Butter.ai Business Associate Amendment

Effective: September 26, 2017

This Business Associate Amendment (this “BAA”) is made and entered into by and between Butter AI Corporation and Customer if and for so long as applicable under the Butter.ai Customer Terms of Service (the “Terms”), and is effective as of the date the Terms are initially accepted by Customer or the date on which this BAA becomes applicable. This BAA is intended to implement the requirements of HIPAA as they relate to the use of the Service by Customer, and support the parties’ compliance requirements thereunder.

Customer must have a valid and existing subscription to use the Service in order for this BAA to be effective, and this BAA shall govern each party’s respective obligations regarding Protected Health Information (as defined below) during the term of Customer’s subscription for the Service.

The parties agree as follows:

Definitions

For purposes of this BAA, any capitalized term not otherwise defined herein will have the meaning given to it in the Terms and/or under HIPAA.

HITECH Act” means the Health Information Technology for Economic and Clinical Health Act enacted in the United States Congress, which is Title XIII of the American Recovery & Reinvestment Act, and the regulations thereunder, as amended.

Protected Health Information” or “PHI” will have the meaning given to it under HIPAA if provided to Butter.ai as Customer Data in connection with Customer’s permitted use of the Service.

Security Rule” means 45 C.F.R., Part 164, Subpart C, under HIPAA.

Applicability

Parties

This BAA applies to the extent Customer is acting as a Covered Entity or Business Associate, to create, receive, maintain or transmit PHI via the Service and where Butter.ai, as a result, is deemed under HIPAA to be acting as a Business Associate of Customer.

Service Scope

This BAA is applicable only to the Service. Butter.ai may expand the scope of the Service. If Butter.ai expands the scope of the Service then this BAA will automatically apply to such additional new functionality and features as of the date the Service is updated, or the date Butter.ai has otherwise provided written communication regarding an update to the scope of the Service to Customer (whichever date is earlier).

Permitted Use and Disclosure

By Butter.ai

Butter.ai may use and disclose PHI only as permitted under HIPAA as specified in the Terms and under this BAA. Butter.ai may also use and disclose PHI for the proper management and administration of Butter.ai’s business and to carry out the legal responsibilities of Butter.ai, provided that any disclosure of PHI for such purpose may only occur if (i) required by applicable law; or (ii) Butter.ai obtains written reasonable assurances from the person to whom PHI will be disclosed that it will be held in confidence, used only for the purpose for which it was disclosed, and that Butter.ai will be notified of any Breach.

By Customer

Customer is responsible for determining if it is a Covered Entity and/or a Business Associate and, if they are, ensuring that they use the Service in compliance with HIPAA. Customer is responsible for fulfilling an individual's right of access, amendment, and accounting in accordance with the requirements under HIPAA.

Customer will not request Butter.ai or the Service to use or disclose PHI in any manner that would not be permissible under HIPAA if done by a Covered Entity itself (unless otherwise expressly permitted under HIPAA for a Business Associate). In connection with Customer’s use and administration of the Service to its Registered Users, Customer is responsible for using the available controls within the Service to support its HIPAA compliance requirements, including enforcing appropriate controls to support Customer’s HIPAA compliance. Customer will not use the Service to create, receive, maintain or transmit PHI in violation of HIPAA requirements. If Customer uses the Service in connection with PHI, Customer will ensure it takes appropriate measures to limit its use of PHI in the Service to the minimum extent necessary for Customer to carry out its authorized use of such PHI. Customer agrees that Butter.ai has no obligation to protect PHI under this BAA to the extent Customer creates, receives, maintains, or transmits such PHI outside of the Service (including Customer’s use of its offline or on-premise storage tools or third party services or applications).

Appropriate Safeguards

Butter.ai and Customer will use appropriate safeguards designed to prevent against unauthorized use or disclosure of PHI, consistent with this BAA, and as otherwise required under the Security Rule, with respect to the Service.

Reporting

Butter.ai will promptly notify Customer following the discovery of a Breach resulting in the unauthorized use or disclosure of PHI in violation of this BAA in the most expedient time possible under the circumstances, consistent with the legitimate needs of applicable law enforcement and applicable laws, and after taking any measures necessary to determine the scope of the Breach and to restore the reasonable integrity of the Service by using commercially reasonable efforts to mitigate any further harmful effects to the extent practicable. Butter.ai will send any applicable Breach notice to the email address for Customer’s account (as indicated in the Service by Customer) or via direct communication with the Customer. For clarity, Customer and not Butter.ai, is responsible for managing whether its Registered Users are authorized to create, receive, maintain or transmit PHI within the Service and Butter.ai will have no obligations relating thereto. Customer is hereby advised that Butter.ai may periodically receive unsuccessful attempts for unauthorized access, use, disclosure, modification or destruction of information or interference from third-parties, as part of the general operation of the Service and, even if such events are defined as a Security Incident under HIPAA, Butter.ai will not provide Customer any additional notice regarding such unsuccessful attempts.

Agents and Subcontractors

Butter.ai will take appropriate measures to ensure that any agents and subcontractors used by Butter.ai to perform its obligations under the Terms that require access to PHI on behalf of Butter.ai are bound by written obligations that provide the same material level of protection for PHI as this BAA. To the extent Butter.ai uses agents and subcontractors in its performance of obligations hereunder, Butter.ai will remain responsible for their performance as if performed by Butter.ai itself under the Terms.

Accounting Rights

Customer shall not use the Service in any manner that would interfere with its obligation to give individuals their rights of access, amendment, and accounting in accordance with the requirements under HIPAA. Customer is responsible for managing its use of the Service to appropriately respond to such individual requests. Butter.ai will reasonably cooperate with Customer to enable Customer to respond to individual requests with respect to any PHI stored within the Service.

Access to Records

To the extent required by law, and subject to applicable attorney client privileges, Butter.ai will make its internal practices, books, and records concerning the use and disclosure of PHI received from Customer, or created or received by Butter.ai on behalf of Customer, available to the Secretary of the U.S. Department of Health and Human Services (the “Secretary”) for the purpose of the Secretary determining compliance with this BAA.

Return/Destruction of Information

Butter.ai agrees that upon termination of Customer’s subscription for the Service, Butter.ai will return or destroy all PHI received from Customer, or created or stored by Butter.ai on behalf of Customer, which Butter.ai still maintains in accordance with its Privacy Policy; provided, however, that if such return or destruction is not feasible, Butter.ai will extend the protections of this BAA to the PHI not returned or destroyed and limit further uses and disclosures to those purposes that make the return or destruction of the PHI infeasible. In the event this BAA is terminated earlier than the underlying Customer subscription for the Service, Customer may continue to use the Service in accordance with the Terms, but must delete any PHI it requests, stores, transmits or has otherwise loaded in the Service and cease to create, receive, maintain or transmit such PHI to Butter.ai or within the Service.

Breach/Cure

Customer may immediately terminate this BAA and its subscription to use the Service upon 10 days written notice to Butter.ai if Butter.ai has materially breached this BAA and such breach is not reasonably capable of being cured.

Term

This BAA will expire upon the earlier of: (i) the expiration or termination of Customer’s subscription for the Service; or (ii) the execution of an updated BAA that supersedes this BAA.

Interpretation

It is the parties’ intent that any ambiguity under this BAA be interpreted consistently with the intent to comply with applicable laws.

Effect of Amendment

Customer and Butter.ai agree that Customer’s acceptance of this BAA, pursuant to the provisions of the Terms, constitutes a written agreement between the parties.