Terms and Conditions

Withings Terms and Conditions

These Terms and Conditions and appendices define the conditions of sale from WITHINGS Inc, a WITHINGS company with its principal office at 225 Franklin Street, Suite 1250, Boston, MA 02110, hereunder called WITHINGS, to the CLIENT, as named in the Purchase Order, as defined below. By signing the Proforma Purchase Order, the CLIENT hereby agrees to the terms and conditions, which may be updated at any point by notice. The Parties may be referred to as a “Party” or the “Parties”.

CONTENTS

ARTICLE 1. DEFINITIONS

ARTICLE 2. PURPOSE OF THE AGREEMENT

ARTICLE 3. SALES CONDITIONS FROM WITHINGS TO THE CLIENT

ARTICLE 4. SPECIAL TERMS

ARTICLE 5. DESCRIPTION OF THE SERVICES

ARTICLE 6. DURATION OF THE SERVICES

ARTICLE 7. TRACEABILITY – MATERIAL VIGILANCE – PRODUCT RECALL – QUALITY MANAGEMENT – COMPLIANCE

ARTICLE 8. DEVICE WARRANTIES

ARTICLE 9. SUPPORT OF THE SERVICES

ARTICLE 10. CHANGES OF THE SERVICES

ARTICLE 11. QUALITY OF THE SERVICES

ARTICLE 12. DATA PROTECTION

ARTICLE 13. CONFIDENTIALITY

ARTICLE 14. INTELLECTUAL PROPERTY

ARTICLE 15. TERMINATION OF THE AGREEMENT

ARTICLE 16. REPRESENTATIONS & WARRANTIES

ARTICLE 17. INSURANCE – LIABILITY – INDEMNIFICATION

ARTICLE 18. MISCELLANEOUS

ARTICLE 1. DEFINITIONS

“Agreement” means the Sale Conditions herein.

“CLIENT Data” means (a) all data and information the CLIENT submits or transmits to WITHINGS, excluding any PHI (as defined below) necessary for the Services; and (b) data, records and information WITHINGS generates that relates directly to the Services for the CLIENT under this Agreement, exclusive of information or documentation that WITHINGS generates for use in WITHINGS’ business generally or for use with multiple clients and exclusive of De-Identified Data as defined below. CLIENT Data explicitly does not include PHI (defined below), which is defined in and governed by the Business Associate Agreement entered into between the Parties.

“Commitment” means the CLIENT’s engagement to resell the Devices exclusively for its wellness or health management Program.

“Confidential Information” as used in Article 4. Special Terms means any information relating to the business of the other Party that may be divulged to the other Party while not generally known to the public.

“Delivery address” means the delivery address as mentioned in the Purchase Order.

“End Users” means the participants in the CLIENT’s wellness or health management Program.

“Effective Date” means the execution date agreed by both parties in the Purchase Order.

“Device” or “Devices” are product(s) designed and manufactured by WITHINGS.

“Program” means the CLIENT’s wellness or health management program, for which the CLIENT is entering into the Agreement.

“Purchase Order” means a written agreement between WITHINGS and the CLIENT, authorizing the purchase of goods and services.

“Territory” means the United States of America.

“WITHINGS Data” means: (a) all data, software (in any form) and information WITHINGS submits or transmits to the CLIENT regarding WITHINGS; (b) all data, records and information generated in WITHINGS’s business or operations, including any information relating to WITHINGS’s subcontractors and/or affiliates; (c) all WITHINGS Intellectual Property (defined below), together with all derivative works of the WITHINGS Intellectual Property; and (d) data, records or information occurring in any form, including written, graphic, electronic, visual or fixed in any tangible medium of expression and whether developed, generated, stored, possessed or used by WITHINGS, CLIENT, or a third party if related to the items described in (a) through (c) above. WITHINGS Data does not include any data or information that relates exclusively to CLIENT or CLIENT’s business, operations or activities.

ARTICLE 2. PURPOSE OF THE AGREEMENT

2.1. Superiority of the Conditions on orders. Any order of the CLIENT to WITHINGS requires an acceptance of these Conditions. These Conditions cannot be modified by different conditions that would appear on the CLIENT’s order. An order is executory only after WITHINGS has expressly accepted it. 2.2. Right to redistribute. The CLIENT commits to resell the Devices exclusively for its health management Program (the Commitment), without any right of redistribution outside of its Program. Failure to respect the Commitment may cause termination of the Agreement without notice. WITHINGS will be entitled to seek redress, by any means it deems appropriate. The Commitment not to resell the Devices survives the Agreement. WITHINGS reserves the right to update these terms at any time upon written notice.

ARTICLE 3. SALES CONDITIONS FROM WITHINGS TO THE CLIENT

3.1. Purchase Orders. Conditions of the Purchase Orders. All Purchase Orders specify the quantity and type of Device(s) ordered and are subject to these Conditions. The CLIENT notifies WITHINGS, via Purchase Orders, an automatic ordering system or such other process mutually agreed by the Parties, of new orders and provides WITHINGS all End Users’ information necessary to ship the Devices to the End Users. WITHINGS will only process Purchase Orders that strictly respect its template. 3.2. Acceptance of the Purchase Order. A Purchase Order is enforceable after WITHINGS has expressly accepted it. WITHINGS processes the Purchase Order within 3 business days of receipt of the order. WITHINGS may reject orders for, without limitation, non-compliance with these Conditions, being out of stock, or the existence of overdue amounts unpaid by the CLIENT. A Purchase Order cannot be modified once shipped by WITHINGS. 3.3. Delivery of the Devices. a. For bulk shipment. WITHINGS will arrange the shipment of the Devices under the Incoterms DAP Delivery Address (INCOTERMS 2020). WITHINGS will ship the Devices to the CLIENT’s logistic facility within the Territory, as defined on the Purchase Order. WITHINGS will charge the incurred shipping costs to the CLIENT. b. For drop shipment. WITHINGS sends the ordered Devices to the addresses contained in the order transmitted by the CLIENT, provided that each address is located in the United States, to the exclusion of any other territory, under the Incoterms DAP Delivery Address (INCOTERMS 2020). If an incorrect address is supplied by the CLIENT to WITHINGS: (i) WITHINGS cannot change the address once the order is processed; the End User is responsible for changing the address with the shipping carrier; (ii) if the End User cannot manage to change the shipping address, the CLIENT must submit a new order and will be invoiced for it. WITHINGS provides shipping and tracking information to the CLIENT and sends a shipment confirmation email to the End User. WITHINGS will charge the incurred shipping costs to the CLIENT. 3.4. Suspension of delivery. If the CLIENT fails to comply with its obligations after a period of thirty (30) days following notification by WITHINGS, WITHINGS is authorized to suspend the shipments. Shipments are fully restored as soon as the CLIENT has paid the full amount due to WITHINGS.

ARTICLE 4. SPECIAL TERMS

4.1. Entry into force and duration. This Agreement enters into effect on the date of signature of both Parties on the Purchase Order and remains in effect until the mutually agreed-upon date written on the Purchase Order. 4.2. Application of the present Agreement. If WITHINGS should continue to sell its products to the CLIENT after termination of this Agreement, such sales shall be subject to new terms and conditions, and such additional sales by WITHINGS shall not constitute a renewal of this Agreement. 4.3. Payment Terms. All orders of Devices and Services are invoiced and paid as outlined on the applicable pro forma for each Purchase Order. Payment terms are subject to a credit check performed by WITHINGS. WITHINGS reserves the right to charge interest on any past due amounts at a rate of the lesser of one and one-half percent (1.5%) per month or the highest rate allowed by law, and the CLIENT shall indemnify WITHINGS for all costs, including expenses and attorney’s fees, incurred by WITHINGS in the collection of overdue payments. Upon signature of the Purchase Order, a separate invoice will be generated for the integration work of the API Enterprise and/or SDK, where applicable. The invoice for the integration work will be due upon receipt. 4.4. Conditionality of the sales conditions. The Purchase Price is designed especially for the CLIENT according to the shipment conditions. Any modification of the sales conditions as outlined in the Purchase Order may result in a change of the Purchase Price. 4.5. Price of the Products sold by WITHINGS to the CLIENT. Products are invoiced by WITHINGS to the CLIENT at the unitary price listed on the Purchase Order. The CLIENT commits to order each Product in multiples of the Case Quantities listed on the relevant Purchase Order. These prices do not include applicable local taxes and shipment. 4.6. Discounts and Disclosures. When Federal Funding is involved, prices invoiced for Products purchased reflect the negotiation between WITHINGS and the CLIENT (such as “Discounts or Other Reductions in Price” under 42 U.S.C. Section 1320a-7b(b)(3)(A), here called the “Concession”). The CLIENT shall report any Concession in the fiscal year in which it was earned or the year after. WITHINGS shall provide additional information requested by the applicable Medicare or state health care program to assist the CLIENT in meeting its reporting requirement. 4.7. Provision of Services. WITHINGS grants the CLIENT a license to use data Services such as SDK, HUB, and/or API, if desired, as outlined in Article 5 of this Agreement. 4.8. Contact Points for Incident and Security Management. WITHINGS reports to the CLIENT, in a timely manner, any use or disclosure of protected health information not provided for by the Agreement of which it becomes aware, including breaches of unsecured protected health information and any security incident of which it becomes aware. The CLIENT shall provide WITHINGS with relevant contact points for security and privacy. The CLIENT can contact WITHINGS’ (i) Security Officer at security@withings.com and (ii) Data Privacy Officer at privacy@withings.com. 4.9. Data Protection Commitments Applicable to the Agreement. WITHINGS and the CLIENT ensure that they are processing personal data in conformity with laws, regulations and the Business Associate Agreement. 4.10. Confidentiality of Sale Conditions. The Parties agree to keep confidential the sales conditions established in the Purchase Order, especially the unitary sale price of Products.

ARTICLE 5. DESCRIPTION OF THE SERVICES

5.1. Provision of Services. WITHINGS grants the CLIENT a license to use data Services such as SDK, HUB, and/or API, as outlined on the relevant Purchase Order. 5.2. Implementation of the SDK. a) Description of Services. The description of the SDK is available online and validated by the CLIENT before starting integration: https://developer.withings.com/sdk/#/?id=native-sdk. b) Implementation fee. The SDK has a single implementation fee, agreed upon by the Parties in the Purchase Order, invoiced by WITHINGS to the CLIENT at the activation of the SDK. 5.3. Cellular connectivity. a) Description of Services. The description of the Hub is available online and validated by the CLIENT before starting integration: https://developer.withings.com/developer-guide/v3/withings-solutions/cellular-solutions. b) Pricing. The Pro Device/Cellular Data Hub pricing includes one (1) year of cellular connectivity via the Cellular Data Hub/Pro Devices starting from the first activation of a Device. At the end of the first year, WITHINGS will invoice the CLIENT for cellular connectivity at the rate agreed upon in the Purchase Order, unless the CLIENT has terminated the cellular connectivity feature. 5.4. Subscription to WITHINGS Enterprise API Services. a) Description of Services. The description of the Platform is available online and validated by the CLIENT before starting integration: https://developer.withings.com/oauth2/. WITHINGS grants the “Enterprise API” CLIENT the following functionalities:

– Access to WITHINGS health and wellness data

– Recommended for apps with more than five thousand (5,000) unique active users

– 1,500 requests per minute (more upon request)

– Instant data update notification service

– Enterprise SLA

– Email support

As part of the Services, the CLIENT has access to the Dashboard to monitor the Services. In the event that the CLIENT exceeds the allowed requests per minute, the CLIENT and WITHINGS meet to accommodate the number of requests. b) Fees. The price of the API Services consists of a yearly fee, as agreed upon by the Parties in the Purchase Order, for access to the advanced API services. 5.5. Service Price Increase. WITHINGS reserves the right to increase the price of the Services for the following years, provided that the price increase does not exceed 20%.

ARTICLE 6. DURATION OF THE SERVICES

6.1. Entry into force of the subscription. The subscription to the Services starts as of the day of the activation of the Service by WITHINGS. 6.2. Term of the subscription. The subscription to the Services is entered into for a period of twelve (12) months and automatically renewable for a period of twelve (12) months. 6.3. Termination without cause. Subscription to the Services may be terminated by either Party upon two (2) months’ written notice. 6.4. Termination with cause. Each Party may terminate the subscription to the Services in the event of non-performance by the other Party of one of its obligations under the Agreement and which has not been remedied within thirty (30) days of notification of such non-performance by the other Party by written notice.

ARTICLE 7. TRACEABILITY – MATERIAL VIGILANCE – PRODUCT RECALL – QUALITY MANAGEMENT

7.1. Traceability. The Parties agree to implement and maintain traceability procedures to enable them to know the location of each Device at all times. WITHINGS shall implement the necessary procedures to ensure the traceability of the Devices until their delivery, and the CLIENT shall implement and maintain the necessary procedures to ensure the traceability of the Devices from the date of delivery. 7.2. Device vigilance. As soon as an incident or risk of incident involving the Devices is reported, the CLIENT shall send WITHINGS notification prior to sending any declaration to the administrative authorities in question, and a copy of any declaration sent by the CLIENT to any administrative authorities as soon as possible. 7.3. Procedure for the administrative withdrawal of the Devices. The Party informed of a decision by a competent administrative authority to withdraw the Devices shall inform the other Party without delay, specifying in particular: (i) the serial numbers of the Devices concerned; (ii) the diagnosis of the defect identified and the estimated recurrence of this defect in all the Devices delivered; (iii) the possible consequences of the failure for the users; (iv) the repair measures to be implemented and the action plan proposed for this purpose and, where applicable, the communication plan envisaged. In the case of Devices installed at users’ premises and subject to a withdrawal decision by the competent administrative authority, the CLIENT must alert and inform users and, where applicable, proceed to the withdrawal of the Devices concerned. WITHINGS will replace the Devices withdrawn. Shipping costs by post shall be borne by the CLIENT for the shipment to WITHINGS and by WITHINGS for the return shipment to the CLIENT. 7.4. Cooperation. The CLIENT provides WITHINGS a summary of feedback, including complaints received for the supplied Devices, at least every quarter. 7.5. Quality Management System. WITHINGS and the CLIENT shall implement and maintain a quality management system in accordance with the applicable regulatory requirements (or parts thereof), including 21 CFR 820 where applicable. 7.6. Specific provisions applying within the United States of America. a) Mandated Disclosures. Where applicable, until the expiration of four (4) years after the furnishing of any WITHINGS Devices pursuant to this Agreement, WITHINGS shall make available, upon written request from the Secretary of the United States Department of Health and Human Services or from the United States Comptroller General, or any of their duly authorized representatives, this Agreement and such books, documents and records as are necessary to certify the nature and the extent of the reasonable cost of WITHINGS Devices to the CLIENT. b) No Exclusion. Each Party warrants that it is not, nor hires, retains or uses any individual or entity that is, excluded, debarred, suspended or otherwise ineligible to participate in (collectively, “debarred”) federal or state healthcare programs, or federal or state procurement or non-procurement programs, in connection with obligations set forth in this Agreement, including without limitation persons or entities listed on the HHS/OIG List of Excluded Individuals/Entities (http://exclusions.oig.hhs.gov/search.aspx) or the SAM exclusion database (https://www.sam.gov/portal/public/SAM), or persons or entities debarred by the FDA. Either Party shall have the right to terminate this Agreement immediately without further obligation in the event that the other Party becomes debarred or hires, retains, or uses an individual or entity that is debarred. c) Compliance Program. The Parties acknowledge that WITHINGS maintains a corporate compliance program. The WITHINGS Compliance Program is intended to prevent compliance violations and to promote education related to fraud, abuse, false claims (including but not limited to the Deficit Reduction Act provisions), excess private benefit, and inappropriate referrals. The CLIENT may report any regulatory compliance concern to WITHINGS. The CLIENT acknowledges WITHINGS’ commitment to the WITHINGS Compliance Program and agrees to consider WITHINGS’ reasonable requests for information relative to the WITHINGS Compliance Program. d) Non-Discrimination. The Parties do not unlawfully discriminate in any way on the basis of race, color, gender, religion, ancestry, national origin, sexual preference or orientation, veteran status, age, or physical or mental handicap.

ARTICLE 8. DEVICE WARRANTIES

8.1. Devices provided as described by WITHINGS. WITHINGS warrants that the Devices are compliant with the descriptions of the Devices, which are available online and validated by the CLIENT prior to the sale of the Devices to the CLIENT: https://www.withings.com/. 8.2. Support of the Devices by WITHINGS. Support of the Devices to final users is provided by the CLIENT. The CLIENT may contact WITHINGS’ support for additional assistance following the documentation provided by WITHINGS. 8.3. Allocation of liabilities between the Parties. WITHINGS is liable for warranty and support towards the CLIENT, and the CLIENT is liable for warranty and support towards end users. 8.4. Devices’ Return. Except for Devices covered under the WITHINGS Device Warranty, WITHINGS does not accept Device returns for any reason once a Device has been provided to an end user. The CLIENT shall not return units of the Device to WITHINGS nor be refunded by WITHINGS (nor permit or direct end users to return units or receive a refund), except and only to the extent pursuant to a WITHINGS-verified warranty claim based on WITHINGS’ Standard Device Warranty as available on its website. The CLIENT is responsible for the cost of transportation to WITHINGS’ designated warehouse. RMA procedures can be modified by WITHINGS.

ARTICLE 9. SUPPORT OF THE SERVICES 

9.1. Support Services. WITHINGS will provide technical and/or customer support services to the CLIENT (including Participating Patients, physicians, and staff) via telephone and internet on weekdays between 9:00 am and 6:00 pm CET, 9:00 am and 5:00 pm EST, and 6:00 am and 2:00 pm PST (the Support Hours). The CLIENT may initiate a CLIENT Support ticket 24 hours a day, seven days a week, through the WITHINGS Help Center. WITHINGS will use commercially reasonable efforts to respond to all CLIENT Support tickets within two (2) business days during Support Hours, but WITHINGS does not represent, warrant, or guarantee that all tickets will be responded to within such time frame. 9.2. Maintenance of the Services. WITHINGS reserves the right to suspend access to the Services, in the event of maintenance of the Services, with one week’s notice, provided that the suspension does not last more than two (2) hours from Monday to Friday between 9 am and 6 pm EST, and eight (8) hours the rest of the time. 9.3. Suspension of the Services. WITHINGS reserves the right to temporarily suspend access to the Services, without prior notice and without payment of any compensation to the CLIENT, in the event of the detection of a malfunction specific to the CLIENT that could damage the data management system. During the temporary suspension of access to the Services, WITHINGS continues to provide the other Services and the CLIENT assumes its obligations. In the event that the CLIENT fails to comply with its obligations at the end of a period of fifteen (15) days following a notification sent to the CLIENT by WITHINGS that has remained without effect, WITHINGS is entitled to suspend the Services. The Services are fully restored as soon as the CLIENT has complied with its obligations. 9.4. Quality Commitments. a) CLIENT’s Commitment. The CLIENT agrees to implement reasonable and appropriate physical, technical and administrative security measures to (i) protect the CLIENT Application from unauthorized access, and (ii) prevent the introduction of Malicious Code into the Platform and/or Services. The CLIENT also agrees that it is responsible for backing up all Customer Data. b) WITHINGS’ Commitment. WITHINGS agrees to implement reasonable and appropriate physical, technical and administrative security measures to (i) help secure data against accidental or unlawful loss, access or disclosure, (ii) protect the integrity of the Services, and (iii) prevent the introduction of Malicious Code into the CLIENT’s application. In addition, WITHINGS maintains a compliance program that includes third-party audits and certifications.

ARTICLE 10. CHANGES OF THE SERVICES

10.1. Embedded software improvements. In order to improve the quality of the Services, WITHINGS reserves the right to improve the software embedded in the Devices by replacing it with new versions without reducing the quality of the Services. 10.2. Evolution of the Services. WITHINGS reserves the right to make changes to the configuration of the technical solutions relating to the data server at any time, provided that the quality of the agreed Services is at least maintained at the technical, organizational, and financial levels and that the CLIENT is notified thereof. 10.3. Updates to the Services. In order to improve the quality of the Services, WITHINGS reserves the right to update the Services in the form of new versions. 10.4. Degradation of services. If any of the modifications in this section cause a material degradation to the Services, including any degradation rendering the Services impossible to use, then the CLIENT may terminate the Services for breach. By continuing to use the Services after the effective date of any modifications mentioned in this Section, the CLIENT unconditionally agrees to the changes.

ARTICLE 11. QUALITY OF THE SERVICES

11.1. Availability of Services. WITHINGS will use its best efforts, in accordance with the Description of the Services, to reach a monthly uptime percentage of the Services of 99.9 percent, as part of its duty of care to provide the Services. In case WITHINGS delivers the API Enterprise Services below the monthly uptime percentage, WITHINGS provides a credit note to the CLIENT, limited to one month’s fee for the API Enterprise Subscription of the Services. WITHINGS reserves the right to suspend access to the Services, in the event of necessity related to the maintenance of the Services, with one week’s notice, provided that the suspension does not last more than two (2) hours from Monday to Friday between 9 am and 6 pm EST, and eight (8) hours the rest of the time. 11.2. Exceptional Situations. In the event of suspension of the Services, WITHINGS undertakes to restore the availability of the Services under the following conditions: (i) in the event of a critical incident (i.e. a customer-facing service is down for all customers, confidentiality or privacy is breached, or customer data is lost) or a major incident (i.e. a customer-facing service is unavailable for a subset of customers, or core functionality is significantly impacted), WITHINGS undertakes to correct the malfunction or provide a workaround within a period of seventy-two (72) hours following notification of such malfunction on the US cloud, or five (5) business days following notification of such malfunction on the EU cloud; (ii) in the event of a minor incident (i.e. a minor inconvenience to the customer, or a usable performance degradation), WITHINGS undertakes to correct the malfunction or provide a workaround within fourteen (14) working days following notification of such malfunction. 11.3. Data transmission services through the HUB. The CLIENT acknowledges that the data is transmitted via the HUB using cellular connectivity and that the technologies contain inherent limitations: a) if a natural disaster, incident, or any other emergency situation occurs or is likely to occur, the data transmission may be restricted in order to give priority to communications whose content is necessary for the prevention of or relief from calamities, for the securing of transportation, communications or electric power supply, the maintenance of public order or any other public interest; b) if the Patient lives in a dead zone with poor connection, the data transmission cannot be guaranteed.

ARTICLE 12. DATA PROTECTION

12.1. Guarantee. WITHINGS and the CLIENT ensure that they are processing personal data in conformity with applicable laws and regulations, and the relevant Annex. 12.2. Sanction. If one of the Parties violates one of the applicable regulations, including the relevant Annex on data protection, through the use of the Devices, the other Party will have the right to terminate the Agreement outright and without prior notice, without effect on the sums remaining due between the Parties up to the termination date of the present Agreement, namely for the Devices delivered and still unpaid and for the ordered Devices remaining to be delivered and paid.

ARTICLE 13. CONFIDENTIALITY

13.1. Confidential Information Defined. “Confidential Information” means any and all non-public technical and non-technical information disclosed by one Party (the “Disclosing Party”) to the other Party (the “Receiving Party”) in any form or medium, exchanged between the Parties. Confidential Information includes, without limitation, (a) techniques, inventions, know-how, processes, algorithms, software programs, software source and object code and documents, APIs, and other creative works; (b) financial information, customer lists, business forecasts, and marketing plans and information; (c) the business relationships and affairs of either Party and its customers, patients, and referral sources; (d) the internal policies and procedures of either Party; (e) proprietary or confidential information of any third party who may disclose such information to the Disclosing Party or the Receiving Party in the course of the Disclosing Party’s business; and (f) the terms of this Agreement. WITHINGS’ Confidential Information includes the Services and WITHINGS Data. Confidential Information of the CLIENT includes the CLIENT Data. Confidential Information also includes all summaries and abstracts of Confidential Information. In addition, Confidential Information excludes PHI, which must be protected according to the BAA. 13.2. Exceptions. The term “Confidential Information” shall not include any information which, as evidenced by the Receiving Party’s records: (i) was known by the Receiving Party prior to receipt from the Disclosing Party, either itself or through receipt directly or indirectly from a source with no obligation of confidentiality to the Disclosing Party; (ii) was developed by the Receiving Party without use of the Disclosing Party’s Confidential Information; or (iii) becomes publicly known or otherwise ceases to be secret or confidential, except as a result of a breach of this Agreement or any obligation of confidentiality by the Receiving Party. 13.3. Confidential Information Terms. The Receiving Party will, at all times, both during the term and thereafter, keep in confidence and trust all of the Disclosing Party’s Confidential Information. The Receiving Party will not use the Disclosing Party’s Confidential Information other than as necessary to fulfill the Receiving Party’s obligations or to exercise the Receiving Party’s rights under this Agreement. Either Party may disclose the other Party’s Confidential Information upon the order of any competent court or government agency; provided that, prior to disclosure and to the extent possible, the Receiving Party must (i) assert the confidential nature of the Confidential Information to the agency; (ii) immediately notify the Disclosing Party in writing of the order or request; and (iii) cooperate fully with the Disclosing Party in protecting against any such disclosure and/or narrowing the scope of the compelled disclosure. Each Party agrees to secure and protect the other Party’s Confidential Information with the same degree of care and in a manner consistent with the maintenance of such Party’s own Confidential Information (but in no event less than reasonable care). The Receiving Party will not disclose Confidential Information of the Disclosing Party to any person or entity other than its officers, employees, affiliates and agents who need access to such Confidential Information in order to effect the intent of this Agreement and who are subject to confidentiality obligations at least as stringent as the obligations set forth in this Agreement. 13.4. Injunctive Relief. The Parties agree that any unauthorized disclosure of Confidential Information may cause immediate and irreparable injury to the Disclosing Party and that, in the event of such breach, the Disclosing Party will be entitled, in addition to any other available remedies, to seek immediate injunctive and other equitable relief, without bond and without the necessity of showing actual monetary damage.

ARTICLE 14. INTELLECTUAL PROPERTY

14.1. Trademark Licenses. a) CLIENT’s Trademarks. The CLIENT hereby grants to WITHINGS and its affiliates a worldwide, non-exclusive, non-transferable, royalty-free right to use the CLIENT’s trade names, trademarks, service marks or logos (the “CLIENT’s Marks”) in connection with certain promotional materials identifying the CLIENT as a WITHINGS client. All advertisements and other promotional materials using the CLIENT’s Marks which are prepared by WITHINGS shall include an appropriate notice indicating that such Marks are the property of the CLIENT. b) WITHINGS’ Trademarks. All Devices sold to the CLIENT bear WITHINGS’ trade names, trademarks, service marks or logos (“WITHINGS’ Marks”). The CLIENT shall not remove, conceal, nor alter any of WITHINGS’ Marks. The CLIENT acknowledges and agrees that this Agreement grants it no rights in WITHINGS’ Marks, except that WITHINGS grants the CLIENT a limited, non-exclusive license during the term of this Agreement to reproduce WITHINGS’ Marks in advertisements and other promotional materials relating to the Devices in accordance with this Agreement. All advertisements and other promotional materials using WITHINGS’ Marks which are prepared by the CLIENT shall include an appropriate notice indicating that such Marks are the property of WITHINGS. 14.2. WITHINGS Intellectual Property. As between WITHINGS and the CLIENT, all Intellectual Property Rights in the WITHINGS Marks, Services, WITHING, and any other WITHINGS property or materials furnished or made available as part of the Services, and all modifications and enhancements of the same (“WITHINGS Intellectual Property”), belong to and are retained solely by WITHINGS. Nothing in this Agreement is construed to transfer any such rights in any part of the Services to the CLIENT other than as explicitly provided for in this Agreement. The CLIENT shall not re-distribute and/or sublicense the Services or the Devices other than as specifically provided for in this Agreement. 14.3. Developments and Feedback Ownership. Except as otherwise explicitly set forth in this Agreement, all developments generated by or on behalf of WITHINGS, solely or jointly with feedback related to the Services provided by the CLIENT, and all Intellectual Property Rights in the same, are the exclusive property of WITHINGS. The CLIENT agrees to execute any documents or take any actions as may reasonably be necessary to perfect WITHINGS’ ownership of the WITHINGS Developments. 14.4. Limitation. Notwithstanding the above, nothing in this Agreement shall grant either Party an ownership interest, license or other right to the other Party’s trade names, trademarks or service marks, except as expressly provided in this Agreement.

ARTICLE 15. TERMINATION OF THE AGREEMENT 

15.1. Termination without cause. This Agreement may be terminated by either Party at any time upon sixty (60) days’ prior written notice to the other Party. The Parties agree that a notice of two (2) months is deemed sufficient with regard to trade usages.

15.2. Termination with cause.

a) Material Breach. Each Party may terminate the Agreement in the event of a material breach by the other Party if the breach is not cured within thirty (30) days of written notice from the non-breaching Party to the breaching Party.

b) Other Causes. Either Party may terminate this Agreement immediately by providing written notice to the other Party upon the occurrence of any of the following events: (i) either Party reasonably determines the other Party has been or is engaged in unlawful activity associated with the use of the Services; (ii) the indictment or conviction of either Party or its principals, employees, or agents for any felony or misdemeanor involving moral turpitude; (iii) the filing, with respect to either Party, of a voluntary or involuntary petition in bankruptcy, if such petition is not dismissed within thirty (30) days of such filing.

15.3. Effect of Termination. Upon expiration or termination of this Agreement for any reason, (a) the License shall terminate and the CLIENT shall not use or access, directly or indirectly, the Services; (b) WITHINGS’ obligation to perform support services shall cease; and (c) all fees and other amounts owed to WITHINGS accrued prior to expiration or termination will be immediately due and payable.

Further, if the CLIENT has made any copies of any WITHINGS property or materials furnished or made available under this Agreement, the CLIENT shall, within thirty (30) days of the effective date of the expiration or termination, either destroy or return to WITHINGS all such copies, along with a certificate signed by the CLIENT that all such copies have been either destroyed or returned, respectively, and that no copy of any part of the Services, data, or other materials has been retained by the CLIENT in any form.

ARTICLE 16. REPRESENTATIONS AND WARRANTIES

16.1. Mutual Representations and Warranties. Each Party represents, warrants and covenants that: (a) it has the full power and authority to enter into this Agreement and to perform its obligations hereunder, without the need for any consents or approvals not yet obtained; (b) its acceptance of and performance under this Agreement will not breach any oral or written agreement with any third party or any obligation it owes to any third party; and (c) it will comply with any and all applicable local, state, and/or national laws or regulations applicable to such party, including, without limitation, those related to PHI, Covered Entities, and Business Associates as each term is defined under HIPAA, and any other laws or regulations regarding data privacy and transmission of personal data.

16.2. Third-Party Materials. The CLIENT understands that using, accessing, or obtaining information, materials, or data through the Services from a source other than WITHINGS (“Third Party Materials”) is at its own discretion and risk, and that the CLIENT will be solely responsible for any damage to its or its authorized users’ property or loss of data that results from the download of such material or data.

16.3. Practice of Medicine. The CLIENT agrees and acknowledges that WITHINGS is in no way acting as a medical provider, nor is WITHINGS providing 24/7 continuous, synchronous, or emergency monitoring or alerting. The CLIENT further acknowledges and agrees that any information, processes, Devices, and other items referenced by WITHINGS or its services are not intended as a recommendation or endorsement of that information, process, product, or other item, and that the ultimate responsibility for diagnosing and treating any patient rests with the CLIENT and/or its healthcare providers treating such patient.

16.4. Disclaimer. Except for the express warranties set forth in this section, the Services, Support documentation, and any other services, data, and content (inclusive of third-party services, Devices, devices and materials) are provided on an as-is basis. The CLIENT’s use and/or purchase of the Services are at its own risk. WITHINGS does not make any other express or implied warranties, including, without limitation, fitness for purpose, non-infringement and accuracy (of data or any other information or content). WITHINGS does not guarantee continuous, error-free, virus-free or secure operation of and access to the Services.

16.5. Basis of the Bargain. The warranty disclaimers and the limitation of liability reflect a reasonable and fair allocation of risk between the CLIENT and WITHINGS, and form an essential basis of the agreement, without which WITHINGS would not enter into such agreement.

ARTICLE 17. INSURANCE, LIABILITY AND INDEMNIFICATIONS

17.1. Scope of Liability.

a) Parties’ Liability. Except for breaches of confidentiality or for the indemnification obligations under Section 16.3 (“CLIENT indemnification”) below, a Party has no liability to the other Party for any loss of profits, business interruption, lost profits, lost revenue or lost business arising out of or in connection with this Agreement, or for any indirect, special, incidental, consequential, exemplary, or punitive damages. Neither Party shall be liable for any amount greater than the amounts paid and payable by the CLIENT to WITHINGS under this Agreement during the six (6) month period preceding the date on which the claim first accrued, without regard to whether such claim is based in contract, tort, product liability or otherwise.

b) CLIENT’s Liability. The CLIENT is solely liable for (i) the use of the Services in compliance with the laws in force, medical secrecy, and the CLIENT’s internal Rules, (ii) the fitness of the Services to its needs, (iii) the compatibility of its hardware and software environment with the Services, and (iv) the lawfulness and accuracy of the data.

17.2. WITHINGS’ Indemnification.

a) Content of WITHINGS’ Indemnification. Subject to Section 13.1.a) (“Parties’ Liability”) above, WITHINGS agrees to defend, indemnify and hold harmless the CLIENT and its Affiliates from and against successful third-party claims and all liability (including, but not limited to, reasonable expense of litigation and settlement of such claims), assessments, losses, costs, or damages resulting from or arising out of WITHINGS’ infringement or violation of any intellectual property rights, or other third party’s rights or privacy, including any breach of personally identifiable data (“Infringement Claim”).

b) Remedies. WITHINGS may, at its election and sole expense, (i) modify the Services so that such Services are non-infringing and functionally equivalent; or (ii) obtain the right for the CLIENT and the CLIENT’s patients to continue using the Services at no additional cost to the CLIENT. If none of the foregoing is commercially practicable, WITHINGS may immediately terminate this Agreement upon reasonable notice to the CLIENT.

17.3. CLIENT’s Indemnification. CLIENT agrees to defend, indemnify and hold harmless WITHINGS from and against third-party claims and all liability (including, but not limited to, reasonable expense of litigation and settlement of such claims), assessments, losses, costs, or damages resulting from or arising out of the improper use or operation of the Services by the CLIENT and its users. CLIENT also agrees to defend, indemnify and hold harmless WITHINGS from and against (i) a breach of the Agreement; (ii) the accuracy, quality, integrity, legality, reliability or appropriateness of the CLIENT Data or any other content or data introduced to any part of the Services by any User; (iii) violation of any applicable law, rule or regulation by the CLIENT or any of the users; (iv) the diagnosis and/or treatment of any of the CLIENT’s patients; and/or (v) the negligent acts or willful misconduct of the CLIENT or its personnel. The CLIENT will pay such losses (whether by settlement or by award of a final judicial judgment) incurred by WITHINGS from any such claim.

17.4. Indemnification Procedure. Each Party shall promptly notify the other Party in writing of any Claim for which it is seeking indemnification. Such claim for indemnification shall include (i) the amount that the Party believes the other Party must pay for the damages, (ii) the basis upon which the amount of such damages is calculated, and (iii) the nature and evidence of the facts giving rise to the claim or which serve as the basis for the claim. The failure of the Party seeking indemnification to give prompt notice to the other Party shall not adversely affect its right to indemnification, except to the extent that it would adversely affect the right of the other Party to assert a reasonable defense to such claim.

17.5. Limitations of liabilities.

a) Exemption of WITHINGS’ liability due to third parties. The Services are provided through third-party carriers (such as, but not limited to, Internet or telecom providers), whether owned, maintained and/or serviced by such third-party carriers, that are beyond WITHINGS’ control, and WITHINGS bears no liability for any damage arising from the action or inaction of such carriers.

b) Force Majeure. If any Party is unable to perform any of its obligations under this Agreement (with the exception of payment obligations) because of any cause beyond the reasonable control of and not the fault of the Party invoking this Section, including any act of God, fire, casualty, flood, earthquake, war, strike, lockout, epidemic or pandemic, destruction of production facilities, riot, insurrection or material unavailability, and if the non-performing Party has been unable to avoid or overcome its effects through the exercise of commercially reasonable efforts, such non-performing Party will give prompt notice to the other Party, its performance will be excused, and the time for its performance will be extended for the period of delay or inability to perform due to such occurrences. If performance is extended under this Section for more than sixty (60) days, then at any time before reinstatement of the performance, the other Party may terminate this Agreement upon notice to the non-performing Party.

17.6. Limitation of Action. No action (regardless of form) arising out of this Agreement may be commenced by the CLIENT against WITHINGS more than two (2) years after the cause of action arose.

17.7. Insurance.

a) Procedure. If the CLIENT discovers several defective or non-conforming Devices, the CLIENT must inform WITHINGS without delay and provide WITHINGS with all available information about the Devices concerned. Except in the case of a dispute justifying the use of an expert assessment or in the case of an administrative decision by a competent authority preventing the CLIENT from doing so, the CLIENT shall return the Devices in question to WITHINGS, at WITHINGS’ first request, in order to enable WITHINGS or its insurers to carry out any inspection and any analysis of the causes of the defect or non-conformity of the Devices concerned, at any place that WITHINGS may deem appropriate.

b) Insurance Coverage. During the Term, the CLIENT and WITHINGS shall each maintain, at its own expense and in the minimum amounts specified herein, commercially reasonable insurance coverage in accordance with applicable industry standards and state and federal laws, rules, and regulations:

(i) Professional Errors & Omissions insurance with limits of Five Million Dollars ($5,000,000) per occurrence and Five Million Dollars ($5,000,000) in aggregate.

(ii) Commercial General Liability insurance with limits of Two Million Dollars ($2,000,000) per occurrence and Two Million Dollars ($2,000,000) in aggregate.

ARTICLE 18. MISCELLANEOUS

18.1. Independent Relationship. The relationship between the Parties is solely that of independent contractors. This Agreement will not create a joint venture, partnership, agency, employment or other relationship between the Parties.

18.2. Amendments. No amendment or modification to this Agreement shall be effective unless mutually agreed to, in writing and signed by both Parties.

18.3. Assignment. This Agreement shall be binding on and inure to the benefit of permitted successors and assigns. Neither Party may assign or transfer this Agreement or any of its rights or obligations hereunder to any third party without the other Party’s prior written consent; however, WITHINGS may assign or transfer this Agreement, without the CLIENT’s consent, to any of WITHINGS’ affiliates, subsidiaries, entities controlled by or under common control with WITHINGS, or in the event of a merger, change of control or sale of substantially all of its assets.

18.4. Waiver. A Party’s right to enforce a provision of this Agreement may only be waived in writing, signed by the Party against which the waiver is to be enforced. Failure to enforce any provision of this Agreement in any one instance will not be construed as a waiver of future performance of that provision, and the Party’s obligations under that provision will continue in full force and effect.

18.5. Subcontractors. WITHINGS may use its affiliates or subcontractors to perform its obligations under this Agreement.

18.6. Survival. Any term of this Agreement that contemplates performance after termination of this Agreement will survive expiration or termination and continue until fully satisfied.

18.7. Severability. The provisions of this Agreement are severable. Any provision that is invalid or unenforceable in any jurisdiction will be construed and enforced as if it had been narrowly drawn so as not to be invalid, illegal or unenforceable, to the extent possible, and its invalidity or unenforceability will in no way affect the validity or enforceability of this entire Agreement or any of its other provisions, except if such invalidity or unenforceability undermines the essence of this Agreement.

18.8. Construction of the Agreement. The Parties have had the opportunity to review the Agreement with an attorney of their respective choice and have agreed to all its terms. Under these circumstances, the rule of construction that a contract be construed against the drafter shall not be applied in interpreting this Agreement, and in the event of any ambiguity in any of the terms or conditions of this Agreement, including any Annexes hereto, such ambiguity shall not be construed for, or against, any Party on the basis that such Party did or did not draft the Agreement.

18.9. Law & Venue.

a) Governing law. This Agreement, any additional applicable terms and conditions, and each Party’s rights and obligations under each will be governed by and construed in accordance with the laws of the State of Massachusetts, without giving effect to conflicts of law principles.

b) Jurisdiction. The Parties shall use their best efforts to amicably settle any dispute arising out of the Agreement. Unless an amicable settlement is found, any persistent dispute relating to the formation, interpretation, application, performance or termination of the Agreement shall be subject to the jurisdiction of the State of Massachusetts, and both Parties waive any objection to the jurisdiction of such courts.

18.10. Notices. Any notices, requests, consents, demands or other communications required or permitted under this Agreement will be in writing and will be deemed to have been duly given when either delivered by certified mail (return receipt requested) or delivered personally by commercial courier.

18.11. Signature. A signed copy of the Purchase Order transmitted by means of electronic transmission shall be deemed to have the same legal effect as delivery of an original executed copy of this Agreement.

APPENDIX 2A – BUSINESS ASSOCIATE AGREEMENT 

This Business Associate Agreement (the “BAA”) is made and entered into on the “Effective Date” by and between WITHINGS and the CLIENT, hereinafter referred to individually as a “Party” and together as “the Parties.”

WHEREAS,  

  • WITHINGS provides certain functions, activities, and services (the “Services”) to CLIENT, as a Business Associate;
  • CLIENT is either a “Covered Entity” (and WITHINGS may create, receive, maintain, or transmit Protected Health Information (“PHI”) for, or on behalf of, CLIENT, a Covered Entity); or a “Business Associate of a Covered Entity” (and WITHINGS may create, receive, maintain, or transmit PHI for, or on behalf of, CLIENT, who is a Business Associate of its Covered Entity clients, and WITHINGS’ provision of the Services would make WITHINGS a Business Associate of CLIENT as its subcontractor);
  • The Parties intend to comply with requirements under the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations (collectively, “HIPAA”) to protect the privacy and security of PHI and wish to set forth the terms and conditions pursuant to which PHI will be used and disclosed.

THEREFORE, WITHINGS and CLIENT agree as follows:

SUMMARY

ARTICLE 1. DEFINITIONS

ARTICLE 2. GENERAL TERMS

ARTICLE 3. OBLIGATIONS AND ACTIVITIES OF WITHINGS

ARTICLE 4. PERMITTED USES AND DISCLOSURES BY WITHINGS

ARTICLE 5. OBLIGATIONS OF CLIENT

ARTICLE 6. TERM AND TERMINATION

ARTICLE 7. MISCELLANEOUS

ARTICLE 1. DEFINITIONS

Breach shall have the same meaning as the term “breach” at 45 CFR § 164.402.

Business Associate shall have the same meaning as the term “business associate” at 45 CFR § 160.103.

Covered Entity shall have the same meaning as the term “covered entity” at 45 CFR § 160.103.

Designated Record Set shall have the same meaning as the term “designated record set” at 45 CFR § 164.501.

Electronic Protected Health Information (“ePHI”) shall have the same meaning as the term “electronic protected health information” at 45 CFR § 160.103.

HHS shall mean the United States Department of Health and Human Services.

Individual shall have the same meaning as the term “individual” at 45 CFR § 160.103.

Protected Health Information (“PHI”) shall have the same meaning as the term “protected health information” at 45 CFR § 160.103, limited to the information created or received by WITHINGS from or on behalf of CLIENT. References to PHI shall include, but not be limited to, ePHI.

Secretary shall mean the Secretary of the United States Department of Health and Human Services or his or her designee. 

Security Incident shall have the same meaning as the term “security incident” at 45 CFR § 164.304.

Unsecured Protected Health Information (“Unsecured PHI”) shall have the same meaning as the term “unsecured protected health information” at 45 CFR § 164.402.

ARTICLE 2. GENERAL TERMS

2.1. Interpretation of Provisions. In the event of an inconsistency between the provisions of this BAA and the mandatory terms of HIPAA (as may be expressly amended from time to time), HIPAA shall prevail.

2.2. Provisions Permitted by HIPAA. Where provisions of this BAA are different from those mandated by HIPAA, but are nonetheless permitted by HIPAA, the provisions of this BAA shall control.

2.3. Compliance with Security Policy for Health Information. The CLIENT is required to use the Services in conformity with the CLIENT’s privacy and security policies regarding protected health information. The CLIENT is in particular responsible for the accuracy of the data and for keeping it up to date, for determining a retention period, for deleting the data, for informing the individuals in advance, for managing Patients’ access to health data, and for the security of such data.

2.4. Conflicts with General and Special Terms. In the event of an inconsistency between the provisions of this BAA and the General Terms and Special Terms, the provisions of this BAA shall prevail to the extent necessary to allow the Parties to comply with HIPAA.

ARTICLE 3. OBLIGATIONS AND ACTIVITIES OF WITHINGS

3.1. Limits on Use and Disclosure. WITHINGS agrees not to use or further disclose PHI other than as permitted or required by this BAA or as Required by Law. 

3.2. Safeguards. WITHINGS agrees to use reasonable and appropriate safeguards to protect the confidentiality, integrity, and availability of ePHI and to prevent the use or disclosure of PHI not provided for by this BAA. 

3.3. Report of Improper Use or Disclosure. Without unreasonable delay after discovery, WITHINGS agrees to report to CLIENT any use or disclosure of the PHI not provided for by this BAA, including any Breach of Unsecured PHI as required at 45 CFR § 164.410 and any Security Incident of which it becomes aware. A Breach of Unsecured PHI or Security Incident is considered “discovered” as of the first day on which the Breach of Unsecured PHI or Security Incident is known, or reasonably should have been known, to WITHINGS. The Parties acknowledge the ongoing existence and occurrence of attempted but Unsuccessful Security Incidents which are trivial in nature and the Parties agree that no additional notification to the CLIENT of such Unsuccessful Security Incidents is required. “Unsuccessful Security Incidents” include, but are not limited to, pings and other broadcast attacks on WITHINGS’ firewall, port scans, unsuccessful log-on attempts, denials of service, and any combination of the above.  

3.4. Subcontractors.  In accordance with 45 C.F.R. § 164.502(e)(1)(ii) and 45 C.F.R. § 164.308(b)(2), as applicable, WITHINGS will enter into a written agreement with any subcontractor that creates, receives, maintains or transmits PHI on behalf of WITHINGS for services provided to the CLIENT, providing that the subcontractor agrees to restrictions and conditions that are substantially similar to those that apply through this BAA to WITHINGS with respect to such PHI. WITHINGS agrees to obtain from any agent, including a subcontractor to whom it provides PHI, reasonable assurances that it will adhere to substantially similar restrictions and conditions that apply to Business Associate under the Agreement and this Addendum. 

3.5. Data Hosting. WITHINGS subcontracts physical infrastructure hosting services to a certified hosting company: Google Cloud Platform, with servers in Ashburn, Virginia, United States, or, if the Withings application is used as a patient-facing app, BSO, with servers in France at 114 rue Ambroise Croizat, Saint Denis, 93200 and 110 bis avenue du Général Leclerc, Pantin, 93500. Data backups are stored with different companies: (i) GCS, US-West, Dalles, Oregon and (ii) AWS S3, North California, or stored according to the regionalization principle within Google Cloud Storage servers in Poland, Finland, Spain, Belgium, Germany, the Netherlands, Italy and France. Data stored in backups will be used in case of operational problems to ensure the continuity of our services and products. For security reasons, and in order to protect the integrity of the backup data, WITHINGS is not able to reflect the deletion or modification of data in backups already made. The CLIENT acknowledges that the Withings patient-facing app is hosted on the European Cloud. If the CLIENT does not wish to be hosted within the European Union, the CLIENT agrees that its users will not be able to use the Withings patient-facing app.

3.6. Access to Records. Upon written request, WITHINGS shall make available PHI in a Designated Record Set for CLIENT and/or CLIENT’s Covered Entity client to comply with its obligations under 45 CFR § 164.524 with respect to providing an Individual with access to PHI in a Designated Record Set.

3.7. Amendments to PHI. Upon written request, WITHINGS shall amend PHI in a Designated Record Set or take other measures as reasonably necessary for CLIENT and/or CLIENT’s Covered Entity client to comply with its obligations under 45 CFR § 164.526 with respect to amending PHI in a Designated Record Set.

3.8. Documentation of Disclosures. Upon written request, WITHINGS shall provide documentation of disclosures for CLIENT and/or CLIENT’s Covered Entity client to respond to a request for an accounting of disclosures of PHI in accordance with 45 CFR § 164.528.

3.9. Availability of Internal Practices, Books, and Records. WITHINGS shall make internal practices, books, and records relating to the use and disclosure of PHI received from CLIENT or created or received by WITHINGS on behalf of CLIENT available to CLIENT or at the request of CLIENT to the Secretary, in a time and manner designated by CLIENT or the Secretary, for purposes of determining CLIENT’s compliance with HIPAA.

3.10. Performance of audits by the CLIENT. Upon CLIENT’s written request, WITHINGS shall make available to the CLIENT any necessary documentation to demonstrate compliance with its obligations under this BAA and to enable the performance of confidential audits, and shall cooperate, together with its Data Privacy Officer, with these audits. The scope of the audit shall be exclusively to verify WITHINGS’ compliance with the applicable regulations for the protection of CLIENT’s and/or CLIENT’s Covered Entity’s data, as outlined in this BAA. These audits shall be carried out at the expense of the CLIENT and performed by the CLIENT or by an auditor appointed by the CLIENT who: (i) is subject to strict confidentiality obligations and (ii) has been approved in advance, in good faith, by WITHINGS. The audit will exclusively cover documents provided by WITHINGS to certify compliance with its commitments under this BAA, including the procedures implemented to ensure compliance by WITHINGS.

3.11. Audit procedure. Except in cases of proven urgency and when justified by the CLIENT in writing, the aforementioned audit carried out by the CLIENT: (i) may only take place after the first year of execution of the Services, and from that date, once a year; (ii) and WITHINGS must be notified at least one month in advance. The conclusions of the audit will only be communicated to the parties by the auditor and the audit report itself will be retained by the auditor. Any communication of the audit findings outside of the Parties or the auditor is strictly forbidden. All audit operations will be at the expense of the CLIENT. If the findings of the audit reveal non-compliance to the applicable regulation by WITHINGS and these findings are not contested, WITHINGS shall undertake the necessary corrective measures and the CLIENT is entitled, at its discretion, either to wait for compliance or to terminate this Agreement.

ARTICLE 4. PERMITTED USES AND DISCLOSURES BY WITHINGS

4.1. Use or Disclosure to Perform Services. Subject to the provisions in this BAA, WITHINGS may use or disclose on behalf of CLIENT the minimum amount of PHI necessary to provide the Services and as otherwise provided in this BAA if such use or disclosure of PHI would not violate HIPAA if done by CLIENT, or Client’s Covered Entity Client. 

4.2. Data Aggregation. WITHINGS may use or disclose PHI to perform data aggregation services as permitted by 45 CFR § 164.504(e)(2)(i)(B).

4.3. De-identification. WITHINGS may de-identify any and all PHI received or created by WITHINGS for or on behalf of CLIENT in accordance with 45 CFR §§ 164.514(a)-(c). CLIENT acknowledges that such de-identified information no longer constitutes PHI and is not subject to this BAA.

4.4. Use of PHI for Management and Administration. Except as otherwise limited in this BAA, WITHINGS may use PHI for the proper management and administration of WITHINGS or to carry out WITHINGS’ legal responsibilities.

4.5. Disclosure of PHI for Management and Administration. Except as otherwise limited in this BAA, WITHINGS may disclose PHI to a third party for the proper management and administration of WITHINGS or to carry out WITHINGS’ legal responsibilities, provided that (a) the disclosures are Required by Law, or (b) WITHINGS obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and used or further disclosed only as Required by Law or for the purpose for which it was disclosed to the person, and the person notifies WITHINGS of any instances of which it is aware in which confidentiality of the information has been breached.

4.6 Legal demands. In addition, if WITHINGS is required to transfer personal data to a third party under applicable regulations or in the event of a final court ruling, arbitration award or decision of an administrative authority, it shall inform the Data Controller of this legal obligation prior to any action, unless such information is prohibited by the relevant law for important reasons of public interest. WITHINGS rejects manifestly unlawful requests and informs the CLIENT thereof. WITHINGS traces and records data communications to third parties in such circumstances.

ARTICLE 5. OBLIGATIONS OF CLIENT

5.1. Notice of Privacy Practices. CLIENT shall notify WITHINGS of any limitations in the applicable Notice of Privacy Practices required by 45 CFR § 164.520 to the extent that such limitations may affect WITHINGS’ permitted uses or disclosures of PHI.

5.2. Change or Revocation of Permission. CLIENT will obtain any consent or authorization that may be required by the Privacy Rule, or applicable state law, prior to furnishing WITHINGS with PHI. CLIENT shall notify WITHINGS of any changes in, or revocation of, permission by an Individual to use or disclose PHI, if such changes affect WITHINGS’ permitted uses and disclosures. 

5.3. Restrictions on Use or Disclosure. CLIENT shall notify WITHINGS of any restriction on the use or disclosure of PHI that CLIENT or CLIENT’s Covered Entity client has agreed to in accordance with 45 CFR § 164.522, to the extent that such restriction may affect WITHINGS’ use or disclosure of PHI. The Parties agree to negotiate in good faith appropriate amendment(s) to this BAA to give effect to these revised restrictions.

5.4. Permissible Requests by CLIENT. Except as necessary for the management, administrative, and legal activities of WITHINGS as allowed in this BAA, CLIENT shall not request that WITHINGS use or disclose PHI in any manner that would not be permissible under HIPAA if done by CLIENT or CLIENT’s Covered Entity client.

ARTICLE 6. TERM AND TERMINATION

6.1. Term. This BAA shall be effective as of the Effective Date and shall have a term that runs concurrently with that of the Solution Purchase Agreement. 

6.2. Termination of Solution Purchase Agreement. If the Agreement terminates for any reason, this BAA shall also terminate.

6.3. Termination for Cause. Upon either Party’s knowledge of a material breach by the other Party of this BAA, such Party may terminate this BAA immediately if cure is not possible. Otherwise, the non-breaching party will provide written notice to the breaching Party detailing the nature of the breach and providing an opportunity to cure the breach within thirty (30) business days. Upon the expiration of such thirty (30) day cure period, the non-breaching Party may terminate this BAA if the breaching party does not cure the breach or if cure is not possible. If termination is not feasible, the non-breaching party may report the breach or violation to the Secretary.

6.4. Effect of Termination. Upon termination of this BAA, WITHINGS shall return or destroy, if return or destruction is feasible, all PHI received from CLIENT or created or received by WITHINGS on behalf of CLIENT. In the event that WITHINGS determines returning or destroying the PHI is infeasible, WITHINGS shall provide to CLIENT notification of the conditions that make return or destruction infeasible, extend the protections of this BAA to such PHI, and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as WITHINGS maintains such PHI.

ARTICLE 7. MISCELLANEOUS

7.1. Assignment. This BAA shall be binding upon and inure to the benefit of the respective legal successors of the Parties. Neither this BAA nor any rights or obligations hereunder may be assigned, in whole or in part, without the prior written consent of the other Party.

7.2. Survival. WITHINGS’ obligations under Article 6 of this BAA shall survive termination of this BAA.

7.3. Amendment. The Parties agree to make reasonable efforts to amend this BAA from time to time as is necessary for compliance with HIPAA requirements.

7.4. Regulatory References. A reference in this BAA to a section in HIPAA means the section as in effect, or as amended, and for which compliance is required.

7.5. Reversibility of the Data. At the end of the Contract, or certification’s withdrawal, the CLIENT may make an express request to WITHINGS notified by LR within 30 days in order to choose to recover the personal data processed by WITHINGS on behalf of the CLIENT. WITHINGS transfers this data to the CLIENT in CSV (Comma Separated Values) format.

7.6. Entire BAA. This document, together with any written schedules, amendments, and addenda, constitutes the entire BAA of the Parties and supersedes all prior oral and written BAAs or understandings between them with respect to the matters provided for herein.

7.7. Modifications. Any modification to this BAA shall be valid only if made in writing and signed by a duly authorized agent of both Parties.

7.8. Severability. The Parties agree that if a court determines, contrary to the intent of the Parties, that any of the provisions or terms of this BAA are unreasonable or contrary to public policy, or invalid or unenforceable for any reason in fact, law, or equity, such unenforceability or invalidity shall not affect the remaining terms and provisions of this BAA. Should any particular provision of this BAA be held unreasonable or unenforceable for any reason, then such provision shall be given effect and enforced to the fullest extent that would be reasonable and enforceable.

7.9. Waiver of Breach. No failure or delay by either Party in exercising its rights under this BAA shall operate as a waiver of such rights, and no waiver of any breach shall constitute a waiver of any prior, concurrent, or subsequent breach.

7.10. Titles. Titles or headings are used in this BAA for reference only and shall not have any effect on the construction or legal effect of this BAA.

7.11. Independent Contractors. For purposes of this BAA, WITHINGS is and will act at all times as an independent contractor of CLIENT. None of the provisions of this BAA are intended to create, nor shall be deemed or construed to create, any relationship other than that of independent entities contracting with each other. None of the provisions of this BAA are intended to establish, nor shall be deemed or construed to establish, any partnership, agency, employment agreement, or joint venture between the Parties.

7.12. No Third-Party Beneficiaries. It is the intent of the Parties that this BAA is to be effective only with regard to their rights and obligations with respect to each other. It is expressly not the intent of the Parties to create any independent rights in any third party or to make any third party a beneficiary of this BAA.

Each Party warrants that it has full power and authority to enter into this BAA, and by signing the Purchase Order the Parties hereby agree to be bound by this BAA. 

APPENDIX 2.B. DATA PROTECTION APPENDIX

Within the framework of the solution provided by WITHINGS to the CLIENT, WITHINGS is the Data Processor, and the CLIENT is the Data Controller. 

SUMMARY
ARTICLE 1. OBLIGATIONS OF THE DATA CONTROLLER
ARTICLE 2. DATA PROCESSING
ARTICLE 3. SCOPES OF DATA PROCESSING
ARTICLE 4. RESPECT OF USER’S RIGHTS
ARTICLE 5. SECURITY MEASURES
ARTICLE 6. TRANSFER TO THIRD COUNTRIES
ARTICLE 7. DATA CONTROLLER’S RIGHTS AT THE END OF THE AGREEMENT
ARTICLE 8. AUDIT
ARTICLE 9. RESPECT OF PATIENTS’ RIGHTS
ARTICLE 10. DOCUMENTED INSTRUCTIONS

ARTICLE 1. OBLIGATIONS OF THE DATA CONTROLLER
1.1. Data Controller. The CLIENT is the Data Controller.
1.2. Collection of consent. The Data Controller obtains the express consent of the Users to the collection of their data and informs the Users of the conditions under which their personal data is hosted. The Data Controller also informs Users of the identity of WITHINGS, the identity of the company or companies responsible for hosting the data and the identity of the recipient(s) of the data.
1.3. Contact points for incident management. The Data Controller undertakes to communicate to WITHINGS the identity and contact details of a contact person in charge of processing the incidents having an impact on the health data hosted as part of the Service. WITHINGS’ Data Protection Officer can be contacted at the following address: privacy@withings.com.
1.4. Compliance with Security policy for Health information. The Data Controller is required to comply with the general policy on the security of health information systems. The Data Controller is in particular responsible for the accuracy of the data and their updating, for determining a retention period, for deleting the data, for prior information of the individuals, for the management of end-user access to health data, and for the security of the latter.

ARTICLE 2. DATA PROCESSING
2.1. Authorization of the Data Controller for the use of subcontracting. The Data Controller authorizes WITHINGS to use subcontracting as part of the performance of the Contract between the parties and in compliance with Article 28 of Regulation 2016/679. WITHINGS’ subcontractors agree to restrictions and conditions that are substantially similar to those that apply through this DPA to WITHINGS.
2.2. Subcontracting of hosting services. WITHINGS subcontracts physical infrastructure hosting services to a certified hosting company: BSO, with servers in France, 114 rue Ambroise Croizat, Saint Denis, 93200 and 110 bis avenue du Général Leclerc, Pantin, 93500. Data backups are stored according to the regionalization principle within Google Cloud Storage servers in Poland, Finland, Spain, Belgium, Germany, the Netherlands, Italy and France. Data stored in backups will be used in case of operational problems to ensure the continuity of our services and products. For security reasons, WITHINGS is not able to reflect the deletion or modification of data on backups already made, in order to protect the integrity of the backup data.
2.3. Procedure in the event of a new subcontractor. In the event of a change of host for the processing of personal data related to the performance of this Contract or use of any new subcontractor, WITHINGS will inform the Data Controller in advance, who may not refuse without reasonable cause. The silence of the Data Controller for more than 15 days will be considered as acceptance of the new subcontractor. In the event of an objection by the Data Controller, WITHINGS and the Data Controller will consider in good faith a solution that preserves, in compliance with the applicable regulations, their respective interests. If no agreement is reached on such a solution within thirty (30) days from receipt of the notification of the objection, the Controller may notify WITHINGS, within a further period of fifteen (15) days, by registered letter with acknowledgement of receipt, that the provision of the Solution is terminated without compensation on either side. In the absence of such notice of termination from the Controller, the objection shall be deemed waived and the relevant subprocessor authorized by the Controller.
2.4. Record of processing. WITHINGS declares that it keeps a written record of the processing carried out on behalf of the Data Controller, including the categories of processing carried out on behalf of the Data Controller.
2.5. Documentation. Upon request from the Data Controller, WITHINGS provides the Data Controller with the necessary documentation to justify compliance with its obligations under the GDPR.
2.6. Notification of breach. WITHINGS notifies the Data Controller of any privacy breach as soon as possible after becoming aware of it. This notification is accompanied by the documentation allowing the Data Controller to notify this violation to the competent supervisory authority.
2.7. Privacy Impact Analysis. WITHINGS undertakes to contribute, insofar as it is concerned and according to the information it has on the CLIENT’s processing, to the data protection impact analyses that the CLIENT carries out.
2.8. Assistance of the Data Controller. WITHINGS assists the CLIENT in any exchanges or consultations that the latter has with the supervisory authorities.

ARTICLE 3. SCOPES OF DATA PROCESSING
3.1. Purpose(s) of the Data Processing. The purpose(s) of the data processing is the performance of WITHINGS’ obligations to the CLIENT and solely in accordance with the Agreement which includes, at a minimum, the collection and transfer of health data relating to their end-users to provide the CLIENT with services to monitor the health of their end-users. WITHINGS processes the data at the instruction of the CLIENT. The processing is performed by WITHINGS as long as the Contract remains in force.
3.2. Processing performed. As a data processor, WITHINGS processes data in accordance with the instruction of the Data Controller and for the purposes defined in article 3.1. If WITHINGS believes that an instruction from the CLIENT goes against the applicable regulations, it will immediately inform the CLIENT. The data processed by WITHINGS are personal data concerning the end users of the solution, and include identification data (name, surname, date of birth, postal address, email address), as well as health data (weight, height, data from the use of connected devices).
3.3. Anonymous Data. WITHINGS may use the data to create anonymous information in accordance with the highest standards for anonymization, such as those provided in Opinion 05/2014 on Anonymisation Techniques of the Article 29 Data Protection Working Party, adopted on 10 April 2014.

ARTICLE 4. RESPECT OF USER’S RIGHTS
4.1. Information to users by the Data Controller. The Data Controller informs the User of his rights to access, rectify and delete his personal data as well as his right to object to the processing of data as provided for in Chapter III of Regulation 2016/679 under the conditions defined by the applicable regulations: right of access, rectification, deletion and portability of data, and right to limit and oppose the processing of data. The Data Controller also informs Users of the procedures for exercising these rights, and that they also have the possibility of lodging a complaint with the supervisory authority.
4.2. Verification of the request by the Data Controller. When a User requests to exercise these rights, the Data Controller ensures the compliance and legitimacy of the request before reporting it to WITHINGS.
4.3. WITHINGS Assistance. WITHINGS organizes the procedures and implements the User’s request reported by the Data Controller. The Data Controller does not under any circumstances make these requests after the expiry of the Contract.

ARTICLE 5. SECURITY MEASURES
5.1. Data integrity. WITHINGS implements and updates appropriate technical and organizational security measures against unauthorized or unlawful processing of personal data and against accidental loss, destruction or deterioration of personal data.
5.2. Privacy by design. WITHINGS implements appropriate technical and organizational measures to ensure that, by design, only the personal data necessary for each purpose is processed.
5.3. Confidentiality. WITHINGS ensures that access to personal data is strictly limited to employees who need access to the personal data strictly necessary for the purposes of performing the Contract; such employees are subject to confidentiality commitments.
5.4. Human resources.
– Each employee has a confidentiality agreement attached to his contract,
– IT security practices training is regularly organized,
– A Security charter for the proper use of IT resources is signed with all employees,
– A declaration of the security policy signed by management is shared with all employees,
– Access to systems and tools is granted only on strict necessity, on a limited scope,
– Regular internal security audits validate compliance with good security practices,
– Entrances, exits and movements within the company are managed by automated processes.
5.5. Supplementary security measures. The Security Assurance Plan describes all the security measures that WITHINGS maintains and implements.

ARTICLE 6. TRANSFER TO THIRD COUNTRIES
6.1. Prior authorization of the Data Controller. WITHINGS only transfers or allows the transfer of personal data to a third country or an international organization on the written instructions of the Data Controller and as long as this transfer respects the Personal Data Protection Laws. The Data Controller makes this transfer request at a reasonable frequency and in no case at the expiration of the Agreement.
6.2. Exception. Furthermore, if WITHINGS is required to transfer personal data to a third party under the Data Protection Laws or the law of the Member State to which it is subject, it shall inform the Data Controller of this legal obligation before the processing, unless such information is prohibited by the law concerned for important reasons of public interest.
6.3. Legal demands. In addition, if WITHINGS is required to transfer personal data to a third party under applicable regulations or in the event of a final court ruling, arbitration award or decision of an administrative authority, it shall inform the Data Controller of this legal obligation prior to any action, unless such information is prohibited by the relevant law for important reasons of public interest. WITHINGS rejects manifestly unlawful requests and informs the CLIENT thereof. WITHINGS traces and records data communications to third parties in such circumstances.

ARTICLE 7. DATA CONTROLLER’S RIGHTS AT THE END OF THE AGREEMENT
7.1. Data output. At the end of the Agreement, WITHINGS undertakes, at the choice of the Parties:
– to destroy the personal data or,
– to return all personal data to the CLIENT or,
– to return the personal data to the subcontractor designated by the CLIENT.
7.2. Reversibility of Data. At the end of the Contract, the CLIENT may make an express request to WITHINGS notified by LR within 30 days in order to choose to recover the personal data processed by WITHINGS on behalf of the CLIENT. WITHINGS transfers this data to the CLIENT in CSV (Comma Separated Values) format.

ARTICLE 8. AUDIT
8.1. Performance of audits by the CLIENT. WITHINGS shall make available to the CLIENT the necessary documentation to demonstrate compliance with its obligations under this Data Protection Annex and to enable the performance of audits that are confidential in nature, and undertakes to contribute, together with its Data Protection Officer, to these audits: the purpose of these audits is to verify WITHINGS’ compliance with the regulations applicable to the protection of Users’ personal data. These audits shall be carried out at the expense of the CLIENT and performed by the CLIENT or an auditor appointed by the CLIENT (i) subject to strict confidentiality obligations and (ii) previously approved in good faith by WITHINGS. They will cover the documents provided by WITHINGS to certify compliance with its commitments under this Data Protection Annex, including the procedures implemented to ensure compliance by WITHINGS with said commitments.
8.2. Audit procedure. Except in cases of proven urgency and justified by the CLIENT, an audit or control carried out by the latter: (i) may only take place after the first year of execution of the Services, and from that date, once a year, (ii) and must be notified to WITHINGS with at least one month’s notice. In strictest confidence, only the conclusions of the audit will be communicated to the parties by the auditor and the audit report itself will be retained by the auditor. The audit operations will remain at the expense of the Data Controller. If the findings of the audit reveal non-compliance of WITHINGS with the GDPR and these findings are not contested by WITHINGS, the latter undertakes to take the necessary corrective measures and the CLIENT is entitled, at its discretion, either to wait for compliance or to terminate the Mission.

ARTICLE 9. RESPECT OF PATIENTS’ RIGHTS
9.1. Patient information by the CLIENT. The CLIENT informs the patient of his rights of access, rectification and deletion of his personal data as well as his right to object to the processing of the data as provided for in Chapter III of Regulation 2016/679.
9.2. Verification of the request by the CLIENT. When a patient asks to benefit from these rights, the CLIENT verifies the conformity and legitimacy of the request before forwarding it to WITHINGS.
9.3. Assistance from WITHINGS. WITHINGS organizes the procedures and implements the patient’s request reported by the CLIENT. The CLIENT does not formulate these requests after the expiration of the Contract.

ARTICLE 10. DOCUMENTED INSTRUCTIONS
The responsibilities between the Data Controller, WITHINGS and the WITHINGS host are divided as follows: