1. TERMS OF SERVICE

Thank you for using GENEICD Software!

Acceptance. GENEICD INC Software (GENEICD) owns and operates the websites *.GENEICD.com (the Site) and the Platform GENEICD Integration (GENEICD Laboratory Portal or the Service, as defined below). Your access to the Site and Platform and all other use of the Service is subject to acceptance without modification of all of the terms and conditions contained herein (Terms of Service). The Terms of Service shall also be deemed to include all other operating rules, conditions, policies and procedures that are referred to below or that may otherwise be published or implemented by GENEICD, from time to time, within the Platform (collectively, Policies), including without limitation, the Privacy Policy and Business Associate Agreement.

IF YOU ARE ACCESSING THE PLATFORM AND USING THE SERVICE ON BEHALF OF, FOR THE BENEFIT OF OR UNDER AN ACCOUNT ESTABLISHED BY ANY CUSTOMER, THEN YOU ACKNOWLEDGE AND AGREE THAT: YOU ARE ALSO BOUND BY ALL OTHER TERMS AND CONDITIONS THAT ARE APPLICABLE TO THAT CUSTOMER (WHETHER SET FORTH IN THESE TERMS OF SERVICE OR IN ANY CONTRACT BETWEEN THAT CUSTOMER AND GENEICD); AND THAT IT IS YOUR RESPONSIBILITY TO IDENTIFY, UNDERSTAND AND COMPLY WITH ALL SUCH OTHER TERMS AND CONDITIONS.

IF YOU DO NOT AGREE TO ALL OF THESE TERMS OF SERVICE, OR IF YOU ARE NOT ELIGIBLE OR AUTHORIZED TO AGREE TO THESE TERMS OF SERVICE, THEN DO NOT REGISTER FOR, DOWNLOAD, ACCESS OR USE THE SERVICE. DOWNLOADING ANY APP, COMPLETING OUR REGISTRATION PROCESS OR OTHERWISE ACCESSING OR USING THE PLATFORM OR ANY OTHER PART OF THE SERVICE WILL CONSTITUTE ACCEPTANCE OF, AND CREATE A LEGALLY ENFORCEABLE CONTRACT UNDER WHICH YOU AGREE TO BE BOUND BY, ALL OF THE TERMS OF SERVICE, WITHOUT MODIFICATION.

Updates. GENEICD reserves the right, at its sole discretion, to update, modify or replace the Terms of Service (including any Policy), in whole or in part, at any time. GENEICD will use reasonable efforts to notify you of any material change in advance of the effective date of any change. Change notices may be communicated by postings via the Platform, email or otherwise. In any case, you should periodically check the Policies and other Terms of Service for changes. Continued access or use of the Service following any change to the Terms of Service constitutes your acceptance of those changes. The Terms of Service may not otherwise be amended, as they apply to you, except by a written agreement executed by you and GENEICD. GENEICD may modify, suspend or terminate the Service (including without limitation, access to the Platform), in whole or in part, at any time. In the event that GENEICD suspends or terminates the Service, GENEICD will use commercially reasonable efforts to continue to operate the Service in its native form (Native Operational Window) for a reasonable period of time (not to exceed 6 months) in an effort to provide you with time to plan your transition away from the Service.

Eligibility. The Service is intended by GENEICD to be made available only to Users who are at least 18 years old or the age of majority in your jurisdiction, whichever age is older. If you do not qualify, then you are prohibited from accessing, registering for, uploading, downloading or using any aspect of the Service. GENEICD will not collect personally identifiable information from any person who is actually known to us to be under the age of 13. For the avoidance of doubt, Service Data (as defined below) may include information about individuals under the age of 13. If we become aware that a person under 13 has provided personally identifiable information, GENEICD will take steps to remove such information and terminate that individual’s account, access and use of the Service. GENEICD may refuse to offer or continue offering the Service to any person or entity, and may change its eligibility criteria from time to time.

2. DEFINITIONS

Analytics means statistics, metrics, abstractions, rules, models, collections, combinations and other analyses that are based on or derived from the Service or Service Data (including without limitation, measurements of Service usage and performance), which are developed in a manner that does not disclose the identity of Customer, any User or any individual identified in the Service Data and that does not disclose any Service Data except in a de-identified (in accordance with 45 CFR §164.514(a)-(c)) or aggregated form (combined with other data, results or measurements).

Business Associate means a “business associate,” as such term is defined under HIPAA.

Contract means the sales quotation, proposal, order form, sales confirmation or other similar writing provided by GENEICD or its authorized distributor (as the case may be) that describes the Service, term and prices being offered to Customer, whichever is most current (or the corresponding invoice, if no such other writing exists).

Covered Entity means a “covered entity,” as such term is defined under HIPAA.

Customer means any laboratory, company, or other organization or entity that has entered into an agreement with GENEICD to establish an account to use and pay for the Service.

Deliverable means any work product that is delivered to Customer, and which results from Work performed by GENEICD.

Feedback means ideas, assessments, suggestions and other feedback related to the function or performance of the Platform, Service and other GENEICD IP (including performance and benchmarking results related to the Service).

HIPAA means the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations, including the Standards for the Privacy of Individually Identifiable Health Information (Privacy Rule) (45 CFR Part 160 and Subparts A and E of Part 164) and the Security Standards for the Protection of Electronic Protected Health Information (Security Rule) (45 CFR Part 160 and Subparts A and C of Part 164), and the Health Information Technology for Economic and Clinical Health Act (Title XIII, Subtitle D) and its implementing regulations (HITECH).

GENEICD IP means the Site, Platform, Service, Analytics, Deliverables, GENEICD Confidential Information, access credentials and all other Service-related documentation, data, know-how and information provided by GENEICD.

PHI means electronic and other “protected health information,” as such term is defined under HIPAA; provided PHI is understood to mean only the PHI that GENEICD creates, receives, maintains or transmits in providing the Service or Work for Customer.

Platform means the technology platform developed and/or used by GENEICD in providing the Service (including all related ideas, concepts, inventions, systems, hardware, software, interfaces, dashboards, tools, utilities, content, templates, forms, samples, techniques, methods, processes, algorithms, know-how, trade secrets and other technologies, implementations and information), and all corrections, improvements and extensions thereto.

Results means the charts, graphs, data, messages, reports and similar work products, if any, that are generated by GENEICD, which are based on Service Data and displayed, delivered or otherwise made available to Customer or Users as a result of using the Service.

Service means GENEICD’s application for laboratory, information, and data management (commonly referred to as a laboratory information management system) that is made available under these Terms of Service, as such application may be hosted in a cloud environment, branded and provided on a software-as-a-service basis from time to time by GENEICD. Among other things, the Service permits Customer and its Users to organize, track and share scientific, technical and/or clinical data. GENEICD may use online hosting services (such as, for example, Amazon Web Services) in connection with providing the Service (including without limitation, for the purposes of processing and storing Service Data).

Service Data means non-public information and data, including, without limitation, PHI, provided by or collected or learned from Customer and Users in connection with their use of the Service (including without limitation, scientific, technical and clinical data, and files and metadata).

Statement of Work means any written work statement that references these Terms of Service and that is acceptable to and executed by Customer and GENEICD, and which will include other information related to the Work (as the term is defined in Section 3) (such as, for example, task descriptions, schedules and payments).

Third Party Data means Service Data that is received from another User.

User means each of the named individuals who is specifically identified by Customer for onboarding and use of the Service under Customer’s Account.

3. SERVICE

License. So long as the Service is provided to Customer and subject to compliance with all Terms of Service, GENEICD will make the Service available to Customer and hereby grants to Customer a nonexclusive right and license: to access and use the Service through a web-based interface; and to permit identified Users to do the same under its Account. The GENEICD IP may be used only in unmodified form and solely for research and scientific purposes, clinical sample management and workflow management and Customer’s internal business purposes (which may include providing clinical laboratory services to third parties). Customer and Users’ access and use of the GENEICD IP shall comply with all other conditions that may be set forth in these Terms of Service or the Contract (such as, for example, restrictions regarding the number or identity of authorized Users, data formats, size limits, time limits or prohibited uses). From time to time, Customer and Users may (at their discretion) provide Feedback to GENEICD.

Account. GENEICD will provide Customer with access credentials (and/or a mechanism that permits Customer to specify access credentials) as needed to identify, authorize and designate roles for Users who will have rights (as appropriate to their roles) to establish, administer, configure, manage and use the Service through a Customer-specific account (Account). Customer and Users are responsible for maintaining the confidentiality of all Account information (including access credentials). Customer agrees to be liable for all activities under its Account. Customer and Users agree to keep all Account information up-to-date and to notify GENEICD immediately of any unauthorized use of their Account. Customer shall promptly notify GENEICD of Users who are no longer permitted to access and use the Service under Customer’s Account. Customer shall implement and comply with reasonable policies and methods to confirm and verify the actual identity of Users that will be registered to access and use the Service under its Account.

Resources. As between the parties, Customer and Users are responsible for ensuring the accuracy and completeness of Service Data that they provide, and for acquiring all: (a) consents, authorizations, permissions and other rights necessary for GENEICD to receive, access, copy, store, process, distribute, transmit, display and use Service Data as provided in these Terms of Service; (b) servers, storage, software, databases, network and communications systems and services needed by Customer and Users to access, manage and use the Service, Service Data and Results; and (c) backup, recovery, network security and maintenance services for Customer’s and Users’ internal systems (collectively, the Customer Resources).

Sharing Service Data. Using the Service, Users may share Service Data with other Users, and other Users may share Third Party Data. GENEICD does not review the substance of Service Data, Third Party Data or communications via the Service and does not control the use of Service Data that has been shared with other Users. Authentication of the true identity of Internet users is difficult, and so GENEICD cannot and does not confirm that any User is the person or entity who they claim to be. Accordingly, GENEICD makes no representation or warranty, and assumes no liability, regarding the accuracy, quality, integrity, legality, reliability or appropriateness of any Third Party Data. Customer and its Users agree to assume all risk and liability arising from (a) sharing their own Service Data (including any further distribution or use for an unintended purpose) and (b) using Third Party Data (including all results that are generated using Third Party Data).

Support Services. Using commercially reasonable efforts, GENEICD will: assist Customer to access, configure, verify and commence User operation of the Service under its Account; provide ongoing technical support for the Service (telephone, email or web-based), in accordance with its standard practices during normal business hours; and endeavor to analyze and resolve material errors. GENEICD has no obligation to operate or support any version of the Service other than the then current version. GENEICD may charge Customer in accordance with its then current policies for support services that result from problems, errors or inquiries related to the Service Data or Customer Resources.

Additional Services. From time to time, Customer may request and GENEICD may agree to provide certain additional implementation, integration, data analysis, development, training or other professional services related to the Service (Work). GENEICD agrees to undertake and use commercially reasonable efforts to complete the Work as described in the corresponding Statement of Work. GENEICD grants Customer a nonexclusive, nontransferable right and license (without right to sublicense) to use the resulting Deliverables solely in conjunction with authorized use of the Service, subject to the terms of these Terms of Service and other rights or restrictions set forth in the Statement of Work.

Third Party Services. Certain applications, platforms and services provided by third parties (collectively, Third Party Services) may be accessed from the Service. Third Party Services are not operated or controlled by GENEICD, and GENEICD shall not be responsible for the availability, accuracy or any other aspect of the content or function of Third Party Services. Additional or different terms and conditions (including without limitation, privacy and security practices) apply to the use of Third Party Services, and Customer and each User hereby agrees to comply with such terms and conditions when using Third Party Services.

Compliance. If the Service is being used in connection with Customer’s provision of clinical laboratory Services, then Customer, Users and GENEICD agree to comply with all federal, state and local laws, regulations and rules (including without limitation, HIPAA, the Physician Self-Referral Law (42 USC 1395nn), the federal Medicare/Medicaid Anti-Kickback Law and regulations promulgated thereunder). Without limiting the generality of the foregoing, it is neither a purpose nor requirement of these Terms of Service, the Contract or any other agreement between the parties to offer or receive any remuneration or benefit of any nature, to solicit, require, induce or encourage the referral of any patient, payment of which may be made in whole or in part by Medicare or Medicaid. No payment made or received under these Terms of Service is in return for the referral of patients or in return for the purchasing, leasing, ordering or arranging for or recommending the purchasing, leasing or ordering of any good, service, item or product for which payment may be made in whole or in part under Medicare or Medicaid.

Service Data Processing. GENEICD may de-identify Service Data such that any resulting information does not disclose any individually identifiable information, except in a de-identified, including de-identified PHI, (in accordance with 45 CFR § 164.514(a)-(c)) or aggregated form (combined with other data, results or measurements) (Converted Data). GENEICD shall then deliver such Converted Data to Customer, and Customer shall own all rights, title, and interest in and to the Converted Data that GENEICD delivers, subject to the license granted to GENEICD under Section 6.

4. PAYMENTS

Fees. Customer shall pay GENEICD the fees described in the Contract and each Statement of Work, in the amounts and at the times set forth therein, and as otherwise stated in these Terms of Service. Fees may be specified as being payable in advance or in arrears; fees may be fixed, contingent or variable (e.g., depending on usage factors or per sample charges); and fees may be specified on a recurring basis (e.g., subscription fees and/or usage fees, which may be payable monthly, quarterly or annually) or non-recurring basis (e.g., one-time activation fees).

Recurring Fees. Recurring fees (e.g., subscription fees and/or usage fees) must be paid by an automatic payment method (credit card or ACH bank transfer). Generally, recurring fees will be billed monthly, in arrears. Customers will receive notice (by email) of all recurring fees (whether from GENEICD or from a partner of GENEICD) for the current billing period by the third business day of the following month. If Customer does not dispute the charges within 15 calendar days, then GENEICD will process the automatic payment. Customer hereby accepts all credit card charges that comply with these Terms of Service.

Payment Terms. Unless specified otherwise, all amounts due hereunder shall be paid in full (without deduction, set-off or counterclaim) within 30 days after invoice in US dollars at GENEICD’s address or to an account specified by GENEICD. Past due amounts shall bear a late payment charge, until paid, at the rate of 1.5% per month or the maximum amount permitted by law, whichever is less. If any payment is past due, GENEICD shall have the right to take whatever action it deems appropriate (including without limitation, disabling the Account, suspending User access to the Service, requiring payment in advance or terminating the Contract pursuant to Section 10). Customer agrees to reimburse GENEICD for all costs (including attorneys’ fees) incurred in collecting late payments.

Taxes. All payments required by these Terms of Service are exclusive of federal, state, local and foreign taxes, duties, tariffs, levies, withholdings and similar assessments (including without limitation, sales taxes, use taxes and value added taxes), and Customer agrees to bear and be responsible for the payment of all such charges, excluding taxes based upon GENEICD’s net income. All amounts due hereunder shall be grossed-up for any withholding taxes imposed by any foreign government. If Customer claims exemption from any tax, then it shall furnish GENEICD with a valid tax exemption certificate issued by or acceptable to the applicable taxing jurisdiction or entity.

5. CONFIDENTIALITY

Scope. The term Confidential Information means all trade secrets, know-how, inventions, software and other financial, business, scientific, clinical or technical information and data disclosed by or for a party in connection with using or providing the Service. The restrictions on use and disclosure of Confidential Information will not apply to any information or data that the receiving party can demonstrate is (a) rightfully furnished to it without restriction by a third party, (b) generally available to the public without breach of these Terms of Service or (c) independently developed by it without reliance on such information or data. For clarity, all Service Data will be treated as Customer’s or User’s Confidential Information, and all Feedback, GENEICD IP and pricing information will be treated as GENEICD’s Confidential Information.

Confidentiality. Except for the specific rights granted by these Terms of Service, and except for disclosures that are necessary to comply with any legal, regulatory, law enforcement or similar requirement or investigation, the receiving party shall not access, reproduce, use or disclose any of the other party’s Confidential Information without its written consent, and shall use reasonable care to protect the other’s Confidential Information from unauthorized access, use and disclosure (including by ensuring that its personnel who access any Confidential Information have a need to know for the permitted purpose and are bound by written obligations that are at least as protective as these Terms of Service). Each party shall be responsible for any breach of confidentiality by its personnel (including Users, in the case of Customer). Promptly after any termination (or at the disclosing party’s request at any other time), the receiving party shall, unless otherwise agreed, return all of the other’s tangible Confidential Information, erase Confidential Information from any storage media and destroy information, records and materials developed therefrom (except Confidential Information stored in accordance with automated backup procedures in the ordinary course of business). Each party may disclose only the general nature, but not the specific terms, of any Contract without the prior consent of the other party; provided, Customer or GENEICD may provide a copy of the Contract or otherwise disclose its terms in connection with any legal or regulatory requirement, audit, financing transaction or due diligence inquiry.

PHI. If and only if (a) Customer is a Covered Entity, (b) Customer notifies GENEICD in writing that all or any part of the Service Data constitutes PHI and (c) GENEICD qualifies as a Business Associate of Customer as a result of the Service and/or Work provided hereunder, then the terms and conditions in the Business Associate Agreement shall apply as of the date all such conditions are met (BAA Effective Date). Otherwise, the Business Associate Agreement shall not have any force or effect.

Compelled Disclosures. These restrictions will not prevent either party from complying with any law, regulation, court order, demand by law enforcement or other legal requirement or investigation that purports to compel disclosure of any Service Data or other Confidential Information. The receiving party will promptly notify the disclosing party upon learning of any such legal requirement, and cooperate with the disclosing party in the exercise of its right to protect the confidentiality of the Confidential Information before any tribunal or governmental agency.

6. PROPRIETARY RIGHTS

Customer and Users. Customer and each User hereby grants GENEICD a nonexclusive, royalty-free, worldwide right and license: to access, copy, store, process, distribute, transmit, display and use their Service Data to generate Results and otherwise to provide the Service to Customer and all Users under Customer’s Account; to copy, store, process and use Service Data to develop, improve, extend and test the Platform and Service; to design, develop, distribute, commercialize and use Analytics in a manner that does not disclose the identity of Customer, any User or any individual identified in the Service Data. Customer and each User hereby grants and agrees to grant an irrevocable, perpetual, worldwide, royalty-free, right and license: (i) to freely access, copy, store, process, distribute, transmit, display Converted Data; (ii) use and disclose Converted Data for GENEICD’s business purposes; (iii) to copy, store, process and use Converted Data to develop, improve, extend and test the Platform and Service; and (iv) to copy, store, process and use Converted Data to design, develop, distribute, commercialize and use Analytics. GENEICD’s rights and license to use the Converted Data shall be exclusive, except that Customer may use the Converted Data solely for its internal business purposes. Customer and each applicable User hereby grants to GENEICD all necessary permissions (including without limitation, any permission required under HIPAA) for GENEICD to engage and work with trusted third parties to provide the Service, and Customer and each applicable User hereby agrees to secure any necessary third party permissions and individual authorizations. 
Except for the foregoing, no other right, license or option is granted, no other use is permitted and Customer or the applicable User (as the case may be) owns and retains all rights, title and interests (including without limitation, patent rights, copyright rights, trade secret rights and trademark rights) in and to the Results, Service Data, and Converted Data. Unless and only to the extent expressly agreed otherwise by GENEICD and Customer in writing, Customer shall not be entitled to any revenue, royalties, or other compensation for GENEICD’s own use or disclosure of Converted Data. For the avoidance of doubt, Analytics shall not be understood to be the same as or overlap with Converted Data, as GENEICD owns and retains all rights, title and interests (including without limitation, patent rights, copyright rights, trade secret rights and trademark rights) in and to the Analytics, and Customer owns and retains all rights, title and interests to Converted Data.

GENEICD. Except for the limited rights and licenses expressly granted hereunder, no other right, license or option is granted, no other use is permitted and (as between the parties) GENEICD owns and retains all rights, title and interests (including without limitation, patent rights, copyright rights, trade secret rights and trademark rights) in and to the GENEICD IP. Customer agrees that GENEICD is free to use the Feedback, and all generalized knowledge, expertise, know-how and technologies related to or acquired in providing the Service, in any manner for all purposes (including developing new or improved products and services).

Restrictions. Customer and Users shall not, directly or indirectly (a) use any of GENEICD’s Confidential Information to create any software, platform, service or documentation that is similar to any of the GENEICD IP, (b) attempt to access any Platform component or to disassemble, decompile, reverse engineer or use any other means to discover any source code or underlying organization, structures, ideas or algorithms within the Platform (except and only to the extent these restrictions are expressly prohibited by applicable statutory law) or to circumvent any technological measure that controls access thereto, (c) encumber, sublicense, distribute, transfer, rent, lease, lend, access or use any GENEICD IP in any time-share, service bureau or similar arrangement, (d) copy, adapt, combine, create derivative works of, translate, localize, port or otherwise modify any GENEICD IP, (e) use or allow the transmission, transfer, export, re-export or other transfer of any product, technology or information it obtains or learns using the Service (or any direct product thereof) in violation of any export control or other laws and regulations of the United States or any other relevant jurisdiction or (f) permit any third party to do any of the foregoing.

Third Party Software. The Platform may interface, inter-operate, link or be delivered with or include software or other technology (In-Licensed Code) that is licensed from and owned by third parties (In-Licensors), the use of which may be subject to additional or different terms set forth in the applicable open source or proprietary license (In-License). Customer and each User unconditionally agrees that the In-Licensors (a) make no representation or warranty concerning the In-Licensed Code or GENEICD IP, (b) have no obligation or liability as a result of these Terms of Service and (c) are intended third party beneficiaries of these Terms of Service in respect of their respective In-Licensed Code. Upon specific written request received prior to the third anniversary of Acceptance, GENEICD will make available the source code for In-Licensed Code, but only if doing so is required by the applicable In-License.

7. LIMITED WARRANTIES AND DISCLAIMERS

Customer and Users. Customer and each User warrants to GENEICD that the access, transfer, collection, processing, distribution and use of Service Data and Converted Data as described in these Terms of Service complies with and will not violate applicable laws, regulations, rules or proprietary rights (including without limitation, professional and scientific standards, copyrights and rights regarding privacy, publicity and defamation). Customer and each User warrants to GENEICD that the Service Data it provides is accurate and complete and that Customer and each User has obtained all consents, authorizations, permissions and other rights necessary for GENEICD to receive, access, copy, store, process, distribute, transmit, display and use Service Data and Converted Data as provided in these Terms of Service.

GENEICD. GENEICD warrants to Customer that all Work will be provided in a professional manner and that it will use commercially reasonable efforts to maintain the Service available to Users at all times, subject to downtimes for scheduled maintenance, upgrades, repairs, security issues and emergency outages. GENEICD will not be responsible for any delay, degradation or failure in the Service resulting from or attributable to (a) unusually high usage volumes, (b) failures in Customer Resources or any third party’s services, networks or systems, (c) Customer’s or any User’s or third party’s negligence, acts or omissions, (d) any force majeure or other cause beyond GENEICD’s reasonable control or (e) unauthorized access to the Service, breach of firewalls or other hacking.

Disclaimers. EXCEPT AS EXPRESSLY SPECIFIED HEREIN, THE RESULTS, WORK, SERVICE AND OTHER GENEICD IP ARE PROVIDED “AS IS” AND “AS AVAILABLE”, WITHOUT REPRESENTATION OR WARRANTY OF ANY KIND. FOR CLARITY, GENEICD AND ITS LICENSORS DO NOT WARRANT THAT: (A) ANY INFORMATION WILL BE TIMELY, ACCURATE, RELIABLE OR CORRECT; (B) THE WORK, SERVICE OR OTHER GENEICD IP OR RESULTS WILL BE ERROR-FREE, UNINTERRUPTED, SECURE OR AVAILABLE AT ANY PARTICULAR TIME OR PLACE; (C) ANY DEFECTS OR ERRORS WILL BE CORRECTED; OR (D) THE WORK, SERVICE OR OTHER GENEICD IP OR RESULTS WILL MEET CUSTOMER’S OR ANY USER’S REQUIREMENTS OR THAT ANY OUTCOME CAN BE ACHIEVED. TO THE FULLEST EXTENT PERMITTED BY LAW, GENEICD HEREBY DISCLAIMS (FOR ITSELF AND ITS LICENSORS) ALL OTHER REPRESENTATIONS AND WARRANTIES, WHETHER EXPRESS OR IMPLIED, ORAL OR WRITTEN, WITH RESPECT TO THE RESULTS, WORK, SERVICE AND OTHER GENEICD IP, INCLUDING WITHOUT LIMITATION, ALL IMPLIED WARRANTIES OF TITLE, NON-INFRINGEMENT, QUIET ENJOYMENT, ACCURACY, INTEGRATION, MERCHANTABILITY OR FITNESS FOR ANY PARTICULAR PURPOSE AND ALL WARRANTIES ARISING FROM ANY COURSE OF DEALING, COURSE OF PERFORMANCE OR USAGE OF TRADE.

8. INDEMNIFICATION

Customer. Customer agrees to defend GENEICD against any demand, suit, action or other claim by any third party (including any User under its Account) that is related to any Service Data provided by Customer or Users or any breach of Customer’s or any User’s obligations or warranties under these Terms of Service, and to indemnify GENEICD for liabilities (as specified in settlements or judgment awards) that result from such claims.

GENEICD. GENEICD agrees to defend Customer and Users (Customer Indemnitees) against any demand, suit, action or other claim by any third party that the Service or any Deliverable misappropriates or infringes its intellectual property rights, and to indemnify Customer Indemnitees for liabilities (as specified in settlements or judgment awards) that result from such claims. If the Service or any Deliverable becomes or, in GENEICD’s opinion, is likely to become the subject of an injunction or other claim preventing its use as contemplated herein, GENEICD may, at its option and expense (a) obtain the rights needed to continue providing the Service or using the Deliverable, or (b) replace or modify the Service or Deliverable without substantially compromising its principal functions. If (a) and (b) are not reasonably available, then GENEICD may (c) upon written notice to Customer, terminate Customer’s Account and stop providing the Service to Users, and refund to Customer any prepaid fees, prorated for the remainder of the prepaid period. The foregoing states the entire liability of GENEICD, and Customer’s and each User’s exclusive remedy, with respect to any actual or alleged violation of intellectual property or proprietary rights by the GENEICD IP or Work, any part thereof or their use or operation.

Exclusions. GENEICD shall have no liability or obligation hereunder with respect to any claim attributable to (a) any use of the GENEICD IP by Customer or any User not strictly in accord with these Terms of Service, or in an application or environment or on a platform or with devices for which it was not designed or contemplated or (b) alterations, combinations or enhancements of the GENEICD IP not created by GENEICD.

Conditions. The indemnifying party’s obligations hereunder are conditioned on (a) the party seeking indemnification providing prompt written notice thereof and reasonable cooperation, information, and assistance in connection therewith and (b) the indemnifying party having sole control and authority to defend, settle or compromise such claim. The indemnified party may participate in the defense at its sole cost and expense. The indemnifying party will not enter into any settlement (other than for payment of money subject to its indemnity) that adversely affects the indemnified party’s rights or interests without its prior written approval, not to be unreasonably withheld. The indemnifying party shall not be responsible for any settlement it does not approve in writing.

9. LIMITATION OF LIABILITY

EXCEPT TO THE EXTENT THAT ANY EXCLUSION OR LIMITATION OF LIABILITY IS VOID, PROHIBITED OR UNENFORCEABLE BY APPLICABLE LAW, AND EXCEPT FOR LIABILITIES TO THIRD PARTIES PURSUANT TO SECTION 8 (INDEMNIFICATION): IN NO EVENT SHALL GENEICD (OR ITS LICENSORS), CUSTOMER OR ANY USER BE LIABLE CONCERNING THE SUBJECT MATTER OF THE CONTRACT OR THESE TERMS OF SERVICE, REGARDLESS OF THE FORM OF ANY CLAIM OR ACTION (WHETHER IN CONTRACT, NEGLIGENCE, STRICT LIABILITY OR OTHERWISE), FOR ANY (A) LOSS OF DATA, LOSS OR INTERRUPTION OF USE, OR COST TO PROCURE SUBSTITUTE TECHNOLOGIES, GOODS OR SERVICES OR (B) INDIRECT, PUNITIVE, INCIDENTAL, RELIANCE, SPECIAL, EXEMPLARY OR CONSEQUENTIAL DAMAGES, INCLUDING WITHOUT LIMITATION, LOSS OF BUSINESS, REVENUES, PROFITS OR GOODWILL; AND GENEICD (AND ITS LICENSORS) SHALL NOT BE LIABLE TO CUSTOMER OR ANY USER FOR AGGREGATE DAMAGES IN EXCESS OF THE FEES IT, HE OR SHE (AS THE CASE MAY BE) PAID TO GENEICD DURING THE PRIOR 12 MONTHS OR US$25.00, WHICHEVER IS GREATER; EVEN IF IT HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. THESE LIMITATIONS ARE INDEPENDENT FROM ALL OTHER PROVISIONS OF THESE TERMS OF SERVICE AND SHALL APPLY NOTWITHSTANDING THE FAILURE OF ANY REMEDY PROVIDED HEREIN.

FOR USERS ONLY: SOME STATES AND OTHER JURISDICTIONS DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THE ABOVE LIMITATIONS AND EXCLUSIONS MAY NOT APPLY TO YOU.

10. TERM AND TERMINATION

Term. Unless as otherwise specified in the Contract, Customer’s and its Users’ ability to access the Platform and use the Service shall commence on the date of Customer’s acceptance of the proposal for GENEICD Lab Portal in the Contract and continue in effect on a month-to-month basis after the Go Live date (as the term is defined in the Contract). Unless as otherwise specified in the Contract, the Contract (subject to these Terms of Service) will be extended automatically on a month-to-month basis until terminated by Customer or GENEICD. Unless as otherwise specified in the Contract, Customer or GENEICD may terminate the Contract by giving at least 30 days prior written notice (email being sufficient) to the other. Users may discontinue their use of the Service at any time upon giving written notice to Customer.

Termination. The Contract may be earlier terminated by either party if the other party breaches any material provision of these Terms of Service and fails to cure such breach within 30 days (10 days in the case of payment issues) after receiving written notice of such breach from the non-breaching party.

Effects of Termination. Upon any expiration or termination of the Contract, all rights, obligations and licenses of the parties shall cease, except that the following shall survive: all obligations that accrued prior to the effective date of termination (including payment obligations); all remedies for any breach of these Terms of Service; and the provisions of Sections 4 (Payments), 5 (Confidentiality), 6 (Proprietary Rights), 7 (Limited Warranties and Disclaimers), 8 (Indemnification), 9 (Limitation of Liability), 11 (General Provisions) and this Section 10. GENEICD has no obligation to retain any Service Data after any expiration or termination, except that GENEICD will transmit a copy of the Service Data to Customer and/or applicable User if requested in writing within 30 days after the effective date of termination.

11. GENERAL PROVISIONS

Entire Agreement. These Terms of Service (including then current Policies), together with the Contract and, if any, all Statements of Work, constitute the entire agreement, and supersede all prior negotiations, understandings or agreements (oral or written), among the parties regarding the subject matter hereof (and all past dealing or industry custom). Any additional, different or inconsistent terms on any related purchase order, even if signed by the parties hereafter, shall have no effect under these Terms of Service. In the event of any conflict or inconsistency between the terms set forth in these Terms of Service and the Contract, the terms in the Contract shall control as between GENEICD and Customer. Except as expressly provided herein, no change, consent or waiver under these Terms of Service will be effective unless in writing and signed by the party against which enforcement is sought. The failure of any party to enforce its rights under these Terms of Service at any time, for any period will not be construed as a waiver of such rights, and the exercise of one right or remedy will not be deemed a waiver of any other right or remedy. If any provision of these Terms of Service is determined to be illegal or unenforceable, that provision will be limited or eliminated to the minimum extent necessary so that these Terms of Service will otherwise remain in full force and effect and enforceable. These Terms of Service are in English only, which language shall be controlling in all respects. No version of these Terms of Service in another language shall be binding or of any effect.

Governing Law. The parties’ rights and obligations under the Contract and these Terms of Service shall be governed by and construed in accordance with the laws of the Commonwealth of Arizona, USA, without regard to its conflicts of law provisions. In the event of any conflict between US and foreign laws, regulations and rules, US laws, regulations and rules shall govern. Neither the United Nations Convention on Contracts for the International Sale of Goods nor the implementation of the Computer Information Transactions Act in any jurisdiction shall apply to these Terms of Service.

Dispute Resolution. A printed version of these Terms of Service (and any Policy) and of any notice given in electronic form shall be admissible in judicial or administrative proceedings based upon or relating to the Service, Contract or these Terms of Service (including any Policy) to the same extent and subject to the same conditions as other business documents and records originally generated and maintained in printed form. Customer, Users and GENEICD agree that any claim or cause of action arising out of or related to the Service, Contract or these Terms of Service (including any Policy) must be commenced within 1 year after the claim or cause of action arose. Otherwise, such claim or cause of action is permanently barred.

Except that either party may seek an injunction or other equitable relief from any court of competent jurisdiction (as described below), all disputes between the parties arising out of or in relation to or in connection with the Service, Contract or these Terms of Service (including any Policy) shall be settled by binding arbitration in accordance with the JAMS streamlined arbitration rules and procedures then in force, by one neutral arbitrator appointed in accordance with the rules. The arbitration shall take place in Phoenix, Arizona, USA. The proceedings shall be in English, all evidence shall be in English (or translated into English) and the governing law shall be as set forth herein. The arbitrator’s decision shall be in writing and shall comply with all terms and conditions in the applicable version of these Terms of Service and the Contract. The decision and award rendered shall be final and binding on all parties. The parties acknowledge and agree that the Terms of Service and any award rendered pursuant hereto shall be governed by the UN Convention on the Recognition and Enforcement of Foreign Arbitral Awards. Judgment on the award may be entered in any court of competent jurisdiction.

ANY ARBITRATION UNDER THESE TERMS OF SERVICE WILL TAKE PLACE ONLY ON AN INDIVIDUAL BASIS; CLASS ARBITRATIONS AND CLASS ACTIONS ARE NOT PERMITTED. CUSTOMER, USERS AND GENEICD UNDERSTAND AND AGREE THAT BY ENTERING INTO THE CONTRACT AND THESE TERMS OF SERVICE, EACH PARTY IS WAIVING THE RIGHT TO TRIAL BY JURY AND TO PARTICIPATE IN A CLASS ACTION.

Use of the Service is not authorized in any jurisdiction that does not give effect to all provisions of the Terms of Service, including without limitation, this section.

International Use. GENEICD makes no representation or warranty that the Service is appropriate or legally available for use in locations outside the United States, and accessing and using the Service is prohibited from places where doing so would be illegal. Accessing or using the Service from other locations may be done at Customer’s or applicable User’s own initiative and Customer or such User shall be liable for compliance with all local laws. Customer and each User hereby expressly consents to GENEICD’s processing of Service Data in accordance with these Terms of Service. Customer and each User understands and agrees that Service Data may be stored and processed in (or transferred from) the country where it was collected and the United States, and that United States laws regarding the collection, storage, processing and onward transfer of information may be less stringent than the laws where Customer is located. Customer and each User agrees that each person who accesses or uses the Service through its Account or his/her credentials (and each person whose information is included in Service Data) has given express consent to the collection, storage, processing, transfer, distribution, display and use of his or her personal data as provided herein.

Remedies. Except as expressly specified otherwise herein, each right and remedy in these Terms of Service is in addition to any other right or remedy, at law or in equity. Each party agrees that, in the event of any breach or threatened breach of Section 5 or 6, the non-breaching party will suffer irreparable damage for which it will have no adequate remedy at law. Accordingly, the non-breaching party shall be entitled to injunctive and other equitable remedies to prevent or restrain such breach or threatened breach, without the necessity of proving actual damages or posting any bond.

Notices. All notices under these Terms of Service will be in writing, in English and delivered to the parties at their respective addresses stated herein or in the Contract (or, in the case of Users, as provided during registration), or at such other address designated by written notice. Notices will be deemed to have been duly given and effective: when receipt is electronically confirmed, if transmitted by facsimile or email; or when received, if personally delivered or sent by overnight courier or certified or registered mail, return receipt requested.

Notices to GENEICD should be sent to the following address:

GENEICD INC
Attn: CEO
3370 N Hayden Rd Ste 123, Box #169
Scottsdale, AZ 85251 USA

legal@geneicd.com



Publicity. Customer hereby consents to inclusion of its name and logo in customer lists and presentation materials that may be published and distributed as part of GENEICD’s marketing and promotional efforts. From time to time upon request, Customer agrees to provide GENEICD with reasonable cooperation and assistance in connection with other marketing efforts (such as, for example, by acting as a reference, issuing press releases and providing written or videotaped customer testimonials and case studies, with statements attributed to a named employee of Customer). Except for the foregoing or as required by any applicable law or regulation, neither Customer, User nor GENEICD may issue any press release or other public announcement concerning the arrangements under these Terms of Service, or use the other party’s names, trademarks or logos, without the applicable other party’s prior written consent, not to be unreasonably delayed, conditioned or withheld.

Assignment. These Terms of Service and the performance contemplated hereunder are personal to each User and Users shall not have the right or ability to subcontract, delegate, assign or otherwise transfer any rights or obligations under this Agreement without the prior written consent of Customer and GENEICD. The Contract, these Terms of Service and the rights and obligations therein and herein may not be assigned, in whole or in part, by Customer or GENEICD without the other’s prior written consent, not to be unreasonably withheld. However, without consent, GENEICD may subcontract performance of all or any part of the Service or Work, and GENEICD and Customer may assign these Terms of Service together with the Contract (but not separately), and all of its rights and obligations hereunder and thereunder, to any of its affiliates or to any successor to all or substantially all of its business which concerns the Contract (whether by sale of assets or equity, merger, consolidation, reorganization or otherwise). The Contract and these Terms of Service shall be binding upon, and inure to the benefit of, the successors, representatives and permitted assigns of the parties.

Force Majeure. No party shall be liable for any delay or failure in performing its obligations hereunder that arises out of any cause, condition or circumstance beyond its reasonable control.

Business associates. The parties shall be liable under the Contract and these Terms of Service (including under the BAA and other Policies), and nothing herein will constitute either party as the employer, employee, agent or representative of the other party for any purpose; provided, the foregoing is not intended to modify or limit any prior employment or other arrangement between Customer and any of the Users.

Government. Products within the GENEICD IP are commercial products, developed solely at private expense and proprietary to GENEICD, Inc. and its licensors. If Customer is an agency, department or other entity of the United States Government or if any User is accessing and using the Service on behalf of or for the benefit of any such entity, then the use, duplication, reproduction, modification, release, disclosure or transfer of GENEICD IP is restricted in accordance with FAR 12.212 for civilian agencies and DFAR 227.7202 for military agencies. The Platform is “commercial computer software”, the documentation is “commercial computer software documentation”, and their use is further restricted in accordance with these Terms of Service.

Privacy Policy
Last Updated: May 20th, 2021

We want to let you know about what we do with information we collect from you, how it is used, and other details about privacy.

This Privacy Policy discloses the privacy practices of our websites, software, and services (collectively, “Our Products & Services” or “Services”). This Privacy Policy applies to any type of access we make available to you for Our Products & Services, such as websites, applications on your electronic devices, through APIs, and through third parties.

1. COLLECTION

a. We need some information from you in order to provide Our Products & Services and you understand that we have access to and collect information that you voluntarily give us via the enrollment process, your emails to us, or other direct contact from you. We also collect information related to your usage and access of our Services.

b. We use technology like cookies to provide and improve Our Products & Services. For example, cookies help us with things like remembering your username for your next visit, understanding how you are interacting with Our Products & Services, and improving them based on that information. You can set your browser to not accept cookies, but this may limit your ability to use Our Products & Services.

2. USE AND SHARING

a. In general, we will use your information to communicate with you, to provide Our Products & Services, and to facilitate collaboration between you and other users.

b. We will not sell your information in personally identifiable form to any third party outside of our company and in general only share such information with outsiders as necessary to fulfill your requests, such as to respond to inquiries about content or troubleshooting technology issues, and as needed to provide Our Products & Services.

c. We may de-identify information such that the resulting de-identified data, including de-identified protected health information (PHI), is not individually identifiable information as provided in 45 CFR § 164.514, and we may provide such data in de-identified or aggregated form (combined with other data, results or measurements) to our partners. However, we never disclose aggregate usage or de-identified information to a partner (or allow a partner to collect such information) in a manner that would identify you or any other individual.

d. If you are using Our Products & Services as part of a team, your team leader may have the ability to limit your access and control of Our Products & Services. Please be aware that employers, team leaders, or other administrators that you work under may place limitations, restrictions, licenses, or other controls on your use, and may see or otherwise be provided access to information that you provide to us. We cannot be responsible for the internal agreements, policies, or practices of your university, employer, or team (for example, related to sharing of protected health information (PHI) or other confidential or proprietary data). It is your responsibility to review and ensure you are complying with those agreements, policies, and practices. If you have concerns about any of these types of entities or individuals being provided that information, please review those agreements, policies, and practices, and be mindful of the teams you join or invite others to.

e. In order to cooperate with legitimate governmental requests, subpoenas or court orders, to protect Our Products & Services and other users, or to ensure the integrity and operation of Our Products & Services, we may access and disclose any information we consider necessary or appropriate, including, but not limited to, IP addresses and traffic information, usage history, and uploaded content.

3. SECURITY

We are continuously monitoring and developing ways to keep your information secure. For example, our GENEICD client APIs and applications use industry standard secure encryption for all communications with our Services. We also continue to work on features, including encryption of files at rest, to keep your information secure. If you wish to protect your data during transmission, it is your responsibility to use a securely encrypted connection to communicate with our Services.

4. RETENTION OF YOUR INFORMATION

We will retain information you store on Our Products & Services for as long as we need it to provide you Our Products & Services. If you delete your account, we will also delete this information. But please note: (1) there might be some latency in deleting this information from our servers and back-up storage; and (2) we may retain this information if necessary to comply with our legal obligations, resolve disputes, or enforce our agreements.

5. THIRD PARTY LINKS

From time to time, Our Products & Services may provide links or other access to third parties. Please be aware that we are not responsible for the content or privacy practices of such third parties. We encourage our users to be aware when they leave Our Products & Services and to read the privacy statements of any third parties that collect personally identifiable information.

6. TERMS OF SERVICE

For more information about using Our Products & Services, please refer to our Terms of Service for information on our other policies and guidelines regarding use of Our Products & Services. Although we do not think it would happen, in the event of any conflicting terms, the Terms of Service are controlling over this Privacy Policy.

8. CONTACT

If you have questions or concerns about this Privacy Policy or any of Our Products & Services, you can contact us via email at support@geneicd.com

Risk Management Policies
Last Updated: May 20th, 2021

  1. It is the policy of GENEICD to conduct thorough and timely risk assessments of the potential threats and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI) (and other confidential and proprietary electronic information) it stores, transmits, and/or processes for its Customers and to develop strategies to efficiently and effectively mitigate the risks identified in the assessment process as an integral part of GENEICD’s information security program.

  2. Risk analysis and risk management are recognized as important components of GENEICD’s corporate compliance program and information security program in accordance with the Risk Analysis and Risk Management implementation specifications within the Security Management standard and the evaluation standards set forth in the HIPAA Security Rule, 45 CFR 164.308(a)(1)(ii)(A), 164.308(a)(1)(ii)(B), 164.308(a)(1)(i), and 164.308(a)(8).

    1. Risk assessments are done throughout product life cycles:

    2. Before the integration of new system technologies and before changes are made to GENEICD physical safeguards; and

      • These changes do not include routine updates to existing systems, deployments of new systems created based on previously configured systems, deployments of new Customers, or new code developed for operations and management of the GENEICD Platform.

    3. While making changes to GENEICD physical equipment and facilities that introduce new, untested configurations.

    4. GENEICD performs periodic technical and non-technical assessments of the security rule requirements as well as in response to environmental or operational changes affecting the security of ePHI.

  3. GENEICD implements security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to:

    1. Ensure the confidentiality, integrity, and availability of all ePHI GENEICD receives, maintains, processes, and/or transmits for its Customers;

    2. Protect against any reasonably anticipated threats or hazards to the security or integrity of Customer ePHI;

    3. Protect against any reasonably anticipated uses or disclosures of Customer ePHI that are not permitted or required; and

    4. Ensure compliance by all workforce members.

  4. Any risk remaining (residual) after other risk controls have been applied requires sign-off by senior management and GENEICD’s Security Officer.

  5. All GENEICD workforce members are expected to fully cooperate with all persons charged with doing risk management work, including contractors and audit personnel. Any workforce member who violates this policy will be subject to disciplinary action based on the severity of the violation according to GENEICD’s policies, as outlined in the GENEICD Policy Management Policy.

  6. The implementation, execution, and maintenance of the information security risk analysis and risk management process is the responsibility of GENEICD’s Security Officer (or other designated employee), and the identified Risk Management Team.

  7. All risk management efforts, including decisions made on what controls to put in place as well as those to not put into place, are documented and the documentation is maintained for six years.

Risk Management Procedures

Risk Assessment: The intent of completing a risk assessment is to determine potential threats and vulnerabilities and the likelihood and impact should they occur. The output of this process helps to identify appropriate controls for reducing or eliminating risk.

  • Step 1. System Characterization

    • The first step in assessing risk is to define the scope of the effort. To do this, identify where ePHI is received, maintained, processed, or transmitted. Using information-gathering techniques, the GENEICD Platform boundaries are identified.

    • Output – Characterization of the GENEICD Platform system assessed, a good picture of the Platform environment, and delineation of Platform boundaries.

  • Step 2. Threat Identification

    • Potential threats (the potential for threat-sources to successfully exercise a particular vulnerability) are identified and documented. Consider all potential threat-sources through the review of historical incidents and data from intelligence agencies, the government, etc., to help generate a list of potential threats.

    • Output – A threat list containing a list of threat-sources that could exploit Platform vulnerabilities.

  • Step 3. Vulnerability Identification

    • Develop a list of technical and non-technical Platform vulnerabilities that could be exploited or triggered by potential threat-sources. Vulnerabilities can range from incomplete or conflicting policies that govern an organization’s computer usage to insufficient safeguards to protect facilities that house computer equipment to any number of software, hardware, or other deficiencies that comprise an organization’s computer network.

    • Output – A list of the Platform vulnerabilities (observations) that could be exercised by potential threat-sources.

  • Step 4. Control Analysis

    • Document and assess the effectiveness of technical and non-technical controls that have been or will be implemented by GENEICD to minimize or eliminate the likelihood / probability of a threat-source exploiting a Platform vulnerability.

    • Output – List of current or planned controls (policies, procedures, training, technical mechanisms, insurance, etc.) used for the Platform to mitigate the likelihood of a vulnerability being exercised and reduce the impact of such an adverse event.

  • Step 5. Likelihood Determination

    • Determine the overall likelihood rating that indicates the probability that a vulnerability could be exploited by a threat-source given the existing or planned security controls.

    • Output – Likelihood rating of low (.1), medium (.5), or high (1). Refer to the NIST SP 800-30 definitions of low, medium, and high.

  • Step 6. Impact Analysis

    • Determine the level of adverse impact that would result from a threat successfully exploiting a vulnerability. Factors of the data and systems to consider should include the importance to GENEICD’s mission; sensitivity and criticality (value or importance); costs associated; loss of confidentiality, integrity, and availability of systems and data.

    • Output – Magnitude of impact rating of low (10), medium (50), or high (100). Refer to the NIST SP 800-30 definitions of low, medium, and high.

  • Step 7. Risk Determination

    • Establish a risk level. By multiplying the ratings from the likelihood determination and impact analysis, a risk level is determined. This represents the degree or level of risk to which an IT system, facility, or procedure might be exposed if a given vulnerability were exercised. The risk rating also presents actions that senior management must take for each risk level.

    • Output – Risk level of low (1-10), medium (>10-50) or high (>50-100). Refer to the NIST SP 800-30 definitions of low, medium, and high.

  • Step 8. Control Recommendations

    • Identify controls that could reduce the identified risks to an acceptable level or eliminate them, as appropriate to the organization’s operations. Factors to consider when developing controls may include effectiveness of recommended options (i.e., system compatibility), legislation and regulation, organizational policy, operational impact, and safety and reliability. Control recommendations provide input to the risk mitigation process, during which the recommended procedural and technical security controls are evaluated, prioritized, and implemented.

    • Output – Recommendation of control(s) and alternative solutions to mitigate risk.

  • Step 9. Results Documentation

    • Results of the risk assessment are documented in an official report, spreadsheet, or briefing and provided to senior management to make decisions on policy, procedure, budget, and Platform operational and management changes.

    • Output – A risk assessment report that describes the threats and vulnerabilities, measures the risk, and provides recommendations for control implementation.

Risk Mitigation: Risk mitigation involves prioritizing, evaluating, and implementing the appropriate risk-reducing controls recommended from the Risk Assessment process to ensure the confidentiality, integrity and availability of GENEICD Platform ePHI. Determination of appropriate controls to reduce risk is dependent upon the risk tolerance of the organization consistent with its goals and mission.

  • Step 1. Prioritize Actions

    • Using results from Step 7 of the Risk Assessment, sort the threat and vulnerability pairs according to their risk levels in descending order. This establishes a prioritized list of actions needing to be taken, with the pairs at the top of the list requiring the most immediate attention and top priority in allocating resources.

    • Output – Actions ranked from high to low

  • Step 2. Evaluate Recommended Control Options

    • Although possible controls for each threat and vulnerability pair are arrived at in Step 8 of the Risk Assessment, review the recommended control(s) and alternative solutions for reasonableness and appropriateness. The feasibility (e.g., compatibility, user acceptance, etc.) and effectiveness (e.g., degree of protection and level of risk mitigation) of the recommended controls should be analyzed. In the end, select a “most appropriate” control option for each threat and vulnerability pair.

    • Output – list of feasible controls

  • Step 3. Conduct Cost-Benefit Analysis

    • Determine the extent to which a control is cost-effective. Compare the benefit (e.g., risk reduction) of applying a control with its subsequent cost of application. Controls that are not cost-effective are also identified during this step. Analyzing each control or set of controls in this manner, and prioritizing across all controls being considered, can greatly aid in the decision-making process.

    • Output – Documented cost-benefit analysis of either implementing or not implementing each specific control

  • Step 4. Select Control(s)

    • Taking into account the information and results from previous steps, GENEICD’s mission, and other important criteria, the Risk Management Team determines the best control(s) for reducing risks to the information systems and to the confidentiality, integrity, and availability of ePHI. These controls may consist of a mix of administrative, physical, and/or technical safeguards.

    • Output – Selected control(s)

  • Step 5. Assign Responsibility

    • Identify the workforce members with the skills necessary to implement each of the specific controls outlined in the previous step, and assign their responsibilities. Also identify the equipment, training and other resources needed for the successful implementation of controls. Resources may include time, money, equipment, etc.

    • Output – List of resources, responsible persons and their assignments

  • Step 6. Develop Safeguard Implementation Plan

    • Develop an overall implementation or action plan and individual project plans needed to implement the safeguards and controls identified. The Implementation Plan should contain the following information:

      • Each risk or vulnerability/threat pair and risk level;

      • Prioritized actions;

      • The recommended feasible control(s) for each identified risk;

      • Required resources for implementation of selected controls;

      • Team member responsible for implementation of each control;

      • Start date for implementation;

      • Target date for completion of implementation;

      • Maintenance requirements.

    • The overall implementation plan provides a broad overview of the safeguard implementation, identifying important milestones and timeframes, resource requirements (staff and other individuals’ time, budget, etc.), interrelationships between projects, and any other relevant information. Regular status reports on the plan, along with key metrics and success indicators, should be provided to GENEICD Senior Management.

    • Individual project plans for safeguard implementation may be developed and contain detailed steps that assigned resources carry out to meet implementation timeframes and expectations. Additionally, consider including items in individual project plans such as a project scope, a list of deliverables, key assumptions, objectives, task completion dates and project requirements.

    • Output – Safeguard Implementation Plan

  • Step 7. Implement Selected Controls

    • As controls are implemented, monitor the affected system(s) to verify that the implemented controls continue to meet expectations. Elimination of all risk is not practical. Depending on individual situations, implemented controls may lower a risk level but not completely eliminate the risk.

    • Continually and consistently communicate expectations to all Risk Management Team members, as well as senior management and other key people throughout the risk mitigation process. Identify when new risks are identified and when controls lower or offset risk rather than eliminate it.

    • Additional monitoring is especially crucial during times of major environmental changes, organizational or process changes, or major facilities changes.

    • If risk reduction expectations are not met, then repeat all or a part of the risk management process so that additional controls needed to lower risk to an acceptable level can be identified.

    • Output – Residual Risk documentation

Risk Management Schedule: The two principal components of the risk management process – risk assessment and risk mitigation – will be carried out according to the following schedule to ensure the continued adequacy and continuous improvement of GENEICD’s information security program:

  • Scheduled Basis – an overall risk assessment of GENEICD’s information system infrastructure will be conducted annually. The assessment process should be completed in a timely fashion so that risk mitigation strategies can be determined and included in the corporate budgeting process.

  • Throughout a System’s Development Life Cycle – from the time that a need for a new, untested information system configuration and/or application is identified through the time it is disposed of, ongoing assessments of the potential threats to a system and its vulnerabilities should be undertaken as a part of the maintenance of the system.

  • As Needed – the Security Officer (or other designated employee) or Risk Management Team may call for a full or partial risk assessment in response to changes in business strategies, information technology, information sensitivity, threats, legal liabilities, or other significant factors that affect GENEICD’s Platform.

Process Documentation

Maintain documentation of all risk assessment, risk management, and risk mitigation efforts for a minimum of six years.

 

BUSINESS ASSOCIATE AGREEMENT
Last Updated: May 20th, 2021

1. SERVICE.

GENEICD INC (GENEICD or Business Associate) owns and operates the websites *.GENEICD.com (the Site), Platform and Service, which are accessed and used by its Customers and their Users to (among other things) organize, track and share scientific, technical and/or clinical data.

The following business associate agreement (BAA) explains GENEICD’s obligations as a “business associate” under the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations, including the Standards for the Privacy of Individually Identifiable Health Information (Privacy Rule) (45 CFR Part 160 and Subparts A and E of Part 164) and the Security Standards for the Protection of Electronic Protected Health Information (Security Rule) (45 CFR Part 160 and Subparts A and C of Part 164), and the Health Information Technology for Economic and Clinical Health Act (Title XIII, Subtitle D) and its implementing regulations (HITECH) (together HIPAA), if applicable. This BAA supplements the other terms and conditions that apply between Customer and GENEICD, which are detailed or referenced in the Terms of Service for GENEICD.

This BAA is intended to ensure that Business Associate and Customer will establish and implement appropriate safeguards where Business Associate may receive, create, maintain, use or disclose electronic or other “protected health information” as such term is defined under HIPAA (PHI), provided PHI is understood to mean only the PHI that Business Associate creates, receives, maintains or transmits in connection with the functions, activities and services that Business Associate performs on behalf of Customer solely to perform its duties and responsibilities under the Services Agreement (the  Services).

2. APPLICABILITY.

Customer and Business Associate agree that this BAA applies solely with respect to PHI that Business Associate creates, receives, accesses, uses, maintains or discloses in connection with performing the  Services; it does not apply to other information, including information that would meet the definition of PHI, that Business Associate may create, receive, access, use, maintain or disclose outside of performing the  Services.

3. DEFINITIONS.

  • Analytics means statistics, metrics, abstractions, rules, models, collections, combinations and other analyses that are based on or derived from the  Services or Service Data (including without limitation, measurements of  Service usage and performance), which are developed in a manner that does not disclose the identity of Customer, any User or any individual identified in the Service Data and that does not disclose any Service Data except in a de-identified (in accordance with 45 CFR §164.514(a)-(c)) or aggregated form (combined with other data, results or measurements).

  • Individual shall have the same meaning as the term “individual” in 45 CFR §160.103 and shall include a person who qualifies as a personal representative in accordance with 45 CFR §164.502(g).

  • Required By Law shall have the same meaning as the term “required by law” in 45 CFR §164.103.

  • Services Agreement shall mean the Contract between GENEICD and Customer, taken together with the Terms of Service.

  • User means each of the named individuals who is specifically identified by Customer for onboarding and use of the  Services under Customer’s Account.

  • Capitalized terms used but not defined herein have the meanings assigned to them in the Terms of Service or HIPAA, as the case may be.

4. PERMITTED AND REQUIRED USES AND DISCLOSURES.

a. Service Offerings. Business Associate may use or disclose PHI in connection with the performance of the  Services if such use or disclosure of PHI would not violate HIPAA if done by Customer or if such use or disclosure is expressly permitted under this BAA or the Services Agreement.

b. Administration and Management of  Services. Business Associate may use or disclose PHI received by Business Associate in its capacity as “business associate” of Customer for the proper management and administration of Business Associate. Any such disclosure of PHI shall only be made if Business Associate obtains reasonable assurances from the person to whom the PHI is disclosed that: (1) the PHI will be held confidentially and used or further disclosed only as required by law or for the purpose for which it was disclosed to the person; (2) Business Associate will be notified by such person of any instances of which it becomes aware in which the confidentiality of the PHI has been breached; and (3) the person will provide Business Associate appropriate notice and opportunity to object before disclosing PHI on the basis that such disclosure is required by law.

c. Disclosures Required By Law. Business Associate may only use or disclose PHI on the basis that such disclosure is required by law after notifying Customer’s Privacy Officer or his/her designee to allow an opportunity to object to the disclosure and to seek appropriate relief. If Customer objects to such disclosure, Business Associate shall, to the extent legally permitted, refrain from disclosing the PHI until Customer has exhausted all alternatives for relief. However, if Business Associate is unable to notify Customer for reasons beyond Business Associate’s control, Business Associate may disclose PHI on the basis that such disclosure is required by law so long as Business Associate provides immediate notice to Customer’s Privacy Officer or his/her designee following the disclosure.

d. Disclosure to Subcontractors. Business Associate shall ensure that any subcontractors that create, receive, maintain or transmit PHI on behalf of Business Associate agree, in a writing that complies with the requirements of 45 CFR §164.504(e)(2) through (e)(4), to be bound by the same restrictions and conditions that apply to Business Associate under this BAA with respect to such PHI, including, without limitation, implementing reasonable and appropriate safeguards to protect it.

e. Data Aggregation. To the extent permitted by the Services Agreement, or as otherwise expressly agreed to in writing by Customer, Business Associate may use and disclose PHI for data aggregation purposes, however, only in order to analyze data for permitted health care operations of Customer, and only to the extent that such use is permitted under HIPAA.

5. OBLIGATIONS OF BUSINESS ASSOCIATE.

a. Limit on Uses and Disclosures. Business Associate will use and disclose PHI only as permitted by this BAA or as Required By Law. If Customer notifies Business Associate that Customer has agreed to be bound by additional restrictions on the uses or disclosures of PHI pursuant to HIPAA, Business Associate and Customer shall mutually agree on the extent to which Business Associate will be bound by such additional restrictions and Business Associate shall not disclose PHI in violation of such additional mutually agreed upon restrictions.

b. Safeguards. Business Associate will use reasonable and appropriate safeguards to prevent Use or Disclosure of PHI other than as provided for by this BAA, consistent with the requirements of Subpart C of 45 CFR Part 164 (with respect to Electronic PHI) as determined by Business Associate.

c. Reporting of Impermissible Uses and Disclosures. Business Associate will report to Customer any Use or Disclosure of PHI not permitted or required by this BAA of which Business Associate becomes aware.

d. Reporting of Security Incidents. Business Associate will report to Customer no less than fourteen (14) business days from the date Business Associate becomes aware of any Security Incidents involving PHI in which there is a successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an Information System in a manner that risks the confidentiality, integrity, or availability of such information. Notice is hereby deemed provided, and no further notice will be provided, for unsuccessful attempts at such unauthorized access, use, disclosure, modification, or destruction, such as pings and other broadcast attacks on a firewall, denial of service attacks, port scans, unsuccessful login attempts, or interception of encrypted information where the key is not compromised, or any combination of the above.

e. Reporting of Breaches. Business Associate will report to Customer any Breach of Customer’s Unsecured PHI that Business Associate may discover to the extent required by 45 CFR §164.410. Business Associate will make such report without unreasonable delay, and in no case later than four (4) hours after discovery by Business Associate of such Breach. Business Associate undertakes no obligation to report network security related incidents which occur on its managed network but do not directly involve Customer’s use of the  Services.

f. Accounting of Disclosures. Business Associate will make available to Customer the information required to provide an accounting of Disclosures in accordance with 45 CFR §164.528 of which Business Associate is aware, if requested by Customer.

g. Internal Records. Business Associate will make its internal practices, books, and records relating to the Use and Disclosure of PHI available to the Secretary of the U.S. Department of Health and Human Services for purposes of determining Customer compliance with HIPAA. Nothing in this section will waive any applicable privilege or protection, including with respect to trade secrets and confidential commercial information.

6. CUSTOMER’S OBLIGATIONS.

a. Appropriate Use of HIPAA Accounts. At all times, Customer will comply with the Privacy Rules, Security Rules and other applicable laws and regulations. By way of illustration and not limitation, Customer is responsible for implementing appropriate privacy and security safeguards in order to protect PHI in compliance with HIPAA and this BAA and Customer shall not include PHI in any  Services that are not or cannot be HIPAA compliant.

b. Necessary Consents. Customer warrants that it has obtained all necessary authorizations, consents, and other permissions from the Individuals (or their personal representatives), in the form and to the extent required by the Privacy Rules, that may be required under applicable law for Business Associate to use and disclose their PHI in the manner and for the purposes described in this BAA and the Services Agreement. Customer will promptly notify Business Associate of any changes in, or withdrawal of, such written permission provided to Customer by Individuals or their personal representatives, including without limitation revocations of authorizations pursuant to 45 CFR §164.508. Customer will also promptly notify Business Associate of any restrictions to the use and disclosure of PHI that Customer has agreed to in accordance with 45 CFR §164.522, to the extent that such restrictions affect Business Associate’s use or disclosure of PHI.

c. Restrictions on Disclosures. Customer shall not agree to any request for restrictions or place any restrictions in any notice of its privacy practices that would cause Business Associate to violate this BAA, the Services Agreement or any applicable law.

d. Compliance with HIPAA. Customer shall not request or cause Business Associate to make a Use or Disclosure of PHI in a manner that does not comply with this BAA, the Services Agreement, HIPAA or any other applicable law.

e. Privacy Practices. Customer will provide Business Associate with a copy of the notice of privacy practices that it provides to Individuals (or their personal representatives) who are the subject of the PHI.

f. Identity of Users. The  Services include means by which Customer’s Users may be permitted to import, export, review and exchange PHI. Therefore, Customer shall implement and comply with reasonable policies and methods to confirm and verify the actual identity of Users that will be registered to access and use the  Services under its Account.

7. TERM AND TERMINATION.

a. Term. The term of this BAA will commence on the BAA Effective Date and will remain in effect until the termination of the Contract.

b. Effect of Termination. At termination of this BAA, Business Associate, if feasible, will return or destroy all PHI that Business Associate still maintains in its role as Business Associate for the purposes of carrying out the  Services, if any. If return or destruction is not feasible, Business Associate will extend the protections of this BAA to the PHI, limit further uses and disclosures to those purposes that make the return of the PHI infeasible, and make no further use or disclosure of PHI.

c. Account Access. If Customer requests contemporaneously with any termination event or notice, Business Associate will allow Customer to have access to Customer’s Account for a reasonable period of time following termination as necessary for Customer to retrieve or delete any PHI at its then current monthly recurring rate; provided, however, that if the security of Customer’s servers has been compromised, or the Services Agreement was terminated by Customer’s failure to use reasonable security precautions, Business Associate may: (i) provide Customer with restricted access via a dedicated or private link or tunnel to Customer Account or (ii) refuse to allow Customer to have access to Customer’s Account but will use reasonable efforts to copy Service Data onto media Customer provides to Business Associate, and will ship the media to Customer at Customer’s risk and expense. Business Associate’s efforts to copy Service Data onto Customer-supplied media shall be billable as an Additional Service at Business Associate’s then current hourly rates.

d. De-identification. Customer owns all rights, title and interests in and to its Service Data, including, without limitation, PHI. Notwithstanding anything to the contrary herein, Business Associate may de-identify PHI, such that any resulting information does not disclose any individually identifiable information, except in de-identified (in accordance with 45 CFR §164.514(a)-(c)) or aggregated form (combined with other data, results or measurements) (Converted Data). Customer shall own all rights, title and interests in and to such Converted Data.

Upon de-identification (as described in the immediately preceding paragraph), Business Associate shall deliver Converted Data to Customer, and Customer shall own all rights, title, and interests in and to Converted Data, subject to the license granted by Customer and each of its Users to Business Associate hereunder.

Business Associate may use Converted Data under the following license, which is granted by Customer to Business Associate. Customer and each User hereby grants and agrees to grant an exclusive, irrevocable, perpetual, worldwide, royalty-free, right and license: (i) to freely access, copy, store, process, distribute, transmit, display Converted Data; (ii) use and disclose Converted Data for Business Associate’s business purposes; (iii) to copy, store, process and use such Converted Data to develop, improve, extend and test the Platform and  Services; and (iv) to copy, store, process and use Converted Data to design, develop, distribute, commercialize and use Analytics.

Business Associate’s rights and license to use Converted Data shall be exclusive, except that Customer may use Converted Data solely for its internal business purposes. Unless and only to the extent expressly agreed otherwise by Business Associate and Customer in writing, Customer shall not be entitled to any revenue, royalties, or other compensation for Business Associate’s own use or disclosure of such Converted Data.

For the avoidance of doubt, Analytics shall not be understood to be the same as or overlap with Converted Data; Customer owns all rights, title and interests in and to Converted Data, and Business Associate owns and retains all rights, title and interests (including without limitation, patent rights, copyright rights, trade secret rights and trademark rights) in and to the Analytics.

8. MISCELLANEOUS.

a. Amendment. Customer and Business Associate agree to take such action as is reasonably necessary to amend this BAA from time to time as is necessary for either party to comply with the requirements of the Privacy Rule and related laws and regulations.

b. Survival. Customer and Business Associate’s respective rights and obligations under Sections 7(b) – (d) of this BAA shall survive the termination of the Services Agreement.

c. Interpretation. Any ambiguity in the Services Agreement shall be resolved to permit Business Associate and the Customer to comply with HIPAA and the Privacy Rule.

d. Entire Agreement. This BAA constitutes the entire agreement, and supersedes all prior negotiations, understandings or agreements (oral or written), between the parties regarding the subject matter hereof. All notices under this BAA will be in writing and delivered to the parties at their respective addresses as provided in the Services Agreement. Neither party shall be liable for any delay or failure in performing its obligations hereunder that arises out of any cause, condition or circumstance beyond its reasonable control. Nothing in this BAA confers upon any person other than the parties (and their respective successors and permitted assigns) any rights, remedies, obligations or liabilities whatsoever.