This Data Services and Processing Agreement (“Agreement”) is a legally binding agreement between MedMe Health Limited (“MedMe”) and you or the organization you represent (“Customer”), effective as of the date you check the box or otherwise indicate your acceptance. This Agreement is only necessary if you or your organization upload or share Personal Information from external or existing systems with MedMe, or otherwise enable MedMe to process Personal Information beyond what is captured through standard use of MedMe’s services. By checking the box or otherwise indicating acceptance, you represent and warrant that you have the authority to enter into this Agreement on behalf of your organization, and that your organization agrees to be bound by these terms. If you do not engage in the foregoing activities, you are not required to accept this Agreement.

BACKGROUND:

A.        MedMe offers a clinical services management SaaS platform that empowers pharmacies to streamline workflows, build patient relationships and diversify revenue through branded instances.

B.        Customer wishes to engage MedMe to provide the data processing and system integration services necessary to facilitate the use of MedMe’s platform.

NOW THEREFORE in consideration of the mutual covenants and agreements herein, and other good and valuable consideration, the receipt and sufficiency of which is hereby acknowledged by each party to the other, MedMe and Customer mutually covenant and agree as follows:

1. Definitions.

Terms used but not defined herein have the meanings given to them in the Agreement. For the purposes of this Agreement:

(a) “Customer Data” means the information provided, transmitted or made available  by Customer to MedMe to allow MedMe to perform the Services.

(b) “Personal Health Information” means any information about an identifiable individual which is personal health information as defined by Privacy Law and which is Processed by MedMe in connection with the Services.

(c) “Personal Information” means any information about an identifiable individual which is personal information as defined by Privacy Law which is: (i) incorporated in the Customer Data; and (ii) Processed by MedMe in connection with this Agreement. For greater certainty, Personal Information includes Personal Health Information.

(d) “Personnel” means employees, agents, contractors and volunteers.

(e) “Privacy Law” means the Personal Health Information Protection Act, 2004 (Ontario) and the Personal Information Protection and Electronic Documents Act, 2000 (Canada) and the respective regulations thereunder, as from time to time in force.

(f) “Processing” means the collection, use, or disclosure, including, for greater certainty, any access, retention, modification, copying, storage, safeguarding, permitted de-identification or anonymization, or destruction of Personal Information. “Processed” and “Process” have a corresponding meaning.

(g) “Security Breach” means any actual, reasonably suspected or attempted theft or loss of, unauthorized access to, or unauthorized disclosure or disposal of Personal Information.

(h) “Services” means the services set out in Schedule A to this Agreement.

(i) “Subcontractor” means any contracted MedMe, including any third party and affiliate of MedMe but excluding an employee of MedMe, that Processes Personal Information in connection with MedMe’s provisioning of the Services.

(j) “Test Customer Data” refers to data created by MedMe within the Customer’s systems for the sole purpose of testing.

2. Provision of Services.

(a) Scope of Data Processing Services. MedMe shall provide the data processing, system integration, and workflow automation services to Customer with minimal operational impact to Customer, including but not limited to:

Data Processing & System Integration

(i) Processing of Customer Data, including Personal Information, strictly in accordance with Privacy Law and the terms of the BAA and SaaS Agreement.
(ii) Integration with Customer’s existing systems, including PMS, EHR, and other healthcare platforms, as permitted by Customer.
(iii) Secure data migration, transformation, and synchronization between systems, where applicable.

Workflow & Automation Services (if enabled by Customer)

(i) AI-powered transcription, documentation, and workflow automation for clinical and operational efficiency, where explicitly authorized by Customer.
(ii) Automated notifications, scheduling, and follow-up processes.
(iii) Facilitation of Personal Information transfers between Customer and approved third-party systems (e.g., payors, insurers, healthcare networks), in accordance with the SaaS Agreement.

(b) License to Customer Data. Customer hereby grants to MedMe a royalty-free, paid-up, non-exclusive license during the term of this Agreement to use, access, copy, and modify, any “test” Customer Patient Data solely to perform the Services and as otherwise permitted under this Agreement. MedMe may access Customer Data as required for data integration, AI-driven workflow automation, or regulatory compliance purposes, but will not modify real patient records except as permitted by Customer. Except as otherwise expressly set forth in this Agreement or allowed by the Customer on a case-by-case basis, MedMe will not access any “real” Customer Patient Data.

(c) No Sale or Transfer of Customer Data. MedMe shall not sell, license or transfer the Customer Data to any third parties without prior written consent of Customer.

(d) Proprietary Rights. As between the parties:

(i) Customer shall own and retain all right, title and interest in and to the Customer Data, subject to the licenses and rights granted by Customer under this Agreement.
(ii) Each party shall retain full ownership of their respective pre-existing intellectual property used in any aspect of a party’s performance of its obligations under this Agreement, including any enhancements, modifications or derivative works in relation thereto.
(iii) The parties acknowledge that they do not anticipate that they will jointly develop any intellectual property under this Agreement. To the extent the performance of each party’s obligations carried out in connection with this Agreement will, or is reasonably likely to, result in any development of novel intellectual property rights, the parties agree that the ownership of such developed intellectual property will be subject to separate agreement.

(e) Customer Co-operation. In addition to any obligations and responsibilities described in this Agreement, Customer will be responsible for providing MedMe with all necessary information to enable MedMe to perform the Services. Each party will designate a representative as the project manager for the performance of a party’s obligations under this Agreement. Customer acknowledges and agrees that its failure to provide information, materials or approvals on a timely basis as reasonably requested by MedMe under this Agreement will have a material impact on the provision of the Services, and that MedMe shall not be responsible for any delays or failure to provide Services as a result of Customer’s failure to be responsive as reasonably required under this Agreement. Customer shall ensure that it makes available to MedMe at all reasonable times, such information, resources, subject matter experts and responses as and when agreed to by the parties under this Agreement and as MedMe reasonably requests. Customer shall be responsible for the accuracy and completeness of all Customer Data and information that it provides or causes to be provided to MedMe. Customer acknowledges that the Services are provided through close collaboration with Customer’s teams whose involvement is essential to the success of the Services. In the event there are any delays by Customer in fulfilling its responsibilities as stated above or there are errors or inaccuracies in the information provided, MedMe shall be entitled to make reasonable schedule and pricing adjustments.

(f) Fees. Fees for the Services will be determined and processed solely through MedMe’s designated payment system (e.g., Stripe) or as otherwise specified by MedMe. Any payment terms, rates, and associated conditions are presented at the point of purchase or otherwise communicated by MedMe, and by proceeding you agree to those terms.

3. Permitted Processing of Personal Information.

(a) Compliance with Privacy Law. MedMe shall at all times ensure it Processes Personal Information incorporated in the Customer Data in compliance with Privacy Law and this Agreement.

(b) Permitted Processing. MedMe shall Process Personal Information only as required to (i) fulfill its obligations under the Agreement; (ii) carry out Customer’s documented instructions; (iii) improve its services, including through aggregated, de-identified, or anonymized data derived from Customer Data, provided that such use does not compromise the confidentiality of Personal Information; or (iv) comply with Privacy Law, and for no other purposes. Except as otherwise permitted under this Agreement, MedMe shall not Process Personal Information for any other purpose without Customer’s written consent."

(c) Custody and Control of Personal Information. The Parties acknowledge and agree that MedMe is no more than the temporary holder of Personal Information and has no more than a limited temporary right to Process the Personal Information on Customer’s behalf, to the extent necessary for the provision of the Services. All Personal Information shall be under Customer’s effective custody and control at all times, including when MedMe is temporarily Processing Personal Information for the purpose of providing the Services.

4. MedMe Personnel.

(a) Access by MedMe Personnel. MedMe shall only grant access to those of its Personnel who have a need to access Customer Data for the purposes of providing the Services.

(b) Confidentiality Agreement. MedMe shall ensure that those of its Personnel who have access to Personal Information are subject to binding obligations substantially similar to those imposed upon MedMe in this Agreement.

5. MedMe Subcontractors.

(a) Permitted Processing. MedMe shall not allow any Subcontractor to Process Customer Data, including for greater certainty by way of hosting, storing or remotely accessing Customer Data, except as necessary to provide the Services in accordance with the Agreement.

(b) Contractual Agreement. MedMe shall ensure its arrangement with any Subcontractor, in connection with the provision of the Services, is governed by written agreement which offers substantially the same level of protection for Customer Data as required by Privacy Law (if such Customer Data contains Personal Information) and this Agreement. MedMe shall be liable for any breach of this Agreement attributable to its Subcontractors. 

6. Individual Requests, Inquiries, and Legally Compelled Disclosure.

(a) Individual Requests. If MedMe receives a request from an individual to exercise their rights under Privacy Law, including any applicable right of access or right to amend or correct Personal Information, MedMe shall promptly advise the requestor that it does not control Personal Information and shall direct the requestor to Customer. MedMe shall reasonably cooperate with and assist Customer in the management of any such individual request.

(b) Inquiry or Complaint. If MedMe receives notice of a complaint or inquiry involving Personal Information, MedMe shall promptly notify Customer. MedMe shall reasonably cooperate with and assist Customer in connection with responding to any complaints or inquiries involving Personal Information or investigations connected therewith.

(c) Legally Compelled Disclosure. If MedMe is required by law to disclose Personal Information, including pursuant to a subpoena or warrant, MedMe shall promptly notify Customer of such obligation, unless prevented from doing so by law, and Customer may then, at Customer’s own expense, seek a protective order or other appropriate remedy. Any such disclosure shall be limited to such Personal Information as MedMe is strictly required to provide by law.

7. Safeguards and Security Breaches.

(a) Safeguards. MedMe shall employ reasonable administrative, technical and physical safeguards to protect Customer Data against theft, loss and unauthorized Processing, consistent with industry practice.

(b) Information Policies and Procedures. MedMe represents and warrants that it has established and implemented information policies and procedures to ensure compliance with Privacy Law, including policies and procedures relating to the collection, use, disclosure, retention and disposal of Personal Information. MedMe shall monitor and enforce compliance with its own information policies and procedures.

(c) Security Breach. In the event that MedMe becomes aware of a Security Breach, MedMe shall notify Customer as soon as feasible, and no later than 24 hours after becoming aware of any Security Breach. MedMe shall reasonably cooperate with Customer to enable Customer to comply with Customer’s obligations under Privacy Law. MedMe shall not disclose to any third party the circumstances of the Security Breach without Customer’s prior written consent, except as required by law.

8. Compliance Audits.

With respect to Personal Information retained in electronic format, MedMe shall (and shall require Subcontractors, as applicable) to: 

(i) electronically log access by Personnel to Personal Information in a manner that identifies the person who accessed the information, the type of information that was accessed, the identity of the individual to whom the information relates, if applicable, and the date and time of access;

(ii) electronically log transfers of Personal Information by Personnel in a manner that identifies the person who transferred the information, the recipient and recipient address, and the date and time of the transfer;

(iii) retain the logs referred to above through the term of the Agreement and for a period of one year thereafter; and

(iv) provide the logs referred to above to Customer or the Information and Privacy Commissioner of Ontario upon request.

9. Retention and Return of Personal Information.

MedMe shall retain Customer Data only as long as necessary to provide the Services, unless otherwise required by law or per the terms of the SaaS Agreement located at [https://www.medmehealth.com/saas-agreement].

10. Confidentiality.

From time to time during the term of the Agreement, either party may disclose or make available to the other party information about its business affairs, products, confidential intellectual property, trade secrets, third-party confidential information, and other sensitive or proprietary information, whether orally or in written, electronic, or other form or media/in written or electronic form or media, that is and, whether or not marked, designated, or otherwise identified as "confidential" (collectively, "Confidential Information"). Confidential Information does not include information that, at the time of disclosure is: (a) in the public domain; (b) known to the receiving party at the time of disclosure; (c) rightfully obtained by the receiving party on a non-confidential basis from a third party; or (d) independently developed by the receiving party. The receiving party shall not disclose the disclosing party's Confidential Information to any person or entity, except to the receiving party's employees who have a need to know the Confidential Information for the receiving party to exercise its rights or perform its obligations hereunder. Notwithstanding the foregoing, each party may disclose Confidential Information to the limited extent required (i) in order to comply with the order of a court or other governmental body, or as otherwise necessary to comply with applicable law, provided that the party making the disclosure pursuant to the order shall first have given written notice to the other party and made a reasonable effort to obtain a protective order; or (ii) to establish a party's rights under this Agreement, including to make required court filings. On the expiration or termination of the Agreement, the receiving party shall promptly return to the disclosing party all copies, whether in written, electronic, or other form or media, of the disclosing party's Confidential Information, or destroy all such copies and certify in writing to the disclosing party that such Confidential Information has been destroyed. Each party's obligations of non-disclosure with regard to Confidential Information shall survive termination or expiration of this Agreement.

11. Termination.

(a) Termination. A party may terminate this Agreement upon written notice if the other party materially breaches this Agreement and does not cure such breach (if curable) or provide reasonable mitigation within 30 days after written notice of such breach.

(b) Effect of Termination. Upon termination or expiration of this Agreement, all rights and licenses granted by Customer to MedMe under this Agreement will immediately terminate and MedMe will, immediately cease all use of Customer Data. Notwithstanding the above, termination or expiration of this Agreement shall not preclude MedMe from using Anonymized Data developed prior to termination or expiration of this Agreement

(c) Survival. All provisions of this Agreement which, by their nature, ought to survive any termination of the Agreement shall survive any such termination for as long as MedMe has custody or control of any Personal Information or as otherwise stated in this Agreement.

12. Limitation of Liability.

(a) Exclusion of Liability. IN NO EVENT WILL EITHER PARTY BE LIABLE TO THE OTHER FOR CONSEQUENTIAL, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, PUNITIVE OR AGGRAVATED DAMAGES, OR DAMAGES FOR LOST DATA, BUSINESS, PROFIT, REVENUE OR GOODWILL, ARISING OUT OF OR RELATING TO ANY BREACH OF THIS AGREEMENT, WHETHER OR NOT THE POSSIBILITY OF SUCH DAMAGES HAD BEEN DISCLOSED IN ADVANCE BY THE OTHER PARTY OR WAS FORESEEABLE, REGARDLESS OF THE LEGAL OR EQUITABLE THEORY (CONTRACT, TORT OR OTHERWISE) UPON WHICH THE CLAIM IS BASED, AND NOTWITHSTANDING THE FAILURE OF ANY AGREED OR OTHER REMEDY OF ITS ESSENTIAL PURPOSE.

(b) Limitation of Liability. IN NO EVENT WILL EITHER PARTY’S AGGREGATE LIABILITY ARISING OUT OF OR RELATED TO THIS AGREEMENT UNDER ANY LEGAL OR EQUITABLE THEORY, INCLUDING BREACH OF CONTRACT, TORT (INCLUDING NEGLIGENCE), STRICT LIABILITY, AND OTHERWISE, EXCEED ONE MILLION CANADIAN DOLLARS ($1,000,000.00 CAD).

(c) Security Breach-Specific Limitation. NOTWITHSTANDING THE ABOVE, MEDME’S LIABILITY FOR SECURITY BREACHES SHALL NOT EXCEED THE TOTAL FEES PAID BY CUSTOMER TO MEDME IN THE TWELVE (12) MONTHS PRECEDING THE CLAIM.

13. General.

(a) Assignment.  Neither party may assign or transfer this Agreement without the other party’s prior written consent; provided, however, that MedMe may assign or transfer this Agreement, without obtaining Customer’s consent so long as such assignment or transfer is to an affiliate of MedMe, or is pursuant to a reorganization, merger or amalgamation of the party, or pursuant to a purchase of all or substantially all of the shares in the capital of MedMe or of all or substantially all of MedMe’s assets.  This Agreement shall enure to the benefit of and be binding upon each party and their respective successors and permitted assigns and transfers.

(b) Relationship of Parties.  In giving effect to this Agreement, neither party will be or be deemed an agent of the other for any purpose and their relationship in law to the other will be that of independent contractors.  Nothing in this Agreement will constitute a partnership in law or a joint venture between the parties.  Neither party will have the right to enter into contracts, pledge the credit of or incur expenses on behalf of the other.

(c) Governing Law. This Agreement shall be governed in all respects, including validity, interpretation and effect, by the laws of the Province of Ontario and the federal laws of Canada applicable therein, without regard to conflict of laws rules. The parties shall attorn only and exclusively to the jurisdiction of courts of the Province of Ontario.

(d) Notices. All notices, payments and other required or permitted communications to either party will be in writing and delivered by registered mail, or by email to the physical address or the email address provided by a party.

(e) Entire Agreement. This Agreement and the SaaS Agreement together constitute the entire understanding and agreement of the parties and supersedes and replaces any and all previous and contemporaneous understandings, agreements, proposals or representations, written or oral, between the parties, as to the subject matter hereof. Only a writing signed by both parties may modify or amend it. In the event of a conflict between this Agreement and the SaaS Agreement regarding the retention or return of Personal Information, the terms of the SaaS Agreement shall govern.

(f) Severability and Waiver. In the event that any provision of this Agreement is held to be invalid or unenforceable, the valid or enforceable portion thereof and the remaining provisions of this Agreement will remain in full force and effect. Any waiver or failure to enforce any provision of this Agreement on one occasion will not be deemed a waiver of any other provision or of such provision on any other occasion. All waivers must be in writing. Other than as expressly stated herein, the remedies provided herein are in addition to, and not exclusive of, any other remedies of a party at law or in equity.

(g) Headings. Any headings and captions appearing in this Agreement have been inserted for convenience and reference only and shall not define, limit or expand the scope or meaning of this Agreement.

(h) Counterparts. This Agreement may be signed in as many counterparts as may be necessary, and may be delivered by facsimile, email or other means of electronic communication producing a printed copy, each of which so signed shall be deemed to be an original, and such counterparts together shall constitute one and the same instrument and notwithstanding the date of execution shall be deemed to bear the date set forth on the date first written above.

By checking the box indicating acceptance of this Agreement during the account registration process, the Customer acknowledges and agrees to the terms of this Agreement.

This acceptance constitutes a legally binding agreement under the Electronic Signatures in Global and National Commerce Act (ESIGN Act) and applicable state laws governing electronic contracts. No physical signature is required.