Exhibit 10.26
DP#510975
CPD#6000185
MICROSOFT HEALTHVAULT SOLUTION PROVIDER AGREEMENT
Microsoft
Business Name: | Microsoft Corporation
Street Address: | One Microsoft Way
City, State, Zip Code: | Redmond, WA 98052-6399
Microsoft Business Contact: | Name: Beatrice Pang; Phone: 425 707 8995; Email: bpang@microsoft.com
Microsoft Technical Contact: | Name: Kalpita Deobhakta; Phone: 425 703 8268; Email: kalpitad@microsoft.com
Send a copy of all notices via fax to: | Legal & Corporate Affairs, Health Solutions Group Fax no. (425) 936-7329
Company
Business Name: | Vemics, Inc.
Form of Business organization: | Corporation
Place of organization (if incorporated): | Nevada
Street Address: | 3600 Bee Caves Road, Suite 216
City, State, Zip Code: | Austin, Texas, 78746
Company Business Contact: | Name: Tom C. Dorsett; Phone: (512) 791-0003; Fax: (512) 233-5190; Email: tdorsett@vemics.com
Company Technical Contact: | Name: John Dogru; Phone: (512) 382-4312; Fax: (512) 233-5190; Email: idogru@vemics.com
Additional Contact for Notice (if applicable): | Name: Fred Zolla; Fax: (512) 233-5190; Email: fzolla@vemics.com
Agreement Effective Date: | February 15, 2008
Microsoft DealPoint No.: |
By signing below, Microsoft and Company agree to enter into this Agreement. Each
Party represents and warrants to the other that it has the authority to enter
into this Agreement, and that it has all rights necessary to perform under this
Agreement. The Parties agree that if the Agreement Effective Date is not filled
in above, the Agreement Effective Date will be the later of the two signature
dates filled in below. Each Party is responsible for its own costs and expenses
associated with this Agreement except as otherwise provided in this Agreement or
as may be otherwise agreed in writing by their authorized
representatives.
Microsoft | Company
Signature: /s/ Nate McLemore | Signature: /s/ Tom C. Dorsett
Print Name: Nate McLemore | Print Name: Tom C. Dorsett
Print Title: Director of Business Development | Print Title: President of Healthcare Solutions
Date: 2/20/08 | Date: 2/19/08
1. DEFINITIONS.
Wherever used in this Agreement, these terms have the following defined
meanings:
Affiliate means an entity that
directly or indirectly controls, is controlled by, or is under common control
with a Party, where "control" means ownership of more than a 50% interest of
voting securities in a Party, or the ability to direct the management and
policies of a Party whether through contract or otherwise.
Agreement means this Microsoft
HealthVault Solution Provider Agreement (including Exhibits), as it may be
amended from time-to-time.
Company Solutions means
Company's hardware, software, services or other solutions that are compatible
with HealthVault and more fully described in Exhibit A.
End-User Data means the
personal information and other data of an End-User that Company accesses,
transmits or stores in connection with a HealthVault Account.
End-User means a custodian of,
and other users to whom a custodian grants access to, a HealthVault
Account.
HealthVault means Microsoft's
online health platform that enables an End-User and their designees to collect,
store, retrieve, manage and use personal health information and other
health-related data.
HealthVault Account means the
End-User initiated and controlled online account holding End-User defined and
controlled information within HealthVault.
HealthVault Requirements means
(a) any requirements included in Exhibit A; and (b) the Operating Requirements
and Privacy Requirements.
HealthVault Technology means
HealthVault, and any other technology provided by Microsoft for Company's use in
connection with HealthVault, including any software development kit(s),
application programming interface(s), hosted database(s), and any associated
software, hardware, and documentation.
Microsoft means Microsoft
Corporation and its Affiliates involved in the development and/or operation of
HealthVault.
Operating Requirements means
the then current minimum requirements for operation with HealthVault (the
current version of which is attached as Exhibit B).
Party or Parties means
Microsoft or Company individually or collectively, as the context
requires.
Privacy Requirements means the
then current minimum privacy requirements for HealthVault (the current version
of which is attached as Exhibit C).
Provider Page means the
Web-pages hosted on HealthVault that list HealthVault compatible
solutions.
Term means the period
described in Section 6 (Term and Termination).
2. DEVELOPMENT AND DEPLOYMENT OF COMPANY SOLUTIONS.
2.1 Compatibility.
Company Solutions must comply with the HealthVault Requirements. Company will
not offer or knowingly allow use of Company Solutions for other than
health-related purposes.
2.2 Evaluation.
Microsoft will assess Company Solutions prior to enabling Company Solutions
access to HealthVault. Microsoft may require Company to make modifications or
error corrections to Company Solutions for compliance, interoperability,
usability or performance with HealthVault prior to deployment.
2.3 Deployment. If
Microsoft determines in its discretion that the Company Solutions meet the
HealthVault Requirements, then Microsoft will enable Company Solutions to access
HealthVault.
2.4 Provider Page.
If Company Solutions are approved for deployment, then Microsoft will place on
the Provider Page information provided by Company about Company Solutions, which
information may include a hypertext link to Company's web site. The size and
placement of the information will be at Microsoft's sole discretion. Microsoft
may change the type of information allowed or required on the Provider Page. The
Provider Page may include branding, content, data, text and other information
from both Microsoft and third parties.
2.5 Microsoft Support. Microsoft
will make available online technical information, access to a HealthVault
development environment, and publicly available development forums. Additional
Microsoft technical support may be provided via e-mail or, on Company's request
and subject to availability, at Microsoft's then-current published hourly rates
for scheduled technical services. Company's support requests must be
communicated via the Company Technical Contact identified
above.
3. ACCESS TO HEALTHVAULT.
3.1 Revisions. Microsoft may
revise the Operating Requirements and Privacy Requirements on 30 days prior
written notice which may be provided via email to the Company contacts above.
Microsoft may release new versions of HealthVault and the HealthVault
Technologies at any time in its sole discretion.
3.2 Review of Company
Solutions. Microsoft has the right but not the obligation to evaluate
Company's Solutions for continued compliance with the terms of this Agreement.
Company will cooperate with Microsoft in any such evaluation by providing
information, records, data and other materials reasonably requested. Microsoft
will notify Company of, and Company will promptly remedy any material
nonconformities.
3.3 Suspension of Company
Solutions. Microsoft may suspend, until remedied, access between
HealthVault and Company Solutions at any time on written notice (which may be
provided via email to the Company contacts above) for material failure to comply
with HealthVault Requirements.
3.4 Suspension of HealthVault.
Microsoft may suspend operation or access to relevant portion(s) of HealthVault
during any period Microsoft believes it is unable to prevent unauthorized access
or other threats to the security and integrity of End-User
Data.
3.5 No Third Party Access.
Company shall not re-sell, or otherwise allow third parties to access or use
HealthVault or HealthVault Technology without express prior written permission
of an authorized Microsoft representative.
3.6 Compliance with Laws.
HealthVault does not hold designated record sets as defined under the U.S.
Health Insurance Portability and Accountability Act of 1996 and the regulations
promulgated thereunder (HIPAA), nor medical records as defined under state law.
If Company provides healthcare-related services that are regulated under state
or federal law, Company acknowledges and agrees that (i) Microsoft is not a
business associate for purposes of HIPAA, (ii) Microsoft does not act as
Company's agent, (iii) Company will not use data located in a HealthVault
Account as the basis for any decisions about individuals, but will make such
decisions only using a copy of End User Data received and copied into Company's
own system, and (iv) Company is responsible for determining the form of and
obtaining consent and/or authorization, if any, required by HIPAA, state or
other laws or regulations prior to transmitting any End User Data to
HealthVault. Each Party is responsible for compliance with all laws, rules, and
regulations applicable to its products and services in all jurisdictions in
which they are anticipated to be used, manufactured and/or
sold.
4. LICENSES.
4.1 Company Solutions. Company
grants to Microsoft for the Term and a commercially reasonable wind-down period
thereafter, on a non-exclusive and royalty-free basis, all rights necessary to
enable Microsoft to test, integrate and deploy Company Solutions with
HealthVault and to perform all obligations and services described in this
Agreement.
4.2 Marks. Each Party grants
to the other for the Term and a commercially reasonable wind-down period
thereafter, on a non-exclusive and royalty-free basis, the rights necessary to
use, reproduce, and display the trademarks, logos, or similar identifiers
provided hereunder ("Marks"), only as described in
this Agreement. Company will comply with all branding and user interface
requirements and restrictions that accompany Microsoft Marks. Microsoft will
comply with any Company branding requirements and restrictions agreed to in
Exhibit A. Neither Party will use the other Party's Marks to (i) imply
endorsement, sponsorship, or affiliation by the other Party except as allowed by
this Agreement or (ii) to disparage the other Party or its products or services.
All goodwill will inure to the benefit
of the Party that provides the Mark. Each Party will correct and remedy any
deficiencies in its use of the other Party's Marks promptly after
notice.
4.3 Company Input. If Company
provides Microsoft with comments or suggestions about HealthVault Technology
("Feedback") without a
separate Agreement about that Feedback, Company hereby grants Microsoft, under
all applicable Company intellectual property rights, a non-exclusive, worldwide,
perpetual, irrevocable, royalty-free license to (a) make, use, copy, modify and
create derivative technologies of the Feedback, (b) publicly perform, display,
import, broadcast, transmit, distribute, license (including the right to further
sublicense), offer to sell, and sell, rent, lease or lend the Feedback and
derivatives thereof.
4.4 Other License Terms.
Company's use of the HealthVault software development kit and any other
Microsoft materials that come with a separate license, is subject to those
license terms, which are incorporated herein by reference. All rights not
expressly granted in this Agreement are reserved.
5. PRESS RELEASES. Neither
Party will issue a press release or similar publicity regarding this Agreement
or the relationship between the Parties without the prior written consent of the
other Party.
6. TERM AND TERMINATION. The Term of this Agreement is one (1) year from
the Effective Date and will automatically renew on each anniversary of the
Effective Date for successive one (1) year periods, unless either Party
terminates by providing the other Party with 60 days written notice prior to the
anniversary date. Either Party may terminate this Agreement at any time (i) if
the other Party is in material breach and fails to cure within ten (10) days
after written notice, or (ii) for no reason on thirty (30) days prior written
notice. Sections 7, 8, 9, 10 and 11 shall survive the termination of this
Agreement.
7. DISCLAIMER OF WARRANTIES. ALL SOFTWARE, TECHNOLOGY, SERVICES,
DOCUMENTATION, MATERIALS, OR INFORMATION PROVIDED BY EITHER PARTY TO THE OTHER
PARTY IS PROVIDED "AS IS," WITHOUT WARRANTY OF ANY KIND AND THE ENTIRE RISK AS
TO SATISFACTORY QUALITY, PERFORMANCE, ACCURACY, AND EFFORT IS WITH THE
RECIPIENT. TO THE EXTENT PERMITTED BY APPLICABLE LAW, EACH PARTY DISCLAIMS ALL
OTHER STATUTORY REPRESENTATIONS, CONDITIONS AND WARRANTIES, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR
FITNESS FOR A PARTICULAR PURPOSE.
8. EXCLUSION OF DAMAGES: LIMITATION OF LIABILITY. NEITHER
PARTY WILL BE LIABLE FOR ANY SPECIAL, PUNITIVE, INCIDENTAL, INDIRECT, OR
CONSEQUENTIAL DAMAGES (INCLUDING BUT NOT LIMITED TO, LOST PROFITS, LOSS OR
BREACH OF DATA OR INFORMATION, BUSINESS INTERRUPTION, OR OTHER LOSSES) ARISING
OUT OF OR RELATED TO THIS AGREEMENT, EVEN IN THE EVENT OF A FINDING OF FAULT,
TORT (INCLUDING NEGLIGENCE), STRICT LIABILITY, BREACH OF CONTRACT OR BREACH OF
WARRANTY BY EITHER PARTY OR ANY SUPPLIER, AND EVEN IF A PARTY HAS BEEN ADVISED
OF THE POSSIBILITY OF SUCH DAMAGES. NEITHER PARTY'S AGGREGATE LIABILITY FOR ALL
CLAIMS, ACTIONS AND/OR OMISSIONS ARISING FROM OR RELATED TO THIS AGREEMENT WILL
EXCEED TEN THOUSAND DOLLARS (U.S. $10,000.00). THE FOREGOING LIMITATIONS,
EXCLUSIONS AND DISCLAIMERS APPLY TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE
LAW, EVEN IF ANY REMEDY FAILS ITS ESSENTIAL PURPOSE. NONE OF THE LIMITATIONS AND
EXCLUSIONS IN THIS SECTION 8 APPLY TO CLAIMS UNDER SECTION 9 (INDEMNIFICATION)
OR BREACHES OF SECTION 10 (CONFIDENTIALITY).
9. INDEMNIFICATION.
9.1 Indemnification. Each Party shall defend, indemnify and hold
harmless the other Party from and against all damages, liabilities, costs and
expenses, including without limitation reasonable attorneys' fees and other
costs of defense, arising from or related to all unaffiliated third party claims
that if true would constitute violation of (a) the privacy statement the Party
provides to End Users; (b) any law, rule or regulation applicable (i) in the
case of Microsoft, to the HealthVault Technologies, or (ii) in the case of
Company, to the Company Solution; (c) any third party interest in Marks or other
intellectual property provided by the Party in connection with this Agreement
(excluding material provided by third parties to Microsoft in connection with
their solutions); (d) the Party's marketing and promotion to End Users or (e)
the HealthVault Requirements; ("Claims").
9.2 Process. The indemnified
Party must promptly notify the indemnifying Party in writing of a Claim. The
indemnifying Party has sole control of the defense and settlement of the Claim,
except that it may not enter into any settlement that results in an admission of
liability or wrongdoing on the part of the indemnified Party, or the imposition
of equitable relief. The indemnified Party may employ separate counsel and
participate in the defense of any Claim at its own expense.
10. CONFIDENTIALITY.
Confidential information means
non-public information in any form that is designated as confidential, or a
reasonable person knows or reasonably should understand to be confidential. The
following types of information, however marked, are not Confidential
Information: that which (i) is, or becomes, publicly available without a breach
of this Agreement; (ii) was lawfully known to the receiver without an obligation
to keep it confidential; (iii) is received from another source who can disclose
it lawfully and without an obligation to keep it confidential; (iv) is
independently developed; or (v) is a comment or suggestion one Party volunteers
about the other's business, products or services.
For a
period of 5 years after initial disclosure, neither Party will use the other
Party's Confidential Information without the other Party's written consent
except in furtherance of this business relationship or as expressly permitted by
this section 10, or disclose the other Party's Confidential Information
except:
• to employees, contractors or consultants only if they have a need to know
about it for purposes of this Agreement and subject to the confidentiality
obligations herein, or
• if required to comply with a court order or other government demand that has
the force of law, in which case the Party must seek the highest level of
protection available and, when possible, give the other enough prior
notice to provide a reasonable chance to seek a protective order.
Each Party will:
• take reasonable steps to safeguard the other Party's Confidential Information,
which steps must be at least as great as those the Party takes to protect
its own confidential information,
• notify the other promptly upon discovery of any unauthorized use or disclosure of
Confidential Information and
• cooperate in any reasonable way to help the other Party regain control of the
Confidential Information and prevent further unauthorized use or
disclosure.
Neither
Party is required to restrict work assignments of representatives who have had
access to Confidential Information. Neither Party can control the incoming
information the other Party may disclose in the course of working together, or
what its representatives will remember, even without notes or other aids. The
Parties agree that use of information in representatives' unaided memories in
the development or deployment of their respective products or services does not
create liability under this Agreement or trade secret law, and the Parties agree
to limit what they disclose to each other accordingly.
11. GENERAL
11.1 Notices and
Requests. Except for revisions to Privacy Requirements
or Operating Requirements as described in 3.1, all notices must be sent by
express courier or registered mail with a copy by fax to the contacts listed on
the first page. Each Party may change its contacts on prior written
notice.
11.2 Governing Law; Venue;
Jurisdiction. The laws of the State of Washington govern this
Agreement. If federal jurisdiction exists, the Parties each consent to exclusive
jurisdiction and venue in the federal courts in King County, Washington. If not,
the Parties each consent to exclusive jurisdiction and venue in the Superior
Court of King County, Washington. The Parties waive all defenses of lack of
personal jurisdiction and forum non conveniens. Process may be served on either
Party in the manner authorized by applicable law or court rule.
11.3 No
Partnership. The Parties are operating as independent
contractors, and nothing in this Agreement will be construed as creating a
partnership, franchise, joint venture, employer-employee or agency
relationship.
11.4 Waiver. Any delay or failure of either Party to exercise
a right or remedy will not result in a waiver of that, or any other, right or
remedy. No waiver will be effective unless made in writing and signed by an
authorized representative of the waiving Party.
11.5 Severability. If any provision of this Agreement is
unenforceable, the Parties (or, if the Parties cannot agree, a court) will
revise it so that it can be enforced. Even if no revision is possible, the rest
of this Agreement will remain in place.
11.6 Assignment. This Agreement will be binding on the
Parties and their successors and assigns. Either Party may assign this Agreement
to an Affiliate on written notice. If assignment is the result of merger or
acquisition, the non-assigning Party shall have the right to terminate this
Agreement. All other assignment requires prior written consent of the
non-assigning Party.
11.7 Interpretation. This Agreement will be interpreted according
to the plain meaning of its terms without any presumption that it should be
construed either in favor of or against either Party.
11.8 Entire Agreement. This
Agreement is the entire agreement between the Parties about this subject and
supersedes all prior and contemporaneous agreements or communications. This
Agreement may not be modified except by a written agreement signed by authorized
representatives of the Parties.
EXHIBIT A
DESCRIPTION, DEVELOPMENT, MARKETING & INSURANCE REQUIREMENTS
1. DESCRIPTION OF COMPANY SOLUTIONS INCLUDING SERVICE WEBSITE, URL, ETC.:
Vemics
iMedicor™ is a HIPAA compliant, collaborative online portal designed for and by
medical professionals to facilitate practice productivity and the rapid, secure
exchange of medical records, educational content and ideas in real-time. Basic
services are provided free of charge in exchange for participation in practice
relevant, ACCME accredited educational programming. Advanced services are
available on a fee-for-service basis.
Free basic services include:
• Secure medical record / image transfer online
• Secure messaging
• Professional online community for consults and referrals
• Practice relevant CME/CEU program (available in both on-demand and fully
interactive live online formats)
Fee based services include:
• Voice-recognition driven document creation and management (NuScribe)
• Real-time video, voice and data communication and collaboration
• ePrescribing
2. DESCRIPTION OF DEVELOPMENT/FUNCTIONAL COMMITMENTS:
DocuSign Envelope ID: 81291746-6B9A-48FF-9505-C21D66C8084F
Company will integrate Company Solutions with HealthVault and pilot the integrated
offering at pilot client sites, leveraging any applicable HealthVault platform
elements, such as universal sign-in account for patients, data storage,
authentication, data interchange, device connectivity, search and other
features.
Patients
using Company Solutions shall each be provided with HealthVault Accounts and
have the ability to input, upload, store, view and interact with their health
data while using Company Solutions. Company Solutions shall allow patients to
save a copy of their health data from the Vemics iMedicor™ systems to their
corresponding HealthVault Accounts.
Microsoft
will provide Company with a software development kit (SDK) and reasonable
program account management resources to assist in Company's integration to
HealthVault at no cost to Company.
3. ONBOARDING SCHEDULE AND REQUIREMENTS TO GO LIVE ON HEALTHVAULT:
3.1 Development requirement milestones, if any:
Company
shall develop a project plan, which outlines the project and key milestones for
the initial phase of the integration, no later than February 22, 2008. Company
shall reasonably incorporate feedback from Microsoft.
Company
shall complete the integration of Vemics iMedicor™ with HealthVault no later
than May 1, 2008 and commercially deploy Company Solutions at pilot client sites
on or before August 31, 2008.
3.2 Other requirements, if any: None.
4. MARKETING.
4.1 Company will, in compliance with Microsoft's HealthVault branding guidelines
(provided separately):
(a) Feature Company Solution on the homepage of Company's Web site;
(b) Indicate HealthVault compatibility on all relevant Company materials regarding
Company Solution;
(c) Promote HealthVault in all relevant Company marketing materials regarding
Company Solutions, subject to Microsoft prior written approval; and
(d) Permit Microsoft to list or feature Company Solution in a variety of marketing
opportunities, subject to Company prior written approval.
4.2 Microsoft may at its discretion:
(a) Feature Company Solution and related Company Marks:
• on the homepage and Program Page of the HealthVault Web site;
• in the default set-up for HealthVault Connection Center;
• in tradeshows, presentations, and keynote speeches; and
(b) Demonstrate Company Solution in tradeshows, presentations, and keynote speeches;
and
(c) Refer reporters and bloggers to Company for quotes on Company Solutions and
HealthVault.
5. Insurance.
5.1 General. Company warrants
that it shall maintain sufficient insurance coverage to enable it to meet its
obligations created by this Agreement and by law. Without limiting the
foregoing, Company warrants that such insurance shall include Commercial General
Liability (Occurrence Form) coverage with minimum limits of $2,000,000 per
occurrence, to the extent this Agreement creates exposures generally covered
thereby.
5.2 Professional Liability.
Company shall maintain Professional Liability/Errors & Omissions
Liability insurance with policy limits of not less than USD$2,000,000 each claim
with a deductible of not more than One Hundred Thousand Dollars (US$100,000.00).
Such insurance shall include coverage for infringement of the proprietary rights
of any third party, to the extent reasonably available, including without
limitation copyright and trademark infringement as related to Company
performance under this Agreement. In addition, such insurance shall include
coverage for the following personal injuries, unless
covered, and not in any way excluded or restricted, by Company's general
liability insurance: invasion of privacy, and advertising injury. Such insurance
shall include coverage for contingent bodily injury/property damage. If Company
solution includes hardware, such insurance shall include coverage for third
party loss of use arising from the recall, removal or withdrawal of products
due to your errors, omissions, or
negligent acts. Such insurance shall not contain limitations of coverage for
claims arising from unauthorized/exceeded access to systems/data or for services
rendered over public/private networks. Throughout the Term, the Professional
Liability/Errors & Omissions Liability insurance's retroactive coverage date
will be no later than the Effective Date of this Agreement. Upon termination of
this Agreement, Company will either continue to maintain an active insurance
policy, or purchase an extended reporting period providing coverage for claims
first made and reported to the insurance company within 12 months after the end
of this Agreement.
EXHIBIT B
OPERATING REQUIREMENTS
Company Solutions must satisfy the following minimum requirements:
A. Support for Company
Solutions. Company Technical Contact will coordinate technical
issues and resolution of any problems related to Company
Solutions.
B. HealthVault Technology Requirements.
1. Company Solutions must
securely interoperate with HealthVault Technology and comply with all
requirements in HealthVault Technology documentation. All Company Solutions
services and components that access HealthVault or utilize HealthVault
Technology must invoke only those features and functions supported by
HealthVault Technology.
2. Company Solutions must not
modify the standard HealthVault links to launch into the Company Solutions.
Company Solutions must always obtain affirmative End-User approval prior to
modifying any configuration, application, service, End-User data or other
information stored on End User's hardware. Company Solutions must contain clear
and conspicuous branding, logos and other indicators so End-Users are aware of
when they are accessing features and functions made available in Company
Solutions.
C. End-User Support. Company
must provide direct End-User support for Company Solutions including any
services. Company must provide support under terms at least as favorable to the
End-User as the terms used by Company to support other online or computer
system products and services. At a minimum, Company will provide commercially
reasonable email support.
D. Security Vulnerabilities.
Each Party will notify the other Party if it identifies security vulnerabilities
related to Company Solutions, categorized as:
Severity Rating | Description
Critical/Important | A vulnerability where exploitation could (a) allow the self-propagation of an Internet worm, virus, or similar security threat without End-User action; or (b) result in compromise of the confidentiality, integrity, or availability of End-User Data or the integrity or availability of processing resources.
Moderate/Low | A vulnerability where exploitation is mitigated to a significant degree by factors such as default configuration, auditing, or difficulty of exploitation.
1. Company must acknowledge receipt of Microsoft's notice of a) critical/important
vulnerability within 4 hours and b) moderate/low vulnerability, within 24
hours of the time of Microsoft's notice by sending an e-mail to hsgse@microsoft.com
(or any successor e-mail alias that Microsoft provides).
2. Company must address vulnerabilities as follows:
A) For security vulnerabilities with a Critical/Important Severity Rating,
Company must work with Microsoft to resolve the security vulnerability
immediately. Company may elect to (a) suspend, remove or disable the
features or functions involved, in whole or in part, (b) patch, correct
or fix the vulnerability or (c) take any other action that it believes will
prevent the exploitation of such vulnerability in a commercially reasonable
way.
B) For vulnerabilities with a Moderate/Low Severity Rating, Company will send
Microsoft within 72 hours of the initial notice a plan to resolve the
security vulnerability and, unless otherwise mutually agreed, resolve the
vulnerability within 7 days of the initial notice.
3. Microsoft may suspend connectivity or remove the Company Solutions until the
vulnerability is resolved to Microsoft's satisfaction.
E. Security Program. Company
must implement and maintain an information security program reasonably designed
to maintain the security, integrity and availability of End-User Data, and which
meets a widely recognized U.S. or international security
standard.
F. Geographic Restrictions.
Company may not store End-User Data outside the U.S. Company acknowledges that
HealthVault Accounts are currently offered only to U.S.
End-Users.
G. Usability. Company
Solutions must provide commercially reasonable End-User experience, including
usability, performance, and availability.
H. Branding. Company will use
the appropriate Microsoft Marks in accordance with the user interface and
branding guidelines Microsoft provides, to promote HealthVault compatibility and
indicate HealthVault functionality in Company Solutions. Company Solutions must
be designed in accordance with HealthVault user interface guidelines. Neither
party may use the other Party's Marks in a way that:
• may cause confusion about whether the products or services are products or
services of the other Party;
• may cause confusion about ownership of the Marks;
• alters, animates or distorts the Marks or combines them with any other symbols,
words, images or designs; or
• on or in connection with related products, premiums or promotional items,
whether sold or given away to promote the sale of the Company's Solutions
without prior written consent.
I. Installation. Company
Solutions must not, automatically or otherwise, install any software on an
End-User's hardware without the End-User's prior affirmative consent. No icons
for any software such as a systray application or a background process shall be
installed and/or displayed in the Company Solutions if such icons subvert the
End-User's selection of an active service or if such icons subvert any of the
End-User's choice options exposed by Windows (e.g., file extension
ownership).
EXHIBIT C
PRIVACY REQUIREMENTS
If the Company receives any End-User Data, Company shall comply with the following
provisions:
1. Accountability.
Company must maintain and comply with a privacy statement at least as
protective of the security, confidentiality, integrity and accuracy of
End-User Data as the HealthVault Privacy Statement, and which must comply
with all legal requirements applicable to Company's collection of personal
health data from its End-Users. If Company uses sub-contractors or
vendors, they must agree in writing (i) to comply with the same policies
and procedures as disclosed in Company's privacy statement, including (ii)
that they cannot transfer End-User Data to other third parties without the
End-User's explicit opt-in consent. Company will maintain and implement
reasonable and appropriate technical, administrative, organizational and
physical security practices to protect all End-User Data.
2. Notice.
Company will present its privacy statement and terms of use in an
accessible and prominent manner upon the End-User's initial use, each
subsequent use, and on each webpage of Company Solution. Any new or
revised privacy statements or terms of use must be presented to the
End-User prior to installation or use of a Company Solution (or
update/upgraded Solutions) under the new terms. Company must submit its
privacy statement and terms of use (and any revisions or updates) to
Microsoft, which Microsoft may publish/post on HealthVault. Receipt or
publishing does not constitute Microsoft approval of Company's privacy
statement or terms. Microsoft reserves the right to advise End-Users about
privacy or use terms. Company will inform the End-User of the origin of
all information it transfers into HealthVault.
3. Consent;
Information Use and Retention. Company must obtain explicit opt-in
End-User consent through then-existing HealthVault mechanisms prior to
accessing any End-User Data and will provide Microsoft an explanation of
its intended use of each type of End-User Data it requests access to.
Company will not disclose End-User Data to a third party without first
obtaining explicit opt-in consent from the End-User with respect to the
specific third party. Company will provide the End-User the ability to
access and/or update any End-User Data that is extracted from HealthVault.
Microsoft reserves the right to display to the End-User the types of data
that Company asserts are required to use the Company Solutions, and the
right to programmatically allow Company access to only those types of
End-User Data. Company will maintain End-User Data only for purposes the
End-User has consented to. Company must not attempt to identify
de-identified End User Data (by, for example and without limitation,
combining it with other databases of information), and must prohibit any
third parties who receive de-identified End User Data from doing so.
Except for data retention required by law, if Company retains End-User
Data beyond an active session, the End-User must always have the ability
to delete the information.
4. Breach.
Company will immediately inform Microsoft in writing of any material data
breach involving End-User Data.
5. Explicit opt-in consent
means for the purpose of this Exhibit C, that the End-User must take an
explicit action to indicate its consent before data is accessed.
EXHIBIT D
COMPANY CUSTOMER ACCESS TO HEALTHVAULT PLATFORM
Notwithstanding
anything to the contrary set forth in the Agreement, Company may allow Customers
to access or use HealthVault subject to the following terms and
conditions:
1. Additional Definitions for this Exhibit.
Customer means a person or
entity for which Company delivers value-added services that use HealthVault
Technology pursuant to a written agreement that includes terms sufficient to
comply with the terms and conditions of the Agreement.
Customer Agreement means a
written agreement between Company and Customer for the development of Customer
Solutions.
Customer Solutions means
hardware, software, services or other solutions that are (i) developed by
Company for Customer; (ii) operated by a Customer or on behalf of a Customer by
Company; and (iii) compatible with HealthVault.
2. Written Agreement Required.
(i) Company shall enter into a Customer Agreement that is at least as protective of
Microsoft as the terms and conditions contained in the Agreement. The Customer
Agreement must meet these minimum requirements:
a. It
must provide that Microsoft is an intended third party beneficiary with rights
to enforce the written agreement directly against Customer; and
b. To
comply with the requirements that are the same as those imposed on Company by
the Agreement. This includes the requirements of Sections 2.1, 3, 4.3-4.4, 5-10,
11.2, Ex. A (Sec. 5), and Ex. B-C. For avoidance of doubt, the written agreement
shall provide that as an intended third party beneficiary, Microsoft has the
right to suspend Customer Solutions pursuant to Sec. 3.3 of the
Agreement.
(ii) Company shall not sublicense the rights licensed to Company in Section 4.2. Such
rights may only be sublicensed pursuant to a separate written agreement between
Company and Microsoft.
(iii) Notwithstanding anything to the contrary set forth in the Agreement (including
this Ex. D), the Customer Agreement shall exclude the following provisions: 2.4
and 2.5.
(iv) Company shall require Customers to send any notices required under Exhibits B
and C directly to the appropriate Microsoft contact, in addition to
Company.
(v) Within
fifteen (15) days of signing a Customer Agreement and in any event prior to a
Customer Solution being offered to potential End-Users, Company shall report
such Customer Agreement to Microsoft. The report shall include the following
information: a) the Customer name and contact information; b) a description of
Customer Solution, including service website, URL, etc.; and c) onboarding
schedule to go live in HealthVault. Company shall securely maintain all: a)
Application I.D.s and private keys for Customer Solutions; and b) records of all
HealthVault Application I.D.s issued to Customers. Company shall promptly make
such Application I.D. records available to Microsoft upon
request.
3. Indemnity. Company shall
defend, indemnify and hold Microsoft and its Affiliates harmless from and
against all damages and costs (including attorneys' fees) of any kind in
connection with any breach by Company or Customer of this Exhibit D. Such
Company indemnity shall not extend to any
claim for which Microsoft is obligated to indemnify Company pursuant to Section
9 of the Agreement.
4. Termination. If the Agreement terminates, then
Company must terminate all Customer Agreements. Sections 3 and 4 of this Exhibit
D shall survive termination of any Customer Agreement.