GOOD METHODS GLOBAL, INC.
PRIVACY AND SECURITY POLICY
Date Last Revised: October 22/2016

Good Methods Global Inc. (“Company”) takes Privacy seriously. This Privacy and Security Policy (the “Policy”) describes (a) the types of information we may collect or that Customer may provide when you access or use the Company Platform as a service (the “Service”); and (b) our practices for collecting, using, maintaining, protecting and disclosing that information.

6.1 Use. Company shall not use or disclose PHI or PII other than as permitted or required by the Agreement, the Policy, or as required by law.

6.2 Compliance. Company shall be directly responsible for full compliance with the relevant requirements of both the HIPAA Privacy Rule and Security Rule.

6.3 Appropriate Safeguards. Company shall use reasonable and appropriate safeguards to prevent use or disclosure of PHI, Electronic PHI and PII that Company receives, maintains or transmits on behalf of Customer, other than as permitted by the Agreement, any BAA, including, but not limited to, administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of the PHI in accordance with 45 C.F.R. §§164.308, 164.310 and 164.312. Company shall comply with the policies and procedures and documentation requirements of the HIPAA Security Rule, including, but not limited to 45 C.F.R. §164.316 and the HITECH Act, 42 U.S.C. §17931.

6.4 Designated Privacy and Security Officer. Company shall designate an individual to serve as the Privacy and Security Officer (the “Privacy Officer”) responsible for supervising the privacy and security mechanisms, including, but not limited to, administrative, physical and electronic mechanisms employed within the organization to prevent the unauthorized use, disclosure or access to PHI and PII maintained by Company on behalf of its Customers.

6.5 Company’s Agents. Company shall ensure that any agent, including a subcontractor, that creates, receives, maintains or transmits PHI and PII on behalf of Company has a written agreement or other arrangement which provides satisfactory assurances that the agent or subcontractor will appropriately safeguard the information and agrees to substantially similar restrictions and conditions that apply through this Policy to Company with respect to such information and as required under 45 C.F.R §§ 160 and 164. If Company knows of a pattern of activity or practice of its agent or subcontractor that constitutes a material breach or violation of Company’s obligations under this Policy, Company shall take reasonable steps to cure the breach and end the violation, as applicable, and, if such steps are unsuccessful, terminate the contract or arrangement, if feasible.

6.6 Company’s Employees. Company shall take reasonable steps to ensure that its employees’ actions or omissions do not cause Company to breach the terms of this Policy.

6.7 Duties of Company Involving Breach or Unauthorized Access, Use or Disclosure of PHI and PII.

6.15.1 Company shall comply with (i) all applicable international, federal, state, provincial and local laws, rules, regulations, directives and governmental requirements currently in effect and as they become effective relating in any way to the privacy, confidentiality or security of Personal Information; and (ii) when commercially reasonable, all applicable industry standards concerning privacy, data protection, confidentiality or information security.

9.1 Customer Confidential Information.

9.1.1 Company agrees to treat all PII as Confidential Information of Customer. The Parties agree to use, store, process and disclose all Personal Information only in accordance with this Policy, as the same may be amended from time to time by Customer. Additionally, except to the extent required by applicable Law, including all Privacy Laws, in the event that Company determines to change methods or locations used to store, process or use PII that would result in Customer being subject to additional or different costs or compliance obligations under any applicable Law, including any Privacy Law, then Company will provide Customer with reasonable advance written notice and will be responsible for obtaining all third party consents, if any, relating to such change and for all documented additional costs and other expenses (including any actual and reasonable increased costs to comply with such additional obligations) imposed on Customer as a result of such change.

9.1.2 Company shall develop, maintain and implement a comprehensive written information security program that complies with applicable Privacy Laws. Company’s information security program shall include appropriate administrative, technical and physical safeguards and other security measures designed to (i) ensure the security and confidentiality of PII; (ii) protect against any anticipated threats or hazards to the security and integrity of PII; and (iii) protect against any actual or suspected unauthorized Processing, loss, use, disclosure or acquisition of or access to any PII. Company shall maintain information security controls which shall include appropriate administrative, technical, physical, organizational and operational safeguards and other security measures designed to (i) maintain the security and confidentiality of PII; (ii) protect against any anticipated threats or hazards to the security and integrity of PII; and (iii) protect against any actual or suspected unauthorized processing, loss, use, disclosure or acquisition of or Access to any PII (hereinafter a “PII Incident”). Where the processing by Company or its personnel or subcontractors of such Personal Information involves the transmission by them of such PII over a network, Company shall implement appropriate measures designed to protect the PII against the specific risks associated with such transmission. Such measures shall reflect a level of security appropriate to the risks associated with such transmission and the nature of the PII processed. Company shall exercise the necessary and appropriate supervision over its relevant personnel and subcontractors to maintain privacy, confidentiality and security of Personal Information in accordance with this Agreement. Company shall provide training, as appropriate, regarding the privacy, confidentiality and information security requirements of applicable Privacy Laws, including all laws, to relevant personnel who have access to PII.

9.2 Without limiting the generality of the foregoing, Company’s safeguards shall include secure user authentication protocols, secure access control measures, reasonable monitoring of systems on which Personal Information is maintained, appropriate segregation of Personal Information from information of Company or its other Customers, and appropriate Personnel security and integrity procedures and practices, including, without limitation, conducting background checks in accordance with applicable law. If the Processing by Company or its Personnel involves the transmission of the Personal Information over a network, Company shall implement appropriate measures designed to protect the Personal Information against the specific risks associated with such transmission. Company shall ensure a level of security appropriate to the risks associated with such transmission and the nature of the Personal Information Processed.

9.3 Company shall immediately inform Customer in writing of any Information Security Incident of which Company becomes aware, but in no case later than three (3) days hours after it becomes aware of the Information Security Incident. Such notice shall summarize in reasonable detail the effect on Customer, if known, of the Information Security Incident and the corrective action taken or to be taken by Company. Company shall promptly take all necessary and advisable corrective actions, and shall cooperate fully with Customer in all reasonable and lawful efforts to prevent, mitigate or rectify such Information Security Incident. Company shall (i) investigate such Information Security Incident and perform a root cause analysis thereon; (ii) remediate the effects of such Information Security Incident; and (iii) provide Customer with such assurances as Customer shall request that such Information Security Incident is not likely to recur. The content of any filings, communications, notices, press releases or reports related to any Information Security Incident must be approved by Customer prior to any publication or communication thereof.

9.4 Upon the occurrence of an Information Security Incident involving Personal Information in the possession, custody or control of Company or for which Company is otherwise responsible, Company agrees to reimburse Customer on demand for all Notification Related Costs (defined below) incurred by Customer arising out of or in connection with any such Information Security Incident. “Notification Related Costs” shall include Customer’s internal and external costs associated with investigating, addressing and responding to the Information Security Incident, including, without limitation: (i) preparation and mailing or other transmissions of notifications or other communications to consumers, employees or others as Customer deems reasonably appropriate; (ii) establishment of a call center or other communications procedures in response to such Information Security Incident (e.g., Customer service FAQs, talking points and training); (iii) public relations and other similar crisis management services; (iv) legal, consulting, forensic expert and accounting fees and expenses associated with Customer’s investigation of and response to such incident; and (v) costs for commercially reasonable credit reporting and monitoring services that are associated with legally required notifications or are advisable under the circumstances.

9.5 Company shall exercise the necessary and appropriate supervision over its relevant Personnel to maintain appropriate privacy, confidentiality and security of Personal Information. Company shall provide training, as appropriate, regarding the privacy, confidentiality and information security requirements set forth in this Policy to relevant Personnel who have access to Personal Information.

10. Limitation on Damages

10.1 MAXIMUM AGGREGATE LIABILITY. THE MAXIMUM LIABILITY OF COMPANY FOR CLAIMS ARISING UNDER THIS POLICY OR ELSEWHERE, INCLUDING SECTION 6 AND SECTION 9 IN CONNECTION WITH THIS POLICY WILL NOT EXCEED THE LOWER OF (i) THE AGGREGATE AMOUNT PAID BY THE CUSTOMER IN THE TWELVE MONTH PERIOD PRECEDING THE CLAIM OR (ii) ONE MILLION USD. THE CUSTOMER ACKNOWLEDGES THAT THE AMOUNTS PAYABLE TO THE COMPANY ARE BASED IN PART ON THESE LIMITATIONS. THESE LIMITATIONS SHALL APPLY NOTWITHSTANDING ANY FAILURE OF ESSENTIAL PURPOSE OF ANY LIMITED REMEDY.

11. Termination. Promptly upon the expiration or earlier termination of the Agreement, or such earlier time as Customer requests, Company shall return to Customer or its designee, or at Customer’s request, securely destroy or render unreadable or undecipherable if return is not reasonably feasible or desirable to Customer (which decision shall be based solely on Customer’s written instructions), each and every original and copy in all media of all PHI and/or PII in Company’s possession, custody or control. Promptly following any return or alternate action taken to comply with this Section 13, Company shall provide to Customer a completed officer’s certificate certifying that such return or alternate action occurred. In the event and during the period that applicable law does not permit Company to perform such delivery or destruction of certain PHI and/or PII, Company agrees to maintain warrants that it shall ensure the confidentiality and security of such PHI and/or PII in accordance with this Policy and that it shall not use it or disclose it.

12. Data Security

12.1 Company shall employ appropriate administrative, physical, and technical safeguards, to secure all Customer Data from degradation and unauthorized access, disclosure, alteration and/or use, which practices shall be no less protective than those used to secure Company’s own data of a similar type, and in no event less than reasonable in view of the type and nature of the data involved. Company shall continuously update and upgrade its tools, technologies and practices used to safeguard Customer Data; and shall assess its data privacy and security practices and policies at least once annually to ensure they are up to date and consistent with industry best practices.

12.2 Company shall automatically encrypt all Customer Data at rest and in transit and cause all Customer Data to remain so encrypted, unless Customer authorizes decryption in writing or pursuant to a court order, in which event Company will, if permitted by Applicable Law, immediately notify Customer in writing. Company will employ all commercially reasonable measures, including storage on separate physical media, to ensure that Customer Data is stored in a manner that prevents access to such Customer Data by any other Customer of Company or any unauthorized third parties or unauthorized Company Personnel. Company shall adopt all reasonable recommendations which Customer may make concerning the security and privacy of Customer’s Customer Data.

12.3 Company will use commercially reasonable efforts to protect Company’s Computer Systems and the Services against Malware, Open Source Vulnerabilities and other defects, errors, nonconformities, or malfunctions, and prevent Data Security and Privacy Breaches. At a minimum, Company shall (i) continuously monitor its Computer Systems for Malware, Open Source Vulnerabilities and other defects, errors, nonconformities, or malfunctions, (ii) enable datacenter application automation (including automating application of security patches), (iii) enable datacenter orchestration and centralized server management, and (iv) update to the latest iteration of Open SSL or any other open source software used by Company. Company shall promptly notify Customer if Company knows that Company’s Computer Systems or the Services have been affected by Malware, Open Source Vulnerabilities or other defects, errors, nonconformities, or malfunctions that would reasonably have an adverse impact on Customer, its Customer Data or its use of the Services, and shall take steps (if Customer consents) to mitigate or prevent any resulting damage to Customer at no additional cost to Customer.

12.4 Company shall encourage the entities that host its Application and Platform to undergo an ISO 27001 audit and a Standards for Attestation Engagements (“SSAE”) No. 16 SOC 2 Type II audit annually (which shall be conducted by independent third party auditors) covering any and all of Company’s datacenters that Process Customer Data (including those not owned or controlled by Company). Company shall provide Customer with copies of any audits or assessments that it receives from such entities. Company will promptly remediate (i) any errors identified in the ISO 27001 Report and SSAE 16 Report relating to Company and encourage the hosting entities to correct such errors that could reasonably be expected to have an adverse impact on Customer, its Customer Data or the Services, and (ii) material control deficiencies identified in the ISO 27001 Report and SSAE 16 Report relating to it and encourage the hosting entities to do so.

12.5 Company will maintain and comply with an information security program that provides for the security and protection of Customer Data, including, but not limited to, processes and procedures to respond to Data Security and Privacy Breaches. Prior to the Effective Date, Company responded to Customer’s vendor security assessment questionnaire (the “Company Security Assessment”). Customer may require Company to re-attest to its responses to the Company Security Assessment once (1x) annually and such revised responses shall thereafter be deemed the “Company Security Assessment” under this Agreement. Company shall promptly notify Customer in writing of any changes to its information technology and data security policy and practices that would cause Company to not be in compliance with the Company Security Assessment.

12.6 Company shall ensure that when any media device that contains Customer Data is damaged or replaced, Company shall properly dispose of such media device either through physical destruction or digital sanitization to ensure the protection of Customer Data. Upon Customer’s request, Company shall provide Customer with a copy of the chain of evidence report and external audits relating to the destruction or digital sanitization of Company’s media devices that contain Customer Data.

12.7 In the event of any Data Security and Privacy Breach, Company will promptly: (i) investigate the Data Security and Privacy Breach and promptly provide Customer with detailed information about the Data Security and Privacy Breach; (ii) take reasonable steps to mitigate the effects and to minimize any damage resulting from the Data Security and Privacy Breach and (iii) notify Customer of the Data Security and Privacy Breach in a timely manner to meet the breach notification requirements under Applicable Law. Following the occurrence of a Data Security and Privacy Breach, Company will take prompt and appropriate corrective action aimed at preventing the reoccurrence of a similar Data Security and Privacy Breach in the future. Company shall promptly reimburse Customer for the reasonable expenses that it may incur as a result of any Data Security and Privacy Breach caused by Company’s acts or omissions, including but not limited to, the expenses incurred in investigating the Data Security and Privacy Breach and notifying affected individuals, and providing these individuals with the support necessary under the circumstances, such as credit monitoring. Company shall, upon the receipt of written approval of Customer, promptly take the necessary action to regenerate or restore, or cause to be regenerated or restored, any Customer Data or applications that may have been lost or damaged as a result of the Data Security and Privacy Breach.

12.8 Security Breach.

12.8.1 Notification of Security Breach. If Company becomes aware of any Information Security Incident, Company shall (i) immediately notify Customer and perform a root cause analysis thereon, (ii) investigate such security breach and determine what systems, data and information relating to Customer or Customer’s customers have been affected by such event, (iii) provide Customer with a remediation plan, reasonably acceptable to Customer, to address the security breach and to implement actions designed to prevent any further incidents, (iv) remediate such security breach in accordance with such approved plan; and (v) cooperate with Customer and, at Customer’s request, any law enforcement or regulatory officials, credit reporting companies, and credit card associations investigating such security breach. To the extent such Information Security Incident was caused by the acts or omissions of Company, its Affiliates or subcontractors or any of their respective personnel, all of such actions shall be at Company’s expense. Without limiting the foregoing and notwithstanding anything herein to the contrary, subject to any requirements under applicable Legal Requirements, Customer shall make the final decision on notifying Customer’s Customers, employees, Company and/or the general public of such Information Security Breach. The content of any filings, communications, notices, press releases or reports related to any Information Security Incident must be approved by Customer and the applicable Customer Affiliate prior to any publication or communication thereof.

12.8.2 Security Controls Certifications. With respect to Products provided under any applicable Agreement, Company will, at its option, either: (i) provide Customer with a SSAE 16, SOC 2, Type II, Service Auditor’s Report expressing an unqualified opinion that (a) Company description of its controls relating to the Services and the security of Personal Information presents fairly, in all material respects, the relevant aspects of Company controls that had been placed in operation as of a specific date within twelve (12) months of the date such report is provided, and (b) that the controls were suitably designed to achieve specified control objectives; or (ii) reasonably cooperate with Customer to provide access and support necessary to enable Customer to satisfy, in form, content and timing reasonably acceptable to Customer, Customer’s obligations under Section 404 of the Sarbanes-Oxley Act of 2002, as amended, and related laws, rules and regulations. If a material weakness in Company processes or internal controls related to this Agreement is found during the course of a review, then Company will promptly remediate such weakness at its expense.

12.9 Data Eradication. Company will meet with each Customer to discuss the Customer’s data, including PHI and PII that is stored within Company’s platform or systems, to verify with Customer what data can be deleted or returned and to certify that all Customer’s data identified for deletion from its systems has been securely deleted and returned.

13. Cookies. When Customer or Authorized User uses Company’s site, Company will store cookies on Customer or Authorized User’s computer in order to facilitate and customize Customer or Authorized User’s use of our site. A cookie is a small data text file that a Web site stores on a computer’s hard drive (if your Web browser permits) and that can later be retrieved to identify Customer or Authorized User to Company. Our cookies store randomly assigned user identification numbers, the country where Customer or Authorized User is located, and first name to welcome Customer or Authorized User back to Company’s site. The cookies make use of the site easier, make the site run more smoothly and help Company to maintain a secure site. Customer or Authorized User is always free to decline Company’s cookies if the browser permits, but some parts of our site may not work properly in that case.

14. Auto Time-Out. When the Product detects five (5) minutes of inactivity, it automatically logs off, making information inaccessible.

15. Export Certification. Company’s Applications, Products and Services (collectively the “Products”) are subject to export restrictions and controls imposed by various statutes and regulations, (collectively, the “Acts”), including the Export Administration Act and the Export Administration Regulations. Company and Customer shall not use, export or re-export the Products or Documentation except as authorized by and in compliance with the Acts and all laws and regulations of the jurisdiction in which Company made the Products available to its Customers. Without limiting the foregoing, neither Company nor its Customers shall export or re-export the Products or Documentation (i) into or to a national or resident of any embargoed countries under the Acts or (ii) to a Denied Party listed on U.S. Department of Commerce’s list of U.S. Denied Persons or a Special Designated National on the U.S. Treasury Department’s list of Specially Designated Nationals. Company represents and warrants that it is not located in, under control of, or a national or resident of any such country or on any such list.