View or Download the HITRUST MyCSF® Subscription Agreement
We've updated the HITRUST MyCSF Subscription Agreement, effective as of 8/1/2025.
If you want to view Version 1 (effective 7/1/2024 to 3/20/2025), click here.
If you want to view Version 2 (effective 3/21/2025 to 7/31/2025), click here.
If you want a PDF of this version, Version 3 (effective 8/1/2025 to present), click here.
HITRUST MyCSF® Subscription Agreement
PLEASE READ THIS AGREEMENT CAREFULLY, AS IT CONTAINS IMPORTANT INFORMATION REGARDING YOUR LEGAL RIGHTS AND REMEDIES.
THIS HITRUST MyCSF SUBSCRIPTION AGREEMENT (this “Agreement”) governs the acquisition and use of Services by Customer (defined below). By executing an Order Form (defined below) that references this Agreement and identifies the company or other legal entity identified on the Order Form (“Customer”), the signer of each Order Form represents that such signer has the authority to bind the Customer to this Agreement. HITRUST and Customer are each a “Party” hereto, and collectively, they are the “Parties”.
For good and valuable consideration, the receipt and sufficiency of which is hereby acknowledged, the Parties agree as follows:
1. DEFINITIONS
The following capitalized terms, as used in this Agreement, shall have the meanings set forth below.
“Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the Customer. “Control,” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the Customer. For purposes of HITRUST only, “Affiliate” means HITRUST and its wholly owned subsidiaries.
“Agreement” means this MyCSF Subscription Agreement, as may be amended from time to time by HITRUST, and any supplement, addendum, amendment, and other document that either: (i) specifically references this Agreement and is signed by both parties (unless not required), or (ii) is specifically incorporated by reference to the terms of this Agreement; and the applicable Order Form(s).
“Assessed Entity” means an organization that has started the HITRUST CSF assessment process.
“Assessment” means a data protection assessment that is generated through Customer’s use of the Services in accordance with the standards and requirements set forth by HITRUST and the HITRUST CSF.
“Content” means any information (e.g. scoring and related assessment reports) created by HITRUST or obtained by HITRUST from HITRUST’s content licensors or other publicly available sources and provided to Customer in the course of providing the Services, as more fully described in the Documentation.
“Controller” means the entity which determines the purpose and means of the Processing of Personal Data, including, as applicable, a “business” as that term is defined under applicable Data Privacy Laws.
“HITRUST CSF” means the framework for managing information security, privacy risks, and compliance for organizations that is owned, marketed, and licensed by HITRUST as the HITRUST CSF.
“Customer Data” means electronic data and information uploaded by or for Customer to the Services or collected and otherwise Processed by or for Customer as a result of using the Services, including Personal Data, but excluding Content. Customer shall not upload PHI, as defined below.
“Data Privacy Laws” means all applicable laws, regulations, and other legal or self-regulatory requirements in any jurisdiction relating to privacy, data protection, data security, breach notification, or the Processing of Personal Data. For the avoidance of doubt, if HITRUST’s Processing activities involving Personal Data are not within the scope of a given Data Privacy Law, such law is not applicable for purposes of this Agreement.
“De-Identified Data” means de-identified and anonymized sets of Customer Data that have been gathered by HITRUST for the purpose of aggregating statistical data and performance information for the provision, enhancement, and operation of HITRUST’s Property. For the avoidance of doubt, De-Identified Data does not include any Personal Data, Customer Data or other information that could be used to identify, or re-identify, the Customer or its Customer Data.
“Documentation” means HITRUST’s MyCSF User Guide, Assessment Handbook, help and training materials, and any other reference documents, as updated from time to time, accessible by paper, digital, or via login relating to the Services.
“Effective Date” means the date Customer signs the initial Order Form under this Agreement.
“HITRUST” means HITRUST Services LLC, a Delaware limited liability company.
“HITRUST Authorized Assessor” means an organization that has been approved by HITRUST for performing assessments and services associated with the HITRUST Assurance Program and the HITRUST CSF.
“HITRUST’s Property” means the HITRUST CSF, Services, Documentation, Content, HITRUST Technology, HITRUST IP Rights, and any other property of HITRUST incorporated into or generated by any of the foregoing (but excluding Content not owned by HITRUST).
“Initial Term” means the period as described in Section 10.2.
“Malicious Code” means code, files, scripts, agents, or programs intended to do harm, permit harmful conduct, or that cause harm, including, for example, disabling codes, logic bombs, Trojan horses, bugs, viruses, and any other code, key, or other devices that are intended to do harm to computing systems.
“Order Form” means the ordering document specifying the Services and Content that are acquired by the Customer and provided by HITRUST that is entered into between the Parties, or its Resellers, including any addenda, supplements, or future Order Forms.
“Personal Data” includes “personal data,” “personal information,” “personally identifiable information” or “PII”, and similar terms, and such terms shall have the same meaning as defined by applicable Data Privacy Laws.
“PHI” means protected health information, as that term is defined in 45 C.F.R. § 160.103, or any successor federal regulation.
“PII” means personally identifiable information as that term is defined in National Institute of Standards and Technology Special Publication 800-122, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII).
“Process”, “Processed” and “Processing” means any operation or set of operations performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, retention, recording, organization, creating, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction, including as such terms may be defined under applicable Data Privacy Laws.
“Processor” means the entity which Processes Personal Data on behalf of the Controller, including, as applicable, any “service provider” as that term is defined in applicable Data Privacy Laws.
“Renewal Term” means the period as described in Section 10.2.
“Reseller” means one of HITRUST’s preferred partner resellers through whom a Customer purchases and utilizes the Services.
“Services” means the products and services ordered by Customer under an Order Form, and made available online or otherwise by HITRUST, including the assessment software and tools and associated offline components, hosted by or on behalf of HITRUST as described in the Documentation.
“Term” means the period as described in Section 10.1.
“User” means an individual who is authorized by Customer to use the Services for the sole benefit of Customer, and to whom Customer (or HITRUST at Customer’s request) has supplied a User ID. Users may include, for example, Customer’s employees, consultants, contractors and agents, and third parties with which Customer transacts business.
“User ID” means the identification name and password for access to and use of the Services by a User.
2. HITRUST RESPONSIBILITIES
2.1. Access and License. Subject to and conditioned upon Customer’s compliance with all of the terms and conditions of the Agreement, HITRUST hereby grants to Customer a non-exclusive, non-transferable, non-sublicensable, revocable, non-assignable, limited right to access and use the Services and HITRUST CSF, and to use and make copies of the Content during the applicable Term, solely for Customer’s internal business use, subject to applicable HITRUST IP Rights and in accordance with the Agreement.
2.2. Provision of Services. HITRUST will (i) make the Services and Content available to Customer pursuant to the Agreement and applicable Order Form, (ii) provide support for the Services to Customer at no additional charge through available website chat, phone, and email, and (iii) use commercially reasonable efforts to make the online Services available 24 hours a day, 7 days a week, except for: (a) planned maintenance windows (of which HITRUST shall give at least eight (8) hours electronic notice and which HITRUST shall schedule, to the extent practicable, during hours between 6:00 p.m. Thursday and 3:00 a.m. Friday Central time), (b) planned release windows (of which HITRUST shall give at least two (2) weeks electronic notice and which HITRUST shall schedule to the extent practicable during hours between 6:00 p.m. Friday and 3:00 a.m. Sunday Central time), (c) emergency maintenance, (d) any unavailability caused by Customer or Users, including but not limited to breach of any term or condition of the Agreement, and (e) any unavailability caused by a Force Majeure Event.
2.3. Protection of Customer Data. HITRUST will endeavor to maintain reasonable industry-standard administrative, physical, and technical safeguards for the protection of the security, confidentiality, and integrity of Customer Data. Those safeguards will include, but will not be limited to, measures for preventing inappropriate access, use, modification, or disclosure of Customer Data by HITRUST personnel. Notwithstanding the foregoing, no system is completely impervious to unlawful access and theft of data, and accordingly, HITRUST cannot and does not warrant or represent that Customer Data will be free from unauthorized access or use.
2.4. HITRUST Personnel. HITRUST will be responsible for the performance of HITRUST personnel (including HITRUST employees) and their compliance with HITRUST’s obligations under the Agreement, except as otherwise specified herein.
3. USE OF SERVICES AND CONTENT
3.1. Subscriptions. Unless otherwise provided in the applicable Order Form: (i) Services and access to Content are purchased as subscriptions through an Order Form for use during the Term, (ii) subscriptions for other Services may be added during a Term at HITRUST’s then-current pricing, prorated for the portion of the Term remaining at the time the other Services are added if applicable, (iii) any added Services will terminate on the same date as the associated Term, and (iv) any additional Order Forms to renew a subscription past the original Term will remain under the terms of the Agreement.
3.2. Usage Limits. Services and Content are subject to usage limits, including, for example, the quantities specified in the applicable Order Form. Unless otherwise specified: (i) a quantity in an Order Form refers to Users and/or Assessments and the Services or Content may not be accessed by more than that number of Users or used for more than that number of Assessments, (ii) no User ID may be shared with any other individual, and (iii) a User ID may be reassigned to a new User replacing one who no longer requires ongoing use of the Services or Content, but such User ID may not be reassigned more than once within any thirty (30) day period during a 12-month Term. If Customer exceeds the contractual usage limit, HITRUST may work with Customer to seek to reduce Customer’s usage to conform to that limit. If, notwithstanding HITRUST’s efforts, Customer is unable or unwilling to abide by the contractual usage limit, Customer may incur additional fees for excess usage if it does not reduce overuse within ten (10) days after notice from HITRUST, and Customer shall remit payment in accordance with Section 4.3 (Overdue Charges).
3.3. Customer Responsibilities. Customer will: (i) ensure Users comply with the Agreement; (ii) be responsible for the accuracy, quality, appropriateness, and legality of Customer Data and ensure the means by which Customer acquired the Customer Data does not violate any Data Privacy Laws, any third-party’s rights, or any term or condition of the Agreement; (iii) use commercially reasonable efforts to prevent unauthorized access to or use of the Services and Content, and notify HITRUST promptly, and in any event within twenty-four (24) hours, of any such unauthorized access or use; (iv) assign a unique User ID for each User and maintain the security of each User’s User ID; and (v) use the Services and Content only in accordance with the Agreement and applicable laws and government regulations.
3.4. Usage Restrictions. Customer will not: (i) sell, resell, license, sublicense, distribute, translate, decompile, reverse engineer, create derivative works of, disassemble, broadcast, modify, alter, rent, lease, or commercially exploit HITRUST’s Property, or include any of HITRUST’s Property in a service bureau or outsourcing offering; (ii) use any “deep link,” “page scrape,” “robot,” “spider,” or other automatic device, program, script, algorithm or methodology, or any similar or equivalent process, to access, acquire, copy, or monitor any of HITRUST’s Property or in any way reproduce or circumvent the navigational structure or presentation of any of HITRUST’s Property to obtain any materials, documents, or information through any means not purposely made available by HITRUST; (iii) probe, scan, or test the vulnerability of the Services or Content, or any network connected thereto, or breach the security or authentication measures used to protect any Services or Content; (iv) reverse look-up, trace, or seek to trace any information on any other User of the Services or owner of any of the Content; (v) take any action that, in HITRUST’s sole judgment and discretion, imposes an unreasonable or disproportionately large load on the Services, or any of HITRUST’s networks or systems or any networks or systems connected thereto; (vi) use any device, software, or routine to interfere with the proper working of HITRUST’s systems or networks or any transaction conducted thereon, or with any other person’s use of the Services or Content; (vii) forge headers, impersonate a person, or otherwise manipulate identifiers in order to disguise Customer’s identity or the origin of any message or transmittal Customer sends to HITRUST; (viii) use any of HITRUST’s Property to harvest or collect email addresses or other information; (ix) market, co-brand, private label, separately distribute, resell, or otherwise permit third parties to access and/or use any portion of HITRUST’s Property without HITRUST’s express, separate, and prior written permission; (x) send or cause to be sent to HITRUST, or use the Services to store or transmit, any infringing, libelous, obscene, threatening, or otherwise unlawful or tortious material, or any material in violation of any third-party right, including but not limited to privacy rights; (xi) send or cause to be sent to HITRUST, or use the Services to store or transmit Malicious Code; (xii) interfere with or disrupt the integrity or performance of the Services, or third-party data contained therein; (xiii) attempt to gain unauthorized access to the Services or Content, or its related systems or networks; (xiv) permit direct or indirect access to or use of the Services or Content in a way that circumvents a contractual usage limit; (xv) copy the Services or any part, feature, function, or user interface thereof; (xvi) copy the Content, except as permitted herein, an Order Form, or the Documentation; (xvii) frame or mirror any part of the Services or Content, other than framing on Customer’s own intranets or otherwise for Customer’s own internal business purposes or as permitted herein or in the Documentation; (xviii) access any Services or Content in order to build a competitive product or service; (xix) provide or cause to be provided any false or inaccurate information or materials to HITRUST; or (xx) use any of HITRUST’s Property in an unlawful manner or a manner that could damage, disparage, or otherwise negatively impact HITRUST. HITRUST reserves the right to suspend or terminate Customer’s access and use of the Services or Content by providing five (5) days’ advance notice for violating any of the prohibited uses outlined in this Section.
3.5. Intended Use. The Services and Content are intended solely for Customer use in performing a self-evaluation of Customer compliance within the HITRUST CSF framework. Customer shall not, and shall not cause or permit any other person to, upload, transmit, or store any information or data in or to the Services: (i) that is protected under any law or regulation governing the protection of patents, copyrights, trademarks, service marks, trade secrets, or other intellectual property; (ii) that constitutes PHI; or (iii) that constitutes Personal Data beyond that required to create, authenticate, and maintain a User account or the minimum amount needed to supply a piece of evidence required under an Assessment. Customer expressly assumes the risk of any and all losses that could arise or result from the uploading, transmission, or storage of any such information or data to the Services, and Customer agrees that HITRUST will have no liability to Customer as a result of the uploading, transmission, or storage of any such information or data.
3.6. Uploading of Personal Data. The uploading of Personal Data into the Services must be consistent with the Agreement, including, but not limited to, this Section 3 (Use of Services and Content). Additionally, Customer acknowledges that Customer will not upload or otherwise cause HITRUST to Process any Personal Data subject to foreign Data Protection Laws without prior written notice and approval from HITRUST. Should HITRUST provide such written approval, Customer shall not upload or otherwise cause HITRUST to Process any such Personal Data other than as set forth in this Section 3. Customer further acknowledges and agrees that Customer, not HITRUST, is responsible for determining if any laws, other than United States federal and state Data Privacy Laws, apply.
3.7. Lawfulness of Instructions. HITRUST acts as a Processor for Personal Data as it is held in the Services, and Customer is the Controller. HITRUST will therefore abide by the instructions for use of Personal Data provided by Customer in writing, including as set forth in the Agreement, or potentially, if agreed to in writing by both Parties, separate instructions from Customer. Customer hereby represents and warrants that the Processing of Personal Data, when done in reasonable accordance with Customer instructions, will not cause HITRUST to violate any Data Privacy Laws or other relevant laws or regulations.
3.8. Personal Data Legal Compliance by Customer. Customer acknowledges and agrees that Customer is responsible for ensuring its compliance with any Data Privacy Laws or other relevant laws or regulations regarding Personal Data in the use of the Services and Customer’s Processing of Personal Data, and that Customer has the right to transfer or provide access to, or Process any Personal Data uploaded or otherwise entered into the Services, and to permit HITRUST’s Processing of such Personal Data in accordance with and as set forth in the Agreement.
3.9. Reseller Purchases. If Customer purchases the Services and Content through a Reseller, all payment-related terms (including, but not limited to, pricing, invoicing, billing, payment methods, and late payment charges) will be set forth in Customer’s agreement directly with such Reseller, and such payment-related terms will supersede any conflicting terms set forth in this Agreement. HITRUST may suspend or terminate Customer’s access to the Services in the event of non-payment of the applicable Fees to HITRUST by the Reseller, or Customer’s uncured breach of the Agreement. Notwithstanding anything to the contrary, the agreement between Customer and a Reseller: (i) shall not modify any of the terms set forth herein other than those portions related to billing and payments, and (ii) is not binding on HITRUST. Reseller’s offerings may include implementation, customization, and other consulting services related to Customer’s use of software that works in conjunction with the Services, such as by exchanging data with the Services or by offering additional functionality within the user interface of the Services through use of the Reseller’s application programming interface. Any exchange of data, other than certain Customer Data required by HITRUST to perform the Services, is solely between Reseller and Customer. HITRUST DOES NOT WARRANT, AND CUSTOMER HEREBY RELEASES HITRUST FROM LIABILITY, FOR ANY SUCH RESELLER AND THEIR PRODUCTS AND SERVICES, WHETHER OR NOT SUCH PRODUCTS AND SERVICES ARE DESIGNATED BY HITRUST AS “CERTIFIED”, “VALIDATED”, OR OTHERWISE.
3.10. Compliance with HITRUST Assessments. Effective from the commencement of the Assessment process, the Customer, then known as the Assessed Entity, shall comply with the following terms and conditions:
3.10.1. The Assessed Entity shall adhere to the requirements and procedures outlined in the Documentation, specifically the HITRUST Assessment Handbook, as well as any additional requests made by HITRUST and/or a HITRUST Authorized Assessor;
3.10.2. The Assessed Entity shall provide written confirmation, in the form of a Validated Report Agreement and/or Management Representation Letter, that all evidence and information submitted to HITRUST and/or a HITRUST Authorized Assessor is complete, truthful, and accurate;
3.10.3. When sharing the results of an Assessment report to a third party, the Assessed Entity shall provide the complete report and/or certification letter as provided by HITRUST. A report or certification letter may not be modified in any way, including altering or removing proprietary marks, trademarks, restrictions, or disclaimers added by HITRUST, and the Assessed Entity shall not misrepresent its compliance status to any third parties;
3.10.4. The Assessed Entity shall be entitled to promote its Assessment compliance status strictly pursuant to HITRUST’s directions and instructions, and only during the term of the respective report and/or certification letter, provided that: (i) it remains in material compliance with the Agreement and Documentation, (ii) its compliance status is active and unchanged, and (iii) no Security Event has occurred as that term is defined in the HITRUST Assessment Handbook. Upon request, the Assessed Entity must certify in writing to HITRUST that these conditions are still met;
3.10.5. The Assessed Entity shall immediately upon the expiration of a report and/or certification letter, or upon HITRUST’s demand resulting from the violation of this Section, cease all use of the report and/or certification letter, and promptly remove all associated representations and materials from all platforms, communications, and documentation; and
3.10.6. The Assessed Entity’s failure to comply with any of the terms and conditions of this Section shall be deemed a breach and may result in termination of the respective report and/or certification letter, and/or the Agreement.
3.11. HITRUST Results Distribution System Terms of Use. HITRUST offers a secure, API-enabled system that allows organizations to electronically share HITRUST Assessment results with their customers, partners, and stakeholders in a standardized, structured format. If Customer decides to utilize HITRUST’s Results Distribution System services, such use shall be governed by the HITRUST Results Distribution System Terms of Use as set forth in the following link: https://hitrustalliance.net/rds-terms
4. FEES AND PAYMENT FOR SERVICES
4.1. Fees. Customer agrees to pay all fees specified in an Order Form (the “Fees”). Except as otherwise specified herein or in an Order Form, (i) Fees are based on the Services and Content purchased, (ii) payment obligations are non-cancelable and Fees paid are non-refundable, and (iii) quantities purchased cannot be decreased during the relevant Term.
4.2. Invoicing and Payment. HITRUST will invoice Customer the Fees for the Services and Content set forth in the relevant Order Form. Unless otherwise stated in the Order Form, invoiced Fees are due net thirty (30) days from the invoice date. Customer is responsible for providing complete and accurate billing and contact information to HITRUST and notifying HITRUST of any changes to such information (email shall suffice). All payments made under the Agreement shall be in United States dollars.
4.3. Overdue Charges. Any undisputed invoice that remains unpaid, in whole or in part, for more than sixty (60) days from the date of the invoice will be charged interest on the total outstanding balance at a rate equal to the lesser of 1.5% per month or the highest rate permitted by law. Customer shall not offset any amounts owed under an Order Form against any other Order Form. Customer shall also reimburse HITRUST for all costs incurred in collecting any late payments, including, without limitation, attorneys’ fees.
4.4. Suspension of Service for Non-Payment. If any amount owed by Customer under the Agreement or any other agreement between Customer and HITRUST is thirty (30) or more days overdue, HITRUST may, without limiting any of HITRUST’s other rights or remedies, suspend HITRUST’s Services or any other services to Customer until such amounts are paid in full. HITRUST will give Customer at least five (5) days prior written notice that Customer’s account is overdue before suspending Services or any other services to Customer.
4.5. Taxes. Except as otherwise required by state, federal, or international law, HITRUST’s Fees do not include any taxes, levies, duties, or similar governmental assessments of any nature, including, for example, value-added, sales, excise, use or withholding taxes, assessable by any jurisdiction whatsoever (collectively, “Taxes”). Customer is responsible for paying all Taxes associated with Customer’s purchases hereunder unless HITRUST is legally required to do so. If HITRUST has the legal obligation to pay or collect Taxes for which Customer is responsible under this subsection, HITRUST will invoice Customer and Customer will pay that amount unless Customer provides HITRUST with a valid tax exemption certificate authorized by the appropriate taxing authority. For clarity, HITRUST is solely responsible for taxes assessable against HITRUST based on HITRUST’s income, property, and employees.
4.6. Adjustment to Fees. HITRUST reserves the right to annually increase its Fees set forth on an Order Form by providing Customer with written notice (email shall suffice) of such price increase delivered not less than sixty (60) days prior to the expiration of the Initial Term or then-current Renewal Term, as applicable.
5. PROPRIETARY RIGHTS AND LICENSES
5.1. Reservation of Rights. Customer acknowledges that in providing the Services and Content, HITRUST utilizes (i) the HITRUST name, the HITRUST logo, the HITRUST domain name, the product and service names associated with the Services, and other trademarks and service marks, (ii) certain audio and visual information, documents, software, and other works of authorship, and (iii) MyCSF software, and other technology, software, hardware, products, processes, algorithms, user interfaces, know-how, and other trade secrets, techniques, designs, inventions, and other tangible or intangible technical material or information (collectively, “HITRUST Technology”) and that HITRUST owns or licenses patent rights, trademark rights, copyrights and other intellectual property rights to the HITRUST Technology (collectively, “HITRUST IP Rights”). HITRUST and HITRUST licensors reserve all of HITRUST’s/their right, title, and interest in and to HITRUST’s Property not expressly granted under the Agreement. No rights are granted to Customer hereunder other than as expressly set forth herein. There are no implied licenses under the Agreement. All title and intellectual property rights and interest in and to HITRUST’s Property, and any copies of any of the foregoing that Customer is expressly permitted to make herein, are and continue to be solely owned by HITRUST or its licensors and/or suppliers. HITRUST’s Property includes valuable, proprietary, and confidential information, compilations, methods, techniques, procedures, and processes not generally known which can only be obtained from HITRUST. HITRUST has implemented reasonable protections for HITRUST’s Property, including but not limited to the terms of the Agreement, to prevent its unauthorized disclosure or use. Customer acknowledges and affirms HITRUST’s ownership and exclusive right, title, and interest in HITRUST’s Property and all of its component parts. 
Customer agrees that neither Customer nor any of Customer’s Affiliates will attack or impair, directly or indirectly, any of HITRUST’s rights in HITRUST’s Property or any portion thereof or any of HITRUST’s prior or subsequent registrations or applications for registration of any trademark, copyright, or patent arising out of or relating to any portion of HITRUST’s Property.
5.2. Ownership of De-Identified Data. HITRUST shall have the right to access, compile, and aggregate certain Customer Data into De-Identified Data. HITRUST shall own all De-Identified Data and may use, host, copy, reproduce, alter, create derivative works of, transmit, display, and otherwise modify the De-Identified Data as necessary for HITRUST to provide the Services in accordance with the Agreement, for purposes of preparing reports, providing statistical analysis, and other similar uses, relating to the usage and functioning of the Services, improving any of HITRUST’s Property, creating new HITRUST solutions to serve industry needs, conducting research, and for internal and external marketing and reporting purposes related to the Services; provided that no personally identifiable information of Customer is retained. Other than as expressly set forth in the Agreement, HITRUST acquires no right, title, or interest from Customer or Customer licensors under this Agreement in or to the Customer Data.
5.3. License by Customer to Use Feedback. Customer hereby grants to HITRUST and HITRUST’s Affiliates, and if required shall execute any appropriate documentation evidencing said grant, a worldwide, perpetual, irrevocable, royalty-free, fully paid-up, transferable, sublicensable license to use and incorporate into the Services any suggestions, ideas, enhancement requests, recommendations, corrections, or other feedback (the “Feedback”) provided by Customer or Users relating to the operation of the Services without attribution to Customer. Any Feedback is and shall be given voluntarily. Feedback, including if submitted on HITRUST’s public feedback forum, will not be considered confidential and does not create any obligation of confidentiality under this Agreement.
5.4. Federal Government End User Provisions. HITRUST provides the Services for ultimate federal government end users solely in accordance with the following: (i) Government technical data and software rights related to the Services include only those rights customarily provided to the public as defined in this Agreement. This customary commercial license is provided in accordance with FAR 12.211 (Technical data) and FAR 12.212 (Computer software) and, for Department of Defense transactions, DFAR 252.227-7015 (Technical Data – Commercial Products and Commercial Services) and DFAR 227.7202-3 (Rights in commercial computer software or commercial computer software documentation). If a government agency has a need for rights not granted under these terms, it must negotiate with HITRUST to determine if there are acceptable terms for granting those rights, and a mutually acceptable written addendum specifically granting those rights must be included in any applicable agreement.
6. CONFIDENTIALITY
6.1. Definition of Confidential Information. “Confidential Information” means all information disclosed by a Party (“Disclosing Party”) to the other Party (“Receiving Party”), whether orally or in writing, that is designated as confidential or that reasonably should be understood to be confidential given the nature of the information and the circumstances of disclosure. Customer’s Confidential Information includes Customer Data. HITRUST’s Confidential Information includes HITRUST’s Property and the terms and conditions of the Agreement and all Order Forms (including pricing and related metrics). Confidential Information of each Party includes business and marketing plans, technology and technical information, security reports and associated documentation, product plans and designs, financial information, and business and analytical information, pricing and pricing proposals, and processes disclosed by such Party. However, Confidential Information does not include any information that: (i) is or becomes generally known to the public without breach of any obligation owed to the Disclosing Party, (ii) was known to the Receiving Party prior to its disclosure by the Disclosing Party without breach of any obligation owed to the Disclosing Party, (iii) is received from a third party without breach of any obligation owed to the Disclosing Party, or (iv) was independently developed by the Receiving Party without breach of any obligation owed to the Disclosing Party.
6.2. Protection of Confidential Information. The Receiving Party agrees: (i) to use the same degree of care that it uses to protect the confidentiality of its own Confidential Information of like kind (but not less than reasonable care); (ii) not to use any Confidential Information of the Disclosing Party for any purpose outside the scope of the Agreement; and (iii) except as otherwise authorized by the Disclosing Party in writing, to limit access to Confidential Information of the Disclosing Party to those of its and its Affiliates’ directors, officers, employees, agents, advisors, consultants, business partners, and contractors (“Representatives”) who need that access for purposes consistent with the Agreement and are subject to the confidentiality obligations consistent with this Agreement. Neither Party will disclose the terms of the Agreement to any third party, other than its Representatives, without the other Party’s prior written consent, provided that a Party that makes any such disclosure to its Representatives will remain responsible for such Representatives’ compliance with this subsection.
6.3. Compelled Disclosure. The Receiving Party may disclose Confidential Information of the Disclosing Party to the extent compelled by law to do so, provided the Receiving Party gives the Disclosing Party prior written notice of the compelled disclosure (to the extent legally permitted) and reasonable assistance at the Disclosing Party’s cost, if the Disclosing Party wishes to contest the disclosure. If the Receiving Party is compelled by law to disclose the Disclosing Party’s Confidential Information as part of a civil proceeding to which the Disclosing Party is a party and the Disclosing Party is not contesting the disclosure, the Receiving Party may disclose only that portion of the Confidential Information which is legally required to be disclosed; provided that: (i) the Receiving Party shall exercise commercially reasonable efforts to preserve the confidentiality of the Confidential Information, including, without limitation, obtaining reliable assurance that confidential treatment will be accorded such Confidential Information; and (ii) such disclosure was not caused by or resulted from a previous disclosure by the Receiving Party in violation of the Agreement. The Receiving Party shall cooperate fully with (and shall not oppose any action by) the Disclosing Party to obtain a protective order or other relief to prevent or narrow the disclosure of the Confidential Information or to obtain reliable assurance that confidential treatment will be accorded such Confidential Information. The Disclosing Party will reimburse the Receiving Party for its reasonable cost of compiling and providing secure access to that Confidential Information.
6.4. Remedies. If the Receiving Party discloses or uses (or threatens to disclose or use) any Confidential Information of the Disclosing Party in breach of this Section 6, the Disclosing Party shall have the right, in addition to any other remedies available to it, to seek injunctive relief to enjoin such acts without the requirement of a bond or other assurance, it being specifically acknowledged by the Parties that any other available remedies are inadequate.
7. REPRESENTATIONS, WARRANTIES, EXCLUSIVE REMEDIES, AND DISCLAIMERS
7.1. Mutual Representations and Warranties. Each Party represents and warrants that (i) it is duly organized, validly existing and in good standing under the applicable laws of the state or country of its incorporation or formation, (ii) it has the right and full power and authority to enter into and perform all terms and conditions of the Agreement, (iii) it will comply, at all times, with all applicable laws, rules, and regulations in connection with the Agreement, and (iv) the Agreement does not conflict with any other contract, agreement, ruling, or order by which the Party is bound.
7.2. Customer Representations and Warranties. By using any of HITRUST’s Property, or accepting any other benefit under any of the rights or licenses granted to Customer hereunder, Customer represents and warrants to HITRUST that, during the entire Term of the Agreement:
7.2.1. Customer is not and will not be a direct competitor of HITRUST or any of its Affiliates;
7.2.2. Neither Customer nor any of its Affiliates will: (i) exceed any usage limits or restrictions imposed by HITRUST; (ii) knowingly introduce Malicious Code into the Services or any of HITRUST’s systems or networks; or (iii) sell, resell, sublicense, distribute, translate, decompile, reverse engineer, create derivative works of, disassemble, broadcast, modify, alter, rent, lease, transmit, or commercially exploit any of HITRUST’s Property;
7.2.3. Customer has obtained and will maintain all consents, permissions, authorizations, rights, and licenses to provide Customer Data and Personal Data to HITRUST in accordance with the terms of and in connection with HITRUST’s provision of Services under the Agreement, and HITRUST is authorized to access and use Customer Data and Personal Data consistent with the terms of the Agreement.
7.3. HITRUST Representations and Warranties. HITRUST represents and warrants to Customer that, during the entire Term of the Agreement, HITRUST has used commercially reasonable efforts to detect and prevent the introduction of Malicious Code into the Services.
7.4. Exclusive Remedies. For any breach by HITRUST of the warranties set forth in this Section, Customer’s sole and exclusive remedies are those described in Section 10.3 (Procedure Upon Termination) and Section 10.4 (Refund or Payment upon Termination).
7.5. Disclaimers. EXCEPT AS EXPRESSLY PROVIDED IN SECTION 7.1 (Mutual Representations and Warranties) AND SECTION 7.3 (HITRUST Representations and Warranties), HITRUST PROVIDES THE SERVICES AND CONTENT “AS IS” AND “AS AVAILABLE,” WITHOUT WARRANTIES OF ANY KIND, WHETHER EXPRESS, IMPLIED, STATUTORY OR OTHERWISE, INCLUDING IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT, ACCURACY OF RESULTS, AVAILABILITY, OR RELIABILITY, TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW. SPECIFICALLY, HITRUST MAKES NO WARRANTY THAT: (i) THE SERVICES, CONTENT, AND DOCUMENTATION, OR COMPONENTS ASSOCIATED THEREWITH, WILL MEET YOUR REQUIREMENTS OR EXPECTATIONS, (ii) YOUR ACCESS TO THE SERVICES, CONTENT, AND DOCUMENTATION WILL BE UNINTERRUPTED, TIMELY, SECURE, OR ERROR-FREE, OR (iii) THAT THE SERVICES, CONTENT, AND DOCUMENTATION, OR COMPONENTS ASSOCIATED THEREWITH, WILL BE COMPLETE AND ACCURATE. CUSTOMER ASSUMES THE SOLE RISK OF USING AND/OR RELYING ON THE SERVICES, CONTENT, AND DOCUMENTATION, OR COMPONENTS ASSOCIATED THEREWITH. EACH PARTY DISCLAIMS ALL LIABILITY AND INDEMNIFICATION OBLIGATIONS FOR ANY HARM OR DAMAGES CAUSED BY ANY THIRD-PARTY HOSTING PROVIDERS. HITRUST IS NOT RESPONSIBLE FOR ANY POSTINGS PROVIDED BY CUSTOMER OR ANY OTHER PERSON THAT ARE AVAILABLE THROUGH OR FROM THE SERVICES OR CONTENT. HITRUST MAY MAKE MODIFICATIONS TO THE SERVICES, CONTENT, AND DOCUMENTATION, OR COMPONENTS ASSOCIATED THEREWITH, AT ANY TIME AND FOR ANY REASON.
8. INDEMNIFICATION
Customer shall defend, indemnify, and hold harmless HITRUST and all of its Affiliates, and each of their respective directors, officers, shareholders, members, owners, managers, agents, attorneys, employees, and representatives for, from, and against any and all suits, claims, liabilities, causes of action, obligations, losses, damages, and costs (including attorneys’ fees) incurred as a result of a third-party claim: (i) alleging that Customer Data or Customer’s use of Customer Data with the Services and Content infringes, misappropriates, or violates the intellectual property rights, privacy rights, or any other right of a third party; (ii) arising out of or relating to Customer’s or Users’ use of HITRUST’s Property in violation of applicable laws, rules, or regulations, or the Agreement; or (iv) arising out of or relating to Customer’s or Users’ gross negligence or willful misconduct; provided that HITRUST: (a) promptly gives written notice of the claim to Customer; (b) gives Customer sole control of the defense and settlement of the claim (provided that Customer may not settle or defend any claim unless it unconditionally releases HITRUST of all liability); and (c) provides to Customer, at Customer’s cost, all reasonable assistance.
9. LIMITATION OF LIABILITY; EXCLUSION OF DAMAGES
9.1. Limitation of Liability. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT SHALL THE AGGREGATE LIABILITY OF HITRUST, HITRUST’S AFFILIATES, AND HITRUST’S AND ITS AFFILIATES’ LICENSORS, SERVICE PROVIDERS, EMPLOYEES, AGENTS, OFFICERS, AND DIRECTORS ARISING OUT OF OR RELATED TO THE AGREEMENT EXCEED AN AMOUNT EQUAL TO THE FEES PAID BY CUSTOMER TO HITRUST HEREUNDER DURING THE TWELVE (12) MONTH PERIOD IMMEDIATELY PRECEDING THE FIRST EVENT GIVING RISE TO LIABILITY. THE FOREGOING LIMITATION WILL APPLY WHETHER AN ACTION IS IN CONTRACT OR TORT AND REGARDLESS OF THE THEORY OF LIABILITY BUT WILL NOT LIMIT CUSTOMER’S AND ITS AFFILIATES’ PAYMENT OBLIGATIONS UNDER THE “FEES AND PAYMENT FOR SERVICES” SECTION ABOVE.
9.2. Exclusion of Damages. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, HITRUST, HITRUST’S AFFILIATES, AND HITRUST’S AND ITS AFFILIATES’ LICENSORS, SERVICE PROVIDERS, EMPLOYEES, AGENTS, OFFICERS, AND DIRECTORS SHALL NOT BE LIABLE FOR ANY INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES (INCLUDING BUT NOT LIMITED TO DAMAGES FOR LOSS OF BUSINESS, LOSS OF DATA, LOSS OF PROFITS, OR THE LIKE) ARISING UNDER THE AGREEMENT, OR RELATED TO THE SERVICES OR CONTENT, WHETHER BASED ON BREACH OF CONTRACT, BREACH OF WARRANTY, TORT (INCLUDING NEGLIGENCE), PRODUCT LIABILITY, OR OTHERWISE, EVEN IF HITRUST HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES, AND EVEN IF A REMEDY SET FORTH HEREIN IS FOUND TO HAVE FAILED OF ITS ESSENTIAL PURPOSE. THE LIMITATIONS OF DAMAGES SET FORTH ABOVE ARE FUNDAMENTAL ELEMENTS OF THE BASIS OF THE BARGAIN BETWEEN CUSTOMER AND HITRUST.
10. TERM AND TERMINATION
10.1. Term of Agreement. Unless otherwise specified in the applicable Order Form, the initial term of this Agreement shall begin on the Effective Date and continue for the period as specified in the Order Form (the “Initial Term”), and will automatically renew for successive twelve (12) month periods (each, a “Renewal Term”) (collectively, the Initial Term, together with all Renewal Terms (if any), the “Term”), unless (i) either Party provides written notice of non-renewal no less than thirty (30) days prior to the end of the Initial Term or then-current Renewal Term, as applicable, or (ii) earlier terminated as provided in this Section 10.
10.2. Termination. A Party may terminate the Agreement or any Order Form hereunder for cause (i) if the other Party materially breaches any obligation under the Agreement and such breach remains uncured thirty (30) days after written notice thereof, or (ii) immediately if the other Party becomes the subject of a petition in bankruptcy or any other proceeding relating to insolvency, receivership, liquidation, or assignment for the benefit of creditors. In addition, HITRUST may terminate the Agreement or any Order Form hereunder immediately if (i) Customer introduces Malicious Code into the Services or any of HITRUST’s systems or networks, (ii) Customer uses any of HITRUST’s Property for an illegal purpose or any purpose not expressly authorized hereunder, (iii) Customer is or becomes a direct competitor of HITRUST, (iv) Customer undergoes a change of control where voting or other control of its company is acquired, directly or indirectly, in a single transaction or series of related transactions by a direct competitor of HITRUST, or (v) a majority of Customer assets or equity interests are acquired by a direct competitor of HITRUST. For the avoidance of doubt, in the event the Agreement is terminated, all Order Forms thereunder shall also immediately terminate.
10.3. Procedure Upon Termination. Immediately upon expiration or termination of the Agreement or any Order Form hereunder, Customer will discontinue all access to and use of the Services. Customer will not attempt to gain access to any such Services, and Customer will return to HITRUST or, at HITRUST’s option, destroy all copies of HITRUST’s Property in Customer’s possession.
10.4. Refund or Payment upon Termination. If the Agreement or any Order Form hereunder is terminated by Customer for cause in accordance with Section 10.2 (Termination), HITRUST will refund to Customer any prepaid Fees covering the remainder of the Term of the applicable Order Form. If the Agreement or any Order Form hereunder is terminated by HITRUST in accordance with Section 10.2 (Termination), Customer will pay any unpaid Fees covering the remainder of the Term of such applicable Order Form. In no event will termination relieve Customer of its obligation to pay any Fees due to HITRUST for the period prior to the effective date of termination.
10.5. Customer Data Portability and Deletion. Upon request by Customer made within thirty (30) days after the effective date of termination or expiration of the Agreement or of an Order Form, HITRUST will make Customer Data available to Customer for export or download. After such 30-day period, HITRUST will have no obligation to maintain or provide Customer Data, and, as provided in the Documentation, will thereafter delete or destroy all such copies of Customer Data in HITRUST’s systems, or otherwise in its possession or control, unless legally prohibited.
10.6. Surviving Provisions. Section 4 (Fees and Payment for Services), Section 5 (Proprietary Rights and Licenses), Section 6 (Confidentiality), Section 7.5 (Disclaimers), Section 8 (Indemnification), Section 9 (Limitation of Liability; Exclusion of Damages), Section 10.4 (Refund or Payment upon Termination), Section 10.5 (Customer Data Portability and Deletion), Section 10.6 (Surviving Provisions), and Section 11 (General Provisions) will survive any termination or expiration of this Agreement, and Section 2.4 (Protection of Customer Data) will survive any termination or expiration of this Agreement for so long as HITRUST retains possession of Customer Data.
11. GENERAL PROVISIONS
11.1. Notices. Any notice, demand, request, or other communication required or permitted to be given under the Agreement must be made in writing, properly addressed to the Party to receive notice at the office address and/or email address set forth on the most recent Order Form, or at such other office address or email address as such Party may hereafter designate by written notice (electronic mail shall suffice) to the other Party. Notices will be deemed received: (i) upon receipt, if personally delivered; (ii) on the next business day after delivery to a nationally-recognized overnight courier service; (iii) on the third business day after deposit with the U.S. Postal Service if sent by certified or registered mail, return receipt requested, postage prepaid; or (iv) if by electronic mail, upon confirmed receipt by the receiving Party. Billing-related notices to the Customer shall be addressed to the relevant billing contact designated by Customer in the applicable Order Form.
11.2. Agreement to Governing Law; Forum Selection; Attorneys’ Fees. The Agreement (and the rights and obligations of the Parties with respect to their relationship under this Agreement) are governed by and must be construed and enforced in accordance with the laws of the State of Texas, excluding its conflict of laws rules to the extent such rules would apply the law of another jurisdiction. The Parties hereto consent to the jurisdiction of the State of Texas and agree that venue of any suit arising in connection with this Agreement shall be exclusively in the state or federal courts having jurisdiction over Collin County, Texas. In the event of any litigation involving the construction or interpretation of the Agreement, the prevailing Party shall be entitled to recover from the non-prevailing Party all costs, including reasonable attorneys’ fees.
11.3. Export Compliance. The Services, Content, other technology HITRUST makes available, and derivatives thereof, may be subject to export laws and regulations of the United States and other jurisdictions. Each Party represents that neither it nor any of its owners, directors, or officers is named on any U.S. government denied-party list. Customer shall not permit Users to access or use any Service or Content in a U.S.-embargoed country or region or in violation of any U.S. export law or regulation.
11.4. Anti-Corruption. Customer has not received or been offered any illegal or improper bribe, kickback, payment, gift, or thing of value from any of HITRUST’s employees or agents in connection with the Agreement. Reasonable gifts and entertainment provided in the ordinary course of business do not violate the above restriction. If Customer learns of any violation of the above restriction, Customer will use reasonable efforts to promptly notify HITRUST at notices@hitrustalliance.net.
11.5. Assignment. Customer shall not transfer or assign the Agreement or any rights or obligations under the Agreement (whether by operation of law or otherwise) or delegate any duties under the Agreement without the prior written consent of HITRUST, which consent may be withheld in its sole discretion, and any purported attempt to do so in violation of this Section will be null and void. Notwithstanding the foregoing, the Agreement is binding upon and inures to the benefit of the Parties hereto and their respective successors and permitted assigns.
11.6. Relationship of the Parties. The relationship between HITRUST and Customer has been and will continue to be that of independent contractors. Neither Party is the legal representative, agent, joint venturer, partner, employee, or employer of the other Party under the Agreement for any purpose whatsoever. Neither Party has any right, power, or authority under the Agreement to assume or create any obligation of any kind or to make any representation or warranty on behalf of the other Party, whether expressed or implied, or to bind the other Party in any respect.
11.7. Third-Party Beneficiaries. HITRUST’s Content licensors shall have the benefit of HITRUST’s rights and protections hereunder with respect to the applicable Content. There are no other third-party beneficiaries under the Agreement.
11.8. No Waiver; Cumulative Remedies. No failure or delay by either Party in exercising any right under the Agreement will constitute a waiver of that right. Other than as expressly stated herein, the remedies provided herein are in addition to, and not exclusive of, any other remedies of a Party at law or in equity.
11.9. Severability. If any provision of the Agreement is held by a court of competent jurisdiction to be contrary to law, the provision will be deemed null and void, and the remaining provisions of the Agreement will remain in effect.
11.10. Headings. The headings in the Agreement are provided for convenience only and do not affect its meaning.
11.11. Force Majeure. Neither Party will be liable nor be deemed to have defaulted under or breached the Agreement for any failure or delay in fulfilling or performing any obligation of the Agreement (except for Customer obligations to make payments hereunder) for any delays, changes in performance, or nonperformance directly or indirectly resulting from circumstances or causes beyond its reasonable control, including, without limitation, fire, epidemic, or other casualties, act of God, strike or labor dispute, war or other violence, or any law, order, or other requirements of any governmental agency or authority, or any problem, issue, order, cancelation, or other similar act by a third party based on which the Party is unable to perform its obligations as described herein (each a “Force Majeure Event”).
11.12. Counterparts. The Agreement may be executed in counterparts, by manual, facsimile, email (via signed .pdf documents exchanged via email), or electronic signature, each of which will be deemed an original and all of which together will constitute one and the same instrument.
11.13. Entire Agreement and Order of Precedence. The Agreement is the entire agreement between Customer and HITRUST regarding Customer’s use of HITRUST’s Property, and any other products and services hereunder, and supersedes all prior and contemporaneous agreements, proposals or representations, written or oral, concerning its subject matter. No modification, amendment, or waiver of any provision of the Agreement will be effective unless in writing and signed by the Party against whom the modification, amendment, or waiver is to be asserted. Notwithstanding any language to the contrary therein, no terms or conditions stated in Customer’s purchase order(s) or in any other Customer order documentation (excluding HITRUST’s Order Forms) shall be incorporated into or form any part of the Agreement, and all such terms or conditions shall be null and void. In the event of any conflict or inconsistency among the following documents, the order of precedence shall be: (1) the applicable HITRUST Order Form, (2) this Agreement, and (3) the Documentation.