Effective Date:

November 30, 2021

HITRUST Alliance, Inc. (“HITRUST or “Licensor”) hereby authorizes limited access to and use of the HITRUST THREAT CATALOGUE, to entities that are parties to a HITRUST MyCSF® Subscription Agreement, a HITRUST Authorized External Assessor Agreement, or who have agreed to the HITRUST® Terms of Use and downloaded a copy of the HITRUST THREAT CATALOGUE (hereinafter collectively referred to as “Licensee”). Licensee further agrees to the terms of this HITRUST THREAT CATALOGUE License Agreement. The HITRUST MyCSF Subscription Agreement, HITRUST Authorized External Assessor Agreement, and the HITRUST Terms of Use are referred to herein collectively as the “Agreements.” By accessing or using any portion of the HITRUST THREAT CATALOGUE, or signing this License Agreement, Licensee agrees to the terms of this HITRUST THREAT CATALOGUE License Agreement (the “License Agreement”). In the event of a conflict between one of the Agreements and this License Agreement, this License Agreement shall control. The Licensee may have access to and use the HITRUST Threat Catalogue for its own internal business purposes as provided in this License Agreement, and as a condition to such use and access, the Licensee agrees to the following terms:

1. Grant of License. Subject to compliance with the terms and conditions of this License Agreement, Licensor hereby grants to Licensee, and Licensee accepts from Licensor, a limited, non-exclusive, non-transferable, and non-assignable right and license (the “License”) to access the HITRUST THREAT CATALOGUE for use in their internal information security program and information sharing purposes only, including, but not limited to use in risk analysis and risk management. This License is for the sole use of the Licensee, and by any wholly-owned subsidiaries of Licensee that have been previously identified and approved in writing by HITRUST (each, an “Affiliate”). Licensee agrees that it shall not use, or attempt to use, the HITRUST THREAT CATALOGUE for any other purpose, including but not limited to any external disclosure or use with any Licensee customers, vendors or partners. There shall be no fee for the License provided herein.

2. Delivery of HITRUST THREAT CATALOGUE. During the term of this License Agreement, HITRUST shall make the HITRUST THREAT CATALOGUE available to Licensee for delivery by the Internet from the server(s) on which the HITRUST THREAT CATALOGUE is hosted. HITRUST is not responsible for ensuring the Licensee’s computer and systems are compatible with the HITRUST THREAT CATALOGUE or that Licensee is able to access the HITRUST THREAT CATALOGUE. HITRUST makes no representation or warranty to Licensee.

3. HITRUST THREAT CATALOGUE Ownership. All title and intellectual property rights and interest in and to the HITRUST THREAT CATALOGUE, including but not limited to any text, images, photographs, animations, video and audio incorporated into it, and any copies of any of the foregoing that a Licensee is expressly permitted to make herein, are and continue to be solely owned by HITRUST or its suppliers. The HITRUST THREAT CATALOGUE includes valuable, proprietary, and confidential information, compilations, methods, techniques, procedures and processes not generally known, which can only be obtained from HITRUST. HITRUST has implemented reasonable protections for the HITRUST THREAT CATALOGUE, including but not limited to the terms of this License Agreement, to prevent their unauthorized disclosure or use. Licensee acknowledges and affirms HITRUST’s ownership and exclusive right, title and interest in the HITRUST THREAT CATALOGUE and all of its component parts. Licensee agrees that neither it nor any Affiliate or Authorized User (defined below) will attack or impair, directly or indirectly, any of HITRUST’s rights in the HITRUST THREAT CATALOGUE or any portion thereof, or any of HITRUST’s prior or subsequent registrations or applications for registration of any mark, copyright or patent arising out of or relating to any portion of the HITRUST THREAT CATALOGUE.

4. Updates. Licensor may, in its sole discretion, update and/or supplement (“Update” or “Updates”) the HITRUST THREAT CATALOGUE, in which case such updates shall be deemed to be included in the HITRUST THREAT CATALOGUE and governed by this License Agreement as such, unless HITRUST expressly notifies the Licensee that any such Update or Updates are provided under other licensing terms.

5. Prohibited Activities and Uses of HITRUST THREAT CATALOGUE. Any use of the HITRUST THREAT CATALOGUE not expressly permitted by this License Agreement is strictly prohibited. In particular, and without limitation, the Licensee shall NOT do any of the following:

• Provide or otherwise allow the disclosure of an electronic or paper copy, in whole or part, of the HITRUST THREAT CATALOGUE or any data contained therein that is not owned by Licensee, to any individual or entity that is not a duly authorized Licensee or Authorized User;
• Use the HITRUST THREAT CATALOGUE, in whole or part, to provide analyses, assessments, services or products of any kind to any other person or entity, except an Affiliate;
• Permanently store or otherwise maintain the HITRUST THREAT CATALOGUE, in whole or part, in any medium including, without limitation, any cloud service storage provider, or other electronic database;
• or Create any Derivative Work, based in whole or part on any portion of the HITRUST THREAT CATALOGUE, without Licensor’s express prior written consent. “Derivative Work” as used herein shall mean any service, software program or other work, and copies thereof, which are developed by Licensee, or its Affiliates, and which are based on or incorporate any part of the HITRUST THREAT CATALOGUE, including without limitation any modification, enhancement, translation, compilation, expansion, or any other form in which the HITRUST THREAT CATALOGUE may be recast or adapted, and that, if prepared without HITRUST’s authorization, would constitute an infringement or violation of any of HITRUST’s rights.

These prohibitions shall not apply to: Any information, compilation, method, technique, procedure or process included in the HITRUST THREAT CATALOGUE that (a) is or has become public knowledge, by publication or other public disclosure, through no action or omission of the Licensee under this License Agreement; (b) was verifiably known to the Licensee prior to the date of entry into this License Agreement, (c) was independently developed by the Licensee without use of the HITRUST THREAT CATALOGUE; or (d) was lawfully obtained by the Licensee from a third party who was in lawful possession of it and had the right to provide it to Licensee.

6. Licensee, Authorized Users. A Licensee must be a HITRUST Qualified Organization, which includes organizations employing a function or activity involving the use or disclosure of individually identifiable health information, individually identifiable information, or other confidential information provided such organization does not provide security products or services of any kind or nature. The following non-exclusive list of persons and/or entities are not HITRUST Qualified Organizations and shall not be permitted to be a Licensee or to be considered an Affiliate of a Licensee under any circumstance: IT security service providers, IT security product providers, IT security consultants, IT security vendors and suppliers. If a Licensee’s status as a HITRUST Qualified Organization is revoked or terminated at any time, HITRUST may, in its sole and absolute discretion, terminate this License and revoke Licensee’s access to the HITRUST THREAT CATALOGUE.

The Licensee may authorize unlimited individual users, provided that each authorized user must have a need to use the HITRUST THREAT CATALOGUE in order to provide internal services or perform internal functions for the Licensee, subject to this License Agreement (“Authorized Users”). The Licensee shall maintain a list of all current and past Authorized Users at all times, and promptly make it available to HITRUST upon request. Authorized Users may include both employees of the Licensee or its Affiliates and their non-employed agents, provided that all Authorized Users shall be subject to this License Agreement and provide prior written acceptance of its terms. Licensee shall not permit disclosure of an electronic or paper copy, in whole or part, of the HITRUST THREAT CATALOGUE, to any other person or entity. Upon termination of an Authorized User under this License Agreement for any reason, the Licensee shall (a) revoke the individual’s access to the HITRUST THREAT CATALOGUE, (b) remove any such electronic files from the Authorized User’s individual’s possession and from all computers, systems and devices to which the individual has access, and (c) remove any paper copies of the HITRUST THREAT CATALOGUE from the Authorized User’s possession.

7. No Interference with Intellectual Property Protections. Under no circumstances shall any Licensee or other entity or individual subject to this License Agreement disable any digital rights protections or remove, modify, interfere with, or obscure any copyright, trademark or other proprietary rights and notices that apply to, appear on, or included in the HITRUST THREAT CATALOGUE.

8. Compliance. Upon Licensor’s request, an officer of the Licensee shall promptly certify in writing to Licensor that the Licensee and all Affiliates are in full compliance with the terms and conditions of this License Agreement.

9. Notice and Cure. In the event that HITRUST receives notice that the HITRUST THREAT CATALOGUE, or any component of the HITRUST THREAT CATALOGUE, may infringe any copyright, trademark or patent, or constitute a misappropriation of a trade secret, HITRUST may, at its sole discretion:

a. Procure for the Licensee the right to continue using the potentially or allegedly infringing or misappropriated component;
b. Make an attempt to modify the HITRUST THREAT CATALOGUE to provide for substitute materially equivalent functioning or a materially functional equivalent which does not infringe and/or is not misappropriated. In this case the Licensee shall immediately stop using the allegedly infringing or misappropriated component and shall cooperate with HITRUST in implementing use of the functional substitute.

9.2. Limited Defense. HITRUST will defend the Licensee against any claims by an unaffiliated third party that any component of the HITRUST THREAT CATALOGUE infringes any copyright, trademark or patent or misappropriates any trade secret, including but not limited to an action for injunctive relief based on such a claim; on the condition precedent that the Licensee gives HITRUST prompt written notice of such claim, gives HITRUST sole control over its defense or settlement (except that HITRUST may not settle any such claim against Licensee unless it unconditionally releases Licensee of all liability), and provides HITRUST with reasonable assistance and cooperation in such defense. Defense to any other claims shall not be provided, and issues relating to defense coverage shall be resolved in the sole and absolute discretion of HITRUST.

9.3. Limitation of Duty to Defend. HITRUST shall have no obligation to defend the Licensee against any claim:

a. That relates to an allegedly infringing use, or use of misappropriated intellectual property, after HITRUST has notified the Licensee of a substitute as provided above;
b. That relates to any use or disclosure of any portion of the HITRUST THREAT CATALOGUE, in whole or in part, in breach of any term of this License Agreement; or
c. For any trade secret claim, that arises from the Licensee acquiring the trade secret through improper means, under conditions giving rise to a duty to maintain its secrecy or limit its use, or from a person other than Licensee who owed the party asserting the claim a duty to maintain the secrecy or limit the use of the trade secret.

9.4. Exclusive Remedy. The rights and remedies stated in this Section 10 state Licensor’s entire liability and the sole and exclusive remedy of Licensee and its Affiliates with respect to any claim of infringement or misappropriation of the intellectual property rights of any third party, whether arising under statutory or common law or otherwise.

10. DISCLAIMER OF WARRANTIES; ASSUMPTION OF RISK. THE HITRUST THREAT CATALOGUE IS DEEMED ACCEPTED BY THE LICENSEE AS OF THE DATE LICENSEE OR ANY OF LICENSEE’S AFFILIATES OR AUTHORIZED USERS FIRST ACCESSES ANY PORTION OF THE HITRUST THREAT CATALOGUE. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, HITRUST AND ITS SUPPLIERS PROVIDE THE HITRUST THREAT CATALOGUE “AS IS,” “WHERE IS” AND WITH ALL FAULTS, AND HITRUST AND ITS SUPPLIERS HEREBY DISCLAIM ALL OTHER WARRANTIES AND CONDITIONS, WHETHER EXPRESS, IMPLIED OR STATUTORY, INCLUDING, BUT NOT LIMITED TO, ANY IMPLIED WARRANTIES, DUTIES OR CONDITIONS OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, QUIET ENJOYMENT, QUIET POSSESSION, SECURITY, CONFORMITY TO DESCRIPTION, NON-INFRINGEMENT, RELIABILITY, ACCURACY OR COMPLETENESS, AND RESULTS ALL WITH REGARD TO THE HITRUST THREAT CATALOGUE OR OTHERWISE ARISING OUT OF THE USE OF THE HITRUST THREAT CATALOGUE THE ENTIRE RISK AS TO THE QUALITY OR ARISING OUT OF THE USE OF THE HITRUST THREAT CATALOGUE AT ALL TIMES REMAINS WITH THE LICENSEE AND ITS AFFILIATES.

ASSUMPTION OF RISK. THERE IS RISK INHERENT IN EVERY USE OF THE INTERNET AND/OR THE WORLD WIDE WEB. NO SYSTEM IS IMPERVIOUS TO ALL ATTACKS AND ATTEMPTS AT UNAUTHORIZED ENTRY AND ACCESS. BY ACCESSING THE HITRUST THREAT CATALOGUE, LICENSEE EXPRESSLY ASSUMES ANY AND ALL SUCH RISKS. IN NO EVENT WILL LICENSOR BE RESPONSIBLE OR LIABLE FOR ANY ERROR, OMISSION, INTERRUPTION, DELETION, DEFECT, DELAY IN OPERATION OR TRANSMISSION, COMMUNICATIONS LINE FAILURE, THEFT OR DESTRUCTION OR UNAUTHORIZED ACCESS OF THE HITRUST THREAT CATALOGUE, OR ANY INJURY OR DAMAGE TO ANY PROPERTY ARISING FROM LICENSEE OR ANY AFFILIATE OR AUTHORIZED USER’S ACCESS OF THE HITRUST THREAT CATALOGUE.

11. EXCLUSION OF INCIDENTAL, CONSEQUENTIAL, EXEMPLARY AND CERTAIN OTHER DAMAGES. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT SHALL HITRUST OR ITS SUPPLIERS BE LIABLE FOR ANY SPECIAL, INCIDENTAL, PUNITIVE, EXEMPLARY, INDIRECT OR CONSEQUENTIAL DAMAGES WHATSOEVER (INCLUDING, BUT NOT LIMITED TO, DAMAGES FOR LOSS OF PROFITS OR CONFIDENTIAL OR OTHER DATA OR INFORMATION, BUSINESS INTERRUPTION, PERSONAL INJURY, LOSS OF PRIVACY, FAILURE TO MEET ANY DUTY INCLUDING OF GOOD FAITH OR OF REASONABLE CARE, NEGLIGENCE, AND ANY OTHER PECUNIARY OR OTHER LOSS WHATSOEVER) ARISING OUT OF, OR IN ANY WAY RELATED TO, THE USE OF OR INABILITY TO USE THE HITRUST THREAT CATALOGUE, THE PROVISION OF OR FAILURE TO PROVIDE THE HITRUST THREAT CATALOGUE OR OTHERWISE UNDER OR IN CONNECTION WITH ANY PROVISION OF THIS LICENSE AGREEMENT, EVEN IN THE EVENT OF THE FAULT, TORT (INCLUDING NEGLIGENCE), MISREPRESENTATION, STRICT LIABILITY, BREACH OF CONTRACT OR BREACH OF WARRANTY OF HITRUST OR ANY SUPPLIER AND EVEN IF HITRUST OR ANY SUPPLIER HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

12. LIMITATION OF LIABILITY AND REMEDIES. NOTWITHSTANDING ANY DAMAGES THAT THE LICENSEE OR ANY AFFILIATE MIGHT INCUR FOR ANY REASON WHATSOEVER (INCLUDING, WITHOUT LIMITATION, ALL DAMAGES REFERENCED HEREIN AND ALL DIRECT OR GENERAL DAMAGES IN CONTRACT OR ANYTHING ELSE), TO THE FULLEST EXTENT PERMITTED BY APPLICABLE LAW, HITRUST SHALL HAVE NO LIABILITY TO LICENSEE AND/OR ITS AFFILIATES ARISING OUT OF THIS LICENSE AGREEMENT. THE FOREGOING LIMITATIONS, EXCLUSIONS AND DISCLAIMERS SHALL APPLY TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, EVEN IF ANY REMEDY FAILS ITS ESSENTIAL PURPOSE.

13. Indemnification. The Licensee hereby agrees to defend, indemnify and hold harmless HITRUST, its officers, directors, shareholders, employees and agents at the Licensee’s own expense from and against any and all suits, claims, actions, causes of action, liabilities, obligations, losses, costs, penalties and damages of whatsoever kind in nature, including reasonable attorney’s fees and costs, arising out of or in connection with or incident to the use by the Licensee or any Affiliate of the HITRUST THREAT CATALOGUE or any portion thereof, or any breach of this License Agreement by the Licensee or any Affiliate.

14. Injunctive Remedies for License Violations. The Licensee hereby acknowledges that any violation of this License Agreement by the Licensee and/or an Affiliate will cause irreparable injury to HITRUST, and, as a result, in addition to and without limiting any other rights and remedies available to HITRUST, HITRUST shall be entitled to seek any injunctive relief or other rights or remedies to which HITRUST is or may be entitled to under law to prevent or mitigate the effects of such violation. This expressly includes but is not limited to any breach by Licensee of the Prohibited Activities and Uses of the HITRUST THREAT CATALOGUE provided in paragraph 6 above.

15. Termination of Lease. Licensee agrees that HITRUST may terminate this License Agreement, the License granted herein, and/or any access to or use of the HITRUST THREAT CATALOGUE by Licensee at any time. It is agreed that upon such termination, HITRUST shall owe Licensee no further obligation or liability of any kind or nature arising out of this Agreement, except as set forth herein. Notwithstanding anything to the contrary contained herein, the following paragraphs shall survive the termination of this License Agreement: Paragraphs 4, 6, 8, 10, 11, 12, 13, 14, 15, 16, 17, 18, 20 and any other paragraphs which, by their terms, are reasonably intended to survive the earlier termination of this License Agreement.

16. Governing Law; Venue This License Agreement shall be governed by and construed in accordance with the laws of the State of Texas. The exclusive forum for any dispute regarding this License Agreement shall be the state or federal courts located in Collin County, Texas and the Licensee hereby waives any argument that such is an inconvenient forum or that venue is improper in such forum.

17. Legal Fees and Costs. in the event of legal proceedings arising from or pertaining to this License Agreement or the License, the prevailing party shall be awarded its reasonable attorney’s fees and costs of litigation, including on appeal or in bankruptcy proceedings.

18. Export Compliance. The information that HITRUST makes available under this License Agreement, and any derivatives thereof, may be subject to export laws and regulations of the United States and other jurisdictions. Each party represents that neither it nor any of its owners, directors or officers is named on any U.S. government denied-party list. You shall not permit Users to access or use any Service or Content in a U.S.-embargoed country or in violation of any U.S. export law or regulation.

19. Consent to Collection of Information. As part of this License Agreement, HITRUST will be collecting certain personal and/or identifying information from the Licensee, including the name and contact information, including email address of Licensee’s representative. Licensee’s representative, by checking the applicable box below, consents to HITRUST collecting this information and acknowledges that the processing of this information is necessary for HITRUST to administer this License Agreement. Licensee hereby warrants that it will obtain proper consent to collect and potentially share with HITRUST information on any Authorized Users as appropriate prior to providing such User access to the HITRUST Threat Catalogue.

20. Entire Agreement. This License Agreement contains the entire agreement between the parties with respect to the subject matter hereof and supersedes all prior written or oral agreements with respect thereto.

21. No Assignment. Licensee may not assign or transfer any of its rights or obligations under this Agreement without the prior written consent of Licensor, which may be withheld in Licensor’s sole and absolute discretion.

BY CLICKING THE ACCEPTANCE BUTTON BELOW OR BY ACCESSING OR USING THIS INFORMATION OR ANY PORTION OF THE HITRUST THREAT CATALOGUE, I ACKNOWLEDGE THAT I HAVE READ THE HITRUST THREAT CATALOGUE LICENSE AGREEMENT, UNDERSTAND IT AND AGREE TO BE LEGALLY BOUND BY ITS TERMS AND CONDITIONS.