By providing any products or services to endpoint Clinical, Inc., together with its subsidiaries (“endpoint”), you, on behalf of yourself, your organization, and its affiliates (“Vendor”), hereby agree to the following:
For good and valuable consideration, the exchange, receipt, and sufficiency of which is hereby acknowledged by the parties, it is therefore agreed as follows:
- 1. Term. Vendor shall provide specialized services to endpoint according to the project term stipulated in each Statement of Work, as defined below, until the conclusion of all Services under all Statements of Work, unless earlier terminated in accordance with Section 12 below.
- 2. Services.
- 2.1 Scope. The specialized professional services to be performed by the Vendor and its employees, staff, agents, consultants, and representatives for the benefit of endpoint (“Services”) are further described in a document, for example, a Statement of Work for each project, which (i) describes the nature and scope of the Services required to be provided by Vendor in respect of a particular project; (ii) specifies the price, fees and payment schedule for the required Services, and (iii) specifies any modifications of the terms of this Agreement that apply to the Services. All requirements described below shall apply equally to all staff of Vendor, and Vendor shall be liable for breaches of any obligation by any of its staff. Notwithstanding anything to the contrary in this Agreement or any Statement of Work, (a) should any term of any Statement of Work conflict with or otherwise modify any term of this Agreement, this Agreement shall control, and (b) no Services or deliverable provided under this Agreement or any Statement of Work shall incorporate, utilize, or require any intellectual property of any other party.
- 2.2 Vendor may not assign, delegate, share or subcontract to any third party any portion of the Services without (i) endpoint’s prior written consent, which may not be unreasonably withheld, and (ii) ensuring that its agreements with such subcontractors are consistent with the terms of this Agreement, including but not limited to confidentiality, intellectual property, anti-bribery, indemnity, audit, and compliance. The Vendor must permit and procure a written commitment for any such subcontractor to permit endpoint or any regulatory authority, as necessary, to audit such subcontractors or their facilities at any time. endpoint’s approval of the use of any subcontractor does not relieve Vendor of any of its obligations hereunder and Vendor will at all times remain primarily liable for all its obligations under this Agreement as if the Vendor was performing the Services itself.
- 2.3 The Vendor shall perform the Services in a timely and professional manner in conformity with the highest industry standards, all applicable laws and regulations, and in accordance with the confirmed standard operating procedures (“SOPs”) and instructions. Upon request, the Vendor agrees to provide evidence of the Vendor’s education, training, certifications, and qualifications or other documentation related to the ability and qualifications of Vendor to perform the Services.
- 2.4 Customer. Vendor acknowledges and understands that endpoint regularly provides services to third party clients who, if applicable, shall be defined in each respective Statement of Work (“Customer”). Notwithstanding the foregoing, the Vendor is engaged as an independent professional with the ability to take ownership of the assignment and accept responsibility for the proper performance of the agreed Services. Notwithstanding anything to the contrary, the Party intends that each Customer shall be considered a third-party beneficiary of this Agreement and all relevant SOWs with the rights and obligations as if it were a signatory to this Agreement.
- 2.5 Remediation. In the event endpoint is or becomes reasonably dissatisfied with the Vendor’s performance of Services or in the event the Services are not performed in compliance with this Agreement, regulatory requirements, or the instructions of endpoint, the parties shall discuss the dissatisfaction or noncompliance, and Vendor will take reasonable steps to remedy the noncompliance promptly, including but not limited to (i) re-performing the nonconforming Services at no additional cost to endpoint to endpoint’s reasonable satisfaction, or (ii) refunding fees paid or accepting reduced payment for amounts owed (in endpoint’s good-faith discretion) by an amount reasonably necessary to remedy such noncompliance. In any case of (i) or (ii) Vendor shall comply with the necessary action within fifteen (15) days of receipt of notice from endpoint. Nothing in this Paragraph 2.5 shall be considered a penalty or final remedy and does not limit any of endpoint’s rights or remedies. This Section 2.5 shall survive any expiration or termination of this Agreement.
- 2.6 Data Protection and Privacy Compliance in Performance of Services. Without limiting the generality of any other provision hereof, Vendor represents and warrants, and covenants that each (i) shall abide by, and perform the Services and other obligations under this Agreement in compliance with, all applicable national, state, and local laws, rules, regulations (as may be amended from time to time) providing for the protection privacy, confidentiality and security of personal information or records in any form or medium created or reviewed in the course of the Services or otherwise in performing its obligations hereunder, as well as any instructions provided by endpoint or its Customer relating to data protection and privacy. Notwithstanding anything to the contrary, Vendor represents and warrants that (a) all work under this Agreement will be performed solely within the United States and (b) no information or data, or Confidential Information will be exported by or on behalf of Vendor without endpoint’s express prior authorization.
- 2.7 Data Protection Authorization and Consent. The Vendor understands and consents to endpoint’s disclosure of the Vendor’s relevant personal details to, e.g., endpoint’s Customer, to gain the Customer’s approval of the proposed staff performing Services, managing the staff performing Services, and supporting the contractual relationship between endpoint and the Customer.
- 3. Independent Contractor Relationship.
- 3.1 The Vendor shall perform the Services in conformity with the highest industry standards and applicable laws and regulations. The Vendor is an independent contractor of endpoint with a specialized skill set. As a contractor, the Vendor shall perform the Services required using its/his/her independent professional judgment and in accordance with standards commonly accepted for independent contractors performing Services of a like nature and in accordance with the specifications agreed with endpoint.
- 3.2 This Agreement will not be deemed to create an employer/employee/agency relationship between endpoint and the Vendor. All Services rendered hereunder are in the capacity of an independent party performing Services and not as an employee or agent of endpoint or the Customer. Neither this Agreement nor the performance by Vendor of the Services identified herein shall be construed to render unto Vendor any of the rights or benefits available to endpoint or Customer employees. Vendor shall be solely responsible for obtaining appropriate work permits, and the payment of any income-related taxes, national health or insurance contributions, national retirement or social contributions, or any other deductions or withholdings required as a result of the payments made by endpoint to Vendor. Vendor agrees to be responsible for, and shall indemnify and hold endpoint and the Customer harmless from, government taxes, insurance contributions and social contributions of every kind and nature, fees, assessments, and work-related insurance by virtue of Vendor’s performance hereunder or associated with fees or amounts paid to Vendor by endpoint in connection with the performance of the Services described herein.
- 3.3 Vendor shall not offer or agree to incur or assume any obligations or commitments in the name of endpoint or for endpoint without endpoint’s written consent. Vendor shall not represent itself/himself/herself as an agent of endpoint in any manner, except as endpoint permits in writing in connection with the performance of the Services hereunder.
- 3.4 Neither party seeks to create or imply any mutuality of obligation between the parties in the course of the performance of this Agreement for Services or during any notice period. Neither the Customer nor endpoint is obliged to offer work to the Vendor nor is the Vendor obliged to accept work where it is offered. Neither the Customer nor endpoint is obliged to pay the Vendor when work is not available during this Agreement or for periods where no work is undertaken.
- 4. Compensation.
- 4.1 Vendor shall be paid at the rate and/or amounts solely as specified in each Statement of Work for Services performed for endpoint. The Vendor shall not invoice endpoint for any amount over such without the prior written approval of endpoint executed as an amendment to the relevant Statement of Work.
- 4.2 Unless otherwise specified in a Statement of Work, invoices shall be in United States dollars and shall be sent electronically to VendorBills@endpointclinical.com. endpoint shall have no obligation to pay for Services that are not invoiced within thirty (30) days of the last day of the month in which Services were performed. Payment for undisputed invoices shall be due within ninety (90) days of receipt and approval.
- 4.3 In the event Vendor is asked to travel on behalf of endpoint or incur other expenses directly related to the Services, endpoint shall reimburse Vendor solely for those actual costs of such expenses as outlined in a Statement of Work, without mark-up and including all discounts and rebates (“Expenses”), provided such are contained in the relevant Statement of Work. endpoint shall have no duty to pay for Expenses in the event the Vendor fails to submit an invoice for such Expenses within thirty (30) days of the date the expense is incurred.
- 4.4 Vendor shall submit a final invoice to endpoint no later than thirty (30) days after the termination or completion of the Services under each Statement of Work. No invoices for Services or Expenses will be accepted after this thirty (30) day period. Upon endpoint’s receipt of a final invoice and endpoint’s payment thereof, endpoint shall have no further obligation for compensation under this Agreement.
- 5. Equipment. If any equipment is provided to the Vendor by endpoint, it shall solely be used in the Vendor’s performance of the Services hereunder. It is agreed that any and all equipment provided by endpoint due to the special or proprietary nature of the Services shall be surrendered to endpoint at the conclusion of the relevant Statement of Work in sound working order. Vendor shall be responsible and compensate endpoint for any replacement, repairs to, or the destruction of endpoint equipment which is stolen, lost, damaged, or destroyed whilst in the care of Vendor. Additionally, any and all equipment provided to the Vendor by endpoint will not be used for any other purpose than the reason provided nor will any such equipment be transferred to another party or unapproved location.
- 6. Confidentiality.
- 6.1 “Confidential Information” means all proprietary and confidential information provided orally, in writing, or as observed on visits to facilities and which relate to the existence of this Agreement, its subject matter, new or existing products and/or business operations, including, without limitation, study protocols, product development plans, standard operating procedures, pricing information, business methods, trade secrets, business processes, business plans, inventions, techniques, information provided by third parties or other third party information provided to endpoint or Customer under an obligation of confidentiality, and other information not readily available to the public, including discussions regarding subject matter of potential future Statements of Work or that which is developed by Vendor hereunder. It is agreed that failure to mark documents as “Confidential” or “Proprietary” or reduce oral disclosures to writing shall not alleviate the Vendor of obligations under this Agreement if the disclosed information would reasonably be considered confidential based upon the nature of the information or the circumstances surrounding its disclosure.
- 6.2 Vendor acknowledges and agrees to receive Confidential Information during the term of this Agreement which is not available to the public and:
- 6.2.1 will maintain such Confidential Information in strict confidence and will limit the disclosure to its staff with a need-to-know, as long as such staff are subject to written confidentiality obligations at least as protective as required herein;
- 6.2.2 will not use such Confidential Information for any purpose other than that which is strictly required to perform its obligations under this Agreement; and
- 6.2.3 will not disclose such Confidential Information to any third parties without endpoint’s prior written consent.
- 6.3 Vendor guarantees that it will store the Confidential Information in a secure location, separate from other information, and will handle and protect the Confidential Information with no less care than that with which it handles and protects its own highly confidential and proprietary information (but in no event less than a reasonable degree of care) to prevent unauthorized publication or disclosure of Confidential Information.
- 6.4 If it is reasonably necessary for Vendor to disclose the Confidential Information to a non-affiliated third party and provided that endpoint has given prior written consent, Vendor will obtain a written agreement with equivalent terms limiting the disclosure by and use of the Confidential Information by the third party. The Vendor shall only use the Confidential Information for the purpose of this Agreement.
- 6.5 If endpoint so requests in writing, Vendor will, at the option of endpoint, return or destroy and certify that it has destroyed the Confidential Information, including other project documentation.
- 6.6 The period for maintaining confidentiality and non-use shall survive until the Confidential Information becomes public (or, if shorter, for the longest period permitted under applicable law); provided, that such Confidential Information does not become public as a result of a breach of this Agreement.
- 6.7 The confidential provisions of this Section 6 do not apply to any part of the Confidential Information which:
- 6.7.1 is known to the Vendor at the time it was obtained from endpoint other than as a result of Vendor’s breach of any obligation as shown by written evidence;
- 6.7.2 is acquired by the Vendor from a third party that did not obtain such information directly or indirectly from endpoint or Customer while under an obligation not to disclose it;
- 6.7.3 is or becomes published or otherwise enters the public domain other than by fault or omission by the Vendor; or
- 6.7.4 is required to be disclosed by the Vendor to comply with applicable law provided that the Vendor provides prompt written notice of such disclosure to endpoint and cooperates with endpoint’s reasonable and lawful actions to avoid and/or minimize the extent of such disclosure.
- 6.8 Vendor acknowledges on behalf of itself that the violation of this provision will result in significant harm and damage to both endpoint and its Customer and endpoint shall be entitled to an injunction to prevent or limit any actual or threatened disclosure or use of Confidential Information in violation of this Agreement.
- 7. Publication and Use of Names.
- 7.1 Vendor may not use, copy, disclose or publish the results, data, or other information, including but not limited to Confidential Information, disclosed or developed in connection with the Services without the prior written consent of endpoint and its Customer, as applicable.
- 7.2 Vendor guarantees it shall not use the name, trademarks, or the name of any endpoint or Customer employee in any advertising, online marketing, packaging, promotional material, or any other media or publicity relating to this Agreement without the prior written consent of endpoint or its Customer, as applicable.
- 8. Inventions; Works of Authorship. Every invention, discovery, improvement, device, design, apparatus, practice, process, method, or product, whether patentable or not, made, developed, perfected, devised, conceived of, or first reduced to practice by Vendor, either solely or in collaboration with others, in connection with performing, arising out of, or related to, the Services (“Inventions”) shall be the sole and exclusive property of endpoint or its Customer, and Vendor assigns and shall assign to endpoint or its designee all of Vendor’s right, title, and interest in and to all Inventions. All personal property, notes, data, written materials, findings, records, and documents, works of authorship and information (including Confidential Information) (collectively, “Records”) made or obtained by Vendor in connection with performing the Services are and will remain endpoint’s Confidential Information and the property of endpoint or its Customer as “works made for hire” commissioned by endpoint. Notwithstanding anything to the contrary, Vendor represents and warrants, without limitation, that (a) endpoint shall be free to publish or utilize all information, Inventions, and materials provided to it, without obligation or restriction to or from any party, whatsoever, and (b) nothing provided to endpoint, including, but not limited to any services, deliverables, Records and Inventions and all other items and materials under this Agreement and all Statements of Work shall include any intellectual property owned or controlled by any third party, nor shall any use, copy, or any distribution thereof constitute an infringement of any intellectual property rights.
- 9. Warranties by Vendor.
- 9.1 Vendor warrants and represents that it and its staff possess the skill, training, licenses, certifications, knowledge, qualifications, education, and experience (“Qualifications”) represented to endpoint as of the Effective Date and shall maintain such Qualifications for the duration of this Agreement. Furthermore, Vendor warrants and represents that such Qualifications are sufficient to perform the Services required in accordance with the highest standards expected of those providing similar services. In the event Vendor falsifies or otherwise misrepresents any Qualifications, Vendor shall be strictly liable, and such action shall be considered an incurable material breach of this Agreement potentially subject to criminal charges in accordance with applicable law. In such an event, endpoint reserves the right to immediately terminate this Agreement and any active Statements of Work without any liability to Vendor, including the responsibility to pay for certain Services or Expenses. The Vendor may additionally be required to refund certain Service fees paid to date. Nothing in this clause shall limit endpoint’s ability to pursue Vendor for damages or limit other remedies available to endpoint under applicable law. This clause shall survive the termination or expiration of this Agreement.
- 9.2 Vendor further warrants to endpoint that (a), where required, it is of good professional standing and reputation and that throughout the term of this Agreement, shall be properly authorized to perform the Services as contemplated herein and (b) all products and services provided by it or on its behalf will comply with the requirements of the Statement of Work and all other descriptions and specifications relating to such.
- 9.3 Vendor warrants and certifies, that it is not currently nor has been, nor will either use (now or in the future) in any capacity, any person(s) who have been (i) debarred or otherwise has had limitations on its/his/her ability to provide professional services by a regulatory body in any jurisdiction or subject to any restrictions or sanctions, (ii) convicted of a crime for which a person can be prohibited from providing medical or clinical research services or debarred in any jurisdiction. Vendor also confirms that neither it nor any person(s) working with Vendor have been (i) threatened to be debarred, restricted or sanctioned or otherwise prohibited from providing medical or clinical research services by any regulatory agency of any kind in any jurisdiction, or (ii) indicted for a crime or otherwise engaged in conduct for which a person can be prohibited from providing medical or clinical research services or debarred under any applicable law or regulation in any jurisdiction regulating the performance of services relating to pharmaceutical products or clinical studies. Vendor further confirms that neither it nor any person(s) working with Vendor has been debarred or convicted of any crime or offense which would subject Vendor or such person(s) to debarment under the laws of any country. As soon as Vendor becomes aware it shall immediately notify endpoint in writing if any person who is performing any of the Services is or becomes debarred, or if any action, suit, claim, investigation, or other legal or administrative proceeding is pending or threatened that would lead to any person performing Services becoming debarred, or would preclude Vendor from performing its obligations under this Agreement.
- 9.4 Vendor represents and warrants that it is free from any restrictions on its ability to enter into this Agreement and perform this Agreement and that the responsibilities and obligations assumed by Vendor hereunder are not in conflict with any other obligations of Vendor. Vendor represents and warrants to, and covenants with endpoint that as of the Effective Date, and throughout the term of this Agreement it will not undertake to provide services for any third party that would conflict with, hinder, delay or adversely impact its performance of Services or its obligations under this Agreement.
- 9.5 Vendor represents and warrants that all information provided in connection with any vendor qualification assessment is and shall be true, accurate, and not misleading.
- 9.6 Vendor agrees, notwithstanding anything to the contrary, that should it have any access to any data or systems of endpoint or any Customer, including, but not limited to any personal or other data relating to any employee thereof, it shall remain in strict compliance with the Privacy and Security Addendum, provided as Attachment A, hereto.
- 9.7 Vendor represents and warrants that it will comply with all applicable U.S. and foreign export, import, and customs laws and regulations, including, but not limited to, the Export Administration Regulations (“EAR”); the Foreign Trade Regulations (“FTR”), the sanctions laws, regulations, and executive orders administered by the U.S. Department of the Treasury’s Office of Foreign Assets Control, and the U.S. Anti-boycott Laws (individually, a “Trade Control Law”, and collectively, the “Trade Control Laws”) at its sole cost and expense. In the event of a conflict between any U.S. and foreign Trade Control Laws, the U.S. Trade Control Laws shall prevail. Vendor acknowledges and agrees that in fulfilling each purchase order it, or a third party vendor, if applicable, shall be the exporter of record and U.S. Principal Party in Interest under the EAR and the FTR, and that it, or, if applicable, a third party vendor, is responsible for export compliance, including, but not limited to, accurately (i) determining the applicable export control classifications and licensing requirements; (ii) obtaining any necessary export licenses; and (iii) submitting any necessary export clearance declarations, including the Electronic Export Information, as applicable, for each export. The Vendor shall further comply with all regulatory requirements that apply to the importation of the Products. If any items are shipped outside the U.S. in connection with the Services provided by endpoint, Vendor shall complete and return to endpoint the Vendor Export Classification Form attached as Exhibit B, prior to the delivery of such items, except for basic medical supplies or other commercial products that fall under the EAR99 catch-all of the EAR. If the Vendor does not provide a Vendor Export Classification Form to endpoint, the Vendor is deemed to have certified to endpoint that the respective Products are classified as EAR99.
The Vendor must notify endpoint before providing any technical data that is controlled under any Trade Control Law, if any, and clearly mark such data as export-controlled. endpoint will not be liable to Vendor for any loss or expense if Vendor fails to comply with any applicable Trade Control Law or with the provisions set forth herein. Vendor shall immediately notify endpoint if Vendor becomes listed on, or owned or controlled by anyone on, any restricted persons list published by the U.S. Departments of Commerce, Treasury, or State; the European Union; or the United Kingdom, or if Vendor’s export privileges are fully or partially denied, suspended, or revoked. Notwithstanding anything to the contrary set forth herein, endpoint may disclose Confidential Information to government agencies as endpoint may deem reasonably necessary for the purpose of disclosing, resolving, or remediating any violation or potential violation of any applicable Trade Control Law. Vendor acknowledges and agrees that in fulfilling each purchase order related to the provision of equipment required herein, Vendor shall be the exporter of record and U.S. Principal Party.
- 10. Workplace Rules. Vendor performing Services will fully comply and adhere to the Customer or endpoint policies and procedures as applicable including, but not limited to: building and facility security, confidentiality, professional attire, sexual harassment, anti-bribery and corruption, smoke-free work environment, workplace threats, and violence, theft and misappropriation of property, immoral or indecent conduct, substance abuse, firearms, and insubordination. endpoint and its Customer shall have the right to immediately remove from its premises any personnel of Vendor who violates any of the above policies or engages in any conduct that is inconsistent with endpoint’s or the Customer’s ongoing business activities.
- 11. Audit and Records. On giving reasonable notice in writing, endpoint, Customer, or any regulatory authority and/or its/their representative(s), may, during normal business hours, assess Vendor’s tools, processes, study-related output, finances, personnel, and all financial and other records, and may visit any Vendor facility (if Services are being performed at a Vendor facility), in order to audit Vendor’s performance of the Services and compliance with this Agreement, including all financial records relating thereto.
- 12. Termination.
- 12.1 endpoint may terminate this Agreement or any Statement of Work for any reason by providing fifteen (15) days prior written notice to Vendor. Following receipt of such notice, Vendor shall immediately cease all related Services, and promptly invoice endpoint for all Services performed and Expenses incurred (and approved) to that date for which Vendor has not yet been paid. endpoint may also terminate this Agreement or any Statement of Work for cause immediately upon notice to Vendor. Cause shall include, but is not limited to, an actual or threatened material breach of this Agreement or Statement of Work by Vendor. The Vendor will not be paid for Services performed where the result of such Services represents a breach by the Vendor of its obligations.
- 12.2 Vendor may terminate this Agreement or any Statement of Work by providing written notice of termination to endpoint, in the event endpoint commits any material breach of the Agreement or any Statement of Work that endpoint fails to cure within thirty (30) days of receipt of a written notice from Vendor reasonably describing the breach.
- 12.3 Upon conclusion of each Statement of Work, and in any event, upon conclusion of this Agreement, Vendor shall ensure the prompt delivery to endpoint of all information and materials, including study-related records and reports, obtained or prepared by Vendor hereunder that have not yet been delivered as of the conclusion date. Should endpoint choose to continue a project without Vendor, then Vendor shall make best efforts to ensure the smooth and timely transition of any Services to endpoint’s designee.
- 13. Insurance. Vendor warrants and represents that it has secured and shall maintain (for at least three (3) years after the termination) general commercial liability and suitable professional indemnity insurance underwritten by a reputable insurance carrier in full force throughout the performance of this Agreement in amounts appropriate to the conduct of the Vendor’s business, naming endpoint as an additional insured. A valid certificate of insurance shall be provided to endpoint upon request.
- 14. Indemnification.
- 14.1 Vendor hereby agrees to defend, indemnify, and hold harmless endpoint and its Customer and their respective predecessors in interest, successors and assigns, subsidiaries, Affiliates, officers, directors, shareholders, employees, and agents of any kind, harmless from and against all actual and threatened claims, suits, demands, damages, losses, attorneys’ fees, costs and expenses, of whatsoever nature, whether direct or indirect, arising or alleged to have arisen out of or in connection with the Services or this Agreement and resulting from or involving (i) negligent acts or omissions by Vendor, (ii) intentional misconduct by the Vendor, (iii) Vendor’s failure to comply with applicable employment, commercial or other laws, rules and regulations, or (iv) a breach of this Agreement or any Statement of Work by Vendor or of any warranty or representations therein. “Affiliate” means those entities which (i) directly or indirectly, through one or more intermediaries, owns more than 50% of the outstanding voting securities of a Party, or (ii) that directly or indirectly through one or more intermediaries, is controlled by a Party (or any entity of (i)), in each case where the term control means possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract interest or otherwise.
- 14.2 endpoint will indemnify, release, and hold harmless Vendor against all third party actions, suits, claims, demands, or prosecutions (“Claims”) hereinafter including all damages, judgments (including reasonable costs) arising out of endpoint’s gross negligence or intentional misconduct under this Agreement. For the avoidance of doubt, endpoint shall not be responsible for Claims relating to the products of its Customer. This obligation to indemnify, release, and hold harmless Vendor shall only be effective and enforceable to the extent that such claims do not arise from any negligence, intentional act, or breach of obligations owed under this Agreement.
- 14.3 It is agreed that each party shall notify the other party as soon as commercially practicable, to be followed by written notice, as soon as either party becomes aware of any claim(s) made, brought, or instituted against it based upon or arising out of the performance of this Agreement.
- 14.4 Any party liable to provide indemnification hereunder shall be entitled to control the defense and settlement of any claim on which it is liable. The parties shall reasonably cooperate in the investigation, defense, and settlement of any claim.
- 15. Miscellaneous
- 15.1 Governing Law/Venue. The provisions of this Agreement, each Statement of Work, and any documents delivered pursuant hereto have been freely accepted with each party having ample opportunity to seek legal counsel and shall be governed by and construed in accordance with the laws of North Carolina (excluding any conflicts-of-law rule or principle that might refer same to the laws of another jurisdiction). The parties agree that all actions and proceedings arising out of or relating directly or indirectly to this Agreement, all Statements of Work, or any ancillary agreement, or any other related obligations shall be litigated solely and exclusively in the state or federal courts located in North Carolina, USA and that such courts are convenient forums. Each party hereby submits to the personal jurisdiction of such courts for purposes of any such actions or proceedings and expressly waives objection thereto.
- 15.2 Entire Agreement. This Agreement together with each Statement of Work constitutes the entire agreement between the parties pertaining to the subject matter hereof and supersedes all prior agreements, understandings, negotiations, and discussions, whether oral or written, between the parties or any of their affiliates. No supplement or modification of this Agreement shall be binding on endpoint unless executed in writing by endpoint. Notwithstanding anything to the contrary, no terms or conditions included in any other document or communication provided by Vendor, including, but not limited to, any order form, statement of work, task order, or quote shall be binding on endpoint, even if executed by endpoint.
- 15.3 Notice. Any notice, statement, copy, or other communication provided for in this Agreement, shall be in writing and shall be considered as duly delivered upon (a) actual receipt or when personally delivered, (b) when mailed by first-class, registered, or certified mail, postage prepaid, or (c) by reputable courier service to the address provided by, or to such other address as such Party may later specify by written notice.
Other than communications relating solely to invoices and billing matters, all notices provided by Vendor to endpoint shall be addressed to:
endpoint Clinical Inc.
55 Francisco Street
San Francisco, California 94133
Attention: General Counsel
With a copy to: NOTICES@endpointclincical.com
All notices provided by endpoint to Vendor shall be provided to the address above.
- 15.4 Severability. The invalidity or unenforceability of any provision hereof shall in no way affect the validity or enforceability of any other provision hereof.
- 15.5 Counterparts. This Agreement may be executed in two (2) or more counterparts, which taken together will constitute a single legal document. This Agreement may be executed by electronic signatures and such signatures will be deemed to bind each party as if they were originals.
- 15.6 Assignment. Neither this Agreement, nor any of the rights, interests, or obligations hereunder (including SOWs) shall be assigned by any of the Parties hereto (whether by operation of law or otherwise) without the prior written consent of the Party. Either Party may, however, assign this Agreement together with all related SOWs to an Affiliate, by providing notice thirty (30) days prior to such assignment. Any attempted assignment not in compliance with this Paragraph shall be void.
15.7 Survival. The provisions set forth in Section 15, as well as Sections 2.5, 2.6, 6, 7, 8, 11, 13, and 14 of this Agreement, shall survive the expiration or earlier termination of this Agreement.
ATTACHMENT A
endpoint PRIVACY AND SECURITY ADDENDUM
WHEREAS, in connection with rendering Services under the Agreement, Vendor may Process endpoint Data (as defined below) or, in some cases, may be permitted access to endpoint Systems or endpoint Facilities solely for the purpose of rendering Services, subject to the terms and conditions of the Agreement.
NOW, THEREFORE, in consideration of the foregoing premises, the mutual promises set forth in the Agreement and herein, and for other good and valuable consideration, the receipt, and sufficiency of which is hereby acknowledged, the Parties agree as follows:
- 1. Definitions. The following terms shall have the meanings as set forth below. All capitalized terms not otherwise defined in this Addendum shall have the meaning set forth in the Agreement.
1.1 “Applicable Privacy and Data Security Laws” means laws, regulations, legal obligations, and other requirements, each as updated from time to time, that limit, restrict, or otherwise govern the collection, use, disclosure, security, storage, protection, disclosure, and Processing of data.
1.2 “Data Subject” means the particular identified or identifiable individual that Personal Information identifies, relates to, describes, or to whom it is capable of being associated and, in the event the Personal Information is governed by the CCPA, includes households as well as individuals.
1.3 “endpoint Data” means any information Processed by Vendor in connection with the Services, including, without limitation, Personal Information and Confidential Information of endpoint (as defined in the Agreement).
1.4 “endpoint Facilities” means facilities, buildings, and other physical locations which are owned, controlled or administered by or on behalf of endpoint or a third party on behalf of endpoint, including, without limitation, any facilities, buildings, or locations in which endpoint Systems are located.
1.5 “endpoint Systems” means information system resources which are owned, controlled, or administered by or on behalf of endpoint or a third party on behalf of endpoint, including without limitation, file system, device, equipment, server, website, application, network, infrastructure, computer systems, workstations, hardware, software, and databases.
1.6 “Personal Information” means any information (a) that directly or indirectly identifies, or when used in combination with other information may identify, relates to, describes, or is capable of being associated with an individual, household, or device; (b) is otherwise defined as personal data or other similar terms for individually identifiable information under Applicable Privacy and Data Security Laws, or (c) is associated with or linked to any other Personal Information. Personal Information can be in any media or format, including computerized or electronic records as well as paper-based files.
1.7 “Process” (or derivatives thereof, such as “Processing”) means any operation or set of operations which is performed, whether or not by automatic means, such as collection, viewing, accessing, recording, organization, storage, adaptation, or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking or dispersed erasure or destruction.
1.8 “Security Incident” means the attempted, successful, or suspected unauthorized Processing of endpoint Data or any unauthorized access to, interference with, or disruption of endpoint Systems.
1.9 “Services” means any and all services that Vendor performs for endpoint.
- 2. Data Processing, Access, and Restrictions
2.1 Restrictions on Use of endpoint Data and endpoint Systems. endpoint Data and endpoint Systems are the Confidential Information of endpoint. Unless otherwise provided by endpoint in writing, Vendor shall Process endpoint Data and endpoint Systems only: (a) for the benefit of endpoint; (b) in accordance with the Agreement; and (c) to the minimum extent necessary to perform the Services in accordance with the Agreement. Vendor shall not use, sell, rent, transfer, distribute, or otherwise disclose or make available endpoint Data or endpoint Systems for any other purpose. If Processing of endpoint Data or endpoint Systems is required by law, Vendor shall inform endpoint in writing of the legal requirement before such Processing unless prohibited by such law. Vendor shall not Process endpoint Data for marketing purposes, and shall not sell, aggregate, re-identify, analyze, or otherwise use endpoint Data unless required by the Agreement to perform the Services. Vendor agrees to Process endpoint Data solely to the extent necessary for Vendor to perform the Services. Vendor shall either return or destroy any endpoint Data not necessary for the performance of the Services in accordance with industry best practices, including, but not limited to, any historical data retained by Vendor, except as required under applicable law. A violation of this Section 2.1 shall be considered a material breach of the Agreement.
2.2 Employees and Third Parties. Unless compelled by a government authority with a subpoena or similar legal document, Vendor shall not disclose, transmit, or make available endpoint Data or endpoint Systems to third parties (including subcontractors), unless such disclosure, transmission, or making available has been explicitly authorized by endpoint in writing and then only if the third party also certifies in writing to the terms of this Addendum. Without limiting the foregoing, the Vendor shall make endpoint Data and endpoint Systems available only to its employees or third parties who need to access endpoint Data and endpoint Systems, and shall limit such access to the minimum necessary, in order to perform the Services. The Vendor shall inform its employees and third parties having access to endpoint Data and endpoint Systems of the confidentiality and security requirements set out in the Agreement. Vendor’s employees and third parties may handle endpoint Data and endpoint Systems only if they are bound by legally enforceable confidentiality obligations in writing consistent with the terms of the Agreement and are qualified and trained to protect endpoint Data and endpoint Systems. The Vendor is solely responsible for, and shall remain liable to, endpoint for the actions and omissions of all employees and third parties to whom Vendor provides access, concerning the treatment of endpoint Data and endpoint Systems, as if they were Vendor’s own actions or omissions. Upon endpoint’s written request, Vendor shall promptly provide endpoint with a complete and up-to-date list of any third parties with which it has previously or currently grants access to, transmits, or otherwise discloses endpoint Data.
2.3 Return and Destruction. Upon endpoint’s request or upon the termination of the Agreement, Vendor shall deliver to endpoint in a mutually agreed format and transfer mechanism, or, at endpoint’s option, shall have an officer of Vendor certify the destruction of (which destruction shall be in accordance with industry best practices), all endpoint Data and endpoint Systems, including all memoranda, notes, records, reports, media, and other documents, and all copies thereof, regarding or including endpoint Data or endpoint Systems, which Vendor may then possess or have under its control. Without limiting the foregoing, in the event of termination, endpoint Data required to be retained by law shall remain subject to the applicable confidentiality, privacy, and security provisions of the Agreement.
2.4 endpoint Data Accessibility and Location. The Vendor shall ensure that endpoint has uninterrupted electronic access to all endpoint Data at all times during the term of the Agreement. Subject to reasonable security requirements, the Vendor shall provide endpoint physical access to the data centers from which the Services are provided. Unless previously authorized by endpoint in writing, all work performed by or on behalf of the Vendor related to the Agreement shall be performed within the United States. Vendor shall not and shall not permit any third party to (a) transfer endpoint Data to any location outside of the United States, (b) access endpoint Data or endpoint Systems from outside of the United States, or (c) engage personnel outside of the United States for any Services.
2.5 Service Provider. Vendor agrees that it shall act solely as a “Service Provider” under the California Consumer Privacy Act (“CCPA”), and Vendor shall not take any action that would result in Vendor not acting as a Service Provider under the CCPA.
2.6 Access to endpoint Facilities and endpoint Systems. In the event that representatives of Vendor (each a “Vendor Representative”) require access to endpoint Systems and/or endpoint Facilities in connection with the provision of the Services, Vendor agrees that each proposed Vendor Representative with that access shall have a strict business need to access endpoint Systems and/or endpoint Facilities. The Vendor shall provide the names, titles, and responsibilities of each Vendor Representative for whom the Vendor requests access to endpoint Systems or endpoint Facilities for endpoint’s prior approval. Vendor acknowledges that endpoint shall have sole discretion to designate those of endpoint Systems and endpoint Facilities to which the Vendor Representative will have access. Vendor shall require and cause each Vendor Representative to comply with all policies and procedures adopted by endpoint relating to access or use of endpoint Systems and/or endpoint Facilities and to access endpoint Systems and endpoint Facilities only as minimally necessary to perform the Services. Vendor shall not, and shall take all actions necessary to cause Vendor Representatives to not, take any action or inaction that would create any vulnerability in, or otherwise negatively affect, the security or operation of endpoint Systems and endpoint Facilities. Upon completion of performing the Services or termination of the Agreement, Vendor shall ensure that any access to endpoint Systems and/or endpoint Facilities by any Vendor Representative shall be immediately and irrevocably terminated. Vendor shall immediately notify endpoint in the event the Vendor knows or suspects, or has any reasonable basis to know or suspect, that Vendor or a Vendor Representative has breached Vendor’s obligations under this section.
Vendor shall not and shall cause each Vendor Representative not to violate or attempt to violate the security of endpoint Systems, or any third party network, system, server, website, application, or account using endpoint Data or endpoint Systems.
- 3. Information Security and Risk Management
3.1 Information Security Program. The Vendor shall implement and maintain a comprehensive information security program that meets best industry standards and complies with Applicable Privacy and Data Security Laws to protect endpoint Data against accidental, unauthorized, or unlawful Processing and shall have documented those measures in a written information security program. Without limiting the foregoing, such safeguards shall conform, at a minimum, to the International Organization for Standardization’s 27000 standards, NIST 800-53, the Control Objectives for Information and related Technology (COBIT), CIS Top 20, and HITRUST.
3.2 PCI DSS. If Vendor has access to or will collect, access, use, store, process, dispose of or disclose credit, debit, or other payment cardholder information, Vendor shall at all times remain in compliance with the Payment Card Industry Data Security Standard (“PCI DSS”) requirements, including but not limited to the following:
(a) Being responsible for the security of all Cardholder Data that it processes, transmits, or stores in connection with providing the Services. “Cardholder Data” means all credit card account numbers, cardholder names, service codes, expiration date, full magnetic stripe data, CAV2/CVC2/CVV2/CID information, and PIN/PIN Block information.
(b) Vendor represents and warrants that, as of the Effective Date, it has complied with all applicable requirements of the current version of the PCI DSS, and it has performed the necessary steps to validate its compliance under the PCI DSS. The Vendor shall also meet any additional industry standards with respect to the credit card information it processes, transmits, or stores in connection with providing the Services.
(c) On the Effective Date, and annually thereafter, Vendor shall give endpoint (i) written evidence of Vendor’s most recent PCI DSS Attestation of Compliance (AOC), signed by a qualified security assessor (“QSA”) where required, and (ii) written confirmation that Vendor is in full compliance with all applicable requirements of the then-current version of the PCI DSS.
(d) Vendor shall give endpoint immediate written notice if Vendor learns that it is no longer PCI DSS compliant, along with a list of steps Vendor will take to obtain compliance.
3.3 Minimum Safeguards. Without limitation to the generality of the foregoing subsection 3.1, Vendor represents, warrants and covenants that it shall, and has adopted and implemented, and shall continue to maintain, physical, administrative and technical safeguards and other security measures to: (i) maintain the security and confidentiality of endpoint Data and protect it from threats or hazards to its security and integrity, as well as accidental loss, alteration, disclosure and all other unlawful and unauthorized forms of Processing; (ii) prevent, detect, contain, recover, remediate and respond to Security Incidents; (iii) enforce the use of secure authentication protocols and devices consistent with best industry standards on any of Vendor’s systems that protect, defend, secure or Process endpoint Data, including, without limitation, through requiring multi-factor authentication for every system or network that protects, defends, secures or Processes endpoint Data that is accessible from the public Internet, and the use of industry-standard password complexity requirements or password complexity auditing; (iv) enforce secure access control measures consistent with current leading industry standards for access to logical and physical resources on any of Vendor’s systems that protect, defend, secure or Process endpoint Data; (v) require the use of then-current best industry standard encryption for all storage and transmission of endpoint Data at a minimum of 256-bit encryption, or whatever higher level of encryption; (vi) include industry standard intrusion detection and prevention tools; (vii) apply all security-related patches and updates promptly; and (viii) include automated security measures, including but not limited to current leading industry standard auditing systems, firewalls, and endpoint protection software capable of detecting and mitigating threats from viruses, spyware, and other malicious code on any of Vendor’s systems that protect, defend, secure or Process endpoint Data or access endpoint Systems and all deliverables sent to endpoint. Vendor’s safeguards for the protection of endpoint Data shall also include strictly segregating endpoint Data from the information of Vendor or its other customers so that endpoint Data is not commingled with any other information. The Vendor shall conduct penetration testing and vulnerability scans and promptly implement, at the Vendor’s sole cost and expense, a corrective action plan to correct the issues that are reported as a result of the testing.
- 4. Oversight of Security Compliance
4.1 Audit. Upon endpoint’s reasonable advance written request, Vendor shall submit its systems and/or data processing facilities involved in providing the Services for assessment or audit, which shall be carried out by endpoint (or by an independent inspection company designated by endpoint, which has signed Vendor’s standard confidentiality agreement covering Vendor’s services and data processing facilities).
4.2 Vendor Audits and Records. The Vendor shall create, protect, and retain information system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity and ensure that the actions of individual information system users can be uniquely traced to those users so they can be held accountable for their actions. Vendor hereby represents, warrants, and covenants that: (a) Vendor shall undergo annual (or more frequent) audits of Vendor’s systems, facilities, policies, practices, controls and practices conducted by an independent third-party auditor (“Vendor Audit”) and that audit shall include in its scope all systems and facilities that Vendor uses to protect, secure, defend or Process endpoint Data and all of Vendor’s practices, controls, policies and procedures relating to the protection, security, defense or Processing of endpoint Data; (b) the Vendor Audits shall include, at a minimum, annual penetration testing and risk assessments, and quarterly vulnerability scans; and (c) Vendor shall provide endpoint with the results of the most recent such Vendor Audits prior to the effective date of this Addendum and each subsequent Vendor Audit within fifteen (15) days of completion of that audit (including whether that audit revealed any material vulnerability in Vendor’s systems, facilities, policies, practices, controls or practices). Upon endpoint’s written request, Vendor shall provide endpoint with the results of any audit performed by or on behalf of Vendor that assesses Vendor’s information security program as it relates to endpoint Data or endpoint Systems.
4.3 Vulnerability Management. The Vendor agrees to perform regular vulnerability scanning of their network and application (where applicable) and resolve identified vulnerabilities commensurate with assessed risk as outlined below. The Vendor also agrees to perform penetration testing of their environment and application on at least an annual basis. Evidence that vulnerability scans and annual penetration tests have occurred shall be provided at a summary level to endpoint upon request. At a minimum, any vulnerabilities identified as critical or high risk by a Common Vulnerability Scoring System (“CVSS”) score must be resolved within 15 days of identification. Refer to Section 4.3. Remediation for further guidance.
4.4 Hardware. If Vendor supplies hardware or equipment as part of the Agreement, the Vendor shall be responsible for ensuring that any software or operating system updates or patches related to such hardware or equipment are maintained at a level conducive to preventing the introduction of security vulnerabilities into endpoint Systems. Where the need for such updates or patches is discovered, either by the Vendor or by endpoint, the Vendor agrees to facilitate and provide said updates or patches as part of this Addendum.
4.5 Software Development. If the Vendor’s Services involve the provision of software to endpoint, Vendor warrants that identified vulnerabilities or flaws in the software have either been resolved and/or disclosed to endpoint prior to installation on endpoint Systems. The Vendor agrees that their software development and coding standards align with the best industry security standards and shall provide evidence of such methodology upon request.
4.6 Remediation. If during any audit, inspection, or other assessment, any material security vulnerability is discovered, the Vendor shall notify endpoint in writing of such vulnerabilities and remediate those vulnerabilities promptly and within fifteen (15) days of the completion of the applicable audit, unless any vulnerability by its nature cannot be remedied within such time, in which case the remediation must be completed within a mutually agreed upon time not to exceed sixty (60) days. If any vulnerability cannot be remedied, and such vulnerability directly impacts endpoint Data or endpoint Systems, the Vendor shall immediately notify endpoint and the parties shall work together to determine appropriate solutions.
4.7 Costs. Vendor and endpoint shall each bear their own costs associated with such assessments or audits. However, if Services are found to be non-compliant, endpoint payments shall be suspended until the Vendor becomes compliant and the Vendor shall pay the expenses associated with such audit. endpoint shall not disclose any information learned by endpoint in the course of performing any such inspection or examination except as may be reasonably necessary for endpoint to comply with obligations relating to the protection of endpoint Data, endpoint Systems, or as required by law.
4.8 Noncompliance. Vendor shall promptly notify endpoint in writing if Vendor believes Vendor or any third party performing the Services cannot (or will not in the future be able to) comply with its obligations under this Addendum. In such a case, the Vendor shall use its best efforts to remedy the situation. endpoint may, in its sole discretion and without penalty of any kind to endpoint, suspend the transfer or disclosure of endpoint Data or access to endpoint Systems to Vendor or its third party, or terminate the Agreement if necessary to comply with its legal obligations, Applicable Privacy and Data Security Laws, or if requested by a regulator or other governmental body.
- 5. No License or Rights Transferred. Any access provided to Vendor under this Addendum is limited to endpoint Data and endpoint Systems expressly authorized by endpoint, and unless otherwise expressly provided by endpoint, endpoint is not granting Vendor a license to use software programs contained within endpoint Systems. The Vendor shall not attempt to reverse engineer or otherwise obtain copies of any such software programs. No right, title, license, or interest in or to any of endpoint Data or endpoint System, other than the express licenses hereunder, are provided to Vendor or any other person or entity.
- 6. Incident Response Procedures
6.1 Notification. Vendor shall notify endpoint in writing as soon as practicable, but in any event no later than within twenty-four (24) hours of any Security Incident which results in, or which Vendor reasonably believes may result in, unauthorized access to, modification of, disclosure of, compromise of, or other Processing of endpoint Data or endpoint Systems. The notification to endpoint shall include, to the extent known by Vendor, and shall be supplemented on an ongoing basis: (i) the general circumstances and extent of any unauthorized Processing of endpoint Data or intrusion into systems that are used by Vendor to protect or Process endpoint Data; (ii) the types and volume of endpoint Data that were involved; (iii) Vendor’s plans for corrective actions to respond to the Security Incident; (iv) the identities of all individuals whose Personal Information was or may have been affected; and (v) any other related information requested by endpoint.
6.2 Investigation. Immediately following the Vendor’s notification to endpoint of a Security Incident, the Parties shall coordinate with each other to investigate the Security Incident. Vendor agrees to reasonably cooperate with endpoint in endpoint’s handling of the matter, including, without limitation, promptly: (a) assisting with any investigation; (b) providing endpoint with access to the facilities, systems, and operations affected; (c) facilitating interviews with Vendor’s employees and others involved in the matter; and (d) making available all relevant records, logs, files, data reporting and other materials, including but not limited to forensic reports, required to comply with applicable law, regulation, industry standards or as otherwise reasonably required by endpoint. Upon endpoint’s request, the Vendor shall provide in-depth supplementary reports regarding its investigation of the Security Incident and results of findings.
6.3 Containment and Remediation. Vendor shall at its own expense take necessary steps to immediately contain and remedy any Security Incident and prevent any further Security Incident, including, but not limited to taking any and all action necessary to comply with Applicable Privacy and Data Security Laws.
6.4 Notifications. Vendor agrees that it shall not inform any third party of any Security Incident without first obtaining endpoint’s prior written consent, other than to inform a complainant that the matter has been forwarded to endpoint’s legal counsel. Further, Vendor agrees that endpoint shall have the sole right to determine: (a) whether notice of the Security Incident is to be provided to any individuals, regulators, law enforcement agencies, consumer reporting agencies, or others as required by law or regulation, or otherwise in endpoint’s discretion, and whether Vendor shall provide notice to Data Subjects whose Personal Information was affected; and (b) the contents of such notice, whether any type of remediation may be offered to affected persons, and the nature and extent of any such remediation.
6.5 Preservation of Records. The Vendor agrees to maintain and preserve all documents, records, and other data related to the Security Incident. Vendor agrees to reasonably cooperate with endpoint in any litigation, investigation, or other action deemed reasonably necessary by endpoint to protect its rights relating to the use, disclosure, protection, and maintenance of endpoint Data or endpoint Systems.
6.6 Equitable Relief. Vendor acknowledges that any breach of its covenants or obligations set forth in this Addendum may cause endpoint irreparable harm for which monetary damages would not be adequate compensation and agrees that, in the event of such breach or threatened breach, endpoint is entitled to seek equitable relief, including a restraining order, injunctive relief, specific performance and any other relief that may be available from any court, in addition to any other remedy to which endpoint may be entitled at law or in equity. Such remedies shall not be deemed to be exclusive but shall be in addition to all other remedies available at law or in equity, subject to any express exclusions or limitations in this Addendum.
6.7 Costs. In addition to indemnification obligations outlined in the Agreement and in Section 10 below, the Vendor shall pay for all costs and expenses reasonably incurred by endpoint as a result of a Security Incident, including but not limited to, the administrative cost of opening and closing accounts, notices, print and mailing costs, call center services, forensics services, costs associated with investigating and responding to investigations and inquiries related to the Security Incident from federal and state regulatory authorities and others, and the costs to obtain two (2) years of credit monitoring services and identity theft insurance for the subjects of any Personal Information that has or may have been compromised in the Security Incident. The remedies set forth herein shall be in addition to any other remedies available to endpoint at law or in equity, including but not limited to Vendor’s indemnification obligations set forth elsewhere in the Agreement.
- 7. Compliance with Laws. Vendor shall comply with all laws and regulations relating to the confidentiality, integrity, availability, or security of endpoint Data and endpoint Systems applicable to Vendor’s obligations under the Agreement, including but not limited to Applicable Privacy and Data Security Laws. Vendor shall promptly make available to endpoint all reasonable information and assistance requested by endpoint for its compliance with such laws, including but not limited to reasonably assisting Vendor in responding to Data Subject or other third party requests or demands and demonstrating endpoint’s compliance with such laws. If Vendor receives a request or demand from a third party for information regarding endpoint Data or any provision in this Addendum, Vendor shall provide endpoint a copy of the request immediately, and in no event more than twenty-four (24) hours after receiving the request, subject to applicable law, and inform the requester that some or all of the information sought is the subject of a nondisclosure agreement with endpoint. The Vendor shall enter into all additional terms required by any such Applicable Privacy and Data Security Laws upon request by endpoint.
-
8. Conflicts; Amendments. To the extent any provision of this Addendum conflicts with (as opposed to supplements) any provision of the Agreement, the provision of this Addendum shall control. All terms and conditions of the Agreement not modified by this Addendum shall remain unchanged and in full force and effect. Where Vendor has entered into separate agreements governing its use of endpoint Data under specific laws and regulations, such as the EU General Data Protection Regulation and its Article 28 requirements on Data Processing Agreements or the Health Insurance Portability and Accountability Act and implementing regulations as amended and their business associate contract requirements for protected health information, the terms of such separate agreement shall control to the extent there is a conflict with the provisions of this Addendum. This Addendum may be modified by a written agreement executed by Vendor and endpoint. Notwithstanding anything else, endpoint may amend this Addendum by providing thirty (30) days’ advance written notice of such amendment if endpoint reasonably determines that such amendment is necessary for endpoint to comply with HIPAA or any other applicable laws or regulations pertaining to endpoint Data.
-
9. Insurance. Without limiting any of the obligations or liabilities of Vendor, Vendor shall carry and maintain, at its own expense including any applicable deductibles or retentions, as long as respectively applicable statute(s) of limitation or repose is in effect relating to the specific purposes of this Agreement, a policy of Cyber Liability insurance with limits of not less than $10 million for each occurrence and an annual aggregate of $10 million. At a minimum, this insurance covers claims involving privacy violations, information theft, damage to or destruction of electronic information, intentional and/or unintentional release of private information, alteration of electronic information, extortion and network security, data restoration, event response, and network interruption. Vendor shall name endpoint as an additional insured under such Cyber Insurance policy, which shall contain a separation of the insured provision or a substantially similar clause.
-
10. Failure to Comply. Vendor shall defend (or at endpoint’s election, reimburse endpoint for defense costs, including legal and other fees), indemnify, and hold harmless endpoint from and against all losses resulting from, arising out of, or related to the failure of Vendor, or third parties to whom Vendor has made endpoint Data or endpoint Systems available, to comply with the terms of this Addendum or related to a Security Incident. Notwithstanding the foregoing, endpoint expressly reserves the sole right, at endpoint’s option, to control the defense and/or settlement of any third-party claims, actions, investigations, enforcement proceedings, or assertions by non-affiliated third parties (including government third parties) against endpoint in connection with this Agreement (a “Claim”) and, if applicable, in addition to Vendor’s other obligations under this Agreement, Vendor agrees to assist endpoint, at Vendor’s expense, in the defense of any such Claim. Vendor shall not settle any Claim without the prior written consent of endpoint. Claims by endpoint under this Section 10 or in Section 6.7 shall not be subject to any limitation of liability in the Agreement.
-
11. Ongoing Obligation. At all times while endpoint Data is in the care, custody, or control of Vendor or third parties to whom Vendor has made available endpoint Data, Vendor agrees to comply with all of the provisions of this Addendum and shall ensure that endpoint Data is used and disclosed only in furtherance of the purposes of the Agreement.
EXHIBIT B
SUPPLIER EXPORT CONTROL FORM
(Please enter the information below, check all applicable boxes, and email the completed form to us.)
We (the undersigned company) hereby certify that we have provided to endpoint the export control classifications of all products, software, and technology (“Items”) that we will supply to endpoint under United States Export Administration Regulations.
The export control classifications of the Items:
☒ Are attached as Appendix 1.
☐ Set forth below.
Item Number | Item Description | Harmonized Tariff Schedule Number | Commerce Control List Export Control Classification Number (ECCN) | United States Munitions List Category Number | Other Applicable Export Control Classification |
We will provide endpoint with export-controlled technical data (check “yes” or “no” below):
☐ Yes (if you checked “yes”, please include the classification(s) of the technical data)
☐ No
We further certify that in fulfilling the order we will be the exporter of record and U.S. Principal Party in Interest and that we are responsible for compliance with the Export Administration Regulations (“EAR”), the Foreign Trade Regulations, and all other applicable U.S. and foreign export, import, and customs laws and regulations (“Trade Control Laws”), including, but not limited to, obtaining any necessary export/import licenses and other authorizations, submitting export/import clearance declarations, including the Electronic Export Information, and complying with any reporting requirements under the EAR and other Trade Control Laws (as applicable). We will notify endpoint before providing any technical data that is controlled under any Trade Control Law, if any, and clearly mark such data as export-controlled. endpoint will not be liable to us for any loss or expense if we fail to comply with the applicable Trade Control Laws or with the provisions set forth herein. We agree to indemnify endpoint for all liabilities, penalties, losses, damages, costs, or expenses that may be imposed on or incurred by endpoint in connection with any violations of applicable Trade Control Laws made by us or our employees, representatives, or agents. We shall immediately notify endpoint if we become listed on, or owned or controlled by anyone on, any restricted persons list published by the U.S., EU, UK, or other applicable government, or if our export privileges are otherwise fully or partially denied, suspended, or revoked.
We further understand that our obligation to comply with the Trade Control Laws is independent of this certification. If there is any change that affects the export control classification of the Items described herein after the date when this form is signed, we will inform endpoint in writing as soon as we become aware of such change. We hereby certify that the information provided in this form is true, complete, and accurate to the best of our knowledge and belief.
APPENDIX 1
Export Control Classifications
Product Family | Product Id | Product Desc | US ECCN* | Encryption Status | Encryption Strength | CCAT* | CCAT Review Date | ANSSI* File Number | US HS* Number | OAM* Field |
* Legend:
ECCN – Export Control Classification Number
CCAT – Commodity Classification Automated Tracking System
ANSSI – Agence nationale de la sécurité des systèmes d’information
HS – Harmonized Schedule
OAM – Operations, Administration, or Maintenance
CCL – Commerce Control List