1. Purpose
This Acceptable Use Policy (the "AUP") describes how Customers and Authorized Users may and may not use the Medlytica platform and Services. The AUP is part of the Terms of Service and is binding on every Customer and Authorized User.
2. Permitted Use
Customers and Authorized Users may use the Services solely for the Customer's internal business operations as a California medical or dental practice and consistent with the Documentation, scoped to the Vault Tier purchased by Customer. Specifically, permitted uses include:
- Delivering Medlytica training content to the Customer's workforce through the Services (Single Module and Vault Plus tiers).
- Tracking workforce training completion across (i) Medlytica training content delivered through the Services, and (ii) Outside Training Customer has supplied for tracking purposes (all tiers, including Vault Basic).
- Generating training-completion certificates for trainings delivered through the Services. Outside Training certificates are uploaded by Customer; the Services do not generate certificates for Outside Training.
- Tracking Business Associate Agreement (BAA) execution, expiration, and renewal cadence for Customer's vendor relationships (all tiers).
- Configuring the Customer's organization, staff, roles, compliance deadlines, and renewal-reminder cadences through the admin portal.
- Exporting compliance reports, training-completion certificates, BAA records, and Documentation that Medlytica has expressly designated as exportable, for the Customer's internal use and personnel-file or audit-support purposes.
- Other use cases expressly contemplated in the Documentation or an Order Form.
2.1 Permitted vs. Restricted Downloads. Customer may download (a) Customer's own training-completion certificates and Outside Training records, (b) compliance reports generated by the Services for Customer's workforce, (c) BAA records Customer has uploaded or generated through the Services, and (d) Documentation Medlytica has designated for export. Customer may NOT download, record, screen-capture, or otherwise extract Medlytica's proprietary training content (including video modules, audio narration, scenario assets, quiz item banks, and the underlying curriculum), nor may Customer redistribute that content in any form, without Medlytica's prior express written permission. The Permitted Downloads list is exhaustive on the Medlytica Content side; anything not expressly listed is not permitted to be exported.
3. Prohibited Conduct
Customers and Authorized Users may NOT:
- Use the Services in violation of applicable law or regulation, including laws governing healthcare, employment, privacy, and data protection.
- Reverse engineer, decompile, disassemble, or attempt to extract the source code or underlying algorithms of the Services, except to the extent such restriction is prohibited by applicable law.
- Resell, sublicense, distribute, lease, or otherwise make the Services available to any third party (other than Authorized Users) without Medlytica's prior written consent.
- Circumvent, disable, or interfere with security, role-based access controls, or authentication features of the Services.
- Use the Services to develop a product or service that competes with the Services.
- Use any robot, spider, scraper, automated agent, machine-learning training pipeline, or other automated means (other than Medlytica's documented APIs) to access, extract, copy, ingest, or train any model on content from the Services.
- Download, record, screen-capture, or redistribute Medlytica's proprietary training content (video modules, audio narration, scenario assets, quiz item banks, or the underlying curriculum) outside the Permitted Downloads identified in §2.1, without Medlytica's prior express written permission.
- Share access credentials, or permit two or more individuals to access the Services using a single credential. Each Authorized User must use their own unique credential. Credential sharing creates HIPAA Security Rule and platform-security exposure for both parties.
- Upload, transmit, or distribute through the Services any content that is unlawful, defamatory, fraudulent, infringing, or that contains viruses, worms, or other malicious code.
- Misrepresent the source of any communication or content sent through the Services.
- Use the Services to harass, threaten, or harm any individual.
- Permit access by individuals other than Authorized Users.
- Upload, fabricate, or falsify training-completion records, certificates, or BAA records — including (without limitation) records purporting to be issued by Medlytica that were not, training-completion records reporting completion of training a workforce member did not actually complete, or BAA records reporting an executed BAA that does not in fact exist. Audit defensibility of the Services depends on the integrity of recorded data; falsification creates exposure for Customer with regulators and inspectors and is a material AUP violation.
3.1 Irreparable Harm and Injunctive Relief. Customer acknowledges that breach of the prohibitions in this §3 relating to (a) reverse engineering, (b) automated content extraction or AI/ML training, (c) downloading or redistributing Medlytica's proprietary training content, or (d) circumvention of security or access controls would cause Medlytica irreparable harm for which monetary damages would be inadequate. Accordingly, Medlytica may seek immediate injunctive or other equitable relief from a court of competent jurisdiction without the requirement of posting a bond, in addition to any other remedies available at law or under the Agreement. This stipulation does not limit Medlytica's right to seek monetary damages or other remedies for any breach.
4. Protected Health Information and Confidential Medical Information Restrictions
4.1 DEFAULT PROHIBITION. UNLESS AN EXECUTED BUSINESS ASSOCIATE AGREEMENT IS IN PLACE BETWEEN CUSTOMER AND MEDLYTICA COVERING THE SPECIFIC SERVICE IN USE, CUSTOMER AND ITS AUTHORIZED USERS WILL NOT UPLOAD, TRANSMIT, OR OTHERWISE SUBMIT TO THE SERVICES (i) PROTECTED HEALTH INFORMATION ("PHI") AS DEFINED BY HIPAA AT 45 C.F.R. § 160.103, OR (ii) CONFIDENTIAL MEDICAL INFORMATION ("CMI") AS DEFINED BY THE CALIFORNIA CONFIDENTIALITY OF MEDICAL INFORMATION ACT (CMIA) AT CAL. CIV. CODE § 56.05(j).
4.2 The Vault Specifically. The Vault is designed for workforce training and compliance recordkeeping, not for processing PHI or CMI. The default Vault configuration does not require PHI or CMI inputs. Customer must not include PHI or CMI in workforce-training records, certificates, intake-form free-text fields, or other Vault content.
4.3 Medlytica's Response Upon Inadvertent Receipt. If Medlytica becomes aware of an inadvertent submission of PHI or CMI by Customer outside an executed BAA, Medlytica will (a) notify Customer, (b) cease processing the PHI or CMI, (c) work with Customer to securely return or dispose of the PHI or CMI, and (d) require execution of a BAA before further work proceeds with that Customer. Medlytica's inadvertent receipt of PHI or CMI does not by itself create a Business Associate relationship; however, the parties acknowledge that Business Associate status under HIPAA is determined functionally under 45 C.F.R. § 160.103 and is not eliminated by contractual disclaimer alone.
4.4 Customer's Response Upon Inadvertent Submission. If Customer becomes aware that it has inadvertently submitted PHI or CMI to a Service not covered by an executed BAA, Customer will (a) immediately notify Medlytica at compliance@medlytica.net (with the subject line beginning "PHI/CMI INADVERTENT SUBMISSION" so that the report is triaged accordingly), (b) cooperate with Medlytica to identify and securely delete or return the PHI or CMI, and (c) indemnify Medlytica for third-party claims and breach-notification costs arising from Customer's submission. The parties acknowledge that breach-notification obligations under HIPAA (45 C.F.R. Part 164, Subpart D) and CMIA (Cal. Civ. Code §§ 56.36 and 1798.82) may apply to either or both parties depending on functional Business Associate status, and the foregoing indemnification operates as a party-to-party allocation, not a unilateral allocation of regulator-facing obligations.
5. Account Security
Customer is responsible for the security of its account and access credentials. Customer will:
- Maintain the confidentiality of all access credentials.
- Promptly notify Medlytica of any actual or suspected unauthorized use.
- Not share credentials among multiple individuals; each Authorized User must use their own credential.
- Enforce reasonable password policies for its Authorized Users (length, complexity, periodic rotation as appropriate).
6. Reporting Violations
To report a suspected violation of this AUP, whether by another user, by a third party, or affecting Customer's account, contact us with reasonable detail at:
Email: compliance@medlytica.net
Or by mail:
Medlytica — Attn: Compliance
873 Santa Cruz Avenue, Suite 202
Menlo Park, CA 94025
7. Enforcement
7.1 Suspension. Medlytica may suspend Customer's or any Authorized User's access for material violations of this AUP. Where practicable, Medlytica will provide notice and an opportunity to cure before suspension. For violations that present a credible immediate risk to the platform, other users, or third parties — typically including violations of §3 (Prohibited Conduct) involving security circumvention, content extraction, or malicious code, and violations of §4 (PHI / CMI Restrictions) — Medlytica may suspend access immediately and provide notice promptly thereafter.
7.2 Termination. Repeated, willful, or unresolved violations may result in termination of the Agreement consistent with the termination provisions of the Terms of Service.
7.3 Cooperation with Authorities. Medlytica will cooperate with law-enforcement and regulatory authorities as required by applicable law.
7.4 Customer Cooperation with Medlytica Investigations. Customer will cooperate in good faith with any Medlytica investigation of suspected AUP violations, including providing reasonable access to relevant logs, records, and personnel where appropriate. Medlytica will conduct any such investigation in a manner consistent with Customer's legitimate business and patient-confidentiality interests.
8. Updates
Medlytica may update this AUP from time to time. The current AUP is available at medlytica.net/aup and will be linked from the Terms of Service. Material changes will be communicated through reasonable means (such as email or in-Service notice) before they take effect.