GoMeyra Policies

Terms and Policies

I. Introduction
GoMeyra.com, Inc. (“GoMeyra”) is committed to ensuring the confidentiality, privacy, integrity, and availability of all electronic protected health information (ePHI) it receives, maintains, processes and/or transmits on behalf of its Customers. As providers of compliant, hosted Google Cloud SQL infrastructure used by health technology vendors, developers, designers, agencies, custom development shops, and enterprises, GoMeyra strives to maintain compliance, proactively address information security, mitigate risk for its Customers, and assure known breaches are completely and effectively communicated in a timely manner. The following documents and links to documents address core policies used by GoMeyra to maintain compliance and assure the proper protections of infrastructure used to store, process, and transmit ePHI for GoMeyra Customers.

Compliance Inheritance
GoMeyra provides compliant hosted Google Cloud SQL for its Customers. GoMeyra’s deployment infrastructure and support services are provided by internal staff. After successful completion of the GoMeyra Professional Certification Track (GPCT), support staff are assigned to their role on the support team based on the certifications they have completed.

GoMeyra signs business associate agreements (BAAs) with its Customers. These BAAs outline GoMeyra obligations and Customer obligations, as well as liability in the case of a breach.
Certain aspects of compliance cannot be inherited. Because of this, GoMeyra Customers, in order to achieve full compliance, must implement certain organizational policies. These policies and aspects of compliance fall outside of the services and obligations of GoMeyra.
Below are mappings of HIPAA Rules to GoMeyra controls.

GoMeyra Organizational Concepts
The physical infrastructure environment is hosted on Google Cloud (“GC”). The network components and supporting network infrastructure are contained within the GC infrastructure and managed by GoMeyra internal staff. GoMeyra does not have physical access to the network components. The GoMeyra environment consists of a Google Cloud SQL database with several hosted web servers acting as encrypted gateways to client-side agents running on systems inside the protected laboratory network. This secures traffic end-point-to-end-point, with ingress data entering the tunnel from a HIPAA/PCI/SOC compliant network and egressing into the fully compliant Google Cloud.
Within the GoMeyra Cloud Application “GCA” Platform, all data transmission is encrypted and all hard drives are encrypted so data at rest is also encrypted; this applies to all servers – those hosting SQL databases, APIs, log servers, etc. GoMeyra assumes all data may contain ePHI, even though our Risk Assessment does not indicate this is the case, and provides appropriate protections based on that assumption.

Additionally, the Compute Engine API has been enabled to utilize the built-in Google security protection known as Cloud Armor, which enables the following features.
• IP-based and geo-based access control: Filter your incoming traffic based on IPv4 and IPv6 addresses or CIDRs. Enforce geography-based access controls to allow or deny traffic based on source geo using Google’s geoIP mapping.

• Support for hybrid and multi-cloud deployments: Help defend applications from DDoS or web attacks and enforce Layer 7 security policies whether your application is deployed on Google Cloud or in a hybrid or multi-cloud architecture.

• Visibility and monitoring: Easily monitor all of the metrics associated with your security policies in the Cloud Monitoring dashboard. You can also view suspicious application traffic patterns from Cloud Armor directly in the Security Command Center dashboard.

• Pre-configured WAF rules: Out-of-the-box rules from the ModSecurity Core Rule Set to help defend against attacks like cross-site scripting (XSS) and SQL injection. RFI, LFI, and RCE rules are also available in beta. Learn more in our WAF rules guide.

• Named IP Lists: Allow or deny traffic through a Cloud Armor security policy based on a curated Named IP List (beta).

Access to the internal database is restricted to a limited number of personnel and strictly controlled to only those personnel with a business-justified reason. The internal servers are not remotely accessible except through the load balancers and/or secure VPN.
All Platform Add-ons and operating systems are tested end-to-end for usability, security and impact prior to deployment to production.

Version Control
Policies were last updated 10/12/2020.
All other policies are maintained online and can be accessed via hyperlink below

II. Policy Management Policy
GoMeyra implements policies and procedures to maintain compliance and integrity of data. The Security Officer and Privacy Officer are responsible for maintaining policies and procedures and assuring all GoMeyra workforce members, business associates, customers, and partners are adherent to all applicable policies. Previous versions of policies are retained to assure ease of finding policies at specific historic dates in time.

Applicable Standards from the Trust Services Criteria COSO Framework
CC5.3 – Developing and Implementing Continuity Plans Including Information Security

Applicable Standards from the HIPAA Security Rule
164.316(a) – Policies and Procedures
164.316(b)(1)(i) – Documentation

Maintenance of Policies
1. All policies are stored and up to date to maintain GoMeyra compliance with SOC2, HIPAA, and other relevant standards. Updates and version control are done similarly to source code control procedures of software development companies and include major, minor, and revision numbers to manage revisions.

2. Policy update requests can be made by any workforce member at any time directly to the Security or Privacy Officer. Furthermore, all policies are reviewed annually by both the Security and Privacy Officers to assure accuracy, integrity, and availability of information.

3. Edits and updates made by appropriate and authorized workforce members are done on their own versions, or branches. These changes are only merged back into final, or master, versions by the Privacy or Security Officer, similarly to a pull request. All changes are linked to workforce personnel who made them and the Officer who accepted them.

4. All policies are made accessible to all GoMeyra workforce members. The current master policies are published [HYPER LINK TO POLICY WEBSITE].

5. Changes can be requested to policies by submitting a pull request or by sending an email directly to the Security or Privacy Officer.

6. All policies, and associated documentation, are retained for 6 years from the date of their creation or the date when they were last in effect, whichever is later.

7. Version history of all GoMeyra policies is done via SharePoint version control.

8. Backup storage of all policies is done via Microsoft Office 365 SharePoint backup of the Site Collection, and the data is spread across multiple regions.

9. The policies and information security policies are reviewed and audited annually. Issues that come up as part of this process are reviewed by GoMeyra management to assure all risks and potential gaps are mitigated and/or fully addressed. The policy review form can be found here.

III. Key Definitions
• Alpha: Site owned and controlled by internal GoMeyra Web Services team to assess feature requests and software developments

• Beta: Site owned and controlled by internal GoMeyra Web Services team to test new feature requests and software developments

• Third Party: An individual or organization other than the entity and its employees. Third parties may be customers, suppliers, business partners, or others.

• Application: An application hosted by GoMeyra, either maintained and created by GoMeyra, or maintained and created by a Customer or Partner.

• Application Level: Controls and security associated with an Application.

• Audit: Internal process of reviewing information system access and activity (e.g., logins, file accesses, and security incidents). An audit may be done as a periodic event, as a result of a patient complaint, or suspicion of employee wrongdoing.

• Audit Controls: Technical mechanisms that track and record computer/system activities.

• Audit Logs: Encrypted records of activity maintained by the system which provide: 1) date and time of activity; 2) origin of activity (app); 3) identification of user doing activity; and 4) data accessed as part of activity.

• Access: Means the ability or the means necessary to read, write, modify, or communicate data or information or otherwise use any system resource.

• Backup: The process of making an electronic copy of data stored in a computer system. This can either be complete, meaning all data and programs, or incremental, including just the data that changed from the previous backup.

• Breach: Means the acquisition, access, use, or disclosure of protected health information (PHI) in a manner not permitted under the Privacy Rule which compromises the security or privacy of the PHI. For purpose of this definition, “compromises the security or privacy of the PHI” means poses a significant risk of financial, reputational, or other harm to the individual. A use or disclosure of PHI that does not include the identifiers listed at §164.514(e)(2), limited data set, date of birth, and zip code does not compromise the security or privacy of the PHI. Breach excludes:

a. Any unintentional acquisition, access or use of PHI by a workforce member or person acting under the authority of a Covered Entity (CE) or Business Associate (BA) if such acquisition, access, or use was made in good faith and within the scope of authority and does not result in further use or disclosure in a manner not permitted under the Privacy Rule.

b. Any inadvertent disclosure by a person who is authorized to access PHI at a CE or BA to another person authorized to access PHI at the same CE or BA, or organized health care arrangement in which the CE participates, and the information received as a result of such disclosure is not further used or disclosed in a manner not permitted under the Privacy Rule.

c. A disclosure of PHI where a CE or BA has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information.

• Business Associate: A person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.

• Covered Entity: A health plan, health care clearinghouse, or a healthcare provider who transmits any health information in electronic form.

• Collection: The process of obtaining personal information from the individual directly (for example, through the individual’s submission of an internet form or a registration form) or from another party such as a business partner.

• Commitments: Declarations made by management to customers regarding the performance of one or more systems that provide services or products. Commitments can be communicated in written individualized agreements, standardized contracts, service level agreements, or published statements (for example, a security practices statement). A commitment may relate to one or more trust services categories. Commitments may be made on many different aspects of the service being provided or the product, production, manufacturing, or distribution specifications.

• Component: One of five elements of internal control, including the control environment, risk assessment, control activities, information and communication, and monitoring activities.

• Compromise: Refers to a loss of confidentiality, integrity, or availability of information, including any resultant impairment of (1) processing integrity or availability of systems or (2) the integrity or availability of system inputs or outputs.

• Controls: Policies and procedures that are part of the entity’s system of internal control. The objective of an entity’s system of internal control is to provide reasonable assurance that principal system objectives are achieved.

• Control Activity: An action established through policies and procedures that help ensure that management’s directives to mitigate risks to the achievement of objectives are carried out.

• Consent: This privacy requirement is one of the fair information practice objectives. Individuals must be able to prevent the collection of their personal data, unless legally required. If an individual has a choice about the use or disclosure of his or her information, consent is the individual’s way of giving permission for the use or disclosure. Consent may be affirmative (for example, opting in) or implied (for example, not opting out). There are two types of consent:

a. Explicit consent: A requirement that an individual “signifies” his or her agreement with a data controller by some active communication between the parties.

b. Implied consent: When consent may reasonably be inferred from the action or inaction of the individual.

• COSO: The Committee of Sponsoring Organizations of the Treadway Commission. COSO is a joint initiative of five private-sector organizations and is dedicated to providing thought leadership through the development of frameworks and guidance on enterprise risk management, internal control, and fraud deterrence. (See www.coso.org.)

• Criteria: The benchmarks used to measure or evaluate the subject matter.
• De-identification: The process of removing identifiable information so that data is rendered to not be PHI.
• Demo: Site that a potential customer, laboratory, provider, employer, and/or any other revenue generating application uses to evaluate the GoMeyra suite of applications.
• Disaster Recovery: The process or ability to recover a system and data after being made unavailable.
• Disclosure: Disclosure means the release, transfer, provision of, access to, or divulging in any other manner of information outside the entity holding the information.
• Disposal: A phase of the data life cycle that pertains to how an entity removes or destroys data or information.
• Customers: Contractually bound users of GoMeyra Services (e.g. GoMeyra).
• Electronic Protected Health Information (ePHI): Any individually identifiable health information protected by HIPAA that is transmitted by, processed in some way, or stored in electronic media.
• Environment: The overall technical environment, including all servers, network devices, and applications.
• Event: An event is defined as an occurrence that does not constitute a serious adverse effect on GoMeyra, its operations, or its Customers, though it may be less than optimal. Examples of events include, but are not limited to:
  • Hard drive malfunction that requires replacement;
  • Systems become unavailable due to power outage that is non-hostile in nature, with redundancy to assure ongoing availability of data;
  • Accidental lockout of an account due to incorrectly entering a password multiple times.
• Hardware (or hard drive): Any computing device able to create and store ePHI.
• Health and Human Services (HHS): The government body that maintains HIPAA.
• Individually Identifiable Health Information: That information that is a subset of health information, including demographic information collected from an individual, and is created or received by a health care provider, health plan, employer, or health care clearinghouse; and relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and identifies the individual; or with respect to which there is a reasonable basis to believe the information can be used to identify the individual.
• Indication: A sign that an Incident may have occurred or may be occurring at the present time. Examples of indications include:
  • The network intrusion detection sensor alerts when a known exploit occurs against an FTP server. Intrusion detection is generally reactive, looking only for footprints of known attacks. It is important to note that many IDS “hits” are also false positives and are neither an event nor an incident;
  • The antivirus software alerts when it detects that a host is infected with a worm;
  • Users complain of slow access to hosts on the Internet;
  • The system administrator sees a filename with unusual characteristics;
  • Automated alerts of activity from log monitors like GCPAD;
  • An alert from GCPAD about file system integrity issues.
• Intrusion Detection System (IDS): A software tool used to automatically detect and notify in the event of possible unauthorized network and/or system access.
• Law Enforcement Official: Any officer or employee of an agency or authority of the United States, a State, a territory, a political subdivision of a State or territory, or an Indian tribe, who is empowered by law to investigate or conduct an official inquiry into a potential violation of law; or prosecute or otherwise conduct a criminal, civil, or administrative proceeding arising from an alleged violation of law.
• Logging Service: A logging service for unifying system and application logs, encrypting them and storing them for access by authorized personnel.
• Messaging: API-based services to deliver and receive SMS messages.
• Minimum Necessary Information: Protected health information that is the minimum necessary to accomplish the intended purpose of the use, disclosure, or request. The “minimum necessary” standard applies to all protected health information in any form.
• Off-Site: For the purpose of storage of Backup media, off-site is defined as any location separate from the building in which the backup was created. It must be physically separate from the creating site.
• Organization: For the purposes of this policy, the term “organization” shall mean GoMeyra.
• Partner: Contractually bound 3rd party vendor with integration with the GoMeyra Platform. May offer Add-on services.
• Platform: The overall technical environment of GoMeyra.
• Production: Asset, Site, or Service that is currently servicing customers, laboratories, providers, and any other revenue generating application.
• Protected Health Information (PHI): Individually identifiable health information that is created by or received by the organization, including demographic information, that identifies an individual, or provides a reasonable basis to believe the information can be used to identify an individual, and relates to:
  • Past, present or future physical or mental health or condition of an individual.
  • The provision of health care to an individual.
  • The past, present, or future payment for the provision of health care to an individual.
• Role: The category or class of person or persons doing a type of job, defined by a set of similar or identical responsibilities and access privileges.
• Sanitization: Removal or the act of overwriting data to a point of preventing the recovery of the data on the device or media that is being sanitized. Sanitization is typically done before re-issuing a device or media, donating equipment that contained sensitive information or returning leased equipment to the lending company.
• Staging: After a demo site has been generated and a customer has established a service contract, the site is moved into a staging mode where all configurations are merged into a production container from the staging container.
• Trigger Event: Activities that may be indicative of a security breach that require further investigation (See Appendix).
• Restricted Area: Those areas of the building(s) where protected health information and/or sensitive organizational information is stored, utilized, or accessible at any time.
• Precursor: A sign that an Incident may occur in the future. Examples of precursors include:
  • Suspicious network and host-based IDS events/attacks;
  • Alerts as a result of detecting malicious code at the network and host levels;
  • Alerts from file integrity checking software;
  • Audit log alerts.
• Risk: The likelihood that a threat will exploit a vulnerability, and the impact of that event on the confidentiality, availability, and integrity of ePHI, other confidential or proprietary electronic information, and other system assets.
• Risk Management Team: Individuals who are knowledgeable about the Organization’s HIPAA Privacy, Security and HITECH policies, procedures, training program, computer system set up, and technical security controls, and who are responsible for the risk management process and procedures outlined below.
• Risk Assessment: (Referred to as Risk Analysis in the HIPAA Security Rule); the process that:
  • Identifies the risks to information system security and determines the probability of occurrence and the resulting impact for each threat/vulnerability pair identified given the security controls in place;
  • Prioritizes risks; and
  • Results in recommended possible actions/controls that could reduce or offset the determined risk.
• Risk Management: Within this policy, it refers to two major process components: risk assessment and risk mitigation. This differs from the HIPAA Security Rule, which defines it as a risk mitigation process only. The definition used in this policy is consistent with the one used in documents published by the National Institute of Standards and Technology (NIST).
• Risk Mitigation: Referred to as Risk Management in the HIPAA Security Rule, and is a process that prioritizes, evaluates, and implements security controls that will reduce or offset the risks determined in the risk assessment process to satisfactory levels within an organization given its mission and available resources.
• Security Incident (or just Incident): A security incident is an occurrence that exercises a significant adverse effect on people, process, technology, or data. Security incidents include, but are not limited to:
  • A system or network breach accomplished by an internal or external entity; this breach can be inadvertent or malicious;
  • Unauthorized disclosure;
  • Unauthorized change or destruction of ePHI (i.e. delete dictation, data alterations not following GoMeyra’s procedures);
  • Denial of service not attributable to identifiable physical, environmental, human or technology causes;
  • Disaster or enacted threat to business continuity.
• Information Security Incident: A violation or imminent threat of violation of information security policies, acceptable use policies, or standard security practices. Examples of information security incidents may include, but are not limited to, the following:
  • Denial of Service: An attack that prevents or impairs the authorized use of networks, systems, or applications by exhausting resources;
  • Malicious Code: A virus, worm, Trojan horse, or other code-based malicious entity that infects a host;
  • Unauthorized Access/System Hijacking: A person gains logical or physical access without permission to a network, system, application, data, or other resource. Hijacking occurs when an attacker takes control of network devices or workstations;
  • Inappropriate Usage: A person violates acceptable computing use policies;
  • Other examples of observable information security incidents may include, but are not limited to:
    • Use of another person’s individual password and/or account to login to a system;
    • Failure to protect passwords and/or access codes (e.g., posting passwords on equipment);
    • Installation of unauthorized software;
    • Terminated workforce member accessing applications, systems, or network.
• Threat: The potential for a particular threat-source to successfully exercise a particular vulnerability. Threats are commonly categorized as:
  • Environmental – external fires, HVAC failure/temperature inadequacy, water pipe burst, power failure/fluctuation, etc.
  • Human – hackers, data entry, workforce/ex-workforce members, impersonation, insertion of malicious code, theft, viruses, SPAM, vandalism, etc.
  • Natural – fires, floods, electrical storms, tornados, etc.
  • Technological – server failure, software failure, ancillary equipment failure, etc. and environmental threats, such as power outages, hazardous material spills.
  • Other – explosions, medical emergencies, misuse of resources, etc.
• Threat Source: Any circumstance or event with the potential to cause harm (intentional or unintentional) to an IT system. Common threat sources can be natural, human or environmental which can impact the organization’s ability to protect ePHI.
• Threat Action: The method by which an attack might be carried out (e.g., hacking, system intrusion, etc.).
• Unrestricted Area: Those areas of the building(s) where protected health information and/or sensitive organizational information is not stored or is not utilized or is not accessible there on a regular basis.
• Unsecured Protected Health Information: Protected health information (PHI) that is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of technology or methodology specified by the Secretary in the guidance issued under section 13402(h)(2) of Pub. L.111-5 on the HHS website.
  1. Electronic PHI has been encrypted as specified in the HIPAA Security Rule by the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without the use of a confidential process or key, and such confidential process or key that might enable decryption has not been breached. To avoid a breach of the confidential process or key, these decryption tools should be stored on a device or at a location separate from the data they are used to encrypt or decrypt. The following encryption processes meet this standard.
    a. Valid encryption processes for data at rest (i.e. data that resides in databases, file systems and other structured storage systems) are consistent with NIST Special Publication 800-111, Guide to Storage Encryption Technologies for End User Devices.
    b. Valid encryption processes for data in motion (i.e. data that is moving through a network, including wireless transmission) are those that comply, as appropriate, with NIST Special Publications 800-52, Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations; 800-77, Guide to IPSec VPNs; or 800-113, Guide to SSL VPNs, and may include others which are Federal Information Processing Standards FIPS 140-2 validated.
  2. The media on which the PHI is stored or recorded has been destroyed in one of the following ways:
    a. Paper, film, or other hard copy media have been shredded or destroyed such that the PHI cannot be read or otherwise cannot be reconstructed. Redaction is specifically excluded as a means of data destruction.
    b. Electronic media have been cleared, purged, or destroyed consistent with NIST Special Publication 800-88, Guidelines for Media Sanitization, such that the PHI cannot be retrieved.
• Vendors: Persons from other organizations marketing or selling products or services, or providing services to GoMeyra.
• Vulnerability: A weakness or flaw in an information system that can be accidentally triggered or intentionally exploited by a threat and lead to a compromise in the integrity of that system, i.e., resulting in a security breach or violation of policy.
• Workstation: An electronic computing device, such as a laptop or desktop computer, or any other device that performs similar functions, used to create, receive, maintain, or transmit ePHI. Workstation devices may include, but are not limited to: laptop or desktop computers, personal digital assistants (PDAs), tablet PCs, and other handheld devices. For the purposes of this policy, “workstation” also includes the combination of hardware, operating system, application software, and network connection.
• Workforce: Means employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity, is under the direct control of such entity, whether or not they are paid by the covered entity.

IV. 3rd Party Policy
GoMeyra makes every effort to assure all 3rd party organizations are compliant and do not compromise the integrity, security, and privacy of GoMeyra or GoMeyra Customer data. 3rd Parties include Customers, Partners, Subcontractors, and Contracted Developers.

Applicable Standards from the Trust Services Criteria COSO Framework

• CC6.1 – The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity’s objectives.

• CC6.2 – Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users whose access is administered by the entity. For those users whose access is administered by the entity, user system credentials are removed when user access is no longer authorized.

• CC6.3 – The entity authorizes, modifies, or removes access to data, software, functions, and other protected information assets based on roles, responsibilities, or the system design and changes, giving consideration to the concepts of least privilege and segregation of duties, to meet the entity’s objectives.

10.1 – Outsourced Software Development

Applicable Standards from the HIPAA Security Rule

• 164.314(a)(1)(i) – Business Associate Contracts or Other Arrangements

Policies to Assure 3rd Parties Support GoMeyra Compliance

1. The following steps are required before 3rd parties are granted access to any GoMeyra systems:
• Due diligence with the 3rd party;
• Controls implemented to maintain compliance;
• Written agreements, with appropriate security requirements, are executed.

2. All connections and data in transit between GoMeyra and 3rd parties are encrypted end to end.

3. Access granted to external parties is limited to the minimum necessary and granted only for the duration required.

4. A standard business associate agreement with Customers and Partners is defined and includes the required security controls in accordance with the organization’s security policies. Additionally, responsibility is assigned in these agreements.

5. GoMeyra has Service Level Agreements (SLAs) with Subcontractors with an agreed service arrangement addressing liability, service definitions, security controls, and aspects of services management.

GoMeyra utilizes monitoring tools to regularly evaluate Subcontractors against relevant SLAs.

6. Third parties are unable to make changes to any GoMeyra infrastructure without explicit permission from GoMeyra.

7. Whenever outsourced development is utilized by GoMeyra, all changes to production systems will be approved and implemented by GoMeyra workforce members only. All outsourced development requires a formal contract with GoMeyra.

8. GoMeyra maintains and annually reviews a list of all current Partners and Subcontractors.

9. GoMeyra assesses security requirements and compliance considerations with all Partners and Subcontractors.

10. Regular review is conducted as required by SLAs to assure security and compliance. These reviews cover reports, audit trails, security events, operational issues, and failures and disruptions; identified issues are investigated and resolved in a reasonable and timely manner.

11. Any changes to Partner and Subcontractor services and systems are reviewed before implementation.

12. For all partners, GoMeyra reviews activity annually to assure partners are in line with SLAs in contracts with GoMeyra.

13. Identifies and Manages the Inventory of Information Assets — The entity identifies, inventories, classifies, and manages information assets.

14. Restricts Logical Access — Logical access to information assets, including hardware, data (at-rest, during processing, or in transmission), software, administrative authorities, mobile devices, output, and offline system components is restricted through the use of access control software and rule sets.

15. Identifies and Authenticates Users — Persons, infrastructure, and software are identified and authenticated prior to accessing information assets, whether locally or remotely.

16. Considers Network Segmentation — Network segmentation permits unrelated portions of the entity’s information system to be isolated from each other.

17. Manages Points of Access — Points of access by outside entities and the types of data that flow through the points of access are identified, inventoried, and managed. The types of individuals and systems using each point of access are identified, documented, and managed.

18. Restricts Access to Information Assets — Combinations of data classification, separate data structures, port restrictions, access protocol restrictions, user identification, and digital certificates are used to establish access-control rules for information assets.

19. Manages Identification and Authentication — Identification and authentication requirements are established, documented, and managed for individuals and systems accessing entity information, infrastructure, and software.

20. Manages Credentials for Infrastructure and Software — New internal and external infrastructure and software are registered, authorized, and documented prior to being granted access credentials and implemented on the network or access point. Credentials are removed and access is disabled when access is no longer required or the infrastructure and software are no longer in use.

21. Uses Encryption to Protect Data — The entity uses encryption to supplement other measures used to protect data at rest, when such protections are deemed appropriate based on assessed risk.

22. Protects Encryption Keys — Processes are in place to protect encryption keys during generation, storage, use, and destruction.

23. Removes Access to Protected Assets When Appropriate — Processes are in place to remove credential access when an individual no longer requires such access.

24. Creates or Modifies Access to Protected Information Assets — Processes are in place to create or modify access to protected information assets based on authorization from the asset’s owner.

25. Removes Access to Protected Information Assets — Processes are in place to remove access to protected information assets when an individual no longer requires access.

26. Uses Role-Based Access Controls — Role-based access control is utilized to support segregation of incompatible functions.

27. Reviews Access Roles and Rules — The appropriateness of access roles and access rules is reviewed on a periodic basis for unnecessary and inappropriate individuals with access and access rules are modified as appropriate.

V. Approved Tools Policy
GoMeyra utilizes a suite of approved software tools for internal use by workforce members. These software tools are provided by the Google Cloud Administration Platform, with security role assignment managed by the GoMeyra Security Officer. Additional tools are either industry-standard software packages by Microsoft with a signed code base and an active license including support, or in-house developed applications used solely by the GoMeyra workforce, or alongside business associates with the proper agreements in place, where appropriate. Use of other tools requires approval from GoMeyra leadership.

List of Approved Tools
• Google Cloud: Google Container Engine is used for hosting application services. Google Cloud SQL is used for hosting application databases.
• GitHub: GitHub is used for source and version control of application code written and used by GoMeyra.
• Google G Suite: Google G Suite is used for email and document collaboration.
• SharePoint: Project and development planning, and development work board.
• Bitrix24: Used for sales and marketing communication.

VI. Auditing Policy
GoMeyra shall audit access and activity of electronic protected health information (ePHI) applications and systems in order to ensure compliance. The Security Rule requires healthcare organizations to implement reasonable hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI. Audit activities may be limited by application, system, and/or network auditing capabilities and resources. GoMeyra shall make reasonable and good-faith efforts to safeguard information privacy and security through a well-thought-out approach to auditing that is consistent with available resources.

It is the policy of GoMeyra to safeguard the confidentiality, integrity, and availability of applications, systems, and networks. To ensure that appropriate safeguards are in place and effective, GoMeyra shall audit access and activity to detect, report, and guard against:
• Network vulnerabilities and intrusions;
• Breaches in confidentiality and security of patient protected health information;
• Performance problems and flaws in applications;
• Improper alteration or destruction of ePHI;
• Out of date software and/or software known to have vulnerabilities.

Applicable Standards from the Trust Services Criteria COSO Framework
• CC6.6 The entity implements logical access security measures

Applicable Standards from the HIPAA Security Rule
• 45 CFR § 164.308(a)(1)(ii)(D) – Information System Activity Review
• 45 CFR § 164.308(a)(5)(ii)(B) & (C) – Protection from Malicious Software & Log-in Monitoring
• 45 CFR § 164.308(a)(2) – HIPAA Security Rule Periodic Evaluation
• 45 CFR § 164.312(b) – Audit Controls
• 45 CFR § 164.312(c)(2) – Mechanism to Authenticate ePHI
• 45 CFR § 164.312(e)(2)(i) – Integrity Controls

Auditing Policies
1. Responsibility for auditing information system access and activity is assigned to GoMeyra’s Security Officer. The Security Officer shall:
• Assign the task of generating reports for audit activities to the workforce member responsible for the application, system, or network;
• Assign the task of reviewing the audit reports to the workforce member responsible for the application, system, or network, the Privacy Officer, or any other individual determined to be appropriate for the task;
• Organize and provide oversight to a team structure charged with audit compliance activities (e.g., parameters, frequency, sample sizes, report formats, evaluation, follow-up, etc.).
• All connections to GoMeyra are monitored. Access is limited to certain services, ports, and destinations. Exceptions to these rules, if created, are reviewed on an annual basis.

2. GoMeyra’s auditing processes shall address access and activity at the following levels. Auditing processes may address date and time of each log-on attempt, date and time of each log-off attempt, devices used, functions performed, etc.
• User: User level audit trails generally monitor and log all commands directly initiated by the user, all identification and authentication attempts, and data and services accessed.
• Application: Application level audit trails generally monitor and log all user activities, including data accessed and modified and specific actions.
• System: System level audit trails generally monitor and log user activities, applications accessed, and other system-defined specific actions. GoMeyra utilizes Google Cloud SQL. Cloud SQL data is encrypted when on Google’s internal networks and when stored in database tables, temporary files, and backups. Cloud SQL supports private connectivity with Virtual Private Cloud (VPC), and every Cloud SQL instance includes a network firewall, allowing control of public network access to the database instance.
• Network: Network level audit trails generally monitor information on what is operating, penetrations, and vulnerabilities. Custom triggers and alerts based on customer profiles are created and alerts are sent to the Security Team if there are anomalous traffic patterns detected.

3. GoMeyra shall log all incoming and outgoing traffic into and out of its environment. This includes all successful and failed attempts at data access and editing. Data associated with this traffic will include origin, destination, time, and other relevant details that are available to GoMeyra.

4. GoMeyra utilizes Cloud SQL. All data is encrypted when on Google’s internal networks and when stored in database tables, temporary files, and backups. Your data is automatically encrypted, and Cloud SQL is SSAE 16, ISO 27001, and PCI DSS compliant and supports HIPAA compliance.

5. GoMeyra leverages process monitoring tools throughout its environment.

6. GoMeyra uses the Google Cloud Platform, which provides a robust set of tools to ensure log file and audit log integrity.

7. GoMeyra shall identify “trigger events” or criteria that raise awareness of questionable conditions of viewing confidential information. The “events” may be applied to the entire GoMeyra system or may be specific to a Customer, partner, business associate, or application (see Listing of Potential Trigger Events below).

8. Logs are reviewed weekly by the Security Officer.

9. GoMeyra’s Security Officer and Privacy Officer are authorized to select and use auditing tools that are designed to detect network vulnerabilities and intrusions. Use of such tools by others, including Customers and Partners, is explicitly prohibited without the explicit authorization of the Security Officer. These tools may include, but are not limited to:
• Scanning tools and devices;
• Password cracking utilities;
• Network “sniffers”;
• Passive and active intrusion detection systems.

10. The process for review of audit logs, trails, and reports shall include:
• Description of the activity as well as rationale for performing the audit.
• Identification of which GoMeyra workforce members will be responsible for review (workforce members shall not review audit logs that pertain to their own system activity).
• Frequency of the auditing process.
• Determination of significant events requiring further review and follow-up.
• Identification of appropriate reporting channels for audit results and required follow-up.

11. Vulnerability testing software may be used to probe the network to identify what is running (e.g., operating system or product versions in place), whether publicly-known vulnerabilities have been corrected, and evaluate whether the system can withstand attacks aimed at circumventing security controls.
• Testing may be carried out internally or provided through an external third-party vendor. Whenever possible, a third-party auditing vendor should not be providing IT oversight services to the organization (e.g., vendors providing IT services should not be auditing their own services – separation of duties).
• Testing shall be done on a routine basis, currently monthly.

12. Software patches and updates will be applied to all systems in a timely manner. In the case of routine updates, they will be applied after thorough testing. In the case of updates to correct known vulnerabilities, priority will be given to testing to speed the time to production. Critical security patches are applied within 30 days from testing and all patches are applied within 90 days after testing.

Audit Requests
1. A request may be made for an audit for a specific cause. The request may come from a variety of sources including, but not limited to, Privacy Officer, Security Officer, Customer, or Partner.

2. A request for an audit for specific cause must include time frame, frequency, and nature of the request. The request must be reviewed and approved by GoMeyra’s Privacy or Security Officer.

3. A request for an audit must be approved by GoMeyra’s Privacy Officer and/or Security Officer before proceeding. Under no circumstances shall detailed audit information be shared with parties without proper permissions and access to see such data.
• Should the audit disclose that a workforce member has accessed ePHI inappropriately, the minimum necessary/least privileged information shall be shared with GoMeyra’s Security Officer to determine appropriate sanction/corrective disciplinary action.
• Only de-identified information shall be shared with Customer or Partner regarding the results of the investigative audit process. This information will be communicated to the appropriate personnel by GoMeyra’s Privacy Officer or designee. Prior to communicating with customers and partners regarding an audit, it is recommended that GoMeyra consider seeking risk management and/or legal counsel.

Review and Reporting of Audit Findings
1. Audit information that is routinely gathered must be reviewed in a timely manner, currently monthly, by the responsible workforce member(s).

2. The reporting process shall allow for meaningful communication of the audit findings to those workforce members, Customers, or Partners requesting the audit.
• Significant findings shall be reported immediately in a written format. GoMeyra’s security incident response form may be utilized to report a single event.
• Routine findings shall be reported to the sponsoring leadership structure in a written report format.

3. Reports of audit results shall be limited to internal use on a minimum necessary/need-to-know basis. Audit results shall not be disclosed externally without administrative and/or legal counsel approval.

4. Security audits constitute an internal, confidential monitoring practice that may be included in GoMeyra’s performance improvement activities and reporting. Care shall be taken to ensure that the results of the audits are disclosed to administrative level oversight structures only and that information which may further expose organizational risk is shared with extreme caution. Generic security audit information may be included in organizational reports (individually-identifiable ePHI shall not be included in the reports).

5. Whenever indicated through evaluation and reporting, appropriate corrective actions must be undertaken. These actions shall be documented and shared with the responsible workforce members, Customers, and/or Partners.

Auditing Customer and Partner Activity
1. Periodic monitoring of Customer and Partner activity shall be carried out to ensure that access and activity is appropriate for the privileges granted and necessary to the arrangement between GoMeyra and the third party. GoMeyra will make every effort to assure Customers and Partners do not gain access to data outside of their own Environments.

2. If it is determined that the Customer or Partner has exceeded the scope of access privileges, GoMeyra’s leadership must remedy the problem immediately.

3. If it is determined that a Customer or Partner has violated the terms of the HIPAA business associate agreement or any terms within the HIPAA regulations, GoMeyra must take immediate action to remediate the situation. Continued violations may result in discontinuation of the business relationship.

Audit Log Security Controls and Backup
1. Audit logs shall be protected from unauthorized access or modification, so the information they contain will be made available only if needed to evaluate a security incident or for routine audit activities as outlined in this policy.

2. All audit logs are encrypted in transit and at rest to control access to the content of the logs.

3. Audit logs shall be stored on a separate system to minimize the impact auditing may have on the privacy system and to prevent access to audit trails by those with system administrator privileges. This is done to apply the security principle of “separation of duties” to protect audit trails from hackers.

Workforce Training, Education, Awareness and Responsibilities
1. GoMeyra workforce members are provided training, education, and awareness on safeguarding the privacy and security of business and ePHI. GoMeyra’s commitment to auditing access and activity of the information applications, systems, and networks is communicated through new employee orientation, ongoing training opportunities and events, and applicable policies. GoMeyra workforce members are made aware of responsibilities with regard to privacy and security of information as well as applicable sanctions/corrective disciplinary actions should the auditing process detect a workforce member’s failure to comply with organizational policies.

2. GoMeyra Customers are provided with necessary information to understand GoMeyra auditing capabilities.

External Audits of Information Access and Activity
1. Prior to contracting with an external audit firm, GoMeyra shall:
• Outline the audit responsibility, authority, and accountability;
• Choose an audit firm that is independent of other organizational operations;
• Ensure technical competence of the audit firm staff;
• Require the audit firm’s adherence to applicable codes of professional ethics;
• Obtain a signed HIPAA business associate agreement;
• Assign organizational responsibility for supervision of the external audit firm.

Retention of Audit Data
1. Audit logs shall be maintained based on organizational needs. There is no standard or law addressing the retention of audit log/trail information. Retention of this information shall be based on:
• Organizational history and experience.
• Available storage space.
2. Reports summarizing audit activities shall be retained for a period of six years.
3. Log data is currently retained and readily accessible for a 1-month period. Beyond that, log data is available via cold backup.

Potential Trigger Events
High risk or problem prone incidents or events.
• Business associate, customer, or partner complaints.
• Known security vulnerabilities.
• Atypical patterns of activity.
• Failed authentication attempts.
• Remote access use and activity.
• Activity post termination.
• Random audits.

VII. Breach Policy
This policy provides guidance for breach notification when impermissible or unauthorized access, acquisition, use and/or disclosure of ePHI occurs. Breach notification will be carried out in compliance with the American Recovery and Reinvestment Act (ARRA)/Health Information Technology for Economic and Clinical Health Act (HITECH) as well as any other federal or state notification law.

The Federal Trade Commission (FTC) has published breach notification rules for vendors of personal health records as required by ARRA/HITECH. The FTC rule applies to entities not covered by HIPAA, primarily vendors of personal health records. The rule is effective September 24, 2009 with full compliance required by February 22, 2010.

The American Recovery and Reinvestment Act of 2009 (ARRA) was signed into law on February 17, 2009. Title XIII of ARRA is the Health Information Technology for Economic and Clinical Health Act (HITECH). HITECH significantly impacts the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. While HIPAA did not require notification when patient protected health information (PHI) was inappropriately disclosed, covered entities and business associates may have chosen to include notification as part of the mitigation process. HITECH does require notification of certain breaches of unsecured PHI to the following: individuals, the Department of Health and Human Services (HHS), and the media. The effective implementation date for this provision is September 23, 2009 (pending publication of HHS regulations).

In the case of a breach, GoMeyra shall notify all affected Customers. It is the responsibility of the Customers to notify affected individuals.

Applicable Standards from the Trust Services Criteria COSO Framework
• P6.0 Privacy Criteria Related to Disclosure and Notification
• CC9.1 – The entity identifies, selects, and develops risk mitigation activities for risks arising from potential business disruptions.

Applicable Standards from the HIPAA Security Rule
• Security Incident Procedures – 164.308(a)(6)(i)
• HITECH Notification in the Case of Breach – 13402(a) and 13402(b)
• HITECH Timeliness of Notification – 13402(d)(1)
• HITECH Content of Notification – 13402(f)(1)

GoMeyra Breach Policy
1. Discovery of Breach: A breach of ePHI shall be treated as “discovered” as of the first day on which such breach is known to the organization, or, by exercising reasonable diligence, would have been known to GoMeyra (this includes breaches by the organization’s Customers, Partners, or subcontractors). GoMeyra shall be deemed to have knowledge of a breach if such breach is known, or by exercising reasonable diligence would have been known, to any person, other than the person committing the breach, who is a workforce member or Partner of the organization. Following the discovery of a potential breach, the organization shall begin an investigation (see organizational policies for security incident response and/or risk management incident response) immediately, conduct a risk assessment, and, based on the results of the risk assessment, begin the process to notify each Customer affected by the breach. GoMeyra shall also begin the process of determining what external notifications are required or should be made (e.g., Secretary of the Department of Health & Human Services (HHS), media outlets, law enforcement officials, etc.).

2. Breach Investigation: The GoMeyra Security Officer shall name an individual to act as the investigator of the breach (e.g., privacy officer, security officer, risk manager, etc.). The investigator shall be responsible for the management of the breach investigation, completion of a risk assessment, and coordinating with others in the organization as appropriate (e.g., administration, security incident response team, human resources, risk management, public relations, legal counsel, etc.). The investigator shall be the key facilitator for all breach notification processes to the appropriate entities (e.g., HHS, media, law enforcement officials, etc.). All documentation related to the breach investigation, including the risk assessment, shall be retained for a minimum of six years.

3. Risk Assessment: For an acquisition, access, use or disclosure of ePHI to constitute a breach, it must constitute a violation of the HIPAA Privacy Rule. A use or disclosure of ePHI that is incident to an otherwise permissible use or disclosure, and that occurs despite reasonable safeguards and proper minimum necessary procedures, would not be a violation of the Privacy Rule and would not qualify as a potential breach. To determine if an impermissible use or disclosure of ePHI constitutes a breach and requires further notification, the organization will need to perform a risk assessment to determine if there is significant risk of harm to the individual as a result of the impermissible use or disclosure. The organization shall document the risk assessment as part of the investigation in the incident report form, noting the outcome of the risk assessment process. The organization has the burden of proof for demonstrating either that all notifications were made to the appropriate Customers or that the use or disclosure did not constitute a breach. Based on the outcome of the risk assessment, the organization will determine the need to move forward with breach notification. The risk assessment and the supporting documentation shall be fact specific and address:
• Consideration of who impermissibly used or to whom the information was impermissibly disclosed;
• The type and amount of ePHI involved;
• The cause of the breach, and the entity responsible for the breach, either Customer, GoMeyra, or Partner.
• The potential for significant risk of financial, reputational, or other harm.

4. Timeliness of Notification: Upon discovery of a breach, notice shall be made to the affected GoMeyra Customers no later than 24 hours after the discovery of the breach. It is the responsibility of the organization to demonstrate that all notifications were made as required, including evidence demonstrating the necessity of delay.

5. Delay of Notification Authorized for Law Enforcement Purposes: If a law enforcement official states to the organization that a notification, notice, or posting would impede a criminal investigation or cause damage to national security, the organization shall:
• If the statement is in writing and specifies the time for which a delay is required, delay such notification, notice, or posting for the time period specified by the official; or
• If the statement is made orally, document the statement, including the identity of the official making the statement, and delay the notification, notice, or posting temporarily and no longer than 30 days from the date of the oral statement, unless a written statement as described above is submitted during that time.

6. Content of the Notice: The notice shall be written in plain language and must contain the following information:
• A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known;
• A description of the types of unsecured protected health information that were involved in the breach (such as whether full name, Social Security number, date of birth, home address, account number, diagnosis, disability code or other types of information were involved), if known;
• Any steps the Customer should take to protect Customer data from potential harm resulting from the breach.
• A brief description of what GoMeyra is doing to investigate the breach, to mitigate harm to individuals and Customers, and to protect against further breaches.
• Contact procedures for individuals to ask questions or learn additional information, which may include a toll-free telephone number, an e-mail address, a web site, or postal address.

7. Methods of Notification: GoMeyra Customers will be notified via email and phone within the timeframe for reporting breaches, as outlined above.

8. Maintenance of Breach Information/Log: As described above and in addition to the reports created for each incident, GoMeyra shall maintain a process to record or log all breaches of unsecured ePHI regardless of the number of records and Customers affected. The following information should be collected/logged for each breach:
• A description of what happened, including the date of the breach, the date of the discovery of the breach, and the number of records and Customers affected, if known.
• A description of the types of unsecured protected health information that were involved in the breach (such as full name, Social Security number, date of birth, home address, account number, etc.), if known.
• A description of the action taken with regard to notification of patients regarding the breach.
• Resolution steps taken to mitigate the breach and prevent future occurrences.

9. Workforce Training: GoMeyra shall train all members of its workforce on the policies and procedures with respect to ePHI as necessary and appropriate for the members to carry out their job responsibilities. Workforce members shall also be trained as to how to identify and report breaches within the organization.

10. Complaints: GoMeyra must provide a process for individuals to make complaints concerning the organization’s patient privacy policies and procedures or its compliance with such policies and procedures.

11. Sanctions: The organization shall have in place and apply appropriate sanctions against members of its workforce, Customers, and Partners who fail to comply with privacy policies and procedures.

12. Retaliation/Waiver: GoMeyra may not intimidate, threaten, coerce, discriminate against, or take other retaliatory action against any individual for the exercise by the individual of any privacy right. The organization may not require individuals to waive their privacy rights as a condition of the provision of treatment, payment, enrollment in a health plan, or eligibility for benefits.

GoMeyra Customer Responsibilities
1. The GoMeyra Customer that accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses unsecured ePHI shall, without unreasonable delay and in no case later than 60 calendar days after discovery of a breach, notify GoMeyra of such breach. The Customer shall provide GoMeyra with the following information:
• A description of what happened, including the date of the breach, the date of the discovery of the breach, and the number of records and Customers affected, if known.
• A description of the types of unsecured protected health information that were involved in the breach (such as full name, Social Security number, date of birth, home address, account number, etc.), if known.
• A description of the action taken with regard to notification of patients regarding the breach.
• Resolution steps taken to mitigate the breach and prevent future occurrences.

2. Notice to Media: GoMeyra Customers are responsible for providing notice to prominent media outlets at the Customer’s discretion.

3. Notice to Secretary of HHS: GoMeyra Customers are responsible for providing notice to the Secretary of HHS at the Customer’s discretion.

Sample Letter to Customers in Case of Breach
[Date]
[Name here] [Address 1 Here] [Address 2 Here] [City, State Zip Code]
Dear [Name of Customer]:
I am writing to you from GoMeyra.com, Inc. with important information about a recent breach that affects your account with us. We became aware of this breach on [Insert Date] which occurred on or about [Insert Date]. The breach occurred as follows:
Describe the event and include the following information:
A. A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known.
B. A description of the types of unsecured protected health information that were involved in the breach (such as whether full name, Social Security number, date of birth, home address, account number, diagnosis, disability code or other types of information were involved), if known.
C. Any steps the Customer should take to protect themselves from potential harm resulting from the breach.
D. A brief description of what GoMeyra is doing to investigate the breach, to mitigate harm to individuals, and to protect against further breaches.
E. Contact procedures for individuals to ask questions or learn additional information, which includes a toll-free telephone number, an e-mail address, web site, or postal address.
Other Optional Considerations:
• Recommendations to assist customer in remedying the breach.
We will assist you in remedying the situation.
Sincerely,
Jaswant Tony, CEO — GoMeyra.com, tony@GoMeyra.com [PHONE NUMBER]

VIII. Configuration Management Policy
GoMeyra standardizes and automates configuration management using GitHub and proprietary code management tools, as well as documentation of all changes to production systems and networks. GoMeyra configures all systems according to established and tested policies, with all configurations adhering to and/or not disrupting the Disaster Recovery plan and/or process.

Applicable Standards from the Trust Services Criteria COSO Framework
• CC8.1 – The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives.

Applicable Standards from the HIPAA Security Rule
• 164.310(a)(2)(iii) Access Control & Validation Procedures

Configuration Management

1. Microsoft Web Deploy is used to standardize and automate configuration management. The Web Deployment Tool synchronizes sites, applications or servers across the IIS 8.0 server farm by detecting differences between the source and destination content and transferring only those changes which need synchronization. The tool simplifies the synchronization process by automatically determining the configuration, content, databases and certificates to be synchronized for a specific site. In addition to the default behavior, additional providers may be specified for the synchronization, including COM, GAC and registry settings.

2. All data in the Google Cloud Platform is instantly synchronized across multiple regions and all data at rest is encrypted. Any changes to data are monitored, recorded, and verified weekly by the Security Officer.

3. No systems are deployed into GoMeyra environments without approval of the GoMeyra Chief Architect and Security Officer.

4. All changes to production systems, network devices, and firewalls are approved by the GoMeyra Chief Architect before they are implemented. Additionally, all changes are tested before they are implemented in production.

5. An up-to-date inventory of systems is maintained using Google Cloud Platform dashboards. All systems are categorized as “Alpha”, “Beta”, “Demo”, “Staging”, and “Production” to differentiate based on criticality.

6. Clocks are synchronized across all systems using NTP. Modifying time data on systems is restricted and all timezones are set to GMT -0.

7. All front-end/customer facing functionality (developer dashboards and portals) is separated from backend (database and app servers) systems by using role based access to dynamically generated workflow views. Data is queried and compiled on a per-use, per-task basis.

8. All software and systems are tested using unit tests and end to end tests.

9. All committed code is reviewed using Microsoft Web Deploy to assure software code quality and proactively detect potential security issues in development.

10. GoMeyra utilizes Alpha and Beta development environments, as well as staging environments that mirror production, to assure proper function.

11. GoMeyra schedules production deployments every four weeks or on an as-needed basis. In all cases, all Customers are notified of production deployments at least 14 days in advance of deployment.

12. All formal change requests require unique ID and authentication.

13. All configuration changes to development, staging or production systems are logged and auditable.

IX. Data Integrity Policy
GoMeyra takes data integrity very seriously. As stewards and partners of our Customers, we strive to assure data is protected from unauthorized access and that it is available when needed. The following policies drive many of our procedures and technical settings in support of the GoMeyra mission of data protection.
Applicable Standards from the Trust Services Criteria COSO Framework
• CC7.1 – The entity uses detection and monitoring procedures
• CC7.2 – The entity monitors system components and the operation of those components
• CC7.3 – The entity evaluates security events to determine whether they could or have resulted in a failure of the entity to meet its objectives
• CC7.4 – The entity responds to identified security incidents by executing a defined incident-response program
• CC7.5 – The entity identifies, develops, and implements activities to recover from identified security incidents
Applicable Standards from the HIPAA Security Rule
• 164.308(a)(8) – Evaluation

Data integrity Policy
Production Systems that create, receive, store, or transmit customer data (hereafter “Production Systems”) and are not designated as “Alpha”, “Beta”, “Demo”, or “Staging” systems (see configuration_management_policy) must follow these guidelines.

Disabling non-essential services
• All Production Systems must disable services that are not required to achieve the business purpose or function of the system.
Monitoring Log-in Attempts
• All access to Production Systems must be logged. This is done following the GoMeyra Auditing Policy.
Prevention of malware on Production Systems
• All Production Systems are to only be used for GoMeyra business needs.
Patch Management
• Patches, application, and system OS versions are kept up to date at all times by the Google Cloud SQL platform. New versions are tested.
• Administrators subscribe to mailing lists to stay up to date on the current version of all GoMeyra-managed software on Production Systems.
Intrusion Detection and Vulnerability Scanning
• Production Systems are monitored using IDS systems. Suspicious activity is logged and alerts are generated.
• Vulnerability scanning of Production Systems must occur on a predetermined, regular basis, no less than annually. Currently it is weekly. Scans are reviewed by the Security Officer, with defined steps for risk mitigation, and retained for future reference.
Production System Security
• System, network, and server security is managed and maintained by the Chief Architect and the Security Officer.
• Up to date system lists and architecture diagrams are kept for all Production environments.
• Access to Production Systems is controlled using centralized tools and two-factor authentication.
Production Data Security
• Reduce the risk of compromise of Production Data.
• Implement and/or review controls designed to protect Production Data from improper alteration or destruction.
• Ensure that Confidential data is stored in a manner that supports user access logs and automated monitoring for potential security incidents.
• Ensure GoMeyra Customer Production Data is segmented and only accessible to the Customer authorized to access that data.
• All Production Data at rest is stored on encrypted volumes.
Transmission Security
• All data transmission is encrypted end to end. Encryption is not terminated at the network end point and is carried through to the application.
• Encryption keys and machines that generate keys are protected from unauthorized access.
• Encryption keys are limited to use for one year and then must be regenerated.
• In the case of GoMeyra provided APIs, mechanisms are in place to assure the person sending or receiving data is the authorized sender, saver, or receiver of the data.
• Systems log all transmissions of and access to Production Data. These logs must be available for audit.

X. Data Management Policy
GoMeyra has procedures to create and maintain retrievable exact copies of electronic protected health information (ePHI) stored in the GoMeyra service. The policy and procedures will assure that complete, accurate, retrievable, and tested backups are available for all systems used by GoMeyra.
Data backup is an important part of the day-to-day operations of GoMeyra. To protect the confidentiality, integrity, and availability of ePHI, both for GoMeyra and GoMeyra Customers, complete backups are performed daily to assure that data remains available when it’s needed and in case of disaster.
Violation of this policy and its procedures by workforce members may result in corrective disciplinary action, up to and including termination of employment.
Applicable Standards from the Trust Services Criteria COSO Framework
• CC6.1 – The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity’s objectives.
• CC6.2 – Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users whose access is administered by the entity.
• CC6.3 – The entity authorizes, modifies, or removes access to data, software, functions, and other protected information assets based on roles, responsibilities, or the system design and changes, giving consideration to the concepts of least privilege and segregation of duties, to meet the entity’s objectives.
• CC6.4 – The entity restricts physical access to facilities and protected information assets (for example, data center facilities, backup media storage, and other sensitive locations) to authorized personnel to meet the entity’s objectives.
• CC6.5 – The entity discontinues logical and physical protections over physical assets only after the ability to read or recover data and software from those assets has been diminished and is no longer required to meet the entity’s objectives.
• CC6.6 – The entity implements logical access security measures to protect against threats from sources outside its system boundaries.
• CC6.7 – The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity’s objectives.
• CC6.8 – The entity implements controls to prevent or detect and act upon the introduction of unauthorized or malicious software to meet the entity’s objectives

Applicable Standards from the HIPAA Security Rule
• 164.308(a)(7)(ii)(A) – Data Backup Plan
• 164.310(d)(2)(iii) – Accountability
• 164.310(d)(2)(iv) – Data Backup and Storage
Backup Policy and Procedures
1. Perform daily snapshot backups of all systems that process, store, or transmit ePHI for GoMeyra Customers.

2. The GoMeyra Ops Team, led by the Chief Architect, is designated to be in charge of backups.

3. Dev Ops Team members are trained and assigned to complete backups and manage the backup media.

4. Document backups, recording:
• Name of the system
• Date & time of backup
• Where the backup is stored (or to whom it was provided)

5. Securely encrypt stored backups in a manner that protects them from loss or environmental damage.

6. Test backups and document that files have been completely and accurately restored from the backup media.

XI. Data Retention Policy
Despite not being a requirement within HIPAA, GoMeyra understands and appreciates the importance of health data retention. Acting as a business associate, and at times a subcontractor, GoMeyra is not directly responsible for health and medical records retention as set forth by each state. Despite this, GoMeyra has created and implemented the following policy to make it easier for GoMeyra Customers to support data retention laws.

State Medical Record Laws
• Listing of state requirements for medical record retention
Data Retention Policy
• Current GoMeyra Customers have data stored by GoMeyra as a part of the GoMeyra Service.
• Once a Customer ceases to be a Customer, as defined below, the following steps are taken:
a. Customer is sent a notice via email of change of standing and given the option to reinstate account.
b. If no response to the notice in step a above within 7 days, or if Customer responds they do not want to reinstate account, Customer is sent directions for how to download their data from GoMeyra and/or to have GoMeyra continue to store the data at a rate of $50/month for up to 100GB. If there is more than 100GB of data, GoMeyra will work with Customer to determine storage costs.
c. If Customer downloads data or does not respond to notices from GoMeyra within 30 days, GoMeyra removes data from GoMeyra systems and Customer is sent notice of removal of data.

XII. Disaster Recovery Policy
The GoMeyra Contingency Plan establishes procedures to recover GoMeyra following a disruption resulting from a disaster. This Disaster Recovery Policy is maintained by the GoMeyra Security Officer and Privacy Officer.
The following objectives have been established for this plan:
1. Maximize the effectiveness of contingency operations through an established plan that consists of the following phases:
• Notification/Activation phase to detect and assess damage and to activate the plan;
• Recovery phase to restore temporary IT operations and recover damage done to the original system;
• Reconstitution phase to restore IT system processing capabilities to normal operations.
2. Identify the activities, resources, and procedures needed to carry out GoMeyra processing requirements during prolonged interruptions to normal operations.
3. Identify and define the impact of interruptions to GoMeyra systems.
4. Assign responsibilities to designated personnel and provide guidance for recovering GoMeyra during prolonged periods of interruption to normal operations.
5. Ensure coordination with other GoMeyra staff who will participate in the contingency planning strategies.
6. Ensure coordination with external points of contact and vendors who will participate in the contingency planning strategies.
This GoMeyra Contingency Plan has been developed as required under the Office of Management and Budget (OMB) Circular A-130, Management of Federal Information Resources, Appendix III, November 2000, and the Health Insurance Portability and Accountability Act (HIPAA) Final Security Rule, Section §164.308(a)(7), which requires the establishment and implementation of procedures for responding to events that damage systems containing electronic protected health information.

Disaster Recovery Policy
This GoMeyra Contingency Plan is created under the legislative requirements set forth in the Federal Information Security Management Act (FISMA) of 2002 and the guidelines established by the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-34, titled “Contingency Planning Guide for Information Technology Systems” dated June 2002.
The GoMeyra Contingency Plan also complies with the following federal and departmental policies:
• The Computer Security Act of 1987;
• OMB Circular A-130, Management of Federal Information Resources, Appendix III, November 2000;
• Federal Preparedness Circular (FPC) 65, Federal Executive Branch Continuity of Operations, July 1999;
• Presidential Decision Directive (PDD) 67, Enduring Constitutional Government and Continuity of Government Operations, October 1998;
• PDD 63, Critical Infrastructure Protection, May 1998;
• Federal Emergency Management Agency (FEMA), The Federal Response Plan (FRP), April 1999;
• Defense Authorization Act (Public Law 106-398), Title X, Subtitle G, “Government Information Security Reform,” October 30, 2000
Examples of the types of disasters that would initiate this plan are natural disasters, political disturbances, man-made disasters, external human threats, and internal malicious activities.
GoMeyra defines two categories of systems from a disaster recovery perspective.
1. Critical Systems. These systems host application servers and database servers or are required for functioning of systems that host application servers and database servers. These systems, if unavailable, affect the integrity of data and must be restored, or have a process begun to restore them, immediately upon becoming unavailable.
2. Non-critical Systems. These are all systems not considered critical by the definitions above. These systems, while they may affect the performance and overall security of critical systems, do not prevent Critical systems from functioning and being accessed appropriately. These systems are restored at a lower priority than critical systems.
Applicable Standards from the Trust Services Criteria COSO Framework
• 12.c – Developing and Implementing Continuity Plans Including Information Security
Applicable Standards from the HIPAA Security Rule
• 164.308(a)(7)(i) – Contingency Plan
Line of Succession
The following order of succession ensures that decision-making authority for the GoMeyra Contingency Plan is uninterrupted. The Chief Technology Officer (CTO) and Security Officer, Barry Wark, and Chief Architect, Rens Methratta, are responsible for ensuring the safety of personnel and the execution of procedures documented within this GoMeyra Contingency Plan. If the CTO and Chief Architect are unable to function as the overall authority or choose to delegate this responsibility to a successor, the CPO shall function as that authority. Should the contingency plan need to be initiated, use the contact list below to initiate contact.
• Jaswant Tony, CEO/CTO, Chief Architect: [7028463962], policy@GoMeyra.com
• Jaswant Tony, CCO/CPO: [7028463962], policy@GoMeyra.com

Responsibilities
The following teams have been developed and trained to respond to a contingency event affecting the IT system.
1. The Ops Team is responsible for recovery of the GoMeyra hosted environment, network devices, and all servers. Members of the team include personnel who are also responsible for the daily operations and maintenance of GoMeyra. The team leader is the Chief Architect and directs the Dev Ops Team.

2. The Web Services Team is responsible for assuring all application servers, and web services are working. It is also responsible for testing redeployments and assessing damage to the environment. The team leader is the Chief Architect and directs the Web Services Team.

Testing and Maintenance
The CTO and Chief Architect shall establish criteria for validation/testing of a Contingency Plan, an annual test schedule, and ensure implementation of the test. This process will also serve as training for personnel involved in the plan’s execution. At a minimum the Contingency Plan shall be tested annually (within 365 days). The types of validation/testing exercises include tabletop and technical testing. Contingency Plans for all application systems must be tested at a minimum using the tabletop testing process. However, if the application system Contingency Plan is included in the technical testing of its respective support systems, that technical test will satisfy the annual requirement.

Tabletop Testing
Tabletop Testing is conducted in accordance with the CMS Risk Management Handbook, Volume 2 (http://www.cms.gov/Research-Statistics-Data-and-Systems/CMS-Information-Technology/InformationSecurity/Downloads/RMH_VII_4-5_Contingency_Plan_Exercise.pdf). The primary objective of the tabletop test is to ensure designated personnel are knowledgeable and capable of performing the notification/activation requirements and procedures as outlined in the CP, in a timely manner. The exercises include, but are not limited to:
• Testing to validate the ability to respond to a crisis in a coordinated, timely, and effective manner, by simulating the occurrence of a specific crisis.
Technical Testing
The primary objective of the technical test is to ensure the communication processes and data storage and recovery processes can function at an alternate site to perform the functions and capabilities of the system within the designated requirements. Technical testing shall include, but is not limited to:
• Process from backup system at the alternate site;
• Restore system using backups; and
• Switch compute and storage resources to alternate processing site.
1. Notification and Activation Phase
This phase addresses the initial actions taken to detect and assess damage inflicted by a disruption to GoMeyra. Based on the assessment of the Event, sometimes according to the GoMeyra Incident Response Policy, the Contingency Plan may be activated by either the CTO or Chief Architect.
The notification sequence is listed below:
1. The first responder is to notify the CTO. All known information must be relayed to the CTO.

2. The Chief Architect is to contact the Web Services Team and inform them of the event. The CTO is to begin assessment procedures.

3. The CTO is to notify team members and direct them to complete the assessment procedures outlined below to determine the extent of damage and estimated recovery time. If damage assessment cannot be performed locally because of unsafe conditions, the CTO is to follow the steps below.
• Damage Assessment Procedures:
• The CTO and Chief Architect are to logically assess damage, gain insight into whether the infrastructure is salvageable, and begin to formulate a plan for recovery.
• Alternate Assessment Procedures:
• Upon notification from the CTO, the Chief Architect is to follow the procedures for damage assessment with combined DevOps and Web Services Teams.

4. The GoMeyra Contingency Plan is to be activated if one or more of the following criteria are met:
• GoMeyra will be unavailable for more than 48 hours.
• Hosting facility is damaged and will be unavailable for more than 24 hours.
• Other criteria, as appropriate and as defined by GoMeyra.

5. If the plan is to be activated, the CTO is to notify and inform team members of the details of the event and if relocation is required.
• Upon notification from the CTO, group leaders and managers are to notify their respective teams. Team members are to be informed of all applicable information and prepared to respond and relocate if necessary.
• The CTO is to notify the hosting facility partners that a contingency event has been declared and to ship the necessary materials (as determined by damage assessment) to the alternate site.
• The CTO is to notify remaining personnel and executive leadership on the general status of the incident.
• Notification can be message, email, or phone.
2. Recovery Phase
This section provides procedures for recovering the application at an alternate site, whereas other efforts are directed to repair damage to the original system and capabilities.
The following procedures are for recovering the GoMeyra infrastructure at the alternate site. Procedures are outlined per team required. Each procedure should be executed in the sequence it is presented to maintain efficient operations.
Recovery Goal: The goal is to rebuild GoMeyra infrastructure to a production state.
The tasks outlined below are not sequential and some can be run in parallel.
1. Contact Partners and Customers affected – Web Services
2. Assess damage to the environment – Web Services
3. Begin redistribution of package via Microsoft Web Deploy. – Dev Ops
4. Test new environment using pre-written tests – Web Services
5. Test logging, security, and alerting functionality – Dev Ops
6. Assure systems are appropriately patched and up to date. – Dev Ops
7. Deploy environment to production – Web Services
8. Update DNS to new environment. – Dev Ops

3. Reconstitution Phase
This section discusses activities necessary for restoring GoMeyra operations at the original or new site. The goal is to restore full operations within 24 hours of a disaster or outage. When the hosted data center at the original or new site has been restored, GoMeyra operations at the alternate site may be transitioned back. The goal is to provide a seamless transition of operations from the alternate site to the computer center.
1. Original or New Site Restoration
• Begin redistribution of package via Microsoft Web Deploy of new environment using automated and tested scripts. – Dev Ops
• Test new environment using pre-written tests. – Web Services
• Test logging, security, and alerting functionality. – Dev Ops
• Deploy environment to production – Web Services
• Assure systems are appropriately patched and up to date. – Dev Ops
• Update DNS to new environment. – Dev Ops
2. Plan Deactivation
If the GoMeyra environment is moved back to the original site from the alternative site, all hardware used at the alternate site should be handled and disposed of according to the GoMeyra Media Disposal Policy.

XIII. Disposable Media Policy
GoMeyra recognizes that media containing ePHI may be reused when appropriate steps are taken to ensure that all stored ePHI has been effectively rendered inaccessible. Destruction/disposal of ePHI shall be carried out in accordance with federal and state law. The schedule for destruction/disposal shall be suspended for ePHI involved in any open investigation, audit, or litigation.

GoMeyra utilizes dedicated hardware from Subcontractors. ePHI is only stored on SSD volumes in our hosted environment. All SSD volumes utilized by GoMeyra and GoMeyra Customers are encrypted. GoMeyra does not use, own, or manage any mobile devices, SD cards, or tapes that have access to ePHI.
Applicable Standards from the Trust Services Criteria COSO Framework
• P1.0 – Privacy Criteria Related to Notice and Communication of Objectives Related to Privacy
• P1.1 – The entity provides notice to data subjects about its privacy practices to meet the entity’s objectives related to privacy. The notice is updated and communicated to data subjects in a timely manner for changes to the entity’s privacy practices, including changes in the use of personal information, to meet the entity’s objectives related to privacy.
• P2.1 – The entity communicates choices available regarding the collection, use, retention, disclosure, and disposal of personal information to the data subjects and the consequences, if any, of each choice. Explicit consent for the collection, use, retention, disclosure, and disposal of personal information is obtained from data subjects or other authorized persons, if required. Such consent is obtained only for the intended purpose of the information to meet the entity’s objectives related to privacy. The entity’s basis for determining implicit consent for the collection, use, retention, disclosure, and disposal of personal information is documented.
• P4.0 – Privacy Criteria Related to Use, Retention, and Disposal
• P4.3 – The entity securely disposes of personal information to meet the entity’s objectives related to privacy.
• CC1.2 – The entity disposes of confidential information to meet the entity’s objectives related to confidentiality.
• CC3.3 – The entity considers the potential for fraud in assessing risks to the achievement of objectives.
• CC6.5 – The entity discontinues logical and physical protections over physical assets only after the ability to read or recover data and software from those assets has been diminished and is no longer required to meet the entity’s objectives.
Applicable Standards from the HIPAA Security Rule
• 164.310(d)(1) – Device and Media Controls
Disposable Media Policy
1. All removable media is restricted, audited, and is encrypted.
2. GoMeyra assumes all disposable media in its Platform may contain ePHI, so it treats all disposable media with the same protections and disposal policies.
3. All destruction/disposal of ePHI media will be done in accordance with federal and state laws and regulations and pursuant to the GoMeyra’s written retention policy/schedule. Records that have satisfied the period of retention will be destroyed/disposed of in an appropriate manner.
4. Records involved in any open investigation, audit or litigation should not be destroyed/disposed of. If notification is received that any of the above situations have occurred or there is the potential for such, the record retention schedule shall be suspended for these records until such time as the situation has been resolved. If the records have been requested in the course of a judicial or administrative hearing, a qualified protective order will be obtained to ensure that the records are returned to the organization or properly destroyed/disposed of by the requesting party.
5. Before reuse of any media, all ePHI is rendered inaccessible, cleaned, or scrubbed. All media is formatted to restrict future access.
6. All GoMeyra Subcontractors provide that, upon termination of the contract, they will return or destroy/dispose of all patient health information. In cases where the return or destruction/disposal is not feasible, the contract limits the use and disclosure of the information to the purposes that prevent its return or destruction/disposal.
7. Any media containing ePHI is disposed of using a method that ensures the ePHI could not be readily recovered or reconstructed.
8. The methods of destruction, disposal, and reuse are reassessed periodically, based on current technology, accepted practices, and availability of timely and cost-effective destruction, disposal, and reuse technologies and services.
9. In the case of a GoMeyra Customer terminating a contract with GoMeyra and no longer utilizing GoMeyra Services, the following actions will be taken depending on the GoMeyra Services in use. In all cases it is solely the responsibility of the GoMeyra Customer to maintain the safeguards required by HIPAA once the data is transmitted out of GoMeyra Systems.
• GoMeyra will provide the customer with 30 days from the date of termination to export data.
XIV. Employees Policy
GoMeyra is committed to ensuring all workforce members actively address security and compliance in their roles at GoMeyra. As such, training is imperative to assuring an understanding of current best practices, the different types and sensitivities of data, and the sanctions associated with non-compliance.
Applicable Standards from the Trust Services Criteria COSO Framework
• CC1.1 – The entity demonstrates a commitment to integrity and ethical values.
• CC1.4 – The entity demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.
• CC5.3 – The entity deploys control activities through policies that establish what is expected and in procedures that put policies into action.

Applicable Standards from the HIPAA Security Rule
• 164.308(a)(5)(i) – Security Awareness and Training
Employment Policies
1. All new workforce members, including contractors, are given training on security policies and procedures, including operations security, within 30 days of employment.
• Records of training are kept for all workforce members.
• Upon completion of training, a training record is recorded in GoMeyra’s organization training records.
• Ongoing security training is conducted monthly.
• Current GoMeyra training is hosted here.
2. All workforce members are granted access to formal organizational policies, which include the sanction policy for security violations.
3. The GoMeyra Employee Handbook clearly states the responsibilities and acceptable behavior regarding information system usage, including rules for email, Internet, mobile devices and social media usage.
4. GoMeyra does not allow mobile devices to be connected to any of its production networks.
5. All workforce members are educated about the approved set of tools to be installed on workstations.
6. All new workforce members are given HIPAA training within 60 days of beginning employment. Training includes HIPAA reporting requirements, including the ability to anonymously report security incidents, and the levels of compliance and obligations for GoMeyra and its Customers and Partners.
7. All remote (teleworking) workforce members are trained on the risks, the controls implemented, their responsibilities, and sanctions associated with violation of policies. Additionally, remote security is maintained through the use of VPN tunnels for all access to production systems with access to ePHI data.
8. All GoMeyra-purchased and owned computers are to display this message at login and when the computer is unlocked: This computer is owned by GoMeyra.com, Inc. By logging in, unlocking, and/or using this computer you acknowledge you have seen, and follow, these policies (https://GoMeyra.com/policies) and have completed this training (https://training.GoMeyra.com/). Please contact us if you have problems with this – privacy@GoMeyra.com.
9. Access to internal GoMeyra systems can be requested in writing or by email to the GoMeyra Security Officer. All requests for access must be granted by the GoMeyra Security Officer.
10. Request for modifications of access for any GoMeyra employee can be made by written or email request to the GoMeyra Security or Privacy Officer.
XV. Facility Access Policy
GoMeyra is completely cloud based and does not store any physical PII. Physical Access to all of GoMeyra facilities is limited to only those authorized in this policy. In an effort to safeguard ePHI from unauthorized access, tampering, and theft, access is allowed to areas only to those persons authorized to be in them and with escorts for unauthorized persons. All workforce members are responsible for reporting an incident of unauthorized visitor and/or unauthorized access to GoMeyra’s facility.
Of note, GoMeyra does not have direct read access to ePHI as it provides cloud-based, compliant applications to covered entities and business associates. GoMeyra administrators, with the Customer’s prior authorization and during maintenance and/or troubleshooting, may come in contact with ePHI. Every effort will be made according to the Breach Policy to notify the Customer of any infractions, at which time the Customer may notify the Patient if required. GoMeyra does not physically house any systems used by its Platform in GoMeyra facilities. Physical security of our Platform servers is outlined here.
Applicable Standards from the Trust Services Criteria COSO Framework
• CC6.1 – The entity implements controls to prevent or detect and act upon the introduction of unauthorized or malicious software to meet the entity’s objectives.
• CC6.2 – Protecting Against External and Environmental Threats
• CC6.3 – The entity authorizes, modifies, or removes access to data, software, functions, and other protected information assets based on roles, responsibilities, or the system design and changes, giving consideration to the concepts of least privilege and segregation of duties, to meet the entity’s objectives.
• CC6.4 – The entity restricts physical access to facilities and protected information assets (for example, data center facilities, backup media storage, and other sensitive locations) to authorized personnel to meet the entity’s objectives.
• CC6.5 – The entity discontinues logical and physical protections over physical assets only after the ability to read or recover data and software from those assets has been diminished and is no longer required to meet the entity’s objectives.
• CC6.6 – The entity implements logical access security measures to protect against threats from sources outside its system boundaries.
• CC6.7 – The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity’s objectives.
• CC6.8 – The entity implements controls to prevent or detect and act upon the introduction of unauthorized or malicious software to meet the entity’s objectives.
• CC9.2 – The entity assesses and manages risks associated with vendors and business partners.
Applicable Standards from the HIPAA Security Rule
• 164.310(a)(2)(ii) Facility Security Plan
• 164.310(a)(2)(iii) Access Control & Validation Procedures
• 164.310(b-c) Workstation Use & Security
GoMeyra-controlled Facility Access Policies
1. Visitor and third-party support access is recorded and supervised. All visitors are escorted.
2. Repairs are documented and the documentation is retained.
3. Fire extinguishers and detectors are installed according to applicable laws and regulations.
4. Maintenance is controlled and conducted by authorized personnel in accordance with supplier-recommended intervals, insurance policies and the organization’s maintenance program.
5. Electronic and physical media containing covered information is securely destroyed (or the information securely removed) prior to disposal.
6. The organization securely disposes of media containing sensitive information.
7. Physical access is restricted using locks and logs are kept that track all access.
• Restricted areas and facilities are locked when unattended (where feasible).
• Only authorized workforce members receive access to restricted areas (as determined by the Security Officer).
• Access and keys are revoked upon termination of workforce members.
• Workforce members must report a lost and/or stolen key(s) to the Security Officer.
• The Security Officer facilitates the changing of the lock(s) within 7 days of a key being reported lost/stolen.
8. Enforcement of Facility Access Policies
• Report violations of this policy to the restricted area’s department team leader, supervisor, manager, or director, or the Privacy Officer.
• Workforce members in violation of this policy are subject to disciplinary action, up to and including termination.
• Visitors in violation of this policy are subject to loss of vendor privileges and/or termination of services from GoMeyra.
9. Workstation Security
• Workstations may only be accessed and utilized by authorized workforce members to complete assigned job/contract responsibilities.
• All workforce members are required to monitor workstations and report unauthorized users and/or unauthorized attempts to access systems/applications as per the System Access Policy.
• All workstations purchased by GoMeyra are the property of GoMeyra and are distributed to users by the company.

XVI. HIPAA Mappings to GoMeyra Controls
Below is a list of HIPAA Safeguards and Requirements and the GoMeyra controls in place to meet those.
Administrative Controls (HIPAA Rule → GoMeyra Control)
Security Management Process – 164.308(a)(1)(i) → Risk Management Policy
Assigned Security Responsibility – 164.308(a)(2) → Roles Policy
Workforce Security – 164.308(a)(3)(i) → Employee Policies
Information Access Management – 164.308(a)(4)(i) → System Access Policy
Security Awareness and Training – 164.308(a)(5)(i) → Employee Policy
Security Incident Procedures – 164.308(a)(6)(i) → IDS Policy
Contingency Plan – 164.308(a)(7)(i) → Disaster Recovery Policy
Evaluation – 164.308(a)(8) → Auditing Policy

Physical Safeguards (HIPAA Rule → GoMeyra Control)
Facility Access Controls – 164.310(a)(1) → Facility and Disaster Recovery Policies
Workstation Use – 164.310(b) → System Access, Approved Tools, and Employee Policies
Workstation Security – 164.310(c) → System Access, Approved Tools, and Employee Policies
Device and Media Controls – 164.310(d)(1) → Disposable Media and Data Management Policies

Technical Safeguards (HIPAA Rule → GoMeyra Control)
Access Control – 164.312(a)(1) → System Access Policy
Audit Controls – 164.312(b) → Auditing Policy
Integrity – 164.312(c)(1) → System Access, Auditing, and IDS Policies
Person or Entity Authentication – 164.312(d) → System Access Policy
Transmission Security – 164.312(e)(1) → System Access and Data Management Policy

Organizational Requirements (HIPAA Rule → GoMeyra Control)
Business Associate Contracts or Other Arrangements – 164.314(a)(1)(i) → Business Associate Agreements and 3rd Parties Policies

Policies and Procedures and Documentation Requirements (HIPAA Rule → GoMeyra Control)
Policies and Procedures – 164.316(a) → Policy Management Policy
Documentation – 164.316(b)(1)(i) → Policy Management Policy

HITECH Act – Security Provisions (HIPAA Rule → GoMeyra Control)
Notification in the Case of Breach – 13402(a) and (b) → Breach Policy
Timeliness of Notification – 13402(d)(1) → Breach Policy
Content of Notification – 13402(f)(1) → Breach Policy

XVII. Intrusion Detection System Policy
In order to preserve the integrity of data that GoMeyra stores, processes, or transmits for Customers, GoMeyra enforces strong intrusion detection policies per customer via the Google Cloud Platform Alerts Dashboard. Each customer connection is proactively tracked, and each trigger is retroactively investigated for unauthorized access.
Applicable Standards from the Trust Services Criteria COSO Framework
• CC4.1 – The entity selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.
• CC4.2 – The entity evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.
• 10.h – Control of Operational Software
• CC6.6 – The entity implements logical access security measures to protect against threats from sources outside its system boundaries.
• CC6.8 – The entity implements controls to prevent or detect and act upon the introduction of unauthorized or malicious software to meet the entity’s objectives.
• CC7.1 – To meet its objectives, the entity uses detection and monitoring procedures to identify (1) changes to configurations that result in the introduction of new vulnerabilities, and (2) susceptibilities to newly discovered vulnerabilities.
• CC7.2 – The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity’s ability to meet its objectives; anomalies are analyzed to determine whether they represent security events.
• A1.2 – The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data backup processes, and recovery infrastructure to meet its objectives.
Applicable Standards from the HIPAA Security Rule
• 164.312(b) – Audit Controls
Intrusion Detection Policy
• The Google Cloud Platform Alerts Dashboard “GCPAD” is used to monitor and correlate log data from different systems on an ongoing basis. Reports generated by “GCPAD” are reviewed by the Security Officer on a monthly basis.
• GCPAD generates alerts to analyze and investigate suspicious activity or suspected violations.
• GCPAD monitors file system integrity and sends real time alerts when suspicious changes are made to the file system.
• Automatic monitoring is done to identify patterns that might signify the lack of availability of certain services and systems (DOS attacks).
• GoMeyra firewalls monitor all incoming traffic to detect potential denial of service attacks. Suspected attack sources are blocked automatically. Additionally, our hosting provider actively monitors its network to detect denial of service attacks.
• All new firewall rules and configuration changes are tested before being pushed into production. All firewall and router rules are reviewed every quarter.
• GoMeyra utilizes redundant firewalls on network perimeters.
• Static IP addresses are used for GoMeyra servers.

XVIII. Risk Management Policy
This policy establishes the scope, objectives, and procedures of GoMeyra’s information security risk management process. The risk management process is intended to support and protect the organization and its ability to fulfill its mission.
Applicable Standards from the Trust Services Criteria COSO Framework
• CC3.1 – The entity specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.
• CC3.2 – The entity identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.
• CC3.3 – The entity considers the potential for fraud in assessing risks to the achievement of objectives.
• CC3.4 – COSO Principle 9: The entity identifies and assesses changes that could significantly impact the system of internal control.
• CC5.1 – COSO Principle 10: The entity selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
• CC5.2 – COSO Principle 11: The entity also selects and develops general control activities over technology to support the achievement of objectives.
• CC5.3 – COSO Principle 12: The entity deploys control activities through policies that establish what is expected and in procedures that put policies into action.
• CC9.1 – The entity identifies, selects, and develops risk mitigation activities for risks arising from potential business disruptions.
• CC9.2 – The entity assesses and manages risks associated with vendors and business partners.
• 03.c – Risk Mitigation
Applicable Standards from the HIPAA Security Rule
• 164.308(a)(1)(ii)(A) – HIPAA Security Rule Risk Analysis
• 164.308(a)(1)(ii)(B) – HIPAA Security Rule Risk Management
• 164.308(a)(8) – HIPAA Security Rule Evaluation
Risk Management Policies
1. It is the policy of GoMeyra to conduct thorough and timely risk assessments of the potential threats and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI) (and other confidential and proprietary electronic information) it stores, transmits, and/or processes for its Customers, and to develop strategies to efficiently and effectively mitigate the risks identified in the assessment process, as an integral part of GoMeyra’s information security program.
2. Risk analysis and risk management are recognized as important components of GoMeyra’s corporate compliance program and information security program in accordance with the Risk Analysis and Risk Management implementation specifications within the Security Management standard and the evaluation standards set forth in the HIPAA Security Rule, 45 CFR 164.308(a)(1)(ii)(A), 164.308(a)(1)(ii)(B), 164.308(a)(1)(i), and 164.308(a)(8).
a. Risk assessments are done throughout product life cycles:
b. Before the integration of new system technologies and before changes are made to GoMeyra physical systems; safeguards and policies are in place to verify compatibility and adequate infrastructure.
• These changes do not include routine updates to existing systems, deployments of new systems created based on previously configured systems, deployments of new Customers, or new code developed for operations and management of the GoMeyra Platform.
c. While making changes to GoMeyra physical equipment and facilities that introduce new, untested configurations.
d. GoMeyra performs periodic technical and non-technical assessments of the security rule requirements as well as in response to environmental or operational changes affecting the security of ePHI.
3. GoMeyra implements security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to:
a. Ensure the confidentiality, integrity, and availability of all ePHI GoMeyra receives, maintains, processes, and/or transmits for its Customers;
b. Protect against any reasonably anticipated threats or hazards to the security or integrity of Customer ePHI;
c. Protect against any reasonably anticipated uses or disclosures of Customer ePHI that are not permitted or required; and
d. Ensure compliance by all workforce members.
4. Any risk remaining (residual) after other risk controls have been applied requires sign-off by senior management and GoMeyra’s Security Officer.
5. All GoMeyra workforce members are expected to fully cooperate with all persons charged with doing risk management work, including contractors and audit personnel. Any workforce member that violates this policy will be subject to disciplinary action based on the severity of the violation according to GoMeyra’s policies, as outlined in the GoMeyra Policy Management Policy.
6. The implementation, execution, and maintenance of the information security risk analysis and risk management process is the responsibility of GoMeyra’s Security Officer (or other designated employee), and the identified Risk Management Team.
7. All risk management efforts, including decisions made on what controls to put in place as well as those to not put into place, are documented and the documentation is maintained for six years.
Risk Management Procedures
Risk Assessment: The intent of completing a risk assessment is to determine potential threats and vulnerabilities and the likelihood and impact should they occur. The output of this process helps to identify appropriate controls for reducing or eliminating risk.
• Step 1. System Characterization
• The first step in assessing risk is to define the scope of the effort. To do this, identify where ePHI is received, maintained, processed, or transmitted. Using information-gathering techniques, the GoMeyra Platform boundaries are identified.
• Output – Characterization of the GoMeyra Platform system assessed, a good picture of the Platform environment, and delineation of Platform boundaries.
• Step 2. Threat Identification
• Potential threats (the potential for threat-sources to successfully exercise a particular vulnerability) are identified and documented. All potential threat-sources are identified through the review of historical incidents and data from intelligence agencies, the government, etc., to help generate a list of potential threats.
• Output – A threat list containing a list of threat-sources that could exploit Platform vulnerabilities.
• Step 3. Vulnerability Identification
• Develop a list of technical and non-technical Platform vulnerabilities that could be exploited or triggered by potential threat-sources. Vulnerabilities can range from incomplete or conflicting policies that govern an organization’s computer usage to insufficient safeguards to protect facilities that house computer equipment to any number of software, hardware, or other deficiencies that comprise an organization’s computer network.
• Output – A list of the Platform vulnerabilities (observations) that could be exercised by potential threat-sources.
• Step 4. Control Analysis
• Document and assess the effectiveness of technical and non-technical controls that have been or will be implemented by GoMeyra to minimize or eliminate the likelihood / probability of a threat-source exploiting a Platform vulnerability.
• Output – List of current or planned controls (policies, procedures, training, technical mechanisms, insurance, etc.) used for the Platform to mitigate the likelihood of a vulnerability being exercised and reduce the impact of such an adverse event.
• Step 5. Likelihood Determination
• Determine the overall likelihood rating that indicates the probability that a vulnerability could be exploited by a threat-source given the existing or planned security controls.
• Output – Likelihood rating of low (.1), medium (.5), or high (1). Refer to the NIST SP 800-30 definitions of low, medium, and high.
• Step 6. Impact Analysis
• Determine the level of adverse impact that would result from a threat successfully exploiting a vulnerability. Factors of the data and systems to consider should include the importance to GoMeyra’s mission; sensitivity and criticality (value or importance); costs associated; loss of confidentiality, integrity, and availability of systems and data.
• Output – Magnitude of impact rating of low (10), medium (50), or high (100). Refer to the NIST SP 800-30 definitions of low, medium, and high.
• Step 7. Risk Determination
• Establish a risk level. By multiplying the ratings from the likelihood determination and impact analysis, a risk level is determined. This represents the degree or level of risk to which an IT system, facility, or procedure might be exposed if a given vulnerability were exercised. The risk rating also presents actions that senior management must take for each risk level.
• Output – Risk level of low (1-10), medium (>10-50) or high (>50-100). Refer to the NIST SP 800-30 definitions of low, medium, and high.
• Step 8. Control Recommendations
• Identify controls that could reduce or eliminate the identified risks, as appropriate to the organization’s operations to an acceptable level. Factors to consider when developing controls may include effectiveness of recommended options (i.e., system compatibility), legislation and regulation, organizational policy, operational impact, and safety and reliability. Control recommendations provide input to the risk mitigation process, during which the recommended procedural and technical security controls are evaluated, prioritized, and implemented.
• Output – Recommendation of control(s) and alternative solutions to mitigate risk.
• Step 9. Results Documentation
• Results of the risk assessment are documented in an official report, spreadsheet, or briefing and provided to senior management to make decisions on policy, procedure, budget, and Platform operational and management changes.
• Output – A risk assessment report that describes the threats and vulnerabilities, measures the risk, and provides recommendations for control implementation.
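A worked run of Steps 5 through 7, as an added example that is not part of GoMeyra’s policy or tooling: it encodes the likelihood ratings, impact ratings and risk bands quoted above, produces the full nine-cell risk matrix (showing where the 10 and 50 boundaries fall), and ranks constructed threat/vulnerability pairs the way Risk Mitigation Step 1 expects. The names Pair, risk_matrix and determine_risk, and the sample pairs, are this example’s own assumptions.

```python
# Added example (not GoMeyra's own tooling): the NIST SP 800-30 style risk
# determination described in Risk Assessment Steps 5-7, using the page's
# likelihood ratings (.1/.5/1), impact ratings (10/50/100) and risk bands
# (low 1-10, medium >10-50, high >50-100). The threat/vulnerability pairs
# below are constructed sample input, not findings from a real assessment.
from dataclasses import dataclass

LIKELIHOOD = {"low": 0.1, "medium": 0.5, "high": 1.0}   # Step 5 ratings
IMPACT = {"low": 10, "medium": 50, "high": 100}         # Step 6 ratings


def risk_score(likelihood: str, impact: str) -> float:
    """Step 7: risk = likelihood rating x impact rating. Rounded so that
    float noise cannot push a boundary value such as 10 into the next band."""
    return round(LIKELIHOOD[likelihood] * IMPACT[impact], 2)


def risk_level(score: float) -> str:
    """Map a score onto the page's bands. The boundaries 10 and 50 belong to
    the lower band because medium and high are defined as '>10' and '>50'."""
    if not 1 <= score <= 100:
        raise ValueError(f"score {score} is outside the 1-100 range")
    if score <= 10:
        return "low"
    if score <= 50:
        return "medium"
    return "high"


def risk_matrix() -> dict:
    """All nine likelihood/impact combinations -> (score, level)."""
    matrix = {}
    for lk in LIKELIHOOD:
        for im in IMPACT:
            score = risk_score(lk, im)
            matrix[(lk, im)] = (score, risk_level(score))
    return matrix


@dataclass(frozen=True)
class Pair:
    """One threat-source / vulnerability pair (Steps 2-3) with the ratings
    assigned to it in Steps 5 and 6."""
    threat_source: str
    vulnerability: str
    likelihood: str
    impact: str


def determine_risk(pairs: list) -> list:
    """Step 7 for every pair, then Risk Mitigation Step 1: sort by risk in
    descending order so the pairs needing immediate attention come first."""
    rated = []
    for p in pairs:
        score = risk_score(p.likelihood, p.impact)
        rated.append({
            "threat_source": p.threat_source,
            "vulnerability": p.vulnerability,
            "score": score,
            "level": risk_level(score),
        })
    # sorted() is stable, so equally scored pairs keep their input order
    return sorted(rated, key=lambda r: r["score"], reverse=True)


# Constructed sample input for illustration only.
SAMPLE_PAIRS = [
    Pair("external attacker", "unpatched VPN gateway", "medium", "high"),
    Pair("insider", "shared database credential", "high", "high"),
    Pair("environmental", "single backup copy in one region", "low", "high"),
    Pair("visitor", "unescorted access to an office holding no ePHI", "low", "low"),
]

if __name__ == "__main__":
    for (lk, im), (score, level) in risk_matrix().items():
        print(f"likelihood={lk:<6} impact={im:<6} -> {score:>5} {level}")
    print()
    for row in determine_risk(SAMPLE_PAIRS):
        print(f'{row["level"]:>6} ({row["score"]:>5}) '
              f'{row["threat_source"]}: {row["vulnerability"]}')
```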
Risk Mitigation: Risk mitigation involves prioritizing, evaluating, and implementing the appropriate risk-reducing controls recommended from the Risk Assessment process to ensure the confidentiality, integrity and availability of GoMeyra Platform ePHI. Determination of appropriate controls to reduce risk is dependent upon the risk tolerance of the organization consistent with its goals and mission.
• Step 1. Prioritize Actions
• Using results from Step 7 of the Risk Assessment, sort the threat and vulnerability pairs according to their risk levels in descending order. This establishes a prioritized list of actions needing to be taken, with the pairs at the top of the list requiring the most immediate attention and top priority in allocating resources.
• Output – Actions ranked from high to low
• Step 2. Evaluate Recommended Control Options
• Although possible controls for each threat and vulnerability pair are arrived at in Step 8 of the Risk Assessment, review the recommended control(s) and alternative solutions for reasonableness and appropriateness. The feasibility (e.g., compatibility, user acceptance, etc.) and effectiveness (e.g., degree of protection and level of risk mitigation) of the recommended controls should be analyzed. In the end, select a “most appropriate” control option for each threat and vulnerability pair.
• Output – list of feasible controls
• Step 3. Conduct Cost-Benefit Analysis
• Determine the extent to which a control is cost-effective. Compare the benefit (e.g., risk reduction) of applying a control with its subsequent cost of application. Controls that are not cost-effective are also identified during this step. Analyzing each control or set of controls in this manner, and prioritizing across all controls being considered, can greatly aid in the decision-making process.
• Output – Documented cost-benefit analysis of either implementing or not implementing each specific control
• Step 4. Select Control(s)
• Taking into account the information and results from previous steps, GoMeyra’s mission, and other important criteria, the Risk Management Team determines the best control(s) for reducing risks to the information systems and to the confidentiality, integrity, and availability of ePHI. These controls may consist of a mix of administrative, physical, and/or technical safeguards.
• Output – Selected control(s)
• Step 5. Assign Responsibility
• Identify the workforce members with the skills necessary to implement each of the specific controls outlined in the previous step, and assign their responsibilities. Also identify the equipment, training and other resources needed for the successful implementation of controls. Resources may include time, money, equipment, etc.
• Output – List of resources, responsible persons and their assignments
• Step 6. Develop Safeguard Implementation Plan
• Develop an overall implementation or action plan and individual project plans needed to implement the safeguards and controls identified. The Implementation Plan should contain the following information:
• Each risk or vulnerability/threat pair and risk level;
• Prioritized actions;
• The recommended feasible control(s) for each identified risk;
• Required resources for implementation of selected controls;
• Team member responsible for implementation of each control;
• Start date for implementation
• Target date for completion of implementation;
• Maintenance requirements.
• The overall implementation plan provides a broad overview of the safeguard implementation, identifying important milestones and timeframes, resource requirements (staff and other individuals’ time, budget, etc.), interrelationships between projects, and any other relevant information. Regular status reporting of the plan, along with key metrics and success indicators should be reported to GoMeyra Senior Management.
• Individual project plans for safeguard implementation may be developed and contain detailed steps that assigned resources carry out to meet implementation timeframes and expectations. Additionally, consider including items in individual project plans such as a project scope, a list of deliverables, key assumptions, objectives, task completion dates and project requirements.
• Output – Safeguard Implementation Plan
• Step 7. Implement Selected Controls
• As controls are implemented, monitor the affected system(s) to verify that the implemented controls continue to meet expectations. Elimination of all risk is not practical. Depending on individual situations, implemented controls may lower a risk level but not completely eliminate the risk.
• Continually and consistently communicate expectations to all Risk Management Team members, as well as senior management and other key people throughout the risk mitigation process. Identify when new risks are identified and when controls lower or offset risk rather than eliminate it.
• Additional monitoring is especially crucial during times of major environmental changes, organizational or process changes, or major facilities changes.
• If risk reduction expectations are not met, then repeat all or a part of the risk management process so that additional controls needed to lower risk to an acceptable level can be identified.
• Output – Residual Risk documentation
Risk Management Schedule: The two principal components of the risk management process – risk assessment and risk mitigation – will be carried out according to the following schedule to ensure the continued adequacy and continuous improvement of GoMeyra’s information security program:
• Scheduled Basis – an overall risk assessment of GoMeyra’s information system infrastructure will be conducted annually. The assessment process should be completed in a timely fashion so that risk mitigation strategies can be determined and included in the corporate budgeting process.
• Throughout a System’s Development Life Cycle – from the time that a need for a new, untested information system configuration and/or application is identified through the time it is disposed of, ongoing assessments of the potential threats to a system and its vulnerabilities should be undertaken as a part of the maintenance of the system.
• As Needed – the Security Officer (or other designated employee) or Risk Management Team may call for a full or partial risk assessment in response to changes in business strategies, information technology, information sensitivity, threats, legal liabilities, or other significant factors that affect GoMeyra’s Platform.
Process Documentation
Maintain documentation of all risk assessment, risk management, and risk mitigation efforts for a minimum of six years.

XIX. Roles
GoMeyra has a Security Officer [164.308(a)(2)] and Privacy Officer [164.308(a)(2)] appointed to assist in maintaining and enforcing safeguards towards compliance. The responsibilities associated with these roles are outlined below.
Applicable Standards from the Trust Services Criteria COSO Framework
• CC2.2 – COSO Principle 14: The entity internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.
• CC3.2 – COSO Principle 7: The entity identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.
• CC6.3 – The entity authorizes, modifies, or removes access to data, software, functions, and other protected information assets based on roles, responsibilities, or the system design and changes, giving consideration to the concepts of least privilege and segregation of duties, to meet the entity’s objectives.
• CC7.4 – The entity responds to identified security incidents by executing a defined incident-response program to understand, contain, remediate, and communicate security incidents, as appropriate.

Applicable Standards from the HIPAA Security Rule
• 164.308(a)(2) – Assigned Security Responsibility
• 164.308(a)(5)(i) – Security Awareness and Training
Privacy Officer
The Privacy Officer is responsible for assisting with compliance and security training for workforce members, assuring the organization remains in compliance with evolving compliance rules, and helping the Security Officer in his responsibilities.
1. Provides annual training to all workforce members of established policies and procedures as necessary and appropriate to carry out their job functions, and documents the training provided.
2. Assists in the administration and oversight of business associate agreements.
3. Manages relationships with customers and partners as those relationships affect security and compliance of ePHI.
4. Assists the Security Officer as needed.
The current GoMeyra Privacy Officer is Winston Brasor (winston@GoMeyra.com).
Workforce Training Responsibilities
1. The Privacy Officer facilitates the training of all workforce members as follows:
a. New workforce members within their first month of employment;
b. Existing workforce members annually;
c. Existing workforce members whose functions are affected by a material change in the policies and procedures, within a month after the material change becomes effective;
d. Existing workforce members as needed due to changes in security and risk posture of GoMeyra.
2. The Security Officer or designee maintains documentation of the training session materials and attendees for a minimum of six years.
3. The training session focuses on, but is not limited to, the following subjects defined in GoMeyra’s security policies and procedures:
a. HIPAA Privacy, Security, and Breach notification rules;
b. HITRUST Common Security Framework;
c. NIST Security Rules;
d. Risk Management procedures and documentation;
e. Auditing. GoMeyra may monitor access and activities of all users;
f. Workstations may only be used to perform assigned job responsibilities;
g. Users may not download software onto GoMeyra’s workstations and/or systems without prior approval from the Security Officer;
h. Users are required to report malicious software to the Security Officer immediately;
i. Users are required to report unauthorized attempts, uses of, and theft of GoMeyra’s systems and/or workstations;
j. Users are required to report unauthorized access to facilities;
k. Users are required to report noted log-in discrepancies (e.g., the application states the user’s last log-in was on a date the user was on vacation);
l. Users may not alter ePHI maintained in a database, unless authorized to do so by a GoMeyra Customer;
m. Users are required to understand their role in GoMeyra’s contingency plan;
n. Users may not share their user names nor passwords with anyone;
o. Requirements for users to create and change passwords;
p. Users must set all applications that contain or transmit ePHI to automatically log off after “X” minutes of inactivity;
q. Supervisors are required to report terminations of workforce members and other outside users;
r. Supervisors are required to report a change in a user’s title, role, department, and/or location;
s. Procedures to backup ePHI;
t. Procedures to move and record movement of hardware and electronic media containing ePHI;
u. Procedures to dispose of discs, CDs, hard drives, and other media containing ePHI;
v. Procedures to re-use electronic media containing ePHI;
w. SSH key and sensitive document encryption procedures.
Security Officer
The Security Officer is responsible for facilitating the training and supervision of all workforce members [164.308(a)(3)(ii)(A) and 164.308(a)(5)(ii)(A)], investigation and sanctioning of any workforce member that is in violation of GoMeyra security policies and non-compliance with the security regulations [164.308(a)(1)(ii)(C)], and writing, implementing, and maintaining all policies, procedures, and documentation related to efforts toward security and compliance [164.316(a-b)].
The current GoMeyra Security Officer is Barry Wark (barry@GoMeyra.com).
Organizational Responsibilities
The Security Officer, in collaboration with the Privacy Officer, is responsible for facilitating the development, implementation, and oversight of all activities pertaining to GoMeyra’s efforts to be compliant with the HIPAA Security Regulations, HITRUST CSF, and any other security and compliance frameworks. The intent of the Security Officer Responsibilities is to maintain the confidentiality, integrity, and availability of ePHI. These organizational responsibilities include, but are not limited to the following:
1. Oversees and enforces all activities necessary to maintain compliance and verifies the activities are in alignment with the requirements.
2. Helps to establish and maintain written policies and procedures to comply with the Security Rule and maintains them for six years from the date of creation or the date it was last in effect, whichever is later.
3. Updates policies and procedures as necessary and appropriate to maintain compliance and maintains changes made for six years from the date of creation or date it was last in effect, whichever is later.
4. Facilitates audits to validate compliance efforts throughout the organization.
5. Documents all activities and assessments completed to maintain compliance and maintains documentation for six years from the date of creation or date it was last in effect, whichever is later.
6. Provides copies of the policies and procedures to management, customers, and partners, and has them available to review by all other workforce members to which they apply.
7. Annually, and as necessary, reviews and updates documentation to respond to environmental or operational changes affecting the security and risk posture of ePHI stored, transmitted, or processed within GoMeyra infrastructure.
8. Develops and provides periodic security updates and reminder communications for all workforce members.
9. Implements procedures for the authorization and/or supervision of workforce members who work with ePHI or in locations where it may be accessed.
10. Maintains a program encouraging workforce members to report non-compliance with policies and procedures.
a. Promptly, properly, and consistently investigates and addresses reported violations and takes steps to prevent recurrence.
b. Applies consistent and appropriate sanctions against workforce members who fail to comply with the security policies and procedures of GoMeyra.
c. Mitigates, to the extent practicable, any harmful effect known to GoMeyra of a use or disclosure of ePHI in violation of GoMeyra’s policies and procedures, even if the effect is the result of actions of GoMeyra business associates, customers, and/or partners.
11. Reports security efforts and incidents to administration immediately upon discovery. Responsibilities in the case of a known ePHI breach are documented in the GoMeyra Breach Policy.
12. The Security Officer facilitates the communication of security updates and reminders to all workforce members to which they pertain. Examples of security updates and reminders include, but are not limited to:
a. Latest malicious software or virus alerts;
b. GoMeyra’s requirement to report unauthorized attempts to access ePHI;
c. Changes in procedures for creating or changing passwords.
13. Additional security-focused training is provided to all workforce members by the Security Officer. This training includes, but is not limited to:
a. Data backup plans;
b. System auditing procedures;
c. Redundancy procedures;
d. Contingency plans;
e. Virus protection;
f. Patch management;
g. Media disposal and/or re-use;
h. Documentation requirements.


Supervision of Workforce Responsibilities


Although the Security Officer is responsible for implementing and overseeing all activities related to maintaining compliance, it is the responsibility of all workforce members (e.g. team leaders, supervisors, managers, directors, co-workers, etc.) to supervise all workforce members and any other user of GoMeyra’s systems, applications, servers, workstations, etc. that contain ePHI.
1. Monitor workstations and applications for unauthorized use, tampering, and theft and report non-compliance according to the Security Incident Response policy.
2. Assist the Security and Privacy Officers to ensure appropriate role-based access is provided to all users.
3. Take all reasonable steps to hire, retain, and promote workforce members and provide access to users who comply with the Security regulation and GoMeyra’s security policies and procedures.
Sanctions of Workforce Responsibilities
All workforce members report non-compliance with GoMeyra’s policies and procedures to the Security Officer or other individual as assigned by the Security Officer. Individuals that report violations in good faith may not be subjected to intimidation, threats, coercion, discrimination, or any other retaliatory action as a consequence.
1. The Security Officer promptly facilitates a thorough investigation of all reported violations of GoMeyra’s security policies and procedures. The Security Officer may request the assistance from others.
a. Review the audit trail/logs to identify and verify the violation and the sequence of events.
b. Interview any individual that may be aware of or involved in the incident.
c. All individuals are required to cooperate with the investigation process and provide factual information to those conducting the investigation.
d. Provide individuals suspected of non-compliance with the Security Rule and/or GoMeyra’s policies and procedures the opportunity to explain their actions.
e. The investigators thoroughly document the investigation as it occurs.
2. Violation of any security policy or procedure by workforce members may result in corrective disciplinary action, up to and including termination of employment. Violation of this policy and procedures by others, including business associates, customers, and partners may result in termination of the relationship and/or associated privileges. Violation may also result in civil and criminal penalties as determined by federal and state laws and regulations.
3. A violation resulting in a breach of confidentiality (e.g. release of PHI to an unauthorized individual), a change to the integrity of any ePHI, or an inability of other users to access any ePHI, requires immediate termination of the workforce member from GoMeyra.
4. The Security Officer facilitates taking appropriate steps to prevent recurrence of the violation (when possible and feasible).
5. In the case of an insider threat, the Security Officer and Privacy Officer are to set up a team to investigate and mitigate the risk of insider malicious activity. GoMeyra workforce members are encouraged to come forward with information about insider threats, and can do so anonymously.
6. The Security Officer maintains all documentation of the investigation, sanctions applied, and actions taken to prevent recurrence for a minimum of six years after the conclusion of the investigation.
XX. Systems Access Policy


Access to GoMeyra systems and applications by all users, including but not limited to workforce members, volunteers, business associates, contracted providers, consultants, and any other entity, is allowed only on a minimum necessary basis. All users are responsible for reporting any incident of unauthorized use of, or access to, the organization’s information systems. These safeguards have been established to address the HIPAA Security regulations, including the following:
Applicable Standards from the Trust Services Criteria COSO Framework
• CC6.1 – The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity’s objectives.
• CC6.6 – The entity implements logical access security measures to protect against threats from sources outside its system boundaries.
• CC6.7 – The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity’s objectives.
Applicable Standards from the HIPAA Security Rule
• 164.308(a)(4)(ii)(C) Access Establishment and Modification
• 164.308(a)(3)(ii)(B) Workforce Clearance Procedures
• 164.308(a)(4)(ii)(B) Access Authorization
• 164.312(d) Person or Entity Authentication
• 164.312(a)(2)(i) Unique User Identification
• 164.308(a)(5)(ii)(D) Password Management
• 164.312(a)(2)(iii) Automatic Logoff
• 164.310(b) Workstation Use
• 164.310(c) Workstation Security
• 164.308(a)(3)(ii)(C) Termination Procedures


Access Establishment and Modification
• Requests for access to GoMeyra Platform systems and applications are made formally to the Chief Architect, Privacy Officer, or Security Officer.
• Access is not granted until receipt, review, and approval by the GoMeyra Security Officer.
• The request for access is retained for future reference.
• All access to GoMeyra systems and services is reviewed and updated on a bi-annual basis to assure that the authorizations in place are commensurate with job functions.
• Any GoMeyra workforce member can request change of access by emailing the Security Officer.
• Access to systems is controlled using centralized user management and authentication. When possible, all authentication requests utilize two factor authentication using mobile devices as the second factor.
• Temporary accounts are not used unless absolutely necessary for business purposes.
• Accounts are reviewed every 90 days to assure temporary accounts are not left unnecessarily.
• Accounts that are inactive for over 90 days are removed.
• In the case of non-personal information, such as generic educational content, identification and authentication may not be required. It is the responsibility of GoMeyra Customers to define what qualifies, and not GoMeyra.
• Privileged users must first access systems using standard, unique user accounts before switching to a privileged account and performing privileged tasks.
• All application-to-application communication using service accounts is restricted and not permitted unless absolutely needed. Automated tools are used to limit account access across applications and systems.
• Generic accounts are not allowed on GoMeyra systems.
• In cases of increased risk or known attempted unauthorized access, immediate steps are taken by the Security and Privacy Officers to limit access and reduce the risk of unauthorized access.
• Direct system-to-system, system-to-application, and application-to-application authentication and authorization are limited and controlled to restrict access.


Workforce Clearance Procedures
• The level of access granted to a user on the organization’s information systems is based on the minimum necessary amount of data access required to carry out the legitimate job responsibilities assigned to the user’s job classification, and/or on the user needing access to carry out treatment, payment, or healthcare operations.
• All access requests are treated on a “least-access principle”.
• GoMeyra maintains a minimum necessary approach to access to Customer data. As such, GoMeyra.com, Inc., including all workforce members, does not readily have access to any ePHI.


Access Authorization
• Role based access categories for each GoMeyra system and application are pre-approved by the Security Officer or Chief Architect.
• GoMeyra utilizes hardware and software firewalls to segment data, prevent unauthorized access, and monitor traffic for denial of service attacks.
Person or Entity Authentication
• Each workforce member has and uses a unique user ID and password that identifies him/her as the user of the information system.
• Each Customer and Partner has and uses a unique user ID and password that identifies him/her as the user of the information system.


Unique User Identification


• Access to the GoMeyra Platform systems and applications is controlled by requiring unique User Login ID’s and passwords for each individual user and developer.
• Password requirements mandate strong password controls (see Password Management below).
• Passwords are not displayed at any time and are not transmitted or stored in plain text.
• Default accounts on all production systems, including root, are disabled.
• Shared accounts are not allowed within GoMeyra systems or networks.
Automatic Logoff
• Users are required to make information systems inaccessible to any other individual when left unattended (e.g. by using a password-protected screen saver or logging off the system).
• Information systems automatically log users off the systems after 10 minutes of inactivity.
• The Security Officer pre-approves exceptions to automatic log off requirements.
Employee Workstation Use
All workstations at GoMeyra are company owned, and all are Apple laptops running macOS.
• Workstations may not be used to engage in any activity that is illegal or is in violation of organization’s policies.
• Access may not be used for transmitting, retrieving, or storage of any communications of a discriminatory or harassing nature or materials that are obscene or “X-rated”. Harassment of any kind is prohibited. No messages with derogatory or inflammatory remarks about an individual’s race, age, disability, religion, national origin, physical attributes, sexual preference, or health condition shall be transmitted or maintained. No abusive, hostile, profane, or offensive language is to be transmitted through organization’s system.
• Information systems/applications also may not be used for any other purpose that is illegal, unethical, or against company policies or contrary to organization’s best interests. Messages containing information related to a lawsuit or investigation may not be sent without prior approval.
• Solicitation of non-company business, or any use of organization’s information systems/applications for personal gain is prohibited.
• Transmitted messages may not contain material that criticizes organization, its providers, its employees, or others.
• Users may not misrepresent, obscure, suppress, or replace another user’s identity in transmitted or stored messages.
• Workstation hard drives are encrypted using FileVault 2.
• All workstations have the host firewall enabled so that inbound access is blocked unless explicitly granted.
• All workstations are to have the following messages added to the lock screen and login screen: This computer is owned by GoMeyra.com, Inc.. By logging in, unlocking, and/or using this computer you acknowledge you have seen, and follow, these policies (https://policy.GoMeyra.com/) and have completed this training (https://training.GoMeyra.com/). Please contact us if you have problems with this – privacy@GoMeyra.com.


Wireless Access Use
• GoMeyra production systems are not accessible directly over wireless channels.
• Wireless access is disabled on all production systems.
• When accessing production systems via remote wireless connections, the same system access policies and procedures apply to wireless as to all other connections, including wired.
• Wireless networks managed within GoMeyra non-production facilities (offices, etc) are secured with the following configurations:
• All data in transit over wireless is encrypted using WPA2 encryption;
• SSIDs are not broadcast;
Employee Termination Procedures
• The Human Resources Department (or other designated department), users, and their supervisors are required to notify the Security Officer upon completion and/or termination of access needs and to facilitate completion of the “Termination Checklist”.
• The Human Resources Department, users, and supervisors are required to notify the IS Help Desk to terminate a user’s access rights if there is evidence or reason to believe any of the following (these incidents are also documented on an incident report, which is filed with the Privacy Officer):
• The user has been using their access rights inappropriately;
• A user’s password has been compromised (a new password may be provided to the user if the user is not identified as the individual compromising the original password);
• An unauthorized individual is utilizing a user’s User Login ID and password (a new password may be provided to the user if the user is not identified as providing the unauthorized individual with the User Login ID and password).
• The Security Officer will terminate users’ access rights immediately upon notification.
• The Security Officer audits and may terminate access of users that have not logged into organization’s information systems/applications for an extended period of time.


Paper Records
GoMeyra does not use paper records for any sensitive information. Use of paper for recording and storing sensitive data is against GoMeyra policies.


Password Management
• User IDs and passwords are used to control access to GoMeyra systems and may not be disclosed to anyone for any reason.
• Users may not allow anyone, for any reason, to have access to any information system using another user’s unique user ID and password.
• On all production systems and applications in the GoMeyra environment, password configurations are set to require a minimum password length of 8 characters, 90-day password expiration, account lockout after 5 invalid attempts, and lockout after 15 minutes of inactivity.
• All system and application passwords are generated on a per-user and limited time basis. Each information system automatically requires users to change passwords at a pre-determined interval as determined by the organization, based on the criticality and sensitivity of the ePHI contained within the network, system, application, and/or database.
• Passwords are inactivated immediately upon an employee’s termination (refer to the termination procedures in this policy).
• All default system, application, and Partner passwords are changed before deployment to production.
• All passwords used in configuration scripts are secured and encrypted.
• If a user believes their user ID has been compromised, they are required to immediately report the incident to the Security Officer.
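The following is an added example, not code from GoMeyra’s platform, showing one way an application gate could enforce the controls stated in this Password Management section and in Automatic Logoff above: the 8-character minimum, 90-day expiry, lockout after 5 invalid attempts, and ending a session after 10 minutes of inactivity. The thresholds are the policy’s; the salted PBKDF2 hashing (the policy only says passwords are never stored in plain text), the account and session data model, and the user names and event sequence are assumptions constructed for the illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
import hashlib
import hmac
import os

# Thresholds taken from the policy text above.
MIN_PASSWORD_LEN = 8
PASSWORD_MAX_AGE = timedelta(days=90)
MAX_FAILED_ATTEMPTS = 5
SESSION_IDLE_TIMEOUT = timedelta(minutes=10)
PBKDF2_ROUNDS = 100_000  # assumption: the policy only requires "not stored in plain text"


@dataclass
class Account:
    user_id: str
    salt: bytes
    pw_hash: bytes
    pw_set_at: datetime
    failed_attempts: int = 0
    locked: bool = False


def _derive(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256, so the verifier never stores or compares plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def password_meets_policy(password: str) -> bool:
    """Minimum length is the only strength rule the policy states; extend here as needed."""
    return len(password) >= MIN_PASSWORD_LEN


def create_account(user_id: str, password: str, now: datetime) -> Account:
    if not password_meets_policy(password):
        raise ValueError("password does not meet policy")
    salt = os.urandom(16)
    return Account(user_id, salt, _derive(password, salt), now)


def authenticate(acct: Account, password: str, now: datetime) -> str:
    """Return 'locked', 'denied', 'expired' or 'ok'.

    A locked account stays locked even for the correct password: per the policy
    it is the Security Officer, not the user, who restores access.
    """
    if acct.locked:
        return "locked"
    if not hmac.compare_digest(_derive(password, acct.salt), acct.pw_hash):
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked = True
            return "locked"
        return "denied"
    acct.failed_attempts = 0  # a successful login clears the failure counter
    if now - acct.pw_set_at >= PASSWORD_MAX_AGE:
        return "expired"  # caller must force a password change before granting access
    return "ok"


@dataclass
class Session:
    user_id: str
    last_activity: datetime
    active: bool = True


def touch(session: Session, now: datetime) -> bool:
    """Record activity. Returns False and ends the session if the idle timeout elapsed."""
    if not session.active:
        return False
    if now - session.last_activity > SESSION_IDLE_TIMEOUT:
        session.active = False
        return False
    session.last_activity = now
    return True


def run_demo() -> dict:
    """Constructed event sequence exercising each control; users and timestamps are made up."""
    t0 = datetime(2020, 10, 12, 9, 0)
    alice = create_account("alice", "correct-horse-battery", t0)
    # Five wrong guesses: four are simply denied, the fifth trips the lockout.
    attempts = [authenticate(alice, "wrong%d" % i, t0) for i in range(5)]
    after_lock = authenticate(alice, "correct-horse-battery", t0)

    bob = create_account("bob", "staple-staple-ok", t0)
    expired = authenticate(bob, "staple-staple-ok", t0 + timedelta(days=91))

    s = Session("alice", t0)
    session = [touch(s, t0 + timedelta(minutes=5)),    # 5 idle minutes: still active
               touch(s, t0 + timedelta(minutes=16))]   # 11 idle minutes: logged off
    return {"attempts": attempts, "after_lock": after_lock,
            "expired": expired, "session": session}


if __name__ == "__main__":
    print(run_demo())
```

The lockout deliberately does not self-clear after a timer, and an expired password returns a distinct result rather than "ok", so the caller cannot accidentally grant a session on a stale credential; both choices follow the policy’s rule that exceptions are approved by the Security Officer rather than by the user.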
XXI. Business Associate Agreement


Last updated: 10/12/2020


1. SERVICE.
GoMeyra.com, Inc. (GoMeyra or GoMeyra Cloud Application (GCA) or Business Associate) owns and operates the websites *.GoMeyra.com and *.labtests.com (collectively, the Site), the Platform and GoMeyra Laboratory Information Systems (GLIMS or the Service), which are accessed and used by its Customers and their Users to (among other things) organize, track and share scientific, technical and/or clinical data.
The following business associate agreement (BAA) explains GoMeyra’s obligations as a “business associate” under the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations, including the Standards for the Privacy of Individually Identifiable Health Information (Privacy Rule) (45 CFR Part 160 and Subparts A and E of Part 164) and the Security Standards for the Protection of Electronic Protected Health Information (Security Rule) (45 CFR Part 160 and Subparts A and C of Part 164), and the Health Information Technology for Economic and Clinical Health Act (Title XIII, Subtitle D) and its implementing regulations (HITECH) (together HIPAA), if applicable. This BAA supplements the other terms and conditions that apply between Customer and GoMeyra, which are detailed or referenced in the Terms of Service for GoMeyra Laboratory Information Systems “GLIMS”.
This BAA is intended to ensure that Business Associate and Customer will establish and implement appropriate safeguards where Business Associate may receive, create, maintain, use or disclose electronic or other “protected health information” as such term is defined under HIPAA (PHI), provided PHI is understood to mean only the PHI that Business Associate creates, receives, maintains or transmits in connection with the functions, activities and services that Business Associate performs on behalf of Customer solely to perform its duties and responsibilities under the Services Agreement (the GCA).
2. APPLICABILITY.
Customer and Business Associate agree that this BAA applies solely with respect to PHI that Business Associate creates, receives, accesses, uses, maintains or discloses in connection with performing the GLIMS Services; it does not apply to other information, including information that would meet the definition of PHI, that Business Associate may create, receive, access, use, maintain or disclose outside of performing the GCA Services.
3. DEFINITIONS.
• Analytics means statistics, metrics, abstractions, rules, models, collections, combinations and other analyses that are based on or derived from the GCA Services or Service Data (including without limitation, measurements of GCA Service usage and performance), which are developed in a manner that does not disclose the identity of Customer, any User or any individual identified in the Service Data and that does not disclose any Service Data except in a de-identified (in accordance with 45 CFR §164.514(a)-(c)) or aggregated form (combined with other data, results or measurements).
• Individual shall have the same meaning as the term “individual” in 45 CFR §160.103 and shall include a person who qualifies as a personal representative in accordance with 45 CFR §164.502(g).
• Required By Law shall have the same meaning as the term “required by law” in 45 CFR §164.103.
• Services Agreement shall mean the Contract between GoMeyra and Customer, taken together with the Terms of Service.
• User means each of the named individuals who is specifically identified by Customer for onboarding and use of the GCA Services under Customer’s Account.
• Capitalized terms used but not defined herein have the meanings assigned to them in the Terms of Service or HIPAA, as the case may be.
4. PERMITTED AND REQUIRED USES AND DISCLOSURES.
a. Service Offerings. Business Associate may use or disclose PHI in connection with the performance of the GCA Services if such use or disclosure of PHI would not violate HIPAA if done by Customer or if such use or disclosure is expressly permitted under this BAA or the Services Agreement.
b. Administration and Management of GCA Services. Business Associate may use or disclose PHI received by Business Associate in its capacity as “business associate” of Customer for the proper management and administration of Business Associate. Any such disclosure of PHI shall only be made if Business Associate obtains reasonable assurances from the person to whom the PHI is disclosed that: (1) the PHI will be held confidentially and used or further disclosed only as required by law or for the purpose for which it was disclosed to the person; (2) Business Associate will be notified by such person of any instances of which it becomes aware in which the confidentiality of the PHI has been breached; and (3) the person will provide Business Associate appropriate notice and opportunity to object before disclosing PHI on the basis that such disclosure is required by law.
c. Disclosures Required By Law. Business Associate may only use or disclose PHI on the basis that such disclosure is required by law after notifying Customer’s Privacy Officer or his/her designee to allow an opportunity to object to the disclosure and to seek appropriate relief. If Customer objects to such disclosure, Business Associate shall, to the extent legally permitted, refrain from disclosing the PHI until Customer has exhausted all alternatives for relief. However, if Business Associate is unable to notify Customer for reasons beyond Business Associate’s control, Business Associate may disclose PHI on the basis that such disclosure is required by law so long as Business Associate provides immediate notice to Customer’s Privacy Officer or his/her designee following the disclosure.
d. Disclosure to Subcontractors. Business Associate shall ensure that any subcontractors that create, receive, maintain or transmit PHI on behalf of Business Associate agree, in a writing that complies with the requirements of 45 CFR §164.504(e)(2) through (e)(4), to be bound by the same restrictions and conditions that apply to Business Associate under this BAA with respect to such PHI, including, without limitation, implementing reasonable and appropriate safeguards to protect it.


e. Data Aggregation. To the extent permitted by the Services Agreement, or as otherwise expressly agreed to in writing by Customer, Business Associate may use and disclose PHI for data aggregation purposes, however, only in order to analyze data for permitted health care operations of Customer, and only to the extent that such use is permitted under HIPAA.


5. OBLIGATIONS OF BUSINESS ASSOCIATE.


a. Limit on Uses and Disclosures. Business Associate will use and disclose PHI only as permitted by this BAA or as Required by Law. If Customer notifies Business Associate that Customer has agreed to be bound by additional restrictions on the uses or disclosures of PHI pursuant to HIPAA, Business Associate and Customer shall mutually agree on the extent to which Business Associate will be bound by such additional restrictions and Business Associate shall not disclose PHI in violation of such additional mutually agreed upon restrictions.


b. Safeguards. Business Associate will use reasonable and appropriate safeguards to prevent Use or Disclosure of PHI other than as provided for by this BAA, consistent with the requirements of Subpart C of 45 CFR Part 164 (with respect to Electronic PHI) as determined by Business Associate.


c. Reporting of Impermissible Uses and Disclosures. Business Associate will report to Customer any Use or Disclosure of PHI not permitted or required by this BAA of which Business Associate becomes aware.


d. Reporting of Security Incidents. Business Associate will report to Customer no less than fourteen (14) business days from the date Business Associate becomes aware of any Security Incidents involving PHI in which there is a successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an Information System in a manner that risks the confidentiality, integrity, or availability of such information. Notice is hereby deemed provided, and no further notice will be provided, for unsuccessful attempts at such unauthorized access, use, disclosure, modification, or destruction, such as pings and other broadcast attacks on a firewall, denial of service attacks, port scans, unsuccessful login attempts, or interception of encrypted information where the key is not compromised, or any combination of the above.


e. Reporting of Breaches. Business Associate will report to Customer any Breach of Customer’s Unsecured PHI that Business Associate may discover to the extent required by 45 CFR §164.410. Business Associate will make such report without unreasonable delay, and in no case later than four (4) hours after discovery by Business Associate of such Breach. Business Associate undertakes no obligation to report network security related incidents which occur on its managed network but do not directly involve Customer’s use of the GCA Services.


f. Accounting of Disclosures. Business Associate will make available to Customer the information required to provide an accounting of Disclosures in accordance with 45 CFR §164.528 of which Business Associate is aware, if requested by Customer.


g. Internal Records. Business Associate will make its internal practices, books, and records relating to the Use and Disclosure of PHI available to the Secretary of the U.S. Department of Health and Human Services for purposes of determining Customer compliance with HIPAA. Nothing in this section will waive any applicable privilege or protection, including with respect to trade secrets and confidential commercial information.


6. CUSTOMER’S OBLIGATIONS.
a. Appropriate Use of HIPAA Accounts. At all times, Customer will comply with the Privacy Rules, Security Rules and other applicable laws and regulations. By way of illustration and not limitation, Customer is responsible for implementing appropriate privacy and security safeguards in order to protect PHI in compliance with HIPAA and this BAA and Customer shall not include PHI in any GCA Services that are not or cannot be HIPAA compliant.


b. Necessary Consents. Customer warrants that it has obtained all necessary authorizations, consents, and other permissions from the Individuals (or their personal representatives), in the form and to the extent required by the Privacy Rules, that may be required under applicable law for Business Associate to use and disclose their PHI in the manner and for the purposes described in this BAA and the Services Agreement. Customer will promptly notify Business Associate of any changes in, or withdrawal of, such written permission provided to Customer by Individuals or their personal representatives, including without limitation revocations of authorizations pursuant to 45 CFR §164.508. Customer will also promptly notify Business Associate of any restrictions to the use and disclosure of PHI that Customer has agreed to in accordance with 45 CFR §164.522, to the extent that such restrictions affect Business Associate’s use or disclosure of PHI.


c. Restrictions on Disclosures. Customer shall not agree to any request for restrictions or place any restrictions in any notice of its privacy practices that would cause Business Associate to violate this BAA, the Services Agreement or any applicable law.


d. Compliance with HIPAA. Customer shall not request or cause Business Associate to make a Use or Disclosure of PHI in a manner that does not comply with this BAA, the Services Agreement, HIPAA or any other applicable law.


e. Privacy Practices. Customer will provide Business Associate with a copy of the notice of privacy practices that it provides to Individuals (or their personal representatives) who are the subject of the PHI.


f. Identity of Users. The GCA Services include means by which Customer’s Users may be permitted to import, export, review and exchange PHI. Therefore, Customer shall implement and comply with reasonable policies and methods to confirm and verify the actual identity of Users that will be registered to access and use the GCA Services under its Account.


7. TERM AND TERMINATION.
a. Term. The term of this BAA will commence on the BAA Effective Date and will remain in effect until the termination of the Contract.


b. Effect of Termination. At termination of this BAA, Business Associate, if feasible, will return or destroy all PHI that Business Associate still maintains in its role as Business Associate for the purposes of carrying out the GCA Services, if any. If return or destruction is not feasible, Business Associate will extend the protections of this BAA to the PHI, limit further uses and disclosures to those purposes that make the return of the PHI infeasible, and make no further use or disclosure of PHI.


c. Account Access. If Customer requests contemporaneously with any termination event or notice, Business Associate will allow Customer to have access to Customer’s Account for a reasonable period of time following termination as necessary for Customer to retrieve or delete any PHI at its then current monthly recurring rate; provided, however, that if the security of Customer’s servers has been compromised, or the Services Agreement was terminated by Customer’s failure to use reasonable security precautions, Business Associate may: (i) provide Customer with restricted access via a dedicated or private link or tunnel to Customer Account or (ii) refuse to allow Customer to have access to Customer’s Account but will use reasonable efforts to copy Service Data onto media Customer provides to Business Associate, and will ship the media to Customer at Customer’s risk and expense. Business Associate’s efforts to copy Service Data onto Customer-supplied media shall be billable as an Additional Service at Business Associate’s then current hourly rates.


d. De-identification. Customer owns all rights, title and interests in and to its Service Data, including, without limitation, PHI. Notwithstanding anything to the contrary herein, Business Associate may de-identify PHI, such that any resulting information does not disclose any individually identifiable information, except in de-identified (in accordance with 45 CFR § 164.514(a)-(c)) or aggregated form (combined with other data, results or measurements) (Converted Data). Customer shall own all rights, title and interests in and to such Converted Data.


Upon de-identification (as described in the immediately preceding paragraph), Business Associate shall deliver Converted Data to Customer, and Customer shall own all rights, title, and interests in and to Converted Data, subject to the license granted by Customer and each of its Users to Business Associate hereunder.


Business Associate may use Converted Data under the following license, which is granted by Customer to Business Associate. Customer and each User hereby grants and agrees to grant an exclusive, irrevocable, perpetual, worldwide, royalty-free, right and license: (i) to freely access, copy, store, process, distribute, transmit and display Converted Data; (ii) to use and disclose Converted Data for Business Associate’s business purposes; (iii) to copy, store, process and use such Converted Data to develop, improve, extend and test the Platform and GCA Services; and (iv) to copy, store, process and use Converted Data to design, develop, distribute, commercialize and use Analytics.


Business Associate’s rights and license to use Converted Data shall be exclusive, except that Customer may use Converted Data solely for its internal business purposes. Unless and only to the extent expressly agreed otherwise by Business Associate and Customer in writing, Customer shall not be entitled to any revenue, royalties, or other compensation for Business Associate’s own use or disclosure of such Converted Data.


For the avoidance of doubt, Analytics shall not be understood to be the same as or overlap with Converted Data; Customer owns all rights, title and interests in and to Converted Data, and Business Associate owns and retains all rights, title and interests (including without limitation, patent rights, copyright rights, trade secret rights and trademark rights) in and to the Analytics.


8. MISCELLANEOUS.
a. Amendment. Customer and Business Associate agree to take such action as is reasonably necessary to amend this BAA from time to time as is necessary for either party to comply with the requirements of the Privacy Rule and related laws and regulations.
b. Survival. Customer and Business Associate’s respective rights and obligations under Sections 7(b) – (d) of this BAA shall survive the termination of the Services Agreement.


c. Interpretation. Any ambiguity in the Services Agreement shall be resolved to permit Business Associate and the Customer to comply with HIPAA and the Privacy Rule.


d. Entire Agreement. This BAA constitutes the entire agreement, and supersedes all prior negotiations, understandings or agreements (oral or written), between the parties regarding the subject matter hereof. All notices under this BAA will be in writing and delivered to the parties at their respective addresses as provided in the Services Agreement. Neither party shall be liable for any delay or failure in performing its obligations hereunder that arises out of any cause, condition or circumstance beyond its reasonable control. Nothing in this BAA confers upon any person other than the parties (and their respective successors and permitted assigns) any rights, remedies, obligations or liabilities whatsoever.


XXII. Terms of Service – Application Use


GoMeyra Laboratory Information Management Systems


Last updated: 10/12/2020


1. TERMS OF SERVICE
Thank you for choosing GoMeyra Cloud Applications (“GCA”) and GoMeyra Laboratory Information System (“GLIMS”).
Acceptance. GoMeyra.com, Inc. (GoMeyra or GoMeyra Cloud Applications “GCA”) owns and operates the websites *.GoMeyra.com and *.labtests.com (collectively, the Site) and the Platform and GoMeyra Laboratory Information Systems (GLIMS or the Service, as defined below). Your access to the Site and Platform and all other use of the Service is subject to acceptance without modification of all of the terms and conditions contained herein (Terms of Service). The Terms of Service shall also be deemed to include all other operating rules, conditions, policies and procedures that are referred to below or that may otherwise be published or implemented by GoMeyra, from time to time, within the Platform (collectively, Policies), including without limitation, the Privacy Policy and Business Associate Agreement.


IF YOU ARE ACCESSING THE PLATFORM AND USING THE SERVICE ON BEHALF OF, FOR THE BENEFIT OF OR UNDER AN ACCOUNT ESTABLISHED BY ANY CUSTOMER, THEN YOU ACKNOWLEDGE AND AGREE THAT: YOU ARE ALSO BOUND BY ALL OTHER TERMS AND CONDITIONS THAT ARE APPLICABLE TO THAT CUSTOMER (WHETHER SET FORTH IN THESE TERMS OF SERVICE OR IN ANY CONTRACT BETWEEN THAT CUSTOMER AND GOMEYRA); AND THAT IT IS YOUR RESPONSIBILITY TO IDENTIFY, UNDERSTAND AND COMPLY WITH ALL SUCH OTHER TERMS AND CONDITIONS.


IF YOU DO NOT AGREE TO ALL OF THESE TERMS OF SERVICE, OR IF YOU ARE NOT ELIGIBLE OR AUTHORIZED TO AGREE TO THESE TERMS OF SERVICE, THEN DO NOT REGISTER FOR, DOWNLOAD, ACCESS OR USE THE SERVICE. DOWNLOADING ANY APP, COMPLETING OUR REGISTRATION PROCESS OR OTHERWISE ACCESSING OR USING THE PLATFORM OR ANY OTHER PART OF THE SERVICE WILL CONSTITUTE ACCEPTANCE OF, AND CREATE A LEGALLY ENFORCEABLE CONTRACT UNDER WHICH YOU AGREE TO BE BOUND BY, ALL OF THE TERMS OF SERVICE, WITHOUT MODIFICATION.


Updates. GoMeyra reserves the right, at its sole discretion, to update, modify or replace the Terms of Service (including any Policy), in whole or in part, at any time. GoMeyra will use reasonable efforts to notify you of any material change in advance of the effective date of any change. Change notices may be communicated by postings via the Platform, email or otherwise. In any case, you should periodically check the Policies and other Terms of Service for changes. Continued access or use of the Service following any change to the Terms of Service constitutes your acceptance of those changes. The Terms of Service may not otherwise be amended, as they apply to you, except by a written agreement executed by you and GoMeyra. GoMeyra may modify, suspend or terminate the Service (including without limitation, access to the Platform), in whole or in part, at any time. In the event that GoMeyra suspends or terminates the Service, GoMeyra will use commercially reasonable efforts to continue to operate the Service in its native form (Native Operational Window) for a reasonable period of time (not to exceed 6 months) in an effort to provide you with time to plan your transition away from the Service.


Eligibility. The Service is intended by GoMeyra to be made available only to Users who are at least 18 years old or the age of majority in your jurisdiction, whichever age is older. If you do not qualify, then you are prohibited from accessing, registering for, uploading, downloading or using any aspect of the Service. GoMeyra will not collect personally identifiable information from any person who is actually known to us to be under the age of 13. For the avoidance of doubt, Service Data (as defined below) may include information about individuals under the age of 13. If we become aware that a person under 13 has provided personally identifiable information, GoMeyra will take steps to remove such information and terminate that individual’s account, access and use of the Service. GoMeyra may refuse to offer or continue offering the Service to any person or entity, and may change its eligibility criteria from time to time.


2. DEFINITIONS

Analytics means statistics, metrics, abstractions, rules, models, collections, combinations and other analyses that are based on or derived from the Service or Service Data (including without limitation, measurements of Service usage and performance), which are developed in a manner that does not disclose the identity of Customer, any User or any individual identified in the Service Data and that does not disclose any Service Data except in a de-identified (in accordance with 45 CFR §164.514(a)-(c)) or aggregated form (combined with other data, results or measurements).


Business Associate means a “business associate,” as such term is defined under HIPAA.


Contract means the sales quotation, proposal, order form, sales confirmation or other similar writing provided by GoMeyra or its authorized distributor (as the case may be) that describes the Service, term and prices being offered to Customer, whichever is most current (or the corresponding invoice, if no such other writing exists).


Covered Entity means a “covered entity,” as such term is defined under HIPAA.


Customer means any laboratory, company, or other organization or entity that has entered into an agreement with GoMeyra to establish an account to use and pay for the Service.


Deliverable means any work product that is delivered to Customer, and which results from Work performed by GoMeyra.
Feedback means ideas, assessments, suggestions and other feedback related to the function or performance of the Platform, Service and other GoMeyra IP (including performance and benchmarking results related to the Service).


HIPAA means the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations, including the Standards for the Privacy of Individually Identifiable Health Information (Privacy Rule) (45 CFR Part 160 and Subparts A and E of Part 164) and the Security Standards for the Protection of Electronic Protected Health Information (Security Rule) (45 CFR Part 160 and Subparts A and C of Part 164), and the Health Information Technology for Economic and Clinical Health Act (Title XIII, Subtitle D) and its implementing regulations (HITECH).


GoMeyra IP means the Site, Platform, Service, Analytics, Deliverables, GoMeyra Confidential Information, access credentials and all other Service-related documentation, data, know-how and information provided by GoMeyra.


PHI means electronic and other “protected health information,” as such term is defined under HIPAA; provided PHI is understood to mean only the PHI that GoMeyra creates, receives, maintains or transmits in providing the Service or Work for Customer.
Platform means the technology platform developed and/or used by GoMeyra in providing the Service (including all related ideas, concepts, inventions, systems, hardware, software, interfaces, dashboards, tools, utilities, content, templates, forms, samples, techniques, methods, processes, algorithms, know-how, trade secrets and other technologies, implementations and information), and all corrections, improvements and extensions thereto.


Results means the charts, graphs, data, messages, reports and similar work products, if any, that are generated by GoMeyra, which are based on Service Data and displayed, delivered or otherwise made available to Customer or Users as a result of using the Service.
Service means GoMeyra’s application for laboratory, information, and data management (commonly referred to as a laboratory information management system) that is made available under these Terms of Service, as such application may be hosted in a cloud environment, branded and provided on a software-as-a-service basis from time to time by GoMeyra. Among other things, the Service permits Customer and its Users to organize, track and share scientific, technical and/or clinical data. GoMeyra may use online hosting services (such as, for example, Google Cloud Services) in connection with providing the Service (including without limitation, for the purposes of processing and storing Service Data).


Service Data means non-public information and data, including, without limitation, PHI, provided by or collected or learned from Customer and Users in connection with their use of the Service (including without limitation, scientific, technical and clinical data, and files and metadata).


Statement of Work means any written work statement that references these Terms of Service and that is acceptable to and executed by Customer and GoMeyra, and which will include other information related to the Work (as the term is defined in Section 3) (such as, for example, task descriptions, schedules and payments).


Third Party Data means Service Data that is received from another User.


User means each of the named individuals who is specifically identified by Customer for onboarding and use of the Service under Customer’s Account.


3. SERVICE
License. So long as the Service is provided to Customer and subject to compliance with all Terms of Service, GoMeyra will make the Service available to Customer and hereby grants to Customer a nonexclusive right and license: to access and use the Service through a web-based interface; and to permit identified Users to do the same under its Account. The GoMeyra IP may be used only in unmodified form and solely for research and scientific purposes, clinical sample management and workflow management and Customer’s internal business purposes (which may include providing clinical laboratory services to third parties). Customer’s and Users’ access and use of the GoMeyra IP shall comply with all other conditions that may be set forth in these Terms of Service or the Contract (such as, for example, restrictions regarding the number or identity of authorized Users, data formats, size limits, time limits or prohibited uses). From time to time, Customer and Users may (at their discretion) provide Feedback to GoMeyra.


Account. GoMeyra will provide Customer with access credentials (and/or a mechanism that permits Customer to specify access credentials) as needed to identify, authorize and designate roles for Users who will have rights (as appropriate to their roles) to establish, administer, configure, manage and use the Service through a Customer-specific account (Account). Customer and Users are responsible for maintaining the confidentiality of all Account information (including access credentials). Customer agrees to be liable for all activities under its Account. Customer and Users agree to keep all Account information up-to-date and to notify GoMeyra immediately of any unauthorized use of their Account. Customer shall promptly notify GoMeyra of Users who are no longer permitted to access and use the Service under Customer’s Account. Customer shall implement and comply with reasonable policies and methods to confirm and verify the actual identity of Users that will be registered to access and use the Service under its Account.
Resources. As between the parties, Customer and Users are responsible for ensuring the accuracy and completeness of Service Data that they provide, and for acquiring all: (a) consents, authorizations, permissions and other rights necessary for GoMeyra to receive, access, copy, store, process, distribute, transmit, display and use Service Data as provided in these Terms of Service; (b) servers, storage, software, databases, network and communications systems and services needed by Customer and Users to access, manage and use the Service, Service Data and Results; and (c) backup, recovery, network security and maintenance services for Customer’s and Users’ internal systems (collectively, the Customer Resources).


Sharing Service Data. Using the Service, Users may share Service Data with other Users, and other Users may share Third Party Data. GoMeyra does not review the substance of Service Data, Third Party Data or communications via the Service and does not control the use of Service Data that has been shared with other Users. Authentication of the true identity of Internet users is difficult, and so GoMeyra cannot and does not confirm that any User is the person or entity who they claim to be. Accordingly, GoMeyra makes no representation or warranty, and assumes no liability, regarding the accuracy, quality, integrity, legality, reliability or appropriateness of any Third Party Data. Customer and its Users agree to assume all risk and liability arising from (a) sharing their own Service Data (including any further distribution or use for an unintended purpose) and (b) using Third Party Data (including all results that are generated using Third Party Data).


Support Services. Using commercially reasonable efforts, GoMeyra will: assist Customer to access, configure, verify and commence User operation of the Service under its Account; provide ongoing technical support for the Service (telephone, email or web-based), in accordance with its standard practices during normal business hours; and endeavor to analyze and resolve material errors. GoMeyra has no obligation to operate or support any version of the Service other than the then current version. GoMeyra may charge Customer in accordance with its then current policies for support services that result from problems, errors or inquiries related to the Service Data or Customer Resources.


Additional Services. From time to time, Customer may request and GoMeyra may agree to provide certain additional implementation, integration, data analysis, development, training or other professional services related to the Service (Work). GoMeyra agrees to undertake and use commercially reasonable efforts to complete the Work as described in the corresponding Statement of Work. GoMeyra grants Customer a nonexclusive, nontransferable right and license (without right to sublicense) to use the resulting Deliverables solely in conjunction with authorized use of the Service, subject to the terms of these Terms of Service and other rights or restrictions set forth in the Statement of Work.


Third Party Services. Certain applications, platforms and services provided by third parties (collectively, Third Party Services) may be accessed from the Service. Third Party Services are not operated or controlled by GoMeyra, and GoMeyra shall not be responsible for the availability, accuracy or any other aspect of the content or function of Third Party Services. Additional or different terms and conditions (including without limitation, privacy and security practices) apply to the use of Third Party Services, and Customer and each User hereby agrees to comply with such terms and conditions when using Third Party Services.


Compliance. If the Service is being used in connection with Customer’s provision of clinical laboratory Services, then Customer, Users and GoMeyra agree to comply with all federal, state and local laws, regulations and rules (including without limitation, HIPAA, the Physician Self-Referral Law (42 USC 1395nn), the federal Medicare/Medicaid Anti-Kickback Law and regulations promulgated thereunder). Without limiting the generality of the foregoing, it is neither a purpose nor requirement of these Terms of Service, the Contract or any other agreement between the parties to offer or receive any remuneration or benefit of any nature, to solicit, require, induce or encourage the referral of any patient, payment of which may be made in whole or in part by Medicare or Medicaid. No payment made or received under these Terms of Service is in return for the referral of patients or in return for the purchasing, leasing, ordering or arranging for or recommending the purchasing, leasing or ordering of any good, service, item or product for which payment may be made in whole or in part under Medicare or Medicaid.


Service Data Processing. GoMeyra may de-identify Service Data such that any resulting information does not disclose any individually identifiable information, except in a de-identified form (including de-identified PHI, in accordance with 45 CFR § 164.514(a)-(c)) or aggregated form (combined with other data, results or measurements) (Converted Data). GoMeyra shall then deliver such Converted Data to Customer, and Customer shall own all rights, title, and interest in and to the Converted Data that GoMeyra delivers, subject to the license granted to GoMeyra under Section 6.


4. PAYMENTS
Fees. Customer shall pay GoMeyra the fees described in the Contract and each Statement of Work, in the amounts and at the times set forth therein, and as otherwise stated in these Terms of Service. Fees may be specified as being payable in advance or in arrears; fees may be fixed, contingent or variable (e.g., depending on usage factors or per sample charges); and fees may be specified on a recurring basis (e.g., subscription fees and/or usage fees, which may be payable monthly, quarterly or annually) or non-recurring basis (e.g., one-time activation fees).


Recurring Fees. Recurring fees (e.g., subscription fees and/or usage fees) must be paid by an automatic payment method (credit card or ACH bank transfer). Generally, recurring fees will be billed monthly, in arrears. Customer will receive notice (by email) of all recurring fees (whether from GoMeyra or from a partner of GoMeyra) for the current billing period by the third business day of the following month. If Customer does not dispute the charges within 15 calendar days, then GoMeyra will process the automatic payment. Customer hereby accepts all credit card charges that comply with these Terms of Service.
Payment Terms. Unless specified otherwise, all amounts due hereunder shall be paid in full (without deduction, set-off or counterclaim) within 30 days after invoice in US dollars at GoMeyra’s address or to an account specified by GoMeyra. Past due amounts shall bear a late payment charge, until paid, at the rate of 1.0% per month or the maximum amount permitted by law, whichever is less. If any payment is past due, GoMeyra shall have the right to take whatever action it deems appropriate (including without limitation, disabling the Account, suspending User access to the Service, requiring payment in advance or terminating the Contract pursuant to Section 10). Customer agrees to reimburse GoMeyra for all costs (including attorneys’ fees) incurred in collecting late payments.
Taxes. All payments required by these Terms of Service are exclusive of federal, state, local and foreign taxes, duties, tariffs, levies, withholdings and similar assessments (including without limitation, sales taxes, use taxes and value added taxes), and Customer agrees to bear and be responsible for the payment of all such charges, excluding taxes based upon GoMeyra’s net income. All amounts due hereunder shall be grossed-up for any withholding taxes imposed by any foreign government. If Customer claims exemption from any tax, then it shall furnish GoMeyra with a valid tax exemption certificate issued by or acceptable to the applicable taxing jurisdiction or entity.


5. CONFIDENTIALITY
Scope. The term Confidential Information means all trade secrets, know-how, inventions, software and other financial, business, scientific, clinical or technical information and data disclosed by or for a party in connection with using or providing the Service. The restrictions on use and disclosure of Confidential Information will not apply to any information or data that the receiving party can demonstrate is (a) rightfully furnished to it without restriction by a third party, (b) generally available to the public without breach of these Terms of Service or (c) independently developed by it without reliance on such information or data. For clarity, all Service Data will be treated as Customer’s or User’s Confidential Information, and all Feedback, GoMeyra IP and pricing information will be treated as GoMeyra’s Confidential Information.


Confidentiality. Except for the specific rights granted by these Terms of Service, and except for disclosures that are necessary to comply with any legal, regulatory, law enforcement or similar requirement or investigation, the receiving party shall not access, reproduce, use or disclose any of the other party’s Confidential Information without its written consent, and shall use reasonable care to protect the other’s Confidential Information from unauthorized access, use and disclosure (including by ensuring that its personnel who access any Confidential Information have a need to know for the permitted purpose and are bound by written obligations that are at least as protective as these Terms of Service). Each party shall be responsible for any breach of confidentiality by its personnel (including Users, in the case of Customer). Promptly after any termination (or at the disclosing party’s request at any other time), the receiving party shall, unless otherwise agreed, return all of the other’s tangible Confidential Information, erase Confidential Information from any storage media and destroy information, records and materials developed therefrom (except Confidential Information stored in accordance with automated backup procedures in the ordinary course of business). Each party may disclose only the general nature, but not the specific terms, of any Contract without the prior consent of the other party; provided, Customer or GoMeyra may provide a copy of the Contract or otherwise disclose its terms in connection with any legal or regulatory requirement, audit, financing transaction or due diligence inquiry.


PHI. If and only if (a) Customer is a Covered Entity, (b) Customer notifies GoMeyra in writing that all or any part of the Service Data constitutes PHI and (c) GoMeyra qualifies as a Business Associate of Customer as a result of the Service and/or Work provided hereunder, then the terms and conditions in the Business Associate Agreement shall apply as of the date all such conditions are met (BAA Effective Date). Otherwise, the Business Associate Agreement shall not have any force or effect.
Compelled Disclosures. These restrictions will not prevent either party from complying with any law, regulation, court order, demand by law enforcement or other legal requirement or investigation that purports to compel disclosure of any Service Data or other Confidential Information. The receiving party will promptly notify the disclosing party upon learning of any such legal requirement, and cooperate with the disclosing party in the exercise of its right to protect the confidentiality of the Confidential Information before any tribunal or governmental agency.


6. PROPRIETARY RIGHTS
Customer and Users. Customer and each User hereby grants GoMeyra a nonexclusive, royalty-free, worldwide right and license: to access, copy, store, process, distribute, transmit, display and use their Service Data to generate Results and otherwise to provide the Service to Customer and all Users under Customer’s Account; to copy, store, process and use Service Data to develop, improve, extend and test the Platform and Service; and to design, develop, distribute, commercialize and use Analytics in a manner that does not disclose the identity of Customer, any User or any individual identified in the Service Data. Customer and each User hereby grants and agrees to grant an irrevocable, perpetual, worldwide, royalty-free, right and license: (i) to freely access, copy, store, process, distribute, transmit and display Converted Data; (ii) to use and disclose Converted Data for GoMeyra’s business purposes; (iii) to copy, store, process and use Converted Data to develop, improve, extend and test the Platform and Service; and (iv) to copy, store, process and use Converted Data to design, develop, distribute, commercialize and use Analytics. GoMeyra’s rights and license to use the Converted Data shall be exclusive, except that Customer may use the Converted Data solely for its internal business purposes. Customer and each applicable User hereby grants to GoMeyra all necessary permissions (including without limitation, any permission required under HIPAA) for GoMeyra to engage and work with trusted third parties to provide the Service, and Customer and each applicable User hereby agrees to secure any necessary third party permissions and individual authorizations.
Except for the foregoing, no other right, license or option is granted, no other use is permitted and Customer or the applicable User (as the case may be) owns and retains all rights, title and interests (including without limitation, patent rights, copyright rights, trade secret rights and trademark rights) in and to the Results, Service Data, and Converted Data. Unless and only to the extent expressly agreed otherwise by GoMeyra and Customer in writing, Customer shall not be entitled to any revenue, royalties, or other compensation for GoMeyra’s own use or disclosure of Converted Data. For the avoidance of doubt, Analytics shall not be understood to be the same as or overlap with Converted Data, as GoMeyra owns and retains all rights, title and interests (including without limitation, patent rights, copyright rights, trade secret rights and trademark rights) in and to the Analytics, and Customer owns and retains all rights, title and interests to Converted Data.
GoMeyra. Except for the limited rights and licenses expressly granted hereunder, no other right, license or option is granted, no other use is permitted and (as between the parties) GoMeyra owns and retains all rights, title and interests (including without limitation, patent rights, copyright rights, trade secret rights and trademark rights) in and to the GoMeyra IP. Customer agrees that GoMeyra is free to use the Feedback, and all generalized knowledge, expertise, know-how and technologies related to or acquired in providing the Service, in any manner for all purposes (including developing new or improved products and services).
Restrictions. Customer and Users shall not, directly or indirectly (a) use any of GoMeyra’s Confidential Information to create any software, platform, service or documentation that is similar to any of the GoMeyra IP, (b) attempt to access any Platform component or to disassemble, decompile, reverse engineer or use any other means to discover any source code or underlying organization, structures, ideas or algorithms within the Platform (except and only to the extent these restrictions are expressly prohibited by applicable statutory law) or to circumvent any technological measure that controls access thereto, (c) encumber, sublicense, distribute, transfer, rent, lease, lend, access or use any GoMeyra IP in any time-share, service bureau or similar arrangement, (d) copy, adapt, combine, create derivative works of, translate, localize, port or otherwise modify any GoMeyra IP, (e) use or allow the transmission, transfer, export, re-export or other transfer of any product, technology or information it obtains or learns using the Service (or any direct product thereof) in violation of any export control or other laws and regulations of the United States or any other relevant jurisdiction or (f) permit any third party to do any of the foregoing.
Third Party Software. The Platform may interface, inter-operate, link or be delivered with or include software or other technology (In-Licensed Code) that is licensed from and owned by third parties (In-Licensors), the use of which may be subject to additional or different terms set forth in the applicable open source or proprietary license (In-License). Customer and each User unconditionally agrees that the In-Licensors (a) make no representation or warranty concerning the In-Licensed Code or GoMeyra IP, (b) have no obligation or liability as a result of these Terms of Service and (c) are intended third party beneficiaries of these Terms of Service in respect of their respective In-Licensed Code. Upon specific written request received prior to the third anniversary of Acceptance, GoMeyra will make available the source code for In-Licensed Code, but only if doing so is required by the applicable In-License.
7. LIMITED WARRANTIES AND DISCLAIMERS
Customer and Users. Customer and each User warrants to GoMeyra that the access, transfer, collection, processing, distribution and use of Service Data and Converted Data as described in these Terms of Service complies with and will not violate applicable laws, regulations, rules or proprietary rights (including without limitation, professional and scientific standards, copyrights and rights regarding privacy, publicity and defamation). Customer and each User warrants to GoMeyra that the Service Data it provides is accurate and complete and that Customer and each User has obtained all consents, authorizations, permissions and other rights necessary for GoMeyra to receive, access, copy, store, process, distribute, transmit, display and use Service Data and Converted Data as provided in these Terms of Service.
GoMeyra. GoMeyra warrants to Customer that all Work will be provided in a professional manner and that it will use commercially reasonable efforts to keep the Service available to Users at all times, subject to downtimes for scheduled maintenance, upgrades, repairs, security issues and emergency outages. GoMeyra will not be responsible for any delay, degradation or failure in the Service resulting from or attributable to (a) unusually high usage volumes, (b) failures in Customer Resources or any third party’s services, networks or systems, (c) Customer’s or any User’s or third party’s negligence, acts or omissions, (d) any force majeure or other cause beyond GoMeyra’s reasonable control or (e) unauthorized access to the Service, breach of firewalls or other hacking.
Disclaimers. EXCEPT AS EXPRESSLY SPECIFIED HEREIN, THE RESULTS, WORK, SERVICE AND OTHER GOMEYRA IP ARE PROVIDED “AS IS” AND “AS AVAILABLE”, WITHOUT REPRESENTATION OR WARRANTY OF ANY KIND. FOR CLARITY, GOMEYRA AND ITS LICENSORS DO NOT WARRANT THAT: (A) ANY INFORMATION WILL BE TIMELY, ACCURATE, RELIABLE OR CORRECT; (B) THE WORK, SERVICE OR OTHER GOMEYRA IP OR RESULTS WILL BE ERROR-FREE, UNINTERRUPTED, SECURE OR AVAILABLE AT ANY PARTICULAR TIME OR PLACE; (C) ANY DEFECTS OR ERRORS WILL BE CORRECTED; OR (D) THE WORK, SERVICE OR OTHER GOMEYRA IP OR RESULTS WILL MEET CUSTOMER’S OR ANY USER’S REQUIREMENTS OR THAT ANY OUTCOME CAN BE ACHIEVED. TO THE FULLEST EXTENT PERMITTED BY LAW, GOMEYRA HEREBY DISCLAIMS (FOR ITSELF AND ITS LICENSORS) ALL OTHER REPRESENTATIONS AND WARRANTIES, WHETHER EXPRESS OR IMPLIED, ORAL OR WRITTEN, WITH RESPECT TO THE RESULTS, WORK, SERVICE AND OTHER GOMEYRA IP, INCLUDING WITHOUT LIMITATION, ALL IMPLIED WARRANTIES OF TITLE, NON-INFRINGEMENT, QUIET ENJOYMENT, ACCURACY, INTEGRATION, MERCHANTABILITY OR FITNESS FOR ANY PARTICULAR PURPOSE AND ALL WARRANTIES ARISING FROM ANY COURSE OF DEALING, COURSE OF PERFORMANCE OR USAGE OF TRADE.
## 8. INDEMNIFICATION
Customer. Customer agrees to defend GoMeyra against any demand, suit, action or other claim by any third party (including any User under its Account) that is related to any Service Data provided by Customer or Users or any breach of Customer’s or any User’s obligations or warranties under these Terms of Service, and to indemnify GoMeyra for liabilities (as specified in settlements or judgment awards) that result from such claims.
GoMeyra. GoMeyra agrees to defend Customer and Users (Customer Indemnitees) against any demand, suit, action or other claim by any third party that the Service or any Deliverable misappropriates or infringes its intellectual property rights, and to indemnify Customer Indemnitees for liabilities (as specified in settlements or judgment awards) that result from such claims. If the Service or any Deliverable becomes or, in GoMeyra’s opinion, is likely to become the subject of an injunction or other claim preventing its use as contemplated herein, GoMeyra may, at its option and expense (a) obtain the rights needed to continue providing the Service or using the Deliverable, or (b) replace or modify the Service or Deliverable without substantially compromising its principal functions. If (a) and (b) are not reasonably available, then GoMeyra may (c) upon written notice to Customer, terminate Customer’s Account and stop providing the Service to Users, and refund to Customer any prepaid fees, pro-rated for the remainder of the prepaid period. The foregoing states the entire liability of GoMeyra, and Customer’s and each User’s exclusive remedy, with respect to any actual or alleged violation of intellectual property or proprietary rights by the GoMeyra IP or Work, any part thereof or their use or operation.
Exclusions. GoMeyra shall have no liability or obligation hereunder with respect to any claim attributable to (a) any use of the GoMeyra IP by Customer or any User not strictly in accord with these Terms of Service, or in an application or environment or on a platform or with devices for which it was not designed or contemplated or (b) alterations, combinations or enhancements of the GoMeyra IP not created by GoMeyra.
Conditions. The indemnifying party’s obligations hereunder are conditioned on (a) the party seeking indemnification providing prompt written notice thereof and reasonable cooperation, information, and assistance in connection therewith and (b) the indemnifying party having sole control and authority to defend, settle or compromise such claim. The indemnified party may participate in the defense at its sole cost and expense. The indemnifying party will not enter into any settlement (other than for payment of money subject to its indemnity) that adversely affects the indemnified party’s rights or interests without its prior written approval, not to be unreasonably withheld. The indemnifying party shall not be responsible for any settlement it does not approve in writing.
## 9. LIMITATION OF LIABILITY
EXCEPT TO THE EXTENT THAT ANY EXCLUSION OR LIMITATION OF LIABILITY IS VOID, PROHIBITED OR UNENFORCEABLE BY APPLICABLE LAW, AND EXCEPT FOR LIABILITIES TO THIRD PARTIES PURSUANT TO SECTION 8 (INDEMNIFICATION): IN NO EVENT SHALL GOMEYRA (OR ITS LICENSORS), CUSTOMER OR ANY USER BE LIABLE CONCERNING THE SUBJECT MATTER OF THE CONTRACT OR THESE TERMS OF SERVICE, REGARDLESS OF THE FORM OF ANY CLAIM OR ACTION (WHETHER IN CONTRACT, NEGLIGENCE, STRICT LIABILITY OR OTHERWISE), FOR ANY (A) LOSS OF DATA, LOSS OR INTERRUPTION OF USE, OR COST TO PROCURE SUBSTITUTE TECHNOLOGIES, GOODS OR SERVICES OR (B) INDIRECT, PUNITIVE, INCIDENTAL, RELIANCE, SPECIAL, EXEMPLARY OR CONSEQUENTIAL DAMAGES, INCLUDING WITHOUT LIMITATION, LOSS OF BUSINESS, REVENUES, PROFITS OR GOODWILL; AND GOMEYRA (AND ITS LICENSORS) SHALL NOT BE LIABLE TO CUSTOMER OR ANY USER FOR AGGREGATE DAMAGES IN EXCESS OF THE FEES IT, HE OR SHE (AS THE CASE MAY BE) PAID TO GOMEYRA DURING THE PRIOR 12 MONTHS OR US$25.00, WHICHEVER IS GREATER; EVEN IF IT HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. THESE LIMITATIONS ARE INDEPENDENT FROM ALL OTHER PROVISIONS OF THESE TERMS OF SERVICE AND SHALL APPLY NOTWITHSTANDING THE FAILURE OF ANY REMEDY PROVIDED HEREIN.
FOR USERS ONLY: SOME STATES AND OTHER JURISDICTIONS DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THE ABOVE LIMITATIONS AND EXCLUSIONS MAY NOT APPLY TO YOU.
## 10. TERM AND TERMINATION
Term. Unless as otherwise specified in the Contract, Customer’s and its Users’ ability to access the Platform and use the Service shall commence on the date of Customer’s acceptance of the proposal for GLIMS in the Contract and continue in effect on a month-to-month basis after the Go Live date (as the term is defined in the Contract). Unless as otherwise specified in the Contract, the Contract (subject to these Terms of Service) will be extended automatically on a month-to-month basis until terminated by Customer or GoMeyra. Unless as otherwise specified in the Contract, Customer or GoMeyra may terminate the Contract by giving at least 30 days prior written notice (email being sufficient) to the other. Users may discontinue their use of the Service at any time upon giving written notice to Customer.
Termination. The Contract may be earlier terminated by either party if the other party breaches any material provision of these Terms of Service and fails to cure such breach within 30 days (10 days in the case of payment issues) after receiving written notice of such breach from the non-breaching party.
Effects of Termination. Upon any expiration or termination of the Contract, all rights, obligations and licenses of the parties shall cease, except that the following shall survive: all obligations that accrued prior to the effective date of termination (including payment obligations); all remedies for any breach of these Terms of Service; and the provisions of Sections 4 (Payments), 5 (Confidentiality), 6 (Proprietary Rights), 7 (Limited Warranties and Disclaimers), 8 (Indemnification), 9 (Limitation of Liability), 11 (General Provisions) and this Section 10. GoMeyra has no obligation to retain any Service Data after any expiration or termination, except that GoMeyra will transmit a copy of the Service Data to Customer and/or applicable User if requested in writing within 30 days after the effective date of termination.
## 11. GENERAL PROVISIONS
Entire Agreement. These Terms of Service (including then current Policies), together with the Contract and, if any, all Statements of Work, constitute the entire agreement, and supersede all prior negotiations, understandings or agreements (oral or written), among the parties regarding the subject matter hereof (and all past dealing or industry custom). Any additional, different or inconsistent terms on any related purchase order, even if signed by the parties hereafter, shall have no effect under these Terms of Service. In the event of any conflict or inconsistency between the terms set forth in these Terms of Service and the Contract, the terms in the Contract shall control as between GoMeyra and Customer. Except as expressly provided herein, no change, consent or waiver under these Terms of Service will be effective unless in writing and signed by the party against which enforcement is sought. The failure of any party to enforce its rights under these Terms of Service at any time, for any period will not be construed as a waiver of such rights, and the exercise of one right or remedy will not be deemed a waiver of any other right or remedy. If any provision of these Terms of Service is determined to be illegal or unenforceable, that provision will be limited or eliminated to the minimum extent necessary so that these Terms of Service will otherwise remain in full force and effect and enforceable. These Terms of Service are in English only, which language shall be controlling in all respects. No version of these Terms of Service in another language shall be binding or of any effect.
Governing Law. The parties’ rights and obligations under the Contract and these Terms of Service shall be governed by and construed in accordance with the laws of the Commonwealth of Massachusetts, USA, without regard to its conflicts of law provisions. In the event of any conflict between US and foreign laws, regulations and rules, US laws, regulations and rules shall govern. Neither the United Nations Convention on Contracts for the International Sale of Goods nor the implementation of the Computer Information Transactions Act in any jurisdiction shall apply to these Terms of Service.
Dispute Resolution. A printed version of these Terms of Service (and any Policy) and of any notice given in electronic form shall be admissible in judicial or administrative proceedings based upon or relating to the Service, Contract or these Terms of Service (including any Policy) to the same extent and subject to the same conditions as other business documents and records originally generated and maintained in printed form. Customer, Users and GoMeyra agree that any claim or cause of action arising out of or related to the Service, Contract or these Terms of Service (including any Policy) must be commenced within 1 year after the claim or cause of action arose. Otherwise, such claim or cause of action is permanently barred.
Except that either party may seek an injunction or other equitable relief from any court of competent jurisdiction (as described below), all disputes between the parties arising out of or in relation to or in connection with the Service, Contract or these Terms of Service (including any Policy) shall be settled by binding arbitration in accordance with the JAMS streamlined arbitration rules and procedures then in force, by one neutral arbitrator appointed in accordance with the rules. The arbitration shall take place in Boston, Massachusetts, USA. The proceedings shall be in English, all evidence shall be in English (or translated into English) and the governing law shall be as set forth herein. The arbitrator’s decision shall be in writing and shall comply with all terms and conditions in the applicable version of these Terms of Service and the Contract. The decision and award rendered shall be final and binding on all parties. The parties acknowledge and agree that the Terms of Service and any award rendered pursuant hereto shall be governed by the UN Convention on the Recognition and Enforcement of Foreign Arbitral Awards. Judgment on the award may be entered in any court of competent jurisdiction.
ANY ARBITRATION UNDER THESE TERMS OF SERVICE WILL TAKE PLACE ONLY ON AN INDIVIDUAL BASIS; CLASS ARBITRATIONS AND CLASS ACTIONS ARE NOT PERMITTED. CUSTOMER, USERS AND GOMEYRA UNDERSTAND AND AGREE THAT BY ENTERING INTO THE CONTRACT AND THESE TERMS OF SERVICE, EACH PARTY IS WAIVING THE RIGHT TO TRIAL BY JURY AND TO PARTICIPATE IN A CLASS ACTION.
Use of the Service is not authorized in any jurisdiction that does not give effect to all provisions of the Terms of Service, including without limitation, this section.
International Use. GoMeyra makes no representation or warranty that the Service is appropriate or legally available for use in locations outside the United States, and accessing and using the Service is prohibited from places where doing so would be illegal. Accessing or using the Service from other locations may be done at Customer’s or applicable User’s own initiative and Customer or such User shall be liable for compliance with all local laws. Customer and each User hereby expressly consents to GoMeyra’s processing of Service Data in accordance with these Terms of Service. Customer and each User understands and agrees that Service Data may be stored and processed in (or transferred from) the country where it was collected and the United States, and that United States laws regarding the collection, storage, processing and onward transfer of information may be less stringent than the laws where Customer is located. Customer and each User agrees that each person who accesses or uses the Service through its Account or his/her credentials (and each person whose information is included in Service Data) has given express consent to the collection, storage, processing, transfer, distribution, display and use of his or her personal data as provided herein.
Remedies. Except as expressly specified otherwise herein, each right and remedy in these Terms of Service are in addition to any other right or remedy, at law or in equity. Each party agrees that, in the event of any breach or threatened breach of Section 5 or 6, the non-breaching party will suffer irreparable damage for which it will have no adequate remedy at law. Accordingly, the non-breaching party shall be entitled to injunctive and other equitable remedies to prevent or restrain such breach or threatened breach, without the necessity of proving actual damages or posting any bond.
Notices. All notices under these Terms of Service will be in writing, in English and delivered to the parties at their respective addresses stated herein or in the Contract (or, in the case of Users, as provided during registration), or at such other address designated by written notice. Notices will be deemed to have been duly given and effective: when receipt is electronically confirmed, if transmitted by facsimile or email; or when received, if personally delivered or sent by overnight courier or certified or registered mail, return receipt requested.
Notices to GoMeyra should be sent to the following address:
GoMeyra.com, Inc.
Attn: CEO
32 Pearl Street
Cambridge, MA 02139 USA
legal@GoMeyra.com
Publicity. Customer hereby consents to inclusion of its name and logo in customer lists and presentation materials that may be published and distributed as part of GoMeyra’s marketing and promotional efforts. From time to time upon request, Customer agrees to provide GoMeyra with reasonable cooperation and assistance in connection with other marketing efforts (such as, for example, by acting as a reference, issuing press releases and providing written or videotaped customer testimonials and case studies, with statements attributed to a named employee of Customer). Except for the foregoing or as required by any applicable law or regulation, neither Customer, User nor GoMeyra may issue any press release or other public announcement concerning the arrangements under these Terms of Service, or use the other party’s names, trademarks or logos, without the applicable other party’s prior written consent, not to be unreasonably delayed, conditioned or withheld.
Assignment. These Terms of Service and the performance contemplated hereunder are personal to each User and Users shall not have the right or ability to subcontract, delegate, assign or otherwise transfer any rights or obligations under this Agreement without the prior written consent of Customer and GoMeyra. The Contract, these Terms of Service and the rights and obligations therein and herein may not be assigned, in whole or in part, by Customer or GoMeyra without the other’s prior written consent, not to be unreasonably withheld. However, without consent, GoMeyra may subcontract performance of all or any part of the Service or Work, and GoMeyra and Customer may assign these Terms of Service together with the Contract (but not separately), and all of its rights and obligations hereunder and thereunder, to any of its affiliates or to any successor to all or substantially all of its business which concerns the Contract (whether by sale of assets or equity, merger, consolidation, reorganization or otherwise). The Contract and these Terms of Service shall be binding upon, and inure to the benefit of, the successors, representatives and permitted assigns of the parties.
Force Majeure. No party shall be liable for any delay or failure in performing its obligations hereunder that arises out of any cause, condition or circumstance beyond its reasonable control.
Independent Contractors. The parties shall be independent contractors under the Contract and these Terms of Service (including under the BAA and other Policies), and nothing herein will constitute either party as the employer, employee, agent or representative of the other party, or both parties as joint venturers or partners for any purpose; provided, the foregoing is not intended to modify or limit any prior employment or other arrangement between Customer and any of the Users.
Government. Products within the GoMeyra IP are commercial products, developed solely at private expense and proprietary to GoMeyra.com, Inc. and its licensors. If Customer is an agency, department or other entity of the United States Government or if any User is accessing and using the Service on behalf of or for the benefit of any such entity, then the use, duplication, reproduction, modification, release, disclosure or transfer of GoMeyra IP is restricted in accordance with FAR 12.212 for civilian agencies and DFAR 227.7202 for military agencies. The Platform is “commercial computer software”, the documentation is “commercial computer software documentation”, and their use is further restricted in accordance with these Terms of Service.
XXIV. Terms of Service – Professional Services
GoMeyra Data Services
Last updated: 10/12/2020
## 1. TERMS OF SERVICE
Acceptance. GoMeyra.com, Inc. (GoMeyra or GoMeyra Cloud Applications “GCA”) owns and operates the websites *.GoMeyra.com and *.labtests.com (collectively, the Site as defined in the Business Associate Agreement) and the Platform and GoMeyra Laboratory Information Systems (GLIMS or the Service, as defined in the Terms of Service – Application Use), and GoMeyra Data Services (GODS or the Service, as defined below). Your access to the Site and Platform and all other use of the Service is subject to acceptance without modification of all of the terms and conditions contained herein (Terms of Service). The Terms of Service shall also be deemed to include all other operating rules, conditions, policies and procedures that are referred to below or that may otherwise be published or implemented by GoMeyra, from time to time, within the Platform (collectively, Policies), including without limitation, the Privacy Policy.
IF YOU ARE ACCESSING THE PLATFORM AND USING THE SERVICE ON BEHALF OF, FOR THE BENEFIT OF OR UNDER AN ACCOUNT ESTABLISHED BY ANY CUSTOMER, THEN YOU ACKNOWLEDGE AND AGREE THAT: YOU ARE ALSO BOUND BY ALL OTHER TERMS AND CONDITIONS THAT ARE APPLICABLE TO THAT CUSTOMER (WHETHER SET FORTH IN THESE TERMS OF SERVICE OR IN ANY CONTRACT BETWEEN THAT CUSTOMER AND GOMEYRA); AND THAT IT IS YOUR RESPONSIBILITY TO IDENTIFY, UNDERSTAND AND COMPLY WITH ALL SUCH OTHER TERMS AND CONDITIONS.
IF YOU DO NOT AGREE TO ALL OF THESE TERMS OF SERVICE, OR IF YOU ARE NOT ELIGIBLE OR AUTHORIZED TO AGREE TO THESE TERMS OF SERVICE, THEN DO NOT REGISTER FOR, DOWNLOAD, ACCESS OR USE THE SERVICE. DOWNLOADING ANY APP, COMPLETING OUR REGISTRATION PROCESS OR OTHERWISE ACCESSING OR USING THE PLATFORM OR ANY OTHER PART OF THE SERVICE WILL CONSTITUTE ACCEPTANCE OF, AND CREATE A LEGALLY ENFORCEABLE CONTRACT UNDER WHICH YOU AGREE TO BE BOUND BY, ALL OF THE TERMS OF SERVICE, WITHOUT MODIFICATION.
Updates. GoMeyra reserves the right, at its sole discretion, to update, modify or replace the Terms of Service (including any Policy), in whole or in part, at any time. GoMeyra will use reasonable efforts to notify you of any material change in advance of the effective date of any change. Change notices may be communicated by postings via the Platform, email or otherwise. In any case, you should periodically check the Policies and other Terms of Service for changes. Continued access or use of the Service following any change to the Terms of Service constitutes your acceptance of those changes. The Terms of Service may not otherwise be amended, as they apply to you, except by a written agreement executed by you and GoMeyra. GoMeyra may modify, suspend or terminate the Service (including without limitation, access to the Platform), in whole or in part, at any time.
Eligibility. The Service is intended by GoMeyra to be made available only to Users who are at least 18 years old or the age of majority in your jurisdiction, whichever age is older. If you do not qualify, then you are prohibited from accessing, registering for, uploading, downloading or using any aspect of the Service. GoMeyra will not collect personally identifiable information from any person who is actually known to us to be under the age of 13. If we become aware that a person under 13 has provided personally identifiable information, GoMeyra will take steps to remove such information and terminate that individual’s account, access and use of the Service. GoMeyra may refuse to offer or continue offering the Service to any person or entity, and may change its eligibility criteria from time to time.
## 2. DEFINITIONS
Analytics means statistics, metrics, abstractions, rules, models, collections, combinations and other analyses that are based on or derived from the Service or Service Data (including without limitation, measurements of Service usage and performance), which are developed in a manner that does not disclose the identity of a Source or any individual identified in the Service Data and that does not disclose any Service Data except in a de-identified (in accordance with 45 CFR §164.514(a)-(c)) or aggregated form (combined with other data, results or measurements).
Contract means the sales quotation, proposal, order form, sales confirmation or other similar writing provided by GoMeyra or its authorized distributor (as the case may be) that describes the Service, term and prices being offered to Customer, whichever is most current (or the corresponding invoice, if no such other writing exists).
Customer means any company, laboratory, or other organization or entity that has entered into an agreement with GoMeyra to establish an account to use and pay for the Service.
Customer Data means any data that Customer generates on its own, such as search queries, and sends to GoMeyra pursuant to its access and use of the Service.
Deliverable means any work product that is delivered to Customer, and which results from Work performed by GoMeyra.
Feedback means ideas, assessments, suggestions and other feedback related to the function or performance of the Platform, Service and other GoMeyra IP (including performance and benchmarking results related to the Service).
GoMeyra IP means the Site, Platform, Service, Service Data, Deliverables, GoMeyra Confidential Information, access credentials and all other Service-related documentation, data, know-how and information provided by GoMeyra.
Source means any laboratory, company, or other organization or entity that grants or has granted to GoMeyra a license to use its data in de-identified and aggregated form.
Platform means the technology platform developed and/or used by GoMeyra in providing the Service (including all related ideas, concepts, inventions, systems, hardware, software, interfaces, dashboards, tools, utilities, content, templates, forms, samples, techniques, methods, processes, algorithms, know-how, trade secrets and other technologies, implementations and information), and all corrections, improvements and extensions thereto.
Service means GoMeyra’s application that provides Customer with access to and use of the Service Data (defined below) for commercial use through GoMeyra’s provision of its real-time search, dashboards and downloads features, and which is made available under these Terms of Service, as such application may be hosted in a cloud environment, branded and provided on a software-as-a-service basis from time to time by GoMeyra.
Service Data means all data and data sets (other than Customer Data) that GoMeyra makes available to Customer pursuant to providing access to and use of the Service and as specified under these Terms of Service.
Statement of Work means any written work statement that references these Terms of Service and that is acceptable to and executed by Customer and GoMeyra, and which will include other information related to the Work (such as, for example, professional services descriptions, schedules and payments).
User means each of the named individuals who is specifically identified by Customer for onboarding and use of the Service under Customer’s Account.
## 3. SERVICE
License. So long as the Service is provided to Customer and subject to compliance with all Terms of Service, GoMeyra will make the Service available to Customer and hereby grants to Customer a nonexclusive, non-transferable, revocable right and license: to access and use the Service through a web-based interface; and to permit identified Users to do the same under its Account. The GoMeyra IP, including, in particular, the Service Data, may be used only in unmodified form and solely for Customer’s internal business purposes. Customer’s and Users’ access and use of the GoMeyra IP, including, in particular, the Service Data, shall comply with all other conditions that may be set forth in these Terms of Service or the Contract (such as, for example, restrictions regarding the number or identity of authorized Users, data formats, size limits, time limits or prohibited uses). From time to time, Customer and Users may (at their discretion) provide Feedback to GoMeyra.
Account. GoMeyra will provide Customer with access credentials (and/or a mechanism that permits Customer to specify access credentials) as needed to identify, authorize and designate roles for Users who will have rights (as appropriate to their roles) to establish, administer, configure, manage and use the Service through a Customer-specific account (Account). Customer and Users are responsible for maintaining the confidentiality of all Account information (including access credentials). Customer agrees to be liable for all activities under its Account. Customer and Users agree to keep all Account information up-to-date and to notify GoMeyra immediately of any unauthorized use of their Account. Customer shall promptly notify GoMeyra of Users who are no longer permitted to access and use the Service under Customer’s Account. Customer shall implement and comply with reasonable policies and methods to confirm and verify the actual identity of Users that will be registered to access and use the Service under its Account.
Resources. Sources are solely responsible for ensuring the accuracy and completeness of Service Data that they provide, and for acquiring all consents, authorizations, permissions and other rights necessary for GoMeyra to receive, access, copy, store, process, distribute, transmit, display and use Service Data in de-identified and aggregated form pursuant to the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations (HIPAA) and as provided in these Terms of Service. Customers are solely responsible for all servers, storage, software, databases, network and communications systems and services needed by Customer and Users to access, manage and use the Service and Service Data, and backup, recovery, network security and maintenance services for Customer’s and Users’ internal systems (collectively, the Customer Resources).
Sharing Service Data. GoMeyra does not review the substance of Service Data and does not control the use of Service Data that has been provided to GoMeyra. Authentication of the true identity of Internet users is difficult, and so GoMeyra cannot and does not confirm that any user in the provenance of Service Data is the person or entity who they claim to be. Accordingly, GoMeyra makes no representation or warranty, and assumes no liability, regarding the accuracy, quality, integrity, legality, reliability or appropriateness of any such Service Data. Customer and its Users agree to assume all risk and liability arising from (a) sharing their own, if any, results derived from use of the Service Data (including any further distribution or use for an unintended purpose) and (b) using Service Data (including any and all results that are generated using such Service Data).
Support Services. Using commercially reasonable efforts, GoMeyra will: assist Customer to access, configure, verify and commence User operation of the Service under its Account; provide ongoing technical support for the Service (telephone, email or web-based), in accordance with its standard practices during normal business hours; and endeavor to analyze and resolve material errors. GoMeyra has no obligation to operate or support any version of the Service other than the then current version. GoMeyra may charge Customer in accordance with its then current policies for support services that result from problems, errors or inquiries related to the Customer Resources.
Additional Services. From time to time, Customer may request and GoMeyra may agree to provide certain additional implementation, integration, data analysis, development, training or other professional services related to the Service (Work). GoMeyra agrees to undertake and use commercially reasonable efforts to complete the Work as described in the corresponding Statement of Work. GoMeyra grants Customer a nonexclusive, nontransferable right and license (without right to sublicense) to use the resulting Deliverables solely in conjunction with authorized use of the Service, subject to the terms of these Terms of Service and other rights or restrictions set forth in the Statement of Work.
Third Party Services. Certain applications, platforms and services provided by third parties (collectively, Third Party Services) may be accessed from the Service. Third Party Services are not operated or controlled by GoMeyra, and GoMeyra shall not be responsible for the availability, accuracy or any other aspect of the content or function of Third Party Services. Additional or different terms and conditions (including without limitation, privacy and security practices) apply to the use of Third Party Services, and Customer and each User hereby agrees to comply with such terms and conditions when using Third Party Services.
## 4. PAYMENTS
Fees. Customer shall pay GoMeyra the fees described in the Contract and each Statement of Work, in the amounts and at the times set forth therein, and as otherwise stated in these Terms of Service. Fees may be specified as being payable in advance or in arrears; fees may be fixed, contingent or variable (e.g., depending on usage factors or per sample charges); and fees may be specified on a recurring basis (e.g., subscription fees and/or usage fees, which may be payable monthly, quarterly or annually) or non-recurring basis (e.g., one-time activation fees).
Recurring Fees. Recurring fees (e.g., subscription fees and/or usage fees) must be paid by an automatic payment method (credit card or ACH bank transfer) which may be stored. Generally, recurring fees will be automatically charged on such stored payment method 15 days following invoicing. Customer will receive an invoice (by email) of all recurring fees (whether from GoMeyra or from a partner of GoMeyra) for current billing period. By choosing a plan with recurring fees, Customer acknowledges that such recurring fees have an initial and recurring payment feature and Customer accepts responsibility for all recurring charges prior to cancellation. GOMEYRA MAY SUBMIT PERIODIC CHARGES (E.G., MONTHLY) WITHOUT FURTHER AUTHORIZATION FROM CUSTOMER, UNTIL CUSTOMER PROVIDES PRIOR NOTICE (RECEIPT OF WHICH WILL BE CONFIRMED IN WRITING BY GOMEYRA) THAT CUSTOMER HAS TERMINATED THIS AUTHORIZATION OR WISHES TO CHANGE CUSTOMER’S PAYMENT METHOD. SUCH NOTICE WILL NOT AFFECT CHARGES SUBMITTED BEFORE GOMEYRA REASONABLY COULD ACT. CUSTOMER MAY TERMINATE ITS AUTHORIZATION OR CHANGE ITS PAYMENT METHOD, BY VISITING CUSTOMER’S ACCOUNT SETTINGS ON THE SITE. Customer hereby accepts all credit card or ACH payment charges that comply with these Terms of Service.
Payment Terms. GoMeyra may collect payments from Customer directly or use a third-party payment processor (Payment Processor) to bill Customer through a payment account linked to Customer’s Account for use of the Service. The processing of payments by a Payment Processor will be subject to the terms, conditions and privacy policies of such Payment Processor in addition to these Terms of Service and the Contract or applicable Statement of Work. GoMeyra shall not be responsible for error by the Payment Processor. Unless specified otherwise, all amounts due hereunder shall be paid in full (without deduction, set-off or counterclaim) within 15 days after invoice in US dollars at GoMeyra’s address or to an account specified by GoMeyra. Past due amounts shall bear a late payment charge, until paid, at the rate of 1.0% per month or the maximum amount permitted by law, whichever is less. If any payment is past due, GoMeyra shall have the right to take whatever action it deems appropriate (including without limitation, disabling the Account, suspending User access to the Service, or terminating the Contract pursuant to Section 10). Without limiting the foregoing, if GoMeyra, through the Payment Processor, does not receive payment from Customer, Customer agrees to pay all amounts due on its Account upon demand. Customer agrees to reimburse GoMeyra for all costs (including attorneys’ fees) incurred in collecting late payments.
Taxes. All payments required by these Terms of Service are exclusive of federal, state, local and foreign taxes, duties, tariffs, levies, withholdings and similar assessments (including without limitation, sales taxes, use taxes and value added taxes), and Customer agrees to bear and be responsible for the payment of all such charges, excluding taxes based upon GoMeyra’s net income. All amounts due hereunder shall be grossed-up for any withholding taxes imposed by any foreign government. If Customer claims exemption from any tax, then it shall furnish GoMeyra with a valid tax exemption certificate issued by or acceptable to the applicable taxing jurisdiction or entity.
Current Billing Information Required. CUSTOMER MUST PROVIDE CURRENT, COMPLETE AND ACCURATE BILLING INFORMATION FOR ITS ACCOUNT. CUSTOMER MUST PROMPTLY UPDATE ALL RELEVANT INFORMATION TO KEEP ITS ACCOUNT CURRENT, COMPLETE AND ACCURATE (SUCH AS A CHANGE IN BILLING ADDRESS, CREDIT CARD NUMBER, OR CREDIT CARD EXPIRATION DATE), AND CUSTOMER MUST PROMPTLY NOTIFY GOMEYRA OR THE PAYMENT PROCESSOR IF CUSTOMER’S PAYMENT METHOD IS CANCELED (E.G., FOR LOSS OR THEFT) OR IF CUSTOMER BECOMES AWARE OF A POTENTIAL BREACH OF SECURITY, SUCH AS THE UNAUTHORIZED DISCLOSURE OR USE OF A USER NAME OR PASSWORD. CHANGES TO SUCH INFORMATION CAN BE MADE AT CUSTOMER’S ACCOUNT SETTINGS ON THE SITE. IF CUSTOMER FAILS TO PROVIDE ANY OF THE FOREGOING INFORMATION, CUSTOMER AGREES THAT GOMEYRA MAY CONTINUE CHARGING CUSTOMER FOR ANY RECURRING FEES UNDER CUSTOMER’S BILLING ACCOUNT UNLESS CUSTOMER HAS TERMINATED OR CANCELED ITS USE OF THE SERVICE.
5. CONFIDENTIALITY
Scope. The term Confidential Information means all trade secrets, know-how, inventions, software and other financial, business, scientific, clinical or technical information and data disclosed by or for a party in connection with using or providing the Service. The restrictions on use and disclosure of Confidential Information will not apply to any information or data that the receiving party can demonstrate is (a) rightfully furnished to it without restriction by a third party, (b) generally available to the public without breach of these Terms of Service or (c) independently developed by it without reliance on such information or data. For clarity, all Service Data, Feedback, GoMeyra IP and pricing information will be treated as GoMeyra’s Confidential Information.
Confidentiality. Except for the specific rights granted by these Terms of Service, and except for disclosures that are necessary to comply with any legal, regulatory, law enforcement or similar requirement or investigation, the receiving party shall not access, reproduce, use or disclose any of the other party’s Confidential Information without its written consent, and shall use reasonable care to protect the other’s Confidential Information from unauthorized access, use and disclosure (including by ensuring that its personnel who access any Confidential Information have a need to know for the permitted purpose and are bound by written obligations that are at least as protective as these Terms of Service). Each party shall be responsible for any breach of confidentiality by its personnel (including Users, in the case of Customer). Promptly after any termination (or at the disclosing party’s request at any other time), the receiving party shall return all of the other’s tangible Confidential Information, permanently erase all Confidential Information from any storage media and destroy all information, records and materials developed therefrom (except Confidential Information stored in accordance with automated backup procedures in the ordinary course of business). Each party may disclose only the general nature, but not the specific terms, of any Contract without the prior consent of the other party; provided, Customer or GoMeyra may provide a copy of the Contract or otherwise disclose its terms in connection with any legal or regulatory requirement, audit, financing transaction or due diligence inquiry.
Compelled Disclosures. These restrictions will not prevent either party from complying with any law, regulation, court order, demand by law enforcement or other legal requirement or investigation that purports to compel disclosure of any Service Data or other Confidential Information. The receiving party will promptly notify the disclosing party upon learning of any such legal requirement, and cooperate with the disclosing party in the exercise of its right to protect the confidentiality of the Confidential Information before any tribunal or governmental agency.
6. PROPRIETARY RIGHTS
Customer and Users. Customer and each User hereby grants GoMeyra a nonexclusive, royalty-free, worldwide right and license: to access, copy, store, process, distribute, transmit, display and use their Customer Data to (i) provide the Service to Customer and all Users under Customer’s Account and (ii) improve and enhance the Service and for other development, diagnostic and corrective purposes in connection with the Services and other GoMeyra products and services. If applicable, Customer and each User hereby grants to GoMeyra all necessary permissions for GoMeyra to engage and work with trusted third parties to provide the Service. Except for the foregoing, no other right, license or option is granted, no other use is permitted and Customer or the applicable User (as the case may be) owns and retains all rights, title and interests (including without limitation, patent rights, copyright rights, trade secret rights and trademark rights) in and to the Customer Data.
GoMeyra. Except for the limited rights and licenses expressly granted hereunder, no other right, license or option is granted, no other use is permitted and (as between the parties) GoMeyra (and its licensors, where applicable) owns and retains all rights, title and interests (including without limitation, patent rights, copyright rights, trade secret rights and trademark rights) relating to the GoMeyra IP, including Service Data. Customer agrees that GoMeyra is free to use the Customer Data (pursuant to the section above), Feedback, and all generalized knowledge, expertise know-how and technologies related to or acquired in providing the Service, in any manner for all purposes (including developing new or improved products and services). Notwithstanding the foregoing sentence, the Contract entered into pursuant to these Terms of Service is not a sale and does not convey to Customer any rights of ownership in or related to any GoMeyra IP, Service Data, or any intellectual property rights.
Restrictions. Customer and Users shall not, directly or indirectly (a) use any of GoMeyra’s Confidential Information to create any software, platform, service or documentation that is similar to any of the GoMeyra IP, (b) attempt to access any Platform component or to disassemble, decompile, reverse engineer or use any other means to discover any source code or underlying organization, structures, ideas or algorithms within the Platform or other GoMeyra IP (except and only to the extent these restrictions are expressly prohibited by applicable statutory law) or to circumvent any technological measure that controls access thereto, (c) encumber, sublicense, distribute, transfer, rent, lease, lend, access or use any GoMeyra IP in any time-share, service bureau or similar arrangement, (d) copy, adapt, combine, create derivative works of, translate, localize, port or otherwise modify any GoMeyra IP, (e) use or allow the transmission, transfer, export, re-export or other transfer of any product, technology or information it obtains or learns using the Service or Service Data (or any direct product thereof) in violation of any export control or other laws and regulations of the United States or any other relevant jurisdiction, (f) re-identify or attempt to re-identify any of the Service Data, or (g) permit any third party to do any of the foregoing.
Third Party Software. The Platform may interface, inter-operate, link or be delivered with or include software or other technology (In-Licensed Code) that is licensed from and owned by third parties (In-Licensors), the use of which may be subject to additional or different terms set forth in the applicable open source or proprietary license (In-License). Customer and each User unconditionally agrees that the In-Licensors (a) make no representation or warranty concerning the In-Licensed Code or GoMeyra IP, (b) have no obligation or liability as a result of these Terms of Service and (c) are intended third party beneficiaries of these Terms of Service in respect of their respective In-Licensed Code. Upon specific written request received prior to the third anniversary of Acceptance, GoMeyra will make available the source code for In-Licensed Code, but only if doing so is required by the applicable In-License.
7. LIMITED WARRANTIES AND DISCLAIMERS
Customer and Users. Customer and each User warrants to GoMeyra that the access, transfer, collection, processing, distribution and use of Service Data as described in these Terms of Service complies with and will not violate applicable laws, regulations, rules or proprietary rights (including without limitation, professional and scientific standards, copyrights and rights regarding privacy, publicity and defamation).
GoMeyra. GoMeyra warrants to Customer that all Work will be provided in a professional manner and that it will use commercially reasonable efforts to keep the Service available to Users at all times, subject to downtimes for scheduled maintenance, upgrades, repairs, security issues and emergency outages. GoMeyra will not be responsible for any delay, degradation or failure in the Service resulting from or attributable to (a) unusually high usage volumes, (b) failures in Customer Resources or any third party’s services, networks or systems, (c) Customer’s or any User’s or third party’s negligence, acts or omissions, (d) any force majeure or other cause beyond GoMeyra’s reasonable control or (e) unauthorized access to the Service, breach of firewalls or other hacking.
Disclaimers. EXCEPT AS EXPRESSLY SPECIFIED HEREIN, THE WORK, SERVICE, SERVICE DATA AND OTHER GOMEYRA IP ARE PROVIDED “AS IS” AND “AS AVAILABLE”, WITHOUT REPRESENTATION OR WARRANTY OF ANY KIND. FOR CLARITY, GOMEYRA AND ITS LICENSORS DO NOT WARRANT THAT: (A) ANY INFORMATION WILL BE TIMELY, ACCURATE, RELIABLE OR CORRECT; (B) THE WORK, SERVICE, SERVICE DATA OR OTHER GOMEYRA IP WILL BE ERROR-FREE, UNINTERRUPTED, SECURE OR AVAILABLE AT ANY PARTICULAR TIME OR PLACE; (C) ANY DEFECTS OR ERRORS WILL BE CORRECTED; OR (D) THE WORK, SERVICE, SERVICE DATA OR OTHER GOMEYRA IP WILL MEET CUSTOMER’S OR ANY USER’S REQUIREMENTS OR THAT ANY OUTCOME CAN BE ACHIEVED. TO THE FULLEST EXTENT PERMITTED BY LAW, GOMEYRA HEREBY DISCLAIMS (FOR ITSELF AND ITS LICENSORS) ALL OTHER REPRESENTATIONS AND WARRANTIES, WHETHER EXPRESS OR IMPLIED, ORAL OR WRITTEN, WITH RESPECT TO THE WORK, SERVICE, SERVICE DATA AND OTHER GOMEYRA IP, INCLUDING WITHOUT LIMITATION, ALL IMPLIED WARRANTIES OF TITLE, NON-INFRINGEMENT, QUIET ENJOYMENT, ACCURACY, INTEGRATION, MERCHANTABILITY OR FITNESS FOR ANY PARTICULAR PURPOSE AND ALL WARRANTIES ARISING FROM ANY COURSE OF DEALING, COURSE OF PERFORMANCE OR USAGE OF TRADE.
8. INDEMNIFICATION
Customer. Customer agrees to defend GoMeyra against any demand, suit, action or other claim by any third party (including any User under its Account) that is related to any use of the Service or Service Data provided by Customer or Users or any breach of Customer’s or any User’s obligations or warranties under these Terms of Service, and to indemnify GoMeyra for liabilities (as specified in settlements or judgment awards) that result from such claims.
GoMeyra. GoMeyra agrees to defend Customer and Users (Customer Indemnitees) against any demand, suit, action or other claim by any third party that the Service or any Deliverable misappropriates or infringes its intellectual property rights, and to indemnify Customer Indemnitees for liabilities (as specified in settlements or judgment awards) that result from such claims. If the Service or any Deliverable becomes or, in GoMeyra’s opinion, is likely to become the subject of an injunction or other claim preventing its use as contemplated herein, GoMeyra may, at its option and expense (a) obtain the rights needed to continue providing the Service or using the Deliverable, or (b) replace or modify the Service or Deliverable without substantially compromising its principal functions. If (a) and (b) are not reasonably available, then GoMeyra may (c) upon written notice to Customer, terminate Customer’s Account and stop providing the Service to Users, and refund to Customer any prepaid fees, pro-rated for the remainder of the prepaid period. The foregoing states the entire liability of GoMeyra, and Customer’s and each User’s exclusive remedy, with respect to any actual or alleged violation of intellectual property or proprietary rights by the GoMeyra IP or Work, any part thereof or their use or operation.
Exclusions. GoMeyra shall have no liability or obligation hereunder with respect to any claim attributable to (a) any use of the GoMeyra IP by Customer or any User not strictly in accord with these Terms of Service, or in an application or environment or on a platform or with devices for which it was not designed or contemplated or (b) alterations, combinations or enhancements of the GoMeyra IP not created by GoMeyra.
Conditions. The indemnifying party’s obligations hereunder are conditioned on (a) the party seeking indemnification providing prompt written notice thereof and reasonable cooperation, information, and assistance in connection therewith and (b) the indemnifying party having sole control and authority to defend, settle or compromise such claim. The indemnified party may participate in the defense at its sole cost and expense. The indemnifying party will not enter into any settlement (other than for payment of money subject to its indemnity) that adversely affects the indemnified party’s rights or interests without its prior written approval, not to be unreasonably withheld. The indemnifying party shall not be responsible for any settlement it does not approve in writing.
9. LIMITATION OF LIABILITY
EXCEPT TO THE EXTENT THAT ANY EXCLUSION OR LIMITATION OF LIABILITY IS VOID, PROHIBITED OR UNENFORCEABLE BY APPLICABLE LAW, AND EXCEPT FOR LIABILITIES TO THIRD PARTIES PURSUANT TO SECTION 8 (INDEMNIFICATION): IN NO EVENT SHALL GOMEYRA (OR ITS LICENSORS), CUSTOMER OR ANY USER BE LIABLE CONCERNING THE SUBJECT MATTER OF THE CONTRACT OR THESE TERMS OF SERVICE, REGARDLESS OF THE FORM OF ANY CLAIM OR ACTION (WHETHER IN CONTRACT, NEGLIGENCE, STRICT LIABILITY OR OTHERWISE), FOR ANY (A) LOSS OF DATA, LOSS OR INTERRUPTION OF USE, OR COST TO PROCURE SUBSTITUTE TECHNOLOGIES, GOODS OR SERVICES OR (B) INDIRECT, PUNITIVE, INCIDENTAL, RELIANCE, SPECIAL, EXEMPLARY OR CONSEQUENTIAL DAMAGES, INCLUDING WITHOUT LIMITATION, LOSS OF BUSINESS, REVENUES, PROFITS OR GOODWILL; AND GOMEYRA (AND ITS LICENSORS) SHALL NOT BE LIABLE TO CUSTOMER OR ANY USER FOR AGGREGATE DAMAGES IN EXCESS OF THE FEES IT, HE OR SHE (AS THE CASE MAY BE) PAID TO GOMEYRA DURING THE PRIOR 12 MONTHS OR US$25.00, WHICHEVER IS GREATER; EVEN IF IT HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. THESE LIMITATIONS ARE INDEPENDENT FROM ALL OTHER PROVISIONS OF THESE TERMS OF SERVICE AND SHALL APPLY NOTWITHSTANDING THE FAILURE OF ANY REMEDY PROVIDED HEREIN.
FOR USERS ONLY: SOME STATES AND OTHER JURISDICTIONS DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THE ABOVE LIMITATIONS AND EXCLUSIONS MAY NOT APPLY TO YOU.
10. TERM AND TERMINATION
Term. Unless as otherwise specified in the Contract, Customer’s and its Users’ ability to access and use the Service shall commence on the date of Customer’s acceptance of the proposal for OvDs in the Contract and will automatically extend on a month-to-month basis until terminated by Customer or GoMeyra. Unless as otherwise specified in the Contract, Customer or GoMeyra may terminate the Contract by giving at least 30 days prior written notice (email being sufficient) to the other. Users may discontinue their use of the Service at any time upon giving written notice to Customer.
Termination for Cause. The Contract may be earlier terminated by either party if the other party breaches any material provision of these Terms of Service and fails to cure such breach within 30 days (10 days in the case of payment issues) after receiving written notice of such breach from the non-breaching party.
Effects of Termination. Upon any expiration or termination of the Contract, all rights, obligations and licenses of the parties shall cease, except that the following shall survive: all obligations that accrued prior to the effective date of termination (including payment obligations); all remedies for any breach of these Terms of Service; and the provisions of Sections 4 (Payments), 5 (Confidentiality), 6 (Proprietary Rights), 7 (Limited Warranties and Disclaimers), 8 (Indemnification), 9 (Limitation of Liability), 11 (General Provisions) and this Section 10. Customer and Users shall not retain any Service Data or GoMeyra IP after any expiration or termination. Upon termination of the Contract for any reason, Customer shall promptly return to GoMeyra all originals and copies of any Service Data or GoMeyra IP and destroy, upon GoMeyra’s request, all information, records and materials developed therefrom that are not Customer Data. Upon GoMeyra’s reasonable request, such return or destruction shall be confirmed in writing by the parties.
11. GENERAL PROVISIONS
Entire Agreement. These Terms of Service (including then current Policies), together with the Contract and, if any, all Statements of Work, constitute the entire agreement, and supersede all prior negotiations, understandings or agreements (oral or written), among the parties regarding the subject matter hereof (and all past dealing or industry custom). Any additional, different or inconsistent terms on any related purchase order, even if signed by the parties hereafter, shall have no effect under these Terms of Service. In the event of any conflict or inconsistency between the terms set forth in these Terms of Service and the Contract, the terms in the Contract shall control as between GoMeyra and Customer. Except as expressly provided herein, no change, consent or waiver under these Terms of Service will be effective unless in writing and signed by the party against which enforcement is sought. The failure of any party to enforce its rights under these Terms of Service at any time, for any period will not be construed as a waiver of such rights, and the exercise of one right or remedy will not be deemed a waiver of any other right or remedy. If any provision of these Terms of Service is determined to be illegal or unenforceable, that provision will be limited or eliminated to the minimum extent necessary so that these Terms of Service will otherwise remain in full force and effect and enforceable. These Terms of Service are in English only, which language shall be controlling in all respects. No version of these Terms of Service in another language shall be binding or of any effect.
Governing Law. The parties’ rights and obligations under the Contract and these Terms of Service shall be governed by and construed in accordance with the laws of the Commonwealth of Massachusetts, USA, without regard to its conflicts of law provisions. In the event of any conflict between US and foreign laws, regulations and rules, US laws, regulations and rules shall govern. Neither the United Nations Convention on Contracts for the International Sale of Goods nor the implementation of the Computer Information Transactions Act in any jurisdiction shall apply to these Terms of Service.
Dispute Resolution. A printed version of these Terms of Service (and any Policy) and of any notice given in electronic form shall be admissible in judicial or administrative proceedings based upon or relating to the Service, Contract or these Terms of Service (including any Policy) to the same extent and subject to the same conditions as other business documents and records originally generated and maintained in printed form. Customer, Users and GoMeyra agree that any claim or cause of action arising out of or related to the Service, Contract or these Terms of Service (including any Policy) must be commenced within 1 year after the claim or cause of action arose. Otherwise, such claim or cause of action is permanently barred.
Except that either party may seek an injunction or other equitable relief from any court of competent jurisdiction (as described below), all disputes between the parties arising out of or in relation to or in connection with the Service, Contract or these Terms of Service (including any Policy) shall be settled by binding arbitration in accordance with the JAMS streamlined arbitration rules and procedures then in force, by one neutral arbitrator appointed in accordance with the rules. The arbitration shall take place in Boston, Massachusetts, USA. The proceedings shall be in English, all evidence shall be in English (or translated into English) and the governing law shall be as set forth herein. The arbitrator’s decision shall be in writing and shall comply with all terms and conditions in the applicable version of these Terms of Service and the Contract. The decision and award rendered shall be final and binding on all parties. The parties acknowledge and agree that the Terms of Service and any award rendered pursuant hereto shall be governed by the UN Convention on the Recognition and Enforcement of Foreign Arbitral Awards. Judgment on the award may be entered in any court of competent jurisdiction.
ANY ARBITRATION UNDER THESE TERMS OF SERVICE WILL TAKE PLACE ONLY ON AN INDIVIDUAL BASIS; CLASS ARBITRATIONS AND CLASS ACTIONS ARE NOT PERMITTED. CUSTOMER, USERS AND GOMEYRA UNDERSTAND AND AGREE THAT BY ENTERING INTO THE CONTRACT AND THESE TERMS OF SERVICE, EACH PARTY IS WAIVING THE RIGHT TO TRIAL BY JURY AND TO PARTICIPATE IN A CLASS ACTION.
Use of the Service is not authorized in any jurisdiction that does not give effect to all provisions of the Terms of Service, including without limitation, this section.
International Use. GoMeyra makes no representation or warranty that the Service is appropriate or legally available for use in locations outside the United States, and accessing and using the Service is prohibited from places where doing so would be illegal. Accessing or using the Service from other locations may be done at Customer’s or applicable User’s own initiative and Customer or such User shall be liable for compliance with all local laws. Customer and each User hereby expressly consents to GoMeyra’s processing of Service Data in accordance with these Terms of Service. Customer and each User understands and agrees that Service Data may be stored and processed in (or transferred from) the country where it was collected and the United States, and that United States laws regarding the collection, storage, processing and onward transfer of information may be less stringent than the laws where Customer is located. Customer and each User agrees that each person who accesses or uses the Service through its Account or his/her credentials (and each person whose information is included in Service Data) has given express consent to the collection, storage, processing, transfer, distribution, display and use of his or her personal data as provided herein.
Remedies. Except as expressly specified otherwise herein, each right and remedy in these Terms of Service is in addition to any other right or remedy, at law or in equity. Each party agrees that, in the event of any breach or threatened breach of Section 5 or 6, the non-breaching party will suffer irreparable damage for which it will have no adequate remedy at law. Accordingly, the non-breaching party shall be entitled to injunctive and other equitable remedies to prevent or restrain such breach or threatened breach, without the necessity of proving actual damages or posting any bond.
Notices. All notices under these Terms of Service will be in writing, in English and delivered to the parties at their respective addresses stated herein or in the Contract (or, in the case of Users, as provided during registration), or at such other address designated by written notice. Notices will be deemed to have been duly given and effective: when receipt is electronically confirmed, if transmitted by facsimile or email; or when received, if personally delivered or sent by overnight courier or certified or registered mail, return receipt requested.
Notices to GoMeyra should be sent to the following address:
GoMeyra.com, Inc.
Attn: CEO
legal@GoMeyra.com
Publicity. Customer hereby consents to inclusion of its name and logo in customer lists and presentation materials that may be published and distributed as part of GoMeyra’s marketing and promotional efforts. From time to time upon request, Customer agrees to provide GoMeyra with reasonable cooperation and assistance in connection with other marketing efforts (such as, for example, by acting as a reference, issuing press releases and providing written or videotaped customer testimonials and case studies, with statements attributed to a named employee of Customer). Except for the foregoing or as required by any applicable law or regulation, neither Customer, User nor GoMeyra may issue any press release or other public announcement concerning the arrangements under these Terms of Service, or use the other party’s names, trademarks or logos, without the applicable other party’s prior written consent, not to be unreasonably delayed, conditioned or withheld.
Assignment. These Terms of Service and the performance contemplated hereunder are personal to each User and Users shall not have the right or ability to subcontract, delegate, assign or otherwise transfer any rights or obligations under this Agreement without the prior written consent of Customer and GoMeyra. The Contract, these Terms of Service and the rights and obligations therein and herein may not be assigned, in whole or in part, by Customer or GoMeyra without the other’s prior written consent, not to be unreasonably withheld. However, without consent, GoMeyra may subcontract performance of all or any part of the Service or Work, and GoMeyra and Customer may assign these Terms of Service together with the Contract (but not separately), and all of its rights and obligations hereunder and thereunder, to any of its affiliates or to any successor to all or substantially all of its business which concerns the Contract (whether by sale of assets or equity, merger, consolidation, reorganization or otherwise). The Contract and these Terms of Service shall be binding upon, and inure to the benefit of, the successors, representatives and permitted assigns of the parties.
Force Majeure. No party shall be liable for any delay or failure in performing its obligations hereunder that arises out of any cause, condition or circumstance beyond its reasonable control.
Independent Contractors. The parties shall be independent contractors under the Contract and these Terms of Service (including under our Policies), and nothing herein will constitute either party as the employer, employee, agent or representative of the other party, or both parties as joint venturers or partners for any purpose; provided, the foregoing is not intended to modify or limit any prior employment or other arrangement between Customer and any of the Users.
Government. Products within the GoMeyra IP are commercial products, developed solely at private expense and proprietary to GoMeyra.com, Inc. and its licensors. If Customer is an agency, department or other entity of the United States Government or if any User is accessing and using the Service on behalf of or for the benefit of any such entity, then the use, duplication, reproduction, modification, release, disclosure or transfer of GoMeyra IP is restricted in accordance with FAR 12.212 for civilian agencies and DFAR 227.7202 for military agencies. The Platform is “commercial computer software”, the documentation is “commercial computer software documentation”, and their use is further restricted in accordance with these Terms of Service.
XXVI. Privacy Policy
Last Updated: 10/12/2020
We want to let you know about what we do with information we collect from you, how it is used, and other details about privacy.
This Privacy Policy discloses the privacy practices of our websites, software, and services (collectively, “Our Products & Services” or “Services”). This Privacy Policy applies to any type of access we make available to you for Our Products & Services, such as websites, applications on your electronic devices, through APIs, and through third parties.
1. COLLECTION
a. We need some information from you in order to provide Our Products & Services and you understand that we have access to and collect information that you voluntarily give us via the enrollment process, your emails to us, or other direct contact from you. We also collect information related to your usage and access of our Services.
b. We use technology like cookies to provide and improve Our Products & Services. For example, cookies help us with things like remembering your username for your next visit, understanding how you are interacting with Our Products & Services, and improving them based on that information. You can set your browser to not accept cookies, but this may limit your ability to use Our Products & Services.
2. USE AND SHARING
a. In general, we will use your information to communicate with you, to provide Our Products & Services, and to facilitate collaboration between you and other users.
b. We will not sell your information in personally identifiable form to any third party outside of our company and in general only share such information with outsiders as necessary to fulfill your requests, such as to respond to inquiries about content or troubleshooting technology issues, and as needed to provide Our Products & Services.
c. We may de-identify information such that the resulting de-identified data, including de-identified protected health information (PHI), is not individually identifiable information as provided in 45 CFR § 164.514, and we may provide such data in de-identified or aggregated form (combined with other data, results or measurements) to our partners. However, we never disclose aggregate usage or de-identified information to a partner (or allow a partner to collect such information) in a manner that would identify you or any other individual.
d. If you are using Our Products & Services as part of a team, your team leader may have the ability to limit your access and control of Our Products & Services. Please be aware that, under limitations, restrictions, licenses, or any other controls placed by employers, team leaders, or other administrators that you work under, those parties may see or otherwise be provided access to information that you provide to us. We cannot be responsible for the internal agreements, policies, or practices of your university, employer, or team (for example, related to sharing of protected health information (PHI) or other confidential or proprietary data). It is your responsibility to review and ensure you are complying with those agreements, policies, and practices. If you have concerns about any of these types of entities or individuals being provided that information, please review those agreements, policies, and practices, and be mindful of the teams you join or invite others to.
e. In order to cooperate with legitimate governmental requests, subpoenas or court orders, to protect Our Products & Services and other users, or to ensure the integrity and operation of Our Products & Services, we may access and disclose any information we consider necessary or appropriate, including, but not limited to, IP addresses and traffic information, usage history, and uploaded content.
3. SECURITY
We are continuously monitoring and developing ways to keep your information secure. For example, our GoMeyra client APIs and applications use industry standard secure encryption for all communications with our Services. We also continue to work on features, including encryption of files at rest, to keep your information secure. If you wish to protect your data during transmission, it is your responsibility to use a securely encrypted connection to communicate with our Services.
4. RETENTION OF YOUR INFORMATION
We will retain information you store on Our Products & Services for as long as we need it to provide you Our Products & Services. If you delete your account, we will also delete this information. But please note: (1) there might be some latency in deleting this information from our servers and back-up storage; and (2) we may retain this information if necessary to comply with our legal obligations, resolve disputes, or enforce our agreements.
5. THIRD PARTY LINKS
From time to time, Our Products & Services may provide links or other access to third parties. Please be aware that we are not responsible for the content or privacy practices of such third parties. We encourage our users to be aware when they leave Our Products & Services and to read the privacy statements of any third parties that collect personally identifiable information.
6. TERMS OF SERVICE
For more information about using Our Products & Services, please refer to our Terms of Service for information on our other policies and guidelines regarding use of Our Products & Services. Although we do not think it would happen, in the event of any conflicting terms, the Terms of Service are controlling over this Privacy Policy.
8. CONTACT
If you have questions or concerns about this Privacy Policy or any of Our Products & Services, you can contact us via email at support@GoMeyra.com.
XXVII. License
GoMeyra.com HIPAA Compliance Policies by GoMeyra.com, Inc. are licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and available on GitHub.