This Provider Services Agreement (“PSA”) sets forth the commercial and operational terms under which Expect Fitness, Inc. (“Expect”) provides access to its clinician portal and related services to health care providers and clinics (“Customer”). Where Customer is a HIPAA Covered Entity and Expect acts as a Business Associate, the parties’ Business Associate Agreement (BAA) governs PHI/ePHI and is incorporated by reference.
Expect will provide access to its clinician portal and related services identified in an applicable order, enrollment, or written confirmation (“Order,” the “Services”).
3.1 Fees & Billing. Fees and billing frequency are stated in the Order (if any).
3.2 Term & Renewal. The initial term is as stated in the Order. Unless otherwise noted, subscriptions renew for successive one-year terms unless either party gives thirty (30) days’ written notice of non-renewal.
3.3 Suspension. Expect may suspend Services (a) to address a material security risk; (b) for non-payment after notice/cure; or (c) to comply with law. Expect will limit suspensions to the minimum necessary and restore access promptly when remedied.
Customer will administer and safeguard its user accounts, promptly de-provision separated users, ensure lawful use, and comply with the BAA (if applicable).
5.1 Ownership. As between the parties, Customer (and/or its patients) owns all right, title, and interest in data submitted to or generated within the Services on Customer’s behalf, including PHI (“Customer Data”).
5.2 License to Host. Customer grants Expect a non-exclusive, limited license to host, process, transmit, and display Customer Data solely to provide the Services and as otherwise permitted in the BAA.
5.3 Exports & Return/Deletion. During the Term and for thirty (30) days after termination, Expect will make available standard exports of Customer Data in a reasonable, industry-standard format (e.g., CSV/JSON/PDF). After such period, Expect may delete Customer Data from active systems, subject to retention in immutable backups per its documented schedule, with protections maintained until secure deletion.
Expect may de-identify Customer Data in accordance with 45 C.F.R. §164.514(b) and may use de-identified data for lawful purposes, without re-identification or association to any individual or Covered Entity.
Expect maintains an information security program appropriate to the Services and the sensitivity of Customer Data, including encryption in transit and at rest, role-based access controls, logging/monitoring, vulnerability management, workforce training, and business continuity/disaster recovery. HIPAA-specific obligations are set forth in the BAA.
Uptime targets, maintenance windows, and support response times (if applicable) are described in the SLA Exhibit (referenced by URL). The SLA’s service credits are Customer’s exclusive remedy for service-level failures.
Expect may use subprocessors to provide the Services, remains responsible for their performance, and imposes data-protection obligations no less protective than those described in this PSA and the BAA. A current list may be provided by URL or on request.
Expect warrants it will perform the Services in a professional and workmanlike manner consistent with industry standards. EXCEPT AS EXPRESSLY STATED, THE SERVICES ARE PROVIDED “AS IS,” AND EXPECT DISCLAIMS ALL OTHER WARRANTIES, INCLUDING IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT.
Except for Excluded Claims, each party’s total aggregate liability arising out of or related to the Agreement will not exceed the fees paid or payable by Customer to Expect under the applicable Order during the twelve (12) months preceding the event. Excluded Claims: (a) willful misconduct; (b) Customer’s payment obligations; (c) IP infringement/misappropriation; and (d) where prohibited by law, breaches of confidentiality concerning non-public information other than PHI/ePHI (PHI/ePHI is governed by the BAA; the BAA references this cap to the extent permitted). IN NO EVENT WILL EITHER PARTY BE LIABLE FOR INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, COVER, OR PUNITIVE DAMAGES, OR LOST PROFITS/REVENUE.
Non-public information disclosed by a party (“Confidential Information”) will be protected by the receiving party and used only to perform under the Agreement. PHI/ePHI is governed by the BAA.
New York law governs, without regard to conflicts rules. Exclusive venue lies in the state or federal courts located in New York County, New York (including SDNY for federal).
If documents conflict, the following order applies: (i) the Business Associate Agreement (solely for PHI/ePHI under HIPAA); then (ii) the Order; then (iii) this PSA; then (iv) the SLA and any Security Exhibit; then (v) any other incorporated documents.
This PSA, together with the Order, the BAA (if applicable), the SLA, and any Security Exhibit, constitutes the entire agreement as to the Services and supersedes prior or contemporaneous understandings on that subject. Neither party may assign this PSA without the other party’s prior written consent, except to a successor in interest in a merger, acquisition, or sale of substantially all assets that assumes the obligations herein. Notices may be provided via email or as otherwise stated in the Order.