Exhibit 10.1
AMENDMENT 9
[form version 2015-12-31]
SIGNATURE PAGE
|
Agreement Name and Date
|
Amended and Restated Value-Added Reseller Agreement, dated September 2, 2010
(together with any prior amendments, the “Agreement”)
|
Salesforce Entity Name
|
salesforce.com, inc. (“SFDC” or “Salesforce”)
|
Salesforce Address
|
The Landmark @ One Market, Suite 300 San Francisco, California 94105
|
Reseller Full Legal Name
|
Veeva, Inc.
(“Reseller”)
|
Reseller Address
|
4280 Hacienda Dr., Pleasanton, California 94588
By signing where indicated below, SFDC and Reseller have agreed to amend the Agreement by way of this Amendment (“Amendment”). SFDC and Reseller are each a “Party” and collectively the “Parties” to the Agreement and this Amendment. This Amendment is effective as of the later of the dates beneath the Parties’ signatures below (“Amendment Effective Date”), provided, however, that if the dates of the signatures are separated by a period of time greater than 30 days, then this Amendment will be null and void. Capitalized terms not defined herein shall have the meanings given to them in the Agreement.
The Parties, by their respective authorized signatories, have duly executed this Amendment as of the Amendment Effective Date.
|
SFDC
|
|
Reseller
|
|
|
|
|
|
By:
|
/s/ Joslyn Lacy
|
|
By:
|
/s/ Josh Faddis
|
Name:
|
Joslyn Lacy
|
|
Name:
|
Josh Faddis
|
Title:
|
Manager, Order Management
|
|
Title:
|
General Counsel
|
Date:
|
August 11, 2016
|
|
Date:
|
Aug 1, 2016
This Amendment consists of this Signature Page and the following Recitals and Amendment Terms & Conditions, as well as Exhibit G attached hereto and incorporated by reference herein.
Page 1 of 5
Recitals
WHEREAS, SFDC and Reseller desire to amend certain terms of the Agreement.
WHEREAS, other than as expressly modified in this Amendment, the Parties desire for the terms of the Agreement to remain unchanged and continue in full force and effect.
NOW, THEREFORE, in consideration of the mutual promises set forth herein and in the Agreement, and for other good and valuable consideration the receipt and sufficiency of which is hereby acknowledged, the Parties hereby agree as follows:
Terms & Conditions
|
1.
|
Business Associate Addendum. The Business Associate Addendum attached hereto and incorporated by reference herein is hereby added to the Agreement as Exhibit G.
|
2.
|
Effect of Amendment. Subject to the above modifications, the Agreement remains in full force and effect.
|
3.
|
Entire Agreement. The terms and conditions herein contained constitute the entire agreement between the Parties with respect to the subject matter of this Amendment and supersede any previous and contemporaneous agreements and understandings, whether oral or written, between the Parties hereto with respect to the subject matter hereof.
|
4.
|
Counterparts. This Amendment may be executed in one or more counterparts, including facsimiles or scanned copies sent via email or otherwise, each of which will be deemed to be a duplicate original, but all of which, taken together, will be deemed to constitute a single instrument.
(End of Amendment Terms & Conditions)
Page 2 of 5
Exhibit G HIPAA BUSINESS ASSOCIATE ADDENDUM
This HIPAA Business Associate Addendum (this “Addendum”) is made a part of, and incorporated into, the Agreement. The purpose of this Addendum is to implement certain of the requirements of the Health Insurance Portability and Accountability Act of 1996 and the rules and regulations promulgated thereunder as supplemented and amended by the requirements of Subtitle D of the Health Information Technology for Economic and Clinical Health (HITECH) Act provisions of the American Recovery and Reinvestment Act of 2009 and the rules and regulations promulgated thereunder (collectively, “HIPAA”). A capitalized term not defined herein shall have the meaning ascribed to that term in the Agreement, or, if any such term has no meaning ascribed in the Agreement, then such term shall have the meaning ascribed to it under HIPAA.
WHEREAS, the parties acknowledge that those regulations include both the federal privacy regulations, as amended from time to time, issued pursuant to HIPAA and codified at 45 CFR Parts 160 and 164 (Subparts A & E) (the “Privacy Rule”) and the federal security regulations, as amended from time to time, issued pursuant to HIPAA and codified at 45 CFR Parts 160 and 164 (Subparts A & C) (the “Security Rule”).
WHEREAS, in the course of providing the OEM Services to Reseller Customers on Reseller’s behalf, pursuant to the Agreement, SFDC may, on behalf of such Reseller Customers, receive, maintain or transmit information entered into the OEM Services as Customer Data that constitutes Protected Health Information, as defined in 45 CFR §160.103 (the “PHI” as used herein), and as a result may, for certain purposes and under certain circumstances, be deemed a Business Associate (as such term is defined in 45 CFR §160.103) of Reseller under HIPAA. For clarity, neither SFDC nor its Subcontractors “create” Protected Health Information in the provision of the OEM Services. This Addendum governs Reseller’s and SFDC’s respective responsibilities with respect to such PHI as and when SFDC acts as a Business Associate of Reseller, including SFDC’s Use and Disclosure of PHI, as such terms are defined in 45 CFR §160.103.
Whereas, the obligations set forth herein are not applicable to Heroku products or services, including the Heroku OEM Services.
Accordingly, the parties agree as follows:
|
1.
|
Use and Disclosure of PHI by Reseller. Reseller shall Use and Disclose PHI only as permitted by HIPAA. Reseller shall not authorize, request or require SFDC to Use or Disclose PHI in any manner that would violate HIPAA if the Use or Disclosure were carried out by Reseller except as permitted under HIPAA and set forth in this Addendum.
|
2.
|
Use and Disclosure of PHI by SFDC. SFDC shall Use or Disclose PHI only in the manner and for the purposes set forth in this Addendum and not in any other manner or for any other purposes. Reseller hereby authorizes SFDC to do the following:
|
|
(i)
|
Use and Disclose PHI as necessary to provide the OEM Services, to prevent or address service or technical problems and, as may be set forth in the Agreement, to help resolve technical support issues; and
|
|
(ii)
|
Use and Disclose PHI as Required by Law.
Page 3 of 5
|
3.
|
Protection of PHI. In connection with its receipt, maintenance or transmission of PHI on behalf of Reseller, SFDC agrees to do the following:
|
|
(i)
|
in accordance with 45 CFR § 164.502(e)(1), ensure that any Subcontractors that receive, maintain or transmit PHI on behalf of SFDC agree to restrictions and conditions no less restrictive than those that apply to SFDC in this Addendum with respect to such PHI;
|
|
(ii)
|
use appropriate administrative, technical and physical safeguards, and comply, where applicable, with the Security Rule with respect to any PHI that constitutes Electronic Protected Health Information, to prevent Use or Disclosure of PHI other than as provided for by this Addendum; and
|
|
(iii)
|
to the extent SFDC is to carry out the Reseller’s obligations under the Privacy Rule, comply with the requirements of the Privacy Rule that apply to the Reseller in the performance of those obligations; notwithstanding the foregoing, the parties acknowledge that, under the Agreement and this Addendum, unless otherwise agreed upon by the parties in writing, SFDC has no obligations to carry out any of Reseller’s obligations under the Privacy Rule.
|
4.
|
Breach Notification.
|
|
(i)
|
SFDC shall report to Reseller any Use or Disclosure of PHI not provided for in this Addendum of which SFDC becomes aware, including any Breach of Unsecured Protected Health Information in accordance with 45 CFR § 164.410. In addition, SFDC shall provide to the Reseller all information required by 45 CFR § 164.410(c) to the extent known and provide any additional available information reasonably requested by Customer for purposes of investigating the Breach. For purposes of this Addendum, “Breach” means the acquisition, access, Use or Disclosure of PHI in a manner not permitted by the Privacy Rule that compromises the security or privacy of the PHI as defined, and subject to the exclusions set forth, in 45 CFR § 164.402.
|
|
(ii)
|
SFDC shall be required to report to Reseller, without unreasonable delay, only successful Security Incidents pertaining to the PHI of which SFDC becomes aware. Throughout the term of the applicable Service Order, SFDC will make information regarding unsuccessful Security Incident attempts available to active Reseller Customers’ Users with appropriate administrative rights via the “Login History” feature.
|
5.
|
Access by HHS. SFDC shall make its internal practices, books and records relating to the Use and Disclosure of PHI available to the Secretary of the United States Department of Health and Human Services for purposes of determining the Reseller Customer’s compliance with HIPAA.
|
6.
|
Individual Access Requests. SFDC shall forward any requests SFDC receives from an Individual for access to the Individual’s PHI that is entered in the OEM Services to which Reseller or Reseller Customer, as the case may be, shall respond in accordance with the requirements of 45 CFR § 164.524. By virtue of providing the OEM Services, SFDC shall make available to Reseller all PHI that is entered in the OEM Services, including PHI about an Individual, to facilitate compliance with the requirements of 45 CFR § 164.524.
|
7.
|
Individual Amendment Requests. SFDC shall forward any requests SFDC receives from an Individual for amendments to the Individual’s PHI that is entered in the OEM Services. SFDC shall not be responsible for responding to requests by Individuals for amendment to their PHI in accordance with HIPAA. By virtue of providing the OEM Services, SFDC shall make available all PHI that is entered in the OEM Services by Reseller Customer, including any PHI required to be made available for amendment in accordance with 45 CFR § 164.526.
|
8.
|
Individual Accounting Requests. SFDC shall in accordance with and as required by 45 CFR § 164.504(e)(2) document Disclosures of PHI made by SFDC and maintain information related to such
Page 4 of 5
|
Disclosures. SFDC shall make related information reasonably available to Reseller to assist Reseller, comply with its legal obligations under 45 CFR § 164.528 and for Reseller to respond to requests by Individuals for an accounting of Disclosures of their respective PHI.
|
9.
|
Heroku. For the avoidance of doubt, the obligations set forth under this Addendum do not apply to any Heroku products or services, including the Heroku OEM Services.
|
10.
|
Termination. SFDC has no obligation to retain Customer Data following thirty days after termination of a Reseller Customer’s final Service Order with Reseller. Reseller shall advise Reseller Customers that such customers have thirty (30) days from the date of termination of their final Service Order subscription term in which to request a copy of their Customer Data, which will be made available by SFDC to such Customer in a .csv format. Any modifications to such Customer Data made by the Reseller Application outside of the SFDC Service (if any) will not be captured in such Customer Data and the return of any such modified data shall be the responsibility of Reseller. If return or destruction of Customer Data that constitutes PHI is not feasible, SFDC shall extend the protections of this Addendum to that Customer Data and limit further Uses and Disclosures of that Customer Data to those purposes that make the return or destruction of the Customer Data infeasible.
|
11.
|
Non-Compliance. In the event either party becomes aware that the other party has engaged in a pattern of activity or practice that constitutes a material breach or violation of this Addendum, the nonbreaching party may request in writing that the breaching party cure the breach or violation. If the breach or violation is not cured within 30 days of the written notice, the non-breaching party may terminate this Addendum and the Agreement.
|
12.
|
General
|
|
12.1
|
Regulatory References. A reference in this Addendum to a section in HIPAA means the section as then in effect or as amended.
|
|
12.2
|
Communications. SFDC may, in its discretion, fulfill certain communication obligations to Reseller hereunder by making such communications to the Reseller Customer on Reseller’s behalf. Such communications may include the following: forwarding a request or making certain information available.
Amendment. The parties shall take such action as is necessary to amend the Agreement and this Addendum from time to time as is necessary for the parties to comply with changes to the rules and regulations under HIPAA. If the parties cannot agree as to a necessary amendment, either party may terminate the Agreement and this Addendum with 30 days prior written notice to the other party.
|
|
12.4
|
Interpretation. Any ambiguity in this Addendum shall be resolved to permit the parties to comply with HIPAA.
Page 5 of 5