Archer Analysis Unlimited (AAU) – SOFTWARE TERMS OF SERVICE

(for Archer Analysis Unlimited v 7.0 and later)

Terms last updated May 24, 2022. 

These AAU Software Terms of Service (“Terms”) are entered into between the entity listed on the Order Form (“Client”) and Invitae Corporation, together with its subsidiaries and affiliates, (“Company” or “Invitae”), as of the date of Order Form (as defined below) execution (or, if earlier, the date Client first uses the Application as defined below). These Terms govern any access to and use of Company’s online software-as-a-service solutions made available by Company through a website or online portal owned or controlled by Company (“Site”). These Terms set out Client’s payment obligations (if any) for use of the Application(s), limit Company’s liability and obligations to Client, set out rules for Client’s use of the Application(s), grant Company certain rights in Client Data (as defined below) and allow Company to change, suspend or terminate Client’s access to and use of the Application(s) under certain circumstances. These Terms are subject to modification from time to time as described below.

If Client has submitted or entered into one or more of Company’s service agreement forms, registration forms or other ordering documents with the Company, whether online, in written form or otherwise (each an “Order Form”), specifying various details about Client’s subscription or access to one or more Applications, such as pricing, usage parameters and/or other applicable terms, such Order Form shall be incorporated into these Terms by reference and shall apply to Client’s use of the Application(s) hereunder. Any applicable terms stated or linked to where Client signs up or registers for an Application on the applicable Site shall be deemed part of these Terms. The terms and conditions of these Terms shall take precedence over the terms and conditions of any Order Form, including terms added by Client, and to the extent of any conflict, these Terms, rather than the Order Form, shall govern and apply, except to the extent any Order Form expressly states that the Order Form terms shall take precedence over these Terms (in which case such Order Form terms shall apply solely for purposes of that Order Form).

THE PERSON ACCEPTING THESE TERMS ON BEHALF OF A BUSINESS OR A LEGAL ENTITY (AS CLIENT HEREUNDER), WHETHER PURSUANT TO EXECUTION OF ANY ORDER FORM OR USE OF ANY APPLICATION, HEREBY REPRESENTS AND WARRANTS THAT SUCH PERSON  HAS THE AUTHORITY TO BIND THAT BUSINESS OR LEGAL ENTITY TO THESE TERMS AND THAT SUCH PERSON’S AGREEMENT TO THESE TERMS WILL BE TREATED AS THE AGREEMENT OF THE BUSINESS OR LEGAL ENTITY.  FOR THE AVOIDANCE OF DOUBT, “CLIENT” REFERS HEREIN TO THAT BUSINESS OR LEGAL ENTITY.

Section 1.
SERVICES 

1.1 Services Overview.  Invitae offers a suite of cloud-based software services related to medical genetics and related professional services. “Services” means the specific SaaS Services (as defined below) and any Professional Services  set forth in one or more Order Forms. 

1.2 SaaS Services. Invitae shall provide a non-exclusive, non-transferable right to access and use in the Territory in accordance with the documentation, and if the Integrated Option applies install and use solely in connection with the Client System, the Invitae application(s) identified on an Order Form (each, an “Application”) via either a Web-Based Access Option or via an Integrated Option as indicated in the applicable Order Form (collectively, Applications made available via the Web-Based Option and Integrated Options may be referred to as the “SaaS Services”). “Web-Based Access Option” means, in accordance with these Terms, that Client shall obtain web-based access to the Application via the internet location provided by Invitae.  “Integrated Option” means that Client shall obtain access to the Application, in accordance with the terms of these Terms, via integration into the Client System identified in an applicable Order, such integration pursuant to an Order Form. “Client System” means Client’s internal data management system that is connected to the Application if Client selects the Integrated Option.

During any Term, as identified in an Order Form with respect to the Applications, the SaaS Services will be subject to any service levels identified in the applicable Order Form, and Invitae will provide support in accordance with the support policy described in the applicable Order Form. 

1.3 Professional Services. Invitae shall perform the implementation and other services identified on an Order Form (the “Professional Services”) and provide the items specifically identified as “Deliverables” to Client (“Deliverables”). Invitae shall not be liable for any delay in performance directly or indirectly resulting from acts of Client, its agents, employees, or subcontractors.

1.4 Authorized Users; Patients/Specimens. Client shall identify to Invitae Client’s employees and agents that will be provided password protected access to the SaaS Services (the “Authorized Users”). Additional limitations and restrictions may be set forth in the applicable Order Form (e.g., maximum number of Authorized Users). Furthermore, Client’s usage of the Application and SaaS Services is limited to the maximum number of patients or specimens which may be specified on the applicable Order Form.  Client is responsible for compliance by its affiliates and each Authorized User with the Terms. Client acknowledges and understands that all Authorized Users will have access to all information and data in Client’s account and Client is solely responsible for their access and use of information. Client is responsible to notify Invitae when Authorized Users are no longer authorized to have access to Client’s Account and request that Invitae revoke each such Authorized User’s account privileges. Client shall notify Invitae immediately of any unauthorized use of any password or account or any other known or suspected breach of security or misuse of the Services. Client is responsible for the use of the Application and the SaaS Services by any and all employees, contractors, or other users that Client allows to access the Application or the SaaS Services. Client shall implement appropriate safeguards to ensure that Authorized Users do not share passwords or access information with each other or anyone else.

1.5 Territory. The “Territory” shall mean the United States of America, unless the territory in the applicable Order Form specifies otherwise. The Services are only available in the Territory and Client therefore acknowledges and agrees that Client will access the Application and use the SaaS Services only in the Territory and only in connection with Services Client performs in the Territory.

1.6 Use Restrictions. Client shall not directly or indirectly, nor permit any party to, do any of the following: (i) copy, modify, create derivative works of, publish, license, sublicense, sell, market, distribute or otherwise commercially exploit the Application or SaaS Services; (ii) reverse engineer, decompile, disassemble or otherwise attempt to gain access to the source code form of the Application or SaaS Services; (iii) use the Application, SaaS Services or associated documentation in violation of export control Laws and regulations; (iv) remove any proprietary or legal notices from the Application, SaaS Services, documentation or any other Invitae materials furnished or made available hereunder; (v) access the Application or SaaS Services in order to (y) build a competitive product or service, or (z) copy any features, functions, content or graphics of the Application or SaaS Services; (vi) make the Application or SaaS Services available to anyone other than Authorized Users; (vii) sell, resell, rent or lease the Application or SaaS Services, including, without limitation, use the Application or SaaS Services on a service bureau or time sharing basis or otherwise for the benefit of a third party; (viii) use the Application or SaaS Services to store or transmit infringing, libelous, or otherwise unlawful or tortious material, or to store or transmit material in violation of third-party privacy rights; (ix) use the Application or SaaS Services to store or transmit malicious code; (x) interfere with or disrupt the integrity or performance of the Application or SaaS Services or any data contained therein; (xi) attempt to gain unauthorized access to the Application or SaaS Services or their related data, systems or networks; (xii) publish or disclose to third parties any evaluation of the Application or SaaS Services without Invitae’s prior written consent; (xiii) publish or disclose to third parties any data or information on Client’s results from using the Application or SaaS Services, without Invitae’s prior written consent; (xiv) perform vulnerability, load or any other test of the Application or SaaS Services without Invitae’s prior written consent; or (xv) use the Application or SaaS Services in any manner or for any purpose that infringes or misappropriates any intellectual property right or other right of any person, or that violates any Laws.  Client (a) is solely responsible for the accuracy, quality, integrity and legality of all electronic data or information submitted by Client to the Application or SaaS Services (“Client’s Data”) and of the means by which Client acquired Client’s Data, (b) shall prevent unauthorized access to or use of the Application or SaaS Services, and notify Invitae promptly of any such unauthorized access or use, and (c) shall use the Application or SaaS Services only in accordance with any user guides and acceptable use policies for the Application or SaaS Services and Laws.  “Laws” means all applicable national, state and local laws, ordinances, regulations and codes, throughout the Territory, all as may be amended from time to time.

1.7 Additional Terms and Conditions Specific to Applications. Additional terms and conditions specific to an Application or SaaS Service may be included in the applicable Order Form.

Section 2.
PAYMENT

2.1   Charges.  Client shall pay the fees, charges, and expenses specified in the Order Form in accordance with its terms and these Terms.  All payments by Client to Invitae pursuant to these Terms are due and payable within 30 calendar days of the date of invoice, unless otherwise agreed in the applicable Order Form.  All unpaid past-due invoices are subject to a late fee on the outstanding balance for each month that they remain unpaid equal to the lesser of one and one-half percent (1.5%) per month and the highest rate allowable by applicable law.  Starting in the first year following the effective date of the applicable Order Form, Invitae may increase its charges for the SaaS Services specified in the applicable Order Form annually upon 60 days’ prior written notice. If any amount owing by Client under these Terms or any other agreement for Invitae’s services is 10 days or more overdue, Invitae may, without limiting Invitae’s other rights and remedies, accelerate Client’s unpaid fee obligations under these Terms and the other agreements so that all such obligations become immediately due and payable, and suspend Invitae’s Application, Services and Deliverables to Client until such amounts are paid in full.  All payments are non-refundable and all fees are non-cancellable.

2.2   Taxes.  Client will pay sales, use or similar state or local taxes in connection with the Services or payments to be made under these Terms, excluding taxes based on Invitae’s net income.  

2.3 Audit. Client shall maintain complete and accurate records to support and document its compliance with these Terms. Upon request, Client shall provide reasonable assistance to Invitae or its designated agent to conduct audits to confirm the compliance with these Terms and the terms of any applicable Order Forms. Any such audit will be conducted upon reasonable notice and during regular business hours, and shall be at Invitae’s expense, unless such audit reveals a discrepancy of more than five percent (5%) in the total applicable amount due to Invitae, in which event Client shall pay for, or reimburse Invitae the cost of, such audit. 

Section 3.
DATA

3.1 Ownership; Rights

(A) As between the parties, Client shall own all data and information that Client provides and stores using the Application or SaaS Services or has provided and stored on its behalf (“Client Data”). 

(B) Invitae may access Client’s account and Client Data from time to time as Invitae deems necessary or appropriate for purposes of performing the Services, including, without limitation, providing support, performing account administration and generating invoices with respect to Client’s use of the Application and receipt of the Services.  Except as permitted in these Terms or BAA (if applicable with respect to specific Applications and SaaS Services), Invitae shall not during the Term  edit, delete or disclose the contents of Client Data unless authorized by Client or Invitae is required to do so by law or in the good faith belief that such action is necessary to: (1) conform with Laws or comply with legal process served on Invitae; (2) protect and defend the rights or property of Invitae and its licensors; or (3) enforce these Terms or establish any rights hereunder.  Notwithstanding any provision herein or in any BAA to the contrary,  Invitae may de-identify Client Data, including protected health information (“PHI”), and use de-identified data, and data regarding Client’s usage of the Application and Services (“Usage Data”), to analyze, develop, modify and improve Invitae’s product and service offerings, including, without limitation, databases with aggregated or de-identified data, algorithms, machine learning models and analysis services;  to the extent necessary, Client shall permit Invitae to have reasonable access to the Client System to obtain and de-identify Client Data and Usage Data for such purposes. Invitae may use Client Data and Usage Data to generate, utilize and publish aggregated or de-identified data, statistics, analytical results and trend information related to the usage of the Application or SaaS Services (such as usage patterns), but only if such information is not attributed to Client and personally identifying information of Client’s users is not provided. 

3.2 Client is responsible for its Client Data, including its content and accuracy, and agrees to comply with Laws and Section 1.6 (Use Restrictions) in using the Service. Client represents and warrants that it has made all disclosures and has all rights, consents and permissions necessary to use its Client Data with the Services and grant Invitae the rights in Section 3.1, all without violating or infringing Laws, third-party rights (including intellectual property, publicity or privacy rights) or any terms or privacy policies that apply to the Client Data.

3.3 Security. While Invitae will use reasonable safeguards to protect Client Data, Client is solely responsible for the accuracy, quality, integrity, legality, reliability and appropriateness of all Client Data.  Notwithstanding any applicable Business Associate Agreement, Invitae will have no liability to Client or any third party for the deletion, correction, destruction, loss, infringement or failure of the Application or SaaS Services to process or store any Client Data. Invitae reserves the right to establish a maximum amount of storage and a maximum amount of Client Data that Client may store, process, post or transmit on or through any Application or SaaS Services.

3.4 Business Associate Agreement. If Client provides Invitae with any “Protected Health Information” as defined under HIPAA, then the terms of the Business Associate Agreement attached as Exhibit A to these Terms shall apply.  The BAA will not govern the use, disclosure and security of PHI with respect to Covered Entity Services. As used in this Section 3.4, “Business Associate Services” means Services provided by Invitae where Invitae acts as a “business associate” as defined by 45 C.F.R. 160.103. As used in this Section 3.4, “Covered Entity Services” means Services provided by Invitae where Invitae acts as a “covered entity” as defined by 45 C.F.R. 160.103.  

3.5 Data Processing Addendum. If Client provides Invitae with any “personal data” as defined under the General Data Protection Regulation (or other applicable privacy regulations), then the terms of the Data Processing Addendum (“DPA”) attached as Exhibit B to these Terms shall apply.

Section 4.
WARRANTIES; COMPLIANCE WITH LAW

4.1   Service and Performance Warranty.  Invitae represents and warrants that the applicable Application or SaaS Services will conform to the applicable published end user documentation in all material respects during the Term (the “Warranty Period”).  In the event the Services or Deliverables do not conform to this warranty in any material respect, as Client’s exclusive remedy, Invitae will, at no cost or expense to Client, promptly correct, re-perform and, as applicable, re-deliver the Services and Deliverables.  For each day during the Warranty Period that the Deliverables do not conform to the warranty, the Warranty Period shall be extended by one day.  

4.2   Mutual Warranties.  Each party represents and warrants to the other that: (i) it is organized and validly existing under the Laws of the state of its formation and has full authority to enter into these Terms and to carry out its obligations hereunder; (ii)  these Terms are a legal and valid obligation binding upon such party and enforceable against such party, except to the extent such enforceability may be limited by bankruptcy, reorganization, insolvency or similar Laws of general applicability governing the enforcement of the rights of creditors or by the general principles of equity (regardless of whether considered in a proceeding at law or in equity); and (iii) neither the execution of an Order Form referring to these Terms, nor the delivery and performance of Services under these Terms conflicts with any agreement, instrument or contract, oral or written, to which such party is bound.

4.3   Disclaimers

(A) EXCEPT AS EXPRESSLY PROVIDED HEREIN, NEITHER PARTY MAKES ANY WARRANTIES OF ANY KIND, WHETHER EXPRESS, IMPLIED, STATUTORY OR OTHERWISE, AND EACH PARTY SPECIFICALLY DISCLAIMS AND EXCLUDES ALL OTHER WARRANTIES, WHETHER STATUTORY, EXPRESS OR IMPLIED, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT OF THIRD PARTY RIGHTS. FOR THE AVOIDANCE OF DOUBT, INVITAE DOES NOT WARRANT THAT THE APPLICATIONS OR SERVICES WILL MEET CLIENT’S NEEDS OR REQUIREMENTS, THAT THE APPLICATIONS OR THE PROVISION OF THE SERVICES WILL BE UNINTERRUPTED OR THAT THE APPLICATIONS OR SERVICES WILL BE AVAILABLE AT ANY PARTICULAR TIME OR ERROR-FREE, OR THAT THE APPLICATION OR SERVICES WILL RESULT IN ANY PARTICULAR HEALTH OUTCOMES.  FURTHER, INVITAE DOES NOT WARRANT THAT ALL ERRORS IN THE APPLICATIONS OR SERVICES ARE CORRECTABLE OR WILL BE CORRECTED.  Client acknowledges that, notwithstanding the taking by Invitae of security precautions, use of, or connection to, the Internet provides the opportunity for unauthorized third parties to circumvent such precautions and illegally gain access to the Services and Client Data.  Accordingly, Invitae cannot and does not guarantee the privacy, security, integrity or authenticity of any information so transmitted over or stored in any system connected to the Internet or that any security precautions taken will be adequate or sufficient.

(B) Client Review. Without limiting the generality of the disclaimers in Section 4.3(A), Client acknowledges and agrees that:

  1. Not Prescriptive. The Applications and Services may include clinical decision support tools designed for use by healthcare professionals only to assist Client and its Authorized Users in the delivery of medical care. They should not be viewed as prescriptive or authoritative. Any medication decisions should be made by a qualified healthcare professional. Client alone is responsible for all decisions, acts, and omissions of any persons in connection with the delivery of medical care or other services to any patients. There are numerous considerations unique to each patient which the physician or other licensed prescribing professional must take into account before deciding what treatment to offer, modify, or discontinue. Only the physician is in a position to make a complete assessment of the patient and to judge the relevance of the information provided in the report to the actual clinical situation. Any adverse outcome connected with following or not following the recommendations found in reports generated using this program is the responsibility of Client and its Authorized Users. 
  2. Some Services may be for Research Use Only.  Research Use Only Services shall be identified on their Order Forms. Such Services are for use by end-users only for research use and are not to be used for the purpose of providing information for the diagnosis, prevention, or treatment of any disease or impairment of, or the assessment of the health of, individual patients. Any use of Research Use Only Services for any clinical,  diagnostic or therapeutic purpose is performed at the end-user’s risk and requires separate clinical and analytical validation by the end-user of the Research Use Only Services in combination with any materials, technology and methods end-user employs for such clinical, diagnostic or therapeutic purpose.
  3. Client Review. Before any Application or Service is placed into a live production environment, it is Client’s responsibility to review and test the Application and Service as implemented, make independent decisions about system settings and configuration based upon Client’s needs, practices, standards and environment, and reach its own independent determination that the Application or SaaS Services is appropriate for such live production use. Any use by Client or its Authorized Users will constitute Client’s representation that it has complied with the foregoing. 

  4. Updates. Invitae uses commercially reasonable efforts to keep the information in the Application and SaaS Services accurate and up-to-date. However, there is no guarantee that information will be updated on a regular basis or will continue to be updated for an unlimited period of time. There is also no guarantee that all adverse or important outcomes will be reported in the literature and incorporated in the Application or SaaS Service. CLIENT AND ITS AUTHORIZED USERS MUST EXERCISE THEIR INDEPENDENT PROFESSIONAL JUDGMENT AT ALL TIMES. To the extent applicable, Client and its Authorized Users should always review and consider the latest manufacturer’s package information for all medications their patients are using.
  5. No FDA Approval. The Applications and SaaS Services have not been reviewed or approved by the United States Food and Drug Administration and cannot be used to diagnose or treat any disease or other health condition.

(C) Disclaimers Specific to Applications. In addition to, and without limiting the other disclaimers in these Terms, additional disclaimers apply to the specific Application or SaaS Services identified in the applicable Order Form.

4.4   Compliance with Law.  Client and its affiliates shall use the Services in compliance with the requirements of all Laws.

Section 5.
INTELLECTUAL PROPERTY AND CONFIDENTIALITY

5.1   Intellectual Property.  As between the parties and except for the limited express rights granted to Client under Section 1.2 of these Terms, Invitae owns all right, title and interest, including all related intellectual property rights, in and to the Application, SaaS Services and all Deliverables, along with any improvements or modifications thereto.   Client acknowledges that the limited rights granted under these Terms do not provide Client with title to or ownership of the Application or the Services, the Deliverables, any customizations thereto, or any intellectual property therein. For clarity, no right or license to the intellectual property of either party is granted pursuant to these Terms except for the limited rights expressly granted in these Terms or any applicable Order Form. In the event that Client provides comments or feedback relating to Invitae, the Application or SaaS Services, Deliverables, or any of its products or services (“Feedback”), any such Feedback shall be owned exclusively by Invitae. 

5.2   Confidential Information.  “Confidential Information” means any software, data, business, financial, operational, client, vendor or other information disclosed by one party to the other and not generally known by or disclosed to the public.  Notwithstanding anything herein to the contrary, Confidential Information does not include information that is:  (a) already known to or otherwise in the possession of a party at the time of receipt from the other party, provided such knowledge or possession was not the result of a violation of any obligation of confidentiality; (b) publicly available or otherwise in the public domain prior to disclosure by a party; (c) rightfully obtained by a party from any third party having a right to disclose such information without breach of any confidentiality obligation by such third party; or (d) developed by a party independent of any disclosure hereunder, as evidenced by a party’s records.

5.3   Confidentiality Obligations.  Each party shall maintain all of the other party’s Confidential Information in confidence and will protect such information with the same degree of care that such party exercises with its own Confidential Information, but in no event less than a reasonable degree of care.  If a party suffers any unauthorized disclosure, loss of, or inability to account for the Confidential Information of the other party, then the party to whom such Confidential Information was disclosed shall promptly notify and cooperate with the disclosing party and take such actions as may be necessary or reasonably requested by the disclosing party to minimize the damage that may result therefrom.  Except as provided in these Terms, a party shall not use or disclose (or allow the use or disclosure of) any Confidential Information of the other party without the express prior written consent of such party.  If a party is legally required to disclose the Confidential Information of the other party, the party required to disclose will, as soon as reasonably practicable, provide the other party with written notice of the applicable order or subpoena creating the obligation to disclose so that such other party may seek a protective order or other appropriate remedy.  In any event, the party subject to such disclosure obligation will only disclose that Confidential Information which the party is advised by counsel as legally required to be disclosed.  In addition, such party will exercise reasonable efforts to obtain assurance that confidential treatment will be accorded to such Confidential Information.  
Access to and use of any Confidential Information shall be restricted to those employees and persons within a party’s organization who have a need to use the information to exercise rights under or perform these Terms or, in the case of Client, to make use of the Services and Deliverables, and are subject to a contractual, professional or other obligation to keep such information confidential.  A party’s consultants and subcontractors may be included within the meaning of “persons within a party’s organization,” provided that such consultants and subcontractors have executed a confidentiality agreement with provisions similar to those contained in this section. A party may disclose information concerning these Terms and the transactions contemplated hereby, including providing a copy of these Terms, to any or all of the following: (a) potential acquirers, merger partners, investors, lenders, financing sources, and their personnel, attorneys, auditors and investment bankers, solely in connection with the due diligence review of such party by persons and provided that such disclosures are made in confidence, (b) the party’s outside accounting firm, or (c) the party’s outside legal counsel.  A party may also disclose these Terms in connection with any litigation or legal action concerning these Terms.

5.4   Return of Confidential Information.  All of a party’s Confidential Information disclosed to the other party, and all copies thereof, are and shall remain the property of the disclosing party. All such Confidential Information and any and all copies and reproductions thereof shall, upon request of the disclosing party or the expiration or termination of these Terms, be promptly returned to the disclosing party or destroyed (and removed from the party’s computer systems and electronic media) at the disclosing party’s direction, except as prohibited by applicable law, and except that to the extent any Confidential Information is contained in a party’s backup media, databases and e-mail systems, then such party shall continue to maintain the confidentiality of such information and shall destroy it as soon as practicable and, in any event, no later than required by such party’s record retention policy.  In the event of any destruction hereunder, the party who destroyed such Confidential Information shall, if requested, provide to the other party written certification of compliance therewith within fifteen days after destruction.  

5.5 Equitable Relief.  The receiving party acknowledges that unauthorized disclosure of Confidential Information could cause substantial harm to the disclosing party for which damages alone might not be a sufficient remedy and, therefore, that upon any such disclosure by the receiving party the disclosing party will be entitled to appropriate equitable relief in addition to whatever other remedies it might have at law or equity. 

Section 6.
TERM AND TERMINATION 

6.1   Term.  These Terms are valid for the Order Form these Terms accompany. Services will be provided for the term specified in the applicable Order Form (the “Initial Term”). Following the end of the Initial Term, unless otherwise indicated in the applicable Order Form, the Order Form and these Terms will renew for successive one year periods (each such successive term, the “Successive Terms”, and together with the Initial Term, are referred to herein as the “Term”) unless a party notifies the other in writing of its intent not to renew the Order Form and these Terms at least 90 days prior to the end of the then-current Term.  

6.2   Termination.  In the event a party materially breaches these Terms or terms of an Order Form, the breaching party is in default and the non-breaching party may terminate without penalty or fee upon 30 days’ advance written notice to the breaching party, if the breach is not cured within such 30 day period (a) in the case of a breach of terms of an Order Form, the applicable Order Form under which the breach occurred; or (b) in the case of breach of these Terms, these Terms and any Order Forms that have been placed under these Terms.  Any failure to pay charges hereunder is a material breach of these Terms.

6.3   Effect of Termination.  The termination or expiration of the applicable Order Form or these Terms for any reason shall not affect Client’s or Invitae’s rights or obligations that expressly or by their nature continue and survive (including without limitation, the payment terms and the provisions concerning ownership, confidentiality, limitation on liability, indemnity and the warranty disclaimers), and Client shall promptly pay all amounts owed to Invitae for Services and Deliverables.  Termination of these Terms will also result in the termination of all Order Forms covered by these Terms.  Client acknowledges that, due to the limited nature of these Terms and any applicable Order Forms, no Application or SaaS Services should be used in order to maintain any records, and that the Client Data may be destroyed at any time after 60 days following termination of these Terms and/or an Order Form.

6.4   Termination and Non-Renewal Rights are Absolute.  The rights of termination set forth in these Terms are absolute, and the parties have considered the possibility of such termination and the possibility of loss and damage resulting therefrom, in making expenditures pursuant to the performance of these Terms and/or pursuant to any applicable Order Forms.  Neither party shall be liable to the other for damages or otherwise by reason of the termination or expiration of these Terms and/or any applicable Order Form as provided for herein.

6.5   Remedies. Notwithstanding anything in these Terms to the contrary, where a breach of certain provisions of these Terms may cause either party irreparable injury or may be inadequately compensable in monetary damages, either party may seek equitable relief in addition to any other remedies which may be available.  The rights and remedies of the parties under these Terms are not exclusive and are in addition to any other rights and remedies available at law or in equity.  

Section 7.
INDEMNITY AND LIMITATION ON LIABILITY

7.1   Client Obligations. Client shall defend Invitae against any cause of action, suit or proceeding (each a “Claim”) made or brought against Invitae by a third party arising out of or attributable to Client’s use of the Application, Deliverables, or Services (other than as expressly set forth in Section 7.2 below), and shall indemnify Invitae for any damages finally awarded against, and for reasonable attorney’s fees incurred by, Invitae in connection with the Claim, on condition that Invitae (a) promptly gives Client written notice of the Claim (provided, however, that the failure to give such notice shall not relieve Client of its indemnification obligations hereunder except to the extent that Client is materially prejudiced by such failure); (b) gives Client sole control of the defense and settlement of the Claim (provided that Client may not settle any Claim unless the settlement unconditionally releases Invitae of all liability); and (c) provides reasonable assistance in connection with the defense (at Client’s reasonable expense).

7.2   Invitae Obligations. Invitae shall defend Client against any Claim made or brought against Client by a third party alleging that Client’s use of any Application, Deliverables, or SaaS Services as permitted under the applicable Order Form infringes or misappropriates the intellectual property rights of a third party, and shall indemnify Client for any damages finally awarded against, and for reasonable attorney’s fees incurred by, Client in connection with the Claim, on condition that Client (a) promptly gives Invitae written notice of the Claim (provided, however, that the failure to give such notice shall not relieve Invitae of its indemnification obligations hereunder except to the extent that Invitae is materially prejudiced by such failure); (b) gives Invitae sole control of the defense and settlement of the Claim (provided that Invitae may not settle any Claim unless the settlement unconditionally releases Client of all liability); and (c) provides reasonable assistance in connection with the defense (at Invitae’s reasonable expense).  If a Claim is brought or threatened, or Invitae believes is likely to occur, Invitae may, at its option, (i) procure for Client the right to use the applicable Application or SaaS Services, (ii) replace the applicable Application or SaaS Services with other suitable products, or (iii) refund any prepaid fees that have not been earned and terminate the applicable Order Form upon notice. 
Invitae will have no liability under these Terms or otherwise to the extent a Claim is based upon (a) use of any Application, SaaS Services or Deliverables in combination with software, hardware or technology not provided by Invitae, if infringement would have been avoided in the absence of the combination, (b) modifications to any Application, SaaS Services or Deliverables not made by Invitae, if infringement would have been avoided by the absence of the modifications, (c) use of any version other than a current release of any Application or SaaS Services, if infringement would have been avoided by use of a current release, or (d) any action or omission of Client for which Client is obligated to indemnify Invitae under these Terms.

7.3   Exclusive Remedy. This Section 7 states the indemnifying party’s sole liability to, and the indemnified party’s exclusive remedy against, the other party for any type of claim described in this Section.

7.4   Limitation on Liability.  IN NO EVENT SHALL THE  AGGREGATE LIABILITY OF INVITAE ARISING OUT OF OR RELATED TO THESE TERMS, WHETHER IN CONTRACT, TORT (INCLUDING NEGLIGENCE) OR UNDER ANY OTHER THEORY OF LIABILITY, EXCEED THE AMOUNT PAID BY CLIENT HEREUNDER IN THE 12 MONTHS PRECEDING THE INCIDENT, NOTWITHSTANDING ANY FAILURE OF THE ESSENTIAL PURPOSE OF THESE TERMS OR ANY LIMITED REMEDY HEREUNDER.  

7.5   Exclusion of Consequential and Related Damages. IN NO EVENT SHALL INVITAE HAVE ANY LIABILITY TO CLIENT FOR ANY LOST PROFITS OR REVENUES OR FOR ANY INDIRECT, SPECIAL, INCIDENTAL, CONSEQUENTIAL, COVER OR PUNITIVE DAMAGES HOWEVER CAUSED, WHETHER IN CONTRACT, TORT (INCLUDING NEGLIGENCE) OR UNDER ANY OTHER THEORY OF LIABILITY, AND WHETHER OR NOT INVITAE HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES AND NOTWITHSTANDING ANY FAILURE OF THE ESSENTIAL PURPOSE OF THESE TERMS OR ANY LIMITED REMEDY HEREUNDER.

Section 8.
OTHER PROVISIONS

8.1   Marketing.  Invitae may include and use Client’s name on a list of customers and may refer to Client and its logo as a user of the Application and Services and may briefly describe Client’s business in Invitae’s advertising, marketing, promotional, website, and investor materials.

8.2   Notices. Unless otherwise provided herein, any notice, request, or other communication to be given in writing under these Terms will be deemed to have been given by either party to the other party upon the date of receipt, if hand delivered, or two business days after deposit in the U.S. mail if mailed to the other party by registered or certified mail, properly addressed, postage prepaid, return receipt requested, or one business day after deposit with a national overnight courier for next business day delivery, or upon the date of electronic confirmation of receipt of a facsimile transmission if followed by the original copy mailed to the applicable party at its address set forth in the applicable Order Form or other address provided in accordance herewith.  A party may change its address for notices by providing written notice to the other party. All notices to Invitae must be sent to the attention of the Legal Department.

8.3   Assignment. Neither party shall assign its rights under an Order Form without the other party’s prior written consent, except that Invitae may, without Client’s consent, assign an Order Form to an affiliate or pursuant to a corporate reorganization, merger, acquisition or sale of all or substantially all of its assets to which the applicable Order Form relates.  Any attempted assignment or delegation in violation of the foregoing is void.  These Terms and each Order Form are binding upon the parties and their successors and permitted assigns.

8.4   Updates.  Invitae may, in its discretion from time to time, make updates to these Terms, and such updates shall automatically apply without requiring signature of an additional Order Form. When updates are made, Invitae will make a new copy of these Terms available on its website. All changes are effective immediately upon posting and apply to all access to and use of the Services thereafter. The date these Terms were last revised is identified at the top of the page. Client’s continued use of the Services following the posting of revised Terms means that Client accepts and agrees to the changes. Client agrees to check this page from time to time so that Client is aware of any changes, as such changes are binding on Client.  

8.5   Independent Contractor. Invitae is acting as an independent contractor in performing the Services hereunder. Nothing contained herein or done in pursuance of an Order Form shall constitute a joint venture, partnership or agency for the other for any purpose or in any sense whatsoever and neither party shall have the right to make any warranty or representation to such effect.

8.6   Headings and Captions.  Section headings are used for convenience only and shall in no way affect the construction or interpretation of these Terms.   

8.7   Counterparts.  Order Forms may be executed in counterparts and by facsimile or PDF signature, all of which taken together constitute a single agreement between the parties.  Each signed counterpart, including a signed counterpart reproduced by reliable means (such as facsimile and PDF), will be considered as legally effective as an original signature.

8.8   Waiver and Severability.  An individual waiver of a breach of any provision of these Terms or any Order Form requires the consent of the party whose rights are being waived and such waiver will not constitute a subsequent waiver of any other breach.  Any provision of these Terms or any Order Form held to be unenforceable shall not affect the enforceability of any other provisions of these Terms or any Order Form, and the unenforceable provision shall be construed to reflect the economic effect of the unenforceable provision.

8.9   Governing Law.  The laws of the State of Delaware govern all matters arising out of these Terms or any Order Form, without regard to any conflict of law principles applied therein. The UN Convention on Contracts for the International Sale of Goods and Uniform Computer Information Transactions Act (UCITA) will not apply to these Terms or any Order Form.  The Parties may bring any disputes arising out of or related to these Terms or any Order Form non-exclusively in a court located in New Castle County, Delaware and submit to the personal jurisdiction of such courts. Each party expressly waives its rights to a trial by jury in connection with any dispute arising out of or related to these Terms or any Order Form.  

8.10 Entire Agreement.  These Terms, all Order Forms, and all exhibits and addenda thereto are incorporated herein and constitute the entire agreement of the parties with respect to the subject matter hereof and thereof. These Terms and any executed Order Form supersede all prior or contemporaneous negotiations, representations, promises, and agreements concerning the subject matter herein whether written or oral.

8.11 Force Majeure.  Except for the payment of money, neither party will be liable for any default or delay in the performance of any Order Form if and to the extent such default or delay is caused by an event (including, fire, flood, terrorism, pestilence, earthquake, pandemic, elements of nature or acts of God, riots, or civil disorders) beyond the reasonable control of such party.

8.12 Compliance. By entering into an Order Form, the parties specifically intend to comply with all applicable state and federal laws, rules and regulations, including (i) the federal anti-kickback statute (42 U.S.C. 1320a-7(b) and its implementing regulations) and (ii) the federal physician self-referral law, also referred to as the “Stark Law” (42 U.S.C. 1395nn and its implementing regulations).  Accordingly, the parties agree that Invitae has not conditioned Client’s access to the Services upon any agreement by Client to purchase, use or recommend or influence another person’s decision to purchase or use any product or service offered by Invitae or any affiliate of Invitae.  

The following terms apply depending on the Application(s) subscribed to in the Order Form:

PRODUCT TERMS

  1. Archer Analysis Unlimited (AAU) Application Terms

1.1. SUPPORT SERVICES. 

1.1.1. Invitae will provide to Client the support services described in this Section 1 for the support and maintenance of the Application and SaaS Services provided in the applicable Order Form (“AAU Support Services”).

1.1.2. Support Channel. Client may make a request for AAU Support Services by emailing Invitae at adx-tech-support@invitae.com or through such other method as may be designated by Invitae. Invitae will use commercially reasonable efforts to respond to emails received during Business Hours within two hours and assign the request a Severity Level. Invitae will use commercially reasonable efforts to respond to emails received outside of Business Hours within two hours on the next Business Day after the email is received and assign the request a Severity Level. “Business Days” means Monday through Friday, except for generally recognized U.S. holidays, and “Business Hours” means 8:00 am to 5:00 pm Pacific Time Zone adjusted for daylight saving time during Business Days.

1.1.3. Updates. Updates (if any) are included at no additional charge during the term of the applicable Order Form. If applicable, Client agrees to install any Updates provided by Invitae in a timely manner.  Invitae is under no obligation to offer any Updates or Upgrades. “Updates” means, collectively, any modifications, alterations, enhancements and updates to the SaaS Services offered in the applicable Order Form. 

1.1.4. Severity Levels.

1.1.4.1. Severity Level 1. For Severity Level 1 requests, Invitae shall use commercially reasonable efforts to attempt to resolve the request within three hours after classification if reported during Business Hours. If initiated outside of Business Hours, then Invitae shall use commercially reasonable efforts to attempt to resolve the request within three hours of the beginning of the next Business Day. “Severity Level 1” means the SaaS Service offered in the applicable Order Form, as a whole, is non-functional or is not accessible.

1.1.4.2. Severity Level 2. For Severity Level 2 requests, Invitae shall use commercially reasonable efforts to attempt to resolve the request within six hours after classification if reported during Business Hours. If initiated outside of Business Hours, then Invitae shall use commercially reasonable efforts to attempt to resolve the request within six hours of the beginning of the next Business Day. “Severity Level 2” means any of the following: (a) a function of the SaaS Service offered in the applicable Order Form is interrupted; or (b) any other problem that is not a Severity Level 1 or 3.

1.1.4.3. Severity Level 3. For Severity Level 3 requests, Invitae shall use commercially reasonable efforts to attempt to resolve the request within 24 hours after classification if reported during Business Hours. If initiated outside of Business Hours, then Invitae shall use commercially reasonable efforts to attempt to resolve the request within 24 hours of the beginning of the next Business Day. “Severity Level 3” means a general question regarding the SaaS Service offered in the applicable Order Form. 

1.1.5. Limitations. Invitae shall not be obligated to provide AAU Support Services with respect to: (a) any modifications, customizations, alterations or additions to the SaaS Services made by Client; or (b) any computer program incorporating all or any part of the SaaS Services; (c) use of the SaaS Services in a manner not in accordance with these Terms or in conjunction with any unauthorized other software, equipment or operating environments; or (d) gross negligence or intentional misconduct by any user of the SaaS Services. AAU Support Services does not include any services to be performed at Client’s location or any other location outside of Invitae’s premises.

1.1.6. Additional Services. Any additional support services rendered by Invitae and not specified in this Section 5, will be charged to Client on an hourly basis at Invitae’s then-current service fee.

1.1.7. Sole Remedy. Provision of AAU Support Services as described in this Section 1 is Invitae’s sole obligation and Client’s sole remedy with respect to maintenance and support of the SaaS Services described in the applicable Order Form. Invitae shall not have other liability or obligation with respect to any errors or other problems with the SaaS Services described in the applicable Order Form.

 

 

Exhibit A

INVITAE CORPORATION (ACTING AS BUSINESS ASSOCIATE)

BUSINESS ASSOCIATE AGREEMENT 

Last Updated: May 24, 2022

This Business Associate Agreement (“BAA”) is by and between the customer purchasing services from Invitae pursuant to a written agreement (“Customer”) and Invitae Corporation, a Delaware corporation having its principal place of business at 1400 16th Street, San Francisco, CA 94103, together with its affiliates and subsidiaries, (“Invitae”) (each a “Party” and collectively the “Parties”) to comply with the federal Health Insurance Portability and Accountability Act of 1996, as amended by the Health Information Technology for Economic and Clinical Health Act of 2009, and their implementing regulations as amended from time to time, including the Privacy Standards adopted by the U.S. Department of Health and Human Services, 45 C.F.R. parts 160 and 164, subparts A and E (“the Privacy Rule”), the Security Standards adopted by the U.S. Department of Health and Human Services, 45 C.F.R. parts 160, 162 and 164, subpart C (“the Security Rule”), and the Breach Notification Standards adopted by the U.S. Department of Health and Human Services, 45 C.F.R. part 164, subpart D (the “Breach Notification Rule”) (collectively, “HIPAA”).

BACKGROUND

Invitae provides software and professional services (“Services”) to healthcare customers.  Customer has entered into a separate, written agreement with Invitae relating to the Services, which includes Invitae’s Software Terms of Service (the “Agreement”).  Pursuant to the Agreement, Customer, in its capacity as a covered entity, may disclose to Invitae, in its capacity as a business associate, Protected Health Information (“PHI”) (as defined below) regulated under HIPAA.  This BAA is intended to comply with HIPAA, which requires that Customer receive adequate assurances regarding Invitae’s safeguarding of PHI that may be created, received, maintained, transmitted, used, or disclosed by Invitae as part of the provision of Services to Customer. The Parties agree that the terms of this BAA will have no effect unless and until Invitae provides Services to Customer that involve the creation, receipt, maintenance, transmission, use or disclosure of PHI by Invitae.

AGREEMENT

In consideration of this background and the mutual promises in this BAA and the Agreement, the Parties agree as follows:

  1. Definitions.  Unless otherwise provided, all capitalized terms in the BAA will have the same meaning as provided under HIPAA.  “Protected Health Information” or “PHI”, as defined by the Privacy Rule, for this BAA means PHI that is created, received, maintained, transmitted, used, or disclosed by Invitae in connection with providing the Services.
  2. Compliance with Laws.  The Parties agree to comply with HIPAA to the extent applicable to the provision of the Services. 
  3. Use and Disclosure of PHI.  

a. Permitted Uses and Disclosures. Invitae may use or disclose PHI only as necessary to provide Services, as otherwise expressly permitted under this BAA, or as Required by Law, but will not otherwise use or disclose any PHI. 

b. Uses for Proper Management and Administration. Invitae may use or disclose PHI as necessary for the proper management and administration of Invitae, or to carry out its legal responsibilities. 

c. De-identification.  Invitae may use PHI to create de-identified health information in accordance with the HIPAA de-identification requirements. Invitae may disclose de-identified health information for any purpose permitted by law.

d. Disclosure to Subcontractors.  If Invitae discloses PHI received from Customer to a Subcontractor or engages a Subcontractor to create, receive, maintain, transmit, use, or disclose PHI in connection with the Services, Invitae shall require the Subcontractor to enter into a written agreement meeting the requirements of 45 C.F.R. §§ 164.504(e) and 164.314(a)(2).  Invitae shall ensure that the written agreement with each Subcontractor obligates the Subcontractor to comply with restrictions and conditions that are at least as stringent as the restrictions and conditions that apply to Invitae under this BAA. 

  4. Safeguards.  Invitae shall maintain appropriate safeguards to prevent use or disclosure of PHI in violation of this BAA.  Invitae shall comply with the HIPAA Security Rule with respect to electronic PHI and implement administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of any electronic PHI it creates, receives, maintains, or transmits in providing Services to Customer.
  5. Individual Rights.  

a. Individual Right to Copy or Inspection.  To the extent Customer uses Invitae or its Subcontractors to maintain PHI in a Designated Record Set, if an Individual requests access to PHI in a Designated Record Set pertaining to him or her, Invitae may make the PHI in the Designated Record Set directly available to such Individual. 

b. Amendment of an Individual’s PHI or Record.  To the extent Customer uses Invitae or its subcontractors to maintain PHI in a Designated Record Set, if an Individual makes a request for an amendment of his or her PHI in a Designated Record Set pertaining to him or her, Invitae will make the PHI in the Designated Record Set available to Customer for amendment within ten (10) business days of receiving a request from the Customer for such PHI so that Customer can comply with 45 CFR § 164.526.  If instructed to do so by Customer, Invitae will incorporate amendments in accordance with Customer’s instructions and within ten (10) business days of receiving such instructions. If Invitae receives a request for amendment of PHI in a Designated Record Set directly from an Individual, Invitae will forward the request to Customer within five (5) business days.  Customer will be solely responsible for making all determinations regarding the grant or denial of an Individual’s request for an amendment, and Invitae will make no such determinations.

c. Accounting of Disclosures.  Invitae agrees to maintain documentation of the information required to provide an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528, and to make this information available to Customer upon Customer’s request, to allow Customer to respond to an Individual’s request for accounting of disclosures.  Such accounting is limited to disclosures that were made in the six (6) years prior to the request, provided that Invitae will be obligated to provide the accounting only for as long as Invitae maintains the PHI to which it pertains. If Invitae receives a request for an accounting of disclosures directly from an Individual, Invitae will forward the request to Customer within five (5) business days.  Except as Required by Law, Customer will be responsible for preparing and delivering the accounting to the Individual.  Invitae will not provide an accounting of disclosures directly to any Individual.

  6. Internal Practices, Policies and Procedures.  Except as otherwise specified herein, Invitae shall make available its internal practices, policies, and procedures relating to the use and disclosure of PHI received from or on behalf of Customer, to the Secretary of the Department of Health and Human Services or his or her agents for the purpose of determining Customer’s and Invitae’s compliance with HIPAA.  Nothing in this Section will waive any applicable privilege or protection, including with respect to trade secrets and confidential commercial information.  
  7. Reporting Requirements.

a. Security Incidents.  Invitae will report to Customer any Security Incident of which Invitae becomes aware without unreasonable delay and no later than five (5) business days after the date on which Invitae first learns of the Security Incident.  The Parties agree that this Section shall hereby serve as notice, and no additional reporting shall be required by Invitae, of any attempted or unsuccessful Security Incident(s), such as pings, broadcast attacks on firewalls, port scans, or unsuccessful log-in attempts.

b. Unauthorized Uses and Disclosures.  Invitae will report to Customer any acquisition, access, use, or disclosure of PHI in violation of this BAA or HIPAA by Invitae, its employees, other agents or contractors, or by a third party to which Invitae disclosed PHI (each an “Unauthorized Use or Disclosure”) of which Invitae becomes aware without unreasonable delay and no later than five (5) business days after the date on which Invitae first learns of the Unauthorized Use or Disclosure. 

c. Breaches of Unsecured PHI. Invitae will report in writing to Customer any Breach of Unsecured Protected Health Information, as defined in the Breach Notification Rule without unreasonable delay and no later than five (5) business days after the date on which Invitae first learns of the incident giving rise to the Breach.  Invitae will provide such information to Customer as required in the Breach Notification Rule.

  8. Obligations of Customer.  

a. Permissible Requests. Customer shall not request Invitae to use or disclose PHI in any manner that would not be permissible under HIPAA if done by Customer (except as permitted under HIPAA and this BAA).

b. Minimum Necessary PHI. When Customer discloses PHI to Invitae, Customer shall provide the minimum amount of PHI necessary for the accomplishment of Invitae’s purpose.

c. Permissions; Restrictions. Customer warrants that it has obtained and will obtain any consents, authorizations and/or other legal permissions required under HIPAA and other applicable law for the disclosure of PHI to Invitae. Customer shall notify Invitae of any changes in, or revocation of, the permission by an Individual to use or disclose his or her PHI, to the extent that such changes may affect Invitae’s use or disclosure of PHI. Customer shall not agree to any restriction on the use or disclosure of PHI under 45 C.F.R. § 164.522 that restricts Invitae’s use or disclosure of PHI under this Agreement unless such restriction is Required By Law or Invitae grants its written consent, which consent shall not be unreasonably withheld.

d. Notice of Privacy Practices. Except as Required By Law, with Invitae’s consent or as set forth in the Agreement or this BAA, Customer shall not include any limitation in the Covered Entity’s notice of privacy practices that limits Invitae’s use or disclosure of PHI under the Agreement. 

  9. Term and Termination.

a. Term.  The term of this BAA shall commence on the effective date of the Agreement and shall continue until the sooner of (a) termination of the Agreement or (b) termination of this BAA.

b. Termination for Breach. Either Party may terminate this BAA upon written notice to the other party if the non-breaching Party determines that the other Party has materially breached this BAA, provided that the non-breaching Party will first provide the other Party with written notice of the breach of this BAA and afford the other Party the opportunity to cure the breach within thirty (30) days of the date of such notice.  If the other Party fails to timely cure the breach, the non-breaching Party may terminate this BAA.  

c. Effect of Termination.  Upon termination of this BAA for any reason, Invitae agrees to return or destroy all PHI received from Customer or created or received by Invitae on behalf of Customer and that Invitae still maintains in any form within thirty (30) days of termination. If Invitae’s return or destruction of PHI is not feasible, Invitae shall extend the protections of this BAA to such PHI and limit further uses and disclosures of the PHI to those purposes that make the return or destruction of the PHI not feasible for so long as Invitae retains the PHI.

  10. Miscellaneous.

a. Amendments.  This BAA may not be changed or modified in any manner except in writing and signed by an authorized officer of each of the Parties hereto.  The Parties agree that any future amendments to HIPAA that affect Invitae agreements are hereby incorporated by reference into this BAA as if set forth in this BAA in their entirety, effective on the later of the effective date of this BAA or such subsequent date as may be specified by HIPAA. 

b. No Waiver.  Failure or delay on the part of either Party to exercise any right, power, privilege or remedy hereunder shall not constitute a waiver thereof.  No provision of this BAA may be waived by either Party except by a writing signed by an authorized representative of the Party making the waiver.

c. Severability.  The provisions of this BAA shall be severable, and if any provision of this BAA shall be held or declared to be illegal, invalid or unenforceable, the remainder of this BAA shall continue in full force and effect as though such illegal, invalid or unenforceable provision had not been contained herein.

d. No Third Party Beneficiaries.  Nothing in this BAA shall be considered or construed as conferring any right or benefit on a person not a party to this BAA nor imposing any obligations on either Party hereto to persons not a party to this BAA.

e. Interpretation.  Any ambiguity in this BAA shall be resolved in favor of a meaning that permits the Parties to comply with HIPAA.  The provisions of this BAA shall prevail over the provisions of any other prior agreement that exists between the Parties that may conflict with, or appear inconsistent with, any provision of this BAA or HIPAA.

 

 

Exhibit B

Invitae Corporation

Data Processing Addendum (Invitae as Processor)

Last Update: May 24, 2022 

Invitae Corporation, together with its affiliates and subsidiaries, (“Invitae”) provides software and professional services (“Services”) pursuant to a written Agreement (“Agreement”) between Invitae and the customer completing the Agreement (“Customer”). Under such Agreement and this Data Processing Addendum (“DPA”), Invitae processes data that Customers provide to Invitae (“Customer Data”). Customer Data may include personal data and special categories of personal data (health and genetic data).  

  1. Instruction.  Customer instructs Invitae to process and use Customer Data as specified in the Agreement and as necessary to perform the Services.  Invitae acts as a processor in performance of the Services.  
  2. Audits. Invitae submits to reasonable data security and privacy compliance audits and will share information relating to its audits with Customer on request.
  3. Breach Notifications. Invitae will notify Customer of security breaches as required by applicable law.
  4. No Third Party Beneficiary Rights.  This DPA shall not create third party beneficiary rights. 
  5. Security. Invitae applies technical, administrative and organizational data security measures as described in Appendix 1.  Invitae may update and modify these measures from time to time, provided that Invitae must not reduce the level of security provided thereunder.

 

 

Appendix 1 

INVITAE’S TECHNICAL AND ORGANIZATIONAL MEASURES

Invitae maintains a comprehensive Information Security Program (“Security Program”) to manage information within Invitae that includes administrative, technical, and physical safeguards designed to protect the confidentiality, integrity and availability of Customer Data. Invitae’s Security Program includes the following elements: 

  1. Policies and Procedures

Invitae maintains policies and procedures to ensure the confidentiality, integrity, and availability of Customer Data and protect it from accidental, unauthorized or improper disclosure, use, alteration or destruction.

  2. Access Controls

Invitae maintains policies, procedures, and operational processes that:  

2.1. limit physical access to Customer Data and the facility or facilities in which it is stored to properly authorized persons; 

2.2. ensure that all members of the Invitae workforce (including contractors) who require access to Customer Data have appropriately controlled access, and prevent those workforce members and others who should not have access from obtaining access;

2.3. authenticate and permit access only to authorized individuals and prevent members of Invitae’s workforce from providing Customer Data or information relating thereto to unauthorized individuals;

2.4. assign a unique ID to each person with computer access to Customer Data;  

2.5. restrict access to Customer Data to only those people with a “need-to-know” for a permitted purpose;

2.6. regularly review the list of people and services with access to Customer Data, and remove accounts that no longer require access;

2.7. maintain and enforce “account lockout” by disabling accounts with access to Customer Data when an account exceeds a threshold number of consecutive incorrect password attempts;

2.8. regularly review access logs for signs of malicious behavior or unauthorized access.

  3. Security Awareness and Training

Invitae maintains an ongoing security awareness and training program for all members of Invitae’s workforce (including contractors and management).

  4. Security Incident Procedures

Invitae maintains policies and procedures to detect, respond to, and otherwise address security incidents, including procedures to monitor systems and to detect actual and attempted attacks on or intrusions into Customer Data or information systems relating thereto, and procedures to identify and respond to suspected or known security incidents, mitigate harmful effects of security incidents, and document security incidents and their outcomes. If Invitae becomes aware of any security incident that leads to a data breach impacting Customer Data, Invitae will: 

4.1. notify Customer without undue delay;

4.2. reasonably cooperate with the impacted Customer to investigate and remediate the breach and mitigate any further risk to Customer Data. 

  5. Contingency Planning

Invitae maintains policies, procedures, and operational processes for responding to an emergency, or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages Customer Data or systems that contain Customer Data.

  6. Device and Media Controls

Invitae does not permit Customer Data to be downloaded, or otherwise stored on laptops or other portable devices, unless they are subject to all of the protections required herein. Such protective measures shall include, at a minimum, that all devices accessing Customer Data shall be encrypted and use up-to-date anti-malware detection and prevention software.

  7. Audit Controls

Invitae maintains hardware, software, services, platforms and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic information, including appropriate logs and reports concerning these security requirements and compliance therewith.

  8. Storage and Transmission Security

Invitae maintains technical security measures to guard against unauthorized access to Customer Data that is being transmitted over an electronic communications network. Invitae will:

8.1. maintain a working and up-to-date network firewall to protect data accessible via the Internet; 

8.2. use anti-malware software at all times and keep the anti-malware software up-to-date;

8.3. maintain technical and security measures to encrypt Customer Data in transit and at rest;

8.4. regularly review access logs for signs of malicious behavior or unauthorized access;

8.5. keep Invitae’s systems and software up-to-date with the latest applicable upgrades, updates, new versions and other modifications necessary to ensure security of Customer Data.

  9. Assigned Security Responsibility

Invitae has a designated security official responsible for the development, implementation, and maintenance of the Security Program. 

  10. Testing

Invitae regularly tests key controls, systems and procedures of Invitae’s Security Program to ensure that they are properly implemented and effective in addressing the threats and risks identified. 

  11. Third Party Vendor Management

Invitae may use third party vendors in support of Invitae’s services to Customer. Invitae performs a security and privacy risk-based assessment of prospective vendors before working with vendors to validate that they meet Invitae’s privacy and security standards. 

  12. Disclosure by Law

In the event Invitae is required by law, regulation, or legal process to disclose any Customer Data, Invitae will (a) give Customer, to the extent possible, reasonable advance notice prior to disclosure so Customer may contest the disclosure or seek a protective order, and (b) reasonably limit the disclosure to the minimum amount that is legally required to be disclosed.

  13. Updates

Invitae continually monitors, evaluates, and adjusts, as appropriate, the Security Program in light of any relevant changes in technology or industry security standards, the sensitivity of the Customer Data, and internal or external threats to Customer Data.