Master Service Agreement
Version date: April 9, 2026
PLEASE READ THIS MASTER SERVICE AGREEMENT CAREFULLY BEFORE USING THE SERVICES OFFERED BY SECONDLOOK HEALTH, INC.
Introduction
This Web Master Services Agreement (“Agreement”) is between SecondLook Health, Inc., a corporation organized under the laws of the State of Delaware, with its principal place of business at 204 E 2nd Ave #612, San Mateo, CA 94401 (“SecondLook Health,” “SLH,” “we,” “us,” or “our”), and the business entity that accepts this Agreement (“Client,” “you,” or “your”). This Agreement is effective on the date you click an “I Agree” button or check a box indicating acceptance (the “Effective Date”). You represent that you have the authority to bind Client to this Agreement. Each a “Party” and collectively the “Parties.”
Online Acceptance; Order Forms; Precedence
- Ordering. Client may place orders for Services through an online checkout flow or other ordering document that references this Agreement (each, an “Order Form”). Each Order Form is incorporated into this Agreement. Fees, usage metrics, and billing cadence may be specified in the Order Form or presented to Client at checkout.
- Precedence. This Agreement and any applicable Order Form govern access to and use of the Services. If there is any conflict between this Agreement and any other website terms or policies (including any terms of service posted at https://www.secondlookhealth.ai/terms-of-service), this Agreement controls with respect to the Services.
- Medical Information Handling. Section 23 (Medical Information Handling and Business Associate Addendum) governs SecondLook Health’s handling of medical records, Protected Health Information, and related materials. Section 23 applies uniformly to all Clients and, where Client is a Covered Entity or Business Associate under HIPAA, operates as a Business Associate Agreement between the Parties.
WHEREAS, SecondLook Health provides software-as-a-service and reporting (SaaS) solutions designed to assist healthcare stakeholders analyzing medical records and clinical data; and
WHEREAS, Client desires to utilize the Services provided by SecondLook Health under the terms and conditions set forth herein;
NOW, THEREFORE, in consideration of the mutual promises and covenants contained herein, the Parties agree as follows:
1. Services
a. Services. SecondLook Health agrees to provide the following services (“Services”) to Client: software-as-a-service and reporting tools to facilitate the analysis of clinical data.
b. Free Trial. SecondLook Health may, in its sole discretion, offer Client a free trial of the Services, including but not limited to a free first case. If a free trial is granted, Client may use the Services without paying fees and without an executed Order Form for the duration and scope of the free trial as communicated by SecondLook Health. The free trial is offered “as is” and is subject to all terms of this Agreement, including without limitation Section 4 (Authorization to Access Medical & Legal Records), Section 23 (Medical Information Handling and Business Associate Addendum), and Section 12 (Disclaimer of Warranties). SecondLook Health may modify, suspend, or end the free trial at any time. Conversion from a free trial to a paid plan requires Client’s acceptance of an Order Form specifying the applicable plan and fees. Client may not use the Services for billable activity beyond the scope of the free trial without first accepting an Order Form, and SecondLook Health may suspend access if Client attempts to do so.
2. Eligibility
- Client represents and warrants that it is a business entity operating within the United States.
- Compliance. Client agrees to be legally bound by and comply with this Agreement and all applicable laws and regulations.
3. Relationship Between the Parties
- Independent Contractors. Each Party is, and shall remain, an independent contractor with respect to the other. Nothing in this Agreement creates a partnership, joint venture, fiduciary duty, franchise, employer-employee, or agency relationship between the Parties.
- No Authority to Bind. Neither Party has any authority to bind or obligate the other Party, whether by contract, representation, or otherwise, except as expressly set forth in this Agreement.
- No Regulated Professional Services. The Services support retrospective quality management, peer review, compliance auditing, and similar non-treatment analytics. The Services are not clinical decision support and are not intended for diagnosis, treatment, triage, or any patient-specific care decisions. The Services do not provide legal advice or insurance determinations and are not a substitute for professional legal, claims, underwriting, reserving, or actuarial judgment. Client and its personnel remain solely responsible for all decisions and actions taken using the Services and for compliance with applicable laws and professional standards.
- Professional Judgment. The Services are informational aids, not substitutes for professional clinical or legal judgment. Client remains solely responsible for (i) all decisions and actions taken in reliance on the Service outputs, and (ii) compliance with all applicable laws, regulations, and professional standards governing the handling of health information and legal matters.
- Compliance with Laws. Each Party shall comply with all federal, state, and local laws and regulations applicable to its performance under this Agreement, including but not limited to data-privacy, healthcare, and consumer-protection statutes.
- No Third-Party Beneficiaries. This Agreement is for the sole benefit of the Parties and their permitted successors and assigns; no other person or entity shall be deemed a third-party beneficiary.
4. Authorization to Access Medical & Legal Records
- Permissions and Authorizations. Client represents and warrants that it has the necessary permissions and authorizations to access and use any medical and/or legal records and health information through the Services.
- Legal Compliance. Client agrees to comply with all applicable laws and regulations, including the confidentiality and security of medical records and health information.
- Release. Client is responsible for obtaining all necessary consents/authorizations to use the Services with PHI or legal records. This Section does not release SLH from liability caused by SLH’s negligence, data-security failures, or willful misconduct.
- Insurance. Client represents that it maintains insurance coverage appropriate for the nature and scope of its business and its use of the Services, including any professional liability or errors and omissions insurance customarily carried by similarly situated professionals in Client’s field. SecondLook Health does not require Client to maintain specific insurance coverages or limits, and the absence of any specific insurance does not relieve Client of its obligations under Section 14 (Indemnification).
5. Communications
We may send you operational and transactional notices (billing, product, security, legal) by email. Marketing emails are optional; you may opt out at any time.
6. License
- License Grant. SecondLook Health grants Client a non-exclusive, non-transferable right to access and use the Services and Content during the Term for Client’s business purposes, subject to the terms of this Agreement. “Content” means the user interface, documentation, branding, templates, and SecondLook Health-supplied materials accessible through the Services, but does not include Client Records or Outputs (which are governed by Section 8 and Section 23).
- Permitted and Prohibited Uses. Client may use the Services and Outputs in the ordinary course of Client’s business, including incorporating Outputs into Client’s own work product and delivering that work product to Client’s customers, attorneys, courts, regulators, and other intended recipients. The license does not permit Client to:
(i) resell, sublicense, or otherwise provide third parties with access to the Services as a service;
(ii) reverse-engineer, decompile, disassemble, or attempt to derive the source code, models, prompts, or underlying algorithms of the Services;
(iii) use data mining, robots, scraping, or similar automated extraction tools against the Services;
(iv) remove, obscure, or alter any proprietary notices on the Services or Content; or
(v) use the Services or any Outputs to build, train, or improve a competing product or service.
- Use of Outputs in Client Work Product. For clarity, Client may incorporate Outputs into Client’s reports, presentations, expert opinions, life care plans, and other deliverables prepared in the ordinary course of Client’s professional services, and may share those deliverables with Client’s customers and other intended recipients without further consent from SecondLook Health. Client is not required to credit SecondLook Health as the source of any Outputs but may do so at its discretion.
- Client grants SLH a non-exclusive, worldwide, royalty-free license to use Client Data solely to (i) provide, maintain, and support the Services, (ii) comply with law, and (iii) improve the Services, subject to Section 23.5. SLH may use de-identified data for internal analytics, benchmarking, and reporting. SLH will not sell or disclose Client Data in identifiable form to third parties.
7. Confidentiality
- Definition. “Confidential Information” means any non-public information disclosed by or on behalf of a party (the “Discloser”) to the other party (the “Recipient”) that is identified as confidential or that a reasonable person would understand to be confidential given the nature of the information and the circumstances of disclosure. Confidential Information includes: (i) with respect to SLH, product roadmaps, source code, model artifacts (including weights, prompts, and tuning parameters), system designs and business plans; and (ii) with respect to Client, business plans, case files, legal records, and PHI or other patient/claim data provided to or accessed via the Services (“Client Confidential Information”).
- Exclusions. Confidential Information does not include information that the Recipient can demonstrate: (i) is or becomes publicly available through no breach of this Agreement; (ii) was known to the Recipient without restriction before disclosure; (iii) is independently developed by the Recipient without use of or reference to the Discloser’s Confidential Information; or (iv) is rightfully received from a third party without a duty of confidentiality.
- Obligations. The Recipient will (i) use the Discloser’s Confidential Information only to perform or receive the Services (including supporting, securing, and improving the Services) and as otherwise permitted under this Agreement; (ii) protect it using at least the same degree of care it uses to protect its own similar information, but no less than reasonable care; and (iii) restrict access to its employees, contractors, and professional advisors who have a need to know and are bound by confidentiality obligations no less protective than those herein. The Recipient remains responsible for its recipients’ compliance with this Section.
- Compelled Disclosure. The Recipient may disclose Confidential Information to the extent required by law or court order, provided it (where legally permitted) gives prompt notice and reasonable cooperation to seek confidential treatment.
- Return/Destruction. Upon termination or the Discloser’s written request, the Recipient will return or destroy the Discloser’s Confidential Information, except that one archival copy may be retained for compliance purposes and information stored in standard backups may be deleted on the ordinary cycle. Return and destruction of Client Records is additionally governed by Section 23.10, which controls to the extent of any conflict with this Section 7(e).
8. Data & Intellectual Property
- Ownership:
i. Each Party retains all right, title, and interest in its Background IP.
ii. SLH owns all Improvement IP, defined as improvements, modifications, or derivative works of SLH Background IP, including without limitation machine-learning models, prompts, source code, data-processing pipelines, ontology, and quality-control logic.
iii. Client owns all Client Records and all Outputs derived from Client Records. “Outputs” include analyses, reports, summaries, and work product generated by the Services from Client’s uploaded medical and legal records. For clarity, Outputs are not Improvement IP, and no ownership rights in Outputs vest in SLH.
iv. Neither Party creates Joint IP under this Agreement. If the Parties wish to collaborate on the creation of jointly owned intellectual property, they will do so under a separate written agreement.
- License to Background IP. Each Party grants the other a non-exclusive, worldwide, royalty-free license to use its Background IP only as necessary to perform this Agreement. The license terminates upon expiration or termination of the Agreement.
- License to SLH Background IP in Deliverables. To the extent any Deliverable incorporates SLH Background IP, SLH grants Client a perpetual, non-exclusive, royalty-free right to use, copy, store, and distribute such Deliverable for Client’s business purposes, including delivery of Client’s work product to Client’s customers and other intended recipients in the ordinary course of Client’s business. No license is granted to reverse-engineer the Services or to build competing products from the Deliverables.
- Excluded Elements: For the avoidance of doubt, the following items are not subject to any exclusive intellectual property claim by either Party and may be used, re-used, or modified in any product or context without obligation:
- generic document features such as headings, sub-headings, tables, pagination, margins, font choices, color schemes, standard medical terminology, and commonly used data-visualization techniques;
- commonplace analytical operations or workflows, including but not limited to, instructing any software or AI model to compare two text passages, cross-reference data points, summarize or classify content, extract key terms, detect discrepancies, calculate costs, or assess the reasonableness or completeness of a section;
- any natural-language prompt, query, script, or instruction that merely articulates or triggers the standard operations described in subsection (ii); and
- any other scenes-a-faire elements that are generally accepted as industry standard or are otherwise unprotectable under applicable copyright, trade-secret, or patent law.
9. Trademarks
Certain names, logos, and other materials displayed on the Services may constitute trademarks, trade names, service marks, or logos (“Marks”) of SecondLook Health. Client is not authorized to use any such Marks without express written permission from SecondLook Health.
10. No Purchase for Resale Allowed
Purchase of Services for resale is strictly prohibited unless explicitly authorized in an Order Form.
11. Term; Termination
- Term and Cancellation. The initial term, renewal mechanism, and cancellation notice period are specified in the applicable Order Form. The Order Form will state whether the Services are provided on a month-to-month basis with no minimum commitment, on a fixed initial term that auto-renews, or on another basis agreed between the Parties. In the absence of an Order Form specifying these terms, the Agreement is provided on a month-to-month basis terminable by either Party with thirty (30) days’ written notice.
- Termination for Cause. Either Party may terminate this Agreement for material breach not cured within thirty (30) days after written notice (ten (10) days for payment breaches).
- Effect of Termination. Upon expiration or termination: (i) licenses to Client cease, except as expressly stated otherwise in Section 8; (ii) each Party will return or destroy the other’s Confidential Information per Section 7 (Confidentiality) and Section 23.10 (Return or Destruction of Client Records); and (iii) Client will pay undisputed fees accrued through the effective date. For clarity, Client’s ownership of Outputs and the perpetual license to SLH Background IP in Deliverables granted in Section 8 survive termination.
12. Disclaimer of Warranties
- As-Is Basis. THE SERVICES ARE PROVIDED “AS IS” AND “AS AVAILABLE” WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR IMPLIED.
- No Warranties. SECONDLOOK HEALTH DISCLAIMS ALL WARRANTIES, INCLUDING BUT NOT LIMITED TO MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT.
- No Reliance on Accuracy. Client acknowledges that the Services and Deliverables may contain errors, omissions, or inaccuracies. SLH does not warrant or represent that the Services or Deliverables will be accurate, complete, or fit for any clinical, legal, insurance, or financial purpose. Client is solely responsible for verifying the accuracy of all outputs and for any reliance placed on them. Except as expressly provided in Section 14 (Indemnification) and Section 23 (Medical Information Handling and Business Associate Addendum), SLH shall not be liable for any decisions, actions, or outcomes taken by Client or its third-party customers based on the Services or Deliverables.
13. Limitation of Liability
- TO THE FULLEST EXTENT PERMITTED BY LAW, NEITHER PARTY SHALL BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, OR EXEMPLARY DAMAGES ARISING OUT OF OR IN CONNECTION WITH THIS AGREEMENT.
- Liability Cap. Except for Excluded Claims, each Party’s aggregate liability arising out of or related to this Agreement will not exceed the fees paid or payable by Client to SLH under this Agreement in the 12 months before the event giving rise to liability.
- Excluded Claims. The liability cap in Section 13(b) does not apply to the following, each of which is uncapped: (i) breach of Section 7 (Confidentiality); (ii) breach of Section 23 (Medical Information Handling and Business Associate Addendum); (iii) a data-security breach; (iv) a Party’s willful misconduct or fraud; (v) Client’s payment obligations to SLH, including fees, late fees, and interest owed under this Agreement; (vi) Client’s indemnification obligations to SLH under Section 14(b), including all damages, defense costs, settlements, and attorneys’ fees arising from third-party claims for which Client is the indemnifying party; and (vii) SLH’s indemnification obligations to Client under Section 14(a), including all damages, defense costs, settlements, and attorneys’ fees arising from third-party claims for which SLH is the indemnifying party.
14. Indemnification
- By SLH. SecondLook Health will defend, indemnify, and hold harmless Client and its officers, directors, employees, and agents from and against any third-party claims, damages, liabilities, losses, costs, and expenses (including reasonable attorneys’ fees) arising out of or related to: (i) any allegation that the Services, Deliverables, or SLH Background IP infringe, misappropriate, or otherwise violate any third party’s intellectual property rights; (ii) SLH’s breach of Section 23 (Medical Information Handling and Business Associate Addendum), including any unauthorized use, disclosure, or access to PHI, Medical Information, or Client Records by SLH; and (iii) SLH’s gross negligence, willful misconduct, or fraud in providing the Services.
- By Client. Client will defend, indemnify, and hold harmless SecondLook Health and its officers, directors, employees, and agents from and against any third-party claims, damages, liabilities, losses, costs, and expenses (including reasonable attorneys’ fees) arising out of or related to: (i) Client’s breach of its representations or warranties in Section 4 (Authorization to Access Medical & Legal Records), including any claim by a patient, claimant, or other individual whose records were uploaded without proper authorization or consent; (ii) Client’s misuse, unauthorized use, or use of the Services in violation of this Agreement or applicable law; (iii) Client Data or other inputs supplied by Client that infringe third-party rights or violate applicable law; (iv) Client’s decisions, actions, or professional judgments taken in reliance on Outputs or Deliverables; and (v) Client’s gross negligence, willful misconduct, or fraud.
- Process. The indemnified party must promptly notify the indemnifying party of any claim, provided that failure to provide prompt notice will not relieve the indemnifying party of its obligations except to the extent actually prejudiced. The indemnifying party controls the defense and settlement of the claim, provided that no settlement admitting fault, imposing non-monetary obligations on the indemnified party, or failing to include a full release of the indemnified party will bind the indemnified party without its prior written consent (not to be unreasonably withheld). The indemnified party may participate in the defense with counsel of its own choosing at its own expense.
- IP Remedies. If a claim under Section 14(a)(i) is made or appears likely, SLH may, at its option and expense: (i) procure for Client the right to continue using the affected Services; (ii) modify or replace the affected Services so that they become non-infringing without materially degrading functionality; or (iii) if neither (i) nor (ii) is commercially reasonable, terminate the affected portion of the Services and refund any prepaid fees for the terminated portion. The remedies in this Section 14(d) are in addition to, and do not limit, SLH’s defense and indemnification obligations under Section 14(a).
- Survival. This Section 14 survives termination or expiration of this Agreement with respect to any claims arising during the term.
15. Dispute Resolution; Equitable Relief; Governing Law
- Equitable Relief. Notwithstanding the agreement to arbitrate below, either party may seek temporary or preliminary injunctive or other provisional relief in the state or federal courts located in San Mateo County, California to prevent or curtail an actual or threatened breach of the Confidentiality or Intellectual Property provisions of this Agreement. Each party consents to the exclusive jurisdiction and venue of those courts and waives any objection to inconvenient forum. Seeking or obtaining such relief does not waive arbitration of the underlying dispute (including damages or permanent remedies).
- Arbitration. All other disputes, claims, or controversies arising out of or relating to this Agreement will be resolved by binding arbitration administered by the American Arbitration Association (AAA) under its Commercial Arbitration Rules. The seat and venue of the arbitration is San Mateo County, California. The arbitration will be conducted in English before one (1) arbitrator. The proceedings (including filings, orders, and award) will be confidential, and judgment on the award may be entered in any court of competent jurisdiction.
- Small-Claims. Either party may bring a claim only for monetary relief within the applicable small-claims jurisdictional limit in the small-claims court located in San Mateo County, California. No injunctive or declaratory relief may be sought in small-claims court, and no class or representative claims are permitted there. Filing a small-claims action does not waive arbitration of any counterclaim or other dispute.
- Class/Jury Waiver. To the fullest extent permitted by law, the parties waive any right to a jury trial and waive participation in any class or representative action.
- Governing Law. This Agreement is governed by California law, excluding its conflict-of-laws rules.
16. Choice of Language
This Agreement and related documents have been drawn up in the English language.
17. Severability; No Waiver; Assignment
- If any provision of this Agreement is held to be invalid or unenforceable, such provision shall be severed, and the remaining provisions shall remain in full force and effect.
- No waiver by either Party of any term or condition set forth in this Agreement shall be deemed a further or continuing waiver of such term or condition.
- Neither Party may assign this Agreement without the other Party’s written consent, not to be unreasonably withheld, except either Party may assign without consent to an Affiliate or in connection with merger, reorganization, or sale of substantially all assets (with notice). Any non-permitted assignment is void.
18. Non-Solicitation of Personnel
- Restriction. During the Term of this Agreement and for twelve (12) months thereafter, neither Party (“Hiring Party”) shall, without the prior written consent of the other Party (“Employing Party”), directly or indirectly solicit for employment or engagement, or hire or engage, any employee, contractor, or consultant of the Employing Party.
- Permitted Recruitment. General solicitations not specifically targeted to such individuals (for example, public job postings, recruiter blasts, or career-fair announcements) do not violate this section, provided the Hiring Party does not otherwise encourage or induce the individual to apply.
19. Notices
- Method of Notice. Any notices regarding the Services or this Agreement may be given by either Party to the other by email or regular mail, using the contact information set forth in this Section 19 or as otherwise specified in an Order Form.
- Contact Information:
To SecondLook Health:
SecondLook Health, Inc.
204 E 2nd Ave #612
San Mateo, CA 94401
Email: support@SecondLookHealth.ai
To Client: Notices to Client will be sent to the email address associated with Client’s account, or as specified in an Order Form.
20. Entire Agreement
This Agreement, including any Order Form and any other agreements referenced herein, constitutes the entire agreement between the Parties and supersedes all prior or contemporaneous understandings.
21. Force Majeure
Neither Party is liable for delay or failure to perform due to events beyond its reasonable control (including acts of God, labor disputes, utility failures, cyberattacks not caused by the Party’s breach of this Agreement, government action). The affected Party will use reasonable efforts to mitigate and resume performance.
22. Disclosures
The Services are offered by SecondLook Health, Inc., located at 204 E 2nd Ave #612, San Mateo, CA 94401. Contact via email at support@secondlookhealth.ai.
23. Medical Information Handling and Business Associate Addendum
23.1 Scope and Precedence. This Section 23 governs SecondLook Health’s handling of Client Records, Protected Health Information, and Medical Information. This Section 23 applies uniformly to all Clients regardless of HIPAA status. Where Client is a Covered Entity or Business Associate under HIPAA, this Section 23 operates as a Business Associate Agreement between the Parties and satisfies the requirements of 45 CFR 164.504(e). Where Client is not a Covered Entity or Business Associate, this Section 23 operates as a contractual commitment by SecondLook Health to the same privacy, security, and handling standards. This Section 23 controls over any conflicting provisions elsewhere in this Agreement, including without limitation Sections 6, 7, and 8.
23.2 Definitions. For purposes of this Section 23:
(a) “PHI” means Protected Health Information as defined in 45 CFR 160.103.
(b) “Medical Information” means medical information as defined in California Civil Code section 56.05(j).
(c) “Client Records” means all medical records, legal records, claim files, PHI, Medical Information, and related documents uploaded to or processed by the Services, together with all Outputs derived from such material. Client Records are a subset of Client Confidential Information as defined in Section 7 and are entitled to the protections of both Section 7 (Confidentiality) and this Section 23. To the extent of any conflict between Section 7 and this Section 23 with respect to Client Records, this Section 23 controls.
(d) “Outputs” means analyses, reports, summaries, and work product generated by the Services from Client Records.
(e) “Covered Entity” and “Business Associate” have the meanings given in 45 CFR 160.103.
(f) “CMIA” means the California Confidentiality of Medical Information Act, California Civil Code section 56 et seq.
23.3 Client Status; No Determination by SecondLook Health. SecondLook Health does not determine and does not represent that it has determined Client’s regulatory status under HIPAA, CMIA, or any other privacy law. Client is solely responsible for determining its own status as a Covered Entity, Business Associate, or other regulated entity, and for complying with all obligations that arise from that status. Client’s acceptance of this Agreement constitutes Client’s representation that it has made such determinations and is in compliance with applicable law.
23.4 HIPAA Business Associate Provisions. Where Client is a Covered Entity or Business Associate under HIPAA and SecondLook Health creates, receives, maintains, or transmits PHI on Client’s behalf, SecondLook Health agrees to the following as required by 45 CFR 164.504(e):
(a) SecondLook Health will not use or disclose PHI other than as permitted or required by this Agreement or as required by law.
(b) SecondLook Health will use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to electronic PHI, to prevent unauthorized use or disclosure of PHI.
(c) SecondLook Health will report to Client any use or disclosure of PHI not provided for by this Agreement of which it becomes aware, including any Breach of Unsecured PHI as required by 45 CFR 164.410, in accordance with Section 23.8.
(d) SecondLook Health will ensure that any subcontractors that create, receive, maintain, or transmit PHI on behalf of SecondLook Health agree to the same restrictions, conditions, and requirements that apply to SecondLook Health with respect to such information, in accordance with Section 23.7.
(e) SecondLook Health will make available PHI in a designated record set as necessary to satisfy Client’s obligations under 45 CFR 164.524, to the extent SecondLook Health holds such information.
(f) SecondLook Health will make available PHI for amendment and incorporate any amendments to PHI as directed by Client in accordance with 45 CFR 164.526, to the extent SecondLook Health holds such information.
(g) SecondLook Health will make available the information required to provide an accounting of disclosures in accordance with 45 CFR 164.528, to the extent SecondLook Health holds such information.
(h) SecondLook Health will make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of Health and Human Services for purposes of determining Client’s compliance with HIPAA.
(i) Upon termination of this Agreement, SecondLook Health will return or destroy all PHI in accordance with Section 23.10.
23.5 Universal Privacy and Security Commitments. The following commitments apply to all Clients and all Client Records, regardless of Client’s status under HIPAA, CMIA, or other privacy laws:
(a) Purpose Limitation. SecondLook Health will use Client Records solely to provide the Services to Client and for no other purpose, except as expressly permitted by this Agreement or required by law.
(b) No Training of Foundation Models on Client Data. SecondLook Health will not use Client Records, or any version of Client Records (including de-identified, anonymized, aggregated, or transformed versions), to train, fine-tune, or otherwise improve foundation models or large language models, whether operated by SecondLook Health or by any third-party provider including Anthropic, OpenAI, Microsoft, Google, Meta, or any other provider of foundation models. SecondLook Health will not transmit Client Records to any third-party model provider in a manner that would permit such provider to train on Client Records. This provision controls over any contrary language in Section 6(d).
(c) Private Cloud Processing. Client Records are processed within SecondLook Health’s private cloud environment. Foundation model processing occurs within this environment and does not result in Client Records being transmitted to or accessed by third-party model providers.
(d) Retention. SecondLook Health will retain Client Records only for so long as necessary to provide the Services and in accordance with Client’s configuration settings and applicable law.
(e) Ownership of Outputs. Outputs derived from Client Records are owned by Client, not SecondLook Health. For clarity, Outputs are not Improvement IP under Section 8(a)(ii) and no ownership rights in Outputs vest in SecondLook Health. Outputs are Client Confidential Information under Section 7 and Client Records under this Section 23, and are subject to the same privacy, security, purpose-limitation, and retention obligations as the Client Records from which they were derived.
(f) Safeguards. SecondLook Health will implement and maintain administrative, physical, and technical safeguards designed to protect the confidentiality, integrity, and availability of Client Records, consistent with the HIPAA Security Rule at 45 CFR Part 164 Subpart C and with recognized industry frameworks.
(g) Access Controls. Access to Client Records by SecondLook Health personnel is restricted to those with a need to access such information in connection with providing the Services and is subject to confidentiality obligations.
(h) No Re-Disclosure. SecondLook Health will not disclose Client Records to any third party except as expressly permitted by this Agreement, as directed by Client, or as required by law.
23.6 CMIA Compliance. SecondLook Health will comply with the California Confidentiality of Medical Information Act, California Civil Code section 56 et seq., including without limitation sections 56.10 (disclosure restrictions), 56.11 (authorization requirements), 56.13 (recipient disclosure restrictions), 56.101 (safeguards), 56.35 (private right of action), and 56.36 (administrative and criminal penalties), to the extent applicable to SecondLook Health’s handling of Medical Information. SecondLook Health acknowledges that the CMIA provides a private right of action to individuals whose Medical Information is disclosed in violation of the statute.
23.7 Subcontractors. SecondLook Health processes Client Records within a private cloud environment operated by Amazon Web Services (“AWS”) under an executed Business Associate Agreement that satisfies the requirements of 45 CFR 164.504(e). Foundation model providers (including Anthropic, Microsoft, and OpenAI) supply model weights that execute within SecondLook Health’s AWS environment via Amazon Bedrock; these providers do not receive, access, store, or process Client Records, PHI, or Medical Information. SecondLook Health will maintain executed Business Associate Agreements or substantially equivalent privacy and security terms with any subcontractor that receives Client Records. Upon written request, SecondLook Health will provide Client with a current list of categories of subcontractors.
23.8 Breach Notification. SecondLook Health will notify Client of any Breach of Unsecured PHI or any unauthorized access, use, acquisition, or disclosure of Client Records without unreasonable delay and in no case later than sixty (60) calendar days after discovery, in accordance with 45 CFR 164.410. This notification commitment applies uniformly to all Clients regardless of HIPAA or CMIA status. Notification will include, to the extent known at the time of notice: (i) a description of what occurred; (ii) the types of Client Records involved; (iii) the steps Client should take to protect against potential harm; (iv) the steps SecondLook Health is taking to investigate, mitigate, and prevent recurrence; and (v) contact information for further inquiry. SecondLook Health will provide updates as additional information becomes available.
23.9 Regulatory Cooperation. SecondLook Health will cooperate with audits, investigations, or inquiries by the U.S. Department of Health and Human Services, state regulators, or other governmental authorities with jurisdiction over SecondLook Health or Client, and will provide information reasonably necessary for Client to respond to its own regulatory obligations, in each case as required by law.
23.10 Return or Destruction of Client Records on Termination. Upon termination or expiration of this Agreement, or upon Client’s written request, SecondLook Health will return to Client or destroy all Client Records in SecondLook Health’s possession or control, regardless of whether such Client Records contain PHI or Medical Information. SecondLook Health will complete such return or destruction within a commercially reasonable period and will confirm completion in writing upon Client’s request. This Section 23.10 controls over any conflicting provisions in Section 7(e) with respect to Client Records. Client Records stored in standard system backups will be deleted on the ordinary backup cycle and remain subject to the confidentiality and security obligations of this Section 23 until deleted.
23.11 Survival. The obligations of SecondLook Health under this Section 23 survive termination or expiration of this Agreement with respect to any Client Records held by SecondLook Health until such Client Records have been returned to Client or destroyed in accordance with Section 23.10.
23.12 No Legal Advice. Nothing in this Section 23 constitutes legal advice from SecondLook Health to Client. Client is solely responsible for obtaining its own legal advice regarding its obligations under HIPAA, CMIA, and other applicable privacy laws, and for determining whether the terms of this Section 23 are sufficient to satisfy those obligations.
24. Modifications
- General Updates. SecondLook Health may modify this Agreement from time to time by posting an updated version at https://www.secondlookhealth.ai/terms-of-service or by providing notice to Client through the Services or by email. Except as provided in Section 24(b), modifications become effective thirty (30) days after notice is provided or posted, whichever is earlier. Client’s continued use of the Services after the effective date of a modification constitutes acceptance of the modified Agreement. If Client does not accept a modification, Client may terminate this Agreement by written notice to SecondLook Health before the modification’s effective date, without penalty and with a pro rata refund of any prepaid fees for Services not yet rendered.
- Modifications to Section 23. Modifications to Section 23 (Medical Information Handling and Business Associate Addendum) that materially reduce Client’s rights or SecondLook Health’s obligations under Section 23 require sixty (60) days’ advance written notice to Client, delivered by email to the address associated with Client’s account. Such notice must specifically identify Section 23 as the provision being modified and describe the substance of the changes. If Client does not accept the modification, Client may terminate this Agreement by written notice to SecondLook Health before the modification’s effective date, without penalty and with a pro rata refund of any prepaid fees for Services not yet rendered. Modifications to Section 23 that do not materially reduce Client’s rights (including modifications required by changes in applicable law, clarifications, and non-substantive edits) are subject to Section 24(a) rather than this Section 24(b).
- No Retroactive Effect. No modification to this Agreement applies to disputes, claims, or breaches arising before the effective date of the modification.
25. Payment Terms
- Fees. Client will pay SecondLook Health the fees specified in the applicable Order Form or at checkout. All fees are stated in U.S. dollars and are exclusive of taxes. SecondLook Health may change its published pricing at any time, but published pricing changes do not affect the fees applicable to Client’s then-current term.
- Billing and Payment Methods. SecondLook Health bills fees on the cadence specified in the applicable Order Form (monthly unless otherwise stated). SecondLook Health uses Stripe to issue invoices and process payments. Depending on Client’s setup, Client may pay by (i) authorized automatic charge to a payment method on file with Stripe; (ii) manual payment through the Stripe-hosted invoice link; or (iii) check mailed to SecondLook Health at the address in Section 19. Where Client has authorized automatic charge, Client authorizes SecondLook Health to charge the payment method on file for all fees as they become due. Payment is due within thirty (30) days of the invoice date (net 30) unless otherwise stated in the Order Form.
- Prepaid Credit. Where the applicable Order Form provides for prepaid credit, Client is billed for the prepaid credit amount each month in advance. Usage fees are drawn against the prepaid credit as incurred. Unused prepaid credit rolls over within an active subscription as specified in the Order Form, but is forfeited upon cancellation, non-renewal, or termination of the subscription for any reason. SecondLook Health will not refund unused prepaid credit on cancellation, non-renewal, or termination, except as expressly provided in this Agreement.
- Overages. Usage in excess of prepaid credit in any billing period will be billed as an overage on the next invoice, at the per-page rate specified in the Order Form.
- Late Payment. If any undisputed amount is not paid when due, SecondLook Health may charge interest on the overdue amount at the lesser of one and one-half percent (1.5%) per month or the maximum rate permitted by applicable law, accruing from the original due date until paid in full. Client will reimburse SecondLook Health for reasonable costs of collection, including attorneys’ fees, incurred to collect overdue amounts.
- Disputes. Client must notify SecondLook Health in writing of any disputed charge within thirty (30) days of the invoice date, specifying the amount in dispute and the reason. Charges not disputed within thirty (30) days are deemed accepted. Client will continue to pay all undisputed amounts during the resolution of any dispute. The Parties will work in good faith to resolve any disputed amount promptly.
- Suspension for Non-Payment. If any undisputed amount is more than thirty (30) days past due, SecondLook Health may suspend Client’s access to the Services after providing Client with at least ten (10) days’ advance written notice of the intended suspension. Suspension does not relieve Client of the obligation to pay fees accrued through the date of suspension. SecondLook Health will promptly restore access upon payment of all undisputed past-due amounts.
- Taxes. Fees are exclusive of all taxes, duties, levies, tariffs, and similar governmental assessments (collectively, “Taxes”). Client is responsible for all Taxes associated with its purchase of the Services, except for Taxes based on SecondLook Health’s net income. If SecondLook Health is required by law to collect or pay any Taxes for which Client is responsible, SecondLook Health will invoice Client for those Taxes and Client will pay them in accordance with this Section 25.
- Pricing Changes at Renewal. SecondLook Health may adjust fees for any renewal term by providing Client with at least sixty (60) days’ advance written notice before the end of the then-current term. If Client does not wish to accept the adjusted fees, Client may decline renewal in accordance with Section 11(a) and the non-renewal notice period specified in the applicable Order Form.
- Refunds. Except as expressly provided in this Agreement, fees are non-refundable. SecondLook Health will provide pro rata refunds of prepaid fees only in the circumstances expressly provided for in this Agreement, including Sections 14(d), 24(a), and 24(b). For clarity, no refund is due for unused prepaid credit upon cancellation, non-renewal, or termination of a subscription.
23. Acceptance
By clicking an “I Agree” button or checking a box indicating acceptance, Client agrees to be bound by this Agreement as of the Effective Date.