HITRUST Shared Responsibility Matrix® License Agreement
Effective Date:
April 2022
HITRUST Alliance, Inc. (“HITRUST®” or “Licensor”) hereby authorizes limited access and use of the HITRUST Shared Responsibility Matrix® (“HITRUST SRM”). A limited license to the HITRUST SRM may be granted to Relying Customers and/or Inheriting Customers (“Licensee”) which have collectively agreed to this Shared Responsibility Matrix® License Agreement (“License Agreement”).
By accessing any portion of the HITRUST SRM, or by accepting the terms of this License Agreement, Licensee agrees to the terms of this License Agreement. In the event of a conflict relating to the HITRUST SRM between any other agreement with HITRUST and this License Agreement, this License Agreement shall control.
Definitions:
“Derivative Work” is any service, software program, or other work, and copies thereof, which are developed by Licensee or its Affiliates, and which are based on or incorporate any part of the HITRUST SRM, including without limitation any modification, enhancement, translation, compilation, expansion, or any other form in which the HITRUST SRM may be recast or adapted, and that, if prepared without HITRUST’s authorization, would constitute an infringement or violation of any of HITRUST’s rights.
“Relying Customer” is an organizational user, qualified affiliate, or agent that has acquired use of products and/or services offered by a third-party, whereby, the customer must evaluate and rely upon control implementation of common controls shared with the third-party.
“External Inheritance” is functionality offered by the HITRUST MyCSF platform that enables a HITRUST customer, as an assessed entity, to inherit HITRUST CSF controls, testing results, associated maturity scores, and commentary from another provider directly into the assessed entity’s HITRUST Validated Assessment.
“External Inheritance Provider” is an organizational user, qualified affiliate, or agent (i.e., external assessor) of a Provider that has a HITRUST Validated Assessment enabled for External Inheritance.
“Inheriting Customer” is a Relying Customer, as an assessed entity, actively pursuing a HITRUST Validated Assessment that utilizes External Inheritance.
“HITRUST Shared Responsibility Model” is a standard methodology and associated taxonomy for evaluating shared responsibility of common control ownership between providers and their customers based on a distinct set of inheritance assertions and qualifying types of shared control implementation use cases.
Grant of License. Licensor hereby grants Licensee a limited, non-exclusive, non-transferable, and non-assignable license (the “License”) for the sole purpose of: (1) Supporting the Relying Customer in the process in evaluating and allocating HITRUST CSF control responsibilities that are shared with their HITRUST-compliant service providers; and/or (2) Supporting the Inheriting Customer in the process of inheriting HITRUST CSF controls, testing results, associated maturity scores, and commentary from qualified External Inheritance Provider(s).
Delivery of HITRUST SRM. During the term of this License Agreement, HITRUST shall make the HITRUST SRM available to Licensee for delivery by the Internet from the server(s) on which the HITRUST SRM is hosted. HITRUST is not responsible for ensuring the Licensee’s computer and systems are compatible with the HITRUST SRM or that Licensee is able to access the HITRUST SRM. HITRUST makes no representation or warranty to Licensee.
HITRUST SRM Ownership Rights. All title and intellectual property rights and interest in and to the HITRUST SRM, including but not limited to any text, images, photographs, animations, video, and audio incorporated into it, and any copies of any of the foregoing that a Licensee is expressly permitted to make herein, are and continue to be solely owned by HITRUST or its suppliers. The HITRUST SRM includes valuable, proprietary, and confidential information, compilations, methods, techniques, procedures, and processes not generally known, which can only be obtained from HITRUST. HITRUST has implemented reasonable protections for the HITRUST SRM, including but not limited to the terms of this License Agreement, to prevent unauthorized disclosure or use. Licensee acknowledges and affirms HITRUST’s ownership and exclusive right, title, and interest in the HITRUST SRM and all its component parts. Licensee agrees and warrants that neither it nor any affiliate will attack or impair, directly or indirectly, any of HITRUST’s rights in the HITRUST SRM or any portion thereof, or any of HITRUST’s prior or subsequent registrations or applications for registration of any mark, copyright, or patent arising out of or relating to any portion of the HITRUST SRM.
Updates. Licensor may, in its sole discretion update and/or supplement the HITRUST SRM, in which case, such updates shall be deemed to be included in the HITRUST SRM and governed by this License Agreement, unless HITRUST expressly notifies the Licensee that any such update or updates are provided under other licensing terms.
Prohibited Activities and Uses of HITRUST SRM. Any use of the HITRUST SRM not expressly permitted by this License Agreement is strictly prohibited. In particular, and without limitation, the Licensee shall NOT do any of the following:
- Provide or allow the disclosure of the HITRUST SRM via electronic, paper, or other applicable medium, in whole or part, or any data contained therein that is not owned by Licensee, to any individual or entity that is not an authorized Licensee or Authorized User(s); or
- Use the HITRUST SRM, in whole or part, to provide analyses, assessments, services, or products of any kind to any other person or entity; or
- Create any Derivative Work, based in whole or part on any portion of the HITRUST SRM, without Licensor’s express prior written consent.
- Use restricted or confidential HITRUST IP, as designated by HITRUST, without Licensor’s express prior written consent.
These prohibitions shall not apply to any information, compilation, method, technique, procedure, or process included in the HITRUST SRM that (a) is or has become public knowledge, by publication or other public disclosure, through no action or omission of the Licensee under this License Agreement; (b) was verifiably known to the Licensee prior to the date of entry into this License Agreement; (c) was independently developed by the Licensee without use of the HITRUST SRM; or (d) was lawfully obtained by the Licensee from a third party who was in lawful possession of it and had the right to provide it to Licensee.
Licensee and Authorized Access. The Licensee understands that this is a limited license, with restrictions as to use of the HITRUST SRM and the content in the HITRUST SRM as provided by the Licensor. The Licensee may accept these terms on behalf of the organization that he/she works for (“Organization”). The Licensee may authorize unlimited individual users (“Authorized Users”) at the Organization, provided that each user understands and accepts the terms of the limited license. The Licensee shall always maintain a list of all current and past Authorized Users, and promptly make it available to HITRUST upon request. Authorized Users may include both employees of the Licensee or its Affiliates and their non-employed agents, provided that all Authorized Users shall be subject to this License Agreement and provide prior acceptance of its terms. NOTWITHSTANDING THE FOREGOING, LICENSEE SHALL NOT PERMIT DISCLOSURE OF AN ELECTRONIC OR PAPER COPY, IN WHOLE OR PART, OF THE HITRUST SRM, TO ANY OTHER PERSON OR ENTITY. Upon termination of an Authorized User under this License Agreement for any reason, the Licensee shall (a) revoke the individual’s access to the HITRUST SRM, (b) remove any such electronic files from the Authorized User’s individual’s possession and from all computers, systems, and devices to which the individual has access, and (c) remove any paper copies of the HITRUST SRM from the Authorized User’s possession.
No Interference with Intellectual Property Protections. Under no circumstances shall any Licensee or other entity or individual subject to this License Agreement disable any digital rights protections or remove, modify, interfere with, or obscure any copyright, trademark, or other proprietary rights and notices that apply to, appear on, or are included in the HITRUST SRM.
Compliance. Upon Licensor’s request, an officer of the Licensee shall promptly certify in writing to Licensor that the Licensee and all Affiliates are in full compliance with the terms and conditions of this License Agreement.
DEFENSE OF INFRINGEMENT AND MISAPPROPRIATION CLAIMS.
Notice and Cure. If HITRUST receives notice that the HITRUST SRM, or any component of the HITRUST SRM, may infringe any copyright, trademark, or patent, or constitute a misappropriation of a trade secret, HITRUST may, at its sole discretion:
- Procure for the Licensee the right to continue using the potentially or allegedly infringing or misappropriated component; or
- Attempt to modify the HITRUST SRM to provide for substitute materially equivalent functioning or a materially functional equivalent that does not infringe and/or is not misappropriated. In this case, the Licensee shall immediately stop using the allegedly infringing or misappropriated component and shall cooperate with HITRUST in implementing use of the functional substitute.
Limited Defense. HITRUST will defend the Licensee against any claims by an unaffiliated third party that any component of the HITRUST SRM infringes any copyright, trademark, or patent, or misappropriates any trade secret including but not limited to an action for injunctive relief based on such a claim on the condition precedent that the Licensee gives HITRUST prompt written notice of such claim, gives HITRUST sole control over its defense or settlement (except that HITRUST may not settle any such claim against Licensee unless it unconditionally releases Licensee of all liability), and provides HITRUST with reasonable assistance and cooperation in such defense. Defense to any other claims shall not be provided, and issues relating to defense coverage shall be resolved in the sole and absolute discretion of HITRUST.
Limitation of Duty to Defend. HITRUST shall have no obligation to defend the Licensee against any claim:
- That relates to an allegedly infringing use, or use of misappropriated intellectual property, after HITRUST has notified the Licensee of a substitute as provided above;
- That relates to any use or disclosure of any portion of the HITRUST SRM, in whole or in part, in breach of any term of this License Agreement; or
- For any trade secret claim that arises from the Licensee acquiring the trade secret through improper means, under conditions giving rise to a duty to maintain its secrecy or limit its use, or from a person other than Licensee who owed the party asserting the claim a duty to maintain the secrecy or limit the use of the trade secret.
Exclusive Remedy. The rights and remedies stated in this section, state Licensor’s entire liability, and the sole and exclusive remedy of Licensee and its Affiliates with respect to any claim of infringement or misappropriation of the intellectual property rights of any third party, whether arising under statutory or common law or otherwise.
DISCLAIMER OF WARRANTIES; ASSUMPTION OF RISK.
THE HITRUST SRM IS DEEMED ACCEPTED BY THE LICENSEE AS OF THE DATE LICENSEE OR ANY OF LICENSEE’S AFFILIATES OR AUTHORIZED USERS FIRST ACCESSES ANY PORTION OF THE HITRUST SRM. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, HITRUST AND ITS SUPPLIERS PROVIDE THE HITRUST SRM“AS IS,” “WHERE IS” AND WITH ALL FAULTS, AND HITRUST AND ITS SUPPLIERS HEREBY DISCLAIM ALL OTHER WARRANTIES AND CONDITIONS, WHETHER EXPRESS, IMPLIED OR STATUTORY, INCLUDING, BUT NOT LIMITED TO, ANY IMPLIED WARRANTIES, DUTIES OR CONDITIONS OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, QUIET ENJOYMENT, QUIET POSSESSION, SECURITY, CONFORMITY TO DESCRIPTION, NON-INFRINGEMENT, RELIABILITY, ACCURACY OR COMPLETENESS, AND RESULTS ALL WITH REGARD TO THE HITRUST SRM – PUBLIC OR OTHERWISE ARISING OUT OF THE USE OF THE HITRUST SRM THE ENTIRE RISK AS TO THE QUALITY OR ARISING OUT OF THE USE OF THE HITRUST SRM – PUBLIC AT ALL TIMES REMAINS WITH THE LICENSEE AND ITS AFFILIATES.
THERE IS RISK INHERENT IN EVERY USE OF THE INTERNET AND/OR THE WORLD WIDE WEB. NO SYSTEM IS IMPERVIOUS TO ALL ATTACKS AND ATTEMPTS AT UNAUTHORIZED ENTRY AND ACCESS. BY ACCESSING THE HITRUST SRM – PUBLIC, LICENSEE EXPRESSLY ASSUMES ANY AND ALL SUCH RISKS. IN NO EVENT WILL LICENSOR BE RESPONSIBLE OR LIABLE FOR ANY ERROR, OMISSION, INTERRUPTION, DELETION, DEFECT, DELAY IN OPERATION OR TRANSMISSION, COMMUNICATIONS LINE FAILURE, THEFT OR DESTRUCTION, OR UNAUTHORIZED ACCESS OF THE HITRUST SRM – PUBLIC, OR ANY INJURY OR DAMAGE TO ANY PROPERTY ARISING FROM LICENSEE OR ANY AFFILIATE OR AUTHORIZED USER’S ACCESS OF THE HITRUST SRM.
EXCLUSION OF INCIDENTAL, CONSEQUENTIAL, EXEMPLARY AND CERTAIN OTHER DAMAGES. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT SHALL HITRUST OR ITS SUPPLIERS BE LIABLE FOR ANY SPECIAL, INCIDENTAL, PUNITIVE, EXEMPLARY, INDIRECT OR CONSEQUENTIAL DAMAGES WHATSOEVER (INCLUDING, BUT NOT LIMITED TO, DAMAGES FOR LOSS OF PROFITS OR CONFIDENTIAL OR OTHER DATA OR INFORMATION, BUSINESS INTERRUPTION, PERSONAL INJURY, LOSS OF PRIVACY, FAILURE TO MEET ANY DUTY INCLUDING OF GOOD FAITH OR OF REASONABLE CARE, NEGLIGENCE, AND ANY OTHER PECUNIARY OR OTHER LOSS WHATSOEVER) ARISING OUT OF, OR IN ANY WAY RELATED TO, THE USE OF OR INABILITY TO USE THE HITRUST SRM , THE PROVISION OF OR FAILURE TO PROVIDE THE HITRUST SRM – PUBLIC OR OTHERWISE UNDER OR IN CONNECTION WITH ANY PROVISION OF THIS LICENSE AGREEMENT, EVEN IN THE EVENT OF THE FAULT, TORT (INCLUDING NEGLIGENCE), MISREPRESENTATION, STRICT LIABILITY, BREACH OF CONTRACT OR BREACH OF WARRANTY OF HITRUST OR ANY SUPPLIER AND EVEN IF HITRUST OR ANY SUPPLIER HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
LIMITATION OF LIABILITY AND REMEDIES. NOTWITHSTANDING ANY DAMAGES THAT THE LICENSEE OR ANY AFFILIATE MIGHT INCUR FOR ANY REASON WHATSOEVER (INCLUDING, WITHOUT LIMITATION, ALL DAMAGES REFERENCED HEREIN AND ALL DIRECT OR GENERAL DAMAGES IN CONTRACT OR ANYTHING ELSE), TO THE FULLEST EXTENT PERMITTED BY APPLICABLE LAW, HITRUST SHALL HAVE NO LIABILITY TO LICENSEE AND/OR ITS AFFILIATES ARISING OUT OF THIS LICENSE AGREEMENT. THE FOREGOING LIMITATIONS, EXCLUSIONS, AND DISCLAIMERS SHALL APPLY TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, EVEN IF ANY REMEDY FAILS ITS ESSENTIAL PURPOSE.
Indemnification. The Licensee hereby agrees to defend, indemnify, and hold harmless HITRUST and its affiliates, officers, directors, shareholders, employees, and agents at the Licensee’s own expense from and against any and all suits, claims, actions, causes of action, liabilities, obligations, losses, costs, penalties, and damages of whatsoever kind in nature, including reasonable attorney’s fees and costs, arising out of or in connection with or incident to the use by the Licensee or any Affiliate of the HITRUST SRM or any portion thereof, or any breach of this License Agreement by the Licensee or any Affiliate.
Injunctive Remedies for License Violations. The Licensee hereby acknowledges that any violation of this License Agreement by the Licensee and/or an Affiliate will cause irreparable injury to HITRUST, and, as a result, in addition to and without limiting any other rights and remedies available to HITRUST, HITRUST shall be entitled to seek any injunctive relief or other rights or remedies to which HITRUST is or may be entitled to under law to prevent or mitigate the effects of such violation. This expressly includes but is not limited to any breach by Licensee of the prohibited activities and uses of the HITRUST SRM provided in the section above entitled the same.
Termination of License. Licensee agrees that HITRUST may terminate this License Agreement, the License granted herein, and/or any access to or use of the HITRUST SRM by Licensee at any time without cause. It is agreed that upon such termination, HITRUST shall owe Licensee no further obligation or liability of any kind or nature arising out of this Agreement, except as set forth herein. Notwithstanding anything to the contrary contained herein, the relevant paragraphs shall survive the termination of this License Agreement.
Governing Law; Venue. This License Agreement shall be governed by and construed in accordance with the laws of the State of Texas. The exclusive forum for any dispute regarding this License Agreement shall be the state or federal courts located in Collin County, Texas and the Licensee hereby waives any argument that such is an inconvenient forum, or that venue is improper in such forum.
Legal Fees and Costs. In the event of legal proceedings arising from or pertaining to this License Agreement or the License, the prevailing party shall be awarded its reasonable attorney’s fees and costs of litigation, including on appeal or in bankruptcy proceedings.
Export Compliance. The information that HITRUST makes available under this License Agreement, and any derivatives thereof, may be subject to export laws and regulations of the United States and other jurisdictions. Each party represents that neither it nor any of its owners, directors, or officers is named on any U.S. government denied-party list. You shall not permit Users to access or use any Service or Content in a U.S. embargoed country or in violation of any U.S. export law or regulation.
CONSENT TO COLLECTION OF INFORMATION. As part of this License Agreement, HITRUST will be collecting certain personal and/or identifying information from the Licensee, including the name and contact information, including the email address of the Licensee’s representative. Licensee’s representative, by checking the applicable box below, consents to HITRUST collecting this information and acknowledges that the processing of this information is necessary for HITRUST to administer this License Agreement. Licensee hereby warrants that it will obtain proper consent to collect and potentially share with HITRUST information on any Authorized Users as appropriate prior to providing such user access to the HITRUST SRM.
Entire Agreement. This License Agreement contains the entire agreement between the parties with respect to the subject matter hereof and supersedes all prior written or oral agreements with respect thereto.
No Assignment. Licensee may not assign or transfer any of its rights or obligations under this Agreement without the prior written consent of Licensor, which may be withheld in Licensor’s sole and absolute discretion.