This CraftyNotes business associate agreement becomes effective upon the date of acceptance indicated on the final page of this document and establishes a mutual understanding between CraftyNotes Inc., situated at 2261 Market Street #4569, San Francisco, CA 94114 (referred to as "CraftyNotes" herein) and the organization identified and entered into CraftyNotes’ systems by its representative, as specified on the final page of this agreement (referred to as "Company" herein). RECITALS Company operates as a HIPAA Covered Entity or Business Associate. CraftyNotes and Company are set to enter into a business relationship whereby CraftyNotes will provide specific Services to Company. In the course of rendering such Services, CraftyNotes may handle, utilize, maintain, disclose, or otherwise process PHI (Protected Health Information) as a Business Associate for or on behalf of Company. The undersigned parties to this agreement hereby mutually consent as follows: Definitions. Unless otherwise defined in this agreement, capitalized terms shall bear the meanings assigned to them by the HIPAA Laws. "Affiliate" refers to any entity that directly or indirectly controls, is controlled by, or is under common control with a party. For the purposes of this agreement, "control" signifies an economic or voting interest of at least fifty percent (50%) or, in its absence, the authority to direct or influence the management and policies of such entity. "HIPAA Laws" collectively encompass the Health Insurance Portability and Accountability Act, and the Health Information Technology for Economic and Clinical Health (“HITECH”) Act. This includes, among other things, the Privacy Rule and the Security Rule as specified in the Code of Federal Regulations (C.F.R.) Title 45, Parts 160 and 164. The term "PHI" is defined as per 45 C.F.R. § 160.103 of HIPAA, restricted to protected health information received by CraftyNotes from, or generated, received, maintained, or transmitted by CraftyNotes on behalf of Company through Company’s utilization of the Services pursuant to this agreement. All mentions of PHI in this agreement shall encompass Electronic PHI, as applicable under the HIPAA Laws. "Security" or "Security Measures" denotes the administrative, physical, and technical safeguards and documentation requirements delineated in the Security Rule. "Services" denote the unified communications services or other services provided by CraftyNotes to Company through contract whereby CraftyNotes is generating, receiving, maintaining, or transmitting PHI. Permitted Uses and Disclosures of PHI. 2.1. Performance of the Agreement for CraftyNotes Services. CraftyNotes shall refrain from Using or Disclosing PHI except as permitted or mandated by this agreement or as necessitated by Law. CraftyNotes may Use or Disclose PHI to carry out functions, activities, or services for or on behalf of Company concerning the Services, including but not limited to providing maintenance and support services, subject to adherence to HIPAA Laws as if done by Company, unless explicitly permitted as delineated in Section 2.2 below. 2.2. Management, Administration, and Legal Responsibilities. Unless otherwise restricted in this agreement, CraftyNotes may Use and Disclose PHI for CraftyNotes’ proper management and administration or to fulfill CraftyNotes’ legal obligations, or both, provided any Disclosure occurs solely if: (a) Required by Law; or (b) CraftyNotes secures reasonable assurances from the recipient of the PHI that it shall maintain its confidentiality and Use or further Disclose it only as Required by law or for the purpose it was Disclosed, with the recipient promptly notifying CraftyNotes of any breaches of PHI confidentiality. Responsibilities with Respect to PHI. 3.1. CraftyNotes’ Responsibilities. CraftyNotes commits to the following: 3.1.1. Limitations on Use, Disclosure, and Sale. CraftyNotes shall solely utilize the minimum necessary PHI for CraftyNotes’ proper management and administration or to report legal infringements to pertinent federal and state authorities, in accordance with 45 C.F.R. § 164.502(j)(1). CraftyNotes shall refrain from engaging in the sale of PHI. 3.1.2. Safeguards. CraftyNotes shall: (a) employ reasonable and appropriate safeguards to prevent improper Use and Disclosure of PHI except as provided for in this agreement; and (b) adhere to the pertinent requirements of 45 C.F.R. Part 164 Subpart C of the Security Rule. 3.1.3. Subcontractors. CraftyNotes may enlist Subcontractors to fulfill its duties under this agreement. In accordance with 45 C.F.R. §§ 164.502(e)(1)(ii) and 164.308(b)(2) of HIPAA, CraftyNotes shall mandate its Subcontractors who generate, receive, maintain, or transmit PHI on CraftyNotes’ behalf to agree in writing to: (a) substantively similar or more stringent restrictions and conditions governing such PHI as those applicable to CraftyNotes; (b) adequately safeguard the PHI; and (c) comply with the relevant requirements of 45 C.F.R. Part 164 Subpart C of the Security Rule. 3.1.4. Reporting to Company. CraftyNotes shall promptly report to Company: (a) any Use or Disclosure of PHI not permitted or mandated by this agreement, of which CraftyNotes becomes aware; (b) any Security Incident that comes to its attention, with the understanding that notification is automatically provided for Unsuccessful Security Incidents (as defined below), and no further notification of such Unsuccessful Security Incidents will be issued; or (c) any discovery of a Breach involving Company’s Unsecured PHI (in accordance with 45 C.F.R. § 164.410 of the Breach Notification Rule). Notification of a Breach will be made without undue delay, but in no event later than ten (10) business days following CraftyNotes’ discovery of the Breach. Notification of a successful Security Incident or other unauthorized Use or Disclosure of PHI by CraftyNotes or its Subcontractors will be provided without undue delay, but in no event later than fifteen (15) business days following CraftyNotes’ discovery thereof. 3.1.5. Unsuccessful Security Incidents. For the purposes of this Section, “Unsuccessful Security Incidents” include, without limitation, pings and other broadcast attacks on CraftyNotes’ firewall, port scans, unsuccessful log-on attempts, denial of service attacks, and any combination thereof, provided no such incident results in unauthorized access, acquisition, Use, or Disclosure of PHI. 3.1.6. Disclosures to the Secretary. CraftyNotes shall make available to Company or the Secretary, upon request, internal practices, books, and records concerning the Use and Disclosure of PHI, as required for the Secretary to determine Company’s or CraftyNotes’ compliance with the HIPAA Laws. This provision does not waive any applicable attorney-client privilege, work product protection, confidentiality, or other legal rights. 3.1.7. Access and Amendment. The Services offered do not encompass the ability to establish or maintain a Designated Record Set. If Company requires access to or amendment of a Designated Record Set, Company shall undertake such actions directly, without CraftyNotes' involvement. 3.1.8. Accounting of Disclosures. At Company's request, CraftyNotes shall furnish to Company, in a manner and timeframe reasonably requested by Company, relevant information regarding Disclosures made by CraftyNotes necessary for Company to fulfill any requested accounting of Disclosures pursuant to 45 C.F.R. § 164.528. 3.1.9. Privacy Rule and Security Rule Compliance. CraftyNotes shall adhere to the Privacy Rule in performing its obligations under this agreement concerning the Services, to the extent the Privacy Rule expressly applies to CraftyNotes under this agreement or as mandated by Law. CraftyNotes shall comply with the Security Rule concerning PHI. 3.2. Company’s Responsibilities. 3.2.1. No Impermissible Requests. Company shall refrain from requesting CraftyNotes to Use or Disclose PHI in any manner that would contravene the HIPAA Laws if undertaken by a Covered Entity (unless allowed by HIPAA Laws for a Business Associate). 3.2.2. Contact Information for Notices. Company hereby acknowledges that any reports, notifications, or other communications from CraftyNotes pursuant to this agreement may be conveyed electronically to the Company contact specified in Company’s account information. Company shall ensure that such contact information remains current throughout the duration of this agreement. Failure to provide and maintain current contact information may impede CraftyNotes' ability to furnish Breach notification under this agreement. 3.2.3. Safeguards and Appropriate Use of PHI. Company shall take reasonable measures to restrict the PHI made accessible through the use of the Services to the minimum necessary. Company is responsible for implementing suitable privacy and security measures to safeguard its PHI in compliance with the HIPAA Laws. Company is solely accountable for excluding PHI from information submitted to technical support personnel through a technical support request. Company is also responsible for ensuring that the PHI transmitted via CraftyNotes complies with legal disclosure requirements. 3.2.4. Communicating Changes to CraftyNotes. Company shall promptly inform CraftyNotes of any changes in, or revocation of, an Individual’s permission to use or disclose PHI, to the extent such changes may affect CraftyNotes’ use or disclosure of PHI. 3.2.5. Communicating Restrictions to CraftyNotes. Company shall notify CraftyNotes of any restriction on the use or disclosure of PHI that Company has agreed to in accordance with 45 C.F.R. § 164.522, to the extent such restriction may affect CraftyNotes’ use or disclosure of PHI. 3.2.6. Communicating Restrictions in Notices of Privacy Practices to CraftyNotes. Company shall inform CraftyNotes of any limitations in any applicable notice of privacy practices as per 45 C.F.R. § 164.520, to the extent such limitations may impact CraftyNotes’ use or disclosure of PHI. Term and Termination. 4.1. Term. This agreement commences upon the acceptance date indicated below and automatically terminates upon the cessation of all Services requiring a business associate agreement under the HIPAA Laws, unless terminated earlier by Company or CraftyNotes in accordance with Section 4.2. 4.2. Termination for Breach. 4.2.1. Termination for Breach by Company. Upon Company's awareness of a material breach of this agreement by CraftyNotes, Company shall: (a) Grant CraftyNotes a reasonable period to remedy the breach or terminate the agreement and associated Services if CraftyNotes fails to rectify the breach promptly; (b) Immediately terminate the agreement and associated Services if CraftyNotes breaches a material term of this agreement and cure is not feasible; or (c) If neither termination nor remedy is possible, report the violation to the Secretary. 4.2.2. Termination for Breach by CraftyNotes. Upon CraftyNotes' knowledge of a pattern of activity or practice by Company constituting a material breach or violation of Company's obligations under this agreement, CraftyNotes must notify Company to rectify the material breach or violation. If remedial actions are unsuccessful, CraftyNotes may: (a) Terminate the agreement; or (b) If terminating the agreement is impracticable, notify the Department of Health and Human Services Secretary. Post-Termination Obligations. 5.1. Return, Destruction, or Retention of PHI. Upon Termination. Subject to Section 5.2 below, upon termination or expiration of this agreement, CraftyNotes shall return or destroy all PHI received from Company or created or received by CraftyNotes on Company's behalf. This requirement extends to PHI held by CraftyNotes' Subcontractors or agents. CraftyNotes shall retain no copies of the PHI. However, CraftyNotes may retain a copy of PHI received from, or created or received on behalf of, Company if necessary for CraftyNotes' ongoing management and administration or to fulfill its legal obligations, provided that CraftyNotes extends the safeguards of this agreement to such PHI. 5.2. Notice When Return or Destruction is Infeasible. If CraftyNotes determines that returning or destroying PHI is unfeasible, CraftyNotes shall notify Company of the conditions preventing return or destruction. CraftyNotes shall continue to protect such PHI and limit further Use and Disclosure to purposes necessitating the retention of such PHI, for as long as CraftyNotes retains it. Limitation of Liability. CRAFTYNOTES' TOTAL LIABILITY TO COMPANY FOR ALL DAMAGES ARISING FROM A BREACH OF THIS AGREEMENT CAUSED BY CRAFTYNOTES SHALL NOT EXCEED TEN THOUSAND DOLLARS. THIS LIMITATION APPLIES TO ALL CAUSES OF ACTION, INCLUDING, WITHOUT LIMITATION, BREACH OF CONTRACT, MISREPRESENTATION, NEGLIGENCE, STRICT LIABILITY, AND OTHER TORTS. THIS LIMITATION REMAINS EFFECTIVE REGARDLESS OF ANY FAILURE OF THE ESSENTIAL PURPOSE OF ANY REMEDY. Notices. For legal notices under this agreement to be valid, including Breach notifications, the notifying party must deliver such notices in writing via electronic mail to the following addresses: (a) If to CraftyNotes, to privacy@craftynotes.com; Attention: Privacy Officer. A copy of all notices must also be sent to legal@craftynotes.com; and (b) If to Company, to the contact information provided in Company’s account information, with a copy to the address listed in the introductory paragraph of this agreement. Miscellaneous (continued) 8.1. No Agency Relationship. The parties do not intend for this agreement to establish an express or implied agency relationship according to federal or state agency law. Each party is an independent contractor, and no agency relationship is created. 8.2. No Third-Party Rights or Remedies. This agreement does not confer any enforceable rights or remedies on any person other than CraftyNotes and Company. 8.3. References. References in this agreement to sections in the Privacy Rule or Security Rule mean the sections currently in effect. 8.4. Assignment. No party may assign its rights or delegate its obligations under this agreement without the other party's written consent, except for assignments to an Affiliate, a successor by merger, or an acquirer of substantially all of the assigning party's assets. Any assignment or transfer in violation of this provision is void. Consent to an assignment may not be unreasonably withheld. 8.5. Amendments; Waiver. The parties will take necessary action to amend this agreement periodically to comply with HIPAA Laws. Amendments are effective only if in writing and signed by both parties. No waiver of any provision of this agreement is valid unless in writing and executed by the party against whom it is enforced. 8.6. Ambiguity. The parties intend to resolve any ambiguity in this agreement to meet their intent and facilitate compliance with HIPAA Laws. 8.7. Merger; Conflicts. This agreement constitutes the final agreement between the parties, superseding all prior or contemporaneous agreements and discussions. In case of conflict with other agreements, this agreement prevails. 8.8. Severability. If any provision of this agreement is found invalid, illegal, or unenforceable, it will not affect the remaining provisions' validity or enforceability. 8.9. Governing Law; Forum Selection. This agreement is governed by the laws of the State of California, without regard to its conflict of laws principles. Any legal action arising under this agreement must be brought exclusively in the courts of Santa Clara, California. 8.10. Electronic and Digital Signatures. Electronic signatures, including digital signatures or typed names, are equivalent to handwritten signatures and are legally binding. By accepting this agreement, CraftyNOtes and Company agree to its terms and conditions.