Lynx.MD Terms and Conditions
These terms and conditions (the “Agreement”) constitute a binding contract between the Lynx entity identified pursuant to Sections 14.1-14.2 below (“Lynx”, "we", "us", "our"), and you, the user accessing Lynx’s Service (“User”).
1.1. “Accepted PO” means, where applicable, a purchase order document that User’s organization has accepted or signed (if any), specifying, among others, the User’s details, their designation either as a “Data Provider” or “Data Consumer”, the Fees, and payment terms applicable to this Agreement, and where applicable also the Service enrollment plan and subscription cycle applicable to the User, and the usage metrics, parameters, and limitations for the User’s use of the Service. Such Accepted PO, if signed, is incorporated by reference to this Agreement, it is subject to the Agreement and constitutes an integral part of it.
1.2. “Business Associate Agreement” means the agreement available below on this web page.
1.3. “Confidential Information” means any information disclosed by one party (“Disclosing Party”) to the other (“Receiving Party”) regarding past, present, or future marketing and business plans, customer lists, lists of prospective customers, technical, financial or other proprietary or confidential information of the Disclosing Party, formulae, concepts, discoveries, data, designs, ideas, inventions, methods, models, research plans, procedures, designs, formulations, processes, specifications and techniques, prototypes, samples, analyses, computer programs, trade secrets, methodologies, techniques, non-published patent applications, Input and Output (as such terms are defined below) and any other data or information, as well as improvements and know-how related thereto.
1.4. “Data Protection Law” means (a) with respect to Medical Data subject to the laws of the United States: the U.S. federal Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191 (“HIPAA”), the Health Information Technology for Economic and Clinical Health Act, Title XIII of the American Recovery and Reinvestment Act of 2009 (“HITECH”), and related regulations promulgated by the Secretary of the Department of Health and Human Services or his or her designee; and (b) with respect to Medical Data subject to the laws of the State of Israel: the Israeli Protection of Privacy Law, regulations promulgated thereunder and binding guidelines of the Israeli Privacy Protection Authority, the Israeli Patient’s Rights Law, and the directives and applicable circulars issued by the Israeli Ministry of Health relating to secondary use of Medical Data for research purposes.
1.5. “Data Consumer” means User using the Service to access De-Identified Medical Data available from one or more Data Providers.
1.6. “Data Provider” means an entity that makes De-Identified Medical Data available to Data Consumer through the Service.
1.7. “Data Provider Agreement” means an agreement executed by and between the Data Consumer and the Data Provider, pursuant to which Medical Data or De-Identified Medical Data will be made available to the Data Consumer through the Service.
1.8. “De-Identify” (and its cognate terms) means (a) with respect to Medical Data subject to the laws of the United States: to de-identify in accordance with 45 C.F.R. § 164.514(b); and (b) with respect to Medical Data subject to the laws of the State of Israel: to de-identify in accordance with the applicable circulars issued by the Israeli Ministry of Health relating to secondary use of Medical Data for research purposes, as amended or superseded.
1.9. “Documentation” means the manuals, technical guide, and publication, relating to the Service and issued by Lynx, all of which shall be consistent with and subject to the terms of this Agreement.
1.10. “Feedback” means information or content concerning enhancements, changes, or additions to the Service, or other Lynx offerings, that are requested, desired, or suggested by the User.
1.11. “Fees” means the amount due and payable by the User to Lynx as specified in the Accepted PO, if signed.
1.12. “Input” means any content, information, code, and data (including, but not limited to, Medical Data) uploaded by User or any third party on its behalf, to the Service.
1.13. “Intellectual Property Rights” means all rights under the laws of any jurisdiction in the world with respect to patent, copyrights, trademark rights and know-how, and any and all other intellectual property rights, including, without limitation, designs, ideas, concepts, inventions, innovations, original works of authorship, formulas, algorithms, computer code, concepts, techniques, methods, systems, processes, compositions of matter, materials and trade secrets; each of the above whether or not patentable, copyrightable or protectable as trade secrets, irrespective of whether it has been registered in a patent, copyright, trademark or other form, and irrespective of whether it constitutes a commercial or trade secret.
1.14. “Medical Data” means health information relating to an identifiable individual (including, where subject to the laws of the United States, protected health information as defined by HIPAA and 45 C.F.R. § 160.103; and where subject to the laws of Israel, as such term is defined in the Patient's Rights Law, 5756 - 1996), together with any other medical data and information directly or indirectly relating to an identifiable individual’s medical condition or medical treatment, clinical records such as medication, diagnoses and other treatment entries, imaging and genetic data, logistics and financial records relating to treatment, payment for treatment, and information about the individual’s behavior which can impact their medical condition or the treatment given to them.
1.15. “Output” means any subset or derivative of the Input, and De-Identified information that is created by the Service or by a Data Provider and made available through the Service to the User who is a Data Consumer.
1.16. “Service” means Lynx’s proprietary cloud-based software-as-a-service solution, enabling to upload Inputs and access Outputs, including without limitation any computer software, algorithms whether in source code and/or object code, scripts, APIs, and any derivatives, enhancements, and modifications thereto and/or improvements thereon and any Intellectual Property Rights therein.
1.17. “Service Data” means statistical or aggregated information about User’s use of the Service, performance of the Service, its compatibility and interoperability. Service Data expressly excludes any Input and Output.
1.18. “Term” means the period of this Agreement as specified in Section 11 below.
2. Interpretation. The following order of precedence shall apply to the documents signed by the User and Lynx:
2.1.1. Business Associate Agreement (if applicable as per Section 6.3)
2.1.2. This Agreement;
2.1.3. Accepted PO (if signed); and
3. Access to the Service
3.1. Subject to the provisions of this Agreement, Lynx grants the User access to use the Service (including by way of the User uploading Input for processing and use on the Service), and to access and use the Output, during the Term, strictly for the purposes permitted under the Data Provider Agreement, or if no Data Provider Agreement is in place regarding the Output, then, subject to applicable law, for commercially oriented, scientific-oriented, or academic-oriented research purposes.
3.2. The User authorizes Lynx to process the Input provided by User, solely for the purpose of operating and providing the Service to the User as specified in section 3.1 above.
3.3. If the User acts as a Data Provider, then subject to the provisions of this Agreement, the usage parameters, limits, and metrics specified in the Accepted PO, Lynx grants such User a subscription-based access, during the Term, to use the Service to upload Medical Data or De-Identified Medical Data, for the purpose of having the Service De-Identify such Medical Data (if not already De-Identified) and make the De-Identified Medical Data available both to the Data Provider and, subject to monetary consideration, to other Users, for commercially oriented, scientific-oriented or academic-oriented research purposes (and for illustrating to Users the availability of such De-Identified information and its utility for the above purposes). This Section 3.3 does not apply if Lynx has a separate agreement with the Data Provider governing its access to and use of the Service.
3.4. The User shall use the Service in accordance with the Documentation.
3.5. The Service includes certain open-source code software and materials (as may be listed in the Documentation and updated from time to time (“Open Source Software”)), that are subject to their respective open-source licenses (“Open Source Licenses”). Such Open Source Licenses contain a list of conditions with respect to warranty, copyright policy and other provisions. Lynx warrants and represents that nothing in the Open Source Licenses restricts or otherwise prevents granting the User the rights to access and use the Service, Input, and the Output pursuant to this Agreement.
3.6. The Data Provider and Lynx recognize that subsequent to a Data Consumer’s research based on the Output, the Data Consumer may need to provide a copy of the specific data segment it has used in the research, to regulatory authorities, for example, in connection with the Data Consumer’s application for regulatory certification or approval of a pharmaceutical drug or medical device. To facilitate the foregoing, Lynx will provide the Data Provider with the information necessary to enable the Data Provider to identify the original, specific data segment from which the Output originated, so that the Data Provider may, if it elects, retain the correct copy of the original, specific data segment.
4.1. The User shall not:
4.1.1. transfer or assign the access to the Service or any part thereof to any third party, with or without consideration;
4.1.2. remove, or in any manner alter, any product identification, proprietary, trademark, copyright or other notices contained in the Service;
4.1.3. interfere with, or disrupt the Service’s functionality;
4.1.4. work around any technical limitations of the Service;
4.1.5. knowingly breach the security of the Service; identify, probe, or scan any security vulnerabilities in the Service;
4.1.6. use any tool to enable features or functionalities that are otherwise disabled, inaccessible or undocumented in the Service;
4.1.7. knowingly send any virus, worm, Trojan horse or other malicious or harmful code or attachment;
4.1.8. use robots, crawlers and similar applications to scrape, harvest, collect or compile content from or through the Service;
4.1.9. attempt to re-identify the De-Identified Output;
4.1.10. decompile, disseminate, disassemble, recreate, generate, reverse assemble, reverse compile, reverse engineer, or otherwise attempt to identify the underlying source code of the Service; or
4.1.11. use the Service in order to develop, or create, or permit others to develop or create a product or service similar or competitive to the Service.
4.2. Without prejudice to any other right Lynx has under the Agreement or under law, Lynx may employ technological measures to detect and prevent fraudulent or unauthorized use of the Service. Lynx may suspend the User’s use of the Service following notice to the User and discussion in good-faith with the Data Provider (if a Data Provider Agreement is in place) and the User, if Lynx reasonably believes that the User’s continued use of the Service is fraudulent or unauthorized.
5. Representations and Obligations
5.1. Lynx and the User each represent and warrant that they have the full corporate or personal power and authority to enter into and perform this Agreement and have taken all necessary action to authorize the entry into and performance of this Agreement.
5.2. The User represents and warrants that it has the full power and authority to upload the Input it uploads to the Service for processing and use in accordance with Section 3.2, and that the foregoing does not constitute a default under, or breach of, any agreement, undertaking or other instrument which the User is bound by.
5.3. Lynx and the User shall comply with: (A) all applicable laws in the performance of their respective duties and obligations under this Agreement; and (B) the Business Associate Agreement, if applicable as between Lynx and the User per Section 6.3. In particular, the User shall comply with all applicable laws with respect to uploading Input to the Service for processing and use in accordance with Section 3.2. User shall obtain and maintain during the term of the Agreement, all necessary approvals, permissions, and authorization required under applicable law and Data Protection Law (if at all required) to upload the Input for processing and use in accordance with Section 3.2. The Data Provider shall obtain and maintain during the term of the Agreement, all necessary approvals, permissions, and authorization required under applicable law and Data Protection Law (if at all required) to upload the Medical Data or De-Identified Medical Data for processing and use in accordance with Section 3.3.
5.4. To facilitate Lynx’s proper provision of the Service, the User shall provide Lynx and its personnel with such cooperation and information as reasonably requested by Lynx.
5.5. The User is exclusively responsible for maintaining the security of its own internal network and safeguarding it from unauthorized access. The User’s access to the Service is authenticated by a username and password, or by other means of authentication Lynx may establish from time to time. The User is responsible for maintaining the confidentiality of their credentials.
5.6. The User assumes the exclusive responsibility for all activities that it, or others on its behalf conduct through the Service, and for all consequences resulting from such activities or actions.
5.7. Lynx will implement security measures in connection with the Service, which are designed to safeguard the Input and the Output. For information on Lynx’s privacy practices, the security measures it takes and how it is committed to protecting Medical Data, Input and Output within the Service, please review Annex A below.
6. Service Data; HIPAA Business Associate
6.1. User acknowledges and agrees that Lynx will handle and use (by itself or by using trusted third-party service providers) the Service Data as follows:
6.1.1. To provide the Service to User, conduct administrative and technical activities necessary to maintain and provide the Service and to improve and customize the Service;
6.1.2. To conduct analysis or generate metrics related to the Service;
6.1.3. For commercial and marketing purposes, publication of case studies and white papers regarding the Service itself (only in a form not identifying the User and not disclosing the Input or Output);
6.1.4. To bill and collect fees (if applicable), to enforce this Agreement, and to take any action in any case of dispute or legal proceeding of any kind involving User with respect to this Agreement;
6.1.5. To prevent fraud, misappropriation, infringements, and other illegal activities and misuse of the Service;
6.1.6. To develop new products and services, and for research and testing, provided that no information identifying the User is publicly shared and that the Input and Output are not used.
6.2. The User will not be entitled to any remuneration from Lynx for the foregoing uses.
6.3. If the User’s organization is domiciled in the United States, and it is a Data Provider that uploads to the Service Medical Data that is subject to HIPAA and is not in De-Identified form (or otherwise shares with Lynx Medical Data that is subject to HIPAA), then the parties agree to be bound by the Business Associate Agreement which is hereby incorporated by reference to this Agreement.
7. Intellectual Property
7.1. Lynx acknowledges and agrees that, as between Lynx and the User, the User is the sole and exclusive owner of the Input the User has uploaded to the Service. Lynx acknowledges and agrees that, as between Lynx and the Data Provider, the Data Provider is the sole and exclusive owner of the Medical Data and De-Identified Medical Data that it has uploaded to the Service.
7.2. User may provide Lynx with Feedback, including information pertaining to bugs, errors and malfunctions of the Service, performance of the Service, content and accuracy of the Service, the Service’s compatibility and interoperability, and information or content concerning enhancements, changes, or additions to the Service that User requests, desires, or suggests. User gives Lynx the full and free-of-charge right to use such Feedback, including the right to make commercial use thereof, for any purpose Lynx deems appropriate.
7.3. The Service itself is a proprietary offering of Lynx, protected under copyright laws and international copyright treaties, patent law, trade secret law and other intellectual property rights of general applicability. The Service is offered to the User for use and access only in accordance with the terms of this Agreement and is not sold in any way.
7.4. All rights, title, and interest, including copyrights, patents, trademarks, trade names, trade secrets and other intellectual property rights, and any goodwill associated therewith, in and to the Service, or any part thereof, including computer code, graphic design, layout and the user interfaces of the Service, (but excluding the Input and the Output) whether or not based on or resulting from Feedback, are and will remain at all times, owned by, or licensed, to Lynx.
7.5. Subject to User’s prior written consent, Lynx may identify User as a User and indicate User as a user on its website and in other online or offline marketing materials and press releases. Where the User grants its consent pursuant to the foregoing, the User thereby also grants Lynx a worldwide, non-exclusive, non-transferable, royalty-free, and free of charge, license, to use User’s name, logo, and website URL on its website and in other online or offline marketing materials relating to the Service. Lynx will use this content strictly in accordance with any usage guidelines provided by the User in advance.
7.6. In the event that the Service is found to be infringing Intellectual Property Rights of third parties, or if Lynx, based on the advice of competent IP litigator, believes the Service is likely to be found to be infringing Intellectual Property Rights of third parties, as a result of which Lynx is prohibited from operating the Service, Lynx shall, at its own choice and expense: (i) Modify or substitute the Service so that it is no longer infringing but retain substantially similar features and functionality; (ii) Obtain any required license or right that would enable it to fulfill its obligations and provide the services under this Agreement; or (iii) if Lynx is unable to perform sub-section (i) and despite its best commercial efforts, is unable to obtain the license or right (as the case may be) under sub-section (ii) under commercially reasonable terms, Lynx may terminate this Agreement subject to a reasonable prior notice in writing to the Data Provider and to the User, and such termination shall be without liability of Lynx to the User.
8.1. Each party to this Agreement must hold any Confidential Information in confidence using the same degree of care, but in no case less than a reasonable degree of care, that it uses to prevent the unauthorized dissemination or publication of its own confidential information.
8.2. A Receiving Party may use Confidential Information only for the purpose of (i) performing the Data Provider Agreement (where applicable); and (ii) performing or enforcing this Agreement. A Receiving Party may disclose Confidential Information only to third parties who need to know the information for the purpose of performing or enforcing this Agreement, and who are bound by appropriate confidentiality and restricted-use obligations regarding that Confidential Information.
8.3. The obligations regarding Confidential Information shall not apply to information that: (i) is now or subsequently becomes generally available in the public domain through no fault or breach on Receiving Party's part; (ii) Receiving Party can demonstrate in its prior established records to have had rightfully in Receiving Party's possession prior to disclosure of the same by the Disclosing Party; (iii) Receiving Party can demonstrate by written records that it had rightfully obtained the same from a third party who has the right to transfer or disclose it, without default or breach of confidentiality obligations; (iv) Disclosing Party has provided its prior written approval for disclosure; or (v) Receiving Party is required to disclose pursuant to a binding order or request by court or other governmental authority, or a binding provision of applicable law, provided that, to the extent permissible, Receiving Party provide the Disclosing Party notice of the requested disclosure as soon as practicable, to allow the Disclosing Party, if it so chooses, to seek an appropriate protective or preventive order.
9. Technical Support; Availability
9.1. During the Term, Lynx, either directly or with the assistance of third parties, will provide User technical support for technical issues regarding the Service. Lynx will attempt to respond to User’s technical questions, problems, and inquiries as soon as practicably possible. Where Lynx and a Data Provider have agreed to an SLA applicable to particular Users, in accordance with Lynx’s SLA separately agreed between Lynx and the Data Provider and conveyed to the User (“SLA”), that SLA shall control and apply to the User. For the purpose of the provision of technical support for the User’s technical questions, problems and inquiries, the User will cooperate, and work closely with Lynx, to reproduce malfunctions, including conducting diagnostic or troubleshooting activities, as Lynx reasonably requests.
9.2. Lynx may suspend the Service for planned maintenance work (‘Planned Maintenance’) or for rectifying critical outages (‘Unplanned Maintenance’). In relation to Planned Maintenance, Lynx shall provide the User at least 14 calendar days’ prior notice stating the scope, time, and duration of the Planned Maintenance. In relation to Unplanned Maintenance, Lynx shall endeavor to provide the User with such advance notice as is reasonably practicable in the circumstances.
10.1. If an Accepted PO has been signed, then in consideration of the Service, the User will pay Lynx the fees specified in the Accepted PO according to the payment schemes, payment terms and payment cycles specified therein.
10.2. If User is a Data Provider, then in consideration for the monetization of the Data Provider’s De-Identified Medical Data, Lynx will remit to the Data Provider the “Access Fee Revenue” specified in the Accepted PO, in accordance with the payment schemes, payment terms and payment cycles specified therein. This Section 10.2 does not apply if Lynx has a separate agreement with the Data Provider governing its access to and use of the Service.
10.3. User’s failure to settle any overdue fee within thirty (30) calendar days of its original due date constitutes a material breach of this Agreement and, without limiting any remedies available to Lynx, Lynx may: (i) terminate this Agreement in accordance with, and subject to, the procedure set forth in Section 11.2.2 below; or (ii) suspend performance of or access to the Service, following notice to the User and discussion in good-faith with the Data Provider (if a Data Provider Agreement is in place), until payment is made current. Late payments shall bear interest at the rate of six percent (6%) per annum. User will reimburse Lynx for all legal costs and attorney fees Lynx incurs in the course of collecting User’s overdue fees.
10.4. All Fees due to Lynx are quoted in US Dollars and, if an Accepted PO has been signed, the User shall pay Lynx in US Dollars, unless stated differently in the Accepted PO. Fees are payable by the methods indicated in the Accepted PO. Lynx may, from time to time, and without specific notice to User, add additional payment methods to the then-current payment methods, or cease to use previously supported payment methods. User represents and warrants that it is lawfully permitted to use the selected payment method in connection with the Service. Lynx may require additional information from User before completing payment transactions. User must keep the billing information it provides to Lynx current, complete, and accurate, and notify Lynx promptly in case of any change in User’s billing information. By providing any credit card, online account or bank information, User authorizes Lynx to automatically charge or debit the selected payment method for the full amount due on a recurring basis (if applicable) until User notifies us in writing with an alternative, authorized payment method. User must ensure that it has sufficient funds or credit (as applicable) associated with the selected method of payment. User understands that the amounts charged or debited may vary and that this authorization will remain in effect until the expiration or termination of this Agreement. If a payment is returned from a bank account for insufficient or uncollected funds or erroneous information, Lynx may reinitiate the returned debit to the applicable bank account.
10.5. If an Accepted PO has been signed, Lynx may update the Fees applicable to the Accepted PO by prior written notice to the User of at least 30 days. If a Data Provider Agreement is in effect covering the Data Consumer, Lynx may effectuate such update to the Fees applicable to the Data Consumer only where: (a) such an update is necessary due to increased third-party costs (e.g., cloud service provider costs), or (b) such an update is done not more than once annually as a reasonably limited increase in non-third party costs (provided that where no Fees other than third-party costs apply in the first place, Lynx will not introduce non-third party costs other than for new features, enhanced performance, or broader usage capacity of the Service).
10.6. Payment may be processed and handled through relevant third-party payment processors. Any payments processed through third party payment processors are therefore subject not only to this Agreement, but also the terms and conditions of the applicable third-party payment processor pursuant to User’s agreement with them. User acknowledges that such third-party payment processors may charge commission from the User. Lynx is not responsible for such commission, which is strictly between User and the relevant payment processor. Fees that Lynx is unable to charge through the payment method User provided are deemed overdue fees.
10.7. If an Accepted PO has been signed, then unless stated differently in the Accepted PO, Fees due to Lynx are exclusive of any VAT, withholding tax or other governmental charges or transaction charges. User shall bear all such taxes and charges, excluding taxes based solely on Lynx’s net income.
11. Term and Termination
11.1. If an Accepted PO has been signed, then this Agreement will be in effect for the period or subscription cycle specified in the Accepted PO, and unless specified differently in the Accepted PO, it shall renew automatically for indefinite successive periods of equal length unless the User notifies Lynx in writing of the User’s desire not to renew the subscription at least 10 days before the end of the then-current cycle (the “Term”). Notwithstanding the foregoing, where a Data Provider Agreement is in effect covering the Data Consumer, the Term shall mean the term of the Data Provider Agreement.
11.2. Notwithstanding the above:
11.2.1. Lynx may terminate this Agreement for convenience upon 90 days prior written notice to User, but: (A) if a Data Provider Agreement is in effect covering the Data Consumer, Lynx will not terminate this Agreement with the Data Consumer for convenience so long as that Data Provider Agreement continues; and (B) if an Accepted PO has been signed which prohibits early termination for convenience, Lynx will not terminate this Agreement for convenience. In addition, if Lynx is entitled to terminate this Agreement for convenience as per the foregoing, Lynx may, in lieu of termination, inform the User, through a 90 days prior written notice, of amendments to this Agreement. The User’s continued use of the Services following the prior written notice period constitutes User assent to the amended Agreement, which then becomes binding on the parties henceforth.
11.2.2. Either party may terminate this Agreement in the event of a breach of this Agreement by the other party, where the breach remains uncured for thirty (30) days (in case of a material breach) or forty-five (45) days (in case of non-material breach) following written notice thereof from the non-breaching party to the breaching party (and, in the event of breach by the Data Consumer, a corresponding notice to the Data Provider where a Data Provider Agreement is in effect covering the Data Consumer), but if a breach is of a nature that cannot be cured, then the non-breaching party may terminate the Agreement following a seven (7) days’ notice to the other party (and, in the event of breach by the Data Consumer, a corresponding notice to the Data Provider where a Data Provider Agreement is in effect covering the Data Consumer); the foregoing notwithstanding, neither party shall terminate the Agreement without attempting, (together with the Data Provider where a Data Provider Agreement is in effect covering the Data Consumer), to resolve the dispute between the parties in an amicable manner.
11.2.3. Either party may terminate this Agreement if it is required to do so by law;
11.2.4. Either party may terminate this Agreement if the other party becomes or is declared insolvent or bankrupt, is the subject of any proceeding related to its liquidation or insolvency (whether voluntary or involuntary) which proceedings are not dismissed within sixty (60) days of their commencement, makes an assignment for the benefit of creditors, or takes or is subject to any such other comparable action in any relevant jurisdiction.
11.3. Following termination of this Agreement:
11.3.1. User’s access to and use of the Service will be terminated (and any associated data that remains will be deleted), 30 days from such termination (such period shall be referred to hereinafter as the “Additional Access Period”). During the Additional Access Period, Lynx will enable the User ordinary access to the Service in order to retrieve its data from the Service, and shall enable the User to (i) uninstall any program/software/code/algorithms etcetera that the User installed on the Service; and (ii) retrieve its data, subject to the provisions of Section 11.3.2 below. To dispel any doubt, the User shall pay Lynx for the Additional Access Period at the same rates of Lynx which apply to the User at the time of termination.
11.3.2. Within 5 calendar days of User’s instruction, Lynx will: (a) return to the User or delete all of the User’s Input that the User uploaded to the Service and the Output resulting from that Input; and (b) at the joint and consistent instructions of the respective Data Provider and Data Consumer, return or delete Input or Output stored on the Service which co-mingles the Data Provider’s Input with the Data Consumer’s Input.
11.3.3. Lynx will charge User for all then-outstanding Fees (if any).
11.4. The following sections of this Agreement will survive termination: 3.6, 6, 7, 10, and 12-15.
12. Limitation on Liability
12.1. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW AND EXCEPT IN THE EVENT OF INTENTIONAL MISCONDUCT, FRAUD, OR INFRINGEMENT OF A PARTY’S INTELLECTUAL PROPERTY RIGHTS BY THE OTHER PARTY, A PARTY, INCLUDING ITS EMPLOYEES, DIRECTORS, OFFICERS, SHAREHOLDERS, ADVISORS, AND ANYONE ACTING ON ITS BEHALF, WILL NOT BE LIABLE FOR ANY INDIRECT, INCIDENTAL, CONSEQUENTIAL, SPECIAL, STATUTORY OR PUNITIVE DAMAGES, LOSSES (INCLUDING LOSS OF PROFIT, LOSS OF BUSINESS OR BUSINESS OPPORTUNITIES AND LOSS OF DATA), COSTS, EXPENSES AND PAYMENTS, WHETHER IN TORT (INCLUDING NEGLIGENCE), CONTRACT, INDEMNITY, OR IN ANY OTHER FORM OR THEORY OF LIABILITY ARISING FROM, OR IN CONNECTION, WITH THIS AGREEMENT, ANY USE OF, OR THE INABILITY TO USE THE SERVICE, THE OUTPUT DATA, ANY RELIANCE UPON THE OUTPUT DATA OR ANY ERROR, INCOMPLETENESS, INCORRECTNESS OR INACCURACY OF THE SERVICE, OR THE OUTPUT DATA.
12.2. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW AND EXCEPT IN THE EVENT OF INTENTIONAL MISCONDUCT, FRAUD, INFRINGEMENT OF ONE PARTY’S INTELLECTUAL PROPERTY RIGHTS BY THE OTHER PARTY, A BREACH OF SECTION 8 (CONFIDENTIALITY), OR USER’S PAYMENT OBLIGATIONS TO LYNX PURSUANT TO SECTION 10, THE TOTAL AND AGGREGATE LIABILITY OF A PARTY (INCLUDING ITS RESPECTIVE EMPLOYEES, DIRECTORS, OFFICERS, SHAREHOLDERS, ADVISORS, AND ANYONE ACTING ON ITS BEHALF), FOR: (A) DIRECT DAMAGES ARISING OUT OF OR RELATED TO THIS AGREEMENT OR THE SERVICE, SHALL BE LIMITED TO THE FEES THE USER HAS PAID TO LYNX FOR THE SERVICE IN THE 12 MONTHS PRECEDING THE EVENT PURPORTEDLY GIVING RISE TO THE CLAIM; (B) BREACH OF SECTIONS 5 OR 8, THE BUSINESS ASSOCIATE AGREEMENT (IF APPLICABLE AS PER SECTION 6.3) OR THE INDEMNIFICATION OBLIGATIONS SET FORTH IN SECTION 13, SHALL BE CAPPED AT A TOTAL AND AGGREGATE OF TWO MILLION US DOLLARS.
13.1. The User and Lynx each agree to indemnify and hold harmless the other party and its directors, officers, employees, and subcontractors, from and against all claims, losses, costs, demands, causes of action, liabilities, expenses (including reasonable legal costs) and suits of whatsoever kind or nature made or brought by any third party to the extent it is based on: (a) the indemnifying party’s breach of its obligations under Sections 5 above; or (b) an allegation that the Service infringes the Intellectual Property Rights of a third party (excluding a claim alleging that the Service infringes the Intellectual Property Rights of a third party when the User uses the Service in breach of this Agreement).
13.2. The indemnified party shall promptly notify the indemnifying party in writing of any claim for which it seeks indemnification hereunder; provided that the failure to provide such notice shall not relieve the indemnifying party of its indemnification obligations hereunder except to the extent of any material prejudice directly resulting from such failure. The indemnifying party shall bear full responsibility for, and shall have the right to solely control, the defense (including any settlements) of any such claim; provided, however, that (a) the indemnifying party shall keep the indemnified party informed of, and consult with the indemnified party in connection with the progress of such litigation or settlement and (b) the indemnifying party shall not have any right, without the indemnified party’s written consent (which consent shall not be unreasonably withheld), to settle any such claim in a manner that does not unconditionally release the indemnified party. At the indemnifying party’s request, the indemnified party will provide reasonable cooperation with respect to any defense or settlement.
14. Governing Law and Jurisdiction
14.1. This Section 14.1 applies if the User’s organization is domiciled in the United States. The Lynx entity contracting with the User under this Agreement is Lynx US, Inc, a corporation incorporated under the laws of the State of Delaware, having its principal place of business at 550 California Avenue, Palo Alto, California, 94306. Regardless of User’s jurisdiction of incorporation, the jurisdiction where it engages in business, or accesses the Service from, this Agreement and User’s use of the Service will be exclusively governed by and construed in accordance with the laws of the State of California. Any dispute relating to this Agreement, or the Service shall be under the sole jurisdiction and venue of the California state courts located in San Francisco County, California, and the federal district court for the Northern District of California.
14.2. This Section 14.3 applies if the User’s organization is domiciled outside the United States. The Lynx entity contracting with the User under this Agreement is Lynx MD Ltd, a company registered under the laws of the State of Israel, with its principal place of business at 90 HaHashmonaim Street, Tel Aviv-Yafo, Israel. Regardless of User’s jurisdiction of incorporation, the jurisdiction where it engages in business or accesses the Service from, this Agreement and User’s use of the Service will be exclusively governed by and construed in accordance with the laws of the State of Israel. Any dispute relating to this Agreement, or the Service shall be under the sole jurisdiction and venue of the competent courts located in the Tel Aviv district in Israel.
14.3. Notwithstanding the foregoing, a party may lodge a claim against the other party: (a) pursuant to the indemnity clause above, in any court adjudicating a third-party claim against the other party; and (b) for interim, emergency, or injunctive relief in any other court having general jurisdiction over the other party.
15.1. Assignment. Except as set forth below, neither party may assign this Agreement without obtaining the other’s prior written consent. Except as set forth below, any purported assignment without both parties’ prior written consent is void. Either party may assign this Agreement in its entirety, including all rights, duties, liabilities, performances, and obligations herein, upon notice to the other party and without obtaining the other party’s further specific consent, to a third-party, upon a merger, acquisition, change of control or the sale of all or substantially all of the assigning party’s equity or assets. By virtue of such assignment, the assignee assumes the assignor’s stead, including all rights, duties, liabilities, performances, and obligations hereunder, and assignor shall be released therefrom.
15.2. Relationship of the Parties. The relationship between the parties hereto is strictly that of independent contractors, and neither Party is an agent, partner, joint venture, or employee of the other.
15.3. Subcontracting. Lynx may subcontract or delegate the performance of its obligations under this Agreement, or the provision of the Service (or any part thereof), to any third party of its choosing, provided, however, that it remains liable to User for the performance of its obligations under this Agreement.
15.4. Complete Terms and Severability. This Agreement constitutes the entire and complete agreement between the parties concerning the subject matter herein and supersedes all prior oral or written statements, understandings, negotiations, and representations with respect to the subject matter herein. If any provision of this Agreement is held invalid or unenforceable, that provision shall be construed in a manner consistent with the applicable law to reflect, as nearly as possible, the original intentions of the parties, and the remaining provisions will remain in full force and effect. Except as set forth in Section 11.2.1 above, this Agreement may not otherwise be modified or amended unless in writing, signed by the duly authorized representatives of both parties.
15.5. No Waiver. Neither party will, by the mere lapse of time, without giving express notice thereof, be deemed to have waived any breach, by the other party, of any terms or provisions of this Agreement. The waiver, by either party, of any such breach, will not be construed as a waiver of subsequent breaches or as a continuing waiver of such breach.
Annex A - Security Measures on the Lynx.MD Platform
This document details the security mechanisms that Lynx.MD activates on the work environment of users to protect their code, uploaded data, and generated work.
The execution area inside the data provider’s cloud environment where the analysts work
All assets and by-products of the work on the Lynx platform, in the form of code, data, and files residing in the Work Environment.
All data assets (datasets and data sources) made available for interaction in the Work Environment.
Data can be structured or unstructured (EMR, radiology, genomics, etc.)
1. AUTHENTICATION AND AUTHORIZATION
Users are logged into the Lynx platform using a multi-factor authentication mechanism.
The first factor is username and password and the second factor is a text message or one-time password (OTP).
All Work Environment access and Data access are controlled, and authorized only when a sufficient permission level is met. Only then is access granted.
2. ISOLATION AND NETWORK SECURITY
The Work Environment operates in an isolated manner, with no internet connection.
All communications in and out of the Work Environment are through a handpicked set of services, IP addresses, and ports (e.g., Lynx package repository, Lynx Privacy Firewall, etc.).
The Work Environment is isolated from the rest of the environment. All Work Environments are in a separate private subnet and are governed by a set of security groups to enforce IP and port restrictions.
All Data is encrypted at rest using AES-256-GCM symmetric encryption and in-transit with TLS v1.2.
Keys are managed and rotated by Lynx using AWS KMS.
All Work Products in the Work Environment are backed up once a day and kept for 30 days.
Note that backups older than 30 days and work lost between the daily backups will not be saved and are not restorable.
5. LOGGING AND MONITORING
All activity in the Work Environment is monitored and logged for privacy and security purposes.
6. VULNERABILITY SCANS
The Work Environment set up by Lynx is scanned for known vulnerabilities before the release of a new version. Packages available for installation from the Lynx package repository are scanned periodically for known vulnerabilities.
Work Products and files uploaded by the user to the Work Environment are not scanned for vulnerabilities and, if harmful, may interfere with the user's work. Therefore, user discretion is required and user-implemented security measures are mandatory.
7. ANTI-MALWARE SCANS
All Data is scanned for malware when uploaded to the Lynx platform.
Work Products and files uploaded by the user to the Work Environment are not scanned for malware and, if harmful, may interfere with the user's work. Therefore, user discretion is required and user-implemented security measures are mandatory.
BUSINESS ASSOCIATE AGREEMENT
This Business Associate Agreement (the “Agreement”) is entered into on the commencement of the Accepted PO (the “Effective Date”), by and between the Lynx entity identified in Sections 14.2 – 14.2 of the Terms and Condition which this Business Associate Agreement is incorporated by reference into (“Business Associate”), and the organization identified in the Accepted PO (“Covered Entity”). Business Associate and Covered Entity will each be referred to as a “Party”, and both collectively, the “Parties”.
Words or phrases contained in brackets are intended as either optional language or as instructions to the users of these sample provisions.
WHEREAS, the Business Associate proposes to establish and maintain for the Covered Entity a data science platform (the “Platform”) aimed at making medical data lawfully accessible to researchers (the “Services”); and
WHEREAS, the Covered Entity is subject to the Administrative Simplification requirements of the Health Insurance Portability and Accountability Act of 1996 as amended by the Health Information Technology for Economic and Clinical Health Act of 1996 (“HIPAA”), and the implementing regulations promulgated thereunder from time to time by the U.S. Department of Health and Human Services (“HHS”), including but not limited to the Privacy, Security, Breach Notification and Enforcement Rules set forth in 45 C.F.R. Parts 160 and 164 (collectively, the “HIPAA Regulations” or “Privacy Rule”); and
WHEREAS, HIPAA Regulations require the Covered Entity to enter into a contract with the Business Associate in order to provide for certain protections for the privacy and security of Protected Health Information, and to prohibit the disclosure to, or use of Protected Health Information by the Business Associate if such contract is not in place; and
WHEREAS, the Parties desire to enter into this Agreement to govern the terms and conditions under which the Business Associate may use, receive and access Covered Entity’s Protected Health Information to provide the Services, in accordance with HIPAA and the HIPAA Regulations.
NOW, THEREFORE, in consideration of the foregoing, each intending to be legally bound, the Parties agree as follows:
The following terms used in this Agreement shall have the same meaning as those terms in the HIPAA Regulations: Breach, Data Aggregation, Designated Record Set, Disclosure, Health Care Operations, Individual, Minimum Necessary, Notice of Privacy Practices, Protected Health Information, Required by Law, Secretary, Security Incident, Subcontractor, Unsecured Protected Health Information, and Use.
“Accepted PO” shall have the meaning ascribed to it in the Terms and Conditions which this Business Associate Agreement is incorporated by reference into.
Scope. As of the Effective Date, this Agreement applies to all present and future agreements between Covered Entity and Business Associate, pursuant to which Business Associate receives from or receives or creates on behalf of, Covered Entity, protected health information (each agreement, an “Applicable Agreement” and collectively, the “Applicable Agreements”). As of the Effective Date, this Agreement, in addition to standing on its own, automatically extends to and amends all Applicable Agreements in effect on the Effective Date. This Agreement automatically shall be incorporated into all Applicable Agreements entered into by and between Covered Entity and Business Associate after the Effective Date. For clarity, the Terms and Condition which this Business Associate Agreement is incorporated by reference into is an Applicable Agreement.
Use and Disclosure of Protected Health Information. Business Associate may not use or disclose Protected Health Information (as defined in the Privacy Rule), received from, or received or created on behalf of, Covered Entity, except as follows:
a. Business Associate is permitted to use or disclose Protected Health Information as permitted or required by this Agreement or as required by law.
b. Business Associate is permitted to use or disclose Protected Health Information to perform functions, activities and the Services for, or on behalf of, Covered Entity pursuant to an Applicable Agreement, provided that such use or disclosure would not violate the Privacy Rule if done by Covered Entity. In particular, Business Associate is permitted to use Protected Health Information to: (a) de-identify it such that it is not individually identifiable health information pursuant to 45 C.F.R § 164.514(b) and (b) render it a limited data set pursuant to 45 C.F.R § 164.514(e); and the Business Associate is permitted to use and disclose the data resulting from (a) and (b) for the Services, subject always to all other applicable use and disclosure requirements and restrictions under any Applicable Agreements and the HIPAA Regulations. For the avoidance of doubt, Business Associate may use and disclose to any third party de-identified data that is not individually identifiable health information pursuant to 45 C.F.R § 164.514(b), for any purpose.
c. Business Associate is permitted to use Protected Health Information for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate.
d. Business Associate is permitted to disclose Protected Health Information for the proper management and administration of the Business Associate, provided that (i) such disclosure is required by law or (ii) Business Associate obtains reasonable assurance from the person or entity to whom the Protected Health Information will be disclosed that it will remain confidential and be used or further disclosed only for the specific purpose for which Business Associate disclosed it to the person or organization or as required by law, and the person or entity will notify Business Associate of any instance of which the person or organization becomes aware in which the confidentiality of such Protected Health Information was breached.
e. Business Associate agrees to document such disclosures of Protected Health Information and information related to such disclosures as would be required for Covered Entity to respond to a request by an individual for an accounting of disclosures of Protected Health Information in accordance with 45 C.F.R. § 164.528.
f. Business Associate may use Protected Health Information to report violations of law to appropriate Federal and state authorities, consistent with § 164.502(j)(1).
Safeguards. Business Associate agrees to use appropriate safeguards to prevent use or disclosure of Protected Health Information received other than as permitted or required by this Agreement.
Reporting of Disclosures of Protected Health Information. Business Associate shall promptly report to Covered Entity any use or disclosure of Covered Entity’s Protected Health Information of which it becomes aware that is other than as provided for in an Applicable Agreement or this Agreement.
Agreement by Third Parties. Business Associate shall ensure, to the extent required by law, that any of its agents, including, but not limited to, subcontractors, to whom it provides Protected Health Information received from, or created or received by Business Associate on behalf of Covered Entity, agree to substantially the same restrictions and conditions that apply to Business Associate under this Agreement with respect to such Protected Health Information.
Access to Protected Health Information. Business Associate shall provide access, at the request of Covered Entity, to Protected Health Information in a designated record set (as defined in the Privacy Rule), to Covered Entity, or as directed by Covered Entity, to an individual in order to meet the requirements of 45 C.F.R. § 164.524.
Amendment of Protected Health Information. Business Associate agrees to amend Protected Health Information in a designated record set that Covered Entity directs or agrees to pursuant to 45 C.F.R. § 164.526 at the request of Covered Entity or an individual. Covered Entity shall notify Business Associate in writing of any amendment agreed to by Covered Entity with respect to any Protected Health Information.
Accounting of Disclosures. At the request of Covered Entity, Business Associate shall make available the information required to provide an accounting to an individual of disclosures of Protected Health Information about that individual, in accordance with 45 C.F.R. § 164.528.
Availability of Books and Records. Business Associate shall make its internal practices, books and records relating to the use and disclosure of Protected Health Information received from, or created by Business Associate on behalf of Covered Entity, available to the Secretary of the Department of Health and Human Services (“HHS”) or any other officer or employee of HHS to whom the applicable authority has been delegated, as designated by HHS, for purposes of determining Covered Entity’s compliance with the Privacy Rule.
Obligations of Covered Entity. Covered Entity shall promptly notify Business Associate in writing of (a) any limitation(s) in its notice of privacy practices in accordance with 45 C.F.R. § 164.520, to the extent that such limitation may affect Business Associate’s use or disclosure of Protected Health Information; (b) any changes in, or revocation of, permission by an individual to use or disclose Protected Health Information, to the extent that such changes may affect Business Associate’s use or disclosure of Protected Health Information; (c) any amendments to Protected Health Information in a designated record set in accordance with 45 C.F.R. § 164.526; and (d) any restriction to the use or disclosure of Protected Health Information that Covered Entity has agreed to in accordance with 45 C.F.R. § 164.522, to the extent that such restriction may affect Business Associate’s use or disclosure of Protected Health Information. Covered Entity shall not request Business Associate to use or disclose Protected Health Information in any manner that would not be permissible under the Privacy Rule if done by Covered Entity except that Business Associate may use or disclose protected health information for data aggregation or management and administrative activities of Business Associates.
Termination. In the event that Business Associate breaches any material provision contained in this Agreement, Covered Entity shall give Business Associate at least 10 days’ written notice to cure the breach. In the event that Business Associate fails to cure the breach within the specified period, Covered Entity may terminate this Agreement and/or any and all of the Applicable Agreements which relate to the breach. In the event that the termination of any or all of the Applicable Agreements, as the case may be, and/or this Agreement is, in Covered Entity’s sole discretion, not feasible, Covered Entity may report the breach to HHS.
Return or Destruction of Protected Health Information upon Termination. Upon termination of any of this Agreement and/or all of the Applicable Agreements, Business Associate shall return or destroy all Protected Health Information received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity. Business Associate shall not retain any copies of such Protected Health Information. However, in the event that Business Associate determines that it is not feasible for Business Associate to return or destroy such Protected Health Information, Business Associate shall notify Covered Entity. The terms and provisions of this Agreement shall survive termination of this Agreement and any or all of the Applicable Agreements with regard to such Protected Health Information, and such Protected Health Information shall be used or disclosed solely for such purpose or purposes that make the return or destruction of such Protected Health Information infeasible. This provision shall apply to Protected Health Information that is in the possession of subcontractors or agents of Business Associates.
Effect. The terms of this Agreement shall supersede any other conflicting or inconsistent terms in any and all Applicable Agreements to which this Agreement applies, including all exhibits or other attachments thereto and all documents incorporated therein by reference, except such provisions in the Applicable Agreements that explicitly provide that they shall supersede this Agreement. Except as modified by this Agreement, all other terms of the Applicable Agreements shall remain in force and effect. The limitation of liability provisions of the Applicable Agreements apply to this Agreement as well.
Amendment. The parties agree to amend this Agreement, such amendment to be in form and substance reasonably acceptable to each party, to the extent necessary to allow either party to comply with the Privacy Rule, the Standards for Electronic Transactions (45 C.F.R. Parts 160 and 162), and the Security Standards (45 C.F.R. Part 142) including any changes required by the American Recovery and Reinvestment Act of 2009 (“HITECH Act”). All amendments to this Agreement must be documented in a writing signed by both parties.
No Third-Party Beneficiaries. Nothing expressed or implied in this Agreement is intended to confer, nor shall anything confer, upon any persons other than Covered Entity and Business Associate, and their respective successors and assigns, any rights, remedies, obligations or liabilities whatsoever.
a. This Agreement shall be governed in all respects, whether as to validity, construction, capacity, performance or otherwise, by the laws of the State of California and applicable Federal laws.
b. All notices or communications required or permitted pursuant to the terms of this Agreement shall be in writing and will be delivered in person or by means of certified or registered mail, postage paid, return receipt requested, to such Party at its address as set forth above, or such other person or address as such Party may specify by similar notice to the other party hereto, or by facsimile with a hard copy sent by mail with delivery on the next business day. All such notices will be deemed given upon delivery or delivered by hand, on the third business day after deposit with the U.S. Postal Service, and on the first business day after sending if by facsimile.
c. If any provision of this Agreement shall be held invalid or unenforceable, such invalidity or unenforceability shall attach only to such provision and shall not in any way affect or render invalid or unenforceable any other provision of this Agreement.
d. The waiver by either Party of a breach or violation of any provision of this Agreement shall not operate as, or be construed to be, a waiver of any subsequent breach of the same or other provisions of this Agreement.
e. This Agreement may be executed in any number of counterparts, all of which together shall constitute one and the same instrument.
f. This Agreement shall be binding upon and inure to the benefit of the parties hereto and their respective successors and assigns. Neither Party shall assign or delegate its rights, duties, or obligations under this Agreement, without the prior written consent of the other Party, except that the Recipient may assign this Agreement, including all rights, obligations, performance and liabilities, in the event of a corporate merger or sale of its assets related to the performance of this Agreement, to the acquiring or merging third party, upon notice to the Covered Entity, provided that the assignee assumes the Recipient’s stead for all rights, obligations, performance and liability under this Agreement.
g. In the performance of the duties and obligations of the Parties pursuant to this Agreement, each of the Parties shall at all times be acting and performing as an independent contractor, and nothing in this Agreement shall be construed or deemed to create a relationship of employer and employee, or partner, or joint venture, or principal and agent between the Parties.
h. A reference in this Agreement to a section in the Privacy Rule means the section as in effect or as amended, and for which compliance is required.
i. Any ambiguity in this Agreement shall be resolved to permit Covered Entity to comply with the Privacy Rule.