PRIVACY AND SECURITY POLICY

[EXHIBIT D]

PRIVACY AND SECURITY POLICY

GOOD METHODS GLOBAL INC.

PRIVACY AND SECURITY POLICY

Date Last Revised: October 22/2016

Good Methods Global Inc. (“Company”) takes Privacy seriously.  This Privacy and Security Policy (the “Policy”) describes (a) the types of information we may collect or that Customer may provide when you access or use the Company Platform as a service (the “Service”); and (b) our practices for collecting, using, maintaining, protecting and disclosing that information.

  • Company has many different business relationships with its customers (collectively, its “Customers” and each a “Customer”) that have been memorialized in the various agreements pursuant to which Company may be considered a “Business Associate” of Customer, who are  “Covered Entity,” both defined in Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), as amended, including all pertinent regulations set forth in Title 45, Parts 160 and 164 of the Code of Federal Regulations issued by the U.S. Department of Health and Human Services as either have been amended by Subtitle D of the Health Information Technology for Economic and Clinical Health Act of 2009 (“HITECH Act”).
  • The nature of the underlying contractual relationship (the “Agreement”) and any related agreement, including a Business Associate Agreement (‘BAA”) between Company and Customer may involve the use and/or disclosure of Protected Health Information (“PHI”) and/or Personally Identifiable Information (“PII” or “Personal Information”).
  • Both the Company and its Customers have certain obligations under HIPAA, including, the Privacy Rule and the Security Rule, and any applicable Texas, including HB300, New Mexico laws and regulation, other state statutes and regulations and the Health Information Technology for Economic and Clinical Health Act of 2009 (“HITECH Act”), and their implementing regulations.
  • Company further complies with the provisions of the Fair and Accurate Credit Transaction Act of 2003 (“FACTA”) and the Identity Theft Prevention Regulations issued in Part 681 of Title 16 of the Code of Federal Regulations.
  • Definitions. Terms used, but not otherwise defined, in this Policy shall have the same meaning as those terms in the Regulations, including without limitation, the Privacy Rule, as set forth in the Standards for Privacy of individually identifiable health information at 45 C.F.R. Parts 160 and 164, as amended by the HITECH ACT and as may be otherwise amended from time to time. For the purposes of this Policy, PII means any information about an individual, including (i) any information that can be used to distinguish or trace an individual’s identity, such as name, social security number, address, zip code, IP address, date and place of birth, mother’s maiden name, or biometric records; and (ii) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information, that can be used on its own or with other information to identify, contact, or locate a single person, or to identify an individual in context.
  • Obligations and Activities of Company

6.1 Use. Company shall not use or disclose PHI or PII other than as permitted or required by the Agreement, the Policy, or as required by law.

6.2 Compliance. Company shall be directly responsible for full compliance with the relevant requirements of both the HIPAA Privacy Rule and Security Rule.

6.3 Appropriate Safeguards. Company shall use reasonable and appropriate safeguards to prevent use or disclosure of PHI, Electronic PHI and PII that Company receives, maintains or transmits on behalf of Customer, other than as permitted by the Agreement, any BAA, including, but not limited to, administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of the PHI in accordance with 45 C.F.R. §§164.308, 164.310 and 164.312.  Company shall comply with the policies and procedures and documentation requirements of the HIPAA Security Rule, including, but not limited to 45 C.F.R. §164.316 and the HITECH Act, 42 U.S.C. §17931.

6.4 Designated Privacy and Security Officer. Company shall designate an individual to serve as the Privacy and Security Officer (the “Privacy Officer”) responsible for supervising the privacy and security mechanisms, including, but not limited to, administrative, physical and electronic mechanisms employed within the organization to prevent the unauthorized use, disclosure or access to PHI and PII maintained by Company on behalf of its Customers.

6.5 Company’s Agents. Company shall ensure that any agent, including a subcontractor, that creates, receives, maintains or transmits PHI and PII on behalf of Company has a written agreement or other arrangement which provides satisfactory assurances that the agent or subcontractor will appropriately safeguard the information and agrees to substantially similar restrictions and conditions that apply through this Policy to Company with respect to such information and as required under 45 C.F.R §§ 160 and 164.   If Company knows of a pattern of activity or practice of its agent or subcontractor that constitutes a material breach or violation of Company’s obligations under this Policy, Company shall take reasonable steps to cure the breach and end the violation, as applicable, and, if such steps are unsuccessful, terminate the contract or arrangement, if feasible.

6.6 Company’s Employees. Company shall take reasonable steps to ensure that its employees’ actions or omissions do not cause Company to breach the terms of this Policy.

6.7  Duties of Company Involving Breach or Unauthorized Access, Use or Disclosure of PHI and PII.

      • Discovery of Breach. A Breach shall be treated as discovered by the Company as of the first day on which such Breach is known to the Company or, by exercising reasonable diligence, would have been known to Company.
      • Notification. Company shall, following the discovery of a Breach of Unsecured PHI, notify the designated office of the Customer (the “Customer’s Privacy Officer”) of such breach pursuant to the terms of 45 C.F.R. §164.410 and cooperate in the Customer’s breach analysis procedures, including risk assessment, if requested.  Company will provide notice to the Customer of the discovery of a Breach of Unsecured PHI, as defined in HIPAA.  Notice shall occur as soon as possible and without unreasonable delay and no later than five (5) business days after discovery of the Breach unless it is an urgent situation requiring immediate notification under the Regulations where immediate phone notification shall be made to the Customer’s Privacy Officer.
      • Reporting Improper Access, Use or Disclosure. Company shall provide the following information to Customer within ten (10) business days of discovery of a Breach of Unsecured PHI except when despite all reasonable efforts of Company to obtain the information required, circumstances beyond the control of the Company necessitate additional time.  Under such circumstances, Company shall provide to Customer the information as soon as possible.  The information required upon discovery of a breach is as follows: the date of the breach; a description of the types of unsecured PHI that were involved; a listing of the identification of each individual and/or class of individuals whose unsecured PHI has been, or is reasonably believed to have been accessed, acquired or disclosed; and any other details necessary to complete an assessment of the risk of harm to the individual to the extent required under 45 C.F.R. §§164.400-414. Company agrees to provide the Customer’s Privacy Officer with updates of information concerning the details of such breach and the final results of its Risk Assessment as required below, as needed, to ensure that such information remains current.
      • Risk Assessment and Investigation. Company shall perform an appropriate risk assessment immediately following the discovery of any unauthorized access, use or disclosure of PHI to determine whether PHI has been compromised.  In performing the Risk Assessment, Company shall consider a combination of factors such as: (a) the nature and extent of the PHI involved, including the types of identifiers and likelihood that the information could be re-identified; (b) who impermissibly used the PHI or to whom the PHI was impermissibly disclosed; (c) was the PHI actually acquired or viewed or did an opportunity exist for acquiring or viewing the PHI; and, (d) was the risk to the PHI mitigated. The results of the Risk Assessment shall be provided to Customer in writing, without unreasonable delay, and in no event later than thirty (30) calendar days from the date of discovery of the unauthorized use, access or disclosure.  In addition to the Risk Assessment conducted by the Company, the Company agrees to cooperate with Customer to conduct its own investigation of any unauthorized use, access or disclosure of PHI occurring at a facility, site or location of Company, its agents or subcontractors or through any systems under the control of the Company, its agents, or subcontractors to the extent related to Customer’s PHI.  Customer agrees to protect the confidentiality of and not disclose any confidential and proprietary information of Company to which Customer has access during the course of such investigation.
      • Mitigation of Harm. Company shall mitigate, to the extent practicable, any harmful effect that is known to Company of a use or disclosure of PHI and PII by Company in violation of the requirements of this Agreement.  Mitigation may include, but shall not be limited to, obtaining reasonable assurance from the recipient that the information will not be further used or disclosed and providing affected individuals with services to protect them against identity theft.  Company shall bear the expense of any mitigating measures the Customer deems appropriate.
      • Notification to Individual. It is the sole responsibility of Customer to notify the individual patients/customers of any Breach of Unsecured PHI or PII.  Any such inquiries should be directed to the Customer’s Privacy Officer.  Company shall cooperate with Customer as necessary to provide such notification and any details pertaining to any Breach of Unsecured PHI or PII.
      • Cooperation with Law Enforcement. Company shall cooperate with Customer in the event law enforcement officials institute an investigation that involves the Breach of Unsecured PHI or PII under this Agreement.
      • Notification to Media. For a breach of Unsecured PHI involving more than 500 individuals, it is solely the responsibility of Customer to notify the media and appropriate law enforcement and federal and state agencies as required by the HITECH Act, 45 C.F.R. §164.406.  In the event of such a breach, Company shall limit contact with the media regarding the breach to that which is agreed upon with Customer.  Company shall cooperate with Customer as necessary to provide such notification to the media.
    • Audit by DHHS. Company shall make internal practices, books, and records, including policies and procedures and PHI, relating to the use and disclosure of PHI received from, or created or received by Company on behalf of, Customer available to the Department of Health and Human Services or any other applicable federal or state agency (collectively the “DHHS”), in a time and manner that permits the Customer to respond in a timely manner to the DHHS’s deadline or as designated by the DHHS, for purposes of the DHHS determining Customer’s compliance with HIPAA, including the Privacy Rule and other federal or state privacy rules and regulations (“Other Privacy Regs.”).
    • Access to Information. In the event any individual requests access to his or her own PHI or PII directly from Company, Company shall within two (2) business days of such request, forward such request to Customer.  Customer shall in good faith determine whether such information is to be provided to the individual and shall so notify Company.  If requested by Customer, Company shall provide the information in a designated record set to Customer and Customer shall make the disclosure to the individual. 
    • Requested Restrictions. Company agrees to comply with any requests for restrictions on certain disclosures of (i) PHI pursuant to 45 C.F.R. Section 164.522 of the HIPAA Security and Privacy Rule to which the Customer has agreed or pursuant to the HITECH Act and which Company is notified by Customer (ii) Other Privacy Regs.
    • Electronic Availability. If Company maintains PHI electronically, it agrees to make such PHI electronically available to Customer in the form or format requested by an individual, if it is readily available in such form and format.  If the requested form or format is not readily available, Company will provide a hard copy or agree to another form or format agreeable to the individual.
    • Minimum Necessary. Company agrees to limit its request for the use and disclosure of PHI or PII to the minimum necessary to accomplish the intended purpose of the applicable request, use or disclosure.
    • Amendments of PHI. If, and to the extent that Company possesses an applicable Designated Record Set, within a reasonable amount of time of receipt of a request from the Customer for an amendment of an Individual’s PHI contained in the Designated Record Set, Company agrees to incorporate any such amendments in the PHI maintained by Company as required by 45 C.F.R. § 164.526.  In the event an individual notifies Company directly that any PHI regarding such individual is to be amended, Company shall notify Customer within five (5) business days of such request, and if the Customer notifies Company that the such information is to be amended, Company agrees to incorporate any such amendments in the PHI maintained by Company as required by 45 C.F.R. § 164.526.
    • Red Flag Rules. Company is bound as a Business Associate by FACTA and its implementing regulations and will take such actions as are necessary to comply with the requirements of the Federal Trade Commission’s (“FTC”) Red Flag Rules (12 CFR 681). Company will implement sufficient precautions, policies and procedures to prevent, detect and mitigate identity theft and train appropriate staff on these policies and procedures.  In the event that Company becomes aware of circumstances which it believes may be a Red Flag, Company, within the scope of its responsibilities, will investigate and attempt to verify the circumstances.  In the event Company is unable to do so, they will contact Customer to coordinate advising patients, making notations or corrections in records, and take other reasonable steps as may be appropriate under the circumstances.
    • Compliance with Privacy and Information Security Requirements.

6.15.1 Company shall comply with (i) all applicable international, federal, state, provincial and local laws, rules, regulations, directives and governmental requirements currently in effect and as they become effective relating in any way to the privacy, confidentiality or security of Personal Information; and (ii), when commercially reasonable. all applicable industry standards concerning privacy, data protection, confidentiality or information security.

    • Accounting Rights. Company and its agents or subcontractors shall make available to Customer the information required to provide an accounting of disclosures to enable Customer to fulfill its obligations under the Privacy Rule and the HITECH Act.  Company agrees to implement a process that allows for an accounting and access report, to the extent required by law, to be collected and maintained by Company and its agents or subcontractors for the time period required by HIPAA and any final accounting rule(s).  At a minimum, the information collected and maintained shall include: (i) the date of disclosure; (ii) the name of the entity or person who received the PHI and if known, the address of the entity or person; (iii) a brief description of PHI disclosed; and (iv) a brief statement of purpose of the disclosure that reasonably informs the individual of the basis for the disclosure, or a copy of the individual’s authorization or a copy of the written request for disclosure.  Company is expected to meet the requirements described in this Section with respect to Electronic Health Records by the Compliance Date set forth in the HITECH Act.  Company agrees to provide to Customer, in writing and within five (5) business days of request from the Customer, information collected in accordance with this Agreement, to permit Customer to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 CFR § 164.528.  In the event the Company receives a request directly from an individual, Company will forward the request to the Customer within two (2) business days.
    • Compliance with Current Law. Company shall conform its practices to the most recent guidance by the DHHS concerning the most effective and appropriate technical safeguards to facilitate compliance with the Security Rule.  To the extent not specifically incorporated or referenced, Company agrees to comply with all requirements applicable to Business Associates under HIPAA, the HITECH Act, or their regulations.
    • Security Incident. Company shall promptly report to Customer any “security incident,” as such term is defined in the HIPAA Security Rule.  Security incidents must be reported within two (2) business days of discovering the incident.  At the request of Customer, Company shall identify: 1) the date of the security incident; 2) the scope of the security incident; 3) the Company’s response to the security incident; and, 4) the identification of the party responsible for causing the security incident, if known.  In addition, Company agrees to mitigate, at its own expense, any harmful effect caused by the security incident.
  • Permitted Uses and Disclosures by Company
    • General Use and Disclosure Provisions. Except as otherwise limited in this Agreement, Company may use or disclose PHI on behalf of, or to provide services to, Customer as specified in or otherwise permitted by such Agreement, if such use or disclosure of PHI would not violate the Privacy, Security or Notification Rules if done by Customer or the minimum necessary policies and procedures of the Customer.
    • Specific Use and Disclosure Provisions. Except as otherwise limited in this Agreement, Company may use and disclose PHI for the proper management and administration of the Company or to carry out the legal responsibilities of the Company, provided that as to any such disclosure, the following requirements are met:
      • The disclosure is required by law; or,
      • Company obtains reasonable assurances from the person to whom the information is disclosed that the PHI will be held confidential as provided in this Agreement for the purpose for which it was disclosed to the person, and the person notifies Company within 24 hours of the discovery of any breach or suspected breach of the confidentiality of PHI.
      • Data Aggregation. Except as otherwise limited in this Agreement, Company may use PHI to provide Data Aggregation services to Customer as permitted by 45 CFR § 164.504(e)(2)(i)(B).
      • Violations of Law.  Company may use PHI to report violations of law to appropriate Federal and State authorities, consistent with Federal and State law, including but not limited to HIPAA and HITECH Act.
  • Prohibited Uses and Disclosures by Company
    • Remuneration. Company agrees that it shall not directly or indirectly receive remuneration in exchange for any PHI except with the prior written consent of Customer and as permitted by the HITECH Act, as described in 42 U.S.C. §17935(d)(2).
    • Off-shore Subcontractor. Company shall not employ, engage or contract with off-shore contractors, during the Term for purposes relating to PHI and this Agreement, unless the Company enters into Business Associate Agreement with such contractors who agree to comply with applicable provisions of this Policy, including and not limited to all applicable laws and regulations of the United States and the applicable country, i.e. country from which the off-shore contractor would access the said data.
    • Marketing. Company agrees it shall not directly or indirectly perform marketing to Customer patients using PHI that was either provided by Customer, or created or otherwise acquired by Company on behalf of Customer.
    • Special Restrictions. Company shall not disclose PHI to a health plan for payment or health care operations purposes if the individual patient has requested this special restriction, and has paid out of pocket in full for the health care item or services to which the PHI solely relates as required by 42 U.S.C. §17935(a).
    • Against the Law. Company shall not use or disclose PHI or PII for any purpose not permitted by an applicable Agreement, a BAA, HIPAA. the HITECH Act or the Privacy Laws.
  • Personal Information Safeguards

9.1 Customer Confidential Information.

9.1.1 Company agrees to treat all PII as Confidential Information of Customer. The Parties agree to use, store, process and disclose all Personal Information only in accordance with this Policy, as the same may be amended from time to time by Customer.  Additionally, except to the extent required by applicable Law, including all Privacy Laws, in the event that Company determines to change methods or locations used to store, process or use PII that would result in Customer being subject to additional or different costs or compliance obligations under any applicable Law, including any Privacy Law, then Company will provide Customer with reasonable advance written notice and will be responsible for obtaining all third party consents, if any, relating to such change and for all documented additional costs and other expenses (including any actual and reasonable increased costs to comply with such additional obligations) imposed on Customer as a result of such change.

9.1.2 Company shall develop, maintain and implement a comprehensive written information security program that complies with applicable Privacy Laws.  Company’s information security program shall include appropriate administrative, technical and physical safeguards and other security measures designed to (i) ensure the security and confidentiality of PII; (ii) protect against any anticipated threats or hazards to the security and integrity of PII; and (iii) protect against any actual or suspected unauthorized Processing, loss, use, disclosure or acquisition of or access to any PII.  Company shall maintain information security controls which shall include appropriate administrative, technical, physical, organizational and operational safeguards and other security measures designed to (i) maintain the security and confidentiality of PII; (ii) protect against any anticipated threats or hazards to the security and integrity of PII; and (iii) protect against any actual or suspected unauthorized processing, loss, use, disclosure or acquisition of or Access to any PII (hereinafter an “PII Incident”).  Where the processing by Company or its personnel or subcontractors of such Personal Information involves the transmission by them of such PII over a network, Company shall implement appropriate measures designed to protect the PII against the specific risks associated with such transmission.  Such measures shall reflect a level of security appropriate to the risks associated with such transmission and the nature of the PII processed.  Company shall exercise the necessary and appropriate supervision over its relevant personnel and subcontractors to maintain privacy, confidentiality and security of Personal Information in accordance with this Agreement.  Company shall provide training, as appropriate, regarding the privacy, confidentiality and information security requirements of applicable Privacy Laws, including all laws, to relevant personnel who have access to PII.

9.2 Without limiting the generality of the foregoing, Company’s safeguards shall include secure user authentication protocols, secure access control measures, reasonable monitoring of systems on which Personal Information is maintained, appropriate segregation of Personal Information from information of Company or its other Customer, and appropriate Personnel security and integrity procedures and practices, including, without limitation, conducting background checks in accordance with applicable law.  If the Processing by Company or its Personnel involves the transmission of the Personal Information over a network, Company shall implement appropriate measures designed to protect the Personal Information against the specific risks associated with such transmission.  Company shall ensure a level of security appropriate to the risks associated with such transmission and the nature of the Personal Information Processed.

9.3 Company shall immediately inform Customer in writing of any Information Security Incident of which Company becomes aware, but in no case later than three (3) days hours after it becomes aware of the Information Security Incident.  Such notice shall summarize in reasonable detail the effect on Customer, if known, of the Information Security Incident and the corrective action taken or to be taken by Company.  Company shall promptly take all necessary and advisable corrective actions, and shall cooperate fully with Customer in all reasonable and lawful efforts to prevent, mitigate or rectify such Information Security Incident.  Company shall (i) investigate such Information Security Incident and perform a root cause analysis thereon; (ii) remediate the effects of such Information Security Incident; and (iii) provide Customer with such assurances as Customer shall request that such Information Security Incident is not likely to recur.  The content of any filings, communications, notices, press releases or reports related to any Information Security Incident must be approved by Customer prior to any publication or communication thereof.

9.4 Upon the occurrence of an Information Security Incident involving Personal Information in the possession, custody or control of Company or for which Company is otherwise responsible, Company agrees to reimburse Customer on demand for all Notification Related Costs (defined below) incurred by Customer arising out of or in connection with any such Information Security Incident.  Notification Related Costs” shall include Customer’s internal and external costs associated with investigating, addressing and responding to the Information Security Incident, including, without limitation: (i) preparation and mailing or other transmission of notifications or other communications to consumers, employees or others as Customer deems reasonably appropriate; (ii) establishment of a call center or other communications procedures in response to such Information Security Incident (e.g., Customer service FAQs, talking points and training); (iii) public relations and other similar crisis management services; (iv) legal, consulting, forensic expert and accounting fees and expenses associated with Customer’s investigation of and response to such incident; and (iv) costs for commercially reasonable credit reporting and monitoring services that are associated with legally required notifications or are advisable under the circumstances.

9.5 Company shall exercise the necessary and appropriate supervision over its relevant Personnel to maintain appropriate privacy, confidentiality and security of Personal Information.  Company shall provide training, as appropriate, regarding the privacy, confidentiality and information security requirements set forth in this Policy to relevant Personnel who have access to Personal Information.

10. Limitation on Damages

10.1MAXIMUM AGGREGATE LIABILITY. THE MAXIMUM LIABILITY OF COMPANY FOR CLAIMS ARISING UNDER THIS POLICY OR ELSEWHERE, INCLUDING SECTION 6 AND SECTION 9 IN CONNECTION WITH THIS POLICY WILL NOT EXCEED THE LOWER OF (i) THE AGGREGATE AMOUNT PAID BY THE CUSTOMER IN THE TWELVE MONTH PERIOD PRECEDING THE CLAIM OR (ii) ONE MILLION USD. THE CUSTOMER ACKNOWLEDGES THAT THE AMOUNTS PAYABLE TO THE COMPANY ARE BASED IN PART ON THESE LIMITATIONS.  THESE LIMITATIONS SHALL APPLY NOTWITHSTANDING ANY FAILURE OF ESSENTIAL PURPOSE OF ANY LIMITED REMEDY.

11. Termination. Promptly upon the expiration or earlier termination of the Agreement, or such earlier time as Customer requests, Company shall return to Customer or its designee, or at Customer’s request, securely destroy or render unreadable or undecipherable if return is not reasonably feasible or desirable to Customer (which decision shall be based solely on Customer’s written instructions), each and every original and copy in all media of all PHI and/or PII in Company’s possession, custody or control.  Promptly following any return or alternate action taken to comply with this Section 13, Company shall provide to Customer a completed officer’s certificate certifying that such return or alternate action occurred.  In the event and during the period that applicable law does not permit Company to perform such delivery or destruction of certain PHI and/or PII, Company agrees to maintain warrants that it shall ensure the confidentiality and security of such PHI and/or PII in accordance with this Policy and that it shall not use it or disclose it.

12. Data Security

12.1 Company shall employ appropriate administrative, physical, and technical safeguards, to secure all Customer Data from degradation and unauthorized access, disclosure, alteration and/or use, which practices shall be no less protective than those used to secure Company’s own data of a similar type, and in no event less than reasonable in view of the type and nature of the data involved.  Company shall continuously update and upgrade its tools, technologies and practices used to safeguard Customer Data; and shall assess its data privacy and security practices and policies at least once annually to ensure they are up to date and consistent with industry best practices.

12.2 Company shall automatically encrypt all Customer Data at rest and in transit and cause all Customer Data to remain so encrypted, unless Customer authorizes decryption in writing or pursuant to a court order, in which event Company will, if permitted by Applicable Law, immediately notify Customer in writing.  Company will employ all commercially reasonable measures, including storage on separate physical media, to ensure that Customer Data is stored in a manner that prevents access to such Customer Data by any other Customer of Company or any unauthorized third parties or unauthorized Company Personnel. Company shall adopt all reasonable recommendations which Customer may make concerning the security and privacy of Customer’s Customer Data.

12.3 Company will use commercially reasonable efforts to protect Company’s Computer Systems and the Services against Malware, Open Source Vulnerabilities and other defects, errors, nonconformities, or malfunctions, and prevent Data Security and Privacy Breaches. At a minimum, Company shall (i) continuously monitor its Computer Systems for Malware, Open Source Vulnerabilities and other defects, errors, nonconformities, or malfunctions, (ii) enable datacenter application automation (including automating application of security patches), (iii) enable datacenter orchestration and centralized server management, and (iv) update to the latest iteration of Open SSL or any other open source software used by Company. Company shall promptly notify Customer if Company knows that Company’s Computer Systems or the Services have been affected by Malware, Open Source Vulnerabilities or other defects, errors, nonconformities, or malfunctions that would reasonably have an adverse impact on Customer, its Customer Data or its use of the Services, and shall take steps (if Customer consents) to mitigate or prevent any resulting damage to Customer at no additional cost to Customer.

12.4 Company shall encourage the entities that hosts its Application and Platform to undergo a ISO 27001 audit and a Standards for Attestation Engagements (“SSAE”) No. 16 SOC 2 Type II audit annually (which shall be conducted by independent third party auditors) covering any and all of Company’s datacenters that Process Customer Data (including those not owned or controlled by Company). Company shall provide Customer with copies of any audits or assessments that it receives from such entities.  Company will promptly remediate (i) any errors identified in the ISO 27001 Report and SSAE 16 Report relating to Company and encourage the hosting entities to correct such errors that could reasonably be expected to have an adverse impact on Customer, its Customer Data or the Services, and (ii) material control deficiencies identified in the ISO 27001 Report and SSAE 16 Report relating to it and encourage the hosting entities to do so.

12.5 Company will maintain and comply with an information security program that provides for the security and protection of Customer Data, including, but not limited to, processes and procedures to respond to Data Security and Privacy Breaches.  Prior to the Effective Date, Company responded to Customer’s vendor security assessment questionnaire (the “Company Security Assessment”).  Customer may require Company to re-attest to its responses to the Company Security Assessment once (1x) annually and such revised responses shall thereafter be deemed the “Company Security Assessment” under this Agreement. Company shall promptly notify Customer in writing of any changes to its information technology and data security policy and practices that would cause Company to not be in compliance with the Company Security Assessment.

12.6 Company shall ensure that when any media device that contains Customer Data is damaged or replaced, Company shall properly dispose of such media device either through physical destruction or digital sanitization to ensure the protection of Customer Data.  Upon Customer’s request, Company shall provide Customer with a copy of the chain of evidence report and external audits relating to the destruction or digital sanitization of Company’s media devices that contain Customer Data.

12.7 In the event of any Data Security and Privacy Breach, Company will promptly:  (i) investigate the Data Security and Privacy Breach and promptly provide Customer with detailed information about the Data Security and Privacy Breach; (ii) take reasonable steps to mitigate the effects and to minimize any damage resulting from the Data Security and Privacy Breach and (iii) notify Customer of the Data Security and Privacy Breach in a timely manner to meet the breach notification requirements under Applicable Law.  Following the occurrence of a Data Security and Privacy Breach, Company will take prompt and appropriate corrective action aimed at preventing the reoccurrence of a similar Data Security and Privacy Breach in the future.  Company shall promptly reimburse Customer for the reasonable expenses that it may incur as a result of any Data Security and Privacy Breach caused by Company’s acts or omissions, including but not limited to, the expenses incurred in investigating the Data Security and Privacy Breach and notifying affected individuals, and providing these individuals with the support necessary under the circumstances, such as credit monitoring.  Company shall, upon the receipt of written approval of Customer, promptly take the necessary action to regenerate or restore, or cause to be regenerated or restored, any Customer Data or applications that may have been lost or damaged as a result of the Data Security and Privacy Breach.

12.8 Security Breach.

12.8.1 Notification of Security Breach. If Company becomes aware of any Information Security Incident, Company shall  (i) immediately notify Customer and perform a root cause analysis thereon, (ii) investigate such security breach and determine what systems, data and information relating to Customer or Customer’ customers have been affected by such event, (iii) provide Customer with a remediation plan, reasonably acceptable to Customer, to address the security breach and to implement actions designed to prevent any further incidents, (iv) remediate such security breach in accordance with such approved plan; and (v) cooperate with Customer  and, at Customer’s request, any law enforcement or regulatory officials, credit reporting companies, and credit card associations investigating such security breach.  To the extent such Information Security Incident was caused by the acts or omissions of Company, its Affiliates or subcontractors or any of their respective personnel, all of such actions shall be at Company’s expense.  Without limiting the foregoing and notwithstanding anything herein to the contrary, subject to any requirements under applicable Legal Requirements, Customer shall make the final decision on notifying Customer’s Customers, employees, Company and/or the general public of such Information Security Breach.  The content of any filings, communications, notices, press releases or reports related to any Information Security Incident must be approved by Customer and the applicable Customer Affiliate prior to any publication or communication thereof.

12.8.2 Security Controls Certifications. With respect to Products provided under any applicable Agreement, Company will, at its option, either: (i) provide Customer with a SSAE 16, SOC 2, Type II, Service Auditor’s Report expressing an unqualified opinion that (a) Company description of its controls relating to the Services and the security of Personal Information presents fairly, in all material respects, the relevant aspects of Company controls that had been placed in operation as of a specific date within twelve (12) months of the date such report is provided, and (b) that the controls were suitably designed to achieve specified control objectives; or (ii) reasonably cooperate with Customer  to provide access and support necessary to enable Customer to satisfy, in form, content and timing reasonably acceptable to Customer , Customer’s obligations under Section 404 of the Sarbanes-Oxley Act of 2002, as amended, and related laws, rules and regulations. If a material weakness in Company processes or internal controls related to this Agreement is found during the course of a review, then Company will promptly remediate such weakness at its expense.

12.9 Data Eradication. Company will meet with each Customer to discuss the Customer’s data, including PHI and PII that is stored within Company’s platform or systems, to verify with Customer what data can be deleted or returned and to certify that all Customer’s data identified for deletion from its systems has been securely deleted and returned.

13. Cookies. When Customer or Authorized User uses Company’s site, Company will store cookies on Customer or Authorized User’s computer in order to facilitate and customize Customer or Authorized User’s use of our site. A cookie is a small data text file, which a Web site stores on computer’s hard drive (if your Web browser permits) that can later be retrieved to identify Customer or Authorized User’s to Company. Our cookies store randomly assigned user identification numbers, the country where Customer or Authorized User is located, and first name to welcome back to Company’s site. The cookies make use of the site easier, make the site run more smoothly and help Company to maintain a secure site. Customer or Authorized User are always free to decline Company’s cookies if browser permits, but some parts of our site may not work properly in that case.

14. Auto Time-Out. When the Product detects five (5) minutes of inactivity, it would automatically logoff making information inaccessible.

15. Export Certification. Company’s Applications, Products and Services (collectively the “Products”) are subject to export restrictions and controls imposed by various statutes and regulations, (collectively, the “Acts”), including the Export Administration Act and the Export Administration Regulations. Company and Customer shall not use, export or re-export the Products or Documentation except as authorized by and in compliance with the Acts and all laws and regulations of the jurisdiction in which Company made the Products available to its Customers. Without limiting the foregoing, neither Company nor its Customers shall export or re-export the Products or Documentation (i) into or to a national or resident of any embargoed countries under the Acts or (ii) to a Denied Party listed on U.S. Department of Commerce’s list of U.S. Denied Persons or a Special Designated National on the U.S. Treasury Department’s list of Specially Designated Nationals. Company represents and warrants that it is not located in, under control of, or a national or resident of any such country or on any such list.