Welcome to the FortressSecure, FortressCloudServices Web site (“Web Site”). Please read the following terms and conditions concerning your use of the FortressCloudServices Web Site. By accessing, creating an account, logging into, using or downloading any materials from the Web Site, you agree to follow and be bound by these notices, terms and conditions (FortressSecure “Terms”). If you are using the services on behalf of an organization, you are agreeing to these Terms for that organization and confirming now to FortressSecure, as well as FortressCloudServices that you have the authority to bind said organization to our Terms and Conditions, (in which event, “you” and “your” will refer to that organization), unless that organization has a separate paid contract in effect with us, in which event the terms of that contract will govern your use of any of our services. You may use the services only in compliance with these Terms and only if you have the power to form a contract with FortressSecure and are not barred under any applicable laws or other contractual obligations from doing so. If you do not agree with these Terms, please do not use our services or our FortressCloudServices Web Site.
Access to and use of this site is subject to the following terms and conditions and all applicable laws. FortressCloudServices is a wholly owned, or may become a majority owned product of FortressSecure Any reference herein to FortressCloudServices is additionally a reference to FortressSecure. All names, logos and marks appearing in this site, except as otherwise noted, are trademarks owned or used under license by, FortressCloudServices or its affiliates. You may download and print a copy of the material displayed on this site for your personal use for noncommercial purposes only (provided you retain all copyright and trademark notices), however, you may not modify, distribute, transmit or sell the contents of this site without the written permission of FortressSecure and or FortressCloudServices Inc. Except as required under applicable state statute in such states that may require it, neither FortressCloudServices nor FortressSecure makes any warranties or representations, express or implied, about the accuracy, timeliness or completeness of this site including without limitation the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. This site may contain technical inaccuracies or typographical errors. Neither FortressCloudServices, FortressSecure, nor any of its affiliates shall be liable for any direct, incidental, consequential, indirect or punitive damages arising out of access to, inability to access, or any use of the content of this site or the content of any site(s) linked to this site, including without limitation any damages to, or viruses that may infect, your computer equipment or other property, even if FortressSecure is expressly advised of the possibility of such damages.
Any unlawful, threatening, libelous, defamatory, obscene, pornographic or profane material or any material that could constitute or encourage conduct that would be considered a criminal offense or violate any law is strictly prohibited. FortressSecure reserves the right to delete, modify or supplement any communications you send to this site or otherwise to FortressSecure and or FortressCloudServices by electronic or other means. Unless otherwise covered by a non-disclosure agreement, FortressCloudServices considers such communications non-proprietary and shall be free to use the content including any ideas, inventions, concepts, techniques or knowhow disclosed therein, for any purpose, including developing, manufacturing and/or the marketing goods or services.
FortressCloudServices does not provide, sell, license, or lease any of the materials other than those specifically identified as being provided by FortressSecure. FortressSecure reserves the right to charge and collect for any and all overages up and above the standard costs for any bandwidth and or usage beyond what has been previously paid or contracted for, including by automatically charging you using credit cards on file with FortressSecureCloud, FortressSecure and/or FortressCloudServices.
FortressCloudServices.com, Fortress-Secure.com and FortressSecure, Inc. shall not be responsible for any errors or omissions contained on our website and reserve the right to make changes to the website at any time without notice. Some product or company names and devices, logos, icons, graphics or designs referred to on FortressCloudServices.com and Fortress-Secure.com are the property of their owners and are exhibited only in such a manner as is intended to be of benefit to their owner or as to present accurate information about their products and or offerings. We intend no infringement of these proprietary rights and make every attempt to present accurate and current information. Please see the intellectual property notice below for information on what to do if you believe your intellectual property is being infringed upon.
To obtain access to FortressCloudServices and or other FortressSecure services, you will be required to obtain an account with FortressSecure and become a registered user (“Registered User”). You will be required to complete our registration to obtain and designate specific user ID and password (or multiple IDs and passwords if for an Enterprise account). Once you have been approved by FortressSecure to become a Registered User, access to our service will be made available. FortressSecure in its’ sole discretion, reserves all rights to limit your access to our service or services at all times. You may be limited to the areas of the service, if any, that FortressSecure makes available to the general public or permits its Business or Enterprise users to access. When submitting registration information to FortressCloudServices you must: (a) provide true, accurate, current and complete information about yourself as requested and stated in our “Service’s registration form”. This Registration Data in many cases will be verified through a third party. (b) You are required to maintain and promptly update your “Registration Data” to keep it accurate, current, true and complete. FortressSecure reserves the right to withdraw any user and or access approval at any time in its sole discretion, with or without cause.
Service account access is provided on an individual basis to a specific individual exclusively. You must keep your account, logon and passwords confidential. You may not authorize any third party to access or use our service on your behalf, unless we provide an approved mechanism for such use or prior written consent. You must notify us immediately if you suspect and fraud, breach, or misuse of your account or any other type of security breach or issue in the service we provide. You are responsible for all activities and all the actions that take place with or within your account. FortressSecure will not be liable for any loss or damage arising from any unauthorized use of your account or accounts.
If a third party such as your “ADMINISTRATOR” provided you your account, that party has rights to your account and maintains the rights to manage your account, reset your password, suspend or cancel your account, view your account’s usage and profile data, including additional restrictions regarding how and when your account is used, as well as read or store content in your assigned account. If you are an individual Registered User of our Service, and the domain of the primary email address associated with your account is owned by an organization and was assigned to you as an employee, contractor, independent contractor or member of such organization, and that organization establishes an “Enterprise” relationship with us and adds your account to their relationship with FortressCloudServices and or FortressSecure, then, if you do not change the email address associated with your account, your account in most cases WILL be subject to the “Enterprise” relationship between FortressCloudServices and or FortressSecure and that organization and controlled by that organization and or entity.
By registering with FortressCloudServices and or FortressSecure, you understand and you herby agree to accept any and all communications or data we may send from time to time regarding our services, including but not limited to (a) notices about your use of the services, including any notices concerning violations of use, (b) updates, and (c) promotional information and materials regarding FortressCloudServices and or FortressSecure products and or services, via electronic mail.
Use Restrictions and Indemnification
Any technology and or software that may be made available to download from this or any other FortressSecure, Fortress-Secure, FortressCloudServices Web Site is the proprietary work of FortressSecure. Use of any FortressSecure and FortressCloudServices technology and or software is governed by the terms of our user license agreement. An end user agrees to the License Agreement terms by installing, copying, or using any technology and or software that may be made available through FortressSecure and or FortressCloudServices. The technology is made available solely for use by end users according to the License Agreement.
FORTRESSSECURE PRODUCTS ARE WARRANTED, IF AT ALL, ONLY ACCORDING TO THE TERMS OF THE LICENSE AGREEMENT. EXCEPT AS MAY BE EXPRESSLY WARRANTED IN THE LICENSE AGREEMENT. FORTRESSSECURE HEREBY DISCLAIMS ALL EXPRESS OR IMPLIED REPRESENTATIONS, WARRANTIES, GUARANTIES, AND CONDITIONS WITH REGARD TO THE USE OF OUR TECHNOLOGY, INCLUDING BUT NOT LIMITED TO ANY IMPLIED REPRESENTATIONS, WARRANTIES, GUARANTIES, AND CONDITIONS OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NON-INFRINGEMENT, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID.
Any of our technology for or on behalf of the United States of America, its agencies and/or instrumentalities (“U.S. Government”), is provided with Restricted Rights. Use, duplication, or disclosure by the U.S. Government is subject to restrictions as set forth in subparagraph ((c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 or subparagraphs ((c)(1) and (2) of the Commercial Computer Software – Restricted Rights at 48 CFR 52.227-19, as applicable. Except where expressly disclosed by FortressSecure, any and all comments and, feedback, submitted to FortressCloudServices and or FortressSecure through or in association with ANY FortressSecure and or FortressCloudServices Web Site or other submissions and communications intended to be received by FortressSecure or any public posting on any Registered User forum or message board (“ANY Submissions”) shall be considered non-confidential and FortressSecure property. By providing such Submissions to FortressSecure, you agree to assign to FortressSecure, at no charge, all worldwide rights, title and interest in copyrights and other intellectual property rights to the Submissions. FortressSecure shall be free to use and/or disseminate such Submissions on an unrestricted basis for any purpose. You acknowledge that you are responsible for the Submissions that you provide, and that you, not FortressSecure, have full responsibility for the Submissions, including their legality, reliability, appropriateness, originality and copyright. You further acknowledge that you are responsible for any other information (whether confidential or otherwise) that you store through the FortressCloudServices Web Site and retain full responsibility for such information, including its legality, reliability, appropriateness, originality and copyright.
EXCEPT WHERE EXPRESSLY PROVIDED OTHERWISE BY FORTRESSSECURE, THE MATERIALS ON THE WEB SITE ARE PROVIDED “AS IS” AND FORTRESSSECURE HEREBY DISCLAIMS ALL EXPRESS OR IMPLIED REPRESENTATIONS, WARRANTIES, GUARANTIES, AND CONDITIONS, INCLUDING BUT NOT LIMITED TO ANY IMPLIED WARRANTIES OR CONDITIONS OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NON-INFRINGEMENT, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. FORTRESSSECURE MAKES NO REPRESENTATIONS, WARRANTIES, GUARANTIES, OR CONDITIONS AS TO THE QUALITY, SUITABILITY, TRUTH, ACCURACY, OR COMPLETENESS OF ANY OF THE MATERIALS CONTAINED ON THE WEB SITE.
You agree to (a) hold FortressSecure and its officers, directors, members, shareholders, subcontractors, agents and advisors, and their respective successors and assigns, harmless from any and all claims and damages arising out of its enforcement of any provision of this policy, and (b) indemnify, defend and hold harmless FortressSecure and its officers, directors, members, shareholders, subcontractors, agents and advisors, and their respective successors and assigns, from any and all claims and damages arising out of your use of the Web Site or any alleged breach of this policy.
Limitation of Liability
ALL LIABILITY OF FORTRESSSECURE, ITS DIRECTORS, EMPLOYEES, AGENTS, REPRESENTATIVES, PARTNERS, SUPPLIERS OR CONTENT PROVIDERS HOWSOEVER ARISING FOR ANY LOSS SUFFERED AS A RESULT OF YOUR USE OF OUR WEB SITE, SERVICES, CONTENT AND/OR USER SUBMISSIONS IS EXPRESSLY EXCLUDED TO THE FULLEST EXTENT PERMITTED BY LAW.
TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, FORTRESSSECURE SHALL NOT BE LIABLE FOR ANY DAMAGES SUFFERED AS A RESULT OF USING, MODIFYING, CONTRIBUTING, COPYING, DISTRIBUTING, OR DOWNLOADING THE MATERIALS. IN NO EVENT SHALL FORTRESSSECURE BE LIABLE FOR ANY INDIRECT, PUNITIVE, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGE (INCLUDING BUT NOT LIMITED TO LOSS OF BUSINESS, REVENUE, PROFITS, USE, DATA OR OTHER ECONOMIC ADVANTAGE), HOWEVER IT ARISES, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION,OR OTHERWISE RESULTING FROM: (A) THE USE OF, OR THE INABILITY TO USE, OUR SERVICES, CONTENT AND/OR USER SUBMISSIONS, (B) THE COST OF PROCUREMENT OF SUBSTITUTE SERVICES AND/OR GOODS, (C) UNAUTHORIZED ACCESS TO OR ALTERATION OF YOUR TRANSMISSIONS OR DATA, (D) THE STATEMENTS OR CONDUCT OF ANY THIRD PARTY ON OUR SERVICES AND/OR WEB SITE, (E) RELIANCE ON CONTENT, USER SUBMISSIONS AND/OR OTHER SUBMISSIONS ON OUR SERVICES AND/OR WEB SITE, OR (F) ANY OTHER MATTER RELATING TO OUR SERVICES, CONTENT, THE USER SUBMISSIONS AND/OR OUR WEB SITE. YOU HAVE SOLE RESPONSIBILITY FOR THE ADEQUATE PROTECTION AND BACKUP OF DATA AND/OR EQUIPMENT USED IN CONNECTION WITH THE WEB SITE AND YOU WILL NOT MAKE A CLAIM AGAINST FORTRESSSECURE FOR LOST DATA, RE-RUN TIME, INACCURATE OUTPUT, WORK DELAYS, OR LOST PROFITS RESULTING FROM THE USE OF THE MATERIALS. YOU AGREE TO HOLD FORTRESSSECURE HARMLESS FROM, AND YOU COVENANT NOT TO SUE FORTRESSSECURE FOR, ANY CLAIMS BASED ON OR RELATED TO THE USE OF THE WEB SITE. THESE LIMITATIONS WILL APPLY WHETHER OR NOT WE HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES AND NOTWITHSTANDING ANY FAILURE OF ESSENTIAL PURPOSE OF ANY LIMITED REMEDY. EXCEPT AS REQUIRED BY THE INDEMNITY PROVISIONS HEREIN, IN NO EVENT WILL OUR DIRECT LIABILITY HEREUNDER EXCEED ONE HUNDRED US DOLLARS ($100.00).
SOME JURISDICTIONS DO NOT ALLOW THE LIMITATION OR EXCLUSION OF LIABILITY FOR INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, EXEMPLARY OR PUNITIVE DAMAGES, SO SOME OF THE ABOVE LIMITATIONS MAY NOT APPLY TO YOU.
Local Laws; Export Control
FortressSecure controls and operates this Web Site from various locations in the United States of America and makes no representation that these Materials are appropriate or available for use in other countries and or locations. If you use this Web Site from other locations, you are responsible for compliance with applicable local laws including but not limited to the export and import regulations of other countries. Unless otherwise explicitly stated, all marketing or promotional materials found on this Web Site are solely directed to individuals, companies or other entities located in the United States of America. You acknowledge and agree that Materials are subject to the U.S. Export Administration Laws and Regulations. Diversion of such Materials contrary to U.S. law is prohibited. You agree that none of the Materials, nor any direct product therefrom, is being or will be acquired for, shipped, transferred, or re-exported, directly or indirectly, to proscribed or embargoed countries or their nationals, nor be used for nuclear activities, chemical biological weapons, or missile projects unless authorized by the U.S. Government. Proscribed countries are set forth in the U.S. Export Administration Regulations. Countries subject to U.S. embargo are: Cuba, Iran, Iraq, North Korea, Syria, and the Sudan. This list is subject to change without further notice from FortressSecure, and you must comply with the list as it exists in fact. You certify that you are not on the U.S. Department of Commerce’s Denied Persons List or affiliated lists or on the U.S. Department of Treasury’s Specially Designated Nationals List. You agree to comply strictly with all U.S. export laws and assume sole responsibility for obtaining licenses to export or re-export as may be required. Export The Services cannot be exported or re-exported into (or to a national or resident of): (a) Taliban controlled Afghanistan, Cuba, Iran, Iraq, Libya, North Korea, Sudan, Syria, or any other country to which the U.S. has embargoed goods; and/or; to anyone on the U.S. Treasury Department’s list of Specially Designated Nationals, the U.S. Commerce Department’s Entity List, or the U.S. Commerce Department’s Denied Parties list. Distributor warrants to Supplier that Distributor is not located in, under the control of, or a national or resident of any country described above nor a party named on any list described above and shall not export Services to nationals or residents subject to U.S. embargo.
Intellectual Property Notice
Portions of this Web Site are protected by trade and other laws and may not be copied or imitated in whole or in part. No logo, graphic, sound or image from this site may be copied or retransmitted unless expressly permitted by FortressSecure. FortressCloudServices, and or FortressSecureCloud, FortressSecure logo, or the login screen, and other FortressSecure product names referenced herein are copyrights of FortressSecure and/or one of its subsidiaries, and may or may not be registered in the United States Patent and Trademark Office and in other countries. All other product names, company names, marks, logos, and symbols are trademarks of their respective owners, including any applicable Third-Party Providers. respects and adheres to the intellectual property rights of others. FortressSecure may, in some circumstances and at its sole discretion, terminate the access of users who infringe the copyrights or intellectual property rights of others. In this case no refund will be issued and our 100% money back guarantee will not apply. If for any reason you believe your work has been copied and is accessible from or through our web site in a way that constitutes copyright infringement, or that our web site contains links or other references to another online location that contains material or activity that infringes your copyright, please notify us immediately by providing our company the information required at firstname.lastname@example.org by the U.S. Online Copyright Infringement Liability Limitation Act of the U.S. Digital Millennium Copyright Act, 17 U.S.C. §512.
Payments and Refunds
The fees applicable for Service (“Fees”) are available by visiting the FortressCloudServices and Fortress-secure website and are published on a continual basis within our service or services. The pricing as listed for services we provide excludes any and all taxes and charges, unless otherwise clearly stated and defined. Registered users or their firms are fully responsible for any taxes as well as any and all other charges. Registered users will be required to pay the Fees in conjunction with your account. FortressSecure reserves the right to change any quoted pricing at any time with or without notice.
In addition to any Fees, additional incidental charges may still be incurred by using our service. Some of these charges may be, but not limited to, some of the following reasons; internet access, data roaming, other data transmission fees or surcharges. FortressSecure its affiliates and subsidiaries are not responsible for any charges incurred by you from any third party in using the Web Site, including any fees incurred for data transfer and usage. When supplying any and all payment information to FortressSecure and or Fortress-Secure it is required that you are authorized to use the payment method that you enter when you create a single or multiple billing accounts. You herby authorize FortressSecure and or Fortess-Secure to process charges for the our services using your payment method and for any paid feature and or overage of the service that you choose to sign up for or use while these Terms are in force. We reserve the right to bill: (a) in advance; (b) at the time of purchase; (c) shortly after purchase; and or (d) on a recurring basis for subscription Services. You may be charged you up to the amount you’ve approved, as well as any published increase that may occur upon 14 day written notice. Our intent is to notify you in advance of the difference for recurring subscription Services but reserve the right to process any and all increases. In some instances we may elect to bill you simultaneously for multiple billing cycles or periods. Our services automatically renew and we may automatically renew your Service and charge you for any renewal term.
You must keep all information in your billing account current. You can access and modify your account information using the Admin Panel. You may change your payment method at any time. If you tell us to stop using your payment method and we no longer receive payment from you for our service, we may cancel that Service. Your notice to us will not affect charges we submit to your billing account before we reasonably could act on your request. You may be notified through the email address you have most recently provided to us if we change the price of the Service we provide you. If there’s a specific length and price for your Service offer, that price will remain in force for that time. After the offer period ends, your use of the service will be charged at the new price regardless of an increase or decrease in cost. If your Service is on a specified period basis (for example, monthly) with no specific length, we will in most cases notify you of any price change and we will in most cases attempt to do so at least 30 days in advance. If you don’t agree to these changes, you must cancel and stop using the Service via a phone call (408) 360-9960 receive a cancellation confirmation from a FortressSecure representative. You must do so later than ten (10) business days prior to the conclusion of your current payment term, whether monthly, yearly, or otherwise. If you cancel, your service ends at the end of your current service period. In the cases where we bill your account on a period basis services will end at the end of the period in which you canceled.
Should you fail to cancel as required when you wish to end your access to the Web Site and services, we will automatically renew the service for the same term and will charge you according to the payment information and terms on file with us commencing on the first day of the renewal term. Payments for all single-seat accounts, and Business or Enterprise accounts registered to pay via credit card, are due the date the invoice is posted on your account. All Business or Enterprise accounts registered to pay via check, wire-transfer, or Automated Clearing House (ACH), are due within thirty (30) days of billing date unless otherwise agreed-to by the parties in writing at the time of contract. Each user/organization is subscribing for a predetermined amount of storage space. In the event of an over use of data storage, the User/Administrator will be contacted and be given the opportunity to reduce the amount of storage utilized. Should the User/Administrator desire to continue to utilize the overage in storage, an additional fee will be charged from that point forward.
Notwithstanding the foregoing, the last day of ANY free trial signifies the due date of the first payment. If payment is not received by FortressSecure on the due date, your user account or accounts will be frozen, inaccessible, and all shared links will be interrupted until all outstanding payments have been processed and received by FortressSecure. It remains your responsibility for settling all outstanding balances in a timely manner and maintaining updated billing and or payment information. Should you not comply, cancel your service, or a balance remains unpaid, at the end of 90 days, your user ID and/or account will be deactivated and all files stored within will no longer be retrievable and will be lost forever.
Unless we notify you otherwise, if you’re participating in any trial period offer, you must cancel the Service by the end of the trial period to avoid incurring new charges. If you do not cancel your Service and we have told you the Service will convert to a paid subscription at the end of the trial period, you authorize us to charge your payment method for the Service. Except as specifically set forth in this section, all Services are prepaid for the period selected (monthly, yearly or otherwise) and are non-refundable. This includes accounts that are renewed. If you are currently on a free trial of any type you may cancel or downgrade your account free of charge at any time until seven (7) days after your account was created. The day of creation constitutes and is considered to be the first day of any trial period.
If you are a Registered User, Business, or on some type of legacy plan you will not be nor are you eligible to receive a refund for your most recent or any previous billing. All cancellations and downgrades are processed automatically. To cancel or downgrade, please call customer service at 408-360-9960.
Except as prohibited by law late charges will be assessed should you not pay an invoice when due. It is required that you pay these late charges when billed for them. The late charge will be the lesser of 1.5 percent of the unpaid amount each month or the maximum rate permitted by law. We may use a third party to collect past due amounts. You must pay for all reasonable costs we incur to collect any past due amounts, including reasonable attorneys’ fees and other legal fees and costs. We may suspend or cancel your Service if you fail to pay in full on time, if you pay habitually late, or for any other reason we deem necessary.
HIPAA Business Associate Agreement
THIS BUSINESS ASSOCIATE AGREEMENT (this “Agreement”) is entered into, and effective as of the date of the acceptance of your firm’s FortressCloudServices Subscription, (the “Effective Date”) by and between your Organization, as named within FortressCloudServices (“Covered Entity”) and FortressSecure, DBA FortressCloudServices, (“Business Associate”), each individually a “Party” and collectively, the “Parties.”
The purpose of this Agreement is to comply with the requirements of (i) the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and the associated regulations, as may be amended; (ii) the HIPAA Privacy Rule codified at 45 C.F.R. Parts 160 and 164, Subparts A and E, as may be amended; (iii) the HIPAA Security Rule codified at 45 C.F.R. Part 160 and 164, Subpart C, as may be amended; (iv) the Breach Notification Rule codified at 45 C.F.R. Part 164, Subpart D, as may be amended; (v) the Enforcement Rule codified at 45 C.F.R. Part 160, Subparts C and D, as may be amended; (vi) the Health Information Technology for Economic and Clinical Health Act, Title XIII of the American Recovery and Reinvestment Act of 2009 (the “HITECH Act”); and (vii) the HIPAA Omnibus Final Rule published in the Federal Register at 78 Fed. Reg. 5566 (January 25, 2013), and effective on March 26, 2013; and (viii) the final regulations concerning standard transactions and code sets codified at 45 C.F.R. Parts 160 and 162 (“Electronic Transaction Rule”). The HITECH Act provides further protection for the privacy and security of Protected Health Information (“PHI”) used and disclosed through health information technology. The Privacy, Security, Breach Notification and Enforcement Rules are collectively referred to herein as the “HIPAA Rules.” Unless otherwise defined in this Agreement, capitalized terms have the meanings given in the HIPAA Rules and the HITECH Act, and the Electronic Transactions Rule.
In consideration of the Parties’ new or continuing obligations under the Underlying Agreement and other good and valuable consideration, the receipt and sufficiency is hereby acknowledged, the Parties agree to comply with the requirements of the HIPAA Rules and HITECH Act as follows:
- Services: Covered Entity and Business Associate have entered into an agreement (the “Underlying Agreement”) under which Business Associate may create, receive, use, maintain or transmit PHI from or on behalf of Covered Entity in the course of providing certain services (the “Services”) for Covered Entity. The Underlying Agreement is incorporated herein by this reference. In the event of a conflict between the terms of the Underlying Agreement and this Agreement, this Agreement shall control with regard to the HIPAA Rules.
- Permitted Uses and Disclosures: Business Associate may use and/or disclose PHI only as permitted or required by this Agreement, or as otherwise required by law. Business Associate may disclose PHI to, and permit the use of PHI by, its employees, contractors, agents, or other representatives only to the extent directly related to and necessary for the performance of the Services. Business Associate shall make uses and disclosures, and requests for PHI from Covered Entity, only in a manner consistent with HIPAA’s minimum necessary requirements, and use or disclose no more than the minimum PHI necessary to perform the Services. Business Associate shall not use or disclose PHI in a manner (i) inconsistent with Covered Entity’s obligations under the HIPAA Rules or the HITECH Act, or (ii) that would violate the HIPAA Rules or the HITECH Act if disclosed or used in such a manner by Covered Entity. Business Associate may use PHI for the proper management and administration of Business Associate’s business and to carry out its legal responsibilities in accordance with 45 C.F.R. § 164.504(e)(4).
- Safeguards for the Protection of PHI: Business Associate shall conduct a risk assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of Electronic Protected Health Information (“Electronic PHI”) held by Covered Entity. Business Associate shall comply with the HIPAA Security Rule codified at 45 C.F.R. Part 160 and 164, Subpart C, as may be amended, and with the applicable provisions of the HIPAA Privacy Rule codified at 45 C.F.R. Parts 160 and 164, Subparts A and E, as may be amended, to the extent Business Associate is to carry out any of Covered Entity’s obligations under the Privacy Rule.
- Reporting and Mitigating the Effect of Unauthorized Uses and Disclosures: If Business Associate has knowledge of any use or disclosure of PHI not provided for by this Agreement, then Business Associate shall promptly notify Covered Entity in the manner set forth in Section 13. Business Associate shall establish and implement procedures and other reasonable efforts for mitigating, to the extent possible, any harmful effects arising from any improper use and/or disclosure of PHI of which it becomes aware. Furthermore, in the event Business Associate becomes aware of a Security incident involving PHI, by itself or any of its agents or subcontractors, Business Associate shall notify Covered Entity in writing within ten (10) calendar days, of such Security incident. Business Associate shall identify: (i) the date of the Security incident; (ii) the scope of the Security incident; (iii) the Business Associate’s response to the Security incident; and (iv) the party responsible for the Security incident, if known. Covered Entity and Business Associate agree to act together in good faith to take reasonable steps to investigate and mitigate any harm caused by such unauthorized use or Security incident. For these purposes, a “Security incident” shall mean the successful unauthorized access, use, disclosure, modification or destruction of information or interference with system operations in an information system.
- Data Breach Notification and Mitigation: Business Associate agrees to promptly notify Covered Entity of any “Breach” of “Unsecured PHI” as those terms are defined by 45 C.F.R. § 164.402 (hereinafter a “Data Breach”). The Parties acknowledge and agree that 45 C.F.R. § 164.404, as described below in this Section, governs the determination of the date of a Data Breach. Business Associate shall, following the discovery of a Data Breach, promptly notify Covered Entity and in no event later than ten (10) calendar days after Business Associate discovers such Data Breach, unless Business Associate is prevented from doing so by 45 C.F.R. § 164.412 concerning law enforcement investigations. For purposes of reporting a Data Breach to Covered Entity, the discovery of a Data Breach shall occur as of the first day on which such Data Breach is known to Business Associate or, by exercising reasonable diligence, would have been known to Business Associate. Business Associate shall be considered to have had knowledge of a Data Breach if the Data Breach is known, or by exercising reasonable diligence would have been known, to any person (other than the person committing the Data Breach) who is an employee, officer or other agent of Business Associate. No later than ten (10) calendar days following discovery of a Data Breach, Business Associate shall provide Covered Entity with sufficient information to permit Covered Entity to comply with the Data Breach notification requirements set forth at 45 C.F.R. § 164.400, et seq. Following a Data Breach, Business Associate shall have a continuing duty to inform Covered Entity of new information learned by Business Associate regarding the Data Breach, including but not limited to the information described in the Breach Notification Rule.
- Use and Disclosure of PHI by Subcontractors, Agents, and Representatives: Business Associate shall require any subcontractor, agent, or other representative that is authorized to create, receive, maintain, or transmit PHI on behalf of Business Associate to execute a business associate agreement to agree in writing to the same terms set forth herein. Business Associate shall terminate its business associate agreement with any subcontractor, agent or other representative if such subcontractor, agent or representative fails to abide by any material term of such agreement.
- Individual Rights: Business Associate shall comply with the following Individual rights requirements as applicable to PHI used or maintained by Business Associate:
7.1 Right of Access: Business Associate agrees to provide access to PHI maintained by Business Associate in a Designated Record Set, at the request of Covered Entity or as directed by Covered Entity, to an individual in order to meet the requirements under 45 C.F.R. § 164.524. Such access shall be provided by Business Associate in the time and manner designated by Covered Entity, including, where applicable, access by electronic means pursuant to Section 13405(e) of the HITECH Act.
7.2 Right of Amendment: Business Associate agrees to make any amendment(s) to PHI maintained by Business Associate in a Designated Record Set that Covered Entity directs or agrees to, pursuant to 45 C.F.R. § 164.526, in the time frame and manner designated by Covered Entity.
7.3 Right to Accounting of Disclosures: Business Associate agrees to document such disclosures of PHI as would be required for Covered Entity to respond to a request by an individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. §164.528. Business Associate agrees to provide to Covered Entity or an individual, in the time frame and manner designated by Covered Entity, such information collected by Business Associate in order to permit Covered Entity to respond to a request by an individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528, as amended by Section 13405(c) of the HITECH Act and any related regulations or guidance issued by the U.S. Department of Health and Human Services (“HHS”) in accordance with such provision.
7.4 No Waiver of Privilege: Notwithstanding Sections 7.1, 7.2, and 7.3 above, Business Associate shall not permit access to any record if such access would violate Business Associate’s ethical responsibilities, work-product privilege, or the attorney-client privilege. To the maximum extent permitted by law, Covered Entity hereby reserves and retains any and all attorney-client or other privileges in which Covered Entity has an interest with respect to Business Associate’s performance of its obligations under the section. The parties acknowledge that Covered Entity retains the right to waive its attorney-client privilege with regard to its own records and to expressly instruct Business Associate to provide access to those records as a result of that waiver. In the event Covered Entity decides to waive its attorney-client privilege, Covered Entity shall provide Business Associate with written notice of that waiver before Business Associate shall act on such decision.
- Ownership of PHI: Covered Entity holds all right, title and interest in and to any and all PHI received by Business Associate from, or created or received by Business Associate on behalf of, Covered Entity, and Business Associate does not hold, and shall not acquire by virtue of this Agreement or by virtue of providing any services or goods to Covered Entity in the course of fulfilling its obligations pursuant to this Agreement, any right, title or interest in or to such PHI. Except as specified in this Agreement, Business Associate shall have no right to compile or distribute any statistical analysis or report utilizing such PHI derived from such PHI, any aggregate information derived from such PHI, or any other health and medical information obtained from Covered Entity.
- Off-shoring: Business Associate shall not transfer PHI outside the United States without the prior written consent of Covered Entity. In this context, a “transfer outside the United States” occurs if Business Associate’s workforce members, agents or subcontractors physically located outside the United States are able to access, use, or disclose PHI.
- Prohibition on Sale of PHI: Business Associate shall not sell PHI or receive any remuneration, direct or indirect, in exchange for PHI, except as expressly permitted by this Agreement and the Underlying Agreement.
- Inspection of Books and Records: If Business Associate receives a request, made by or on behalf of HHS requiring Business Associate to make available its internal practices, books, and records relating to the use and disclosure of PHI to HHS for the purpose of determining compliance of Covered Entity with the Privacy Standards or the Security Standards, then Business Associate shall promptly notify Covered Entity of such request, unless otherwise prohibited by law. Except as otherwise set forth below, Business Associate shall make its books and records relating to the use and disclosure of PHI by Covered Entity available to HHS and its authorized representatives for purposes of determining compliance of Covered Entity with the Privacy Standards and Security Standards.
To the maximum extent permitted by law, Covered Entity hereby reserves and retains any and all attorney-client or other privileges in which Covered Entity has an interest with respect to Business Associate’s performance of its obligations under this Section 11. Business Associate, to the maximum extent permitted by law, hereby reserves and retains any and all work product or other privileges or rights. This Section 11 shall not be construed to require Business Associate to disclose or produce communications subject to the attorney-client, work-product, or other privileges or rights with respect to materials that analyze, evaluate or discuss the legal implication of PHI. Notwithstanding the foregoing, in no event shall Business Associate delay complying with a request of HHS or its authorized representatives if such delay appears reasonably likely to result in any penalty, fine, or other liability being levied or imposed upon Covered Entity and if Covered Entity has instructed Business Associate in writing to disclose the information requested by HHS or its authorized representative. The Parties acknowledge that Covered Entity retains the right to: (i) waive the attorney-client privilege with regard to books and records, and (ii) expressly instruct Business Associate to provide HHS and its authorized representatives with such books and records in the event of such waiver.
- Term and Termination
12.1 Term: This Agreement shall commence on the Effective Date and end with the termination of the Underlying Agreement unless terminated sooner pursuant to Section 12.2 or Section 12.3.
12.2 Termination by Covered Entity: If Covered Entity determines that Business Associate has breached a material term of this Agreement, Covered Entity shall notify Business Associate of such breach and Business Associate shall have thirty (30) calendar days to cure such breach. In the event Business Associate does not cure the breach, or cure is infeasible, Covered Entity shall have the right to immediately terminate this Agreement and the Underlying Agreement.
12.3 Termination by Business Associate: If Business Associate determines that Covered Entity has breached a material term of this Agreement, Business Associate shall notify Covered Entity of such breach and Covered Entity shall have thirty (30) calendar days to cure such breach. In the event Covered Entity does not cure the breach, or cure is infeasible, Business Associate shall have the right to immediately terminate this Agreement and the Underlying Agreement, subject to applicable professional ethical rules of the State of California.
12.4 Effect of Termination: Upon termination of this Agreement, Business Associate shall recover any PHI relating to this Agreement in possession of Business Associate and its subcontractors, agents, or representatives. Business Associate shall return to Covered Entity or destroy all such PHI in its possession, and shall retain no copies. If Business Associate believes that it is not feasible to return or destroy the PHI as described above, Business Associate shall notify Covered Entity in writing. The notification shall include: (i) a written statement that Business Associate has determined that it is infeasible to return or destroy the PHI in its possession, and (ii) the specific reasons for such determination. If the Parties agree that Business Associate cannot feasibly return or destroy the PHI, Business Associate shall ensure that any and all protections, requirements and restrictions contained in this Agreement shall be extended to any PHI retained after the termination of this Agreement, and that any further uses and/or disclosures shall be limited to the purposes that make the return or destruction of the PHI infeasible. Business Associate further agrees to comply with other applicable state or federal law, which may require a specific period of retention, redaction, or other treatment of such PHI.
- Notices: Any and all notices and other communications required or permitted to be given under this Agreement shall be: (a) delivered by personal delivery, provided the person to whom delivered signs a receipt; (b) delivered by commercial courier such as Federal Express, provided the person to whom delivered signs a receipt or the commercial courier can verify delivery; (c) sent by overnight U.S. express mail, provided the postal service can verify delivery; (d) sent by registered or certified mail, postage prepaid, provided delivery is actually made; or (e) sent by facsimile, provided the person that sent the notice can verify delivery. All notices shall be sent to the following addresses or to such other addresses as shall be furnished by notice to the other party in accordance with the provisions of this Section 13:
If to Covered Entity: Billing Address as provided within FortressCloudServices
Attention: Admin as provided within FortressCloudServices
If to Business Associate:
6300 San Ignacio Avenue
San Jose, CA 95119
Attention: Security Officer
14.1 Survival: The respective rights and obligations of the Parties under Section 11 (Inspection of Books and Records), Section 12.4 (Effect of Termination), and Section 14 (Miscellaneous) shall survive termination of this Agreement indefinitely, and those other provisions of this Agreement that apply to rights or obligation of a Party, which continue or arise upon or after the termination of this Agreement shall survive the termination this Agreement to the extent necessary to enforce such rights and obligations and to otherwise effectuate such provisions.
14.2 State and Federal Law: In addition to HIPAA and the HITECH Act, Business Associate shall comply with all applicable state and federal security and privacy laws.
14.3 Regulatory References: A citation in this Agreement to the Code of Federal Regulations shall mean the cited section as that section may be amended from time to time.
14.4 Amendment: This Agreement may be amended or modified only in a writing signed by the Parties. The Parties agree that they shall negotiate amendments to this Agreement to conform to any changes in the HIPAA Rules as are necessary for Covered Entity to comply with the current requirements of the HIPAA Rules. In addition, in the event that either Party believes in good faith that any provision of this Agreement fails to comply with the then-current requirements of the HIPAA Rules or any other applicable legislation, then such Party shall notify the other Party of its belief in writing. For a period of up to thirty (30) calendar days, the Parties shall address in good faith such concern and amend the terms of this Agreement, if necessary to bring it into compliance. If, after such thirty-day period, the Agreement fails to comply with the HIPAA Rules, then either Party has the right to terminate this Agreement and the Underlying Agreement upon written notice to the other Party.
14.5 Interpretation: Any ambiguity in this Agreement shall be interpreted to permit compliance with the HIPAA Rules and HITECH Act.
14.6 Governing Law; Venue: All actions commenced to enforce or interpret this Agreement shall be brought in the federal or state courts in the county where the Business Associate rendered the services pursuant to this Agreement. Neither party may assert or be entitled to relief on a claim of forum non conveniens as to a court of competent jurisdiction located in said county.
14.7 No Third Party Beneficiaries: Nothing express or implied in this Agreement is intended to confer, nor shall anything herein confer, upon any person other than the Parties and the respective successors and permitted assigns of the Parties, any rights, remedies, obligations, or liabilities whatsoever.
14.8 Severability: In the event any provision of this Agreement is held to be unenforceable for any reason, such unenforceability shall not affect the remainder of this Agreement, which shall remain in full force and effect.
14.9 Assignment: Neither Party may assign this Agreement without the prior written consent of the other.
14.10 Attorney’s Fees and Costs: Should legal action be required to enforce the terms of this Agreement, the prevailing Party will be entitled to receive from the other Party all costs incurred in connection with such action, including reasonable attorney, legal assistant, investigator, and other paralegal and clerical fees and costs, including such costs and fees on appeal, if any.
14.11 Binding Effect: The provisions of this Agreement shall be binding upon and shall inure to the benefit of the Parties and their respective heirs, executors, administrators, legal representatives, successors and assigns.
14.12 Counterparts: This Agreement may be executed in counterparts, each of which will constitute an original and all of which will be one and the same document.