Calm.com, Inc. Vendor Compliance Exhibits
Last Updated: April 2, 2026
Definitions. Wherever necessary to make the context of these Exhibits applicable, capitalized terms shall have the meanings set forth below.
- “Customer” shall mean Calm.com, Inc. or its subsidiary entering into the Agreement with Vendor.
- “Vendor” shall mean the third party entering into the Agreement with Customer.
- “Agreement” shall mean the agreement entered into by Customer and Vendor.
- “Services” shall mean (a) the platform(s), application(s), software, professional services, implementation services, training, consulting, support, maintenance, or other services provided by Vendor to Customer in connection with the Agreement; (b) any data processing, hosting, storage, or infrastructure services provided by Vendor to Customer; (c) any APIs, integrations, or interoperability services that enable Customer to connect the Vendor’s software with third-party systems or Customer’s own systems; and (d) any other deliverables or work product provided by Vendor to Customer under the Agreement, whether performed by Vendor or its subcontractors, affiliates, or agents.
- “Customer Data” shall mean (a) all data, information or other materials provided by Customer to Vendor and intended for use with the Services or stored or processed by Vendor as part of the Services, (b) end user input, and (c) data generated by the Vendor or Services due to such data or end user input.
Exhibit A
BUSINESS ASSOCIATE AND DATA SECURITY AGREEMENT
This Business Associate and Data Security Agreement (“BAA”) is entered into between Calm.com, Inc., a Delaware corporation and a business associate of certain Covered Entity (as defined below) clients (“Business Associate”), and Vendor, a subcontractor of Business Associate under 45 CFR §§ 160.103 and 164.502(e)(1)(ii) (“Vendor”). This BAA is effective as of the effective date of the Agreement (as defined below) between Business Associate and Vendor (“Effective Date”).
Recitals
- In order to perform certain functions, activities or services for Business Associate under the terms of the agreement between Business Associate and Vendor (“Agreement”), Vendor may create, receive, maintain, and transmit Protected Health Information (including Electronic Protected Health Information) for or on behalf of Business Associate in order to perform the functions, activities or services contemplated in the Agreement (“Services”). This BAA shall be considered part of the Agreement.
- The purpose of this BAA is to set forth the terms and conditions of Use and Disclosure of Protected Health Information (including Electronic Protected Health Information), and to ensure the confidentiality, integrity and availability of Electronic Protected Health Information that Vendor creates, receives, maintains or transmits on behalf of Business Associate for the benefit of Covered Entity. Business Associate and Vendor intend to protect the privacy and provide for the security of Protected Health Information (including Electronic Protected Health Information) in accordance with HIPAA, HITECH, the HIPAA Rules, and State Privacy and Security Laws.
- Capitalized terms not otherwise defined in these recitals shall have the same meaning as those terms in Section I Definitions below.
I. Definitions
Capitalized terms used but not otherwise defined in this BAA shall have the same meaning as those terms in final regulations relating to privacy and security of individually identifiable health information at 45 CFR Parts 160, 162, and 164 implementing the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Subtitle D of the Health Information Technology for Economic and Clinical Health Act (HITECH) (also known as Title XIII of Division A and Title IV of Division B of the American Recovery and Reinvestment Act of 2009), and the HIPAA Rules (defined below), as amended from time to time.
- Breach Notification Rule—means the final regulatory provisions set forth at 45 CFR Subtitle A, Subchapter C, Parts 160 and 164, Subparts A and D.
- Compliance Date—means the later of (1) the date that compliance is required under the relevant provision of the HIPAA Rules, and (2) the Effective Date of this BAA.
- HIPAA Rules—means, collectively, the Breach Notification Rule, Privacy Rule, and Security Rule.
- Individual—has the same meaning as in the HIPAA Rules, as well as a person who qualifies as a personal representative in accordance with the HIPAA Rules.
- Internal Material—means Vendor’s documented internal practices, books, and records, including policies and procedures relating to the use and disclosure of PHI created, received, maintained, or transmitted by Vendor for or on behalf of Business Associate.
- Privacy Rule—means final regulatory provisions set forth at 45 CFR Subtitle A, Subchapter C, Parts 160 and 164, Subparts A and E.
- Protected Health Information or PHI, Electronic Protected Health Information or ePHI—have the same meaning as “protected health information” and “electronic protected health information” in the HIPAA Rules, but limited to the information created, received, maintained, or transmitted by Vendor for or on behalf of Business Associate.
- Security Rule—means final regulatory provisions set forth at 45 CFR Subtitle A, Subchapter C, Parts 160 and 164, Subparts A and C.
- State Privacy and Security Laws—means all applicable state laws relating to privacy, security, and data breach and confidentiality of the information provided to Vendor under this BAA.
II. Obligations and Activities of Vendor
- (A) General Requirements. Except as otherwise limited in this BAA, Vendor may Use or Disclose PHI (1) to perform functions, activities, or services for, or on behalf of, Business Associate as specified in, or as otherwise permitted or required by, the Agreement provided that such use or disclosure would not violate the Privacy Rule if done by a Covered Entity, (2) as permitted or required by this BAA, or (3) as Required By Law. All Uses and Disclosures of PHI must comply with the Minimum Necessary requirements under the Privacy Rule as well as any additional guidance or regulations issued by the Department of Health and Human Services. Any Use, Disclosure, or request of PHI must be limited to the Minimum Necessary to accomplish the intended purpose of the Use, Disclosure, or request. After the Compliance Date of subsequent implementing guidance and/or regulations on the meaning of Minimum Necessary, Vendor shall comply with such guidance or regulations.
- (B) Uses Permitted by Law. To the extent permitted by law, including without limitation, the Privacy Rule, Vendor may (1) Use PHI for the proper management and administration of Vendor, or to carry out the legal responsibilities of Vendor; and (2) Disclose PHI for the purposes described in Section II.(B)(1) above, provided that disclosures are Required By Law, or Vendor obtains reasonable assurances from the person to whom the information is Disclosed that it will remain confidential and Used or further Disclosed only as Required By Law or for the purpose for which it was disclosed to the person, and the person notifies Vendor of any instances of which it becomes aware in which the confidentiality of the information has been breached.
- (C) Safeguards. Vendor agrees (1) to use appropriate safeguards (a) to prevent use or disclosure of PHI other than as provided for by this BAA; and (b) to develop, implement, maintain, and use appropriate administrative, technical, and physical safeguards to reasonably and appropriately protect the confidentiality, integrity, and availability of ePHI that Vendor creates, receives, maintains or transmits on behalf of Business Associate; (2) to comply with the Security Rule with respect to ePHI, and document and keep the security measures current in accordance with 45 CFR § 164.316; (3) to prevent Use or Disclosure of PHI other than as provided for by this BAA; and (4) that it is obligated by law to meet the provisions of the Privacy Rule and the Security Rule that are applicable to Business Associates to the extent applicable to its activities. Notwithstanding the foregoing, any hard drives on any computers or laptops that are used to access, receive, send, or maintain Business Associate’s ePHI must be Encrypted and all communications must be Encrypted if sending ePHI over an open network. Mobile devices or external or removable media, including, without limitation backup tapes, used for sending, receiving, or storing ePHI must be Encrypted and password protected.
- (D) Location. Without prior written consent from an authorized officer of Business Associate, neither Vendor nor its agents or downstream subcontractors shall store, transfer or export any PHI provided by Business Associate outside the United States.
- (E) Reporting of Security Incidents. If the Vendor creates, receives, maintains, or transmits ePHI, Vendor shall appropriately report any Security Incident to Business Associate; provided, however, that any security incident that is a Breach of Unsecured Protected Health Information shall be reported pursuant to Section II.(F). Notwithstanding the foregoing, if Vendor provides services in California, Vendor shall notify Business Associate by email or fax of any suspected Security Incident or intrusion within 24 hours after discovery. This Section constitutes notice by Vendor to Business Associate of the ongoing occurrence of attempted Unsuccessful Security Incidents for which no additional notice to Business Associate shall be required. “Unsuccessful Security Incidents” means pings and other broadcast attacks or reconnaissance scans on Vendor’s firewall, port scans, unsuccessful log-on attempts, and any combination of the above, so long as no such incident results in any Breach of ePHI or access, Use or Disclosure of ePHI in violation of this BAA.
- (F) Reporting of Breaches of Unsecured Protected Health Information. Vendor, following the discovery of a Breach of Unsecured Protected Health Information, subject to any law enforcement delay permitted by 45 CFR § 164.412, shall notify Business Associate of the Breach immediately, but in no event later than five (5) calendar days thereafter, in the manner described or defined by the HIPAA Rules. A Breach shall be treated as discovered by the Vendor pursuant to the provisions of 45 CFR § 164.410(a)(2). The information included in Vendor’s notification shall be in accordance with the HIPAA Rules, including, without limitation, 45 CFR § 164.410(c), and guidance provided by the Secretary. Notwithstanding the foregoing, if Vendor provides services in California, Vendor shall notify Business Associate by telephone, plus email and fax, immediately upon the discovery of a Breach of Unsecured Protected Health Information.
- (G) Notices of Prohibited Uses or Disclosures. Except in the case of a Breach of Unsecured Protected Health Information, which shall be governed by the provisions of Section II.(F), Vendor shall provide written notice to Business Associate of any Use or Disclosure of PHI that is in violation of this BAA, the Privacy Rule, or other applicable federal or state law within five (5) business days of becoming aware of such Use or Disclosure. Vendor shall also notify Business Associate in writing within five (5) business days of receipt of any complaint that Vendor receives concerning the handling of PHI or compliance with this BAA. Notwithstanding the foregoing, if Vendor provides services in California, Vendor shall notify Business Associate of any access, Use or Disclosure of PHI in violation of this BAA by telephone, plus email or fax, immediately upon discovery, and shall notify Business Associate of any suspected unauthorized access, Use or Disclosure of PHI in violation of this BAA by email or fax within 24 hours after discovery.
- (H) Disclosures to Downstream Subcontractors. Vendor agrees to ensure that any downstream subcontractor that creates, receives, maintains or transmits PHI (including ePHI) for or on behalf of Vendor agrees to the same restrictions and conditions that apply through this BAA with respect to such information, including but not limited to, the applicable compliance requirements of 45 CFR Parts 160 and 164. Such agreement between Vendor and the downstream subcontractor must be made in writing and must comply with the terms of this BAA and the requirements outlined in 45 CFR §§ 164.504(e) and 164.314.
- (I) Accounting. Vendor agrees to document any Disclosures of PHI and to provide to Business Associate within five (5) days of request, information related to such Disclosures as necessary for Business Associate to respond to a request directly or indirectly by an Individual for an accounting of Disclosures of PHI in accordance with 45 CFR § 164.528. Vendor shall notify Business Associate of any request provided directly to Vendor within five (5) business days.
- (J) Government Officials. Vendor agrees to make available to the Secretary, Vendor’s Internal Material for use by the Secretary in determining whether Business Associate and/or Vendor is in compliance with the HIPAA Rules.
- (K) Access. Vendor agrees to provide to Business Associate, within five (5) days of a request, all PHI that has been identified by Business Associate as part of a Designated Record Set, to respond to an Individual’s request for access to, or amendment of, PHI pursuant to 45 CFR §§ 164.524 or 164.526. If PHI subject to this paragraph is maintained electronically, Vendor will provide the PHI in the requested electronic form and format, if it is readily producible in such form and format; if the PHI is not readily producible by Vendor in the requested form and format, Vendor will provide the PHI to Business Associate in a readable electronic form as agreed by Business Associate and Vendor. Vendor shall notify Business Associate of any request provided directly to Vendor within five (5) business days.
- (L) Amendment. Upon written instructions from Business Associate, Vendor agrees to incorporate any amendment to PHI agreed to by Business Associate pursuant to 45 CFR § 164.526.
- (M) Confidential Communications. Vendor agrees to honor any restriction on use or disclosure of PHI or request for confidential communications as agreed to by Business Associate pursuant to 45 CFR § 164.522.
- (N) Mitigation. Vendor shall mitigate promptly, to the extent practicable, any harmful effect (1) that is known to Vendor of a Use or Disclosure of PHI by Business Associate in violation of this BAA, the Privacy Rule, or other applicable federal or state law, or (2) of a Security Incident for which Vendor is responsible, or of which Vendor is aware, that involves ePHI and is in violation of this BAA, the Security Rule, or other applicable federal or state law.
- (O) Ongoing Compliance. Vendor agrees that as of the Compliance Date of any amendments to the HIPAA Rules, it will conform its practices to comply with amended requirements applicable to Vendor.
- (P) Insurance. Vendor shall maintain or cause to be maintained sufficient insurance coverage as shall be necessary to insure Vendor and its downstream subcontractors against any claim or claims for damages arising under this BAA. Such insurance coverage shall apply to all site(s) of Vendor and to all services provided by Vendor or its downstream subcontractors under this BAA. This provision shall govern the Vendor’s insurance obligations under this Section II.(P) and its indemnity obligations under this BAA Section II.(Q).
- (Q) Indemnity. Vendor shall indemnify, hold harmless and defend Business Associate and its officers, directors, employees, agents, affiliates, successors and assigns from and against any and all claims, losses, liabilities, costs and other expenses (including reasonable attorneys’ fees and costs, and administrative penalties and fines) incurred as a result of, or arising directly or indirectly out of or in connection with, any of the following: (1) any act or omission of Vendor or its downstream subcontractors under this BAA including, but not limited to, negligent or intentional acts or omissions; (2) Vendor’s breach of its obligations under this BAA; and/or (3) any third-party claim based upon any breach of this BAA, violation of HIPAA, HITECH, the HIPAA Rules or State Privacy and Security Laws by Vendor or by its employees, agents or downstream subcontractors. The indemnification obligation of Vendor shall survive termination of this BAA and the Agreement.
III. Obligations of Business Associate
- (A) Notice of Privacy Practices. Business Associate shall notify Vendor of any material limitations in an applicable Covered Entity’s Privacy Practices or Business Associate’s Notice of Privacy Practices, to the extent such limitations may reasonably be expected to affect Vendor’s use or disclosure of PHI.
- (B) Individual Permission. Business Associate shall notify Vendor of any changes in, or revocation of, permission granted by any Individual to use or disclose PHI, to the extent such changes or revocations may reasonably be expected to affect Vendor’s use or disclosure of PHI.
- (C) Restrictions. Business Associate shall notify Vendor of any restrictions on the use or disclosure of PHI to which Business Associate has agreed in accordance with 45 CFR § 164.522, to the extent such restrictions may reasonably be expected to affect Vendor’s use or disclosure of PHI.
IV. Permissible Requests by Business Associate
Subject to Section II of this BAA, Business Associate shall not request Vendor to use or disclose PHI in any manner that would not be permissible under the HIPAA Rules if made by Business Associate.
V. Term and Termination
- (A) Term. This BAA shall become effective as of the Effective Date and shall terminate on the earlier of (1) the date of termination of the Agreement; or (2) the date of termination of this BAA for cause or otherwise. Notwithstanding the foregoing, (1) the protections of this BAA will remain in place until all of the PHI is destroyed or returned to Covered Entity; or (2) if it is infeasible to return or destroy such PHI, the protections of this BAA will be extended to such PHI in accordance with the termination provisions in Section V.(C) of this BAA.
- (B) Termination for Cause. Upon Business Associate’s knowledge of a breach of a material term of this BAA by Vendor, Business Associate shall:
  - (1) Provide an opportunity for Vendor to cure the breach and, if Vendor does not cure the breach within a reasonable time, terminate this BAA;
  - (2) Immediately terminate this BAA if Business Associate has determined, in its sole discretion, that Vendor has breached a material term of this BAA and cure is not possible; or
  - (3) If neither termination nor cure is feasible, report the violation to the Secretary.
- (C) Effect of Termination.
  - (1) Except as provided in Section V.(C)(2) of this BAA, upon termination of the BAA for any reason, Vendor shall return or destroy all PHI or ePHI within fifteen (15) business days following the date of termination. This provision shall also apply to PHI that is in the possession of downstream subcontractors of Vendor. Vendor shall retain no copies of the PHI.
  - (2) If Vendor determines that returning or destroying the PHI is infeasible, Vendor shall, within fifteen (15) business days following termination, provide notification to Business Associate of the conditions that make return or destruction infeasible and extend the protections of this BAA to such PHI and limit further uses and disclosures of such PHI to those purposes that make return or destruction infeasible, for so long as Vendor retains such PHI. The rights and obligations of Business Associate shall survive termination of this BAA.
VI. Miscellaneous
- (A) Regulatory References. A reference in this BAA to a section in the HIPAA Rules means the section as in effect or amended, if such amendment is final and the Compliance Date for such amendment has passed.
- (B) Amendment. The parties agree to negotiate in good faith to amend this BAA from time to time as is necessary for Business Associate to comply with any new or revised final requirements of the HIPAA Rules, HIPAA, and HITECH. Except as provided by paragraph (I), below, this BAA may be amended only by a writing signed by both Business Associate and Vendor.
- (C) Interpretation. If Business Associate or Vendor determines that there is any ambiguity in this BAA, they shall discuss the provision(s) in question and shall attempt, in good faith, to resolve the ambiguity in a manner that permits Business Associate to comply with the HIPAA Rules and that permits Vendor to comply with the terms of this BAA and to render Services. In the event of a conflict between this BAA and the Agreement, the provisions of this BAA will override and govern.
- (D) No Third-Party Beneficiaries. Nothing in this BAA confers on any person other than Business Associate and Vendor any rights, remedies, obligations, or liabilities.
- (E) Severability. If any provision of this BAA is held by a court of competent jurisdiction to be illegal, invalid, or unenforceable, the remaining provisions of this BAA shall not be affected.
- (F) Counterparts. This BAA may be executed in counterparts, all of which together shall constitute a single agreement and any one of which shall be deemed an original. A facsimile copy of a signed counterpart shall be treated as an original.
- (G) Waiver. A waiver by Business Associate or Vendor of any requirement of this BAA shall not be construed as a continuing waiver, a waiver of any other requirement, or a waiver of any right or remedy otherwise available.
- (H) Compliance with State Law. Vendor shall comply with State Privacy and Security Laws.
- (I) Notices. Any notice required by this BAA shall be provided to the address below, using a national courier service for next business day delivery. In addition, and not in lieu of such notice, an e-mail with a copy of the notice shall also be provided and sent to the email address below, not later than the date such notice is deposited with the national courier service. An address for notice may be changed by giving notice as required by this paragraph.
Exhibit B
CONFIDENTIALITY
1.1 Confidentiality Obligations. During the term of this Agreement, from time to time, either party may disclose (the “Disclosing Party”) or make available to the other party (the “Receiving Party”), whether orally, electronically or in physical form, confidential or proprietary information concerning the Disclosing Party and/or its business, products or services in connection with this Agreement (together, “Confidential Information”). Confidential Information of Customer includes, without limitation, business plans, health plan relationships, acquisition plans, systems architecture, information systems, technology, Customer Data, computer programs and codes, processes, methods, operational procedures, finances, budgets, policies and procedures, customer, employee, provider, member, patient and beneficiary information, claims information, vendor information (including agreements, software and products), product plans, projections, analyses, plans or results, and any other information which is normally and reasonably considered confidential. Each party agrees that during the term of this Agreement and thereafter: (A) it will use Confidential Information belonging to the Disclosing Party solely for the purpose(s) of this Agreement; and (B) it will not disclose Confidential Information belonging to the Disclosing Party to any third party (other than the Receiving Party’s employees, contractors and/or professional advisors on a need-to-know basis who are bound by obligations of nondisclosure and limited use at least as stringent as those contained herein) without first obtaining the Disclosing Party’s written consent. Upon request by the Disclosing Party, the Receiving Party will return all copies of any Confidential Information to the Disclosing Party. Vendor hereby agrees that every individual person who performs under this Agreement shall execute the appropriate documents to undertake obligations of confidentiality consistent with the terms set forth herein. Vendor hereby agrees to provide evidence and/or copies of such duly executed documents to Customer upon request.
1.2 Confidentiality Exclusions. For purposes hereof, Confidential Information will not include any information that the Receiving Party can establish by written evidence: (A) was independently developed by the Receiving Party without use of or reference to any Confidential Information belonging to the Disclosing Party; (B) was acquired by the Receiving Party from a third party having the legal right to furnish same to the Receiving Party without disclosure restrictions; (C) was at the time in question (whether at disclosure or thereafter) generally known by or available to the public (through no fault of the Receiving Party); or (D) was, at the time of disclosure, already known to the Receiving Party and not subject to an obligation of confidentiality.
1.3 Required Disclosures. These confidentiality obligations will not restrict any disclosure required by order of a court or any government agency, provided that the Receiving Party gives prompt notice to the Disclosing Party of any such order and reasonably cooperates with the Disclosing Party at the Disclosing Party’s request and expense to resist such order or to obtain a protective order.
1.4 Injunctive Relief. The parties acknowledge and agree that the disclosure of Confidential Information may result in irreparable harm for which there is no adequate remedy at law. The parties therefore agree that the Disclosing Party may be entitled to seek an injunction in the event the Receiving Party violates or threatens to violate the provisions of this Exhibit B, and that no bond will be required. This remedy will be in addition to any other remedy available at law or equity.
1.5 HIPAA and GLBA. Vendor understands and acknowledges that Exhibit A (Business Associate and Data Security Agreement) attached hereto will apply in the event that Vendor has access to, receives from, creates, or receives on behalf of Customer, Protected Health Information, or Vendor has access to, creates, receives, maintains or transmits on behalf of Customer Electronic Protected Health Information (as those terms are defined under the privacy or security regulations issued pursuant to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and Subtitle D of the Health Information Technology for Economic and Clinical Health Act provisions of the American Recovery and Reinvestment Act of 2009 (“ARRA”)), and/or nonpublic personal information, as defined under the Gramm-Leach-Bliley Act and implementing regulations (“GLBA”), during the performance of its obligations under this Agreement.
1.6 EU Data Protection. If the Services involve the creation, processing, retention, deletion, use or disclosure of personal data (as that term is defined under the GDPR), including of Customer employees and other individuals (“Personal Data”), then Vendor will comply, and will require that its personnel and subcontractors comply, with all applicable requirements of the GDPR, including, without limitation, ensuring that transfers of Personal Data to third countries are made only in accordance with the following: (a) the transfer is to a jurisdiction deemed by the European Commission to have an adequate level of protection; (b) the transfer is subject to contractual provisions approved by the European Commission; or (c) pursuant to a framework deemed adequate and approved by the European Commission. For purposes of this Agreement, “GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). If the parties decide to process Personal Data pursuant to this provision, then the parties agree to enter into a separate data processing agreement.
1.7 Customer IT Systems Security. To the extent that Vendor accesses Customer’s information technology systems for any reason, Vendor shall comply with Customer’s security requirements necessary to protect that access, whether provided in this Agreement or otherwise provided to Vendor by Customer. This shall include compliance with the usage terms of Customer-managed user accounts, prompt notification to Customer if Vendor suspects unauthorized access to any such user accounts, and cooperation with Customer inquiries regarding Vendor personnel security practices prior to being given access.
All access by Vendor personnel to Customer information technology systems shall be subject to prior approval by Customer and shall follow Customer-provided procedures. Vendor shall only have access to Customer information technology systems authorized by Customer and shall use such access solely to the minimum extent necessary for providing Services to Customer. Vendor shall not attempt to access any applications, systems or data which Customer has not authorized Vendor to access or which Vendor does not need to access in order to perform Services for Customer. Vendor’s attempt to access any applications, data or systems in violation of the terms in this Section shall be a material breach of the Agreement. If Vendor personnel with access to Customer information technology systems no longer require access, Vendor will notify Customer promptly.
Exhibit C
HITRUST VENDOR ADDENDUM
This HITRUST Vendor Addendum (the “Addendum”) is incorporated into and forms part of the Agreement between Calm.com, Inc. (“Customer” or “Calm”) and Vendor for Vendor’s provision of Services to Calm (the “Agreement”), and is entered into as of the Effective Date of the Agreement by and between Calm and Vendor. Capitalized terms not defined herein have the meanings set forth in the Agreement.
- Information Security Policies and Procedures. Vendor shall maintain and enforce:
- A comprehensive information security policy governing the services provided under the Agreement;
- Documented procedures to protect organizational assets, including information, software, and hardware used in connection with the services;
- Procedures to promptly determine whether any compromise of assets has occurred, including loss or modification of information, software, or hardware;
- A clearly specified change management process for systems and services provided to Calm; and
- A formal authorization process governing user access and privileges to Calm’s data and systems.
- Security Controls. Vendor shall implement and maintain:
- Physical protection controls and mechanisms appropriate to the sensitivity of Calm’s data;
- Controls to protect against malicious software, including regular updates and monitoring;
- Processes to ensure the return or secure destruction of Calm’s information and assets upon termination of the Agreement or at any agreed point during the term;
- Restrictions on copying and disclosing Calm’s information, consistent with applicable confidentiality obligations;
- Clear responsibilities regarding hardware and software installation and maintenance for systems handling Calm’s data;
- A current list of individuals authorized to access Calm’s data, including their specific access rights and privileges;
- Documented processes for promptly revoking access rights and interrupting system connections when required; and
- Documented escalation processes for timely resolution of issues arising under this Addendum or the Agreement.
- Monitoring and Access Control. Calm may monitor and revoke Vendor’s access to Calm’s assets at any time upon written notice.
- Data Protection. Vendor shall ensure:
  - The confidentiality, integrity, and availability of Calm’s data at all times;
  - That users and administrators receive training in security methods, procedures, and best practices relevant to their roles;
  - That personnel are aware of their information security responsibilities; and
  - That access to Calm’s data is limited to what is necessary for Vendor to perform its obligations under the Agreement.
- Personnel Requirements. Vendor shall:
  - Notify Calm within fifteen (15) calendar days of any personnel transfers or terminations affecting staff with Calm credentials or system access;
  - Maintain a clear reporting structure with agreed reporting formats for security matters;
  - Control access through unique identifiers (such as user IDs and passwords) and permit only authorized access methods; and
  - Ensure that all access not explicitly authorized is forbidden.
- Target Service Levels. Vendor shall establish and maintain service levels that support the availability, reliability, and performance requirements necessary for business operations.
- Unacceptable Service Levels. Conditions that constitute unacceptable service performance shall be identified, including but not limited to sustained downtime, material degradation of service functionality, or failure to meet agreed response or resolution expectations (“Unacceptable Service Event”). Upon the occurrence of an Unacceptable Service Event, Vendor shall take prompt corrective action to restore normal service.
- Service Continuity. Vendor shall implement and maintain appropriate measures, including business continuity and disaster recovery capabilities, to ensure the continued availability and reliability of the Services in accordance with business priorities.
- Service Definitions. Vendor shall document and maintain clear definitions of service availability, reliability, response times, and any other performance indicators used to measure the delivery of the Services.
- Breach Notification. Vendor shall:
  - Notify Calm of any security breach affecting Calm’s data without unreasonable delay and in no case later than sixty (60) calendar days after discovery, including identification of each individual whose personally identifiable information has been affected;
  - Maintain evidence that all required breach notifications were made promptly; and
  - Cooperate with Calm’s incident response team in handling and jointly reviewing security incidents.
- Audit Rights.
  - Calm retains the right to audit Vendor’s compliance with this Addendum, either directly or through a third party, upon reasonable notice;
  - Vendor shall provide access to relevant systems, documentation, and personnel during audits;
  - The parties’ respective liabilities under the Agreement apply to this Addendum; and
  - Vendor acknowledges and agrees that failure to meet the security requirements in this Addendum may result in penalties or termination rights as specified in the Agreement.
- Legal Compliance and Intellectual Property.
  - Vendor shall comply with all applicable data protection laws and regulations, including those applicable in jurisdictions where Calm’s data is stored or processed;
  - Vendor is responsible for ensuring compliance with legislation in all countries where it operates in connection with the services; and
  - All intellectual property rights, copyright, and ownership of Calm’s data remain with Calm. Vendor acquires no rights except as necessary to perform its obligations under the Agreement.
- Data Exchange Standards. For any exchange or sharing of data, Vendor shall:
  - Apply controls addressing responsibility, procedures, technical standards, and solutions appropriate to the sensitivity of Calm’s data;
  - Classify business information according to its sensitivity and apply appropriate protections;
  - Maintain management oversight of data transmission, dispatch, and receipt;
  - Implement procedures for notifying Calm of transmission, dispatch, and receipt of sensitive data;
  - Ensure traceability and non-repudiation of data exchanges;
  - Meet minimum technical standards for packaging and transmission of data;
  - Use agreed labeling systems for sensitive information to ensure appropriate protection;
  - Maintain clear ownership and responsibilities for data protection, copyright, and software license compliance;
  - Apply technical standards for recording and reading information and software; and
  - Implement special controls to protect sensitive items, including cryptographic keys where applicable.
- Escrow. If applicable to the services provided, the parties shall enter into a separate escrow agreement for source code and related materials as mutually agreed.
- General. This Addendum may be executed in counterparts and may be signed electronically.
  - This Addendum supplements and does not replace the Agreement. In the event of conflict between this Addendum and the Agreement, the Agreement shall control.
  - In the event of conflict between this Addendum and Exhibit D (Security), Exhibit D shall control.
Exhibit D
SECURITY
1. General Requirements and Definitions.
1.1 Security Program. Vendor shall maintain a comprehensive security program under which Vendor documents, implements and maintains the physical, administrative, and technical safeguards designed to protect the confidentiality, integrity, availability, and security of Vendor Processing Resources and Customer Information and comply with applicable Law and the requirements of this Exhibit.
1.2 Vendor Security Contact. Vendor shall designate one or more privacy and data security contacts who are responsible for overseeing compliance with this Exhibit and provide Customer with contact information for these security representatives. Vendor will also identify its chief information security officer (or an equivalent individual) and maintain an up-to-date succession plan for the chief information security officer.
1.3 Policies and Procedures. Vendor shall maintain written security management policies and procedures designed to identify, prevent, detect, contain, and correct violations of measures taken to protect the confidentiality, integrity, availability, or security of Vendor Processing Resources and Customer Information. Such policies and procedures shall: (a) assign specific data security responsibilities and accountabilities to specific individual(s); (b) include a formal risk management program which includes periodic risk assessments, at least annually, to ensure continued compliance with obligations imposed by Law or contract; and (c) provide an adequate framework of controls that safeguard Vendor Processing Resources, Customer Information Systems to which Vendor has access, and Customer Information.
1.4 Subcontractors. To the extent that any current Vendor subcontractor accesses Customer Information or creates, has access to, or receives from or on behalf of Customer any Customer Information in electronic format, Vendor represents that it has a written agreement with such subcontractor, which agreement incorporates provisions which are substantially similar to those in this Exhibit. Prior to providing any new Vendor subcontractor with access to Customer Information, or prior to new Vendor subcontractor creating or receiving any Customer Information in electronic format, Vendor shall have written agreements in place with such subcontractor, which agreements shall incorporate provisions which are substantially similar to those in this Exhibit.
1.5 Audit. In addition to any audit requirements set forth elsewhere in the Agreement, Vendor will provide to Customer, its auditors (including internal audit staff and external auditors), inspectors, regulators and other representatives as Customer may from time to time designate in writing, but not more than once per twelve (12) month period (unless otherwise required by governmental entities that regulate Customer), access at all reasonable times (and in the case of regulators at any time required by such regulators) to any facility or part of a facility at which either Vendor or any of its subcontractors is performing Vendor Processing or which contains Vendor Processing Resources, and to data and records relating to Vendor Processing, Vendor Processing Resources, and information security for the purpose of performing audits and inspections of Vendor and any of its subcontractors to (a) verify the integrity of Customer Information and examine the systems that process, store, secure, support and transmit Customer Information; (b) verify Vendor’s and its subcontractors’ compliance with the requirements of this Exhibit, and (c) review general controls and security practices and procedures. Vendor will cooperate fully with Customer or its designees in connection with audit functions and with regard to examinations by regulatory authorities. Customer’s auditors and other representatives will comply with Vendor’s reasonable security requirements in the performance of such audit.
1.6 Definitions. Capitalized terms defined elsewhere in the Agreement shall have the same meanings when used in this Exhibit. Capitalized terms used but not defined in this Exhibit shall have the meaning set forth below.
- “Customer Information” means any Confidential Information of Customer that includes or is comprised of any of the following: (i) protected health information (i.e., any information that would be termed “protected health information” under the provisions of the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations); (ii) non-public personal information (i.e., any information that would be termed “non-public personal information” under the Federal Gramm-Leach-Bliley Act, any related state statutes, and any related federal or state regulations); (iii) personal data (i.e., any information relating to an identified or identifiable natural person, as further defined under the GDPR, which shall be defined as the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), and each EU member state’s implementing laws, including any regulations and codes of conduct issued under such laws); (iv) cardholder data, as that term is defined in the most current version of the Payment Card Industry (PCI) Data Security Standard; or (v) other personal information (i.e., other personally identifiable information about individuals, or information that can be used to identify individuals, the disclosure and/or use of which is restricted by applicable federal or state Law, including social security numbers).
- “Customer Information Systems” means information systems resources supplied or operated by Customer or its contractors, including without limitation, network infrastructure, computer systems, workstations, laptops, hardware, software, databases, storage media, proprietary applications, printers, and internet connectivity that are owned, controlled or administered by or on behalf of Customer.
- “Vendor Processing” means any information collection, storage or processing performed by Vendor or its subcontractors that: (i) directly or indirectly supports the Services or functions now or hereafter furnished to Customer; and (ii) involves the storage, processing, use or creation of, or access to, any Customer Information.
- “Vendor Processing Resources” means information processing resources supplied or operated by Vendor, including without limitation, network infrastructure, computer systems, workstations, laptops, hardware, software, databases, storage media, printers, proprietary applications, Internet connectivity, and hard copies which are used, either directly or indirectly, in support of Vendor Processing.
2. Security Risk Assessment
2.1 Assessment Timing. At Customer’s request, Vendor shall complete a security assessment conducted by Customer’s Enterprise Information Security department (“Security Assessment”) (a) before the Effective Date, and (b) thereafter, if (i) Customer determines that an annual periodic review is required to ensure Vendor’s controls properly address current legal, regulatory, and security requirements, (ii) the Parties add Statements of Work for new or additional Services, (iii) Vendor makes any material change that may degrade the security of Customer Information, or (iv) a Security Incident occurs.
2.2 Assessment Requirements. In Customer’s discretion, the Security Assessment may rely on Vendor’s Independent Certification, or, to the extent an Independent Certification does not fully cover the scope of applicable security controls or Services, be in addition to such Independent Certification. As part of the Security Assessment, Vendor shall provide the full Independent Certification report, security management policies and procedures, and other information required by Customer to evidence that critical controls are in place. This documentation may be provided directly to Customer or presented over a mutually agreed-upon screen-sharing application.
2.3 Remediation Requirements. Vendor shall document the results of the Security Assessment and remediation activities taken in response to such evaluations and provide a copy to Customer upon Customer’s request. If the Security Assessment reveals that Vendor does not meet any of the requirements of this Exhibit or the Agreement, then Vendor shall complete such remediation requirements, and provide evidence of this to Customer, within the timeframe specified by Customer. Material remediation requirements may also be included in this Exhibit in Attachment 1 or in a Statement of Work.
3. Independent Certification
3.1 Independent Certification Requirements. Vendor will maintain an Independent Certification, as further set forth in this Section 3, until the later of: (a) the expiration or earlier termination of the Agreement; or (b) Vendor no longer maintains (including in archived or secure storage) or otherwise has access to, any Customer Information. As used herein, “Independent Certification” means the approved certification(s) or attestation(s) listed in Section 3.2, in each case covering all Vendor Processing Resources and Vendor Processing, as well as applicable Vendor facilities used in connection with the provision of the Services. If Vendor does not have an Independent Certification at the Effective Date, the requirements of Section 3.3 shall apply.
3.2 Acceptable Independent Certifications. The Independent Certification approved by Customer, along with a description of the relevant control objectives or similar requirements, shall be set forth in the table in this Section 3.2. Upon Customer request, Vendor will provide supplementary documentation to Customer to verify that the scope of certification covers the scope of Services.
| Certification/Attestation | Conditions |
| --- | --- |
| HITRUST Certification | Vendor shall maintain a HITRUST certification covering all Vendor Processing Resources |
3.3 In-Flight Certifications. If Vendor has not obtained the required Independent Certification as of the Effective Date, then Vendor will obtain such certification, including meeting any interim requirements set forth in this exhibit, within the timeframes set forth in the table in this Section 3.3. Vendor shall provide Customer with progress reports and copies of relevant deliverables at Customer’s request. Vendor will provide Customer with relevant information associated with any corrective action plans or gaps noted by their external auditor, as reasonably requested by Customer.
| Requirement | Deadline |
| --- | --- |
| HITRUST Certification | 24 months after the Effective Date |
3.4 Certifications for New or Additional Services. To the extent that additional Services which have not been audited in Vendor’s Independent Certification come into scope of this Agreement, Vendor shall add those Services to their Independent Certification in its next Independent Certification audit cycle. Until the new Service has been added to the scope of the Independent Certification, Vendor shall ensure that new or additional Services meet security requirements set forth in Sections 1, 2, 4, and 5 of this Exhibit.
3.5 Lapsed Certification for Data Migration. Vendor shall notify Customer in writing of any lapse in coverage of the Independent Certification due to migration of data to a new location at least 60 days prior to the data migration. Vendor shall also notify Customer of the planned re-certification date, which shall not exceed 12 months past the date of the data migration. During re-certification, Vendor shall continue to maintain the security requirements set forth in Sections 1, 2, 4, and 5 of this Exhibit.
4. Security Incident Response
4.1 General. Vendor shall maintain formal processes to detect, identify, report, respond to, Contain, and Resolve Security Incidents in a timely manner. Additionally, Vendor shall maintain mechanisms to capture, record, and examine information relevant to Security Incidents and other security-related events. As used herein, “Security Incident” means the unauthorized access, use, disclosure, modification, or destruction of Customer Information or interference with the operations of any Customer Information Systems which Vendor has access to or Vendor Processing Resources; “Contain” or “Containment”, means Vendor has deployed security controls as necessary to reduce the adverse effects of a Security Incident to a level reasonably acceptable by Customer; and “Resolve” or “Resolution”, as applicable, means that Vendor has finalized a response to the Security Incident, such that the Security Incident no longer poses a risk to Customer Information Systems or Vendor Processing Resources, as applicable.
4.2 Security Incidents – Notification. Vendor will notify Customer by telephone and in writing within 24 hours from the time Vendor becomes aware of a Security Incident. Vendor shall provide Customer with a written Resolution plan within 48 hours of Customer request.
4.3 Security Incidents – Containment and Resolution. Upon becoming aware of a Security Incident, Vendor will Contain the Security Incident within 24 hours from the time Vendor becomes aware of it. With respect to Security Incidents that are Contained (but not Resolved), Vendor must Resolve such Security Incidents within five business days after they are Contained. At Customer’s sole discretion, the Resolution timeframe for a Security Incident may instead be a mutually agreed upon timeframe between Vendor and Customer, determined after discovery of the Security Incident.
4.4 Attempted Access. Vendor shall maintain appropriate mechanisms and processes for detecting, recording, analyzing, and resolving unauthorized attempts to access Customer Information or Vendor Processing Resources. The notification obligations in Section 4.2 do not apply to Unsuccessful Security Incidents (as defined below). Notwithstanding the foregoing, to the extent that Vendor accesses, processes, or stores protected health information as described in clause (i) of the definition of “Customer Information” in Section 1.6 above, Vendor shall, at Customer’s request, provide quarterly reports of trend data regarding Unsuccessful Security Incidents and will promptly notify Customer of any material changes from normal trends. As used herein, “Unsuccessful Security Incidents” means, without limitation, pings and other broadcast attacks on Vendor’s firewall, port scans, unsuccessful log-on attempts, denial-of-service attacks, and any combination of the above that do not directly impact any Customer Information Systems, Vendor Processing Resources, or Customer Information, and that do not result in the unauthorized access, use or disclosure of Customer Information.
5. Baseline Security Requirements.
5.1 Change Management. In addition to any specific requirements and subject to any specific conditions set forth in the Agreement or the applicable Statement of Work, Vendor shall provide Customer with at least 30 days’ prior written notice of any relevant changes to Vendor Processing Resources which may materially degrade the security of Customer Information.
5.2 Infrastructure Protection. Vendor shall maintain industry standard controls to protect Vendor Processing Resources, including, at a minimum:
- Data loss prevention mechanisms designed to segment, monitor, restrict, and prevent Customer Information from moving to unauthorized internal or external network locations;
- Router filters, firewalls, intrusion detection and prevention systems, and other mechanisms to restrict access to the Vendor Processing Resources, including without limitation, all local site networks that may be accessed via the Internet (whether or not such sites transmit information);
- Resources used for mobile access to Customer Information Systems shall be protected against attack and penetration through the use of firewalls, malware detection/prevention, and encryption;
- Processes to prevent, detect, and eradicate malicious code (e.g., antivirus applications) and to notify Customer of instances of malicious code detected on Vendor Processing Resources that may affect Customer Information or Customer Information Systems; and
- Patch Management processes to ensure Vendor Processing Resources have patches applied without undue delay, and operating systems or applications which no longer are supported by the original equipment manufacturers are not used to support Services.
5.3 Vulnerability Management. Vendor shall maintain formal processes to detect, identify, report, respond to, Mitigate, and Remediate Security Vulnerabilities in a timely manner. As used herein, “Security Vulnerability” means a vulnerability in Vendor’s infrastructure or applications that allows for, but has not resulted in, direct unauthorized access to Customer Information or Customer Information Systems; “Mitigate” or “Mitigation”, as applicable, means Vendor has deployed security controls as necessary to reduce the adverse effects of threats and reduce risk exposure to a level reasonably acceptable by Customer; and “Remediate” or “Remediation”, as applicable, means that Vendor has resolved a Security Vulnerability, such that the vulnerability no longer poses a risk to Customer Information Systems or Vendor Processing Resources, as applicable. Upon becoming aware of a Security Vulnerability, Vendor will assign a risk level aligned to the open industry standard Common Vulnerability Scoring System (CVSS) and the definitions set forth in the table below, and Mitigate and Remediate Security Vulnerabilities within the timeframes set forth in the table below.
| Risk Level | Definition | Required Timeframe: Mitigation | Required Timeframe: Remediation |
| --- | --- | --- | --- |
| Critical | CVSS Scores 9.0-10.0. Exploitation is straightforward and could result in significant data loss or downtime. Vulnerability is actively being exploited. Perimeter defenses are ineffective. | 24 hours | 5 days |
| High | CVSS Scores 7.0-8.9. Exploitation is moderate to difficult. An attacker could gain elevated privileges and cause data loss or downtime. Either (a) perimeter defenses are effective or (b) the vulnerability is not actively being exploited. | 24 hours | 30 days |
| Medium | CVSS Scores 4.0-6.9. May require social engineering tactics. Denial of service vulnerabilities that are difficult to set up. Exploits that require an attacker to reside on the same local network as the victim. Exploitation provides only very limited access or requires user privileges for successful exploitation. | 5 days | 60 days |
Vendor shall perform penetration tests of Vendor Processing Resources, including perimeter vulnerability testing, internal infrastructure vulnerability testing, and application testing. Vendor shall provide an executive summary of vulnerability scans and penetration tests upon Customer’s reasonable request.
5.4 Security Training. Vendor shall instruct its personnel on industry standard security practices and applicable privacy laws and regulations and their responsibilities for protecting the Customer Information and ensure compliance by all Vendor personnel assigned to Customer’s account. Vendor shall conduct annual training on the same and agrees to provide a certification that Vendor personnel have completed training upon Customer’s request. Vendor shall maintain a sanction policy to address violations of Vendor’s internal security requirements or the requirements of this Exhibit.
5.5 Physical Security. Vendor shall maintain appropriate physical security controls (including facility and environmental controls) to prevent unauthorized physical access to Vendor Processing Resources and areas in which Customer Information is stored or processed. Where practicable, this obligation shall include controls to physically protect hardware (e.g., lockdown devices). Vendor shall adopt and implement a written facility security plan which documents such controls and the policies and procedures through which such controls will be maintained. Vendor shall maintain appropriate records of maintenance performed on Vendor Processing Resources and on the physical control mechanisms used to secure Vendor Processing Resources. Subject to any other restrictions in the Agreement, to the extent that location of Customer Information has been identified and agreed upon in this Agreement or an applicable Statement of Work, Vendor shall obtain Customer’s prior written approval prior to changing location of Customer Information.
5.6 Customer Information and Communications Security.
- Exchange of Customer Information. Vendor shall utilize a method of transmitting Customer Information electronically that protects against the unauthorized access to and/or modification of such information.
- Customer Data Retention. Vendor shall not retain any Customer Data following completion of the applicable Services, except to the extent (a) required by Law, (b) required pursuant to Exhibit F (Medicare Advantage Regulatory Requirements Appendix), or (c) expressly required by Customer in writing. Subject to the foregoing, Vendor shall ensure that following the completion of the applicable Services, the Customer Data used in connection with such Services is Securely Deleted in accordance with Vendor’s records retention policy. At Customer’s request, Vendor shall certify to Customer in writing that all Customer Data has been Securely Deleted as required hereunder. As used herein, “Securely Deleted” means that, as applicable, (i) hard copy materials are destroyed (e.g., shredded) and cannot be reconstructed; or (ii) electronic files are deleted, overwritten, or made inaccessible to a level sufficient to ensure that they cannot be retrieved or reconstructed and that any Customer Data contained in the files is rendered unreadable, unusable and indecipherable; or (iii) Vendor Processing Resources are physically destroyed, degaussed or overwritten in accordance with NIST Special Publication 800-88.
- Encryption. Vendor shall ensure that all Customer Information, whether stored (i.e., “data at rest”) or transmitted by Vendor over the public internet (i.e., “data in motion”), is encrypted using valid encryption processes. Customer Information must be encrypted on any server where it is stored or processed. Full disk encryption must be implemented on any desktop, laptop, or mobile device on which Customer Information is stored or processed. Valid encryption processes shall be consistent with, as applicable, (a) NIST Special Publication 800-111, Guide to Storage Encryption Technologies for End User Devices; (b) NIST Special Publication 800-52, Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations; (c) NIST Special Publication 800-77, Guide to IPsec VPNs; (d) Federal Information Processing Standard (FIPS) 140-2 or its successor, FIPS 140-3; or (e) the requirements of applicable data security and/or privacy Laws in the country from which the Customer Information originates.
- Protection of Systems, Devices and Storage Media. Vendor shall ensure all reasonable, industry standard measures are taken to physically secure Vendor Processing Resources to prevent any unauthorized disclosure while in transit and while at rest. Vendor shall ensure that all Customer Information on Vendor Processing Resources is Securely Deleted before they are used for any other purpose. Vendor shall maintain reasonable and appropriate processes and mechanisms to maintain accountability and tracking of the receipt, removal and transfer of Vendor Processing Resources.
- Personal Devices and Removable Media. Vendor shall ensure that Vendor personnel will not be permitted to, and will not, utilize personal computing equipment for accessing Customer Information Systems or processing Customer Information. Vendor shall monitor and prevent Customer Information from being sent via social media, personal email accounts, or any non-approved medium of communication. Vendor shall restrict access to, and the use of, removable media, such as USB storage devices, writable optical media, portable hard drives, and other removable media. Vendor may not (and shall cause Vendor personnel to not) use any such removable media to store or transfer Customer Information without Customer’s prior written approval.
- Data Integrity. Vendor shall maintain processes to prevent unauthorized or inappropriate modification of Customer Information, for both data in transit and data at rest.
5.7 Access Control.
- Account Administration. Vendor shall maintain appropriate processes for requesting, approving, and administering accounts and access privileges for Vendor Processing Resources and Customer Information. These processes shall be required for both Customer-related accounts and Vendor’s internal accounts for Vendor Processing Resources and shall include procedures for granting and revoking emergency access to Vendor Processing Resources and Customer Information.
- Access to Vendor Processing Resources. Vendor shall maintain appropriate access control mechanisms to prevent all access to Customer Information and/or Vendor Processing Resources, except by (a) specified users expressly authorized by Customer and (b) Vendor personnel who have a “need to access” to perform a particular function in support of Vendor Processing. The access and privileges granted shall be limited to the minimum necessary to perform the assigned functions. Vendor shall maintain processes to ensure that Vendor personnel access to Customer Information is revoked within two business days after termination, and immediately in the case of involuntary termination.
- Access to Customer Information Systems. All access by Vendor personnel to Customer Information Systems shall be subject to prior approval by Customer and shall follow Customer-provided procedures. Vendor shall only have access to Customer Information Systems authorized by Customer and shall use such access solely to the extent minimally necessary for providing Services to Customer. Vendor shall not attempt to access any applications, systems or data which Customer has not authorized Vendor to access or which Vendor does not need to access in order to perform Services for Customer. Vendor’s attempt to access any applications, data or systems in violation of the terms in this Section shall be a material breach of the Agreement. If Vendor personnel with access to Customer Information Systems no longer require access, Vendor will notify Customer within three business days. In the case of involuntary termination, Vendor will notify Customer within 24 hours.
- Multi-Factor Authentication Requirements. All access to any Customer Information or any Vendor Processing Resources shall utilize Multi-Factor Authentication (MFA) as defined in this Section, or another appropriate authentication technique approved by Customer in a Security Assessment. Multi-Factor Authentication (MFA) is an element of layered security controls to reduce risk associated with high-risk online activities. MFA must have at least two of the three following factors:
  - Something the user knows (e.g. a password or PIN);
  - Something the user has (e.g. a smart card, hard token, or registered device); and
  - Something the user is (e.g. a biometric characteristic, such as a fingerprint or voice imprint).
5.8 Hosting, Cloud Services, and Data Aggregation.
- Limits on Shared Hosting and Virtualization. As used herein, “Cloud” means a network of remote servers hosted on the Internet and used to store, manage, and process data in place of local servers or personal computers. Vendor shall notify Customer in writing of any shared hosting or virtualized Cloud hosting arrangements in support of Customer Services.
- Shared Responsibilities. Vendor shall ensure that controls in their Cloud model are appropriately implemented to ensure the Confidentiality, Integrity, and Availability of the Customer Information. Vendor shall re-evaluate the shared responsibilities for security controls in their Cloud model on a periodic basis, no less than annually, to ensure that any shifts in responsibility for security controls are responded to in a timely manner by Vendor.
- Logical and Physical Segregation. Vendor shall physically and/or logically segregate Customer Information from data of other Vendor customers.
5.9 Software Development. To the extent that Vendor engages in software development in support of Services, Vendor shall employ reasonable processes, consistent with industry best practices, for change management, secure coding principles, code inspection, repeatable builds, separation of development and production environments, testing plans, and code escrow. Code inspections must include a comprehensive process to identify vulnerabilities and malicious code. In addition, Vendor shall ensure that processes are documented and implemented for vulnerability management, patching, and verification of system security controls prior to their connection to production networks.
Attachment 1 Remediation Requirements

| # | Remediation Requirement | Implementation Date |
| --- | --- | --- |
| | None. | N/A |
Exhibit E
FEDERAL ACQUISITION REGULATION CLAUSES
Wherever necessary to make the context of the clauses applicable, the terms “Government,” “Contracting Officer” and equivalent phrases shall be Customer excluding: (1) in the clauses containing references to “Government Property,” “Government-Owned Property,” “Government Equipment,” “Government-Furnished Property,” and “Government-Owned Equipment,” (2) when a right, act, authorization, or obligation can be granted or performed only by the applicable government end customer or its duly authorized representative, (3) when access to proprietary financial information or other proprietary data is required, other than as expressly provided in the Agreement, and (4) when title to property is to be transferred directly to the applicable government end customer.
- The following Federal Acquisition Regulation (FAR) clauses apply to the Agreement and can be found at 48 C.F.R. et seq and at www.acquisition.gov:
- 52.203-13, Contractor Code of Business Ethics and Conduct (Nov 2021).
- 52.203-15, Whistleblower Protections Under the American Recovery and Reinvestment Act of 2009 (Jun 2010).
- 52.203-17, Contractor Employee Whistleblower Rights (Nov 2023).
- 52.203-19, Prohibition on Requiring Certain Internal Confidentiality Agreements or Statements (Jan 2017).
- 52.204-23, Prohibition on Contracting for Hardware, Software, and Services Developed or Provided by Kaspersky Lab and Other Covered Entities (Dec 2023) (Section 1634 of Pub. L. 115-91).
- 52.204-25, Prohibition on Contracting for Certain Telecommunications and Video Surveillance Services or Equipment (Dec 2023) (Section 889(a)(1)(A) of Pub. L. 115-232).
- 52.204-27, Prohibition on a ByteDance Covered Application (Jun 2023).
- 52.204-28, Federal Acquisition Supply Chain Security Act Orders—Federal Supply Schedules, Governmentwide Acquisition Contracts, and Multi-Agency Contracts.
- 52.204-30, Federal Acquisition Supply Chain Security Act Orders—Prohibition (Dec 2023).
- 52.222-21, Prohibition of Segregated Facilities (Apr 2015).
- 52.222-26, Equal Opportunity (Sep 2016) (E.O. 11246).
- 52.222-35, Equal Opportunity for Veterans (Jun 2020) (38 U.S.C. 4212).
- 52.222-36, Equal Opportunity for Workers with Disabilities (Jun 2020) (29 U.S.C. 793).
- 52.222-37, Employment Reports on Veterans (Jun 2020).
- 52.222-40, Notification of Employee Rights Under the National Labor Relations Act (Dec 2010) (E.O. 13496).
- 52.222-41, Service Contract Labor Standards (Aug 2018) (41 U.S.C. 67).
- 52.222-50, Combating Trafficking in Persons (Oct 2020) (22 U.S.C. 78 and E.O. 13627).
- 52.222-51, Exemption from Application of the Service Contract Labor Standards to Contracts for Maintenance, Calibration, or Repair of Certain Equipment-Requirements (May 2014) (41 U.S.C. 67).
- 52.222-53, Exemption from Application of the Service Contract Labor Standards to Contracts for Certain Services-Requirements (May 2014) (41 U.S.C. 67).
- 52.222-54, Employment Eligibility Verification (Oct 2015) (E.O. 12989).
- 52.222-55, Minimum Wages for Contractor Workers Under Executive Order 14026 (Jan 2022).
- 52.222-62, Paid Sick Leave Under Executive Order 13706 (Jan 2022).
- 52.226-6, Promoting Excess Food Donation to Nonprofit Organizations (Jun 2020).
- 52.232-40, Providing Accelerated Payments to Small Business Subcontractors (Mar 2023).
- 52.211-5, Material Requirements.
- 3.502-2, Subcontractor kickbacks (Sep 2023).
- 52.203-5, Covenant Against Contingent Fees (May 2014).
- 52.203-7, Anti-Kickback Procedures (Jun 2020).
- 52.219-8, Utilization of Small Business Concerns (Oct 2022).
- 52.223-15, Energy Efficiency in Energy Consuming Products (May 2020).
- 52.224-1, Privacy Act Notification (Apr 1984).
- 52.224-2, Privacy Act (Apr 1984).
- 52.224-3, Privacy Training (Jan 2017) (5 U.S.C. 552a).
- 52.225-13, Restrictions on Certain Foreign Purchases (Feb 2021).
- 52.225-26, Contractors Performing Private Security Functions Outside the United States (Oct 2016).
- 52.244-6, Subcontracts for Commercial Products and Commercial Services (Feb 2024).
- 52.247-64, Preference for Privately Owned U.S. Flag Commercial Vessels (Nov 2021).
Exhibit F
Medicare Advantage Regulatory Requirements Appendix
VENDOR – DELEGATED ENTITY
THIS MEDICARE ADVANTAGE REGULATORY REQUIREMENTS APPENDIX (this “Appendix”) supplements and is made part of the Agreement.
SECTION 1
APPLICABILITY
This Appendix applies to the administrative services performed and products provided by Vendor pursuant to the Agreement as such services and products relate to Medicare Advantage Benefit Plans. In the event of a conflict between this Appendix and other appendices or any provision of the Agreement, the provisions of this Appendix shall control except: (1) with regard to Benefit Plans outside the scope of this Appendix; or (2) as required by applicable law.
SECTION 2
DEFINITIONS
For purposes of this Appendix, the following terms shall have the meanings set forth below.
2.1 Benefit Plan: A certificate of coverage, summary plan description, or other document or agreement, whether delivered in paper, electronic, or other format, under which a Payer is obligated to provide coverage of Covered Services for a Customer.
2.2 CMS Contract: A contract between the Centers for Medicare & Medicaid Services (“CMS”) and a Medicare Advantage Organization for the provision of Medicare benefits pursuant to the Medicare Advantage Program under Title XVIII, Part C of the Social Security Act.
2.3 Covered Service: A health care service or product for which a Customer is entitled to receive coverage from a Payer, pursuant to the terms of the Customer’s Benefit Plan with that Payer.
2.4 Customer: A person eligible and enrolled to receive coverage from a Payer for Covered Services.
2.5 Medicare Advantage Benefit Plans: Benefit Plans sponsored, issued or administered by a Medicare Advantage Organization as part of the Medicare Advantage program or as part of the Medicare Advantage program together with the Prescription Drug program under Title XVIII, Part C and Part D, respectively, of the Social Security Act (as those program names may change from time to time).
2.6 Medicare Advantage Customer or MA Customer: A Customer eligible for and enrolled in a Medicare Advantage Benefit Plan that is covered under the Agreement.
2.7 Medicare Advantage Organization or MA Organization: For purposes of this Appendix, MA Organization is: (a) UnitedHealthcare Insurance Company or one of its affiliates (“United”) that has entered into a contract with CMS for the purpose of offering a Benefit Plan to MA Customers; or (b) Payer.
2.8 Payer: An entity obligated to a Customer to provide reimbursement for Covered Services under the Customer’s Benefit Plan.
SECTION 3
DELEGATED ACTIVITIES
3.1 MA Organization Accountability; Delegated Activities. Vendor acknowledges and agrees that MA Organization oversees and is accountable to CMS for any functions and responsibilities described in the CMS Contract and applicable Medicare Advantage regulations, including those that MA Organization has delegated to Vendor under the Agreement. In addition to the other provisions of this Appendix, the following shall apply with respect to any functions and responsibilities under the CMS Contract that MA Organization has delegated to Vendor pursuant to the Agreement:
- Vendor shall perform those delegated activities specified in the Agreement, if any, and shall comply with any reporting responsibilities as set forth in the Agreement.
- If MA Organization has delegated to Vendor any activities related to the credentialing of health care providers, Vendor must comply with all applicable CMS requirements for credentialing, including but not limited to the requirement that the credentials of medical professionals must either be reviewed by MA Organization, or the credentialing process must be reviewed, preapproved, and audited on an ongoing basis by MA Organization.
- If MA Organization has delegated to Vendor the selection of health care providers to be participating providers in MA Organization’s Medicare Advantage network, or the selection of contractors or subcontractors to perform services under the CMS Contract, MA Organization retains the right to approve, suspend or terminate the participation status of such health care providers and the agreements with such contractors or subcontractors.
- Vendor acknowledges that MA Organization shall monitor Vendor’s performance of delegated activities on an ongoing basis. Such monitoring activities may include site visits and periodic audits. If CMS or MA Organization determines that Vendor has not performed satisfactorily, or has failed to meet all reporting and disclosure requirements in a timely manner, MA Organization may revoke any or all of the delegated activities and reporting requirements. Vendor shall cooperate with MA Organization regarding the transition of any delegated activities or reporting requirements that have been revoked by MA Organization.
SECTION 4
VENDOR REQUIREMENTS
4.1 Customer Protection. Vendor agrees that in no event including, but not limited to, non-payment by MA Organization, insolvency of MA Organization, or breach by United of the Agreement, shall Vendor bill, charge, collect a deposit from, seek compensation, remuneration or reimbursement from, or have any recourse against any MA Customer or person (other than MA Organization) acting on behalf of the MA Customer for any fees that are the legal obligation of MA Organization under the CMS Contract.
4.2 Eligibility. Vendor agrees to immediately notify MA Organization in the event Vendor is or becomes excluded from participation in any federal health care program under Section 1128 or 1128A of the Social Security Act. Vendor also shall not employ or contract for the provision of health care services, utilization review, medical social work or administrative services and products (collectively “Eligibility Services”), with or without compensation, with any individual or entity that is or becomes excluded from participation in any federal health care program under Section 1128 or 1128A of the Social Security Act. Vendor shall review (1) the Department of Health and Human Services Office of Inspector General List of Excluded Individuals and Entities and (2) the System for Award Management (SAM), a portal for the Federal Procurement System (and any successor lists), prior to the hiring or contracting of any new employee, temporary employee, volunteer, consultant, governing body member or subcontractor for the provision of Eligibility Services. Vendor must continue to review these lists on a monthly basis thereafter to ensure that none of these persons or entities are excluded or become excluded from participation in federal programs. MA Customers shall not have any financial liability for services or items furnished by an individual or entity that is excluded from participation in any federal health care program under Section 1128 or 1128A of the Social Security Act.
4.3 Laws. Vendor shall comply with all applicable federal and Medicare laws, regulations, and CMS instructions, including but not limited to: (a) federal laws and regulations designed to prevent or ameliorate fraud, waste, and abuse, including but not limited to, applicable provisions of federal criminal law, the False Claims Act (31 U.S.C. §3729 et seq.), and the anti-kickback statute (§1128B of the Social Security Act); and (b) HIPAA administrative simplification rules at 45 CFR Parts 160, 162, and 164.
4.4 Federal Funds. Vendor acknowledges and agrees that MA Organization receives federal payments under the CMS Contract and that payments Vendor receives from or on behalf of MA Organization are, in whole or in part, from federal funds. Vendor is therefore subject to certain laws that are applicable to individuals and entities receiving federal funds.
4.5 CMS Contract. Vendor shall perform the services and provide the products set forth in the Agreement in a manner consistent and compliant with MA Organization’s contractual obligations under the CMS Contract.
4.6 Records.
- Privacy and Confidentiality; Customer Access. Vendor shall safeguard MA Customer privacy and confidentiality, including, but not limited to, the privacy and confidentiality of any information that identifies a particular MA Customer, and shall comply with all federal and state laws regarding confidentiality and disclosure of medical records or other health and enrollment information, including the requirements established by MA Organization and the Medicare Advantage program, as applicable.
- Retention. Vendor shall maintain records and information related to the services performed and products provided by Vendor under the Agreement, in an accurate and timely manner. Vendor shall maintain such records for the longer of the following periods:
  - in the case of records containing information related to the medical loss ratio information reported to CMS by the MA Organization, including, for example, information related to incurred claims and quality improvement activities, at least ten (10) years from the date such medical loss ratio information is reported to CMS by the MA Organization, or
  - in the case of all other records, at least ten (10) years from the final date of the CMS Contract period in effect at the time the records were created, or such longer period as required by law.
- Government Access to Records. Vendor acknowledges and agrees that the U.S. Department of Health and Human Services, the Comptroller General, or their designees shall have the right (directly or through the MA Organization) to audit, evaluate, collect, and inspect any pertinent books, contracts, computer or other electronic systems (including medical records and documentation), and other records and information of Vendor related to the CMS Contract. Vendor shall make available its premises, physical facilities, and equipment, records relating to the services performed and the products provided under the Agreement, and any additional relevant information CMS may require. This right shall extend through the longer of the time periods identified in subsection 4.6(b)(i) and (ii), or ten (10) years from the date of completion of any audit, whichever is later in time.
- MA Organization Access to Records. Vendor shall grant MA Organization or its designees such audit, evaluation, collection and inspection rights identified in subsection 4.6(c) as are necessary for MA Organization to comply with its obligations under the CMS Contract. Whenever possible, MA Organization will give Vendor reasonable notice of the need for such audit, evaluation, collection, or inspection, and will conduct such audit, evaluation, collection, or inspection at a reasonable time and place.
4.7 Subcontracts. If Vendor has any arrangements, in accordance with the terms of the Agreement, with affiliates, subsidiaries, or any other subcontractors, directly or through another person or entity, to perform any of the services or provide any products Vendor is obligated to perform or provide under the Agreement that are the subject of this Appendix, Vendor shall ensure that all such arrangements are in writing, duly executed, and include all the terms contained in this Appendix. Vendor shall provide proof of such to MA Organization upon request. In addition, Vendor agrees to oversee and monitor, on an ongoing basis, the services Vendor has subcontracted to another person or entity. Vendor further agrees to promptly amend its agreements with such subcontractors, in a manner consistent with the changes made to this Appendix by MA Organization, to meet any additional CMS requirements that may apply to the performance of the services or the provision of the products.
4.8 Offshoring. All services provided by Vendor pursuant to the Agreement that are subject to this Appendix and that involve MA Customer’s protected health information (“PHI”) must be performed within the United States, the District of Columbia, or the United States territories unless Vendor previously notifies MA Organization in writing and submits required offshoring information to, and receives approval from, MA Organization.
The following provisions apply to Medicare-related services performed pursuant to the Agreement at locations outside of one of the fifty United States, the District of Columbia, or one of the United States Territories (American Samoa, Guam, Northern Marianas, Puerto Rico and Virgin Islands):
- Vendor represents and warrants to MA Organization that Vendor has in place and will comply with policies and procedures to ensure that all PHI and other personal information remains secure. Vendor will provide written evidence of the policies and procedures upon MA Organization’s request.
- Vendor will provide prior written notice to MA Organization of (a) any material change in the Medicare-related services that involve PHI that Vendor performs offshore, (b) any material change in Vendor’s policies and procedures to ensure that all PHI and other personal information remains secure, and (c) any material change in the tools and systems used by Vendor to ensure that all PHI and other personal information remains secure.
- Vendor is prohibited from receiving access to any PHI or other personal information of MA Customers that is not associated with services performed and products provided by Vendor pursuant to the Agreement. If Vendor receives access to PHI or other personal information of MA Customers that is not associated with services performed and products provided by Vendor pursuant to the Agreement, Vendor will immediately notify MA Organization that it has received such access, return all PHI or personal information accessed by Vendor, and destroy any such PHI or personal information that remains in Vendor’s possession after doing so (i.e. copies, electronic records, back-ups or temporary files).
- Vendor’s services under the Agreement may be terminated immediately upon discovery of a significant security breach.
- Vendor authorizes MA Organization or its designee to conduct an audit of Vendor’s offshore activities at least annually.
- Vendor acknowledges and agrees that MA Organization will use the results of its audit of Vendor to evaluate the continuation of MA Organization’s relationship with Vendor.
- Vendor authorizes MA Organization or its designee to share the results of audits of Vendor with CMS.
SECTION 5
OTHER
5.1 Regulatory Amendment. MA Organization may unilaterally amend this Appendix to comply with applicable laws and regulations and the requirements of applicable regulatory authorities including, but not limited to, CMS. MA Organization shall provide written or electronic notice to Vendor of such amendment and its effective date. Unless such laws, regulations, or regulatory authority(ies) direct otherwise, the signature of Vendor will not be required in order for the amendment to take effect.
Exhibit G
MASTER COMMUNITY & STATE APPENDIX
THIS MASTER COMMUNITY & STATE APPENDIX (this “Exhibit”) supplements and is made part of the Agreement. This Exhibit applies with respect to the provision of services Vendor provides for any Customer health plan Affiliate administering a Medicaid or other state-specific (“State”) government funded and regulated program (“State Program”). In the event of a conflict between this Exhibit and other appendices or any provision of the Agreement, the provisions of this Exhibit shall control except with regard to benefit plans outside the scope of this Exhibit or unless otherwise required by law or applicable State regulatory agency. Vendor will comply with the following requirements to the extent applicable to Vendor’s performance of services under the Agreement. Capitalized terms used but not defined in this Exhibit shall have the meaning assigned to them in the Agreement or other applicable appendix.
1. Regulatory Approval and Filing. In the event Customer is required to file the Agreement with federal, state or local governmental authorities, Customer shall be responsible for filing the Agreement with such authorities as required by any applicable law or regulation. If following any such filing, the governmental authority requests changes to the Agreement, Vendor agrees to cooperate with Customer in preparing the response to the governmental authority.
2. Compliance with Law and Government Contracts. Vendor and Customer agree to comply with all applicable federal, State, and local laws, rules, and regulations in connection with the performance of their obligations under the Agreement. All tasks under the Agreement also must be performed in accordance with the requirements of applicable contracts between any Customer Affiliate and State and/or federal regulatory agencies. Customer will provide or otherwise communicate such requirements to Vendor. Vendor shall ensure all agents, employees, assigns and subcontractors, if any, that are involved in providing services under the Agreement also comply with this Section.
3. Delegation and Oversight. In compliance with the delegation and oversight obligations imposed on Customer Affiliates under their contracts with State and/or federal regulatory agencies, Customer reserves the right to revoke any functions or activities delegated to Vendor under the Agreement, if in the reasonable judgment of Customer or an applicable Customer Affiliate, Vendor’s performance under the Agreement does not comply with obligations under applicable government contracts. This right shall be in addition to Customer’s termination rights under the Agreement.
4. Press Release; Marketing; Advertising; Use of Name and Trademarks. Except as otherwise set forth in the Agreement, Vendor shall not publicly use the name, logo, trademark, trade name, or other marks of Customer without Customer’s prior written consent. The parties mutually agree to provide at least 48 hours’ advance notice and opportunity to comment on all press releases, advertisements or other media statements and communications regarding the Agreement, the services or the business relationship between the parties. A party shall obtain the other party’s written consent prior to any publication or use of such materials or communications. Nothing herein shall be construed to create a right or license to make copies of any copyrighted materials.
5. Offshoring. Unless previously authorized in writing by the appropriate Customer health plan Affiliate and State governing agency, if required, all work performed under the Agreement shall be performed from location(s) in the 50 United States. If Vendor receives authorization pursuant to this Section 5 to offshore certain obligations under the Agreement, Customer will provide, and Vendor shall comply with, all applicable offshoring regulations, requirements or restrictions, including any applicable security controls. The parties agree that any offshoring restrictions or requirements may be updated at any time to comply with applicable law and any other requirements.
6. Subcontracts. To the extent required by any regulatory agency governing any Medicare or Medicaid or other governmental benefit plans (or as may be set forth in an appendix) or any accrediting agency, Vendor shall provide advance notice to Customer and obtain Customer’s consent prior to any subcontracting of any of its responsibilities under the Agreement.
7. Regulatory Amendment. Customer may unilaterally amend this Exhibit to comply with applicable regulatory requirements required under law. Customer will provide notice to Vendor of any such amendment. If such regulatory amendment materially affects the position of either party or renders it illegal for a party to continue to perform under the Agreement in a manner consistent with the parties’ intent, then the parties shall negotiate further amendments to this Exhibit or the Agreement as necessary to correct any inequities, to the greatest extent possible.
8. Excluded Individuals and Entities. Vendor agrees to immediately notify Customer in the event Vendor is or becomes debarred, suspended or excluded from participation in any federal or state health care program under Section 1128 or 1128A of the Social Security Act. Vendor shall not employ or contract for the provision of services under the Agreement, with or without compensation, with any individual or entity that is or becomes debarred, suspended or excluded from participation in any federal or state health care program under Section 1128 or 1128A of the Social Security Act. Vendor shall review: (1) the Department of Health and Human Services Office of Inspector General List of Excluded Individuals and Entities; (2) the System for Award Management (SAM), a portal for the Federal Procurement System; and (3) the applicable State Programs exclusion lists (and any successor lists) prior to the hiring or contracting of any new employee, temporary employee, volunteer, consultant, governing body member or subcontractor for the provision of services under the Agreement. Vendor must continue to review these lists on a monthly basis thereafter to ensure that none of these persons or entities are or become debarred, suspended, or excluded from participation in federal programs or State Programs.
9. Effect of Termination or Expiration. Within 30 days after the expiration or termination for any reason (or to any extent) of the Agreement and/or this Exhibit, Vendor shall return or destroy all applicable PHI, if feasible to do so, including all applicable PHI in possession of Vendor’s agents or subcontractors. To the extent return or destruction of the PHI is not feasible, Vendor shall notify Customer in writing of the reasons return or destruction is not feasible and, if Customer agrees, may retain the PHI subject to this section. Under any circumstances, Vendor shall extend any and all protections, limitations and restrictions contained in this Exhibit to Vendor’s use and/or disclosure of any applicable PHI retained after the expiration or termination (to any extent) of the Agreement and/or this Exhibit, and shall limit any further uses and/or disclosures solely to the purposes that make return or destruction of the PHI infeasible.
Exhibit H
EXCHANGE REGULATORY APPENDIX
THIS EXCHANGE REGULATORY APPENDIX (this “Exhibit”) supplements and is made part of the Agreement and shall survive termination of the Agreement to the extent it or applicable law imposes continuing obligations.
SECTION 1
APPLICABILITY
Customer is operating as a certified Qualified Health Plan Issuer (“QHP Issuer”) in one or more public Health Care Exchanges (“Exchange”) created under the terms of the Federal Patient Protection and Affordable Care Act (“PPACA”) and any implementing State law. Customer may be delegating certain of its QHP Issuer’s activities, reporting responsibilities, and/or other obligations, to Vendor.
This Exhibit applies solely to the services performed and provided with respect to any Exchange business delegated by United to Vendor pursuant to the Agreement. In the event of a conflict between this Exhibit and other appendices or any provision of the Agreement, the provisions of this Exhibit shall control, except as required by applicable law. Terms in this Agreement shall be as defined in PPACA, as supplemented by any applicable State Exchange law.
SECTION 2
PROVISIONS
This Exhibit is intended to comply with Exchange laws and substantive requirements.
1. The delegated activities and reporting responsibilities are set forth in the Agreement to which this Exhibit is attached. To the extent such delegated activities and reporting responsibilities serve Exchange business, they are designated as “QHP Services”.
2. Vendor acknowledges and agrees that Customer may revoke the delegated activities and reporting standards of Vendor or specify other remedies, for the respective Exchange, in instances where the U.S. Department of Health and Human Services (“HHS”), a State Exchange regulator, or Customer determines that such parties have not performed satisfactorily. To the extent that HHS or a State Exchange regulator directs the revocation, Customer shall provide immediate written notice of such to Vendor, and such revocation shall become effective as directed by HHS or the State Exchange regulator. Vendor shall cooperate with Customer regarding the transition of any QHP Services that have been revoked by United.
3. Vendor must comply with all applicable laws and regulations relating to the standards specified in 45 CFR § 156.340, as it may be amended from time to time, and all other Federal and/or State laws relevant to Customer’s Exchange business being serviced.
4. Vendor must permit access by the Secretary of HHS and the Office of Inspector General or their designees, in the case of Federally Facilitated Exchange (“FFE”) business, or comparable State regulators, in the case of State Exchange business, in connection with their right to evaluate through audit, inspection, or other means, to Vendor’s books, contracts, computers, or other electronic systems, including medical records and documentation, relating to the Customer’s obligations as a QHP Issuer in accordance with Federal standards under 45 CFR §156.340, as it may be amended from time to time, with all records retained for at least 10 years from the final date of the Agreement period or such lesser period which may be specified in State law for State Exchanges.
5. If submitting FFE data is involved, Vendor is bound by the terms of Customer’s agreement between Qualified Health Plan Issuer and The Centers for Medicare and Medicaid Services or any applicable trading partners or comparable State Exchange agreement, to test its software, and receive Customer’s approval of software as being in the proper format and compatible with the FFE or the applicable State system.
6. If any State Exchange or HHS for FFEs requires additional specific provisions to be in Customer’s agreement with any delegated or downstream entity, they will be provided to Vendor by Customer and are incorporated herein by reference or by attaching a copy of such provisions to this Exchange Regulatory Exhibit.
7. If Vendor delegates any QHP Services to a downstream entity (as such term is defined in 45 C.F.R. § 156.20), Vendor shall provide written advance notification to Customer of such delegated activities and reporting responsibilities before the applicable effective date of the delegation under federal regulations. Vendor shall bind the downstream entity to all the terms of this Exhibit, including providing for revocation of the delegated activities.