes only, have no substantive effect, and shall not enter into the interpretation hereof.
- No Waiver. No failure or delay in enforcing any right or exercising any remedy will be deemed a waiver of any right or remedy.
- Severability and Reformation. Each provision of this Agreement and any Order is a separately enforceable provision. If any provision of this Agreement or an Order is determined to be or becomes unenforceable or illegal, such provision shall be reformed to the minimum extent necessary in order for this Agreement or an Order to remain in effect in accordance with its terms as modified by such reformation.
- Customer’s Facilities. To the extent required by Iodine, Customer will, upon request, promptly make available to Iodine certain of its facilities, computer resources, software programs, networks, personnel, and business information as are required to perform any service, or other obligation hereunder or pursuant to an Order.
- Ancillary Agreements. Customer agrees that no employees of Iodine shall be required to individually sign any agreement in order to perform any services hereunder or pursuant to an Order including, but not limited to, access agreements, security agreements, facilities agreements or individual confidentiality agreements.
- Independent Contractor. Iodine is an independent contractor and nothing in this Agreement or an Order shall be deemed to make Iodine an agent, employee, partner or joint venturer of Customer. Iodine shall have no authority to bind, commit, or otherwise obligate Customer in any manner whatsoever.
- Choice of Law. This Agreement and any Order shall be governed and interpreted by the laws of the state of Texas without regard to the conflicts of law provisions of any state or jurisdiction.
- Dispute Resolution. Any dispute or claim relating to or arising out of the Agreement shall be submitted to binding arbitration. Class action lawsuits, classwide arbitration, private attorney-general actions, requests for public injunctions, and other proceedings or requests for relief where someone acts in a representative capacity are not allowed. Nor is combining individual proceedings without the consent of all parties. The arbitration shall be conducted in the state and county of the initial defending party’s principal place of business in accordance with the Commercial Rules of the AAA in effect at the time the dispute or claim arose. The arbitration shall be conducted by one arbitrator from AAA or a comparable arbitration service. In a dispute involving $25,000 or less, any hearing will be telephonic or by videoconference unless the arbitrator finds good cause to hold an in-person hearing instead. The arbitrator shall issue a reasoned award with findings of fact and conclusions of law. Either party may bring an action in any court of competent jurisdiction to compel arbitration under the Agreement, or to enforce an arbitration award. Neither party nor an arbitrator may disclose the existence, content or results of any arbitration under the Agreement without the prior written consent of both parties. Either party shall be permitted to appeal the final award under the AAA’s Optional Appellate Arbitration Rules in effect at the time the dispute or claim arose. Grounds for vacating the award shall include, in addition to those enumerated under the Federal Arbitration Act, 9 U.S.C. sec. 1, et seq., that the arbitrator committed errors of law that are material and prejudicial. The appeal shall be determined upon the written documents submitted by the parties, with no oral argument. After the appellate rights described in this section have been exercised or waived, the parties shall have no further right to challenge the award.
Security and Hosting Exhibit
Iodine Security Protocols and Policies
- Written Security Program. Iodine has developed and will maintain a comprehensive written security program (“WSP”) that is consistent with generally recognized industry standards and practices that reflects the size and type of Iodine’s business, the types of products and services produced or sold by Iodine, and the requirements of applicable data protection laws. The WSP contains administrative, technical, and physical safeguards for the security and confidentiality of Customer’s systems and data in connection with the products and services of Iodine.
- Ongoing Risk Assessments. Without limiting the generality of the foregoing, Iodine’s WSP shall provide for regular assessments of reasonably foreseeable risks to the security of Customer Data (as defined below) and Iodine’s systems and networks. Such assessments shall involve (1) identification and assessment of internal and external threats that could result in unauthorized disclosure, alteration or destruction of Customer Data and such systems; (2) review of the sufficiency of Iodine’s administrative, technical and physical controls to mitigate the risks presented by such threats; and (3) establishment of appropriate steps for remediation of identified vulnerabilities in Iodine controls.
- Iodine Security Controls. To the extent Iodine is responsible for accessing, creating, receiving, storing, processing, or transmitting Customer data in connection with its products and services (“Customer Data”), Iodine agrees to maintain the following security controls:
- Network Security. Iodine will maintain network security controls designed to protect, detect and respond to network threats to Customer Data and Iodine systems, to include appropriate use of firewalls, intrusion detection/prevention, antimalware, and the application of patches, fixes and updates in accordance with generally recognized industry standards to operating systems, infrastructure components and applications as provided or maintained by Iodine.
- Access and Authorization. Iodine will maintain identity and access controls for its personnel designed around the principles of minimum necessary use, role-based access, and segregation of duties. Iodine will apply controls designed to protect access credentials in its possession. Iodine will require multi-factor authentication to access its networks or systems that host Customer Data.
- Backup and Recovery. Iodine will maintain a backup and recovery plan and procedure which is appropriate for the types of products and services provided by Iodine and shall target a Recovery Time Objective of 48 hours and Recovery Point Objective of 24 hours.
- Encryption. Iodine shall encrypt any and all Customer Data in its possession and/or control at rest or transiting public networks (such as the Internet) using industry-standard encryption ciphers such as those consistent with FIPS 140-2. Cryptographic keys will be stored separately from the media they secure.
- Training. Iodine will maintain an ongoing information security training and awareness program for Company personnel.
- Vendors. Iodine will maintain a third-party risk management program designed to identify and mitigate risks associated with Iodine’s third-party vendors.
- Incident Response. Iodine will maintain an incident response program designed to monitor for and respond to information security incidents which may adversely impact Iodine’s environment, the products and services of Iodine, and/or Customer Data.
- Vulnerability Management. Iodine will maintain formal processes designed to receive, analyze and respond to vulnerabilities disclosed by internal and external sources (e.g. internal testing, security bulletins, or security researchers) regarding Iodine products and services.
Iodine Product and Service Security
- Secure Development Life Cycle. Iodine has established and implemented generally recognized industry standard security controls and processes that are adhered to during Iodine product development activities (“Development Security Standards”), such security standards being designed to address potential threats to the development environment, security incidents, product vulnerability to unauthorized access, loss of functions, and viruses. Iodine’s Development Security Standards contain testing processes and tools designed to ensure the security of the products and services.
- Illicit Code. Iodine employs static and dynamic testing and other commercially reasonable measures to minimize the risk that software developed by Iodine contains Illicit Code. “Illicit Code” is defined as any harmful or hidden programs or data incorporated therein that destroys, impairs, or maliciously appropriates the Iodine system, software and/or Customer Data, thereby inhibiting or preventing Customer from using the system as authorized. If Illicit Code is found, Iodine shall use commercially reasonable efforts to correct the software and cooperate with Customer to reduce the effects of the Illicit Code. The foregoing is the sole and exclusive remedy for Illicit Code in violation of this section.
- Code Vulnerabilities. Iodine shall as appropriate review Iodine software to ensure it is free from vulnerabilities described in The Open Web Application Security Project’s (OWASP) “Top Ten Project” – see http://www.owasp.org.
- Product Logging. Iodine products or services supplied to Customer where Customer Data is processed or stored have the capability to produce system and/or security logs in a standard exportable format.
- Product Security Vulnerability Disclosure. In the event Iodine identifies or validates the existence of a real or potential critical or high security vulnerability that is not addressed in accordance with generally recognized industry standard timeframes, Iodine shall provide prompt written notification to Customer of such vulnerability.
Data Security
- Data Access. Except as set forth in the Agreement, required by law, or with Customer’s prior written consent, Iodine shall not at any time during or after the term of the Agreement disclose Customer Data to any person, other than Authorized Persons and Customer personnel in connection with the performance of the services. If such disclosure is required by law, Iodine shall notify Customer prior to such disclosure, unless such notification is prohibited by law. “Authorized Persons” means Iodine’s employees, contractors, sub-processors or business associates who have a need for such access in order to perform services set forth in the Agreement.
- Destruction of PHI. Upon termination of the Agreement, Iodine shall erase, destroy, and render unrecoverable all PHI in the products and services of Iodine and certify in writing that these actions have been completed within thirty (30) days of a written request from Customer. If erasure, destruction, or rendering of PHI unrecoverable is not feasible, Iodine shall extend the information security protections set forth in this Exhibit to such data for so long as Iodine maintains such PHI.
Security Incident and Breach Notification
Iodine agrees to notify Customer without unreasonable delay, but in no event later than five (5) days from the time of discovery of (i) a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Data; or (ii) any other event requiring breach notification under applicable data protection law (each an “Incident”). Iodine shall investigate the Incident and reasonably cooperate with Customer in providing all information necessary to enable Customer to fulfill its obligations under applicable laws.
Customer Responsibilities
Customer shall be solely responsible for establishing the applicable safeguards and associated policies for protecting Customer information in its facilities or on its systems. Customer shall follow all data security instructions communicated by Iodine in connection with the Iodine products and services. Customer has sole responsibility for the security of (i) Customer passwords and (ii) Customer facilities, systems, computers and data centers. Customer shall follow all reasonable data security instructions communicated by Iodine in connection with the Iodine products and services. Iodine products and services are not a backup of Customer data and Iodine is not responsible for any damages from Customer’s failure to back up or inability to timely restore Customer systems and data.
Notification
Where Iodine is required to provide notification to Customer under this Exhibit, such notification shall be provided in
accordance with the Agreement and with email notification to the following email addresses:
Customer Information Security Contact:
Customer Privacy Contact:
For the purposes of this Exhibit, a required timeframe for notice shall be met by the earlier of (a) notification in accordance with the
Agreement; or (b) transmission of email notification to at least one of the contacts above.