Posted/Revised: January 12, 2019

CUSTOMER DATA ADDENDUM FOR MPOWR ENGAGE SYSTEM

This Customer Data Addendum is incorporated into the applicable Master Subscription & Services Agreement executed by MPOWR and Customer (the “Agreement”). All capitalized terms used herein shall have the same meaning as defined in the Agreement. In consideration of the commitments set forth below, the adequacy of which the parties hereby acknowledge, the parties agree as follows.

1.1. Use of Customer Data. As between the parties, and subject to any provisions of these terms and conditions and the Agreement to the contrary, Customer represents and warrants that it has the necessary right, title and interest to use, process, upload and store the Customer Data. Unless it receives Customer’s prior written consent and subject to Section 5 of the Agreement, MPOWR: (a) shall not access, process, or otherwise use Customer Data other than as necessary to facilitate the System; and (b) shall not intentionally grant any third party access to Customer Data, including without limitation MPOWR’s other customers, except subcontractors that are subject to a reasonable nondisclosure agreement. Notwithstanding the foregoing, MPOWR may disclose Customer Data as required by applicable law or by proper legal or governmental authority. MPOWR shall give Customer prompt notice of any such legal or governmental demand and reasonably cooperate with Customer in any effort to seek a protective order or otherwise to contest such required disclosure, at Customer’s expense.

Customer grants MPOWR a non-exclusive, worldwide, royalty-free license for the term of the Agreement to store, copy, display, transmit, and otherwise use the Customer Data as reasonably necessary to facilitate the System.

Customer further grants MPOWR a perpetual, non-exclusive, worldwide, royalty-free license to store, copy, display, transmit, and otherwise use the Customer Data as reasonably necessary to provide data aggregation services to Customer, and to MPOWR’s other Customers who receive the Software Services. In the event that Customer is a “Covered Entity” (as that term is defined within the HIPAA Privacy Rule), then the following additional restrictions shall apply: (i) the Customer Data may only be used to provide data aggregation services to MPOWR’s customers who are also Covered Entities; and (ii) the data aggregation services described herein shall be provided in MPOWR’s capacity as a “Business Associate” of Customer (as that term is defined within the HIPAA Privacy Rule) and subject to the terms of the simultaneously executed Business Associate Agreement. The term “data aggregation” means the combining of Customer Data with the data received by MPOWR from its other customers to permit data analyses that relate to the internal business operations of such customers.

Customer further grants MPOWR a non-exclusive, worldwide, royalty-free license for the term of this Agreement to store, copy, display, transmit, and otherwise use the Customer Data as reasonably necessary to create de-identified data that cannot be used to identify any specific individual. In the event Customer is a “Covered Entity” (as that term is defined within the Health Insurance Portability and Accountability Act), then Customer Data must be de-identified in the manner described within the “Guidance Regarding Methods for De-Identification of Protected Health Information in Accordance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule,” or any subsequent or revised guidance issued by the Department of Health and Human Services, Office for Civil Rights. Properly de-identified information shall not be considered Customer Data, and shall not be subject to any of the provisions of this Agreement.

CUSTOMER REPRESENTS AND WARRANTS THAT EACH AND EVERY USE OR DISCLOSURE OF PERSONALLY IDENTIFIABLE INFORMATION THAT IS COLLECTED, STORED, RECEIVED OR TRANSMITTED USING THE SYSTEM SHALL BE PURSUANT TO A CURRENT AND VALID AUTHORIZATION, CONSENT, RELEASE OF INFORMATION, OR SIMILAR WRITTEN DOCUMENT THAT CLEARLY PERMITS SUCH USE OR DISCLOSURE, AND THAT IS FULLY COMPLIANT WITH ALL LAWS AND REGULATIONS GOVERNING CUSTOMER, THE CUSTOMER DATA, AND THE USE OR DISCLOSURE OF CUSTOMER DATA BEING MADE.

IN ADDITION TO ANY INDEMNIFICATION OBLIGATIONS OF CUSTOMER CONTAINED IN THE SERVICE AGREEMENT, CUSTOMER SHALL INDEMNIFY, DEFEND, AND HOLD HARMLESS MPOWR, ITS AFFILIATES, AND THEIR RESPECTIVE OFFICERS, DIRECTORS, EMPLOYEES, SUCCESSORS, ASSIGNS, HEIRS, REPRESENTATIVES, AND AGENTS (COLLECTIVELY THE “MPOWR INDEMNIFIED PARTIES”) FROM AND AGAINST ANY AND ALL DAMAGES, LOSSES, CLAIMS, LIABILITIES, DEMANDS, CHARGES, SUITS, PENALTIES, COSTS AND EXPENSES (INCLUDING COURT COSTS AND REASONABLE ATTORNEYS’ FEES AND EXPENSES INCURRED IN INVESTIGATING AND PREPARING FOR ANY LITIGATION OR PROCEEDING) (COLLECTIVELY “COSTS”) WHICH ANY OF THE MPOWR INDEMNIFIED PARTIES MAY SUSTAIN, OR TO WHICH ANY OF THE MPOWR INDEMNIFIED PARTIES MAY BE SUBJECTED, ARISING OUT OF OR IN CONNECTION WITH CUSTOMER’S USE OF THE SYSTEM FOR THE INPUT AND STORAGE OF CUSTOMER DATA, PERSONALLY IDENTIFIABLE INFORMATION AND/OR THE USE OF THE SAMPLE ROI (AS DEFINED BELOW IN SECTION 1.4), OR CUSTOMER’S FAILURE TO MEET THE REQUIREMENTS OF ANY LAW, REGULATION, OR OTHER AUTHORITY TO WHICH CUSTOMER OR THE CUSTOMER DATA IS SUBJECT (INCLUDING WITHOUT LIMITATION LAWS AND REGULATIONS RELATING TO THE PRIVACY AND SECURITY OF PERSONALLY IDENTIFIABLE INFORMATION).

1.2. Risk of Exposure. Customer recognizes and agrees that hosting data online involves risks of unauthorized disclosure or exposure and that, in accessing and using the System, Customer assumes such risks. MPOWR offers no representation, warranty, or guarantee that Customer Data will not be exposed or disclosed through errors or the actions of third parties.

1.3. Excluded Data. Customer represents and warrants that Customer Data does not and will not include, and Customer has not and shall not upload or transmit to MPOWR’s computers or other media, any: (1) patient medical or other health information that is part of a Legal Health Record or Designated Record Set as protected and defined by the Health Insurance Portability and Accountability Act, or similar U.S. or foreign laws and regulations; (2) Cardholder Data, as that term is defined in the PCI standards; or (3) information subject to regulation or protection by the Gramm-Leach-Bliley Act (or related rules or regulations); (collectively, the “Excluded Data”). CUSTOMER RECOGNIZES AND AGREES THAT: (a) MPOWR HAS NO LIABILITY FOR ANY FAILURE TO PROVIDE PROTECTIONS FOR EXCLUDED DATA OR OTHERWISE TO PROTECT EXCLUDED DATA; AND (b) MPOWR’S SYSTEMS ARE NOT INTENDED FOR MANAGEMENT OR PROTECTION OF EXCLUDED DATA AND MAY NOT PROVIDE ADEQUATE OR LEGALLY REQUIRED SECURITY FOR EXCLUDED DATA.

1.4. Release of Information Template. The parties acknowledge that the System includes a Release of Information Template (the “Sample ROI”), and that such Sample ROI is intended solely to assist Customer in creating a valid authorization, consent, release of information, or similar written document that complies with the laws and regulations applicable to Customer and the Customer Data. MPOWR grants Customer a non-exclusive, worldwide, royalty-free license for the term of this Agreement to store, copy, display, transmit, and otherwise use the Sample ROI.

1.5. MPOWR Support. Regardless of any review, research, assistance, or technical support that may be provided by MPOWR, Customer understands and agrees that it shall be solely responsible and liable for compliance with any information privacy, security, or other laws and regulations to which it and the Customer Data may be subject. Customer agrees that any Customer Data it inputs into the System will be in compliance with all federal and state statutes and regulations governing such information, including but not limited to the Health Insurance Portability and Accountability Act.

1.6. Customer Data Accuracy. In accordance with Section 5.2 of the Agreement, Customer shall also be solely responsible for the accuracy and integrity of the Customer Data.

1.7. Removal of Customer Data. Customer has 30 days following the date of expiration or termination of the applicable Subscription(s) to remove its Customer Data from the System.