Cloud Services Agreement for SecureLink Services
This Cloud Services Agreement (the “Agreement”) is by and between Imprivata, Inc., a Delaware corporation, with its principal place of business at 20 CityPoint, 6th floor, 480 Totten Pond Rd., Waltham, MA 02451 (“Imprivata”), and you (“Company” or “you”). Collectively, Imprivata and Company may be referred to as the “Parties” or in the singular as “Party”. By accessing and using the Service (defined below) you (either you as an individual or, if the Service will be used by an entity, on behalf of that entity) represent and agree that you have the capacity and authority to bind yourself or, if applicable, the applicable entity, to the terms of this Agreement and agree to be bound by the terms of this Agreement. If you do not agree to the terms of this Agreement, you may not access and use the Service. This Agreement is effective as of the date Company accesses the Service (“Effective Date”). Any terms and conditions in a purchase order (or in any similar document) which are in addition to, or conflict or are inconsistent with these terms are hereby rejected and superseded by the terms contained herein. The Service is protected by copyright laws and international copyright treaties, as well as other intellectual property laws and treaties.
1. Background.
Imprivata provides a cloud solution for remote computer access and support (the “Service”). This Agreement sets forth the terms pursuant to which Imprivata will provide the Services to Company and provide other related services set forth in this Agreement and the Imprivata Quote. The term “Imprivata Quote” or “Quote” means the supplemental document issued by Imprivata, which specifies the Services and any other software and/or hardware which may be purchased by you, and the price associated with each. The term “Services” includes any related services provided by Imprivata to Company as well as the Documentation (as defined below).
2. Services.
2.1 Access and Use. Subject to the timely payment by Company of all applicable fees, Imprivata hereby grants to Company, and Company hereby accepts, a limited, non-exclusive, term-limited, non-transferable, non-sublicensable, right to access and use the Services (including the Documentation) during the Term (defined below) solely (i) in connection with Company’s normal business operations, (ii) in accordance with the documentation provided by Imprivata with the Services (the “Documentation”), and (iii) subject to any limitations set forth in this Agreement or in the Quote (or its equivalent if purchasing through an authorized reseller).
2.2 Use by Employees and Contractors. Employees or authorized independent contractors of Company may access and use the Service provided that all such use shall be solely for the benefit of Company and in accordance with the terms and conditions of this Agreement. Company shall ensure that its employees and any independent contractors comply with the terms and conditions contained in this Agreement. Company shall remain fully liable for all acts and omissions of its employees and independent contractors, as if such acts and omissions had been committed by Company itself. The Services may not be used by Company to facilitate remote access by its employees or contractors to Company’s own systems unless Company has purchased an internal use license.
2.3 Service and System Control. Except as otherwise expressly provided in this Agreement, as between the parties:
(a) Imprivata has and will retain sole responsibility for the operation, provision, maintenance, and management of the Imprivata Materials. “Imprivata Materials” means the Services, Documentation, and Imprivata’s systems and any and all other information, data, documents, materials, works, and other content, devices, methods, processes, hardware, software, and other technologies and inventions, including any deliverables, technical or functional descriptions, requirements, plans, or reports, that are provided or used by Imprivata or any subcontractor in connection with the Services or otherwise comprise or relate to the Services or Imprivata’s systems.
(b) Company has and will retain sole responsibility for the operation, maintenance, and management of, and all access to and use of, the Company Systems (as defined below), and sole responsibility for all access to and use of the Imprivata Materials by any person by or through the Company Systems or any other means controlled by Company or any Company authorized user, including any: (i) information, instructions, or materials provided by any of them to the Services or Imprivata; (ii) results obtained from any use of the Services or Imprivata Materials; and (iii) conclusions, decisions, or actions based on such use. “Company Systems” means Company’s information technology infrastructure, including computers, software, databases, electronic systems (including database management systems), and networks, whether operated directly by Company or through the use of third-party services.
2.4 Limitations. Company shall not, and shall not permit any other person to, access or use the Services or Imprivata Materials except as expressly permitted by this Agreement. For purposes of clarity and without limiting the generality of the foregoing, Company shall not, except as this Agreement expressly permits: (i) decompile, reverse engineer, decode, or disassemble the Imprivata Materials or otherwise attempt to reduce or access the Imprivata Materials to a human perceivable form in whole or in part; (ii) decrypt, circumvent, bypass, breach, or disable any security or other technological features or measures of the Imprivata Materials; (iii) access or attempt to access or use the Services for purposes of competitive analysis of the Services or Imprivata Materials, the development, provision, or use of a competing software service or product or any other purpose that is to Imprivata’s detriment or commercial disadvantage; (iv) copy, publish, release, rent, lease, loan, sell, distribute, or transfer the Imprivata Materials; (iv) frame or mirror any content forming part of the Imprivata Materials; (v) use or permit the use of the Imprivata Materials for commercial time-sharing arrangements or providing service bureau, data processing, rental, or other services to any third party; (vi) alter, modify, adapt, translate, or create derivative works based upon the Imprivata Materials either in whole or in part; (vii) remove any copyright notice or other proprietary rights notices that may appear in or on the Imprivata Materials; (viii) perform any security or penetration testing of the Imprivata Materials; (ix) input, upload, transmit, or otherwise provide to or through the Services, any information or materials that are unlawful or injurious, or contain, transmit, or activate any virus, trojan horse, or other malicious code; (x) damage, destroy, disrupt, disable, impair, interfere with, or otherwise impede or harm in any manner the Services, Imprivata Systems, or Imprivata’s provision of services to any third party, in whole or in part; or (xi) use the Services to harass any person; cause damage or injury to any person or property; publish any material that is false, defamatory, harassing or obscene; violate privacy rights; promote bigotry, racism, hatred or harm; send unsolicited bulk e-mail, junk mail, spam or chain letters; infringe property rights; or otherwise violate applicable laws, ordinances or regulations. Company will use the Services in compliance with all applicable laws and regulations, and refrain from any unethical conduct or any other conduct that tends to damage the reputation of Imprivata. However, where Company has other rights under statute that make any portion of the foregoing contractual prohibition void, Company agrees to provide Imprivata with reasonably detailed information regarding any intended disassembly or de-compilation. Company may not access the Services if Company is a direct competitor of Imprivata. With any mission-critical activity, the Services should not be Company’s only means of receiving or providing remote support, and Company acknowledges and agrees that it is responsible for taking steps to protect against system failures, including (without limitation) providing back-up remote access methods.
2.5 Service Usage and Data Storage. Exhibit A sets forth Fees for designated levels of usage and data storage (each a “Service Allocation”) for the applicable Services, beginning with the Fees payable by Company for the levels of usage and data storage in effect as of the Effective Date. Imprivata will use commercially reasonable efforts to notify Company in writing if Company has reached 80 percent of its then current Service Allocation and Company may increase its Service Allocation. Company acknowledges that if it exceeds its Service Allocation by (i) exceeding Company’s network usage, then its access to the Services will be throttled or (ii) exceeding storage limits, then audit data will automatically be deleted.
2.6 Reservation of Rights. Nothing in this Agreement grants any right, title, or interest in or to (including any license under) any intellectual property rights in or relating to, the Services or Imprivata Materials whether expressly, by implication, estoppel, or otherwise. Imprivata (and its licensors) retains all title, interest, and ownership rights in and to the Imprivata Materials and reserves all rights not expressly granted to Company in this Agreement. If Company provides any suggestions, ideas, enhancement requests, feedback (including identifying potential errors and improvements), recommendations or other information relating to the Services to Imprivata (collectively “Feedback”), then Imprivata may use the Feedback without payment or restriction. The Imprivata name, the Imprivata logo, and the product names associated with the Services are trademarks of Imprivata, and no right or license is granted to use them. Company will not accrue any rights (including residual rights) to the Services or Imprivata Materials or any related technology, including any rights to the underlying intellectual property rights.
3. Additional Services; Updates; Company Obligations.
3.1 Services. As part of the Services, Imprivata will provide Company with the implementation, training, and support services identified in the Quote (or its equivalent if purchasing through an authorized reseller).
3.2 Updates. Imprivata may update the Imprivata Materials from time to time. The terms “Services,” “Imprivata Materials,” and “Documentation” shall include all updates provided by Imprivata.
3.3 Company Obligations. Company shall at all times during the Term: (a) set up, maintain, and operate in good repair all Company Systems on or through which the Services are accessed or used; (b) provide Imprivata with such access to Company Systems as is necessary for Imprivata to perform the Services in accordance with this Agreement; and (c) provide all cooperation and assistance as Imprivata may reasonably request to enable Imprivata to exercise its rights and perform its obligations under and in connection with this Agreement. Imprivata is not responsible or liable for any delay or failure of performance caused in whole or in part by Company’s delay in performing, or failure to perform, any of its obligations under this Agreement.
4. Account Information and Data.
4.1 “Company Data” means any data, information or material provided or submitted to the Services by the Company in the course of using the Services. “Resultant Data” means data and information related to Company’s use of the Services that is used by Imprivata in an aggregate and anonymized manner, including to compile statistical and performance information related to the provision and operation of the Services. For the avoidance of doubt, Imprivata Materials includes (and Company Data excludes) Resultant Data and any other information reflecting the access or use of the Services by or on behalf of Company. In furtherance of the foregoing, Company hereby unconditionally and irrevocably grants to Imprivata an assignment of all right, title, and interest in and to the Resultant Data. Terms such as controller, processor, process or processing, data subject, data exporter, and data importer that are not defined in this Agreement shall have the meanings provided by applicable law.
4.2 Imprivata does not own any Company Data. Company, not Imprivata, shall have sole responsibility for the accuracy, quality, integrity, legality, reliability, appropriateness, and intellectual property ownership or right to use of all Company Data and Imprivata shall not be responsible or liable for the deletion, correction, destruction, damage, or loss of any data that result from Company’s actions. Imprivata is not responsible for restoring lost data or damage to Company Data that results from Company’s actions. Company hereby grants to Imprivata a non-exclusive, fully-paid and royalty-free license to reproduce, distribute, perform, display and otherwise use the Company Data as necessary or reasonable to provide, protect, improve, and develop the Services to Company as described herein and to collect, compile and use De-identified information collected in the performance of the Services (“Benchmarking Statistics”), for the purpose of analyzing and reporting the effectiveness of and any trends in corporate ethics and compliance programs according to industry, company size, country, geographic region or other relevant classification or for other uses as Imprivata may decide. “De-identified information” means data or information that neither identifies nor provides a reasonable basis to identify a company or an individual, where, without limitation, the following identifiers have been removed: company names and the names of individuals, addresses, account numbers, social security numbers, phone numbers, e-mail address(es) and any other information which could reasonably be anticipated to identify, when taken in the aggregate, a specific company, organization or individual. Company shall have no right to access or use Imprivata’s aggregate Benchmarking Statistics. 
Company represents and warrants that: (i) Company owns or otherwise has the right to grant the license set forth in this section for the Company Data, (ii) the Company Data, and provision of Company Data to Imprivata under this Agreement, does not violate the privacy rights, publicity rights, copyright rights, or other rights of any person or entity, and (iii) Company shall use the Services in compliance with applicable laws. Company is responsible for any security vulnerabilities, and the consequences of such vulnerabilities, arising from Company Data, including any viruses, Trojan horses, worms or other harmful programming routines contained in Company Data.
4.3 To the extent Company Data includes Personal Data (as defined in the Data Processing Addendum attached to this Agreement as Addendum A), Imprivata and Company will comply with the Data Processing Addendum. If the Parties execute a Business Associate Agreement and Company Data includes Electronic Protected Health Information (as defined in the Business Associate Agreement), Imprivata and Company will comply with the Business Associate Agreement. Company is solely responsible for determining whether the Service enables Company to comply with laws applicable to Company.
4.4 The Imprivata Systems are programmed to perform routine data backups in the form of daily snapshots. Imprivata may update this backup policy from time to time. In the event of any loss, destruction, damage, or corruption of Company Data caused by the Imprivata Systems or Services, Imprivata will, as its sole obligation and liability and as Company’s sole remedy, use commercially reasonable efforts to restore the Company Data from Imprivata’s then most current backup of such Company Data.
5. Fees.
5.1 Fees. Unless purchasing through an authorized reseller, upon execution of the Quote, Company will pay Imprivata the fees for the Services set forth in the Quote for the first Contract Year. “Contract Year” shall mean the first twelve month period immediately following the Effective Date and each subsequent twelve month period thereafter. The fees for each subsequent Contract Year will be calculated in accordance with the Quote. Imprivata may invoice for each Contract Year beginning thirty days prior to the start of the Contract Year. Fees are determined based on the usage of the Services during the preceding Contract Year. Accordingly, any increase in Company’s use of the Services (e.g., more Concurrent Connections or use by more Vendors, as applicable) will require payment of additional fees for the subsequent Contract Year in accordance with the Quote. Imprivata may update the per-unit pricing for any Renewal Term (as defined below) by providing Company written notice at least ninety days prior to the end of the then-current Term. The following terms may be used in the Quote in calculating the applicable fees:
- “Average Peak Usage” for any given Contract Year means the number calculated by averaging the peak number of Concurrent Connections during the three highest months of the applicable Contract Year.
- “Concurrent Connections” means the total number of simultaneous connections on the Services at any one time.
- “Site” shall mean a single physical location unless otherwise defined in the Quote (or its equivalent if purchasing through an authorized reseller).
- A “Vendor” means a single entity using the Services to access Company’s systems.
5.2 Payment of Fees. Imprivata shall sell to Company and Company shall purchase from Imprivata the Services as set forth in the applicable Imprivata Quote (or its equivalent if purchasing through an authorized reseller). Imprivata will invoice Company for the total purchase price set forth on the Imprivata Quote. Company will pay invoices within 30 days of each invoice date. All purchases are non-cancellable and non-refundable. Imprivata may withhold shipments and cease providing any services until past-due payments are made. Late payments are subject to a charge of the lesser of 1.5% per month or the maximum allowed by law during such time as any payment is late as well as collection costs, including reasonable collection and attorney’s fees. Prices do not include, and Company shall be responsible for, all applicable taxes of any kind due in respect of the transactions contemplated by this Agreement, except taxes on Imprivata's net income.
6. Term and Termination.
6.1 Term. The initial term of this Agreement will begin on the Effective Date and continue for the number of Contract Years indicated on the Quote (or its equivalent if purchasing through an authorized reseller) (the “Initial Term”). This Agreement will automatically renew for subsequent one-year periods (each a “Renewal Term”) unless either Party gives the other Party written notice of termination at least sixty days prior to the end of the then-current Term. The Initial Term together with all Renewal Terms are referred to in this Agreement as the “Term.”
6.2 Termination. Either Party may terminate this Agreement by written notice if the other Party materially breaches this Agreement and fails to cure the breach within thirty days of receiving written notice specifying the breach in reasonable detail.
6.3 Effect of Termination. Upon termination Company shall have no further right to access the Services or Imprivata Materials. Imprivata will use commercially reasonable efforts to make Company Data available to Company to download in the format in which it is stored by Imprivata.
6.3 Survival. Sections 2.2, 2.3, 2.4, and 8.3, and Articles 4, 5, 6, 7, 9, 10 and 11 shall survive any termination or expiration of this Agreement, regardless of the cause of termination.
7. Confidentiality.
7.1 Confidentiality. “Confidential Information” means any confidential or proprietary information of a Party (the “Discloser”) that is disclosed in any manner to the other Party (the “Recipient”) in connection with this Agreement and that at the time of disclosure either (i) is marked as being “Confidential” or “Proprietary,” (ii) is otherwise reasonably identifiable as the confidential or proprietary information of Discloser, or (iii) under the circumstances of disclosure should reasonably be considered as confidential or proprietary information. Imprivata’s “Confidential Information” shall include all features and functionality of the Services or Imprivata Materials and the results of any benchmark or other tests of the Services or Imprivata Materials. Recipient shall not disclose Discloser’s Confidential Information to any third party without Discloser’s prior written approval; provided, that, Recipient may disclose the Confidential Information to its employees, contract personnel, subcontractors, officers, directors, shareholders, consultants, agents, attorneys, accountants, or advisors (collectively, “Representatives”) who need to know such information for the purposes of this Agreement, provided that such Representatives shall be informed by Recipient of the confidential nature of the Confidential Information and shall have agreed in writing to terms and conditions as protective of the Confidential Information as those in this Agreement. Recipient shall use the same procedures to protect Discloser’s Confidential Information as it uses to protect its own Confidential Information, but in any event no less than commercially reasonable procedures.
7.2 Exclusions. The restrictions under Section 7.1 above shall not apply to information that: (i) Recipient independently develops without use of Discloser’s Confidential Information; (ii) was, at the time of disclosure, already known to Recipient without restriction on use or disclosure and was not obtained from Discloser; (iii) is lawfully disclosed to Recipient without restriction on use or disclosure by a third party who is not required to maintain its confidentiality; or (iv) is publicly available through no fault of the Recipient.
7.3 Ownership of Confidential Information. The Confidential Information of Discloser is and will remain the property of Discloser. Nothing in this Agreement grants or confers any rights to Recipient by license or otherwise in Discloser’s Confidential Information, except as expressly provided in this Agreement.
7.4 Remedies Upon Breach. Recipient agrees that in the event of a breach or threatened breach of this Agreement, Discloser may have no adequate remedy in money damages and, accordingly, will be entitled to seek an injunction against such breach, in addition to any other legal or equitable remedies available to Discloser.
7.5 Legally Required Disclosure. If Recipient is legally required to disclose any of Discloser’s Confidential Information, then it may do so provided that Recipient (i) provides prompt written notice to Discloser (to the extent permitted by law), (ii) provides all reasonably requested assistance to Discloser in attempting to limit the scope of the disclosure, and (iii) only discloses Discloser’s Confidential Information to the extent actually required by law.
8. Warranties and Disclaimers.
8.1 Mutual Representations and Warranties. Each Party represents and warrants that: (i) it has the legal power to enter into this Agreement; (ii) the signatory hereto has the authority to bind the applicable organization; and (iii) when executed and delivered, this Agreement will constitute the legal, valid, and binding obligation of such Party, enforceable in accordance with its terms, subject to bankruptcy, insolvency, moratorium, reorganization, or similar laws affecting the rights of creditors generally and the availability of equitable remedies.
8.2 Additional Imprivata Warranty. Imprivata represents and warrants that the Services will conform to the Documentation in all material respects during the Term and that all Services will be performed in a professional and workmanlike manner. COMPANY’S EXCLUSIVE REMEDY, AND IMPRIVATA’S ENTIRE LIABILITY, FOR ANY BREACH OF THIS SECTION 8.2 OR THE FAILURE OR UNAVAILABILITY OF THE SERVICES, IS LIMITED TO, AT IMPRIVATA’S OPTION, THE REPAIR OF ANY MATERIAL, REPRODUCIBLE IMPAIRMENT TO THE FEATURES AND FUNCTIONALITY IN THE SERVICES (OR DEFECTIVE PORTION OF THE SERVICES), REPERFORMANCE OF THE SERVICES, OR REFUNDING THE FEES PAID TO IMPRIVATA FOR THE DEFICIENT SERVICES FOR THE THEN-CURRENT CONTRACT YEAR, IN WHICH CASE, COMPANY SHALL IMMEDIATELY RETURN AND CEASE USE OF THE SERVICES.
8.3 DISCLAIMERS. EXCEPT AS OTHERWISE SPECIFICALLY PROVIDED HEREIN AND TO THE MAXIMUM EXTENT PERMITTED BY LAW, IMPRIVATA EXPRESSLY DISCLAIMS ANY AND ALL WARRANTIES, CONDITIONS, REPRESENTATIONS, AND GUARANTEES WITH RESPECT TO THE IMPRIVATA MATERIALS AND THE SERVICES, WHETHER EXPRESS OR IMPLIED, ARISING BY LAW, USAGE OF TRADE, COURSE OF DEALING, COURSE OF PERFORMANCE, PRIOR ORAL OR WRITTEN STATEMENTS, OR OTHERWISE, INCLUDING ANY WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. WITHOUT LIMITING THE FOREGOING, IMPRIVATA DOES NOT WARRANT (I) THAT THE IMPRIVATA MATERIALS OR THE SERVICES WILL BE FREE FROM ANY INTERRUPTIONS, DELAYS, INACCURACIES, SERVER DOWN-TIME, ERRORS, OR OMISSIONS, (II) THE PERFORMANCE OR RESULTS COMPANY MAY OBTAIN BY RECEIVING OR USING THE SERVICES OR THE IMPRIVATA MATERIALS, OR (III) THE IMPRIVATA MATERIALS OR THE SERVICES WILL MEET COMPANY’S REQUIREMENTS. NO REPRESENTATION OR OTHER AFFIRMATION OF FACT, INCLUDING STATEMENTS REGARDING CAPACITY, SUITABILITY FOR USE, OR PERFORMANCE OF THE IMPRIVATA MATERIALS OR ANY SERVICES, NOT CONTAINED IN THIS AGREEMENT SHALL BE DEEMED TO BE A WARRANTY, CONDITION, REPRESENTATION, OR GUARANTY BY IMPRIVATA.
9. LIMITATIONS OF LIABILITY.
9.1 LIMITATION OF LIABILITY. EXCEPTING ONLY IN THE EVENT OF A BREACH BY YOU OF SECTION 2 (“SERVICES”) OR A BREACH BY EITHER PARTY OF SECTION 7 (“CONFIDENTIALITY”), NEITHER PARTY IS LIABLE FOR INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, EXEMPLARY OR PUNITIVE DAMAGES OR LOST PROFITS, FORESEEABLE OR UNFORESEEABLE, OF ANY KIND (INCLUDING, WITHOUT LIMITATION, LOSS OF GOODWILL, LOST OR DAMAGED DATA OR SOFTWARE, LOSS OF USE OF PRODUCTS, OR DOWNTIME) ARISING FROM THE SALE, DELIVERY OR USE OF THE APPLIANCES, PERFORMANCE OF ANY SERVICES OR ANY OTHER ACT, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. IMPRIVATA'S MAXIMUM LIABILITY TO YOU, WHETHER BASED ON WARRANTY, CONTRACT, TORT (INCLUDING NEGLIGENCE), PRODUCT LIABILITY OR OTHERWISE, WILL NOT EXCEED THE FEES PAID AND PAYABLE BY YOU DURING THE PRECEDING TWELVE MONTH PERIOD. MONETARY DAMAGES AS LIMITED BY THIS SECTION SHALL SERVE AS YOUR SOLE AND EXCLUSIVE REMEDY FOR ANY CLAIM UNDER THIS AGREEMENT FOR WHICH AN EXCLUSIVE REMEDY IS NOT PROVIDED, AND AS YOUR SOLE AND EXCLUSIVE ALTERNATIVE REMEDY SHOULD ANY EXCLUSIVE REMEDY HEREUNDER BE FOUND TO FAIL OF ITS ESSENTIAL PURPOSE. NO LIMITATION AS TO DAMAGES FOR PERSONAL INJURY IS HEREBY INTENDED.
THE DISCLAIMER OF WARRANTIES AND LIMITATIONS OF LIABILITY CONTAINED IN THIS AGREEMENT ARE FUNDAMENTAL PARTS OF THE BASIS OF IMPRIVATA’S BARGAIN HEREUNDER, AND COMPANY ACKNOWLEDGES THAT SUCH PROVISIONS REPRESENT A REASONABLE ALLOCATION OF RISK.
9.2 Jurisdictions Preventing Limitation or Exclusion of Warranty or Liability. Since some states do not allow certain limitations or exclusions of warranties or liability, some or all of the limitations and exclusions set forth in Sections 8.3 and 9.1 above may be held unenforceable as applied to Company. In such cases, Imprivata’s liability shall be limited to the greatest extent permitted under applicable law.
10. Indemnification.
10.1 Claims Related to the Service. Provided that Company complies with the procedures set forth in Section 10.5 and subject to Section 10.2, Imprivata will, at Imprivata’s expense, defend and/or settle any claim, suit or proceeding brought by a third party against Company or Company’s officers, directors, employees, agents and affiliates (collectively, “Company Parties”) alleging that the Services, as provided by Imprivata, infringes any copyright, trademark, trade secret or patent protectable under U.S. law that is issued as of the date of this Agreement. In addition, Imprivata will pay any judgment awarded against Company or any settlement amount agreed to by Imprivata and, subject to Section 10.5, any authorized expenses incurred by Company all in relation to the indemnified claim. This indemnity shall be the Company’s exclusive remedy with respect to any claim of infringement.
10.2 Exclusions. Imprivata will have no obligation under Section 10.1 with respect to any claim of infringement arising out of or based upon: (i) Company Data used with the Services or otherwise, (ii) use of the Services in any manner other than as expressly authorized and contemplated in this Agreement and the Documentation, (iii) the combination of the Services with any other software, hardware, material, or processes, or (iv) Company otherwise causing the Services to become infringing.
10.3 Injunction. If Imprivata reasonably believes that a claim of infringement relating to the Services may arise, Imprivata may, without limiting Imprivata’s indemnity obligations hereunder, procure the right for Company to continue to use the Services or modify the Services in a functionally equivalent manner so as to avoid such claim of infringement. If the foregoing options are not available on commercially reasonable terms and conditions, Imprivata may immediately terminate the Agreement and refund to Company a prorated amount of prepaid fees for access to the Services actually paid by Company for the remainder of the then-current Contract Year.
10.4 Claims Related to Company Data. Provided that Imprivata complies with the procedures set forth in Section 10.5, Company will, at Company’s expense, defend and/or settle any claim, suit or proceeding brought by a third party against Imprivata or Imprivata’s officers, directors, employees, agents and affiliates (collectively, “Imprivata Parties”) and arising out of or related to Company Data or any Company breaches of Sections 2.4 or 4.2. In addition, Company will pay any judgment awarded against Imprivata or any settlement amount agreed to by Company and, subject to Section 10.5, any authorized expenses incurred by Imprivata all in relation to the indemnified claim.
10.5 Procedure. If one Party (the “Indemnitee”) receives any notice of a claim or other allegation with respect to which the other Party (the “Indemnitor”) has an obligation of indemnity hereunder, then the Indemnitee will, within 15 days of receipt of such notice, give the Indemnitor written notice of such claim or allegation setting forth in reasonable detail the facts and circumstances surrounding the claim. The Indemnitee will not make any payment or incur any costs or expenses with respect to such claim, except as requested by the Indemnitor or as necessary to comply with this procedure. The Indemnitee will not make any admission of liability or take any other action that limits the ability of the Indemnitor to defend the claim. The Indemnitor shall immediately assume the full control of the defense or settlement of such claim or allegation, including the selection and employment of counsel, and shall pay all authorized costs and expenses of such defense. The Indemnitee will fully cooperate, at the expense of the Indemnitor, in the defense or settlement of the claim. The Indemnitee shall have the right, at its own expense, to employ separate counsel and participate in the defense or settlement of the claim. The Indemnitor shall have no liability for costs or expenses incurred by the Indemnitee, except to the extent authorized by the Indemnitor or pursuant to this procedure.
11. General Provisions.
11.1 Relationship of the Parties; Third Party Beneficiaries. This Agreement does not create a partnership, franchise, joint venture, agency, fiduciary, or employment relationship between the parties. There are no third-party beneficiaries to this Agreement.
11.2 Force Majeure. Neither Party is responsible for delays or failures to perform its responsibilities under this Agreement (other than payment of money due) due to causes beyond its reasonable control, including: acts of God; acts of government; flood; fire; earthquakes; tornadoes; civil unrest; acts of terror; strikes or other labor problems; computer, telecommunications, internet service provider, or hosting facility failures or delays involving hardware, software, or power systems; pandemic or disease; denial of service attacks; or power failures.
11.3 Attorney’s Fees. The prevailing Party in disputes concerning this Agreement shall be entitled to the costs of collections and enforcement, including but not limited to reasonable attorney’s fees, court costs and all necessary expenses. Notwithstanding anything in this Agreement to the contrary, in the event of Company’s bankruptcy or insolvency, Imprivata will be entitled to recover from Company Imprivata’s costs and expenses, including, without limitation, reasonable attorneys’ fees and costs, that Imprivata incurs enforcing and/or otherwise protecting Imprivata’s rights and remedies under this Agreement or amendments and modifications thereto.
11.4 Company Trademarks. Company agrees that Imprivata can list Company on Imprivata’s website as a customer of Imprivata and hereby grants Imprivata a limited, non-exclusive license to copy and display Company’s logo or trademark on Imprivata’s website in connection with its customer list. Imprivata will provide samples of use upon request and will modify the use as reasonably requested by Company.
11.5 Notices. Any notices or other communications required to be given in writing under this Agreement (“Notices”) shall be in writing and addressed to the parties at the addresses set forth on the first page of this Agreement (or to such other address that may be designated by the receiving party from time to time in accordance with this section). Notices must be delivered by personal or courier delivery (with all fees prepaid), or certified or registered mail (in each case, return receipt requested, postage prepaid). Except as otherwise provided in this Agreement, a Notice is effective only upon receipt by the receiving party.
11.6 Waiver and Cumulative Remedies. No failure or delay by either Party in exercising any right under this Agreement shall constitute a waiver of that right. Other than as expressly stated herein, the remedies provided are in addition to, and not exclusive of, any other remedies available at law or in equity.
11.7 Invalidity. If any provision of this Agreement is determined to be illegal or unenforceable, then the provision will be deemed to be restated to reflect as nearly as possible the original intentions of the parties in a manner that complies with applicable law. The remainder of this Agreement, if capable of substantial performance, will remain in full force and effect.
11.8 Assignment. Neither Party may assign this Agreement or any of its rights or obligations hereunder, whether by operation of law or otherwise, without the prior written consent of the other Party, which shall not be unreasonably withheld. Notwithstanding the foregoing, Imprivata may assign this Agreement in its entirety, without the consent of Company, in connection with a merger, acquisition, corporate reorganization, or sale of all or substantially all of Imprivata’s assets. Any attempt by a Party to effect an assignment in breach of this Section 11.8 shall be void. Subject to the foregoing, this Agreement shall be binding upon and inure to the benefit of the parties, their respective successors, and permitted assigns.
11.9 Governing Law; Venue. This Agreement and the rights and obligations of the parties will be governed by and construed in accordance with the laws of the Commonwealth of Massachusetts in the United States. The United Nations Convention on Contracts for the International Sale of Goods and the Uniform Computer Information Transactions Act (UCITA) as adopted by any state are specifically excluded from application hereunder.
11.10 Case Study. Company agrees to reasonably cooperate with Imprivata to serve as a reference account upon request and to allow a case study to be developed about Company’s experience (e.g. in video or text form), which Imprivata may publish or otherwise use for marketing purposes.
11.11 Entire Agreement; Amendment. This Agreement, including the Quote, constitutes the entire agreement between the parties with respect to the subject matter set forth herein, and supersedes all prior and contemporaneous agreements, proposals, or representations, written or oral, concerning its subject matter. No terms, provisions, or conditions of any purchase order, acknowledgement, check, or other business form that Company may use in connection with the acquisition or licensing of the Service will have any effect on the rights, duties, or obligations of the parties under this Agreement, regardless of any failure of Imprivata to object to such terms, provisions, or conditions. The Quote and this Agreement shall be read together as a single agreement so as to give effect to all terms in both documents to the extent possible. To the extent there is a direct conflict between this Agreement and the Imprivata Quote, the Imprivata Quote shall control. As used in this Agreement, the terms “including,” “include,” and “includes” are not limiting and shall be deemed to be followed by the phrase “without limitation.” Use of the terms “hereunder,” “herein,” “hereby,” and similar terms refer to this Agreement. No modification, amendment, or waiver of any provision of this Agreement shall be effective unless in writing and signed by both parties hereto.
11.12 Export. Company agrees to comply with all U.S. export and re-export control laws and regulations and the U.S. economic sanctions, including the Export Administration Regulations (“EAR”) administered by the U.S. Department of Commerce, the laws and regulations administered by the U.S. Department of the Treasury’s Office of Foreign Assets Control, and the International Traffic in Arms Regulations (“ITAR”) administered by the U.S. Department of State, and not cause Imprivata to violate the same. Notwithstanding anything contained in this Agreement to the contrary, Company shall not export or import, directly or indirectly, the Imprivata Materials or information pertaining thereto to or from any country (such as Cuba, Iran, North Korea, Sudan, or Syria), to which such export or import is restricted or prohibited or as to which such government or any agency thereof requires a license or other governmental approval at the time of export or import without first obtaining such license or approval. Furthermore, Company agrees to cooperate as requested by Imprivata to ensure compliance with any such export or import restrictions. Company agrees to hold harmless and defend, to the fullest extent permitted by law, at Imprivata’s option, Imprivata and its successors and assigns from and against any fines, penalties, judgments, settlements, and reasonable documented costs, including attorney’s fees, that may arise as a result of a failure to comply with this Section 11.12 by Company’s agents, officers, directors or employees.
11.13 Governmental Use. If Company is a branch or agency of the United States Government or a contractor thereto, then the following provision applies. The Imprivata Materials are comprised of “commercial computer software” and “commercial computer software documentation” as such terms are used in 48 C.F.R. 12.212 (Sept. 1995) and are provided to the Government (i) for acquisition by or on behalf of civilian agencies, consistent with the policies set forth in 48 C.F.R. 12.212; or (ii) for acquisition on behalf of the Department of Defense consistent with the policies set forth in 48 C.F.R. 227.7202-1 (Aug. 1995) and 227.7202-3 (Aug. 1995).
Exhibit A
1. Service Allocation Chart for Imprivata Enterprise Access
2. Service Allocation Chart for Imprivata Customer Connect
Addendum A
Data Processing Addendum
This Data Processing Addendum ("DPA") shall be supplemental to the Agreement to which it is attached and apply to the extent of Imprivata’s Processing of Company Personal Data in connection with the provision of the Software or Services. To the extent of any direct conflict between any provisions of this DPA and the provisions of the Agreement, the provisions of this DPA shall prevail. The terms defined in the Agreement shall have the same meaning in this DPA except as otherwise defined herein.
1. DEFINITIONS
1.1 In this DPA, the terms "Personal Data", "Controller", "Processor", "Data Subject", "Process" and "Supervisory Authority" shall have the same meaning as set out in the GDPR or other applicable Data Protection Laws with equivalent terms, and the following words and expressions shall have the following meanings unless the context otherwise requires:
1.2 "Company Personal Data" means the personal data described in Appendix 1 of Exhibit 1, and any other Personal Data that Imprivata Processes on behalf of Company in connection with Imprivata's provision of the Services.
1.3 "Data Protection Laws" means the EU General Data Protection Regulation 2016/679 of the European Parliament and of the Council ("GDPR"), any other European Union legislation relating to personal data and all other global legislation and regulatory requirements in force from time to time which apply to a party relating to the use of Personal Data (including, without limitation, the privacy of electronic communications); and all applicable legislation protecting the fundamental rights and freedoms of persons and their right to privacy with regard to the Processing of Company Personal Data.
1.4 "European Economic Area" or "EEA" means the Member States of the European Union together with Iceland, Norway, and Liechtenstein.
1.5 "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, any Company Personal Data that compromises the security, confidentiality or integrity of such Company Personal Data.
1.6 "Standard Contractual Clauses" means the Standard Contractual Clauses (processors) approved by the European Commission Decision C(2010)593 or any subsequent version thereof released by the European Commission (which will automatically apply); and which includes Exhibit 1 to this DPA.
1.7 "Subprocessor" means any Processor engaged by Imprivata to Process Company Personal Data on Imprivata’s behalf.
2. DATA PROCESSING
2.1 Imprivata will only Process Company Personal Data in accordance with:
- the Agreement and any Quote, to the extent necessary to provide the Services to Company; and
- Company's written instructions, unless Processing is required by applicable European Union or Member State law to which Imprivata is subject, in which case Imprivata shall, to the extent permitted by applicable law, inform Company of that legal requirement before so Processing that Company Personal Data.
2.2 The Agreement and any Quote (subject to any changes to the Services), and this DPA, shall be Company's complete and final instructions to Imprivata in relation to the Processing of Company Personal Data.
2.3 Processing outside the scope of this Agreement will require prior written agreement between Company and Imprivata on additional instructions for Processing.
2.4 Company shall provide all applicable notices to Data Subjects required under applicable Data Protection Laws for the lawful Processing of Company Personal Data by Imprivata in accordance with the Agreement. Company shall obtain and maintain throughout the term of the Agreement any required notices, consents and/or authorizations related to its provision of, and Imprivata’s processing of, Company Personal Data as part of the Services.
2.5 Company acknowledges that Imprivata is reliant on Company for direction as to the extent to which Imprivata is entitled to use and Process Company Personal Data. Consequently, Imprivata will not be liable for any claim brought against Company by a Data Subject arising from any act or omission by Imprivata to the extent that such act or omission resulted from Company's instructions or Company's use of the Services.
2.6 Unless set forth in a Quote, Company Data may not include any sensitive or special data that imposes specific data security or data protection obligations on Imprivata in addition to or different from those specified in the Documentation or which are not provided as part of the Services.
2.7 If applicable Data Protection Laws recognize the roles of “controller” and “processor” as applied to Company Personal Data then, as between Company and Imprivata, Company acts as controller and Imprivata acts as a processor (or subprocessor, as the case may be) of Company Personal Data and Imprivata is controller of Resultant Data and Benchmarking Statistics.
2.8 As required by applicable Data Protection Laws, if Imprivata believes any Company instructions to Process Company Personal Data will violate applicable Data Protection Laws, or if applicable Data Protection Laws require Imprivata to process Company Personal Data relating to data subjects in the EEA or other applicable jurisdictions in a way that does not comply with Company’s documented instructions, Imprivata shall notify Company in writing, unless applicable Data Protection Laws prohibit such notification, and provided Imprivata is not responsible for performing legal research or providing legal advice to Company.
2.9 Imprivata shall Process Company Personal Data for the duration of the provision of Services in accordance with the Agreement and thereafter only as set forth in the Agreement and this DPA.
2.10 Each Party will comply with Data Protection Laws applicable to such Party in connection with the Agreement and this DPA.
3. SUBPROCESSORS
3.1 Consent to Subprocessor Engagement. Company generally authorizes the engagement of third parties as Subprocessors.
3.2 Information about Subprocessors. A current list of Subprocessors is available here ("Subprocessor List") and may be updated by Imprivata from time to time in accordance with this DPA. Company may sign up to receive notices of additions to the Subprocessor List by completing the email sign-up process on the Subprocessor List web page referenced above.
3.3 Requirements for Subprocessor Engagement. When engaging any Subprocessor, Imprivata will:
3.4 execute with Subprocessors a written agreement providing:
- the Subprocessor only Processes Company Personal Data to the extent required to perform the obligations subcontracted to it and does so in accordance with the Agreement and this DPA; and
- the Subprocessor utilize the same level of data protection and security with regard to its Processing of Company Personal Data as are described in this DPA.
3.5 remain responsible for the performance of the Subprocessors’ obligations in compliance with the terms of this DPA and Data Protection Laws.
3.6 Opportunity to Object to Subprocessor Changes. Company may, on reasonable and objective grounds, object to Imprivata's use of a new Subprocessor by providing Imprivata with written notice within fifteen (15) days after Imprivata has provided notice to Company as described herein with documentary evidence that reasonably shows that the Subprocessor does not or cannot comply with the requirements in this DPA or Data Protection Laws ("Objection"). In the event of an Objection, Company and Imprivata will work together in good faith to find a mutually acceptable resolution to address such Objection, including but not limited to reviewing additional documentation supporting the Subprocessor’s compliance with the DPA or Data Protection Laws. To the extent Company and Imprivata do not reach a mutually acceptable resolution within a reasonable timeframe, Imprivata will use reasonable endeavors to make available to Company a change in the Services, or will recommend a commercially reasonable change to the Services to prevent the applicable Subprocessor from Processing Company Personal Data. If Imprivata is unable to make available such a change within a reasonable period of time, which shall not exceed thirty (30) days, Company shall have the right to terminate the relevant Services (i) in accordance with the termination provisions in the Agreement; (ii) without liability to Company or Imprivata, and (iii) without relieving Company from its payment obligations under the Agreement up to the date of termination.
4. INTERNATIONAL TRANSFERS
4.1 In accordance with Company’s instructions under Sections 2.1 and 2.2, Imprivata may access and Process Company Personal Data on a global basis as necessary to perform the Services, including for IT security purposes, maintenance and performance of the Services and related infrastructure, technical support, and change management.
4.2 To the extent that the Processing of Company Personal Data by Imprivata involves the transfer of such Personal Data from the EEA to a country or territory outside the EEA, other than a country or territory that has received a binding adequacy decision as determined by the European Commission (an "EEA Transfer"), such EEA Transfer shall be governed by the Standard Contractual Clauses (with its applicable Appendices attached as Exhibit 1) where Company shall be deemed to have signed in its capacity of “data exporter” and Imprivata in its capacity as “data importer,” or other binding and appropriate transfer mechanisms that provide an adequate level of protection in compliance with Data Protection Laws. In the event of any conflict between any terms in the Standard Contractual Clauses and this DPA, the Standard Contractual Clauses shall prevail.
4.3 To the extent that the Processing of Company Personal Data by Imprivata involves the transfer of such Personal Data from Argentina to a country or territory outside Argentina, other than a country or territory that has received a binding adequacy decision as determined by the National Directorate for Personal Data Protection (an "Argentina Transfer"), such Argentina Transfer shall be governed by the Argentinean Model Clauses incorporated herein by reference or other binding and appropriate transfer mechanisms that provide an adequate level of protection in compliance with Data Protection Laws. In the event of any conflict between any terms in the Argentinean Model Clauses and this DPA, the Argentinean Model Clauses shall prevail.
5. DATA SECURITY, AUDITS AND SECURITY NOTIFICATIONS
5.1 Imprivata Security Obligations. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Imprivata shall implement appropriate technical and organizational measures designed to ensure a level of security appropriate to the risk of the Processing, including the measures set out in Appendix 2 of Exhibit 1. To the extent Imprivata has completed a SOC 2 assessment, Company may request no more than once per year, and Imprivata shall provide, an attestation letter regarding the SOC 2 assessment.
5.2 Security Audits.
- Imprivata will, upon Company’s written request, verify its compliance with its obligations in this DPA by first providing to Company for its review documentation regarding the same and, if such documentation is not reasonably sufficient to address Company’s inquiries, participate in and contribute to audits as set forth below.
- Company may, upon reasonable notice and at reasonable times, audit (either by itself or using independent third party auditors) Imprivata's compliance with the security measures set out in this DPA (including the technical and organizational measures as set out in Appendix 2 of Exhibit 1). Imprivata shall assist with and contribute to any audits conducted in accordance with this Section 5.2. Such audits may be carried out once per year, or more often if required by Data Protection Law or Company’s applicable Supervisory Authority.
- Any third party engaged by Company to conduct an audit must be pre-approved by Imprivata (such approval not to be unreasonably withheld) and sign Imprivata’s confidentiality agreement. Company must provide Imprivata with a proposed audit plan at least two weeks in advance of the audit, after which Company and Imprivata shall discuss in good faith and finalize the audit plan prior to commencement of audit activities.
- Audits may be conducted only during regular business hours, in accordance with the finalized audit plan and Imprivata’s security and other policies, and may not unreasonably interfere with Imprivata’s regular business activities. Company shall reimburse Imprivata for any costs or expenses incurred by Imprivata in granting access to its data processing facilities.
- Information obtained or results produced in connection with an audit are Imprivata confidential information and may only be used by Company to confirm compliance with this DPA and for complying with its requirements under Data Protection Laws.
- In lieu of Company auditing any Imprivata Subprocessors, Company may request that Imprivata audit a Subprocessor or provide confirmation that such an audit has occurred (or, where available, obtain or assist Company in obtaining a third-party audit report concerning the Subprocessor’s operations) to verify compliance with the Subprocessor’s obligations. Company may additionally request in writing and Imprivata shall provide copies of the relevant privacy and security terms from Imprivata’s agreement with any applicable Subprocessors.
- Without prejudice to the rights granted in Section (b) above, if the requested audit scope is addressed in a SOC, ISO, NIST, PCI DSS, HIPAA or similar audit report or attestation letter issued by a qualified third party auditor within the prior twelve months and Imprivata provides such report or attestation letter to Company confirming there are no known material changes in the controls audited, Company agrees to accept the findings presented in the third party audit report or attestation letter in lieu of requesting an audit of the same controls covered by the report.
5.3 Upon Company's written request, Imprivata shall make available all information reasonably necessary to demonstrate compliance with this DPA as required by Data Protection Laws.
5.4 Personal Data Breach Notification.
- If Imprivata or any Subprocessor becomes aware of and determines a Personal Data Breach has occurred, Imprivata will:
- notify Company of the Personal Data Breach promptly, and at the latest within seventy-two (72) hours after such determination, at the contact information on file, where such notification shall describe (1) the nature of the Personal Data Breach including where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned; (2) the reasonably anticipated consequence of the Personal Data Breach; (3) measures taken to mitigate any possible adverse effects; and (4) other information concerning the Personal Data Breach reasonably known or available to Imprivata that Company is required to disclose to a Supervisory Authority or Data Subjects under Data Protection Laws; and
- investigate the Personal Data Breach and provide such reasonable assistance to the Client (and any law enforcement or regulatory official) as required to investigate the Personal Data Breach.
5.5 Except as required by applicable Data Protection Laws, the obligations set out in Section 5.4 shall not apply to Personal Data Breaches caused by Company.
5.6 Company and Imprivata shall work together in good faith within the timeframes for Company to provide Personal Data Breach notifications in accordance with Data Protection Laws to finalize the content of any notifications to Data Subjects or Supervisory Authorities, as required by Data Protection Laws.
5.7 Imprivata Employees and Personnel. Imprivata shall treat Company Personal Data as the Confidential Information of Company, and shall put procedures in place to ensure that:
- access to Company Personal Data is limited to those employees or other personnel who have a business need to have access to such Company Personal Data; and
- any employees or other personnel with access to Company Personal Data have committed themselves to confidentiality of Company Personal Data or are under an appropriate statutory obligation of confidentiality and do not Process such Company Personal Data other than in accordance with this DPA.
6. ACCESS REQUESTS AND DATA SUBJECT RIGHTS
6.1 Data Subject Requests.
- Save as required (or where prohibited) under applicable law, Imprivata shall promptly notify Company of any request received by Imprivata or any Subprocessor from a Data Subject in respect of their Personal Data included in Company Personal Data, and shall not respond to the Data Subject, where the Data Subject identifies Company as its Data Controller. If a Data Subject does not identify a Data Controller, Imprivata will instruct the Data Subject to identify and contact the relevant Data Controller.
- Imprivata shall, where possible and provided Company follows Imprivata’s procedures for requesting such assistance including submitting a support ticket, and taking into account the nature of the processing, use reasonable endeavors to assist Company with its obligations in connection with handling Data Subject access requests under applicable Data Protection Laws by:
- providing Company with the ability to correct, delete, block, access or copy the Personal Data of a Data Subject, or
- if functionality or other means under (a) are not available, Company may submit a support request for Imprivata to correct, delete, block, access or copy Company Personal Data within Imprivata Services at Company's request on its behalf.
6.2 Government Disclosure. Imprivata shall promptly notify Company of any request for the disclosure of Company Personal Data by a governmental or regulatory body or law enforcement authority (including any Supervisory Authority) unless otherwise prohibited by law or a legally binding order of such body or agency and without responding to such request unless otherwise required by applicable law (including to provide acknowledgement of receipt of the request).
6.3 Data Subject Rights. Where applicable, and taking into account the nature of the Processing, Imprivata shall use reasonable endeavors to assist Company by implementing other appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Company’s obligation to respond to Data Subject requests as required by the GDPR.
7. DATA PROTECTION IMPACT ASSESSMENT AND PRIOR CONSULTATION
7.1 To the extent required under applicable Data Protection Laws, Imprivata shall provide reasonable assistance to Company with any data protection impact assessments and with any prior consultations to any Supervisory Authority of Company, in each case solely in relation to Processing of Company Personal Data and taking into account the nature of the Processing and information available to Imprivata, including by providing Company with documentation regarding its Processing operations.
8. RETRIEVAL AND DELETION OF PERSONAL DATA
8.1 Retrieval and Deletion of Personal Data. Subject to Section 8.2 below, Imprivata shall:
- make available to Company a complete copy of Company Personal Data then available in the Services in electronic format for ninety (90) days after termination or expiration of the Agreement (“Retrieval Period”); and
- after such Retrieval Period, delete and use all reasonable efforts to procure the deletion of all other copies of Company Personal Data Processed by Imprivata or any Subprocessors, and where deletion is not possible, sufficiently de-identify Company Personal Data such that it is no longer Personal Data, except if required or permitted by applicable law or for compliance, audit, or security purposes.
8.2 Legally Required Retention of Personal Data. Imprivata and its Subprocessors may retain Company Personal Data to the extent required by applicable laws and only to the extent and for such period as required by applicable laws and always provided that Imprivata shall protect the confidentiality of all such Company Personal Data and shall Process such Company Personal Data only as necessary for the purpose(s) specified in the applicable laws requiring its storage and for no other purpose.
9. CALIFORNIA CONSUMER PRIVACY ACT (“CCPA”)
9.1 Generally, Imprivata processes Personal Data as a service provider for customers who are typically the organization with the direct relationship with individual end users using the Services. Therefore, in addition to other exceptions under the CCPA that may apply (including for employees, contractors and business contacts), Imprivata’s processing of Personal Data as a service provider may not involve a “sale” of Personal Data of a consumer as defined by the CCPA.
9.2 To the extent that Imprivata processes any Personal Data of any consumer covered by the CCPA under the Agreement, and that such processing is not otherwise exempt under the CCPA, Imprivata confirms it is generally acting as a service provider under the Agreement. Except to the extent permitted under the CCPA, or otherwise required by applicable laws or regulations, to protect Imprivata’s legal rights, to protect security, or to improve the Services, including other products and services, of Imprivata, Imprivata is prohibited from:
- “selling” (as such term is defined in the CCPA) Personal Data received by Imprivata in connection with the processing of Personal Data under the Agreement;
- retaining, using or disclosing Personal Data received by Imprivata under the Agreement for any purpose other than:
- providing Services under the Agreement;
- retaining and employing another service provider as a Subprocessor;
- for internal use in building products or services or improving the quality of products or services;
- detecting data security incidents, or protecting against fraudulent or illegal activity; or
- purposes enumerated in Civil Code section 1798.145, subsections (a)(1) through (a)(4), and
- retaining, using or disclosing such Personal Data outside of the direct business relationship between Imprivata and Company.
9.3 Pursuant to the CCPA, Imprivata certifies that it understands these restrictions and will comply with them with respect to any Personal Data of any consumer covered by the CCPA that is processed by Imprivata under the Agreement, where such processing is not otherwise exempt under the CCPA.
EXHIBIT 1
APPENDIX 1
DETAILS OF THE TRANSFER FORMING PART OF THE STANDARD CONTRACTUAL CLAUSES
Data exporter
The data exporter is Company.
Data importer
The data importer is Imprivata, Inc.
Data subjects
The personal data transferred concern the following categories of data subjects: Employees, contractors, and other personnel of Data Importer and its vendors, suppliers, partners, and affiliates.
Categories of data
The personal data transferred concern the following categories of data:
- First and last name
- IP address
- Information contained in any screen captures or recorded user sessions for users using the Service (optional)
Processing operations
The personal data transferred will be subject to the following basic processing activities: transmitting, collecting, storing and using data in order to provide the Service to Company, and any other activities related to the provision of the Service or specified in the Agreement. The subject matter of the processing includes providing software-as-a-service for remote computer access and support (“SaaS Application”).
Special categories of data (if appropriate):
The Personal Data transferred concern the following special categories of data: Data Importer does not require any special categories of data in order to provide the Services. Unless otherwise specified in the Agreement, Data Exporter shall not provide and must receive prior written consent of Data Importer before transferring any special categories of data or sensitive data to Data Importer.
APPENDIX 2
TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES
Description of the technical and organizational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) (or document/legislation attached):
- Data Importer maintains internal policies and procedures, or procures that its Subprocessors do so, which are designed to:
  - (a) secure any Personal Data Processed by Data Importer against accidental or unlawful loss, access or disclosure;
  - (b) identify reasonably foreseeable and internal risks to security and unauthorized access to the Personal Data Processed by Data Importer;
  - (c) minimize security risks, including through risk assessment and regular testing.
- Data Importer’s security measures include, for example:
  - Use of Linux-based minimal hardened operating systems in the Appliance
  - SaaS Application utilizes hardened SSH services including ephemeral 2048-bit SSH keys, ACLs, mutual authentication, and strong encryption
  - Session source validation such as rotating RSA keys and validation of incoming IPs
  - Whitelisted shell access to the Appliance
  - Stateful Traffic Inspecting (SPI) Firewall utilized to control inbound and outbound traffic to the Appliance
  - IP connection limitations provide Denial of Service protection for the Appliance
  - Inline Intrusion Prevention Systems for the Appliance
  - Static (and regularly updated) IP Blacklists limit traffic into and out of the Appliance
  - Dynamic IP Blacklist detects malicious traffic to the Appliance
  - Appliance accesses SaaS Application through a Web Application Firewall (WAF)
  - In addition to the WAF, the SaaS Application has a web security filter
  - Antivirus software embedded into the Appliance
  - Files on the Appliance are hashed and logged to a local database
  - Appliance employs MACL controls via SELinux
  - All above security services on the Appliance log to its local syslog
  - Data Importer server, user, and client agents all employ FIPS-validated cryptographic modules for all encryption activity
- Additional detail regarding Data Importer’s technical and organizational security measures may be found via the Data Importer intranet site available to customers.