Breach Indemnification Agreement
Version 1.4 - November 2016
This Aptible Breach Indemnification Agreement (“BIA”) between Aptible, Inc. (“Aptible”, “us” or “we”) and users of the Aptible Services (“you”) governs the use of the Aptible Services under the provisions of the Aptible Terms of Service (the “Terms”).
Unless otherwise provided herein, this BIA is subject to the provisions of the Terms. We reserve the right to change the terms of this BIA in accordance with the Terms.
This BIA applies separately to each of your Dedicated Environments, as that term is defined in the Terms. This BIA does not apply to shared environments, Development Accounts, or any other environment or account for which you do not have a Business Associate Agreement (“BAA”) in place with Aptible or have not applied the security controls and configurations required by the BAA.
Capitalized words and phrases have the meaning specified in the Terms.
“Aptible Containerized Services” mean your apps and databases running on Aptible.
“Breach” has the meaning specified in 45 CFR § 164.402.
“Covered Breach” means, except for Excluded Breaches, a Breach of Unsecured Protected Health Information from your Aptible Containerized Services that results directly from a failure by Aptible to properly configure or maintain the components of the Aptible Services under Aptible’s exclusive control.
“Covered Expenses” means (a) all damages, costs, and attorneys’ fees finally awarded against you in any Covered Claim; and (b) all out-of-pocket costs (including reasonable attorneys’ fees) that you reasonably incurred in connection with the defense of a Covered Claim (other than attorneys’ fees and costs incurred without Aptible’s consent after Aptible has accepted defense of the Covered Claim).
“Excluded Breach” means any Breach of PHI that in any way results from: (a) a failure to properly configure your Aptible Containerized Services to protect PHI; (b) a failure to properly configure or enforce user access policies and permissions in your Aptible Containerized Services or Aptible account to protect PHI; (c) any other vulnerability introduced by your Aptible Containerized Service itself (and not the infrastructure or Aptible platform on which it is hosted); or (d) your breach of the Aptible Terms of Service, your BAA, or this BIA.
“Governmental Agency” means any court, administrative agency or commission or other federal, state, county, or local governmental entity, instrumentality, agency or commission.
“Regulatory Investigation” means a formal investigation by the U.S. Department of Health and Human Services into your security procedures regarding Protected Health Information.
“Third Party” means, other than a Governmental Agency, an unaffiliated corporation, partnership, or other entity, or a natural person.
“Unsecured Protected Health Information” has the meaning specified in 45 CFR § 164.402.
A. Defense. Subject to Section 3(C) of this BIA, Aptible will either defend you from or settle any claim, proceeding, or suit (“Claim”) brought by a Third Party against you to the extent the Claim results directly from a Covered Breach (“Covered Claim”) if you:
- Give Aptible prompt written notice of the Covered Claim;
- Grant Aptible full control over the defense and settlement of the Covered Claim;
- Provide assistance in connection with the defense and settlement of the Covered Claim as Aptible reasonably requests; and
- Comply with any settlement or court order made in connection with the Covered Claim.
You must not defend or settle any Covered Claim without Aptible’s prior written consent. You have the right to participate in the defense of the Covered Claim at your own expense and with counsel of your own choosing, but Aptible will have sole control over the defense and settlement of the Covered Claim.
B. Indemnification. Subject to Section 3(C) of this BIA, Aptible will indemnify you from and pay:
- All Covered Expenses incurred by you in connection with a Covered Claim; and
- Any monetary fines imposed on you by a Governmental Agency in connection with a Regulatory Investigation for carrying out practices for the protection of PHI that you implemented pursuant to Aptible’s express written recommendations.
C. Exclusions. Aptible will have no obligation to you under Sections 3(A) or 3(B) of this BIA if:
- You are in breach of the Aptible Terms of Service, your BAA, or this BIA at such time the Claim or Regulatory Investigation (as applicable) arises;
- The Claim or Regulatory Investigation (as applicable) relates to or arises from, directly or indirectly:
  a. Conduct or other matters that constituted a breach of the Aptible Terms of Service, your BAA, or this BIA;
  b. Any failure to properly configure or enforce user access policies and permissions in your Aptible Containerized Services or Aptible accounts to protect PHI; or
  c. Any other vulnerability introduced by your Aptible Containerized Service itself (and not the infrastructure or Aptible platform on which it is hosted);
- You fail to enter or otherwise provide accurate information to Aptible in connection with your use of the Services;
- You fraudulently omitted or included any information as part of your use of the Services; or
- You fail to update information that was accurate when provided to Aptible in connection with your use of the Services but which information later becomes inaccurate.
4. Dispute Resolution and Arbitration
Disputes arising under this BIA shall be resolved under the Dispute Resolution and Arbitration provisions of the Aptible Terms of Service.
5. Entire Agreement; Conflict
Except as amended by this BIA, the Aptible Terms of Service and your BAA will remain in full force and effect. This BIA, together with the Terms and your BAA:
- Is intended by the parties as a final, complete and exclusive expression of the terms of their agreement; and
- Supersedes all prior agreements and understandings (whether oral or written) between the parties with respect to the subject matter hereof.
If there is a conflict between the Terms, this BIA, your BAA, or any other amendment or any addendum to those agreements, the document executed by the parties later in time will prevail.