PRIVACY AND SECURITY ADDENDUM
TO PRODUCT TERMS AND CONDITIONS - US
This Privacy and Security Addendum (the "Addendum") supplements the terms and conditions set forth in the Product Terms and Conditions - US (including those product terms for the EVault SaaS SBE Service, All Other Products and Services and Trial Licenses and Trial Subscriptions) (the "Product Terms") applicable to the Products purchased by Customer. Collectively, this Addendum, the Product Terms and any Order Forms are referred to as the "Agreement."
This Addendum shall be applicable only in the event and to the extent that:
(a) Customer is a "Covered Entity" as defined in 45 CFR §160.103; EVault is, with respect to Customer, a "Business Associate" as defined in 45 CFR §160.103; and EVault receives PHI (as defined below) from Customer; and/or
(b) EVault receives Nonpublic Personal Information, Member Information and/or Consumer Information (each as defined below) from Customer; and/or
(c) EVault receives MA Personal Information (as defined below) from Customer.
1. DEFINITIONS. Capitalized terms used, but not otherwise defined, in this Addendum shall have the same meaning as those terms in the Product Terms or applicable regulation.
"Breach", as it relates to information, has the same meaning as the term "breach" in Section 13400 of the HITECH Act.
"Consumer Information" has the same meaning as the term "consumer information" in the NCUA Regulation.
"Designated Record Set" has the same meaning as the term "designated record set" in 45 CFR §164.501.
"Electronic PHI" has the same meaning as the term "electronic protected health information" in 45 CFR §160.103, limited to the information created or received by EVault from or on behalf of Customer.
"Gramm-Leach-Bliley Act" means the Financial Services Modernization Act of 1999, 15 USC §6801.
"HIPAA" means the Health Insurance Portability and Accountability Act of 1996 and the regulations promulgated thereunder, as each may be amended from time to time.
"HITECH Act" means the Health Information Technology for Economic and Clinical Health Act of 2009.
"Individual" has the same meaning as the term "individual" in 45 CFR §160.103 and shall include a person who qualifies as a personal representative in accordance with 45 CFR §164.502(g).
"MA Personal Information" has the same meaning as the term "Personal Information" in the Massachusetts Personal Information Protection Law.
"Massachusetts Personal Information Protection Law" means 201 CMR 17.00, Standards for the Protection of Personal Information of Residents of the Commonwealth.
"Member Information" has the same meaning as the term "member information" in the NCUA Regulation.
"NCUA Regulation" means that regulation of the National Credit Union Administration found at 12 CFR Part 748.
"Nonpublic Personal Information" has the same meaning as the term "nonpublic personal information" in 15 USC Subchapter 1 §6809.
"NPI" has the meaning set forth in Section 3 below.
"Privacy Rule" means the Standards for Privacy of Individually Identifiable Health Information at 45 CFR Part 160 and Part 164, Subparts A and E.
"PHI" has the same meaning as the term "protected health information" in 45 CFR §160.103, limited to the information created or received by EVault from or on behalf of Customer.
"Required By Law" has the same meaning as the term "required by law" in 45 CFR §164.103.
"Secretary" means the Secretary of the Department of Health and Human Services or his designee.
"Security Rule" means the Security Standards at 45 CFR Part 160 and Part 164.
"Unsecured PHI" has the same meaning as the term "unsecured protected health information" in Section 13402(h) of the HITECH Act.
2. BUSINESS ASSOCIATE AGREEMENT UNDER HIPAA. Effective February 17, 2010, this Section 2 applies to the extent that (a) Customer is a "Covered Entity" as defined in 45 CFR §160.103; (b) EVault is, with respect to Customer, a "Business Associate" as defined in 45 CFR §160.103; and (c) EVault receives PHI from Customer.
2.1 Obligations and Activities Of Business Associate. As a Business Associate, EVault shall have the following obligations:
(a) EVault agrees to not use or disclose PHI other than as permitted or required by this Agreement or as Required By Law. Except as otherwise limited in this Agreement, EVault may use or disclose PHI to perform functions, activities, or services for, or on behalf of, Customer as specified in this Agreement, provided that such use or disclosure would not violate the Privacy Rule if done by Customer or the minimum necessary policies and procedures of Customer of which EVault has been informed.
(b) EVault agrees to use appropriate safeguards to prevent use or disclosure of the PHI other than as provided for by this Agreement, including the implementation of administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of Electronic PHI as required by the Security Rule.
(c) EVault agrees to mitigate, to the extent practicable, any harmful effect that is known to EVault of a use or disclosure of PHI by EVault in violation of the requirements of this Agreement.
(d) EVault agrees to report to Customer any use or disclosure of the PHI not provided for by this Agreement of which it becomes aware. Further, EVault agrees to notify Customer of any Breach of Unsecured PHI of which it becomes aware and otherwise comply with the notification requirements set forth in Section 13401 of the HITECH Act.
(e) EVault agrees to ensure that any agent, including a subcontractor, to whom it provides PHI received from, or created or received by EVault on behalf of, Customer agrees to the same restrictions and conditions that apply through this Agreement to EVault with respect to such information.
(f) EVault agrees to make its internal practices, books, and records, including policies and procedures and PHI, relating to the use and disclosure of PHI received from, or created or received by EVault on behalf of, Customer available to the Secretary, at a reasonable time designated by the Secretary, for purposes of the Secretary determining Customer's compliance with the Privacy Rule.
(g) EVault agrees to document such disclosures of PHI and information related to such disclosures as would be required for Customer to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 CFR §164.528.
(h) EVault agrees to provide to Customer or an Individual, in time and manner agreed by the parties, information collected in accordance with Section 2(g) of this Addendum, to permit Customer to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 CFR §164.528.
(i) EVault agrees not to exchange any PHI of an Individual for remuneration except as permitted in Section 13405(d)(2) of the HITECH Act.
(j) EVault and Customer agree that EVault does not receive or maintain PHI from Customer in a Designated Record Set, and EVault has no ability to provide access to or amend same.
If, in the performance of its obligations set forth in Sections 2(f) through 2(h) above, EVault expends time and materials, EVault will provide Customer with an estimate of the fee for such time and materials. Following agreement by the parties as to such fees, EVault will invoice Customer, and Customer shall pay EVault such fees in accordance with the payment terms set forth in this Agreement.
Except as otherwise limited in this Agreement, EVault may (i) use PHI for the proper management and administration of EVault or to carry out the legal responsibilities of EVault, and (ii) disclose PHI for the proper management and administration of EVault, provided that disclosures are required by law, or EVault obtains reasonable assurances from the person to whom the information is disclosed that it will be held confidential and used or further disclosed only as required by law or for the purpose for which it was disclosed to the person, and the person notifies EVault of any instances of which it is aware in which the confidentiality of the information has been breached.
2.2. Obligations of Covered Entity. Customer shall have the following obligations:
(a) Customer shall use the encryption features in the Products to encrypt any and all PHI that is provided to EVault. In addition to the indemnification obligations set forth in Section 9.2 of the Product Terms, Customer shall defend and indemnify EVault from and against any damages and costs arising from or relating to the failure of Customer to encrypt the PHI.
(b) Customer shall notify EVault of any limitation(s) in its notice of privacy practices of Customer in accordance with 45 CFR §164.520, to the extent that such limitation may affect EVault's use or disclosure of PHI.
(c) Customer shall notify EVault of any changes in, or revocation of, permission by an Individual to use or disclose PHI, to the extent that such changes may affect EVault's use or disclosure of PHI.
(d) Customer shall notify EVault of any restriction to the use or disclosure of PHI that Customer has agreed to in accordance with 45 CFR §164.522, to the extent that such restriction may affect EVault's use or disclosure of PHI.
(e) Customer shall not request EVault to use or disclose PHI in any manner that would not be permissible under HIPAA if done by Customer.
(f) Customer represents and warrants that it has the right and authority to provide PHI to EVault for EVault to perform its obligations and provide services to Customer and that EVault's storage and use of any PHI in providing services to Customer is permitted under Customer's privacy policy and applicable law.
2.3. Term and Termination
(a) Term. The term of this Addendum shall be effective as of the Effective Date and shall terminate when all of the PHI provided by Customer to EVault, or created or received by EVault on behalf of Customer, is destroyed or returned to Customer, or, if it is infeasible to return or destroy PHI, protections are extended to such information, in accordance with the termination provisions in this Section.
(b) Termination for Cause. In addition to any termination rights set forth in the Product Terms, if EVault materially breaches this Addendum, Customer may terminate this Addendum and this Agreement if EVault fails to cure such breach within thirty (30) days after receiving written notice of such breach, or immediately terminate this Addendum and this Agreement if cure is not possible.
(c) Effect of Termination.
(i) Except as provided in Section 2.3(c)(ii) below, upon termination of this Addendum, for any reason, EVault shall return or destroy all PHI received from Customer, or created or received by EVault on behalf of Customer in accordance with the terms of this Agreement. This provision shall apply to PHI that is in the possession of subcontractors or agents of EVault. EVault shall retain no copies of the PHI.
(ii) In the event that EVault determines that returning or destroying the PHI is infeasible, EVault shall provide to Customer notification of the conditions that make return or destruction infeasible. If the return or destruction of PHI is infeasible, EVault shall extend the protections of this Agreement to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as EVault maintains such PHI.
(d) Termination Upon Change In Law. If the Secretary provides guidance, clarification or interpretation of HIPAA or the HITECH Act or there is a change in HIPAA or the HITECH Act such that the service relationship between EVault and Customer is not considered a Business Associate relationship as defined in HIPAA, this Addendum shall terminate and be null and void.
2.4. Miscellaneous
(a) Regulatory References. A reference in this Agreement to a section in a regulation means the section as in effect or as amended.
(b) Amendment. The parties agree to take such action as is necessary to amend this Agreement from time to time as is necessary for Customer to comply with the requirements of HIPAA.
(c) Survival. The respective rights and obligations of EVault under Section 2.3(c) of this Addendum shall survive the termination of this Agreement.
(d) Interpretation. Any ambiguity in this Addendum shall be resolved to permit Customer to comply with HIPAA.
3. GRAMM-LEACH-BLILEY ACT AND NCUA REGULATION. This Section 3 applies to the extent that EVault receives Nonpublic Personal Information, Member Information and/or Consumer Information from Customer (collectively, "NPI").
3.1 Nonpublic Personal Information. NPI is deemed to be Confidential Information of Customer under the Product Terms, if applicable. Notwithstanding anything to the contrary contained in the Product Terms, NPI will be subject to the confidentiality terms of the Product Terms indefinitely.
3.2 Information Security Program. EVault shall implement and maintain an information security program designed to: (a) ensure the security and confidentiality of NPI; (b) protect against any anticipated threats or hazards to the security or integrity of NPI; (c) protect against unauthorized access to or use of such records or information that could result in substantial harm or inconvenience to any customer of Customer; and (d) ensure the proper disposal of NPI. EVault will adjust its information security program as necessary, due to changes in technology, changes in the sensitivity of the information Customer maintains or has access to, or changes in law or regulation, during the term of this Agreement. Upon request, EVault will provide to Customer any available summaries of policies, test results or other information to document the efforts by EVault to implement an information security program designed to meet the objectives of the regulations.
3.3 Encryption. Customer shall use the encryption features in the Products to encrypt any and all NPI that is provided to EVault. In addition to the indemnification obligations set forth in Section 9.2 of the Product Terms, Customer shall defend and indemnify EVault from and against any damages and costs arising from or relating to the failure of Customer to encrypt the NPI.
4. MASSACHUSETTS STANDARDS FOR THE PROTECTION OF PERSONAL INFORMATION OF RESIDENTS OF THE COMMONWEALTH. This Section 4 applies to the extent that EVault receives MA Personal Information from Customer.
4.1 MA Personal Information. MA Personal Information is deemed to be Confidential Information of Customer under the Product Terms, if applicable. Notwithstanding anything to the contrary contained in the Product Terms, MA Personal Information will be subject to the confidentiality terms of the Product Terms.
4.2 Use of MA Personal Information and Appropriate Security Measures. EVault shall implement and maintain appropriate security measures, in accordance with the Massachusetts Personal Information Protection Law, for the protection of MA Personal Information. Further, all use by EVault of MA Personal Information shall be in accordance with the Massachusetts Personal Information Protection Law.
4.3 Encryption. Customer shall use the encryption features in the Products to encrypt any and all MA Personal Information that is provided to EVault. In addition to the indemnification obligations set forth in Section 9.2 of the Product Terms, Customer shall defend and indemnify EVault from and against any damages and costs arising from or relating to the failure of Customer to encrypt the MA Personal Information.
Version B12-20-11