INTEGRATION AGREEMENT TERMS AND CONDITIONS

 

THIS INTEGRATION AGREEMENT (“AGREEMENT”) AND THE TERMS AND CONDITIONS SET FORTH HEREIN GOVERNS CUSTOMER’S ACQUISITION AND USE OF SERVICES AND DELIVERABLES PROVIDED BY GREYFINCH, LLC, AN ARKANSAS LIMITED LIABILITY COMPANY (“GREYFINCH”) WITH A PRINCIPAL OFFICE LOCATED AT 610 PRESIDENT CLINTON AVE., SUITE 101, LITTLE ROCK, AR 72201.

CAPITALIZED TERMS HAVE THE DEFINITIONS SET FORTH HEREIN.

BY ACCEPTING THIS AGREEMENT THROUGH (1) CLICKING A BOX INDICATING ACCEPTANCE, (2) EXECUTING AN ORDER OR PROPOSAL THAT REFERENCES THIS AGREEMENT IN WRITING OR ELECTRONICALLY (THE “ORDER” OR THE “PROPOSAL”), OR (3) USING INTEGRATION SERVICES WITH GREYFINCH, CUSTOMER AGREES TO THE TERMS OF THIS AGREEMENT.

IF THE INDIVIDUAL ACCEPTING THIS AGREEMENT IS ACCEPTING ON BEHALF OF A COMPANY OR OTHER LEGAL ENTITY, SUCH INDIVIDUAL REPRESENTS THAT THEY HAVE THE AUTHORITY TO BIND SUCH ENTITY AND ITS AFFILIATES TO THESE TERMS AND CONDITIONS, IN WHICH CASE THE TERM “CUSTOMER” SHALL REFER TO SUCH ENTITY AND ITS AFFILIATES AS FURTHER IDENTIFIED IN THE PROPOSAL OR ORDER. IF THE INDIVIDUAL ACCEPTING THIS AGREEMENT DOES NOT HAVE SUCH AUTHORITY, OR DOES NOT AGREE WITH THESE TERMS AND CONDITIONS, SUCH INDIVIDUAL MUST  NOT ACCEPT THIS AGREEMENT AND MAY NOT USE THE PLATFORM, SOFTWARE OR SERVICES.

This Agreement was last updated on June 4, 2024. It is effective between Customer and Greyfinch as of the date of Customer’s accepting this Agreement (the “Effective Date”).This Agreement and the terms and conditions set forth herein may be updated from time to time and Customer’s acceptance or use of the Platform, Software or Services after such date shall constitute Customer’s acceptance of such updated Agreement.

AGREEMENTS

NOW THEREFORE, in consideration of the foregoing, and the mutual promises contained herein, and other good and valuable consideration, the receipt and adequacy of which is acknowledged, the Parties agree as follows:

1. Framework. Greyfinch and Customer have executed an Order or a Proposal to establish a framework to work together to explore and implement the integration tools, application programming interfaces, and data sharing necessary to (1) integrate Customer Software with the Greyfinch Solution (the “Greyfinch Integration”) and (2) integrate Customer Software with Customer’s Product as identified in the Order or Proposal (the “Customer’s Product Integration”). Together, the two integrations will be the “Final Product”. Greyfinch and Customer also desire to collaborate with each other to identify new customers and service opportunities pursuant to the terms and conditions set forth in this Agreement .

2. Joint Team Discussions: The Parties agree to collaborate on the development of APIs (as defined below) and related tools via 3rd parties, to facilitate the integration of their respective software systems. To achieve this objective, the parties will establish a joint team consisting of representatives from all parties. The joint team will be responsible for identifying the necessary application programming interfaces and other tools (“APIs” or an “API”) required to achieve the integration goals set forth in this Agreement.  The joint team will work together to define the functional requirements for the APIs and related tools and will develop and test them to ensure that they are compatible with both Parties’ systems (the “Discovery Phase”), and subsequently implement the same. The Parties agree to provide the necessary resources and support to enable the joint team to perform their duties effectively.  An important goal of this relationship is to develop a more comprehensive practice management solution that offers enhanced value to Providers, and which can be cross-marketed by the Parties to their existing and future clients.

3.  API and Software Tools:

a. The Parties agree to use Greyfinch’s existing API Services which are mostly GraphQL based and its Apps definition model to facilitate an integration for practices using Customer and Customer’s Product. The Parties will work in agreed-upon phases and meet on a regular cadence to make sure development and testing is moving forward as planned. From time to time, Greyfinch may have unstable endpoints which will be documented.

b. Development of New APIs.  The Parties may mutually agree that additional APIs must be created to perform in accordance with this Agreement. When the Parties agree on an API to be developed, they shall likewise agree on written documentation that specifies: (i) the API to be developed and its functionality; (ii) which Party will develop it; (iii) which Party will own it; (iv) what third party software will be used; (v) any use restrictions and responsibilities; (vi) what data will be shared; (vii) each party’s support responsibilities; (viii) service level terms (if applicable); and (viiii) any other terms as agreed by the Parties.

4. Intellectual Property Ownership and License. As between the Parties, the Parties acknowledge and agree that Greyfinch owns all right, title, and interest in the Greyfinch Solution, including any and all software code, computer program, documentations, updates, enhancements, upgrades, revisions, improvements, and modifications of the foregoing that Greyfinch or its third-party service providers has embedded or integrated into the same, and all aggregated data, including, but not limited to any and all intellectual property rights, derivative works, improvements, modifications, updates, releases, versions, and all comments and feedback provided by Customer related thereto.  The Parties likewise agree that Customer owns all right, title, and interest, including all intellectual property rights, in and to, the Customer Software and any improvements thereto, and any comments and feedback provided by Greyfinch related to the same. Each Party owns all right, title, and interest, including all intellectual property rights, in and to, any APIs specific to their individual systems or applications.

5. Disclaimer of Warranties. EACH PARTY’S APIs ARE PROVIDED “AS IS” AND LICENSOR SPECIFICALLY DISCLAIMS ALL WARRANTIES, WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE. LICENSOR SPECIFICALLY DISCLAIMS ALL IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, AND NON­ INFRINGEMENT, AND ALL WARRANTIES ARISING FROM COURSE OF DEALING, USAGE, OR TRADE PRACTICE. LICENSOR MAKES NO WARRANTY OF ANY KIND THAT THE API OR ANY PRODUCTS OR RESULTS OF THE USE THEREOF, WILL MEET ANY PERSON’ OR PROVIDER’S REQUIREMENTS, OPERATE WITHOUT INTERRUPTION, ACHIEVE ANY INTENDED RESULT, BE COMPATIBLE OR WORK WITH ANY SOFTWARE, SYSTEM OR OTHER SERVICES, OR BE SECURE, ACCURATE, COMPLETE, FREE OF HARMFUL CODE, OR ERROR-FREE, OR THAT ANY ERRORS OR DEFECTS CAN OR WILL BE CORRECTED.

6. Monitoring Obligations. Each Party will monitor the use of its APIs and systems for any activity that violates applicable laws, rules, and regulations or any terms and conditions of this Agreement, including any fraudulent, inappropriate, or potentially harmful behavior, and promptly restrict any offending use.

7. Provider Privacy and Network Security.  Each Party has and will continue to maintain policies and procedures governing the collection, transfer, storage, use, and security of Patients’ data and personal information in compliance with all applicable Privacy and Data Security Laws and Regulations.  “Privacy and Data Security Laws and Regulations” means applicable laws, regulations, and/or written policies or terms of use relating to privacy; information security; data protection; the processing, sharing, and/or sale of personal data; data breach notification laws; and, to the extent applicable, the security standards promulgated pursuant to the Health Insurance Portability and Accountability Act, 45 C.F.R. § 164.302 et seq.) (“HIPAA”); the Federal Trade Commission’s Safeguards Rule, 16 C.F.R. § 314.1 et seq. (the “Safeguards Rule”); the California Consumer Privacy Act of 2018, Cal. Civ. Code § 1798.100 et seq.  (“CCPA”); and all other applicable laws and regulations of the United States and each state and/or territory therein.

8. Confidentiality.

a. Definition. “Confidential Information” means any information disclosed by a party to the other party, directly, or indirectly, which, (a) if in written, graphic, machine-readable, electronic, or other tangible form, is marked as “confidential” or “proprietary,” (b) if disclosed orally or by demonstration, is identified at the time of initial disclosure as confidential, (c) is specifically deemed to be confidential by the terms of this Agreement, or (d) reasonably appears to be confidential or proprietary because of the circumstances of disclosure and the nature of the information itself, including, without limitation, any assessments, presentation materials, conceptual product details, product designs, product specifications, business models, financials, financial projections, programming, coding, samples, prototypes, sales techniques, prospect lists or billing practices disclosed by either party. Confidential Information will also include information disclosed by third parties where the receiving party knows or should reasonably anticipate such information to be under an obligation of confidentiality. Subject to the display of Customer Content as contemplated by this Agreement, Customer Content is deemed Confidential Information of Customer. Software and Documentation are deemed Confidential Information of Greyfinch.

b. Confidentiality. During the term of this Agreement and for 5 years thereafter (perpetually in the case of Software), each party shall treat as confidential all Confidential Information of the other party, shall not use such Confidential Information except to exercise its rights and perform its obligations under this Agreement, and shall not disclose such Confidential Information to any third party. Without limiting the foregoing, each party shall use at least the same degree of care, but not less than a reasonable degree of care, it uses to prevent the disclosure of its own confidential information to prevent the disclosure of Confidential Information of the other party. Each party shall promptly notify the other party of any actual or suspected misuse or unauthorized disclosure of the other party’s Confidential Information. Neither party shall reverse engineer, disassemble, or decompile any prototypes, software or other tangible objects which embody the other party’s Confidential Information and which are provided to the party hereunder. Each party may disclose Confidential Information of the other party on a need-to-know basis to its contractors who are subject to confidentiality agreements requiring them to maintain such information in confidence and use it only to facilitate the performance of their services on behalf of the disclosing party.

c. Exceptions. Confidential Information excludes information that: (a) is known publicly at the time of the disclosure or becomes known publicly after disclosure through no fault of the receiving party, (b) is known to the receiving party, without restriction, at the time of disclosure or becomes known to the receiving party, without restriction, from a source other than the disclosing party not bound by confidentiality obligations to the disclosing party, or (c) is independently developed by the receiving party without use of the Confidential Information as demonstrated by the written records of the receiving party. The receiving party may disclose Confidential Information of the other party to the extent such disclosure is required by law or order of a court or other governmental authority, provided that the receiving party shall use reasonable efforts to promptly notify the other party prior to such disclosure to enable the disclosing party to seek a protective order or otherwise prevent or restrict such disclosure. Each party may disclose the existence of this Agreement and the relationship of the parties, but agrees that the specific terms of this Agreement will be treated as Confidential Information; provided, however, that each party may disclose the terms of this Agreement to those with a need to know and under a duty of confidentiality such as accountants, lawyers, bankers, and investors.

9. Compliance With Applicable Law.  “Applicable Law” means any law, regulation, rule, order, directive, or other requirement of any governmental authority that is applicable to the parties, their respective businesses, or the subject matter of this Agreement, including without limitation any laws related to data privacy and security, intellectual property, export control, and anti-corruption. Applicable Law also includes any binding legal judgments, orders, or decrees that are applicable to the parties or the subject matter of this Agreement. In the event of any conflict between this Agreement and any Applicable Law, the parties agree that they will comply with the requirements of Applicable Law.  The Parties agreement to perform as set forth herein in full compliance with all Applicable Law.

10. Mutual BAA. The Parties acknowledge and agree that the activities and services described herein may result in a Party sharing with the other Party certain Protected Health Information, defined as individually identifiable health information that is protected by HIPAA, belonging to the Parties’ clients providing orthodontic or other dental or medical treatment or services.  The Mutual Business Associate Addendum, which is attached hereto as Exhibit A and hereby incorporated by reference in its entirety, shall control with respect to matters involving or concerning Protected Health Information (as such term is defined by HIPAA).

11. Marketing, Publicity, and Promotion Responsibilities.

a. Use of Parties’ Marks. Each Party acknowledges that the other Party retains all ownership rights of and interest in their respective trademarks, service marks, logos, trade dress, or other designations, advertising, material, and any associated goodwill, whether presently existing or later developed by the Party (collectively “Marks”). Unless expressly stated otherwise in this Agreement, nothing contained herein shall give a Party any rights to use any Marks of the other Party in advertising, publicity or marketing materials.  

b. Authorized Use of Marks.  A Party may use the Marks of the other Party in advertising or marketing materials, and in connection with an API, solely for purposes of carrying out its obligations under this Agreement.  Under those circumstances, the Party shall submit the advertising or marketing materials for the other Party’s review and written approval prior to any use.  A Party may use such advertising or marketing materials only upon the terms and conditions agreed by the other Party from time to time and in compliance with all applicable usage guidelines.  A Party may not modify or delete any advertising or marketing materials that it is authorized to use without the prior written consent of the other Party.  A Party’s use of the other Party’s Marks will not create any right, title, or interest in or to the Marks and all goodwill associated with the use of the Marks will insure to the benefit of the owner thereof. As soon as practicable upon termination of this Agreement, all materials containing a Party‘’s Marks in the other Party’s possession shall be returned. A Party will promptly notify the other Party if the Party becomes aware of any infringement of any intellectual property rights in the Marks of the other Party.

12. Product Support/Updates. Both Parties shall provide advance notice as soon as reasonably possible regarding any API updates that will impact integration or subsequent operations.  Both Parties will provide software release notes and updated API documentation any time such items are available, and will make commercially reasonable and good-faith efforts to prioritize and provide bug fixes, especially those that directly impact end users.

13. Final Product Schedule.  Both Parties hereby commit to prioritize the integrations contemplated by this Agreement and agree that they will work together to select an agreed upon launch date for the Final Product at the conclusion of the Discovery Period (the “Launch Date”).  Both the Greyfinch Integration and the Customer’s Product integration shall be completed by the Launch Date with the Customer’s Product integration to follow with a completion date to be agreed upon in writing, which may be an email between the designated representatives, by both parties (the “Completion Date”).

14. Expected Service Levels.  To ensure the reliable and continuous availability of their APIs, the Parties have established and agreed upon specific performance metrics.  One such metric is the Monthly Uptime Percentage, which is set at a target of 99%.  This means that the API must be functional and available to users for at least 99% of the time in any given month.  The Parties will use commercially reasonable efforts to ensure their APIs maintain a Monthly Uptime Percentage of 99%.  The “Monthly Uptime Percentage” is calculated by taking the number of successful health check requests divided by the number of total health check requests for a given month.  The Parties recognize the importance of this metric in achieving their respective business objectives and are committed to making their best efforts to maintain this level of service.

a. Exceptions.  The Service Commitment does not apply when performance issues: (a) are caused by factors outside of the Parties’ reasonable control, and the Parties’ clients’ reasonable control, including Internet access or related problems occurring beyond the point in the network where the Parties and their clients maintain access and control; (b) occur during the Parties’ scheduled maintenance for which the Parties will use commercially reasonable efforts to provide prior notice; (c) occur during the Parties’ emergency maintenance (maintenance that is necessary for purposes of maintaining the integrity or operation of the APIs), regardless of the notice provided by the Parties. The Service Commitment also does not apply when the Parties either rate or time-of-day-limit access to specific API’s; for example, restricting expensive API calls during peak times or preventing large bursts in a short window of time.  Any such limitations shall be mutually agreed upon by the Parties in advance.

b. Monitoring and Remediation.  Upon the reasonable request of Greyfinch, Customer shall provide a report showing the time during the previous month in which the subject APIs were not available, by both planned downtime and otherwise.  If the Monthly Uptime Percentage falls below 99%, the Parties will work together to identify and address any issues affecting the subject API’s performance.

15. Greyfinch Revenue Share.  Customer and Greyfinch may agree upon certain revenue sharing as set forth in an Order or Proposal.

16. Indemnification. Each Party (the “Indemnifying Party”) agrees to indemnify, defend, and hold harmless the other Party and its officers, directors, employees, agents, affiliates, successors, and assigns (the “Indemnified Parties”) from and against any and all losses, damages, liabilities, deficiencies, claims, actions, judgments, settlements, interest, awards, penalties, fines, costs, or expenses of whatever kind, including reasonable attorneys’ fees, arising from or relating to (a) the Indemnifying Party’s use or misuse of an API or the Indemnified Party’s Marks, (b) the Indemnifying Party’s breach of this Agreement, and (c) the Indemnifying Party’s Applications, including any end user’s use thereof.  “Applications” means any applications developed by either Party to interact with the API provided by the other Party.  In the event an Indemnified Party seeks indemnification or defense from the Indemnifying Party under this provision, the Indemnified Party will promptly notify the Indemnifying Party in writing of the claim(s) brought against the Indemnified Party for which the Indemnified Party seeks indemnification or defense.  The Indemnified Party reserves the right, at the Indemnified Party’s option and in the Indemnified Party’s sole discretion, to assume full control of the defense of claims with legal counsel of the Indemnified Party’s choice. The Indemnifying Party may not enter into any third-party agreement that would, in any manner whatsoever, constitute an admission of fault by the Indemnified Party or bind the Indemnified Party in any manner, without the Indemnified Party’s prior written consent. In the event the Indemnified Party assumes control of the defense of such claim, the Indemnified Party will not settle any such claim requiring payment from the Indemnifying Party without the Indemnified Party‘s prior written approval.

17. Limitation of Liability. TO THE FULLEST EXTENT PERMITTED UNDER APPLICABLE LAW, EXCEPT FOR LIABILITY ARISING UNDER SECTIONS 5 OR 8, IN NO EVENT WILL A PARTY BE LIABLE TO THE OTHER PARTY UNDER ANY TORT, CONTRACT, NEGLIGENCE, STRICT LIABILITY, OR OTHER LEGAL OR EQUITABLE THEORY FOR (a) ANY LOST PROFITS, LOST OR CORRUPTED DATA, COMPUTER FAILURE OR MALFUNCTION, INTERRUPTION OF BUSINESS, OR OTHER SPECIAL, INDIRECT, INCIDENTAL, OR CONSEQUENTIAL DAMAGES OF ANY KIND ARISING OUT OF THE USE THE API OR ACTIVITIES UNDER THIS AGREEMENT; OR (b) ANY DAMAGES, IN THE AGGREGATE, IN EXCESS OF $50,000 EVEN IF A PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH LOSS OR DAMAGES AND WHETHER OR NOT SUCH LOSS OR DAMAGES ARE FORESEEABLE OR THE PARTIES WERE ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. THIS LIMITATION OF LIABILITY INCLUDES OBLIGATIONS UNDER THE BAA and NDA REFERENCED HEREIN.

18. Term and Termination.

a. Term. The initial term of this Agreement begins on the Effective Date (unless otherwise agreed to in an Order or Proposal) and, unless terminated earlier pursuant to any provision of this Agreement, will continue in effect until 3 years from the Effective Date (or such other date) (the “Initial Term”).  This Agreement will automatically renew for additional successive one-year terms unless earlier terminated pursuant to this Agreement’s express provisions or either Party gives the other Party written notice of non-renewal at least 120 days prior to the expiration of the then-current term (each a “Renewal Term” and together with the Initial Term, the “Term”).

b. Early Termination by a Party.

         i. For Breach. Either Party may terminate this Agreement, effective upon the provision of written notice, if the other Party materially breaches this Agreement, and such breach: (A) is incapable of cure within a reasonable amount of time; or (B) being capable of cure, remains uncured 30 days after the non-breaching Party provides the breaching Party with written notice of such breach.

        ii. For Insolvency. Either Party may terminate this Agreement, effective immediately upon written notice to the other Party, if the other Party: (A) becomes insolvent or is generally unable to pay, or fails to pay, its debts as they become due; (B) files, or has filed against it, a petition for voluntary or involuntary bankruptcy or otherwise becomes subject, voluntarily or involuntarily, to any proceeding under any domestic or foreign bankruptcy or insolvency law; (C) makes or seeks to make a general assignment for the benefit of its creditors; or (D) applies for or has appointed a receiver, trustee, custodian, or similar agent appointed by order of any court of competent jurisdiction to take charge of or sell any material portion of its property or business.

c. Effect of Termination. Upon expiration or termination of this Agreement for any reason, all licenses and rights granted under this Agreement will automatically terminate and the Licensee must cease using, destroy, and permanently erase all copies of the API and all other intellectual property from all devices and systems Licensee directly or indirectly controls, and each Party will cease using the other Party’s Marks; provided, however, that if this Agreement expires pursuant to Section 14(a), an API Licensee may continue to use the API for up to 180 days after the expiration in order to properly transition clients away from an integration.

d. Survival. Outstanding payment obligations and Sections 4, 5, 6, 8, 9, 12, 13, 14, and 16 will survive expiration and termination of this Agreement.

19. Expenses. Each Party will pay its own expenses, including the salaries and benefits of their respective development teams, incurred in developing and testing the respective APIs.  The test data to be shared between Greyfinch and Customer for testing is licensed royalty-free.

20. Customer Software Updates and Development. The Parties agree to integrate their respective services with the current version of the Customer Software, as well as any future versions. The integration will be carried out in accordance with industry best practices and the standards and specifications agreed upon by the Parties.  The Parties expect that the current Agreement will cover and require Customer to maintain the most current integrations and developments, and that any future integrations with Customer will be covered under this Agreement or any subsequent agreement mutually agreed upon by the Parties.

21. Miscellaneous.

a. Entire Agreement. This Agreement, together with any Order, Proposal, Addenda, Schedules, and/or Exhibits, constitutes the sole and entire agreement of the Parties with respect to the subject matter of this Agreement and supersedes all prior and contemporaneous understandings, agreements, and representations and warranties, both written and oral, with respect to such subject matter.

b. Notices. All notices required or permitted hereunder must be in writing and addressed to the Parties (to the attention of CEO) at the addresses set forth in an Order or Proposal (or to such other addresses that may be designated by the Party giving notice from time to time in accordance with this Section.) All notices must be delivered by personal delivery, nationally recognized overnight courier (with all fees prepaid), facsimile or email (with proof of transmission), or certified or registered mail (in each case, return receipt requested, postage prepaid).  Except as otherwise provided in this Agreement, a notice is effective only (i) upon receipt by the receiving Party, and (ii) if the Party giving the notice has complied with the requirements of this Section.

c. Amendment. No amendment to or modification of this Agreement is effective unless it is in writing and signed by an authorized representative of each Party. No waiver by any Party of any of the provisions hereof will be effective unless set forth in writing and signed by the Party so waiving. Except as otherwise set forth in this Agreement, (i) no failure to exercise, or delay in exercising, any rights, remedy, power, or privilege arising from this Agreement will operate or be construed as a waiver thereof and (ii) no single or partial exercise of any right, remedy, power, or privilege hereunder will preclude any other or further exercise thereof or the exercise of any other right, remedy, power, or privilege.

d. Severability. If any provision of this Agreement is—or is later found to be—invalid, illegal, or unenforceable in any jurisdiction, such invalidity, illegality, or unenforceability will not affect any other term or provision of this Agreement or invalidate or render such term or provision unenforceable in any other jurisdiction. Upon such determination that any term or other provision is invalid, illegal, or unenforceable, the Parties shall negotiate in good faith to modify this Agreement so as to affect the original intent of the Parties as closely as possible in a mutually acceptable manner.

e. Law. This Agreement is governed by and construed in accordance with the internal laws of the State of Arkansas without giving effect to any conflict of law provision or rule that would require or permit the application of the laws of any other jurisdiction.

f. Dispute Resolution. Except as provided in Section 19(g) below, in the event that there is a controversy, disagreement, or dispute between the Parties related to the formation, interpretation, performance, enforcement, or breach of this Agreement (“Dispute“), representatives designated by each of the Parties shall promptly confer and devote their efforts to resolving the Dispute reasonably and in good faith. If the Dispute is not so resolved by the Parties within 14 days of a Party’s demand for the Parties to confer on the Dispute resolution, upon the demand of a Party, the matter will first be submitted for nonbinding mediation to a mutually selected impartial third-party mediator (such costs to be borne equally between the parties). The parties agree that the impartial third-party mediator must be selected within 10 days of submission of a matter for mediation and that any such mediation must be concluded within forty-five (45) days of submission. In the event the parties are unable to agree upon a mediator, the Parties will submit the mediation to the American Arbitration Association under its Commercial Mediation Rules. If the Dispute is not so resolved through nonbinding mediation, upon the demand of a Party, the matter will be submitted for binding arbitration to the American Arbitration Association under its Commercial Arbitration Rules. The mediation and arbitration will take place in Little Rock, Arkansas, unless both parties mutually agree on another location. Any award rendered in arbitration will be in writing and in the form of a reasoned award, will be final and binding on the parties, and may be confirmed as a judgment in any court having jurisdiction.

g. Equitable Relief. Each Party acknowledges and agrees that a breach or threatened breach by such Party of any of its obligations under Section 10 or, in the case of Licensee, the use restrictions applicable to the license grant, would cause the other Party irreparable harm for which monetary damages would not be an adequate remedy and agrees that, in the event of such breach or threatened breach, the other Party will be entitled to equitable relief, including a restraining order, an injunction, specific performance, and any other relief that may be available from any court, without any requirement to post a bond or other security, or to prove actual damages or that monetary damages are not an adequate remedy.  Such remedies are not exclusive and are in addition to all other remedies that may be available at law, in equity, or otherwise.

h. Assignment. No Party may assign or transfer any of its rights or delegate any of its obligations hereunder, whether voluntarily, involuntarily, by operation of law, or otherwise, without the prior written consent of the other Party.   Consent shall not be unreasonably withheld, conditioned, or delayed.  A Party may, however, assign this Agreement in connection with the sale of all or substantially all its business or a merger without the consent of the other Party. Any purported assignment, transfer, or delegation in violation of this Section is null and void.  No assignment, transfer, or delegation will relieve the assigning or delegating Party of any of its obligations hereunder. This Agreement is binding upon and insures to the benefit of the Parties hereto and their respective permitted successors and assigns.

i. Counterparts. This Agreement may be executed in two or more counterparts, including by electronic signature and facsimile, and transmitted by electronic-mail, telefacsimile, or other electronic means, each of which shall be deemed an original, but all of which together shall constitute one and the same instrument.

Acceptance. BY ACCEPTING THIS AGREEMENT THROUGH (1) CLICKING A BOX INDICATING ACCEPTANCE, (2) EXECUTING AN ORDER OR PROPOSAL THAT REFERENCES THIS AGREEMENT IN WRITING OR ELECTRONICALLY, OR (3) CUSTOMER’S INTEGRATION OF SERVICES WITH GREYFINCH, CUSTOMER AGREES TO THE TERMS OF THIS AGREEMENT AND OF THE BUSINESS ASSOCIATE ADDENDUM ATTACHED HERETO AS EXHIBIT A.

EXHIBIT A: Business Associate Addendum

Business Associate Addendum

This Business Associate Agreement (the “Agreement”), is made as of the Effective Date of the Integration Agreement to which this is attached (the “Effective Date”), by and between Greyfinch as the Covered Entity (“Covered Entity”) and Customer and any of its subcontractors as the Business Associate (collectively “Business Associate”) to comply with privacy standards adopted by the U.S. Department of Health and Human Services as they may be amended from time to time, 45 C.F.R. parts 160 and 164 (“the Privacy Rule”) and security standards adopted by the U.S. Department of Health and Human Services as they may be amended from time to time, 45 C.F.R. parts 160, 162 and 164, subpart C (“the Security Rule”), and the Health Information Technology for Economic and Clinical Health (HITECH) Act, Title XIII of Division A and Title IV of Division B of the American Recovery and Reinvestment Act of 2009 and regulations promulgated thereunder and any applicable state confidentiality laws. Business Associate and Covered Entity are collectively referred to herein as the “Parties.”

RECITALS

WHEREAS, the Business Associate provides Practice Management Software and data conversion to Covered Entity and its affiliates and, in connection with those services, Business Associate may use or disclose certain individual health information that is subject to protection under the Health Insurance Portability and Accountability Act of 1996, as amended (“HIPAA”), the Privacy Rule, and the Security Rule; and

WHEREAS, the Parties wish to comply with the requirements of: (i) the implementing regulations at 45 C.F.R Parts 160, 162 and 164 (i.e., the HIPAA Privacy, Security, Electronic Transactions, Breach Notification, and Enforcement Rules (“the implementing Regulations”)), (ii) the requirements of the Health Information Technology for Economic and Clinical Health Act, as incorporated in the American Recovery and Reinvestment Act of 2009 (“the HITECH Act”) that are applicable to business associates, and (iii) the requirements of the final modifications to the HIPAA Privacy, Security, Enforcement and Breach Notification Rules as issued on January 25, 2013, and effective [MONTH] 26, 2013 (75 Fed. Reg. 5566 (Jan. 25, 2013)) (“the Final Regulations”).

NOW THEREFORE, in consideration of the mutual covenants and conditions contained herein and other good and valuable consideration, the receipt and sufficiency of which is hereby acknowledged, the Parties agree as follows:

ARTICLE I

DEFINITIONS

1.1 HIPAA Rules Definitions. The following terms used in this Agreement shall have the same meaning as those terms in the HIPAA Rules: Data Aggregation, Disclosure, Health Care Operations, Individual, Minimum Necessary, Notice of Privacy Practices, Protected Health Information, Required by Law, Secretary, Security Incident, Subcontractor, and Use.

1.2 Additional Definitions. The following terms used in this Agreement shall have the meanings provided below.

1.2.1 “Breach” shall mean the unauthorized acquisition, access, use, or disclosure of PHI which compromises the security or privacy of such information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information.

1.2.2 “Business Associate” shall generally have the same meaning as the term “business associate” at 45 CFR 160.103, and in reference to the party to this Agreement, shall mean Greyfinch, LLC.

1.2.3 “Covered Entity” shall generally have the same meaning as the term “covered entity” at 45 CFR 160.103, and in reference to the party to this Agreement, shall mean Customer Name and its affiliates and subsidiaries.

1.2.4 “Designated Record Set” shall mean a group of records maintained by or for a Covered Entity that is: (i) the medical records and billing records about Individuals maintained by or for a covered health care provider; (ii) the enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or (iii) used, in whole or in part, by or for the covered entity to make decisions about Individuals. For purposes of this definition, the term “record” means any item, collection, or grouping of information that includes PHI and is maintained, collected, used, or disseminated by or for a covered entity.

1.2.5 The Privacy Rule and the Security Rule and amendments codified and promulgated by the HITECH Act are referred to collectively herein as “HIPAA Rules.”

1.2.6 “Protected Health Information” or PHI shall mean individually identifiable health information that is transmitted or maintained in any form or medium.

ARTICLE II

PERMITTED USES

2.1 Permitted Uses and Disclosures by Business Associate. Except as otherwise limited in this Agreement, Business Associate may use or disclose Protected Health Information to perform functions, activities, or services for, or on behalf of, Covered Entity as specified in this Agreement (the “Services”), provided that such use or disclosure would not violate the HIPAA Rules if done by Covered Entity or the minimum necessary policies and procedures of the Covered Entity. Also, Business Associate may use PHI to report violations of law to appropriate Federal and State authorities, consistent with the HIPAA Rules.

2.1.1 Use. Business Associate will not, and will ensure that its directors, officers, employees, contractors, and other agents do not, use PHI other than as permitted or required by Business Associate to perform the Services or as required by law, but in no event in any manner that would constitute a violation of the Privacy Standards or Security Standards if used by Covered Entity.

2.1.2 Disclosure. Business Associate will not, and will ensure that its directors, officers, employees, contractors, and other agents do not, disclose PHI other than as permitted pursuant to this Agreement or as required by law, but in no event disclose PHI in any manner that would constitute a violation of the Privacy Standards or Security Standards if disclosed by Covered Entity.

2.1.3 Data Aggregation. In the event that Business Associate works for more than one Covered Entity, Business Associate is permitted to use and disclose PHI for data aggregation purposes, however, only in order to analyze data for permitted health care operations, and only to the extent that such use is permitted under HIPAA Rules.

2.1.4 De-identified Information. Business Associate may use and disclose de-identified health information if the PHI is de-identified in compliance with the HIPAA Rules.

ARTICLE III

OBLIGATIONS OF COVERED ENTITY

3.1 Obligations of Covered Entity. If applicable, Covered Entity shall:

(a) provide Business Associate a copy of its Notice of Privacy Practices (“Notice”) produced by Covered Entity in accordance with 45 C.F.R. 164.520 as well as any changes to such Notice;

(b) provide Business Associate with any changes in, or revocation of, authorizations by Individuals relating to the use and/or disclosure of PHI, if such changes affect Business Associate’s permitted or required uses and/or disclosures;

(c) notify Business Associate of any restriction to the use and/or disclosure of PHI to which Covered Entity has agreed in accordance with 45 C.F.R. 164.522, to the extent that such restriction may affect Business Associate’s use or disclosure of PHI;

(d) not request Business Associate to use or disclose PHI in any manner that would not be permissible under the Privacy Rule if done by the Covered Entity;

(e) notify Business Associate of any amendment to PHI to which Covered Entity has agreed that affects a Designated Record Set maintained by Business Associate;

(f) if Business Associate maintains a Designated Record Set, provide Business Associate with a copy of its policies and procedures related to an Individual’s right to: access PHI; request an amendment to PHI; request confidential communications of PHI; or request an accounting of disclosures of PHI; and,

(g) notify Individuals of any Breach Required by Law.

ARTICLE IV

OBLIGATIONS OF BUSINESS ASSOCIATE

4.1 Obligations of Business Associate. Business Associate agrees to comply with applicable federal and state confidentiality and security laws, specifically the provisions of the HIPAA Rules applicable to business associates. Additionally, when applicable, Business Associate shall:

(a) provide information and training to members of its workforce using or disclosing PHI regarding the confidentiality requirements of the HIPAA Rules and this Agreement;

(b) obtain reasonable assurances from the person or entity to whom the PHI is disclosed that: (a) the PHI will be held confidential and further used and disclosed only as Required by Law or for the purpose for which it was disclosed to the person or entity; and (b) the person or entity will notify Business Associate of any instances of which it is aware in which confidentiality of the PHI has been breached;

(c) notify the designated Privacy Officer of Covered Entity of any instances of which it is aware in which the PHI is used or disclosed for a purpose that is not otherwise provided for in this Agreement or for a purpose not expressly permitted by the HIPAA Rules;

(d) Business Associate shall maintain appropriate safeguards to ensure that PHI is not used or disclosed other than as provided by this Agreement or as required by law. Business Associate shall implement administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of any paper or electronic PHI it creates, receives, maintains, or transmits on behalf of Covered Entity;

(e) Business Associate shall assure that all PHI is secured when accessed by Business Associate’s employees, agents, or subcontractor. Any access to PHI by Business Associate’s employees, agents or subcontractors shall be limited to legitimate business needs while working with PHI;

(f) Business Associate shall ensure that all uses and disclosures of PHI are subject to the principle of “minimum necessary use and disclosure,” i.e., that only PHI that is the minimum necessary to accomplish the intended purpose of the use, disclosure, or request is used or disclosed; and, the use of limited data sets when possible;

(g) If Business Associate discloses PHI received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity, to agents, including a subcontractor, Business Associate shall require the agent or subcontractor to agree to the same restrictions and conditions as apply to Business Associate under this Agreement. Business Associate agrees that, as required by HIPAA, Business Associate will enter into a written agreement with all subcontractors that: (i) requires them to comply with the Privacy and Security Rule provisions of this Agreement in the same manner as required of Business Associate, and (ii) notifies such subcontractors that they will incur liability under the HIPAA Requirements for non-compliance with such provisions. Accordingly, Business Associate shall ensure that all subcontractors agree in writing to the same privacy and security restrictions, conditions and requirements that apply to Business Associate with respect to PHI. Business Associate shall ensure that any agent, including a subcontractor, agrees to implement reasonable and appropriate safeguards to protect the confidentiality, integrity, and availability of the paper or electronic PHI that it creates, receives, maintains, or transmits on behalf of the Covered Entity;

(h) Except as otherwise specified herein, Business Associate shall make available its internal practices, books, and records relating to the use and disclosure of PHI, received from, or created or received on behalf of by Business Associate, Covered Entity to the Secretary or his or her agents for the purpose of determining Covered Entity’s compliance with the HIPAA Rules, or any other health oversight agency, or to Covered Entity;

(i) Business Associate shall abide by the limitations of Covered Entity’s Notice of which it has knowledge. Any use or disclosure permitted by this Agreement may be amended by changes to Covered Entity’s Notice; provided, however, that the amended Notice shall not affect permitted uses and disclosures on which Business Associate relied prior to receiving notice of such amended Notice;

(j) Business Associate expressly recognizes that Covered Entity has certain reporting and disclosure obligations to the Secretary and the Individual in case of a security breach of unsecured PHI. Where Business Associate accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses or discloses unsecured paper or electronic PHI, Business Associate, immediately following the discovery of a breach of such information, shall notify Covered Entity of such breach. Initial notification of the breach does not need to be in compliance with Sub Title D Title IV Section 13402 of the HITECH Act; however, Business Associate must provide Covered Entity with all information necessary for Covered Entity to comply with Sub Title D Title IV Section 13402 of the HITECH Act without reasonable delay, and in no case later than thirty (30) days following the discovery of the Breach.

(k) Business Associate agrees to only use or disclose PHI received by the Business Associate in its capacity as a Business Associate to the Covered Entity for Business Associate’s own operations if:

(i) the use relates to the proper management and administration of the Business Associate or to carry out legal responsibilities of the Business Associate, or data aggregation services relating to the health care operations of the Covered Entity; or

(ii) the disclosure of information received in such capacity will be made in connection with a function, responsibility, or services to be performed by the Business Associate, and such disclosure is required by law or the Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will be held confidential and the person agrees to notify the Business Associate of any breaches of confidentiality.

ARTICLE V

INDIVIDUAL RIGHTS

5.1 Individual Rights Regarding Designated Record Sets. If Business Associate maintains a Designated Record Set on behalf of Covered Entity, Business Associate agrees as follows:

5.1.1 Individual Right to Copy or Inspection. Business Associate agrees that if it maintains a Designated Record Set for Covered Entity that is not maintained by Covered Entity, it will permit an Individual to inspect or copy PHI about the Individual in that set as directed by Covered Entity to meet the requirements of 45 C.F.R. § 164.524. If the PHI is in electronic format, the Individual shall have a right to obtain a copy of such information in electronic format and, if the Individual chooses, to direct that an electronic copy be transmitted directly to an entity or person designated by the individual in accordance with HITECH section 13405(e). Under the Privacy Rule, Covered Entity is required to take action on such requests as soon as possible, but not later than thirty (30) days following receipt of the request. Business Associate agrees to make reasonable efforts to assist Covered Entity in meeting this deadline. The information shall be provided in the form or format requested if it is readily producible in such form or format; or in summary, if the Individual has agreed in advance to accept the information in summary form. A reasonable, cost-based fee for copying health information may be charged. If Covered Entity maintains the requested records, Covered Entity, rather than Business Associate shall permit access according to its policies and procedures implementing the Privacy Rule.

5.1.2 Individual Right to Amendment. Business Associate agrees, if it maintains PHI in a Designated Record Set, to make amendments to PHI at the request and direction of Covered Entity pursuant to 45 C.F.R. 164.526. If Business Associate maintains a record in a Designated Record Set that is not also maintained by Covered Entity, Business Associate agrees that it will accommodate an Individual’s request to amend PHI only in conjunction with a determination by Covered Entity that the amendment is appropriate according to 45 C.F.R. § 164.526.

5.1.3 Accounting of Disclosures. Business Associate agrees to maintain documentation of the information required to provide an accounting of disclosures of PHI, whether PHI is paper or electronic format, in accordance with 45 C.F.R. § 164.528 and HITECH Sub Title D Title VI Section 13405(c), and to make this information available to Covered Entity upon Covered Entity’s request, in order to allow Covered Entity to respond to an Individual’s request for accounting of disclosures. Under the Privacy Rule, Covered Entity is required to take action on such requests as soon as possible but not later than sixty (60) days following receipt of the request. Business Associate agrees to use its best efforts to assist Covered Entity in meeting this deadline but not later than forty-five (45) days following receipt of the request. Such accounting must be provided without cost to the Individual or Covered Entity if it is the first accounting requested by an Individual within any 12 month period; however, a reasonable, cost-based fee may be charged for subsequent accountings if Business Associate informs the individual in advance of the fee and is afforded an opportunity to withdraw or modify the request. Such accounting is limited to disclosures that were made in the six (6) years prior to the request (not including disclosures prior to the compliance date of the Privacy Rule) and shall be provided for as long as Business Associate maintains the PHI.

ARTICLE VI

TERM AND TERMINATION

6.1 Term. This Agreement shall be effective as of the Effective Date of the Integration Agreement and shall be terminated when all PHI provided to Business Associate by Covered Entity, or created or received by Business Associate on behalf of Covered Entity, is destroyed or returned to Covered Entity.

6.2 Termination for Cause. Upon Covered Entity’s discovery of a material breach by Business Associate, Covered Entity shall either:

(a) Provide an opportunity for Business Associate to cure the breach or end the violation, and terminate this Agreement if Business Associate does not cure the breach or end the violation within the time specified by Covered Entity; or

(b) Immediately terminate this Agreement if Business Associate has breached a material term of this Agreement and cure is not possible.

6.3 Effect of Termination. Upon termination of this Agreement for any reason, Business Associate agrees to return or destroy all PHI received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity, maintained by Business Associate in any form. If Business Associate determines that the return or destruction of PHI is not feasible, Business Associate shall inform Covered Entity in writing of the reason thereof, and shall agree to extend the protections of this Agreement to such PHI and limit further uses and disclosures of the PHI to those purposes that make the return or destruction of the PHI not feasible for so long as Business Associate retains the PHI.

ARTICLE VII

INDEMNIFICATION AND INSURANCE

7.1 Indemnification. Business Associate shall indemnify, defend, and hold Covered Entity, its employees, directors, trustees, officers, representatives and agents (collectively, the “Indemnitees”) harmless from and against all claims, causes of action, liabilities, judgments, fines, assessments, penalties, damages, awards or other expenses, of any kind or nature whatsoever, including, without limitation, attorney’s fees, expert witness fees, and costs of investigation, litigation or dispute resolution, incurred by the Indemnitees and relating to or arising out of any breach or alleged breach of the terms of this Agreement by Business Associate.

7.2 Insurance. If Covered Entity requires, Business Associate shall obtain and maintain insurance coverage against improper uses and disclosures of PHI by Business Associate, naming Covered Entity as an additional insured. Promptly following a request by Covered Entity for the maintenance of such insurance coverage, Business Associate shall provide a certificate evidencing such insurance coverage.

ARTICLE VIII

MISCELLANEOUS

8.1 Additional Terms. The following terms shall also apply to this Agreement:

8.1.1 [Reserved.]

8.1.2 Mitigation. If Business Associate violates this Agreement or either of the HIPAA Rules, Business Associate agrees to mitigate any damage caused by such breach.

8.1.3 Survival. The rights and obligations of Business Associate under Section 6.3 of this Agreement shall survive the termination of this Agreement.

8.1.4 Notices. Any notices pertaining to this Agreement shall be given in writing and shall be deemed duly given when personally delivered to a Party or a Party’s authorized representative as listed below or sent by means of a reputable overnight carrier, or sent by means of certified mail, return receipt requested, postage prepaid. A notice sent by certified mail shall be deemed given on the date of receipt or refusal of receipt. All notices shall be addressed to the appropriate Party as follows:

If to Covered Entity:

Greyfinch, LLC

ATTN: Jake Gulick

610 President Clinton Ave

Little Rock, AR 72201

If to Business Associate: at the address for Customer set forth in the Proposal or Order referred to in the Integration Agreement.

8.1.5 Amendment. This Agreement may not be changed or modified in any manner except by an instrument in writing signed by a duly authorized officer of each of the Parties hereto. The Parties, however, agree to amend this Agreement from time to time as necessary, in order to allow Covered Entity to comply with the requirements of the HIPAA Rules.

8.1.6 Choice of Law. This Agreement and the rights and the obligations of the Parties hereunder shall be governed by and construed under the laws of the State of Arkansas without regard to applicable conflict of laws principles.

8.1.7 Assignment of Rights and Delegation of Duties. This Agreement is binding upon and inures to the benefit of the Parties hereto and their respective successors and permitted assigns. However, neither Party may assign any of its rights or delegate any of its obligations under this Agreement without the prior written consent of the other Party, which consent shall not be unreasonably withheld or delayed. Assignments made in violation of this provision are null and void.

8.1.8 Nature of Agreement. Nothing in this Agreement shall be construed to create (i) a partnership, joint venture or other joint business relationship between the Parties or any of their affiliates, (ii) any fiduciary duty owed by one Party to another Party or any of its affiliates, or (iii) a relationship of employer and employee between the Parties.

8.1.9 No Waiver. Failure or delay on the part of either Party to exercise any right, power, privilege or remedy hereunder shall not constitute a waiver thereof. No provision of this Agreement may be waived by either Party except by a writing signed by an authorized representative of the Party making the waiver.

8.1.10 Severability. The provisions of this Agreement shall be severable, and if any provision of this Agreement shall be held or declared to be illegal, invalid or unenforceable, the remainder of this Agreement shall continue in full force and effect as though such illegal, invalid or unenforceable provision had not been contained herein.

8.1.11 No Third Party Beneficiaries. Nothing in this Agreement shall be considered or construed as conferring any right or benefit on a person not party to this Agreement nor imposing any obligations on either Party hereto to persons not a party to this Agreement.

8.1.12 Headings. The descriptive headings of the articles, sections, subsections, exhibits and schedules of this Agreement are inserted for convenience only, do not constitute a part of this Agreement and shall not affect in any way the meaning or interpretation of this Agreement.

8.1.13 Entire Agreement. This Agreement, together with all exhibits, riders and amendments, if applicable, which are fully completed and signed by authorized persons on behalf of both Parties from time-to-time while this Agreement is in effect, constitutes the entire agreement between the Parties hereto with respect to the subject matter hereof and supersedes all previous written or oral understandings, agreements, negotiations, commitments, and any other writing and communication by or between the Parties with respect to the subject matter hereof. In the event of any inconsistencies between any provisions of this Agreement in any provisions of the exhibits, riders, or amendments, the provisions of this Agreement shall control.

8.1.14 Interpretation. Any ambiguity in this Agreement shall be resolved in favor of a meaning that permits Covered Entity to comply with the HIPAA Rules and any applicable state confidentiality laws. The provisions of this Agreement shall prevail over the provisions of any other agreement that exists between the Parties that may conflict with, or appear inconsistent with, any provision of this Agreement or the HIPAA Rules.

8.1.15 Regulatory References. A citation in this Agreement to the Code of Federal Regulations shall mean the cited section as that section may be amended from time-to-time.

8.1.16 Execution. This Agreement is executed through acceptance or execution of the Integration Agreement as provided for therein.