These Customer Terms of Service include this introduction, the terms and conditions in this document, Addendum 1 - Business Associate Agreement, any incorporated documents and terms, any statements of work or order forms, and any additional terms applicable to the Service which may be posted on our website from time to time (collectively, the “Agreement”) and forms a legal agreement between Anatomy Financial, Inc. and its affiliates, successors and assigns (collectively, “Anatomy”) and you or the entity you represent (“Customer”, “you”, “your”). This Agreement governs your use of the products and services Anatomy makes available to you (the “Services”) and your Anatomy account (“Anatomy Account”).

‍

This Agreement is effective upon the date you first access or use the Services and continues until you or Anatomy terminate it. By using the Service, you agree to comply with all of the terms and conditions in the Agreement. By accessing or using the Services, you agree to be bound by this Agreement. You also acknowledge that you have read, understood, and agree to the terms of our Privacy Policy, which is incorporated herein by reference. If you do not agree to this Agreement or the Privacy Policy, you may not access or use the Services.

‍

As referenced in Section 18 below, any dispute between you and Anatomy is subject to a class action waiver and must be resolved by individual binding arbitration. Please read the arbitration provision in this Agreement as it affects your rights under this Agreement.

You and Anatomy agree as follows:

‍

1. Anatomy Account

‍

1.1 Eligibility. The Anatomy Account and Services are available in the United States of America and its territories. Anatomy makes no representation that the Anatomy Account or the Services are applicable or appropriate for use or consumption outside of the United States of America or its territories. You, the individuals signing up for your Anatomy Account (each a “Representative”) and any users of your Anatomy Account (each an “Authorized User” or “User”) must not attempt to create an Anatomy Account on behalf of or for the benefit of a user whose use of the Services was suspended or terminated by Anatomy, unless Anatomy approves otherwise. Authorized Users must be at least 18 years of age.

‍

1.2 Business Representative. Anatomy may require you or your Representative to provide additional information or documentation demonstrating your Representative’s authority.‍
‍

2. Anatomy Services

‍

2.1 Services. Anatomy provides a website, software, user interfaces, and other technology that Anatomy uses to provide and make available the Services (the “Anatomy Technology”) through which you and your Authorized Users, where applicable, can access the Services. Your employees, customers, subcontractors, providers or subsidiaries (collectively, “your agents”) separately agree to terms and conditions as applicable to products and services offered by Anatomy to them.

‍

2.2 Service Modifications and Updates. The Services and Anatomy Technology are subject to modification, alteration, substitution, or discontinuance at any time at Anatomy’s sole discretion (“Service Modifications”). Anatomy will generally endeavor to provide notification of any material Service Modification via a posting on the Anatomy website or by notice to you. 

‍

2.3 Subcontracting. Anatomy may subcontract its obligations under this Agreement to third parties

‍

2.4 Services Restrictions. You may only use the Services for business purposes. You must not, and must not enable or allow any third-party to attempt to or actually do the following with respect to the Services or the Anatomy Technology:

1. use or access the Services to violate, encourage others to violate, or provide instructions on how to violate, any right of a third-party, including by infringing or misappropriating intellectual property rights;
2. work around technical limitations enable functionality or access or attempt to access non-public systems, programs, data, or services of Anatomy;
3. reverse engineer the Services, Anatomy user interfaces, or other technology used to provide the Services, except as expressly permitted by law;
4. use the Services for illegal, fraudulent, deceptive, exploitative or harmful purposes, or in violation of any law;
5. perform actions that interfere with the normal operation of the Services, including uploading viruses, spyware, or other harmful core, disrupting networks or servers or interfering with other users’ enjoyment of the Services;
6. collect personal information about users, Authorized Users or third parties without proper consent;
7. exceed Services usage limitations, use unauthorized tools or mechanisms (e.g. crawlers, bots or scrapers) to access the Services, or reproduce, republish, upload, post, transmit, resell, or distribute any part of the Services or the Anatomy Technology without permission;
8. interfere with security-related features such as disabling or circumventing content protections; or attempting to discover source code, unless explicitly permitted by applicable law;
9. impersonate any person or entity, share or misuse login credentials, access accounts or data without permission, or falsify identity information; or
10. sell, transfer, or otherwise misuse the access rights granted under this Agreement.

‍

2.5 Monitoring. Anatomy has no obligation to monitor either the content provided by you or your use of the Services. Anatomy may do so, however, and Anatomy may remove any such content or prohibit any use of the Services it believes may be (or alleged to be) in violation of the Agreement or applicable law.

‍

2.6 Third-Party Services. Anatomy may reference or enable you to access a service, product, or promotion provided by a third-party that utilizes, integrates with or is ancillary to the Services (each a “Third-Party Service”). These Third-Party Services are provided for your convenience only and Anatomy does not approve, endorse, or recommend any Third-Party Services to you. Your access and use of any Third-Party Service is at your own risk and Anatomy disclaims all responsibility and liability for your use of any Third-Party Service. Third-Party Services are not Services and are not governed by this Agreement or Anatomy’s Privacy Policy. Your use of any Third-Party Service, including those linked from the Anatomy website, is subject to that Third-Party Service’s own terms of use and privacy policies (if any).
‍

3 Bank Services

‍

3.1 Anatomy’s Role. Anatomy is a financial technology company, not a bank. Anatomy-related bank accounts are provided by Live Oak Banking Company, Member FDIC (“Bank”). Anatomy, acting as a third-party service provider of Bank, facilitates Bank services for Customer through the Services and Anatomy Technology, but does not otherwise hold deposits on behalf of Customer.  As a Bank customer, your Bank deposits are insured by the FDIC up to $250,000 per depositor, for each account ownership category.

‍

3.2 Bank Accounts. 

1. When you access the Services, you may be presented with the opportunity to open one or more bank accounts with the Bank (collectively, “Bank Accounts”) through the Anatomy Technology. If you elect to establish Bank Accounts and are subsequently approved to open Bank Accounts, such Bank Accounts will be opened at the Bank and not at Anatomy. Anatomy is a financial technology services provider and not a bank. Funds deposited to Bank Account are deposits at the Bank facilitated by the Services through methods allowed by the Bank.  Funds are deposited directly with the Bank and are held in bank accounts established at the Bank. Other bank services may be made available by Bank from time to time in the Bank’s sole discretion. 
2. Anatomy collects certain identifying information about Customer and the individual authorized by Customer to open Bank Accounts (both the individual and Customer information are collectively referred to as the “Account Information”) to allow Bank to comply with applicable laws and regulations. Account Information may include (i) for the Customer: Customer’s legal name, d/b/a, state of organization, employer identification number (EIN), physical address, beneficial owners, other contact information, and other information regarding the Customer and how account(s) will be utilized and (ii) for the authorized individual opening the Bank account(s) for Customer: that individual’s name, social security number (SSN), date of birth, physical address, email address, phone number, ownership percentage (if applicable), and role with Customer. Customer hereby grants Anatomy an unrestricted, perpetual, irrevocable, non-exclusive, fully-paid, royalty-free right and license to use Account Information, and Customer authorizes Anatomy to provide the Account Information to (x) its partner Bank to provide Bank Account(s) and (y) to Anatomy’s other third party service providers as necessary to provide the Services. Anatomy may also obtain personal information from third parties in order to verify your identity or that of End Users or other Customer representatives, or to prevent fraud. Customer hereby authorizes Anatomy, Bank, and/or a third-party service provider that we designate, to take any measures that we consider necessary to confirm the personal information provided and to verify and authenticate such personal information, and take any action we deem necessary based on the results. This process may result in a delay in establishing Bank Account(s) or access to the Services, and Customer may not be authorized to access or use Bank Account(s) or the Services until information has been successfully verified. Each of you and Customer agree that the information you provide to Anatomy is accurate, complete, and not misleading, and that Customer will keep such information accurate and up to date at all times
3. The Services and the Third Party Services offered by third-parties who are not Bank are not Bank services.  Any Services ancillary to Bank Accounts require pre-approval by Bank.

‍

3.3 Bank Account Terms. Prior to establishing Bank Accounts with Bank, you must review and agree to separate account and services terms with Bank. The applicable terms for the Bank and the respective demand deposit account types are linked below:

1. Prior to opening a Bank Account, please review Bank’s Live Oak Anatomy Business Deposit Account Terms and Conditions (available here). Bank does not allow cash deposits. You must link an existing bank account at a third-party institution to an account verification service provided by a Service Provider, and once the account is verified, You may initiate a transfer to initially fund the account.
2. If you obtain a product from Bank that pays interest on your funds, information regarding the interest rates on the account type can be found here.

‍

3.4 Transactions. Anatomy is responsible for attempts to conduct transactions through the Anatomy Technology. If you identify an error in transactions that occur through the Anatomy Technology, you may contact Anatomy to resolve such identified error in accordance with Anatomy’s error resolution procedures.  Bank is responsible for transactions conducted in Bank Accounts only after a transaction attempt has been successfully and accurately transmitted to the Bank from the Anatomy Technology through your use of the Services.

‍

3.5 Intellectual Property Rights. Banks retains all intellectual property rights relating to Bank Accounts and Bank’s copyrights, trademarks, service marks, trade dress, trade secrets, and patents.

‍

4 User Information

‍

4.1 User Information and Personal Data. “User Information” includes information and documentation about you that Anatomy requires to comply with applicable law, governmental authority and Bank requirements, and may include information (including Personal Data) about your Authorized Users, beneficial owners, principals and other individuals associated with you or your Anatomy Account, it also includes all other information Anatomy requests to assess risk and ability to perform your obligations under this Agreement. “Personal Data” means any information relating to an identifiable natural person that is collected in connection with the Services and includes “personal information” as defined in the CCPA.

4.2 Required Information. Upon Anatomy’s request, you must provide User Information to Anatomy in a form satisfactory to Anatomy. Anatomy may share User Information with third parties in accordance with its Privacy Policy. If you have more than one entity or business organization or if you do business under different names, you must provide User Information for each such entity, business organization and name. You must keep the User Information in your Anatomy Account current. You must promptly update your Anatomy Account with any changes affecting you, the nature of your business activities, your Authorized User, beneficial owners, principals, or any other pertinent information. You must immediately notify Anatomy, and provide to Anatomy updated User Information, if (a) you experience or anticipate experiencing a change of control; or (b) you experience or anticipate experiencing a material change in your business or financial condition, including (i) if you are the subject of a petition, resolution, order or any other step in relation to winding up, bankruptcy or equivalent proceedings, (ii) you enter into a compulsory or voluntary liquidation, or a liquidator is appointed in relation to you or any of your assets, or (iii) any legal proceeding, corporate action or other procedure or step is taken in connection with appointing an administrator, administrative receiver, receiver, liquidator, manager, trustee in bankruptcy or other similar officer in relation to you or any of your assets (each an “Insolvency Event”). Failure to provide Account Information or respond to requests for additional information may result in a delay in establishing Bank Accounts and/or access to the Services, and You may not be authorized to access or use Bank Accounts and/or the Services until information has been successfully verified.

‍

4.3 Information Anatomy Obtains. You authorize Anatomy to obtain information about you and your business from Anatomy’s service providers and other third parties for the purposes of verifying identities and preventing fraud.  Information obtained subject to this Section 4.3 may be shared with Service Providers in accordance with the Privacy Policy.

‍

5 Fees

‍

5.1 Service Fees. Anatomy may charge fees for using the Services. For paid Services, you will pay Anatomy the applicable fees as agreed (the “Fees”). To the extent applicable, you will pay Anatomy for additional services, including professional service fees or other consulting fees as separately agreed by you and Anatomy. All payments will be made in accordance with the payment schedule and the method of payment set forth in the applicable order form or statement of work. If not otherwise specified, payments will be due within thirty (30) days of the invoice date and are nonrefundable.

1. Collection of Fees and Other Amounts. You must pay or ensure that Anatomy is able to collect fees and other amounts you owe under this Agreement when due, inclusive of any indemnification obligations stated in this Agreement. If you fail to pay amounts owed to Anatomy when due (“Unpaid Fees”), you hereby agree that Anatomy may, to the extent applicable law permits, deduct, recoup or setoff Unpaid Fees from either: (a) if established and applicable, any funds on reserve with Anatomy; or (b) funds payable by Anatomy to you or your affiliates. Further, you hereby acknowledge and agree that Customer will execute an ACH debit authorization that allows Anatomy to initiate an ACH debit entry from your Bank Account for the amount of any Unpaid Fees. You also agree to execute any additional authorizations or instruments that may be reasonably necessary for Anatomy to collect the amount of any Unpaid Fees. Unpaid Fees are subject to a finance charge of one percent (1.0%) per month, or the maximum permitted by law, whichever is lower, plus all expenses of collection, including reasonable attorneys’ fees. Fees under this Agreement are exclusive of all taxes, including national, state or provincial and local use, sales, value-added, property and similar taxes, if any. You will pay such taxes (excluding US taxes based on Anatomy's net income) unless you have provided Anatomy with a valid exemption certificate. In the case of any withholding requirements, you will pay any required withholding itself and will not reduce the amount paid to Anatomy on account thereof.

‍

6 Termination and Suspension

‍

6.1 Customer Termination. You may terminate this Agreement at any time by closing your Anatomy Account and paying all outstanding fees and charges. To do so, you must email support@anatomy.com, include in your  message “close my account” and stop using the Services. If after termination you use the Services again, this Agreement will apply with an Effective Date that is the date on which you first use the Services again.

‍

6.2 Anatomy Termination. Anatomy may terminate this Agreement (or any part) or close your Anatomy Account at any time for any or no reason by notifying you. In addition, Anatomy may terminate this Agreement (or relevant part) or close your Anatomy Account for cause if Anatomy exercises its right to suspend Services and does not reinstate the suspended Services within 30 days.  

‍

6.3 Effects of Termination. Upon any termination of this Agreement, all rights and licenses granted by Anatomy hereunder will immediately terminate; you will no longer have the right to access or use the Services and Bank may close your Bank Account(s). Anatomy is not required to retain your data post-termination except as stated in Section 9.3 hereof.

‍

6.4 Termination for Material Breach. A party may terminate this Agreement immediately upon notice to the other party if the other party materially breaches this Agreement, and if capable of cure, does not cure the breach within 10 days after receiving notice specifying the breach. If the material breach affects only certain Services, the non-breaching party may choose to terminate only the affected Services.

‍

6.5 Suspension. Anatomy may immediately suspend providing any or all Services to you, and your access to the Anatomy Technology, if:

1. Anatomy believes it will violate any law or Bank or governmental authority requirement;
2. a governmental authority or the Bank requires or directs Anatomy to do so;
3. you do not respond in a timely manner to Anatomy’s request for User Information or do not provide Anatomy adequate time to verify and process updated User Information;
4. you breach this Agreement or any other agreement between the parties;
5. you breach any Bank requirement;
6. you enter an Insolvency Event; or
7. Anatomy believes that your use of the Services (i) is or may be harmful to Anatomy or any third-party; (ii) presents an unacceptable level of credit risk; (iii) increases, or may increase, the rate of fraud that Anatomy observes; (iv) degrades, or may degrade, the security, privacy, stability or reliability of the Services, Anatomy Technology or any third-party’s system (e.g., your involvement in a distributed denial of service attack); (v) enables or facilitates, or may enable or facilitate, illegal or prohibited transactions; or (vi) is or may be unlawful.

‍

6.6 Survival. All sections of this Agreement which by their nature should survive termination will survive termination, including, without limitation, restrictions, accrued rights to payment, indemnification, confidentiality obligations, intellectual property rights, warranty disclaimers, and limitations of liability.

‍

7 Use Rights

‍

7.1 Use of Services. Subject to the terms of this Agreement, Anatomy grants you a worldwide, non-exclusive, non-transferable, non-sublicensable, royalty-free license during the term of this Agreement to access and use the Anatomy Technology, as long as your access and use is (a) solely as necessary to use the Services; (b) solely for your business purposes; and (c) in compliance with this Agreement.

‍

7.2 Feedback. During the term of this Agreement, you and your affiliates may provide ideas, suggestions, comments, observations and other input to Anatomy regarding the Services and the Anatomy Technology (“Feedback”). You grant, on behalf of yourself and your affiliates, to Anatomy a perpetual, worldwide, non-exclusive, irrevocable, royalty-free license to exploit that Feedback for any purpose, including developing, improving, promoting, selling and maintaining the Services. All Feedback is Anatomy’s confidential information.

‍

7.3 No Joint Development; Reservation of Rights. As between the parties, Anatomy, and its third-party licensors own all copyrights, patents, trademarks, service marks, trade secrets, moral rights and other intellectual property rights recognized anywhere in the world (“IP Rights”) in the Services, and the Anatomy Technology. Any joint development between the parties of intellectual property will require and be subject to a separate agreement between the parties. Nothing in this Agreement assigns or transfers ownership of any IP Rights to the other party or its affiliates or contemplates a joint development of intellectual property. All rights (including IP Rights) not expressly granted in this Agreement are reserved.

‍

8 Cooperation

‍

You are required to cooperate with Anatomy in connection with the performance of this Agreement by making available such personnel, materials and information as may be reasonably required, and taking such other actions as Anatomy may reasonably request. You will also cooperate with Anatomy in establishing a password or other procedures for verifying that only Authorized Users have access to any administrative functions of the Services and will cooperate with Anatomy and its third-party service providers in connection with any investigation of fraudulent or unlawful activity.

‍

9 Privacy and Data Use

‍

9.1 Privacy Policies. Each party will make available a privacy policy and/or a policy that complies with the Health Insurance Portability and Accountability Act of 1996, as applicable. Anatomy’s Privacy Policy explains how and for what purposes Anatomy collects, uses, retains, discloses and safeguards the Personal Data you provide to Anatomy.  

‍

9.2 Disclosures. When you provide Personal Data to Anatomy, or authorize Anatomy to collect Personal Data, you must provide all necessary notices to, and obtain all necessary rights and consents from, the applicable individuals (including your Authorized Users sufficient to enable Anatomy to lawfully collect, use, retain and disclose the Personal Data in the ways this Agreement and Anatomy’s Privacy Policy describe. You will determine the content of the notices you provide to your Authorized Users.

‍

9.3 Retention of Data. Anatomy is not obligated to retain data after the term of this Agreement, except as (a) required by applicable law; (b) required for Anatomy to perform any post-termination obligations; (c) this Agreement otherwise states; or (d) the parties otherwise agree in writing. You are responsible for maintaining back-up copies of any Third-Party Data provided to Anatomy.

‍

9.4 Third-Party Data You Provide. If you enable Services or features of Services or functionality that provide Anatomy, Bank and/or its third-party providers (“Service Providers”) access to data (including data shared between Service Providers in order to provide the Services and including but not limited to User Information, from your Authorized Users or third-party service providers (collectively, “Third-Party Data”), then you authorize Anatomy to access and use the Third-Party Data, and you must obtain all necessary rights and consents from the applicable individuals and third parties sufficient to enable Anatomy to lawfully collect, use, retain, and disclose the Third-Party Data. Service Providers may use Third-Party Data as this Agreement and the Privacy Policy describe and to (a) secure, provide, improve and update the Services, (b) comply with applicable law and Bank requirements, (c) prevent and mitigate fraud, financial loss, and other harm, and (d) to develop future products and services.  

‍

10 HIPAA Compliance

‍

You are liable for any disclosure of Protected Health Information (as defined under the Health Insurance Portability and Accountability Act of 1996, “HIPAA”) to Anatomy when you provide access to the Personal Data. If any Protected Health Information is created, received, maintained or transmitted by you or on your behalf in connection with the Services, it is subject to the Business Associate Agreement (“BAA”) attached as an Addendum to these terms and incorporate by reference herein. The BAA outlines the responsibilities of both parties in handling Protected Health Information and ensures compliance with HIPAA regulations.

‍

11 Confidentiality

‍

11.1 Information. Each party (the “Receiving Party”) understands that the other party (the “Disclosing Party”) has disclosed or may disclose Proprietary Information (defined below).  This Section 11.1 does not supersede any data sharing authorization or Bank Account terms.

‍

11.2 Proprietary Information. "Proprietary Information" means all non-public, confidential, or proprietary information, whether disclosed orally, in writing, or electronically, that is designated as confidential or that reasonably should be understood to be confidential given the nature of the information and the circumstances of disclosure. Proprietary Information includes, but is not limited to, business plans, financial data, trade secrets, technical data, product designs, software, customer lists, marketing strategies, and other information related to the disclosing party’s business, products, or services. Proprietary Information does not include information that: (a) is or becomes generally available to the public without breach of this Agreement by the Receiving Party; (b) is independently developed by the Receiving Party without the use of or reference to the Disclosing Party’s Proprietary Information; or (c) is obtained from a third-party without breach of a confidentiality obligation.  Proprietary Information does not include User Information.

‍

11.3 Disclosure. The Receiving Party agrees: (a) not to divulge to any third person any such Proprietary Information, (b) to give access to such Proprietary Information solely to those employees with a need to have access thereto for purposes of this Agreement, and (c) to take the same security precautions to protect against disclosure or unauthorized use of such Proprietary Information that the party takes with its own proprietary information, but in no event will a party apply less than reasonable precautions to protect such Proprietary Information. The Disclosing Party agrees that the foregoing will not apply with respect to any information that the Receiving Party can document (a) is or becomes generally available to the public without any action by, or involvement of, the Receiving Party, or (b) was in its possession or known by it without restriction prior to receipt from the Disclosing Party, or (c) was rightfully disclosed to it without restriction by a third-party, or (d) was independently developed without use of any Proprietary Information of the Disclosing Party. Nothing in this Agreement will prevent the Receiving Party from disclosing the Proprietary Information pursuant to any judicial or governmental order, provided that the Receiving Party gives the Disclosing Party reasonable prior notice of such disclosure to contest such order. In any event, Anatomy may aggregate data and use such aggregated data to evaluate and improve the Services and otherwise for its business purposes.

‍

11.4 Receipt of Proprietary Information. Anatomy does not wish to receive any Proprietary Information from you that is not necessary for Anatomy to perform its obligations under this Agreement, and, unless the parties specifically agree otherwise, Anatomy may reasonably presume that any unrelated information received from Customer is not confidential or Proprietary Information.

‍

12 Data Security

‍

12.1 Controls. Each party will maintain commercially reasonable administrative, technical, and physical safeguards designed to protect data, including Personal Data, Anatomy Data and User Information in its possession or under its control from unauthorized access, accidental loss, and unauthorized modification.

‍

12.2 Anatomy Account Credentials. You must prevent any unauthorized access, disclosure or use of your Anatomy Account credentials (each a “Compromise”), and otherwise ensure that your Anatomy Account is not used or modified by anyone other than you and your Authorized Users. Credential and access sharing between Users is prohibited. If a Compromise occurs, you must promptly notify Anatomy at support@anatomy.com and cooperate with Anatomy, including by providing information that Anatomy requests. Any act or failure to act by Anatomy will not diminish your responsibility for Compromises.

‍

12.3 Instructions. Services Providers shall be entitled to rely on all instructions and data provided by you, including oral (including telephonic) instructions, and you shall be responsible for any losses or liabilities that result from erroneous instructions. While you should provide written confirmation of oral instructions, Service Providers may, but are not required to, act on such oral instructions in the absence of such written confirmation

‍

12.4 Data Breach. You must notify Anatomy immediately if you become aware of an unauthorized acquisition, modification, disclosure, access to, or loss of Personal Data on your systems.

‍

12.5 Audit Rights. If Anatomy believes that a compromise of data has occurred on your systems, website, or app, Anatomy may require you to permit an Anatomy approved third-party auditor to audit the security of your systems and facilities. You must fully cooperate with all auditor requests for information or assistance. As between the parties, you are responsible for all costs and expenses associated with these audits. Anatomy may share with Bank any report the auditor issues.

‍

13 Customer Restrictions

‍

You will not, and will not permit your Authorized Users  or any third-party to: (a) reverse engineer, decompile, disassemble or otherwise attempt to discover or obtain the source code, object code or underlying structure, ideas or algorithms of the Services or any software, documentation or data related to or used in connection with provision of the Services by Anatomy or the Anatomy Technology, provided that reverse engineering is prohibited only to the extent such prohibition is not contrary to applicable law; (b) modify, translate, or create derivative works based on the Services or the Anatomy Technology; (c) use the Services Anatomy Technology for timesharing or service bureau purposes or for any purpose other than its own internal use for its own internal benefit; (d) use the Services or Anatomy Technology in any infringing, defamatory, harmful, fraudulent, illegal, deceptive, threatening, harassing, or obscene way; (e) use the Services or Anatomy Technology and subsequently develop or sell software that bears similarity to the Services or Anatomy Technology; or (f) use the Services or Anatomy Technology other than in accordance with this Agreement and in compliance with all applicable laws, regulations and rights (including but not limited to those related to privacy, intellectual property, consumer and child protection, SPAM, text messaging, obscenity, defamation and anti-money laundering regulation).

‍

14 Representations and Warranties

‍

14.1 Representations and Warranties. You represent as of the date on which you begin using the Services, and warrant at all times during the term of this Agreement, that:

1. you and your Representative have the right, power, and ability to enter into, be bound by, and perform under this Agreement;
2. your Representative is an executive officer, senior manager or otherwise has significant responsibility for the control, management or direction of you;
3. you and your Representative are authorized to provide information that Anatomy requires to comply with applicable law, governmental authority and Bank requirements, including information about beneficial owners, principals and Authorized Users;
4. you are a business and are eligible to apply for an Anatomy Account and use the Services;
5. you have, and comply with, all necessary rights, consents, licenses, and approvals for the operation of your business and to allow you to access and use the Services in compliance with this Agreement and applicable law;
6. your employees, contractors and agents are acting consistently with this Agreement;
7. you will comply with the Payment Card Industry Data Security Standards (“PCI-DSS”) as well as other Service Provider requirements;
8. use of the Services does not violate or infringe upon any third-party rights, including IP Rights;
9. your use of the Services and Anatomy Technology, performance of your obligations under this Agreement, and conduct of your business, comply with law; and
10. all information you provide to the Service Providers, including the User Information, is accurate and complete and not misleading.

‍

15 Indemnity

‍

You will defend, indemnify and hold harmless Anatomy and the Bank and their respective officers, directors, employees, agents, successors and assigns (“Indemnified Parties”) from and against any fines, penalties and losses (including without limitation costs and attorneys' fees) arising from any claim, demand, government investigation or legal proceeding made or brought by a third-party (each a “Claim”) to the extent arising out of related to: (a) an alleged violation of your obligations, representations or warranties under this Agreement; (b) your use of the Services, including use of Personal Data; (c) an allegation that you infringed on or misappropriated the rights, including IP Rights, of the third-party making the Claim; (d) any errors, omissions or inaccuracies in the information provided for checks, deposits, or other financial transactions processed through the Services, (e) any unauthorized, fraudulent or otherwise improper transactions conducted using your Account or through your use of the Services, (f) any returned or cancelled payments or negative balances of any kind, including but not limited to: dishonored checks, rejected deposits, chargebacks or reversals initiated by you, on your behalf, or in any of your Bank Accounts, (g) any delays, interruptions or errors in the processing of any data you submit to Anatomy or in the processing of checks, deposits, or other financial transactions caused by you or your use of the Services; or (h) negligence, willful misconduct or fraud by you or your affiliates.

‍

16 Disclaimer

‍

Anatomy provides the Services and the Anatomy Technology “AS IS” and “AS AVAILABLE”. Except as expressly stated as a “warranty” in this Agreement, and to the maximum extent permitted by applicable law, Anatomy does not make any, and expressly disclaims all, express and implied warranties and statutory guarantees with respect to its performance under this Agreement, the Services, the Bank, and the Anatomy Technology, including as related to availability, the implied warranties of fitness for a particular purpose, merchantability and non-infringement, and the implied warranties arising out of any course of dealing, course of performance or usage in trade.

‍

17 Limitation of Liability

‍

17.1 Failure of Purpose. The following disclaimer and limitations will apply notwithstanding the failure of the essential purpose of any limited remedy.

‍

17.2 Indirect Damages. To the maximum extent permitted by applicable law, the Anatomy Parties will not be liable to you or your affiliates in relation to this Agreement or the Services during and after the term of this Agreement, whether in contract, negligence, strict liability, tort or other legal or equitable theory, for any lost profits, personal injury, property damage, loss of data, business interruption, indirect, incidental, consequential, exemplary, special, reliance, or punitive damages, even if these losses, damages, or costs are foreseeable, and whether or not you or Anatomy have been advised of their possibility.

‍

17.3 General Damages. To the maximum extent permitted by applicable law, the Anatomy will not be liable to you or your affiliates in relation to this Agreement or the Services during and after the term of this Agreement, whether in contract, negligence, strict liability, tort or other legal or equitable theory, for losses, damages, or costs exceeding in the aggregate the lesser of (a) $10,000 USD or (b) the total amount of Fees you paid to Anatomy (excluding all pass-through fees levied by the Bank, if applicable) during the 3-month period immediately preceding the event giving rise to the liability.

‍

18 Dispute Resolution; Agreement to Arbitrate

‍

18.1 Governing Law. The laws of the State of California will govern this Agreement, without giving effect to its conflict of laws principles.

‍

18.2 Binding Arbitration.

1. All disputes, claims and controversies, whether based on past, present or future events, in any way arising out of or in any way relating to statutory or common law claims, the breach, termination, enforcement, interpretation or validity of any provision of this Agreement, and the determination of the scope or applicability of your agreement to arbitrate any dispute, claim or controversy originating from this Agreement, but specifically excluding any dispute principally related to either party’s IP Rights (which will be resolved in litigation before the United States District Court for the Northern District of California), will be determined by binding arbitration in San Francisco, California before a single arbitrator.
2. This Arbitration Provision, and any arbitration between you and Anatomy, is subject to the Federal Arbitration Act and will be administered by the American Arbitration Association (“AAA”) under its Commercial Arbitration Rules. The Expedited Procedures of the American Arbitration Association’s Commercial Arbitration Rules will apply for cases in which no disclosed claim or counterclaim exceeds $75,000 USD (excluding interest, attorneys’ fees and arbitration fees and costs). Where no party’s claim exceeds $25,000 USD (excluding interest, attorneys’ fees and arbitration fees and costs), and in other cases where the parties agree, Section E-6 of the Expedited Procedures of the American Arbitration Association’s Commercial Arbitration Rules will apply.
3. Nothing in this Agreement will preclude the parties from seeking provisional remedies in aid of arbitration from a court of appropriate jurisdiction.
4. The arbitrator will apply the substantive law of the State of California and of the United States, excluding their conflict or choice of law rules.
5. The parties acknowledge that this Agreement evidences a transaction involving interstate commerce. Notwithstanding the provisions in this Section 18 referencing applicable substantive law, the Federal Arbitration Act (9 U.S.C. Sections 1-16) will govern any arbitration conducted in accordance with this Agreement.

‍

18.3 Arbitration Procedure.

1. A party must notify the other party of its intent to commence arbitration prior to commencing arbitration. The notice must specify the date on which the arbitration demand is intended to be filed, which must be at least 30 days after the date of the notice. During this time period, the parties will meet for the purpose of resolving the dispute prior to commencing arbitration.
2. Subject to Section 18.3(a) hereof, each party may commence arbitration by providing to the American Arbitration Association and the other party to the dispute a written demand for arbitration, stating the subject of the dispute and the relief requested.
3. Subject to the disclaimers and limitations of liability stated in this Agreement, the appointed arbitrators may award monetary damages and any other remedies allowed by the laws of the State of California. In deciding, the arbitrator will not have the authority to modify any term of this Agreement. The arbitrator will deliver a reasoned, written decision with respect to the dispute to each party, who will promptly act in accordance with the arbitrator’s decision. Any award (including interim or final remedies) may be confirmed in or enforced by a state or federal court located in San Francisco, California. The decision of the arbitrator will be final and binding on the parties and will not be subject to appeal or review.
4. In accordance with the AAA Rules, the party initiating the arbitration is responsible for paying the applicable filing fee. Each party will advance one-half of the fees and expenses of the arbitrator, the costs of the attendance of the arbitration reporter at the arbitration hearing, and the costs of the arbitration facility. In any arbitration arising out of or relating to this Agreement, the arbitrator will award to the prevailing party, if any, the costs and attorneys’ fees reasonably incurred by the prevailing party in connection with those aspects of its claims or defenses on which it prevails, and any opposing awards of costs and legal fees awards will be offset.

‍

18.4 Confidentiality The parties will keep confidential the existence of the arbitration, the arbitration proceeding, the hearing and the arbitrator’s decision, except (a) as necessary to prepare for and conduct the arbitration hearing on the merits; (b) in connection with a court application for a preliminary remedy, or confirmation of an arbitrator’s decision or its enforcement; (c) Anatomy may disclose the arbitrator’s decision in confidential settlement negotiations; (d) each party may disclose as necessary to professional advisors that are subject to a strict duty of confidentiality; and (e) as applicable law otherwise requires. The parties, witnesses, and arbitrator will treat as confidential and will not disclose to any third person (other than witnesses or experts) any documentary or other evidence produced in any arbitration, except as required by applicable law or if the evidence was obtained from the public domain or was otherwise obtained independently from the arbitration.

‍

18.5 Conflict of Rules. In the case of a conflict between the provisions of this Section 18 and the AAA Rules, the provisions of this Section 18 will prevail.

‍

18.6 Class Waiver. To the extent applicable law permits, any dispute arising out of or relating to this Agreement, whether in arbitration or in court, will be conducted only on an individual basis and not in a class, consolidated or representative action. Notwithstanding any other provision of this Agreement or the AAA Rules, disputes regarding the interpretation, applicability, or enforceability of this class waiver may be resolved only by a court and not by an arbitrator. If this waiver of class or consolidated actions is deemed invalid or unenforceable, neither party is entitled to arbitration.

‍

18.7 No Jury Trial. If for any reason a claim or dispute proceeds in court rather than through arbitration, each party knowingly and irrevocably waives any right to trial by jury in any action, proceeding or counterclaim arising out of or relating to this Agreement or any of the transactions contemplated between the parties.

‍

19 Modifications to This Agreement

‍

Anatomy may modify all or any part of this Agreement at any time by posting a revised version of the modified Agreement (including the introduction to this Agreement) or terms incorporated by reference on the Anatomy website or by notifying you. The modified Agreement is effective upon posting or, if Anatomy notifies you, as stated in the notice. By continuing to use Services after the effective date of any modification to this Agreement, you agree to be bound by the modified Agreement. It is your responsibility to check this page regularly for modifications to this Agreement. Except as this Agreement (including in this Section 19) otherwise allows, this Agreement may not be modified except in writing signed by the parties.

‍

20 Electronic Consent

‍

20.1 Electronic Communications. By accepting this Agreement or using any Service, you consent to electronic communications as described in this Section 20.

‍

20.2 Consent.  You consent to: (a) the use of electronic signatures for any purpose in our relationship with you and your Representatives, and (b) receive and view communications, disclosures, notices, statements, policies, agreements and any other communications we are required by applicable law to provide to you or may otherwise provide to you for any products or services you obtain from us (collectively, “Disclosures”) relating to your Anatomy Account electronically by any of the following means: (a) Text to your mobile phone number (which may include a link to a new Disclosure on the website); (b) to your email; or (c) notifications on our website. Your consent applies to all electronic signatures we use or obtain from you as well as all Disclosures relating to any Service and remains in effect until you give us notice that you are withdrawing it. Delivery by any of these means will constitute proper notice to you under applicable law.

‍

20.3 Disclosures. You acknowledge that Disclosures will include, but may not be limited to, the following: (a) your Account, the Services, the Privacy Policy, and this Agreement (“Policies and Agreements”); (b) Disclosures, modifications, updates and/or amendments we may provide you under our Policies and Agreements; (c) account balance activity and any other information on your Account; (d) receipts, confirmations, authorizations, and transaction history for your Account; (e) Disclosures regarding the resolution of any claimed error on any periodic statements; and (f) Disclosures required or permitted by applicable law or regulation.

‍

20.4 Your Right to Revoke Consent. Your consent is effective until further notice by us or until you revoke your consent to receive electronic Disclosures. You may revoke your consent to receive electronic Disclosures at any time by emailing your request to us at support@anatomy.com.  Your withdrawal of consent will become effective after we have had a reasonable opportunity to act upon it. If you do not consent or if you withdraw your consent, we reserve the right to refuse to create your Anatomy Account, to cancel your Anatomy Account, place your Anatomy Account on inactive status, or to provide a paper copy of Disclosures. If you request a paper copy of a Disclosure (“Disclosure Request”) within 180 days of the date of the Disclosure and we elect to send you a paper copy, we will waive our standard Disclosure Request Fee for the first two (2) requests. After that, any additional Disclosure Requests may be subject to fees. We will only provide paper copies upon your request if your current mailing address is in your Anatomy Account profile.

‍

20.5 System Requirements. In order to receive Disclosures, whether by text or email, you must  have a means of printing or storing them. In addition to having an email address and phone number you must have the following: (a) Computer or mobile device with Internet connection; (b) a current web browser with cookies enabled; (c) a valid email address on file in your Account profile; (d) ability to store or print the Disclosures; and if you use a spam blocker, you must add support@anatomy.com to your email address book or whitelist. By giving your consent, you are confirming that you have access to the necessary equipment and are able to receive, open, and print or download a copy of any Disclosure for your records.  We reserve the right to change these System Requirements and will provide you with a Disclosure when we make a material change to the System Requirements.

‍

20.6 Receiving Texts and Emails. In order to receive Disclosures, you must ensure that (a) the primary mobile phone and/or email address that you provide us is your valid, current phone number or email address, (b) you are able to receive at that address texts or email messages containing Disclosures including attached electronic documents, and (c) such Disclosures, including portions that are attached documents are available for viewing and storing or printing by you. You acknowledge that our ability to notify you of the availability of your Disclosures is contingent on the validity of the mobile phone number and email address in our records. If your mobile phone or email address is no longer valid, we reserve the right to determine your Account is inactive or take other actions as set forth in this Agreement. You will not be able to conduct any transactions in your Anatomy Account until you update your mobile phone or email address in your Anatomy Account profile.

‍

20.7 Reservation of Rights. We reserve the right to provide you with any Disclosure in writing, rather than electronically, or to withdraw the right to receive Disclosures electronically at any time. You agree to maintain on file with us your current street address and to promptly update your address in the event it changes by updating your Anatomy Account profile. Although we may waive our fee for delivery of paper Disclosures, we reserve the right to charge the Disclosure Request Fee and to increase this fee at our discretion.

‍

20.8 Communications in Writing. We recommend that you print a copy of this E-Consent and any Disclosure that you view electronically for your records as the Disclosure may not be accessible online at a later date. All Disclosures from us to you will be considered "in writing" and shall have the same meaning and effect as a paper Disclosure. You acknowledge and agree that Disclosures are considered received by you within 24 hours of the time posted to the Anatomy website, or within 24 hours of the time emailed or sent via text to you unless we receive notice that the Disclosure was not delivered.

‍

20.9 Responsibility. You understand and agree that we are responsible for sending the Disclosures to you. We are not responsible for any delay or failure in your receipt of the email or text notices and whether or not you choose to view the Disclosure, subject to your right to revoke your consent to receive Disclosures electronically.

‍

21 General Terms

‍

21.1 Notice. All notices under this Agreement will be in writing and will be deemed to have been duly given when received, if personally delivered; when receipt is electronically confirmed, if transmitted by e-mail (for notice to Anatomy, such email to be delivered to support@anatomy.com); and upon receipt, if sent by certified or registered mail (return receipt requested), postage prepaid or by recognized overnight courier (e.g. Federal Express or DHL).

‍

21.2 Media and Press. You will participate in press announcements, case studies, trade shows, or other forms of marketing and publicity reasonably requested by Anatomy. Anatomy is permitted to disclose that you are one of its customers to any third-party, at its sole discretion, and to identify you as a customer on its website and in marketing materials.

‍

21.3 Legal Process. Anatomy may respond to and comply with any Legal Process that Anatomy believes to be valid. Anatomy may deliver or hold any funds or, subject to the terms of Anatomy’s Privacy Policy, any data as required under the Legal Process, even if you are receiving funds or data on behalf of other parties. Where applicable law permits, Anatomy will notify you of the Legal Process by sending a copy to the email address in the applicable Anatomy Account. Anatomy is not responsible for any losses, whether direct or indirect, that you may incur as a result of Anatomy’s response or compliance with a Legal Process in accordance with this Section 21.3.

‍

21.4 Interpretation.

1. No provision of this Agreement will be construed against any party on the basis of that party being the drafter.
2. References to “includes” or “including” not followed by “only” or a similar word mean “includes, without limitation” and “including, without limitation,” respectively.
3. Except where expressly stated otherwise in writing executed between you and Anatomy, this Agreement will prevail over any conflicting policy or agreement for the provision or use of the Services.
4. All references in this Agreement to any terms, documents, law or Bank requirements are to those items as they may be amended, supplemented or replaced from time to time. All references to URLs are references to those URLs as they may be updated or replaced.
5. The section headings of this Agreement are for convenience only and have no interpretive value.
6. Unless expressly stated otherwise, any consent or approval that may be given by a party (i) is only effective if given in writing and in advance; and (ii) may be given or withheld in the party’s sole and absolute discretion.
7. References to “business days” means weekdays on which banks are generally open for business in the country in which Anatomy is located. Unless specified as business days, all references in this Agreement to days, months or years mean calendar days, calendar months or calendar years.
8. Unless expressly stated to the contrary, when a party makes a decision or determination under this Agreement, that party has the right to use its sole discretion in making that decision or determination.
9. The United Nations Convention on Contracts for the International Sale of Goods will not apply to this Agreement.

‍

21.5 Waivers. To be effective, a waiver must be in writing signed by the waiving party. The failure of either party to enforce any provision of this Agreement will not constitute a waiver of that party’s rights to subsequently enforce the provision.

‍

21.6 Force Majeure. Anatomy and its affiliates will not be liable for any losses, damages, or costs you suffer, or delays in Anatomy’s performance or non-performance, to the extent caused by an event beyond the control of Anatomy, including (a) a strike or other labor dispute or labor shortage, stoppage or slowdown; (b) supply chain disruption; (c) embargo or blockade; (d) telecommunication breakdown, power outage or shortage; (e) inadequate transportation service or inability or delay in obtaining adequate supplies; (f) weather, earthquake, fire, flood, natural disaster or act of God; (g) riot, civil disorder, war, invasion, hostility (whether war is declared or not) or terrorism threat or act; (h) civil or government calamity; (i) epidemic, pandemic, state, national or international health crisis; and (j) law or act of a governmental authority.

‍

21.7 Assignment. You may not assign or transfer any obligation or benefit under this Agreement without Anatomy’s consent. Any attempt to assign or transfer in violation of the previous sentence will be void in each instance. If you wish to assign this Agreement, please contact us. Anatomy may, without your consent, freely assign and transfer this Agreement, including any of its rights or obligations under this Agreement. This Agreement will be binding on, inure to the benefit of, and be enforceable by the parties and their permitted assigns.

‍

21.8 Embargo and Trade Control. You must not use or otherwise export, re-export or transfer the Anatomy Technology except as authorized by United States law, including by providing access to Anatomy Technology (a) to any jurisdiction as to which the United States maintains and embargo (“Embargoed Jurisdiction”), or (b) to any individual or entity resident in an Embargoed Jurisdiction or who is on the U.S. Department of Treasury’s List of specially Designated Nationals or the U.S. Department of Commerce’s Table of Denial Orders (collectively, “Designated Nationals”). By using the Anatomy Technology, you represent as of the Effective Date and warrant during the Term that you are not (i) located in or organized under the laws of any Embargoed Jurisdiction; (ii) a Designated National; or (iii) owned 50% or more, or controlled, by individuals and entities (x) located in or, as applicable, organized under the laws of any Embargoed Jurisdiction; or (y) any of whom or which is a Designated National. You must not use the Anatomy Technology for any purposes prohibited by law.

‍

21.9 No Agency. Each of the parties to this Agreement and the Bank, are independent contractors. Nothing in this Agreement serves to establish a partnership, joint venture, or general agency relationship between Anatomy and you, or with the Bank.

‍

21.10 Severability. If any court or governmental authority determines a provision of this Agreement is unenforceable, the parties intend that this Agreement be enforced as if the unenforceable provision were not present, and that any partially valid and enforceable provision be enforced to the extent that it is enforceable.

‍

21.11 Cumulative Rights; Injunctions. The rights and remedies of the parties under this Agreement are cumulative, and each party may exercise any of its rights and enforce any of its remedies under this Agreement, along with all other rights and remedies available to it at law or in equity. Any material breach by a party of Section 7, Section 9 or Section 11 hereof could cause the non-breaching party irreparable harm for which the non-breaching party has no adequate remedies at law. Accordingly, the non-breaching party is entitled to seek specific performance or injunctive relief for the breach.

‍

21.12 Entire Agreement. This Agreement constitutes the entire agreement and understanding of the parties with respect to the Services and supersedes all prior and contemporaneous agreements and understandings.

‍

Addendum to Terms of Service

‍

HIPAA BUSINESS ASSOCIATE AGREEMENT‍

‍

This Business Associate Agreement, effective as of the date of acceptance of terms (“BAA”), is between Customer (“Covered Entity”) and Anatomy Financial, Inc. and its affiliates, successors and assigns (“Business Associate”).

‍

Business Associate and Covered Entity have entered into Terms of Service. In connection with Business Associate's services, Business Associate and Covered Entity anticipate that Business Associate will create or receive Protected Health Information from and/or on behalf of Covered Entity, which information is subject to protection under the Federal Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191, as amended by the Health Information Technology for Economic and Clinical Health Act, Title XIII of the American Recovery and Reinvestment Act of 2009 (the “HITECH Act”), and related regulations promulgated by the Secretary (together “HIPAA”).

‍

In light of the foregoing and the requirements of HIPAA, Business Associate and Covered Entity agree to be bound by the following terms and conditions.

‍

The parties agree as follows:

1. Definitions.

1. Capitalized terms used, but not otherwise defined, in this BAA shall have the same meaning given to those terms by HIPAA as in effect or as amended from time to time.
2. “Services Agreement” shall mean any present or future agreements, either written or oral, between Covered Entity and Business Associate under which Business Associate provides services to Covered Entity which involve the use or disclosure of Protected Health Information.‍

‍

2. Obligations and Activities of Business Associate.

a. Use and Disclosure. If Protected Health Information is created by or disclosed to Business Associate, Business Associate agrees not to use or disclose Protected Health Information other than as permitted or required by the Services Agreement, this BAA or as Required by Law. Business Associate shall comply with the provisions of this BAA relating to privacy and security of Protected Health Information and all present and future provisions of HIPAA that relate to the privacy and security of Protected Health Information and that are applicable to “business associates,” as that term is defined in HIPAA.

‍

b. Appropriate Safeguards. Business Associate agrees to use appropriate safeguards to prevent the use or disclosure of the Protected Health Information other than as provided for by this BAA. Without limiting the generality of the foregoing sentence, Business Associate will:

• Implement administrative, organizational, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of Electronic Protected Health Information that it creates, receives, maintains or transmits on behalf of the Covered Entity as required by the Security Rule.
• Report to Covered Entity any Security Incident involving Electronic Protected Health Information of which Business Associate becomes aware. Any actual, successful Security Incident will be reported to Covered Entity in writing without unreasonable delay. Any attempted, unsuccessful Security Incident of which Business Associate becomes aware will be reported to Covered Entity orally or in writing on a reasonable basis, as requested by Covered Entity. If HIPAA is amended to remove the requirement to report unsuccessful attempts at unauthorized access, the requirement hereunder to report such unsuccessful attempts will no longer apply as of the effective date of the amendment.
• Notify Covered Entity following the discovery of a Breach of Unsecured
• Protected Health Information in accordance with 45 C.F.R. § 164.410 without unreasonable delay and in no case later than 60 days (or within any shorter deadline imposed by applicable State law) after discovery of the Breach. A Breach is considered “discovered” as of the first day on which the Breach is known, or reasonably should have been known, to Business Associate or any employee, officer or agent of Business Associate, other than the individual committing the Breach. Any notice of a Security Incident or Breach of Unsecured Protected Health Information shall include the identification of each Individual whose Protected Health Information has been or is reasonably believed by Business Associate to have been, accessed, acquired, or disclosed during such Security Incident or Breach as well as any other relevant information regarding the Security Incident or Breach.

‍

c. Reporting. Business Associate agrees to report, without unreasonable delay, to Covered Entity any use or disclosure of Protected Health Information by Business Associate or a third party to which Business Associate disclosed Protected Health Information not permitted by this BAA of which Business Associate becomes aware.

‍

d. Minimum Necessary Standard. To the extent required by the “minimum necessary” requirements of HIPAA, Business Associate shall only request, use and disclose the minimum amount of Protected Health Information necessary to accomplish the purpose of the request, use or disclosure.

‍

e. Mitigation. Business Associate agrees to take reasonable steps to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of Protected Health Information by Business Associate in violation of the requirements of this BAA (including, without limitation, any Security Incident or Breach of Unsecured Protected Health Information). Business Associate agrees to reasonably cooperate and coordinate with Covered Entity in the investigation of any violation of the requirements of this BAA and/or any Security Incident or Breach. Business Associate shall also reasonably cooperate and coordinate with Covered Entity in the preparation of any reports or notices required to be made under HIPAA or any other Federal or State laws, rules or regulations, to any Individual (entitled to notice in connection with a Breach), regulatory body, or any third party, provided that any such reports or notices shall be subject to the prior written approval of Covered Entity.

‍

f. Subcontractors. Business Associate shall enter into a written agreement meeting the requirements of 45 C.F.R. §§ 164.504(e) and 164.314(a)(2) with each Subcontractor (including, without limitation, a Subcontractor that is an agent under applicable law) that creates, receives, maintains or transmits Protected Health Information on behalf of Business Associate. Business Associate shall ensure that the written agreement with each Subcontractor obligates the Subcontractor to comply with restrictions and conditions that are at least as restrictive as the restrictions and conditions that apply to Business Associate through this BAA.

‍

g. Access to Designated Record Sets. To the extent that Business Associate maintains Protected Health Information in a Designated Record Set, Business Associate agrees to provide access, at the request of Covered Entity, and in the time and manner designated by the Covered Entity, to Protected Health Information in a Designated Record Set created or received by Business Associate solely on behalf of Covered Entity only, to Covered Entity or, as directed by Covered Entity, to an Individual in order to meet the requirements under HIPAA Regulations. If an Individual makes a request for access to Protected Health Information directly to Business Associate, Business Associate shall notify Covered Entity of the request within ten (10) business days of such request. Covered Entity shall have the sole responsibility to make decisions regarding whether to approve a request for access to Protected Health Information.

‍

h. Amendments to Designated Record Sets. To the extent that Business Associate maintains Protected Health Information in a Designated Record Set, within thirty (30) days of a receipt of a request from Covered Entity for the amendment of an Individual’s Protected Health Information contained in such Designated Record Set, Business Associate agrees to provide such Protected Health Information to Covered Entity for amendment and to incorporate any such amendment(s) to Protected Health Information in the Designated Record Set maintained by the Business Associate pursuant to HIPAA Regulations and in the time and manner designated by the Covered Entity. If an Individual makes a request for an amendment to Protected Health Information directly to Business Associate, Business Associate shall notify Covered Entity of the request within ten (10) business days of such request. Covered Entity will have the sole responsibility to make decisions regarding whether to approve a request for amendment to Protected Health Information.

‍

i. Access to Books and Records. Business Associate agrees to make its internal practices, books, and records relating to the use and disclosure of Protected Health Information received from or created or received by Business Associate on behalf of, Covered Entity available to the Secretary for purposes of the Secretary determining Covered Entity's and Business Associate's compliance with the Privacy Rule.

‍

j. Accountings. Business Associate agrees to, within thirty (30) days of request for an accounting of disclosures of Protected Health Information from Covered Entity, make available to Covered Entity such information as is in Business Associate’s possession and as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with HIPAA. If Business Associate receives a request for an accounting directly from an Individual, Business Associate shall forward such request to Covered Entity within ten (10) business days. Covered Entity shall have the sole responsibility to provide an accounting of disclosures.

‍

3. Permitted Uses and Disclosures by Business Associate.

1. Services Agreement. Except as otherwise limited in this BAA, Business Associate may use or disclose Protected Health Information to perform functions, activities, or services for, or on behalf of, Covered Entity as specified in the Services Agreement, provided that such use or disclosure would not violate HIPAA if done by Covered Entity or the minimum necessary policies and procedures of the Covered Entity.
2. Use for Administration of Business Associate. Except as otherwise limited in this BAA, Business Associate may use Protected Health Information for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate. Covered Entity acknowledges and agrees that proper management and administration of Business Associate includes, without limitation, modifications or upgrades to its software or services, and development of new features or functionality thereof, or new related product or services.‍
3. Disclosure for Administration of Business Associate. Except as otherwise limited in this BAA, Business Associate may disclose Protected Health Information for the proper management and administration of the Business Associate, provided that (i) disclosures are Required by Law, or (ii) Business Associate obtains reasonable assurances from the third party to whom the information is disclosed that the third party will:
   • protect the confidentiality of the Protected Health Information, and
   • use or further disclose the Protected Health Information only as Required by Law or for the purpose for which it was disclosed to the third party.
4. ‍Data Aggregation. Business Associate may use Protected Health Information to provide Data Aggregation services relating to the Health Care Operations of Covered Entity if required or permitted under this Agreement or the Service Agreement.
5. De-Identified Information. Business Associate may use Protected Health Information to create de-identified health information in accordance with the HIPAA de-identification requirements. Business Associate may disclose deidentified health information for any purpose permitted by law.

‍

4. Obligations of the Covered Entity.

1. Permissible Requests by Covered Entity. Except as set forth in Section 3 of this BAA, Covered Entity shall not request Business Associate to use or disclose Protected Health Information in any manner that would not be permissible under the Privacy Rule if done by Covered Entity.
2. Minimum Necessary PHI. When Covered Entity discloses Protected Health Information to Business Associate, Covered Entity shall provide the minimum amount of Protected Health Information necessary for the accomplishment of Business Associate's purpose.
3. Permissions; Restrictions. Covered Entity warrants that it has obtained and will obtain any consents, authorizations and/or other legal permissions required under HIPAA and other applicable law for the disclosure of Protected Health Information to Business Associate. Covered Entity shall notify Business Associate of any changes in, or revocation of, the permission by an Individual to use or disclose his or her Protected Health Information, to the extent that such changes may affect Business Associate’s use or disclosure of Protected Health Information. Covered Entity shall not agree to any restriction on the use or disclosure of Protected Health Information under 45 C.F.R. § 164.522 that restricts Business Associate’s use or disclosure of Protected Health Information under this BAA unless Business Associate grants its written consent.
4. Notice of Privacy Practices. Except as required under HIPAA or other applicable law, with Business Associate’s consent or as set forth in the Services Agreement, Covered Entity shall not include any limitation in the Covered Entity’s notice of privacy practices that limits Business Associate's use or disclosure of Protected Health Information under this BAA.

‍

5. Term and Termination.

1. Term. This BAA shall be effective as of the date of this BAA and shall terminate when all of the Protected Health Information provided by Covered Entity to Business Associate, or created or received by Business Associate on behalf of Covered Entity, is destroyed or returned to Covered Entity, or, if it is infeasible to return or destroy Protected Health Information, protections are extended to such information, in accordance with the termination provisions in this Section.
2. Termination Upon Breach. Any other provision of this BAA notwithstanding, either party (the “Non-Breaching Party”), upon knowledge of a material breach by the other party (the “Breaching Party”), shall provide an opportunity for the Breaching Party to cure the breach or end the violation. If Breaching Party does not cure the breach or end the violation within thirty (30) calendar days, the Non-Breaching Party may terminate: (A) this BAA; and (B) all of the provisions of the Services Agreement that involve the use or disclosure of Protected Health Information In the event that termination of this BAA is not feasible, in the Non-Breaching Party's sole discretion, the Non-Breaching Party has the right to report the breach to the Secretary.
3. Effect of Termination.
   1. Except as provided in Section 5(c)(ii), upon termination of this BAA, for any reason, Business Associate shall return or destroy all Protected Health Information received from Covered Entity or created or received by Business Associate on behalf of Covered Entity. This provision shall apply to Protected Health Information that is in the possession of subcontractors or agents of Business Associate. Business Associate shall retain no copies of the Protected Health Information.
   2. In the event that Business Associate reasonably determines that returning or destroying the Protected Health Information is infeasible, Business Associate shall extend the protections of this BAA to such Protected Health Information and limit further uses and disclosures of such Protected Health Information to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such Protected Health Information. Covered Entity acknowledges and agrees that (i) it is infeasible for Business Associate to delete Protected Health Information from its backup tapes or other backup systems and (ii) it is infeasible for Business Associate to delete all Protected Health Information during an ongoing investigation in connection with a Security Incident or Breach of Unsecured Protected Health Information, and that temporarily retaining certain Protected Health Information may be necessary for such investigation.

‍

6. Compliance with HIPAA Transaction Standards.

When providing its services and/or products, Business Associate shall comply with all applicable HIPAA standards and requirements (including, without limitation, those specified in 45 CFR Part 162) with respect to the transmission of health information in electronic form in connection with any transaction for which the Secretary has adopted a standard under HIPAA (“Covered Transactions”). Business Associate will make its services and/or products compliant with HIPAA’s standards and requirements no less than thirty (30) days prior to the applicable compliance dates under HIPAA. Business Associate represents and warrants that it is aware of all current HIPAA standards and requirements regarding Covered Transactions, and Business Associate shall comply with any modifications to HIPAA standards and requirements which become effective from time to time. Business Associate shall require all of its agents and subcontractors (if any) who assist Business Associate in providing its services and/or products to comply with the terms of this Section 6.

‍

7. Miscellaneous.

1. Regulatory References. A reference in this BAA to a section in HIPAA, means the section as in effect or as amended or modified from time to time, including any corresponding provisions of subsequent superseding laws or regulations.
2. Amendment. The Parties agree to take such action as is necessary to amend Services Agreement from time to time as is necessary for the parties to comply with the requirements of HIPAA.
3. Survival. The respective rights and obligations of Business Associate under Section 5(c) of this BAA shall survive the termination of the Services Agreement or this BAA.
4. Interpretation. Any ambiguity in this Agreement shall be resolved to permit the parties to comply with HIPAA.
5. Miscellaneous. The terms of this BAA are hereby incorporated into the Services Agreement. To the extent that Business Associate receives Protected Health Information from or on behalf of Covered Entity and except as otherwise set forth in Section 7(d) of this BAA, in the event of a conflict between the terms of this BAA and the terms of the Services Agreement, the terms of this BAA shall prevail. The terms of the Services Agreement which are not modified by this BAA shall remain in full force and effect in accordance with the terms thereof.

‍

‍