Issuetrak Cloud-Based Application Agreement

BY SIGNING ISSUETRAK’S QUOTE, INDICATING YOUR ACCEPTANCE OF THE QUOTE BY EMAIL, OR USING THE SERVICE AFTER RECEIVING THE QUOTE, ISSUETRAK AND YOU AGREE TO THE FOLLOWING:

CAREFULLY READ THE TERMS OF THIS AGREEMENT AND THE TERMS OF YOUR QUOTE. DO NOT ACCESS OR USE THE SERVICE UNTIL YOU HAVE READ AND AGREED TO THE TERMS. THIS AGREEMENT IS LEGALLY BINDING. ACCESSING OR USING THE SERVICE CONSTITUTES YOUR AGREEMENT TO BE BOUND BY THE TERMS OF THIS AGREEMENT. BY CLICKING “ACCEPT” OR OTHERWISE ACCESSING OR USING THE SERVICES, YOU AGREE TO BE BOUND BY THE TERMS OF THIS AGREEMENT, INCLUDING ALL APPLICABLE ATTACHMENTS. IF YOU DO NOT AGREE, DO NOT CLICK “ACCEPT” AND DO NOT ACCESS OR USE THE SERVICE OR OTHER MATERIALS.

  1. Background. Issuetrak, Inc. (“Issuetrak”) provides a cloud-based service identified in the quote that allows you to report on and monitor the resolution of issues related to your business (the “Service”). This Agreement governs access to and use of the Service.

  2. Quote. The terms of the quote you accepted for the Service (the “Quote”) are incorporated into this Agreement by this reference.

  3. Definitions. Capitalized terms used in this Agreement have the meanings indicated in this Agreement or in the attachments, schedules or exhibits to this Agreement.

  4. Rights Granted. Subject to and conditioned upon your payment of the Fees and compliance with all terms of this Agreement, Issuetrak grants to you a non-exclusive, non-assignable and terminable (a) right for you and your employees, consultants, contractors, agents and customers who are authorized by you to access and use the Service (each, a “User”) to access and use the Service in accordance with the terms and conditions herein, and (b) license to use Issuetrak’s user manuals, handbooks, and guides relating to the Service provided by Issuetrak to you either electronically or in hard copy form (the “Documentation”) during the Term solely for your internal business purposes in connection with your use of the Services.

  5. Rights Not Granted. Issuetrak retains all rights not expressly granted to you in this Agreement. Except as expressly set forth in this Agreement, nothing in this Agreement grants, by implication, waiver, estoppel or otherwise, to you or any third party any intellectual property rights or other right, title or interest in or to the Service, Documentation, or intellectual property provided to you or any User in connection with the foregoing (collectively, “Issuetrak IP”).

  6. Use Restrictions. You shall not (and shall not authorize or permit others to): (a) use the Service to send any unsolicited or unauthorized advertising, promotional materials, junk mail, spam, chain letters, pyramid schemes, or other form of duplicative messages, whether commercial or otherwise; (b) use the Service to transmit unlawful, harassing, libelous, abusive, threatening, vulgar, or otherwise legally objectionable material; (c) copy, modify, or create derivative works of the Services or Documentation, in whole or in part; (d) rent, lease, lend, sell, license, sublicense, assign, distribute, publish, transfer, or otherwise make available the Services or Documentation; (e) reverse engineer, disassemble, decompile, decode, adapt, or otherwise attempt to derive or gain access to any software component of the Services, in whole or in part; (f) remove any proprietary notices from the Services or Documentation; (g) use the Services or Documentation in any manner or for any purpose that infringes, misappropriates, or otherwise violates any contract, proprietary rights, intellectual property or other rights of any person, or that violates applicable law; or (h) interfere with another’s authorized use of the Service.

  7. Your Representations and Obligations.

    1. System Requirements. Issuetrak’s website (www.issuetrak.com/system-requirements/) describes the minimum system requirements for accessing and using the Service. You are responsible for obtaining and maintaining the internet connection and computer hardware and software you need to access and use the Service.

    2. Point of Contact. You must designate to Issuetrak and retain (or replace) a point of contact who has the authority to make decisions related to the access and use of the Service on your behalf.

    3. Your Responsibility for Your Users, Agents, Point of Contact, and Customers. You are solely responsible and liable for access to and uses of the Service and Documentation resulting from access provided by you, directly or indirectly, whether such access or use is permitted by or in violation of this Agreement. Without limiting the foregoing, you are responsible and liable for all acts and omissions of Users, Agents, consultants, and customers. A breach of this Agreement by any one of those individuals will be a breach by you of this Agreement. You also are responsible and liable for any unauthorized party who accesses and uses the Service or Documentation using the credentials, usernames, or passwords of any of such individuals. For purposes of this Agreement, an “Agent” is a User of the Service that holds advanced permissions (can assign an issue, be assigned an issue, submit on behalf of other Users, access and/or maintain administration functions, assign next actions, be assigned next actions, and/or be designated as a system administrator within the Service). A fee is charged for each Agent.

    4. Collection of Usage Data. You consent to Issuetrak monitoring your use of the Service and collecting and compiling data and information relating to your use of the Service, including but not limited to User types, number and types of issues submitted, and number and size of attachments (collectively, the “Usage Data”). Usage Data will belong to us and is our Confidential Information. We have the right to use such Usage Data for statistical and analytical purposes, to improve the Service, and for such other purposes as we determine.

    5. Compliance with Laws. You are solely responsible and liable for access to and use of the Service in compliance with all applicable local, state, national and foreign laws and regulations, including without limitation the Gramm-Leach-Bliley Act, the Sarbanes-Oxley Act, the Health Insurance Portability and Accountability Act, and any applicable U.S. Export Administration Regulations.

  8. Issuetrak Representations and Obligations.

    1. Availability. Subject to the terms and conditions of this Agreement, Issuetrak will use commercially reasonable efforts to make the Service available as described in Attachment A.

    2. Data Access. Issuetrak may access and use any information, data and other content, in any form or medium, that is submitted, posted or otherwise transmitted by or on your behalf or an Agent or User through the Service (“Your Data”), to the extent necessary to provide the Service, including, without limitation, in response to your service and support requests.

    3. Data Storage Allocation Limits. The Service includes an allocation of up to 20 gigabytes (20 GB) of data storage. If you exceed this level of data storage, Issuetrak reserves the right to charge an additional fee to you.

  9. Fees.

    1. Fees. You shall pay Issuetrak the fees as set forth in the Quote and in each invoice (collectively, the “Fees”) without offset or deduction. All Fees and other amounts payable by you under this Agreement are exclusive of taxes and similar assessments. You are solely responsible for all sales, use and excise taxes, and other similar taxes, duties and charges of any kind imposed by any federal, state, local, or foreign government or regulatory authority on any amounts payable hereunder, other than taxes imposed on Issuetrak’s income.

    2. Payment. You shall make all payments hereunder in U.S. dollars on or before the date due to Issuetrak at 200 Golden Oak Court, Suite 470, Virginia Beach, VA 23452 or at such other address as Issuetrak may designate in writing. All Fees and other amounts will be due by the date(s) specified on the relevant invoice(s). Without limiting our other rights or remedies, you shall pay to Issuetrak a late-payment charge at a rate of one and one-half percent (1.5%) per month or the highest rate allowed by applicable law, whichever is less, for any amounts not paid when due. Your failure to make a payment when due is a material breach of this Agreement. In addition to any other remedies it may have, Issuetrak may suspend or terminate your access to and use of the Service until such amounts are paid in full.

    3. Price Increases. Issuetrak reserves the right to increase any Fee on the anniversary of the Effective Date. Issuetrak will give you at least thirty (30) days’ prior notice of a Fee increase. In addition, if you increase the number of authorized Agents, Issuetrak will invoice you for, and you shall pay, the increase in Fees associated with that change.

  10. Title; Confidentiality; Security.

    1. Title. Issuetrak retains all right, title, interest, including all intellectual property rights, in and to the Issuetrak IP, all applications thereof, and all documentation.

    2. Confidentiality. From time to time during the term of the Agreement, Issuetrak and you may each disclose or make available to the other information about its business affairs, products, confidential intellectual property, trade secrets, third-party confidential information, and other sensitive or proprietary information, whether orally or in written, electronic or other form or media, whether or not marked, designated or otherwise identified as “confidential” (collectively, “Confidential Information”). In no way limiting the foregoing, for purposes of Issuetrak, “Confidential Information” also includes the Issuetrak IP. Confidential Information does not include information that, at the time of disclosure is: (i) in the public domain other than by the receiving party’s noncompliance with this Agreement; (ii) known to the receiving party at the time of disclosure; (iii) rightfully obtained by the receiving party on a non-confidential basis from a third party; or (iv) independently developed by the receiving party without reference to or use of the disclosing party’s Confidential Information. The receiving party shall not disclose the disclosing party’s Confidential Information to any person or entity, except to the receiving party’s employees, agents or consultants who have a need to know the Confidential Information for the receiving party to exercise its rights or perform its obligations under this Agreement. The receiving party shall hold the disclosing party’s Confidential Information in confidence, using at least the same degree of care it uses to protect the confidentiality of its own Confidential Information. 
Notwithstanding the foregoing, each party may disclose the Confidential Information of the other party to the limited extent required (1) in order to comply with the order of a court or other governmental body, or as otherwise necessary to comply with applicable law, provided that the receiving party making the disclosure pursuant thereto shall first have given written notice to the disclosing party and made a reasonable effort to obtain a protective order; or (2) to establish a party’s rights under this Agreement, including to make required court filings. On the expiration or termination of this Agreement, the receiving party shall promptly return to the disclosing party all copies, whether in written, electronic or other form or media, of the disclosing party’s Confidential Information, or destroy all such copies and certify in writing to the disclosing party that such Confidential Information has been destroyed.

    3. Equitable Relief. Each party acknowledges and agrees that any use or disclosure of the other’s Confidential Information, other than as contemplated under this Agreement, may result in irreparable injury and damage to the other party. Accordingly, each party agrees that, in the event it uses or discloses the other’s Confidential Information other than as permitted by this Agreement, the other party, in addition to other remedies it may have, will be entitled to seek equitable relief, without any obligation to post bond or security.

    4. Duration of Confidentiality Obligation. The confidentiality obligations of each party set forth in this Section 10 will survive expiration or termination of this Agreement.

    5. Security. Issuetrak’s website (www.issuetrak.com/security/) describes the security Issuetrak provides for the Service. ISSUETRAK IS NOT RESPONSIBLE FOR THE SECURITY OF FACILITIES, EQUIPMENT, DATA, OR SOFTWARE NOT UNDER ITS DIRECT CONTROL.

  11. Service Operation.

    1. Backup. Issuetrak’s website (www.issuetrak.com/security/) describes the backup Issuetrak provides for the Service.

    2. Restoration. Database backups are available for thirty (30) days after creation. In the event of a hardware failure of the server on which the Service is hosted, Issuetrak will restore the most recent available backup of the Service and customer data to a comparable server in a comparable facility at no additional charge to you.

    3. Test Site. You may request Issuetrak to create one (1) test site in the form of a clean installation or as a copy of your existing production site. This allows you to test alternative or new configurations without impacting your production site. Issuetrak may provide a test site with certain features disabled by default. Although you may have the ability to enable them, certain features will not work, and you should not use them, in the test site. Those features include, but are not limited to, Outgoing Email, Incoming Email, Escalation Rules, SLAs, Recurring Issues, and Scheduled Reports. Certain other features, including but not limited to, Issue Attachments and KB Attachments, will not be accessible from the test site. Copied sites will have all audit history truncated unless directly requested for explicit testing. Issuetrak may remove the test site if it is not used for a period of greater than one (1) year. You should not use the test site as an active site and you should not rely on the test site as a backup. Test sites are provided as is and do not have SLAs or warranties.

    4. Audit History and Log Retention. Issuetrak may review excess usage patterns and, at Issuetrak’s sole discretion, truncate, archive or delete asset audit history, or other excessive logging that exceeds one (1) year. You may request an exception for compliance reporting requirements.

    5. Hosted Incoming Email Mailbox. Issuetrak will provide, upon request, a hosted mailbox(es) with its strategic mail partner(s) to provide incoming email processing within Issuetrak for an additional fee. Hosted mailboxes provided by Issuetrak are made available to you subject to this Agreement.

      1. Filtering. Issuetrak’s strategic mail partner provides certain services designed to filter unwanted incoming email, such as spam, phishing scams, and email infected with viruses. You acknowledge that the technological limitations of the filtering service will likely result in the capture of some legitimate email, and the failure to capture some unwanted or malicious email. The filtering service is provided “AS IS” with no warranties. You release Issuetrak and its employees, agents, suppliers, and affiliates from any liability or damages arising from the failure of filtering services to capture unwanted email or from the capture of legitimate mail, or any data loss thereof.

      2. Retention. You must configure your hosted mailboxes with “Delete Messages After Processing” enabled. In addition, hosted mailboxes provided by Issuetrak will be configured to automatically delete any messages older than thirty (30) days. Issuetrak will not recover deleted email or provide any recovery services. Mailboxes will only maintain mail in between processing intervals.

      3. Mail Processing. Issuetrak will provide automatic incoming email processing with ten (10) minute intervals.

      4. Security. Issuetrak will maintain commercially reasonable administrative, physical and technical safeguards to protect the security, confidentiality and integrity of mail data, including, but not limited to, encryption of data in transmission (TLS). The Service will support the following mail protocols: POP3, POP3 (SSL), IMAP and IMAP (SSL).

  12. Term and Termination.

    1. Your Early Termination Rights. If you are not satisfied with the Service, you may, within fifteen (15) days after the Effective Date, notify Issuetrak in writing of your dissatisfaction and your election to terminate the Agreement pursuant to this Section 12(a). Upon issuance of such notice to Issuetrak, you will immediately cease all access to and use of the Service and Documentation and comply with the provisions of Section 10 with respect to the return of Confidential Information. Issuetrak will terminate your access and use of the Service upon receipt of your notice. Issuetrak will then return to you license and module fees paid by you for the Service, except any professional and/or data services charges, within a reasonable time after rescission.

    2. Term. The term of this Agreement (the “Term”) begins on the date you accept your Quote (the “Effective Date”) and continues for the initial term set forth in your Quote, or until terminated as provided in this Agreement. Unless either party delivers written notice to the other party at least thirty (30) days prior to the expiration of the then current Term, this Agreement will automatically renew at the end of such Term for additional one (1) term periods, provided that you are not in breach of the Agreement.

    3. Termination by Issuetrak. Issuetrak may terminate this Agreement, effective upon written notice to you, if you (i) fail to pay any amount when due hereunder and such failure continues for a period of fifteen (15) days after written notice thereof; or (ii) breach any of your obligations under Section 6 or Section 10(b).

    4. Termination by Either Party. Either party may terminate this Agreement, (i) effective upon written notice to the other party, if the other party materially breaches this Agreement and fails to cure the breach to the non-breaching party’s reasonable satisfaction within fifteen (15) days after the breaching party receives written notice describing the breach; or (ii) immediately, if the other party becomes insolvent or admits in writing its inability to pay its debts as they mature, or makes an assignment for the benefit of creditors; if a petition under any foreign, state, or United States bankruptcy act, receivership statute, or the like, as they now exist, or as they may be amended, is filed by the other party or if such a petition is filed by any third party; or an application for a receiver is made by anyone and such petition or application is not resolved favorably within ninety (90) days.

    5. Effect of Expiration or Termination. Upon expiration or termination of this Agreement, you shall immediately discontinue use of the Issuetrak IP, including, but not limited to the Service, and without limiting your obligations under Section 10, you shall delete, destroy, or return all copies of the Issuetrak IP and certify in writing to Issuetrak that the Issuetrak IP has been deleted or destroyed. No expiration or termination of this Agreement will affect your obligation to pay all Fees and other amounts that may have become due before such expiration or termination, or entitle you to any refund.

    6. Return of Customer Data. Issuetrak will maintain Your Data on its archive for a period of no more than ninety (90) days after expiration or termination of this Agreement. Within this retention time period, and upon receipt of a written request, Issuetrak will return to you, at no charge and in a format to be mutually agreed upon, all of Your Data contained within the Service.

  13. Limited Warranty; Disclaimer; Indemnification; Limitation of Liability.

    1. Limited Warranty. Issuetrak warrants that the Services will conform in all material respects to the service levels set forth on Attachment A when accessed and used in accordance with the Documentation. Issuetrak does not make any representations or guarantees regarding uptime or availability of the Service unless specifically identified in Attachment A. The remedies set forth in Attachment A are your sole remedies and Issuetrak’s sole liability under the limited warranty set forth in this Section 13(a).

    2. Disclaimer. EXCEPT FOR THE LIMITED WARRANTY SET FORTH IN SECTION 13(a) ABOVE, THE SERVICES ARE PROVIDED “AS IS” AND ISSUETRAK DISCLAIMS ALL WARRANTIES, WHETHER EXPRESS, IMPLIED, STATUTORY OR OTHERWISE, INCLUDING WITHOUT LIMITATION ALL IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NON-INFRINGEMENT, AND ALL WARRANTIES ARISING FROM COURSE OF DEALING, USAGE OR TRADE PRACTICE. EXCEPT FOR THE LIMITED WARRANTY SET FORTH IN SECTION 13(a) ABOVE, ISSUETRAK MAKES NO WARRANTY OF ANY KIND THAT THE SERVICES, OR ANY PRODUCTS OR RESULTS OF THE USE THEREOF, WILL MEET YOUR OR ANY OTHER PERSON’S REQUIREMENTS, BE COMPATIBLE OR WORK WITH ANY SOFTWARE, SYSTEM OR OTHER SERVICES, OR BE SECURE, ACCURATE, COMPLETE, FREE OF HARMFUL CODE, OR ERROR FREE. FURTHER, ISSUETRAK MAKES NO WARRANTY THAT THE SERVICE, OR YOUR USE THEREOF, WILL ENSURE THAT YOU ARE OR WILL BE IN COMPLIANCE WITH ANY APPLICABLE LAW OR REGULATION.

    3. Indemnification by Issuetrak. Subject to the limitations of liability in Section 13(f), below, Issuetrak will indemnify and hold you harmless from and against losses, damages, liabilities and costs (including reasonable attorney’s fees) (“Losses”) that you incur resulting from any third-party suit or proceeding (“Third Party Claims”) that allege that your use of the Service in accordance with this Agreement, infringes a third party’s U.S. intellectual property right that is a matter of public record as of the Effective Date. Issuetrak’s obligations under this Section 13(c) are conditioned upon you providing Issuetrak with (i) prompt written notice of the infringement claim, (ii) your full cooperation in the defense of the claim, and (iii) sole authority to control the defense and settlement of the claim. If such a claim is made or appears possible, you agree to permit Issuetrak, at Issuetrak’s sole discretion, to (A) modify or replace the Service, or component or part thereof, to make it non-infringing, or (B) obtain the right for you to continue to use the Service, or component or part thereof. If Issuetrak reasonably determines that neither alternative (A) nor (B) is reasonably available, Issuetrak may terminate this Agreement, in its entirety or with respect to the affected component or part, effective immediately on written notice to you. This Section 13(c) will not apply to the extent any alleged infringement arises from (1) use of the Service in combination with data, software, hardware, equipment or technology not provided by Issuetrak; (2) modifications to the Service not made by Issuetrak; or (3) Your Data.

    4. Indemnification by You. You will indemnify, hold harmless, and at Issuetrak’s option, defend Issuetrak from and against any Losses resulting from any Third Party Claims that (a) allege that any use of Your Data or information in connection with this Agreement, infringes or misappropriates such third party’s U.S. intellectual property right or (b) are based on your or any User’s (i) negligence or willful misconduct; (ii) use of the Service in a manner not authorized by this Agreement; (iii) use of the Service in combination with data, software, hardware, equipment or technology not provided by Issuetrak; or (iv) modifications to the Service not made by Issuetrak, provided that you may not settle any Third Party Claim against Issuetrak unless Issuetrak consents to such settlement, and further provided that Issuetrak will have the right, at its option, to defend itself against such Third Party Claim or to participate in the defense thereof by counsel of its own choice.

    5. Sole Remedy. SECTIONS 13(c) AND 13(d) SET FORTH YOUR SOLE REMEDIES AND ISSUETRAK’S SOLE LIABILITY AND OBLIGATION FOR ANY ACTUAL, THREATENED, OR ALLEGED CLAIMS THAT THE SERVICE INFRINGES, MISAPPROPRIATES, OR OTHERWISE VIOLATES ANY INTELLECTUAL PROPERTY RIGHTS OF ANY THIRD PARTY.

    6. Limitations of Liability. IN NO EVENT WILL ISSUETRAK BE LIABLE UNDER OR IN CONNECTION WITH THIS AGREEMENT UNDER ANY LEGAL OR EQUITABLE THEORY, INCLUDING BREACH OF CONTRACT, TORT (INCLUDING NEGLIGENCE), STRICT LIABILITY, AND OTHERWISE, FOR ANY: (a) CONSEQUENTIAL, INCIDENTAL, INDIRECT, EXEMPLARY, SPECIAL, ENHANCED, OR PUNITIVE DAMAGES; (b) INCREASED COSTS, DIMINUTION IN VALUE OR LOST BUSINESS, PRODUCTION, REVENUES, OR PROFITS; (c) LOSS OF GOODWILL OR REPUTATION; (d) USE, INABILITY TO USE, LOSS, INTERRUPTION, DELAY OR RECOVERY OF ANY DATA, OR BREACH OF DATA OR SYSTEM SECURITY; OR (e) COST OF REPLACEMENT GOODS OR SERVICES, IN EACH CASE REGARDLESS OF WHETHER ISSUETRAK WAS ADVISED OF THE POSSIBILITY OF SUCH LOSSES OR DAMAGES OR SUCH LOSSES OR DAMAGES WERE OTHERWISE FORESEEABLE. IN NO EVENT WILL ISSUETRAK'S AGGREGATE LIABILITY ARISING OUT OF OR RELATED TO THIS AGREEMENT UNDER ANY LEGAL OR EQUITABLE THEORY, INCLUDING BREACH OF CONTRACT, TORT (INCLUDING NEGLIGENCE), STRICT LIABILITY, AND OTHERWISE EXCEED THE AMOUNT OF FEES PAID BY YOU TO ISSUETRAK DURING THE TWELVE (12) MONTHS PRECEDING THE EVENT GIVING RISE TO THE CLAIM.

  14. General Provisions.

    1. Governing Law; Venue. This Agreement is governed by and interpreted in accordance with the laws of the Commonwealth of Virginia, without regard to its conflict of laws principles. You agree that any action to interpret or enforce this Agreement shall be instituted and maintained in a court having appropriate jurisdiction and located in Norfolk, Virginia.

    2. Entire Agreement; Headings. The term “Agreement” includes this Cloud Based Application Agreement, the Quote, any and all applicable Attachments, schedules and exhibits. This Agreement sets forth the parties’ entire agreement and understanding related to the subject matter hereof and merges all prior discussions between them. This Agreement’s captions and headings are intended solely for convenience and are not intended to explain, modify or restrict any of the terms or provisions of this Agreement.

    3. Modifications to Agreement. Issuetrak may, in its sole discretion, modify this Agreement upon each renewal of this Agreement. Issuetrak will provide you with notice of any such changes at least 45 days in advance of the effective date of the applicable renewal date. You can find the most recent version of these terms and conditions on the website https://issuetrak.com/terms-of-service.

    4. Notice. Notices must be in writing and deemed effective (i) upon delivery if given in person or by electronic mail or facsimile transmission, or (ii) the next business day after being sent if sent by internationally recognized overnight courier, in any case addressed to Issuetrak, as indicated on its website, and to you, as indicated on your invoice, unless you give Issuetrak notice of a different address.

    5. Force Majeure. The non-performance of either party (except payment of Fees and any other amounts due hereunder) will be excused to the extent performance is rendered impossible by terrorism, war, strike, fire, flood, governmental acts or orders or restrictions, failure of suppliers, denial of service attacks, or any other reason where failure to perform is beyond the control and not caused by the negligence or willful misconduct of the non-performing party.

    6. Binding Effect; Assignment; Non-Agency; No Third-Party Beneficiaries. This Agreement is binding upon the parties hereto, their successors, assigns, heirs and personal representatives. You may not assign your rights or duties under this Agreement to any other person(s) or entity(ies) without Issuetrak’s prior written consent, except in the context of reorganization, merger, consolidation, acquisition or other restructuring involving all or substantially all of the voting securities and/or assets of your business. Issuetrak is permitted to assign this Agreement without your consent. Nothing in this Agreement will be construed to make the parties partners, joint venturers, representatives or agents of one another, nor will either party so represent to any third person or entity. Nothing in this Agreement is intended to, or will, create any third-party beneficiaries, whether intended or incidental and neither party will make any representations to the contrary.

    7. Partial Invalidity; Waiver. If any provision of this Agreement is held to be invalid by an arbitrator or a court of competent jurisdiction, then the remaining provisions will remain in full force and effect, unless the Agreement would thereby fail of its essential purpose. A party’s failure in a given instance to enforce any of its rights or any of the other party’s obligations hereunder will not be construed or act as a waiver of enforcement of such right or obligation in any other instance.

    8. Legal Expenses. The substantially prevailing party in any arbitration or legal action brought by one party against the other under this Agreement will be entitled, in addition to any other rights and remedies it may have, to reimbursement for its reasonable costs and expenses, including court costs and reasonable fees and expenses of attorneys and other professionals.

    9. Counterparts. This Agreement may be executed in two (2) or more counterparts, each of which will be deemed an original and all of which together will constitute but one (1) instrument. A facsimile or digital signature will have the same legal effect as an original signature. A digital or PDF copy of this Agreement will have the same effect as an original.

    10. Attachments. This Agreement is supplemented by and subject to the terms and conditions of the following attachment(s), if applicable, which will govern in case of any conflict with the rest of the Agreement: (i) Attachment A: Service Level Terms and Conditions, (ii) Attachment B: Data Processing Addendum, (iii) Attachment C: Business Associate Addendum, and (iv) Attachment D: Chat Messaging Service Agreement. Attachments B, C and D are only applicable under certain circumstances.

    11. Survival. Rights and obligations created by this Agreement which are continuing in nature, including without limitation those rights and obligations described in Sections 6, 7(c), 7(d), 9, 10(a)-(d), 12(e), 12(f), 13(c)-(f), and 14 of the Agreement, will survive termination of this Agreement and remain in full force and effect.

ATTACHMENT A: SERVICE-LEVEL TERMS AND CONDITIONS

  1. Service Availability.

    1. Standard Hours for Service Availability. Subject to the terms and conditions of the Agreement, Issuetrak will use commercially reasonable efforts to make the Service available at least 99% of the time as measured over the course of each calendar month, excluding unavailability as a result of any of the exceptions set forth below (the “Availability Requirement”). For purposes of calculating the Availability Requirement, the following are “Exceptions” to the Availability Requirement, and neither the Service will be considered unavailable nor any service level failure will be deemed to occur in connection with any failure to meet the Availability Requirement or impaired ability of you or any User to access or use the Service that is due, in whole or in part, to any: (i) act or omission by you or any User, or access to or use of the Service by you or any User, or using you or any User’s access credentials, that does not strictly comply with this Agreement; (ii) your or a User’s Internet connectivity; (iii) force majeure event; (iv) failure, interruption, outage, or other problem with any software, hardware, system, network, facility, or other matter not supplied by Issuetrak pursuant to this Agreement; (v) Scheduled Downtime; (vi) Planned Service Outage; or (vii) disabling, suspension, or termination of the Service pursuant to the terms of the Agreement.

    2. Scheduled Downtime. Issuetrak may use the time periods commencing at 10:00 p.m. Eastern Time on Tuesday, Friday and Saturday and ending at 6:00 a.m. Eastern Time on the following day for hardware maintenance, repair, or replacement or maintenance, updates, upgrades, implementation of patches or fixes, or installation of new releases of the Service (“Scheduled Downtime”).

    3. Planned Service Outages. In the event that a major renovation or upgrade is required, a period of additional scheduled downtime (“Planned Service Outage”) may be scheduled outside of Scheduled Downtime hours. Issuetrak will use commercially reasonable efforts to give you at least forty-eight (48) hours’ notice of any Planned Service Outage.

    4. Rights of Issuetrak. Issuetrak may temporarily suspend access to and use of the Service: (i) during Scheduled Downtime and Planned Service Outages; (ii) during any unavailability caused by circumstances beyond Issuetrak’s reasonable control, including a force majeure event; or (iii) if Issuetrak suspects or detects any malicious data or misuse of the Service by you or your Users.

  2. Releases. Issuetrak may apply new releases to the Service. The three levels of Releases (Major, Minor, and Patch Releases) are identified by a release version number consisting of a sequence of three numbers separated by a dot (“.”). The first number in the sequence identifies a Major Release where dramatic or substantial changes to the product are included. The second number identifies a Minor Release when a few new features are included but are not substantial enough to be considered a Major Release. The third number in the sequence is a Patch Release which includes fixes to issues, but no new features.

  3. Service Level Fee Adjustments. In the event of a material failure of the Services to meet the Availability Requirement (“Service Level Failure”), Issuetrak will, upon request, issue you a credit in the amount of one day of the Monthly Fee for the Service due for the period in which the Service Level Failure occurred (“Service Credit”); provided that (a) Issuetrak has no obligation to issue a Service Credit unless (i) you report the Service Level Failure to Issuetrak immediately on becoming aware of it, and (ii) you request the Service Credit in writing within fifteen (15) days of the Service Level Failure; and (b) in no event will a Service Credit for any month exceed 100% of the total fees that would be payable for such month if no Service Level Failure had occurred. You acknowledge and agree that this Service Credit will be your only remedy, and Issuetrak’s sole obligation and liability, for a Service Level Failure.

  4. Support Requests. During the Term, Issuetrak will accept support requests related to the Service by telephone, electronic mail, or the Issuetrak Support site twenty-four (24) hours per day, seven (7) days a week. However, subject to the provisions set forth below, Issuetrak will provide technical support staff only during the hours of 8:00 a.m. and 8:00 p.m. Eastern Time, Monday through Friday, excluding U.S. Federal and/or company holidays. Issuetrak may employ a third-party answering service, as needed, when technical support staff is not available. Outside normal business hours, during the Term, Issuetrak will use reasonable efforts to provide technical support for any problem related to the Service that renders the Service unusable by you (an “Emergency”). Issuetrak will provide such after-hours Emergency support only by telephone and only to the extent that Issuetrak has technicians available. Issuetrak support staff will determine the severity of the Emergency in conjunction with you. Under Emergency conditions, Issuetrak may opt to follow the quickest path to resolution to restore services as quickly as reasonably possible, including, but not limited to, rolling back executed changes that inflicted the Emergency. Issuetrak may monitor and track all support-related requests and monitor and record all support-related telephone calls and electronic mail to, among other things, ensure accurate issue logs and to facilitate the creation of a “lessons-learned” database.

ATTACHMENT B: DATA PROCESSING ADDENDUM

This Data Processing Addendum (“Addendum”) forms part of the Cloud-Based Application Agreement (“Agreement”) between Issuetrak, Inc. (“Issuetrak”) and the Company referred to as “You” therein (“Client”) and applies only to the extent that (1) Client is subject to the Data Protection Laws, including the General Data Protection Regulation (“GDPR”) and the California Consumer Privacy Act of 2018 (“CCPA”); (2) Client is a Controller of Personal Data Processed by Issuetrak as that term is defined in the Data Protection Laws; and (3) Issuetrak is a Processor of such Personal Data as that term is defined in the Data Protection Laws. If all of the foregoing conditions are met, Client and Issuetrak agree as follows:

1. Definitions. The following definitions apply to this Addendum. Any capitalized terms not defined in this Addendum have the meaning ascribed to them in the Agreement.

(a) “Commercially Reasonable Efforts” means in respect of the party in question, taking such steps and performing them in such a way as that party would undertake to achieve a particular desired result for its own benefit, assuming such party was acting in a determined, prudent and reasonable manner and in the best interests of the other party.

(b) “Confidential Information” means any information that is received from or on behalf of a disclosing party and/or is obtained by a party or its personnel in connection with or arising out of this Agreement, including for the purposes of providing or receiving the Services that, if disclosed in tangible form, is marked confidential or if disclosed otherwise is confirmed in writing as being confidential or, whether disclosed in tangible form or otherwise, is manifestly confidential. Confidential Information includes this Agreement and the relationship between the parties but does not include Personal Data.

(c) “Data Protection Laws” means all data protection and privacy laws that apply to the Processing of Personal Data under this Addendum, including:

(i) all statutes, statutory instruments, regulations, by-laws, ordinances or subordinate legislation from time to time made or issued to which a party is subject;

(ii) the common law and the law of equity as applicable to the Parties;

(iii) any binding court order or judgment;

(iv) any applicable guidance, policy or standard which, in each case, is enforceable by law; and

(v) any applicable direction, policy, rule or order that is legally binding and that is issued by a Supervisory Authority insofar as the same relates to the Processing, protection or security of Personal Data.

(d) “Data Subject” means the natural living person to whom Personal Data relates.

(e) “Standard Contractual Clauses” means the standard data protection clauses for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection, as described in Article 46 of the GDPR and approved by European Commission decision 2010/87/EC, dated 5 February 2010.

(f) “Good Industry Practice” means the exercise of at least the skill, care, prudence and efficiency which would reasonably be expected for a similarly situated provider of services that are the same as, or substantially similar to, the Services under the Agreement.

(g) “Personal Data” means any information, including information in electronic form, that is included in Your Data and is processed by Issuetrak to provide the Service, and that relates to a living person who can be identified: (a) from those data, or (b) from those data and the use of additional information, taking into account all means reasonably likely to be used by anyone to identify the person directly or indirectly and includes, without limitation, first and last names, ID numbers, including government-issued identifiers, personal dates such as birthdates, email addresses, location data, internet protocol address or other online identifiers and information concerning race, ethnicity or mental or physical health. For clarity, “Personal Data” includes “Personal Information,” as that term is defined by the CCPA, and personal data that is publicly available. The term “Personal Data” excludes personal data that has been anonymized so that it is no longer possible to identify a Data Subject from the information, taking into account all means reasonably likely to be used by Issuetrak or anyone else to identify them.

(h) “Personal Data Breach” means a breach of security leading to destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed by Issuetrak or its Subprocessors, which is adverse to this Addendum or Data Protection Laws, or otherwise unlawful.

(i) “Personnel” shall include the relevant Party’s partners, members, employees, officers and agents, self-employed contractors and those of its sub-contractors.

(j) “Processing” means any operation or set of operations performed on data, whether or not by automated means, such as accessing, collection, downloading, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction (and “Process” and “Processed” shall be construed accordingly).

(k) “Subprocessor” means anyone engaged by Issuetrak to perform Processing that Issuetrak performs on behalf of Client.

(l) “Supervisory Authority” means any person or body having regulatory, supervisory, administrative, governmental or competent authority from time to time over all or any part of Issuetrak or Client, including the European Data Protection Board. For avoidance of doubt, this includes any successors to any person or body that would be considered to be a “Supervisory Authority” at the date of this Addendum.

2. Data Protection.

(a) With respect to the Parties’ rights and obligations under this Addendum, the Parties agree that Issuetrak is a Processor and Client is a Controller (each as defined in Data Protection Laws) of Personal Data.

(b) The Parties agree that Issuetrak is a “Service Provider,” as that term is defined in the CCPA, with respect to any Personal Data subject to the CCPA. Issuetrak is prohibited from: (i) selling Personal Data; (ii) retaining, using, or disclosing Personal Data for any purpose other than providing the Service, or as otherwise permitted by the CCPA; and (iii) retaining, using, or disclosing Personal Data outside of the direct business relationship between the person and the business. Issuetrak hereby certifies that it understands the restrictions in this Section 2(b) and will comply with them.

(c) The subject matter and duration of the Processing of Personal Data are described in the Agreement and this Addendum. The nature and purpose of the Processing of Personal Data is providing the Service.

(d) The types of personal data and the categories of data subjects are set forth in Schedule 1 to this Addendum.

3. Responsibilities of Client.

(a) Client shall process Personal Data in compliance with Data Protection Laws and good data processing practice.

(b) Client’s documented instructions of Processing of Personal Data are primarily given in the Agreement and this Addendum. Client shall have the right to give Issuetrak new documented instructions or amend the documented instructions given by Client to Issuetrak. Issuetrak is entitled to charge for reasonable and substantiated additional costs for complying with new or amended documented instructions from Client.

4. Responsibilities of Issuetrak. Issuetrak shall and shall procure that its personnel shall, at all times:

(a) process Personal Data in compliance with Data Protection Laws and good data processing practice;

(b) process Personal Data in accordance with this Addendum or on documented instructions from Client, unless prescribed otherwise by a provision of Data Protection Laws applicable to Issuetrak. In such case, Issuetrak shall inform Client of such requirement before beginning the Processing of Personal Data in accordance with the instructions, unless informing of such requirement is prohibited in Data Protection Laws;

(c) inform Client without undue delay if Issuetrak considers that instructions of Client are in breach of Data Protection Laws;

(d) ensure that Issuetrak’s personnel who are authorized to process Personal Data agree to maintain the confidentiality of such Personal Data in a manner consistent with the provisions of this Addendum;

(e) implement and maintain technical and organizational measures to ensure an appropriate level of security to protect Personal Data against unauthorized access and loss, destruction, damage, alteration or disclosure, or against other unlawful Processing;

(f) follow the conditions concerning the use of Subprocessors as prescribed in Section 7(a) below;

(g) taking into account the information available to Issuetrak, provide reasonable assistance to Client in responding to requests for exercising the rights of Data Subjects where Client does not have the required information. Issuetrak is entitled to charge Client, and Client must pay to Issuetrak upon demand, for additional costs and expenses that were reasonably incurred as a result of complying with this Section 4(g). Issuetrak will promptly notify Client if it receives a request from a Data Subject to access, correct or delete that Data Subject’s Personal Data or other right under Data Protection Laws or if a Data Subject objects to the Processing thereof and Issuetrak shall not respond to a Data Subject request without Client’s prior written consent;

(h) taking into account the information available to Issuetrak, provide reasonable assistance to Client in ensuring compliance with its obligations set out in Data Protection Laws relating to data security, Personal Data Breaches, data protection impact assessments, and prior consulting obligations. Issuetrak is entitled to charge Client, and Client must pay to Issuetrak upon demand, for additional costs and expenses that were reasonably incurred as a result of complying with this Section 4(h);

(i) at the choice of Client, delete or return Personal Data to Client on termination of the Services and delete all existing copies unless Issuetrak is required to store such Personal Data by any law or regulation to which Issuetrak is subject; and

(j) make available to Client all information necessary to demonstrate compliance with Issuetrak’s obligations set out in this Addendum and in Data Protection Laws. Client is obliged to keep all such information confidential at all times.

5. Personal Data Breach Notification.

(a) Issuetrak shall notify Client of all Personal Data Breaches without undue delay, but no later than one (1) business day after Issuetrak has become aware of the Personal Data Breach. Issuetrak shall make reasonable efforts to identify the cause of such Personal Data Breach and take those steps deemed necessary and reasonable in order to remediate the cause of such Personal Data Breach. The Personal Data Breach notification shall contain the following:

(i) a description of the nature of the Personal Data Breach, including the categories and approximate number of Data Subjects concerned and the categories and approximate number of data records concerned;

(ii) the name and contact details of the relevant contact person at Issuetrak handling the Personal Data Breach;

(iii) a description of the likely consequences and/or actual, realized consequences of the Personal Data Breach; and

(iv) a description of the measures Issuetrak has taken to address the Personal Data Breach and to mitigate its adverse effects.

(b) To the extent Issuetrak is unable to provide all of the information set forth above upon initial notice to Client, Issuetrak may supplement such notice with information as it becomes available and/or known to Issuetrak.

(c) Issuetrak shall document Personal Data Breaches and, subject to attorney-client privilege, disclose the documentation to Client upon Client’s written request.

(d) After Issuetrak has become aware of the Personal Data Breach, Issuetrak shall ensure security of Personal Data and take appropriate measures to ensure protection of Personal Data in cooperation with Client.

6. Transfers of Personal Data.

(a) Issuetrak may process Personal Data anywhere in the world where Issuetrak or its Subprocessors maintain data Processing operations. Issuetrak shall at all times provide an adequate level of protection for the Personal Data Processed, in accordance with the requirements of Data Protection Laws.

(b) To the extent Issuetrak’s performance or Client’s use of the Services requires the transfer of Personal Data from within the European Union or Switzerland to the United States or any other country that has not been designated by the European Commission or Swiss Federal Data Protection Authority (as applicable) as providing an adequate level of protection for Personal Data, the Standard Contractual Clauses are incorporated by reference in this Addendum and will apply to the transfer, unless the parties jointly agree that another valid mechanism under Data Protection Laws may be used with respect to the export of Personal Data. For purposes of the Standard Contractual Clauses:

(i) Client is the “data exporter” and Issuetrak is the “data importer;”

(ii) Issuetrak’s obligations under the Standard Contractual Clauses will be governed by the laws of the member state(s) in which Client is established;

(iii) The details of Appendix 1 of the Standard Contractual Clauses are set forth in Schedule 1 to this Addendum, which will be completed and executed by the parties;   

(iv) The details of Appendix 2 of the Standard Contractual Clauses are set forth at https://www.issuetrak.com/security/; and 

(v) In the event of any conflict between this Addendum and the Standard Contractual Clauses, the Standard Contractual Clauses will prevail.

7. Subprocessors.

(a) Issuetrak is entitled to engage and use Subprocessors in Processing Personal Data. Issuetrak may continue to use those Subprocessors already engaged by Issuetrak as of the date of this Addendum, and subject to Issuetrak meeting its obligations in Section 7(d) below Client hereby approves of such Subprocessors.

(b) Issuetrak is entitled to reduce the number of Subprocessors without separate notice to Client.

(c) Issuetrak shall notify Client at least thirty (30) days prior to a new Subprocessor commencing to Process Personal Data under this Addendum. Client may deny the use of the new Subprocessor only if Client has good faith, reasonable doubts about the ability of the Subprocessor to comply with Data Protection Laws. If Client does not deny the use of the new Subprocessor in writing within fourteen (14) days from the date of written notice from Issuetrak, Issuetrak may use the new Subprocessor in Processing Personal Data. If Client reasonably objects to a change in Subprocessor and Issuetrak cannot change the Service or recommend a commercially reasonable change to Client’s configuration or use of the Service to avoid Processing of Personal Data by such Subprocessor, Client may terminate the Agreement. In such case, Issuetrak will refund Client any prepaid fees covering the remainder of the term of the Agreement.

(d) Issuetrak shall take appropriate measures to ensure that the Subprocessors comply with the obligations specified in this Addendum, including security and confidentiality requirements, and Issuetrak shall enter into a written agreement with each Subprocessor containing data protection obligations substantially similar to, and no less protective than those contained in this Addendum. Issuetrak is responsible for the performance of its Subprocessors.

8. Amendment. Except as set forth herein, this Addendum may only be amended by mutual written agreement of the Parties.

Schedule 1 to Data Processing Addendum

This Schedule forms part of the EU Model Clauses and must be completed and signed by the parties. The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Schedule.

Data exporter

The data exporter is (please specify briefly your activities relevant to the transfer):

The data exporter is the entity identified as “Client” in the Data Processing Addendum executed between the data exporter and the data importer, a user of the cloud-based application provided by the data importer. 

Data importer

The data importer is (please specify briefly activities relevant to the transfer):

The data importer is Issuetrak, Inc., the provider of a cloud-based application utilized by the data exporter to report on and monitor the resolution of issues related to the data exporter’s business.

Data subjects

The personal data transferred concern the following categories of data subjects (please specify):

The data exporter may, at its sole discretion, submit Personal Data to the Service, which may include, but is not limited to, the following categories of Data Subjects: employees, customers, prospective customers, service providers, business partners, vendors, advisors (all of whom are natural persons) of the data exporter and any natural person(s) authorized by the data exporter to use the Services.

Categories of data

The personal data transferred concern the following categories of data (please specify):

The data exporter may, at its sole discretion, submit Personal Data to the Service which may include, but is not limited to, the following categories of data: first and last name, email address, telephone number, address (business or personal), date of birth, communications (telephone recordings, voicemail), customer service information, and title.  

Special categories of data (if appropriate)

The personal data transferred concern the following special categories of data (please specify):




Processing operations

The personal data transferred will be subject to the following basic processing activities (please specify):

The data importer will host and process Personal Data in the course of providing its cloud-based application for use by the data exporter, including as necessary to provide service and support.

  DATA EXPORTER   DATA IMPORTER
  Signature:   Signature:
  Name:   Name:
  Title:   Title:
  Date:   Date:



ATTACHMENT C: BUSINESS ASSOCIATE AGREEMENT ADDENDUM

This Business Associate Agreement (“BAA”) applies only to the extent that (1) Client is a “covered entity” as that term is defined in the HIPAA Rules; (2) Issuetrak is a “business associate” as that term is defined in the HIPAA Rules; (3) Client is entering PHI into the Service; and (4) Issuetrak is creating, receiving, transmitting or maintaining ePHI on behalf of Client. If all of the foregoing conditions are met, Client and Issuetrak enter into this Business Associate Agreement pursuant to the Health Insurance Portability and Accountability Act of 1996, as amended (“HIPAA”), to address the HIPAA requirements with respect to “business associates,” as defined under the privacy, security, breach notification and enforcement rules at 45 C.F.R. Part 160 and Part 164 (“HIPAA Rules”). A reference in this BAA to a section in the HIPAA Rules means the section as in effect or as amended. This BAA is effective as of the date that Covered Entity indicates its acceptance of this BAA (the “Effective Date”).

1. Definitions.

(a) This BAA is intended to ensure that Business Associate will establish and implement appropriate safeguards for the Protected Health Information (“PHI”) (as defined under the HIPAA Rules) that Business Associate may receive, create, maintain, use or disclose in connection with the functions, activities and services that Business Associate performs for Covered Entity. The functions, activities and services that Business Associate performs for Covered Entity are defined in the Cloud-Based Application Agreement (the “Underlying Agreement”).

(b) Pursuant to changes required under the Health Information Technology for Economic and Clinical Health Act of 2009 (the “HITECH Act”) and under the American Recovery and Reinvestment Act of 2009 (“ARRA”), this BAA also reflects federal breach notification requirements imposed on Business Associate when “Unsecured PHI” (as defined under the HIPAA Rules) is acquired by an unauthorized party and the expanded privacy and security provisions imposed on business associates.

(c) Unless the context clearly indicates otherwise, the following terms in this BAA shall have the same meaning as those terms in the HIPAA Rules: Breach, Data Aggregation, Designated Record Set, disclosure, Electronic Media, Electronic Protected Health Information (ePHI), Health Care Operations, individual, Minimum Necessary, Notice of Privacy Practices, Required By Law, Secretary, Security Incident, Subcontractor, Unsecured PHI and use.

(d) A reference in this BAA to the Privacy Rule means the Privacy Rule, in conformity with the regulations at 45 C.F.R. Parts 160-164 (the “Privacy Rule”) as interpreted under applicable regulations and guidance of general application published by the HHS, including all amendments thereto for which compliance is required, as amended by the HITECH Act, ARRA and the HIPAA Rules.

2. General Obligations of Business Associate.

(a) Business Associate agrees not to use or disclose PHI, other than as permitted or required by this BAA or as Required By Law, or if such use or disclosure does not otherwise cause a Breach of Unsecured PHI.

(b) Business Associate agrees to use appropriate safeguards, and comply with Subpart C of 45 C.F.R. Part 164 with respect to ePHI, to prevent use or disclosure of PHI other than as provided for by the BAA.

(c) Business Associate agrees to mitigate, to the extent reasonably practicable, any harmful effect that is known to Business Associate as a result of a use or disclosure of PHI by Business Associate in violation of this BAA’s requirements or that would otherwise cause a Breach of Unsecured PHI.

(d) Business Associate agrees to report to Covered Entity any Breach of Unsecured PHI not provided for by the BAA of which it becomes aware within ten (10) business days of “discovery” within the meaning of the HITECH Act. Such notice shall include the identification of each individual whose Unsecured PHI has been, or is reasonably believed by Business Associate to have been, accessed, acquired, or disclosed in connection with such Breach. In addition, Business Associate shall provide any additional information reasonably requested by Covered Entity for purposes of investigating the Breach and any other available information that Covered Entity is required to include to the individual under 45 C.F.R. 164.404(c) at the time of notification or promptly thereafter as information becomes delayed. Business Associate’s notification of a Breach of Unsecured PHI under this Section shall comply in all respects with each applicable provision of section 13400 of Subtitle D (Privacy) of ARRA, the HIPAA Rules and related guidance issued by the Secretary or the delegate of the Secretary from time to time.

(e) Business Associate agrees, in accordance with 45 C.F.R. 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, to require that any Subcontractors that create, receive, maintain or transmit PHI on behalf of the Business Associate agree to the same restrictions, conditions and requirements that apply to the Business Associate with respect to such information.

(f) To the extent Business Associate maintains a Designated Record Set, Business Associate agrees to make available PHI in a Designated Record Set to the Covered Entity to enable the Covered Entity to fulfill its obligations under the Privacy Rule, including 45 C.F.R. 164.524.

(g) Business Associate agrees to comply with an individual’s written request to restrict the disclosure of their personal PHI in a manner consistent with 45 C.F.R. 164.522, except where such use, disclosure or request is required or permitted under applicable law.

(h) Business Associate agrees that when requesting, using or disclosing PHI in accordance with 45 C.F.R. 502(b)(1) that such request, use or disclosure shall be to the minimum extent necessary to accomplish the intended purpose of such request, use or disclosure, as interpreted under related guidance issued by the Secretary from time to time.

(i) To the extent Business Associate maintains a Designated Record Set, Business Associate agrees to make PHI available to the Covered Entity so that the Covered Entity can make any amendments to PHI in the Designated Record Set that the Covered Entity directs or agrees to pursuant to 45 C.F.R. 164.526.

(j) Business Associate agrees to maintain and make available the information required to provide an accounting of disclosures to the Covered Entity as necessary to satisfy Covered Entity’s obligations under 45 C.F.R. 164.528.

(k) Business Associate agrees to make its internal practices, books and records, including policies and procedures regarding PHI, relating to the use and disclosure of PHI and Breach of any Unsecured PHI received from Covered Entity, or created or received by the Business Associate on behalf of Covered Entity, available to the Secretary for the purpose of the Secretary determining the Covered Entity’s compliance with the Privacy Rule.

(l) To the extent that Business Associate is to carry out one or more of Covered Entity’s obligation(s) under Subpart E of 45 C.F.R. Part 164, Business Associate agrees to comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligation(s).

(m) Business Associate agrees to account for the following disclosures:

(i) Business Associate agrees to maintain and document disclosures of PHI in a manner as would be required for Covered Entity to respond to a request by an individual for an accounting of PHI disclosures.

(ii) Business Associate agrees to provide to Covered Entity upon written request, information collected in accordance with this Section 2(m), to permit Covered Entity to respond to a request by an individual for an accounting of PHI disclosures.

(iii) Business Associate agrees to account for any disclosure of PHI used or maintained as an Electronic Health Record (as defined in Section 5) (“EHR”) in a manner consistent with 45 C.F.R. 164.528 and related guidance issued by the Secretary from time to time; provided that an individual shall have the right to receive an accounting of disclosures of EHR by the Business Associate made on behalf of the Covered Entity only during the three years prior to the date on which the accounting is requested in writing from Covered Entity.

(iv) In the case of an EHR that the Business Associate acquired on behalf of the Covered Entity as of January 1, 2009, Section 2(m)(iii) above shall apply to disclosures with respect to PHI made by the Business Associate from such EHR on or after January 1, 2014. In the case of an EHR that the Business Associate acquires on behalf of the Covered Entity after January 1, 2009, Section 2(m)(iii) above shall apply to disclosures with respect to PHI made by the Business Associate from such EHR on or after the later of January 1, 2011 or the date that it acquires the EHR.

(n) Business Associate may not use or disclose PHI in a manner that would violate Subpart E of 45 C.F.R. Part 164 if done by the Covered Entity.

3. Permitted Uses and Disclosures by Business Associate.

(a) Business Associate agrees to use or disclose PHI only in a manner that is consistent with this BAA, the Privacy Rule or Security Rule (as defined in Section 5) and only in connection with providing services to Covered Entity; provided that the use or disclosure would not violate the Privacy Rule, including 45 C.F.R. 164.504(e), if the use or disclosure would be done by Covered Entity.

(b) Business Associate may use and disclose PHI as permitted in the Underlying Agreement or as Required By Law.

(c) Business Associate may use and disclose PHI for the proper management and administration of Business Associate to carry out the legal responsibilities of Business Associate, provided that such uses or disclosures are permitted under state and federal confidentiality laws.

4. Obligations of Covered Entity.

(a) Covered Entity shall:

(i) Provide Business Associate with the Notice of Privacy Practices that Covered Entity produces in accordance with the Privacy Rule, and any changes or limitations to such notice under 45 C.F.R. 164.520, to the extent that such changes or limitations may affect Business Associate’s use or disclosure of PHI.

(ii) Notify Business Associate in writing of any restriction to the use or disclosure of PHI that Covered Entity has agreed to or is required to abide by under 45 C.F.R. 164.522, to the extent that such restriction may affect Business Associate’s use or disclosure of PHI under this BAA.

(iii) Notify Business Associate in writing of any changes in or revocation of permission by an individual to use or disclose PHI, if such change or revocation may affect Business Associate’s permitted or required uses and disclosures of PHI under this BAA.

(b) Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under the Privacy and Security Rule if done by Covered Entity, except as provided under Section 3 of this BAA.

5. Compliance with Security Rule.

(a) Business Associate shall comply with the HIPAA Security Rule, which shall mean the Standards for Security of Electronic Protected Health Information at 45 C.F.R. Part 160 and Subparts A and C of Part 164, as amended by ARRA and the HITECH Act. The term “Electronic Health Record” or “EHR” as used in this BAA shall mean an electronic record of health-related information on an individual that is created, gathered, managed and consulted by authorized health care clinicians and staff.

(b) In accordance with the Security Rule, Business Associate agrees to:

(i) Implement administrative, physical and technical safeguards to reasonably and appropriately protect the confidentiality, integrity and availability of the ePHI that it creates, receives, maintains or transmits on behalf of Covered Entity as required by the Security Rule; and

(ii) Report to the Covered Entity any Security Incident of which it becomes aware. Covered Entity acknowledges and agrees that this Section 5(b)(ii) constitutes notice by Business Associate to Covered Entity of the ongoing existence and occurrence or attempts of unsuccessful Security Incidents for which no additional notice to Covered Entity shall be required. Unsuccessful Security Incidents means, without limitation, pings and other attacks on firewall, port scans, unsuccessful log-on attempts, denial of service attacks and any combination of the above, so long as no such incident results in unauthorized access, use or disclosure of PHI.

6. Term and Termination.

(a) This BAA shall become effective on the Effective Date and shall continue in effect until all obligations of the parties have been met, including return or destruction of all PHI in Business Associate’s possession (or in the possession of Business Associate’s agents and/or contractors) as necessary, unless sooner terminated as provided herein. It is expressly agreed that the terms and conditions of this BAA designed to safeguard PHI shall survive expiration or other termination of the Underlying Agreement(s) and shall continue in effect until Business Associate has performed all obligations under this BAA.

(b) Upon either party’s knowledge of material breach by the other party, the non-breaching party shall provide an opportunity for the breaching party to cure the breach or end the violation. If the breaching party does not cure the breach or end the violation within a reasonable period of time from the notification of the breach, or if a material term of the BAA has been breached and a cure is not possible, the non-breaching party may terminate this BAA, upon written notice to the other party. If termination is not feasible, the non-breaching party may report the breach to the Secretary.

(c) Upon termination of this BAA for any reason, the parties agree that Business Associate shall return to Covered Entity or, if agreed to by Covered Entity, destroy all PHI received from Covered Entity, or created, maintained, or received by Business Associate on behalf of Covered Entity, that the Business Associate still maintains in any form. In the event Business Associate determines that returning or destroying PHI is infeasible, Business Associate shall provide Covered Entity with notification of the conditions that make return or destruction infeasible. Business Associate shall extend the protections of this BAA to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such PHI. Business Associate shall only be required to return or destroy PHI when it is feasible to do so.

7. Miscellaneous.

(a) The parties agree to take such reasonable action as is necessary to amend this BAA to comply with the requirements of the Privacy Rule, the Security Rule, HIPAA, ARRA, the HITECH Act, the HIPAA Rules and any other applicable law.

(b) The respective rights and obligations of Business Associate under Section 6 and Section 7 of this BAA shall survive the termination of this BAA.

(c) This BAA shall be interpreted such that any ambiguity shall be resolved in favor of a meaning that permits Covered Entity to comply with the HIPAA Rules. Any provision of this BAA that differs from those mandated by the HIPAA Rules, but is nonetheless permitted by the HIPAA Rules, shall be adhered to as stated in this BAA.

(d) This BAA may only be modified in a writing signed by both parties.

(e) This BAA constitutes the entire agreement between the parties related to the subject matter of this BAA. This BAA supersedes all prior negotiations, discussions, representations or proposals, whether oral or written. This BAA may not be modified unless done so in writing and signed by a duly authorized representative of both parties. If any provision of this BAA, or part thereof, is found to be invalid, the remaining provisions shall remain in effect.

(f) This BAA will be binding on the successors and assigns of the Covered Entity and the Business Associate. However, this BAA may not be assigned, in whole or in part, without the written consent of the other party. Any attempted assignment in violation of this provision shall be null and void.

(g) For avoidance of doubt, and not to the exclusion of any other provision, Section 13(f) shall apply to this BAA.

(h) Notices shall be given as specified in the Underlying Agreement.

(i) Except to the extent preempted by federal law, this BAA shall be governed by and construed in accordance with the laws of the Commonwealth of Virginia.

ATTACHMENT D: CHAT MESSAGING SERVICE AGREEMENT

NOTE: This Section is only applicable to users of Issuetrak’s optional chat messaging service.

Issuetrak licenses the chat messaging service (“Chat Service”) from a third-party vendor (“Chat Provider”). The Chat Service allows Users to share messages with other Users through the Chat Provider’s website. If Customer uses the Chat Service, it agrees to the terms set forth in this Attachment.

  1. Chat Service customers shall not record, upload, post, transmit, cause the display, playback or performance of, or otherwise make available any content that:

    • is harmful, threatening, abusive, harassing, tortious, vulgar, hateful, obscene, pornographic, excessively violent or racially, ethnically or otherwise offensive or discriminatory;

    • is illegal, tortious, defamatory, libelous or invasive of another’s privacy or publicity rights;

    • infringes any patent, trademark, trade secret, copyright or other proprietary or intellectual property rights of any party or includes copyrighted materials for which you do not possess appropriate rights;

    • you do not have a right to make available under law or contractual or fiduciary relationships;

    • includes private information of any third party;

    • is advertising, solicitation or promotional material;

    • contains software viruses or any other computer code, files or programs designed to destroy, interrupt or otherwise limit the functionality of any computer software, computer hardware or other equipment.

  2. All messages, information, videos or other content, whether publicly posted, displayed or performed on, or privately transmitted, are the sole responsibility of the person who sends or publishes such items. Accordingly, Customer is responsible for all items that its Users record, upload, post, cause a display, playback or performance of, email, transmit or otherwise make available via the website. Issuetrak may, but has no obligation to, monitor or screen the content posted and/or displayed or performed in the Chat Service and to remove any content in its sole discretion. Nevertheless, CUSTOMER REMAINS SOLELY RESPONSIBLE FOR THE CONTENT ITS USERS RECORD, UPLOAD, POST, CAUSE TO BE DISPLAYED, PLAYED BACK OR PERFORMED IN ANY AREAS OF THE CHAT SERVICE AND THAT ITS USERS TRANSMIT IN ANY OF THEIR COMMUNICATIONS THAT USE THE CHAT SERVICE.

  3. Customer may not do any of the following to the Chat Service:

    • use the Chat Service in any manner that could damage, disable, overburden, disrupt or impair the Chat Service or any Chat Service server, or the network(s) connected to any Chat Service server, or interfere with any other party’s use and enjoyment of the Chat Service;

    • disobey any applicable policies or regulations of networks connected to the Chat Service;

    • use any robot, spider, site search/retrieval application, or other device to retrieve, index or interface with any portion of the Chat Service;

    • modify, adapt, translate, reverse engineer or frame the Chat Service or reformat it in any way or create user accounts using any automated means or under false pretenses.

  4. No Responsibility for Third-Party Content. Customer understands that the Chat Service acts only as a technical interface between users and that Issuetrak and its Chat Provider do not verify the qualifications of users, nor do they evaluate or control in any ongoing manner exchanges between users. Any opinions or statements expressed by a user are those of the user alone, and are not to be attributed to Issuetrak or its Chat Provider who cannot and do not assume responsibility for the accuracy, completeness, safety, reliability, timeliness, innocuousness, legality or applicability of anything said, written, posted, displayed or otherwise made available by any user. Customer understands that its users may be exposed to content that they find offensive, and that Customer and its users use the Chat Service at their own risk.

  5. Interstate and International Use. Users in the European Union consent to the collection and processing of personal information, as described in this Agreement, in the United States. All users understand the potential cross-border nature of communications made using the Chat Service, and acknowledge that using the Chat Service may result in interstate and international transmission of data.

  6. Content License. Customer retains the copyright and any other rights it already holds in content which it submits, posts or displays on or through, the Chat Service. By submitting, posting or displaying the content Customer gives Issuetrak or its Chat Provider a perpetual, irrevocable, worldwide, royalty-free, and non-exclusive license to reproduce, adapt, modify, translate, publish, transmit and distribute any content which Customer submits, posts or displays on or through, the Chat Service. This license is for the sole purpose of enabling Issuetrak or its Chat Provider to maintain, operate and provide the Chat Service. Neither Issuetrak nor its Chat Provider shall make such content available to other companies, organizations or individuals without Customer’s permission.

  7. Copyright Policy. In addition to any other use restrictions set forth in this Agreement, Customer may not engage in or facilitate the posting, modification, distribution, reproduction of any copyrighted material, trademarks, or other proprietary information belonging to others without obtaining the prior written consent of the owner of such proprietary rights. It is the policy of Issuetrak or its Chat Provider to terminate all privileges of any user who infringes the copyright rights of others.

  8. Third-Party Web Sites, Services and Content. The Chat Service may contain links to third-party sites that are not under the control of Issuetrak or its Chat Provider. Neither Issuetrak nor its Chat Provider is responsible for, nor does either guarantee, the accuracy or integrity of these links.

Disclaimer of Warranties and Limitation of Liability. Each of Issuetrak and its Chat Provider disclaims any and all responsibility or liability for the content, legality, reliability, or operability or availability of information or material displayed in or from the Chat Service. Each of Issuetrak and its Chat Provider disclaims any responsibility for the deletion, failure to store, mis-delivery, or untimely delivery of any content, information or other material and disclaims any responsibility for any harm resulting from downloading or accessing any information or material on the Internet through the Chat Service.

THE CHAT SERVICE IS PROVIDED “AS IS” AND “AS AVAILABLE” WITH NO WARRANTIES WHATSOEVER. ALL EXPRESS, IMPLIED, AND STATUTORY WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT OF PROPRIETARY RIGHTS, ARE EXPRESSLY DISCLAIMED TO THE FULLEST EXTENT PERMITTED BY LAW. IN ADDITION, EXCEPT AS EXPRESSLY PROVIDED OTHERWISE, ISSUETRAK AND ITS CHAT PROVIDER DISCLAIM ANY WARRANTIES OF NON-INFRINGEMENT, TITLE, OR QUIET ENJOYMENT. TO THE FULLEST EXTENT PERMITTED BY LAW, ISSUETRAK AND ITS CHAT PROVIDER DO NOT REPRESENT OR WARRANT TO CUSTOMER THAT: CUSTOMER’S USE OF THE CHAT SERVICE WILL BE UNINTERRUPTED, TIMELY, SECURE OR ERROR-FREE, CUSTOMER’S USE OF THE CHAT SERVICE WILL MEET CUSTOMER’S REQUIREMENTS, AND, ANY INFORMATION OR CONTENT OBTAINED BY CUSTOMER AS A RESULT OF CUSTOMER’S USE OF THE CHAT SERVICES WILL BE LEGAL, ACCURATE, RELIABLE OR OF A QUALITY THAT MEETS CUSTOMER’S EXPECTATIONS, TO THE FULLEST EXTENT PERMITTED BY LAW, AND DISCLAIM ANY WARRANTIES FOR OTHER SERVICES OR GOODS RECEIVED THROUGH OR ADVERTISED ON THE CHAT SERVICE OR RECEIVED THROUGH ANY LINKS PROVIDED IN THE CHAT SERVICE, AS WELL AS FOR ANY INFORMATION OR ADVICE RECEIVED THROUGH THE CHAT SERVICE OR THROUGH ANY LINKS PROVIDED IN THE CHAT SERVICE. ISSUETRAK AND ITS CHAT PROVIDER DISCLAIM ANY RESPONSIBILITY FOR THE DELETION, FAILURE TO STORE, MISDELIVERY, OR UNTIMELY DELIVERY OF ANY INFORMATION OR MATERIAL AND DISCLAIM ANY RESPONSIBILITY OR LIABILITY FOR ANY HARM RESULTING FROM DOWNLOADING OR ACCESSING ANY INFORMATION OR MATERIAL THROUGH THE CHAT SERVICE, INCLUDING, WITHOUT LIMITATION, FOR HARM CAUSED BY VIRUSES OR SIMILAR CONTAMINATION OR DESTRUCTIVE FEATURES. 
CUSTOMER UNDERSTANDS AND AGREES THAT ANY MATERIAL DOWNLOADED OR OTHERWISE ACCESSED OR OBTAINED THROUGH THE USE OF THE CHAT SERVICE IS DONE AT ITS OWN DISCRETION AND RISK AND THAT CUSTOMER WILL BE SOLELY RESPONSIBLE FOR ANY DAMAGES TO ITS COMPUTER SYSTEM, MOBILE TELEPHONE, OTHER DEVICE OR DATA THAT RESULTS IN THE DOWNLOAD OF SUCH MATERIAL. NO ADVICE OR INFORMATION, WHETHER WRITTEN OR ORAL, OBTAINED BY CUSTOMER FROM ISSUETRAK AND ITS CHAT PROVIDER, THEIR EMPLOYEES OR REPRESENTATIVES SHALL CREATE ANY WARRANTY NOT EXPRESSLY STATED IN THESE TERMS. CUSTOMER EXPRESSLY UNDERSTANDS AND AGREES THAT UNDER NO CIRCUMSTANCES SHALL ISSUETRAK AND ITS CHAT PROVIDER BE LIABLE TO ANY USER OF THAT USER’S USE OR MISUSE OF THE CHAT SERVICE OR RELIANCE ON THE CHAT SERVICE. SUCH LIMITATION OF LIABILITY SHALL APPLY TO PREVENT RECOVERY OF DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, SPECIAL, EXEMPLARY, AND PUNITIVE DAMAGES (EVEN IF ISSUETRAK AND ITS CHAT PROVIDER HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES). SUCH LIMITATION OF LIABILITY SHALL APPLY WHETHER THE DAMAGES ARISE FROM USE OR MISUSE OF AND RELIANCE ON THE CHAT SERVICE, FROM INABILITY TO USE THE CHAT SERVICE, OR FROM THE INTERRUPTION, SUSPENSION, OR TERMINATION OF THE CHAT SERVICE AND THE DELETION OF CONTENT (INCLUDING SUCH DAMAGES INCURRED BY THIRD PARTIES). SUCH LIMITATION SHALL ALSO APPLY WITH RESPECT TO DAMAGES INCURRED BY REASON OF OTHER SERVICES OR GOODS RECEIVED THROUGH OR ADVERTISED ON THE CHAT SERVICE OR RECEIVED THROUGH ANY LINKS PROVIDED IN THE CHAT SERVICE, AS WELL AS BY REASON OF ANY INFORMATION OR ADVICE RECEIVED THROUGH OR ADVERTISED ON THE CHAT SERVICE OR RECEIVED THROUGH ANY LINKS PROVIDED IN THE CHAT SERVICE. SUCH LIMITATION SHALL APPLY, WITHOUT LIMITATION, TO THE COSTS OF PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES, LOST PROFITS, OR LOST DATA. 
SUCH LIMITATION SHALL APPLY WITH RESPECT TO THE PERFORMANCE OR NON-PERFORMANCE OF THE CHAT SERVICE OR ANY INFORMATION OR MERCHANDISE THAT APPEARS ON, OR IS LINKED OR RELATED IN ANY WAY TO THE CHAT SERVICE OR TO ISSUETRAK OR ITS CHAT PROVIDER. SUCH LIMITATION SHALL APPLY NOTWITHSTANDING ANY FAILURE OF ESSENTIAL PURPOSE OF ANY LIMITED REMEDY. SUCH LIMITATION SHALL APPLY TO THE FULLEST EXTENT PERMITTED BY LAW.

SUCH LIMITATION OF LIABILITY SHALL ALSO APPLY TO ANY DAMAGE CAUSED BY LOSS OF ACCESS TO, DELETION OF, FAILURE TO STORE, FAILURE TO BACK UP, OR ALTERATION OF USER CONTENT. CUSTOMER AGREES THAT ISSUETRAK AND ITS CHAT PROVIDER’S ENTIRE LIABILITY, IF ANY, FOR ANY AND ALL CLAIMS ARISING FROM THE USE OF THE CHAT SERVICE SHALL NOT EXCEED THE AMOUNT OF THE MOST RECENT ONE MONTH SERVICE FEE PAYMENT OR TEN ($10) US DOLLARS, WHICHEVER IS LOWER. UNDER NO CIRCUMSTANCES SHALL ISSUETRAK OR ITS CHAT PROVIDER BE HELD LIABLE FOR ANY DELAY OR FAILURE IN PERFORMANCE RESULTING DIRECTLY OR INDIRECTLY FROM ACTS OF NATURE, FORCES, OR CAUSES BEYOND ITS REASONABLE CONTROL, INCLUDING, WITHOUT LIMITATION, INTERNET FAILURES, COMPUTER EQUIPMENT FAILURES, TELECOMMUNICATION EQUIPMENT FAILURES, OTHER EQUIPMENT FAILURES, ELECTRICAL POWER FAILURES, STRIKES, LABOR DISPUTES, RIOTS, INSURRECTIONS, CIVIL DISTURBANCES, SHORTAGES OF LABOR OR MATERIALS, FIRES, FLOODS, STORMS, EXPLOSIONS, ACTS OF GOD, WAR, GOVERNMENTAL ACTIONS, ORDERS OF DOMESTIC OR FOREIGN COURTS OR TRIBUNALS, NON-PERFORMANCE OF THIRD PARTIES, OR LOSS OF OR FLUCTUATIONS IN HEAT, LIGHT, OR AIR CONDITIONING.

SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OF CERTAIN WARRANTIES OR THE LIMITATION OR EXCLUSION OF LIABILITY FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES. ACCORDINGLY, SOME OF THE ABOVE LIMITATIONS OF THIS SECTION MAY NOT APPLY TO CUSTOMER.

  1. Indemnity. Customer agrees to indemnify, defend, and hold Issuetrak and its Chat Provider, their respective officers, agents, co-branders, partners, and employees harmless from any claim or demand made by any third party due to or arising out of Customer’s use of the Chat Service, Customer’s connection to the Chat Service, Customer’s violation of the Terms of Service or Privacy Policy, or Customer’s violation of any rights of other users of the Chat Service. Any such indemnification shall include the payment of reasonable attorney’s fees incurred in the defense of such claim.

  2. Termination or Modification; Consequences of Violation of Terms of Service. Issuetrak or its Chat Provider may terminate Customer’s privilege to use the Chat Service at any time for any reason. In addition, Issuetrak and its Chat Provider have the right but no obligation to:

    • remove any material that in its sole opinion may violate, or that is alleged to violate, any applicable law or these Terms of Service;

    • terminate a Chat Service discussion or any other portion of the Chat Service, and/or remove a user or users from a discussion or otherwise terminate any use of the Chat Service if Issuetrak or its Chat Provider determine or have a good faith concern that such use is unlawful and/or prohibited by these Terms of Service;

    • inform law enforcement of any illegal activity or material that is suspected or discovered on, through, or otherwise relating to the Chat Service and provide law enforcement officials with all requested information about the user account from which the illegal activity or material originated.

  3. European Union (“EU”) customers have the ability to store Chat Service content on EU servers. If Customer is in the EU and wishes to store its content on EU servers, contact Issuetrak for additional information.