1. Definitions
Capitalized terms used in these Terms of Service have the following meanings:
- "Agreement" means these Terms of Service, together with any Order Form, the Acceptable Use Policy, the Privacy Policy, and any Business Associate Agreement entered into between the parties.
- "Authorized User" means a member of Customer's workforce who is assigned a credential to access the Services on Customer's behalf.
- "Business Associate Agreement" or "BAA" means a written agreement between Medlytica and Customer satisfying 45 C.F.R. § 164.504(e), entered into where Medlytica processes Protected Health Information on Customer's behalf.
- "Confidential Information" means non-public information disclosed by one party to the other in connection with this Agreement that is designated as confidential or that a reasonable person would understand to be confidential.
- "Customer" means the entity that has agreed to these Terms of Service, identified in the applicable Order Form.
- "Customer Data" means data that Customer or its Authorized Users submit to or generate within the Services, including practice information, employee records, training completion records (whether for Medlytica training content or for outside training content tracked through the Services), training certificates, Business Associate Agreement (BAA) documents and tracking records, and dashboard configurations, but excluding Usage Data.
- "Documentation" means the user-facing technical and operational documentation Medlytica makes available for the Services.
- "Medlytica Content" means training materials, training modules, written explanatory and educational content, scenario assessments, quiz items, signed-acknowledgment templates, and other proprietary content authored by or under the direction of Medlytica and made available through the Services. Medlytica Content is and remains Medlytica IP.
- "Outside Training" means a training course, program, or session that is not Medlytica Content but that Customer wishes to track through the Services. Outside Training records, certificates, and metadata supplied by Customer are Customer Data; Medlytica's role with respect to Outside Training is recordkeeping only and not certification of legal sufficiency. See §14.5.
- "Usage Data" means deidentified, aggregated technical and performance data regarding the use and operation of the Services that does not identify Customer or any individual. "Deidentified" has the meaning given in Cal. Civ. Code § 1798.140(m), with the standard requirement that Medlytica take reasonable measures to ensure the data cannot be associated with a person and contractually prohibit attempted re-identification by recipients.
- "Vault Tier" means the specific subscription tier of the Services purchased by Customer as identified on the Order Form, including Vault Basic, Single Module, Vault Plus, Vault Group, and Vault Enterprise. Each Vault Tier is described in §2.2.
- "Effective Date" means the date Customer first accepts these Terms of Service or executes an Order Form, whichever is earlier.
- "Medlytica," "we," "us," or "our" means Bastide Holdings, doing business as Medlytica.
- "Order Form" means the document executed by the parties (or accepted electronically by Customer) describing the Services purchased, applicable Fees, Subscription Term, and any Service-specific terms.
- "Protected Health Information" or "PHI" has the meaning set forth in 45 C.F.R. § 160.103.
- "Services" means the Medlytica products identified on an Order Form, including The Vault and any other Medlytica platform offerings made available to Customer.
- "Subscription Term" means the initial term and any renewal term during which Customer is entitled to access the Services.
2. Services
2.1 Provision of Services. Subject to the terms of this Agreement, Medlytica grants Customer a non-exclusive, non-transferable, non-sublicensable right during the Subscription Term to access and use the Services at the Vault Tier purchased by Customer, solely for Customer's internal business operations as a California medical or dental practice.
2.2 The Vault — Tiered Platform. The Vault is a compliance-program management platform offered in tiers. The specific tier purchased by Customer is identified on the Order Form. Tier-specific entitlements are as follows:
- "Vault Basic" — provides access to the Vault administrative dashboard, including workforce training tracking (for trainings supplied by Customer or third parties — see Outside Training), Business Associate Agreement (BAA) expiration tracking, renewal reminders, audit-supportive recordkeeping, and reporting export. Vault Basic does not include access to Medlytica Content; Customer supplies its own training content.
- "Single Module" — Vault Basic dashboard features narrowly scoped to the specific Medlytica Content module(s) Customer has purchased, plus access to that module's Medlytica Content. Customer may purchase one or more Single Module subscriptions concurrently.
- "Vault Plus" — Vault Basic dashboard features plus access to Medlytica Content modules as they ship during the Subscription Term, subject to §2.5.
- "Vault Group" — Vault Plus, scaled to support 31–100 staff. Group tier is automatically applied at renewal when Customer's staff count crosses 30; see §6.6.
- "Vault Enterprise" — Custom-quoted tier for 100+ staff or multi-state operations. Subject to a separate Order Form.
2.3 Other Services. Other Services (including Medlytica Consulting, AI Practice Integration scoping, and other Medlytica platform offerings) may be offered subject to Service-specific terms identified on the applicable Order Form, or under a separate Customer Service Agreement and Statement of Work. To the extent any Service-specific terms conflict with these Terms of Service, the Service-specific terms govern with respect to that Service.
2.4 Updates and Modifications. Medlytica may update or modify the Services from time to time. Medlytica will not materially diminish the Services during a paid Subscription Term without Customer's consent, which will not be unreasonably withheld. Modifications that improve, expand, or add functionality to the Services do not require Customer's consent.
2.5 Future Medlytica Content; Development Calendar. Vault Plus subscriptions include access to Medlytica Content modules as they ship during the Subscription Term. Medlytica publishes a public development calendar identifying Medlytica Content currently available, currently in development, and planned for development. Calendar dates, including target ship dates, are estimates and not commitments. Medlytica reserves the right, in its commercial discretion, to modify the development calendar, to defer or accelerate the release of any module, or to determine not to develop or release any module identified on the calendar. The Plus subscription's content entitlement extends to Medlytica Content that is actually released and made generally available during the Subscription Term, and does not constitute a contractual commitment to release any specific module on or by any particular date. Medlytica's commercial-discretion authority under this §2.5 shall be exercised in good faith.
3. Customer Obligations
3.1 Compliance with Laws. Customer is responsible for its own compliance with applicable laws, including its obligations under federal and California law. Customer acknowledges that the Services support — but do not substitute for — Customer's own legal compliance program.
3.2 Authorized Users. Customer is responsible for the acts and omissions of its Authorized Users under this Agreement and for ensuring Authorized Users comply with this Agreement and the Acceptable Use Policy.
3.3 Customer Data. Customer represents and warrants that it has the legal right to submit Customer Data to the Services and that Customer Data does not violate applicable law or third-party rights.
3.4 Account Security. Customer is responsible for maintaining the confidentiality of access credentials and for activities that occur under those credentials. Customer will notify Medlytica promptly of any unauthorized use.
4. Account and Access
4.1 Authorized Users. Customer may designate Authorized Users up to the limit set forth on the Order Form. Each Authorized User must be a member of Customer's workforce.
4.2 No Resale. Customer may not resell, sublicense, or otherwise make the Services available to any third party except Authorized Users.
5. Fees, Payment, and Taxes
5.1 Fees. Customer will pay the fees set forth on the applicable Order Form (the "Fees").
5.2 Payment Terms. Unless otherwise stated on an Order Form, Fees are due in advance. Recurring Fees are billed annually unless otherwise stated.
5.3 Late Payment and Suspension. Any amount not paid when due will accrue interest at the lesser of 1.5% per month or the maximum rate permitted by law. In addition, after providing Customer with at least ten (10) days' written notice and an opportunity to cure, Medlytica may suspend Customer's access to the active-training functions of the Services until all overdue amounts are paid in full. During any such suspension, Customer's existing training-completion records, certificates, and dashboard data will remain available to Customer in read-only form, so that Customer is not deprived of access to its own compliance documentation as a consequence of payment delinquency. Suspension does not terminate this Agreement or relieve Customer of payment obligations.
5.4 Taxes. Fees do not include taxes. Customer is responsible for all applicable taxes other than taxes based on Medlytica's net income.
6. Term, Renewal, and Termination
6.1 Term. This Agreement commences on the Effective Date and continues for the Subscription Term identified on the Order Form.
6.2 Auto-Renewal. Unless either party provides written notice of non-renewal at least 30 days before the end of the then-current term, the Subscription Term will automatically renew for successive 12-month terms.
6.3 Termination for Cause. Either party may terminate this Agreement for the other party's material breach if the breach remains uncured 30 days after written notice.
6.4 Effect of Termination. Upon termination: (a) Customer's right to access the Services ceases; (b) Customer may export Customer Data via Medlytica's standard export tools for 30 days following termination; (c) thereafter, Medlytica may delete Customer Data consistent with its retention practices, except as Customer requests in writing for reasonable business or legal needs.
6.5 Survival. Sections 7 (Confidentiality), 8 (Customer Data Ownership), 11 (Intellectual Property), 14 (Disclaimers), 15 (Limitation of Liability), 16 (Indemnification), 18 (Governing Law), 19 (Dispute Resolution), and 22 (General) survive termination.
6.6 Tier Transitions and Vault Group Auto-Application.
- Upgrade (Basic → Plus, Single Module → Plus, Basic → Single Module). Customer may upgrade Vault Tier at any time during a Subscription Term. Upgrade takes effect immediately. Medlytica will issue a prorated invoice for the difference between the Customer's existing tier and the new tier, calculated on a daily basis through the end of the then-current Subscription Term. Customer's existing data and configurations are preserved through the upgrade.
- Downgrade (Plus → Basic, Plus → Single Module, Single Module → Basic). Customer may elect to downgrade Vault Tier effective at the end of the then-current Subscription Term. Downgrades do not take effect mid-Term and Medlytica does not issue prorated refunds for downgrades. Customer's data is preserved through the downgrade subject to the read-only retention treatment in §5.3.
- Vault Group Auto-Application. If Customer's active workforce-staff count, as recorded in the Vault dashboard, exceeds 30 at any time during a Subscription Term, Medlytica will automatically apply the Vault Group tier to Customer's subscription effective at the next renewal of the Subscription Term. Medlytica will provide notice of the pending Group tier application no later than 30 days before renewal, again no later than 7 days before renewal, and on the day of renewal, in each case including the new pricing and the basis for the application. Customer may elect to reduce its staff count below 30 prior to the renewal date to remain on the prior tier, or may decline the renewal under §6.2 to terminate the subscription before the Group tier takes effect. Vault Group does not auto-apply mid-Term; staff-count growth between renewals does not trigger mid-Term re-tiering or out-of-cycle billing.
- Vault Enterprise. Movement to Vault Enterprise requires a separate quote and Order Form; it does not occur via auto-application.
7. Confidentiality
7.1 Obligations. Each party will (a) protect the other's Confidential Information using at least the same degree of care it uses to protect its own confidential information of similar sensitivity, but no less than reasonable care, and (b) use the other's Confidential Information only as necessary to perform under this Agreement.
7.2 Exclusions. Confidential Information does not include information that (a) is or becomes publicly available through no fault of the receiving party, (b) was rightfully known to the receiving party before receipt, (c) is rightfully received from a third party without confidentiality obligations, or (d) is independently developed without use of the disclosing party's Confidential Information.
7.3 Compelled Disclosure. The receiving party may disclose Confidential Information as required by law, provided it gives the disclosing party prompt written notice (where legally permitted) and reasonable cooperation in seeking a protective order.
8. Customer Data Ownership
8.1 Ownership. As between the parties, Customer owns Customer Data. Customer grants Medlytica a non-exclusive, worldwide, royalty-free license to host, copy, transmit, and display Customer Data solely as necessary to provide the Services and as otherwise permitted by this Agreement.
8.2 Aggregated Data. Medlytica may use aggregated, de-identified data derived from the Services for product improvement, analytics, and benchmarking, provided the data does not identify Customer or any individual.
9. Privacy and Security
9.1 Privacy. Medlytica's collection and use of personal information in connection with the Services is governed by the Privacy Policy.
9.2 Security. Medlytica will maintain commercially reasonable administrative, technical, and physical safeguards designed to protect Customer Data against unauthorized access, use, or disclosure. The current safeguards are summarized in Medlytica's then-current security documentation, which is available upon Customer's reasonable written request.
9.3 Incident Notification. Medlytica will notify Customer without undue delay after becoming aware of a confirmed security incident affecting Customer Data, and will reasonably cooperate with Customer in investigating and responding.
10. HIPAA and Business Associate Status
10.1 Default — Not a Business Associate. The Vault is designed to deliver workforce training and to record training-completion data. In the default configuration, The Vault does not require Customer to submit Protected Health Information. Customer agrees not to submit PHI through The Vault, or through any other Service not covered by an executed Business Associate Agreement, except to the extent expressly permitted under a BAA executed between the parties.
10.2 Inadvertent Receipt of PHI. If Customer submits PHI to a Service that is not covered by an executed BAA, Medlytica will (a) cease processing the PHI promptly upon becoming aware of the receipt, (b) notify Customer, (c) work with Customer to securely return or dispose of the PHI, and (d) require execution of a BAA before further processing of any PHI on Customer's behalf. Customer will indemnify Medlytica for third-party claims and breach-notification costs arising from Customer's submission of PHI outside an executed BAA. The parties acknowledge that Business Associate status under HIPAA is determined functionally under 45 C.F.R. § 160.103, and that the foregoing operational response is intended to limit, but does not by itself eliminate, regulatory obligations that may attach to the inadvertent receipt of PHI.
10.3 BAA-Required Services. If Customer's use of the Services involves Medlytica's creation, receipt, maintenance, or transmission of PHI on Customer's behalf — including through Consulting engagements covered by a separate Customer Service Agreement, AI Practice Integration, Sovereign Records, or any other Service that involves PHI — the parties will execute a BAA before any such Service commences. Access to such Services is conditioned on the BAA being in effect. The BAA, once executed, controls the parties' obligations with respect to PHI.
10.4 No Implied BAA. No course of dealing, statement, or marketing material creates a Business Associate relationship absent an executed BAA.
11. Intellectual Property
11.1 Medlytica IP. Medlytica retains all right, title, and interest in and to the Services, the Documentation, and all related intellectual property, including any improvements, modifications, or derivatives. No rights are granted to Customer except as expressly stated.
11.2 Feedback. If Customer provides Medlytica with suggestions, comments, or other feedback regarding the Services, Customer grants Medlytica a non-exclusive, perpetual, irrevocable, royalty-free license to use such feedback for any purpose.
12. Acceptable Use
Customer's use of the Services is subject to the Acceptable Use Policy, which is incorporated into this Agreement. Medlytica may suspend access for material AUP violations on prompt written notice; the parties will work in good faith to resolve the violation and restore access.
13. Limited Warranties
13.1 Mutual Warranties. Each party represents that it has the legal capacity and authority to enter into this Agreement.
13.2 Service Warranty. Medlytica warrants that during the Subscription Term, the Services will perform materially in accordance with the Documentation. Customer's exclusive remedy for breach of this warranty is, at Medlytica's option, (a) modification of the Services or (b) refund of pro-rated prepaid Fees for the deficient period.
13.3 No Other Warranties. EXCEPT AS EXPRESSLY STATED, THE SERVICES ARE PROVIDED "AS IS" AND MEDLYTICA DISCLAIMS ALL OTHER WARRANTIES, EXPRESS OR IMPLIED, INCLUDING IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT.
14. Important Disclaimers — Training Is Not Legal Advice
14.1 NO LEGAL ADVICE. MEDLYTICA IS NOT A LAW FIRM. THE SERVICES INCLUDE TRAINING CONTENT ADDRESSING LEGAL AND REGULATORY REQUIREMENTS APPLICABLE TO CALIFORNIA MEDICAL PRACTICES (INCLUDING HIPAA, CMIA, FEHA, SB 553, CAL/OSHA STANDARDS, MANDATED REPORTING, THE TARASOFF DOCTRINE, AND OTHERS). THE TRAINING CONTENT IS INFORMATIONAL AND EDUCATIONAL AND IS NOT LEGAL ADVICE. CUSTOMER IS RESPONSIBLE FOR OBTAINING LEGAL ADVICE TAILORED TO ITS SPECIFIC CIRCUMSTANCES FROM QUALIFIED COUNSEL.
14.2 No Compliance Guarantee. Completion of training through the Services does not guarantee compliance with any law or regulation. Compliance depends on Customer's own policies, practices, and operational implementation.
14.3 Currency of Content. Medlytica updates training content based on changes to applicable law, but cannot guarantee that content will reflect every legal change at every moment. Customer should consult its own counsel for application of current law to its specific circumstances.
14.4 NO PRACTITIONER-CLIENT RELATIONSHIP. USE OF THE SERVICES DOES NOT CREATE AN ATTORNEY-CLIENT RELATIONSHIP BETWEEN MEDLYTICA (OR ANY MEDLYTICA PERSONNEL) AND CUSTOMER OR ANY AUTHORIZED USER. NO COMMUNICATION BETWEEN THE PARTIES IS DEEMED PRIVILEGED LEGAL COMMUNICATION.
14.5 Outside Training — Recordkeeping Only. Where Customer uses the Services to record completion of Outside Training (training Customer obtained from a source other than Medlytica), the Services function as a recordkeeping system for Customer's reported data. Medlytica does not author, review, evaluate, or certify the content, legal sufficiency, or regulatory adequacy of Outside Training. Medlytica does not represent or warrant that any Outside Training tracked through the Services satisfies any statutory, regulatory, or contractual training requirement. Customer is solely responsible for confirming the legal sufficiency of any Outside Training Customer relies upon for compliance purposes. The accuracy of Outside Training records, certificates, completion dates, and renewal cadences in the Services is Customer's responsibility; the Services display, organize, and remind based on the data Customer supplies.
15. Limitation of Liability
15.1 Cap. EXCEPT AS PROVIDED IN SECTION 15.3, EACH PARTY'S TOTAL CUMULATIVE LIABILITY ARISING OUT OF OR RELATING TO THIS AGREEMENT WILL NOT EXCEED THE AMOUNTS PAID OR PAYABLE BY CUSTOMER TO MEDLYTICA UNDER THIS AGREEMENT IN THE TWELVE (12) MONTHS PRECEDING THE EVENT GIVING RISE TO THE CLAIM.
15.2 Excluded Damages. EXCEPT AS PROVIDED IN SECTION 15.3, NEITHER PARTY WILL BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES, INCLUDING LOST PROFITS, LOST REVENUE, OR LOSS OF BUSINESS OPPORTUNITY.
15.3 Carve-outs. The limitations in Sections 15.1 and 15.2 do not apply to: (a) a party's indemnification obligations under Section 16; (b) Customer's payment obligations; (c) breaches of Section 7 (Confidentiality); (d) damages arising from a party's gross negligence, willful misconduct, or fraud; or (e) liabilities that cannot be limited under applicable law.
16. Indemnification
16.1 By Medlytica. Medlytica will defend Customer against any third-party claim alleging that the Services, used in accordance with this Agreement, infringe any U.S. patent, copyright, or trademark, and will pay any final judgment or settlement amount approved by Medlytica.
16.2 By Customer. Customer will defend Medlytica against any third-party claim arising out of (a) Customer's use of the Services in violation of this Agreement, (b) Customer Data, or (c) Customer's actions or omissions in its capacity as a healthcare provider, employer, or business operator.
16.3 Process. The indemnified party will (a) promptly notify the indemnifying party of the claim, (b) give the indemnifying party sole control of the defense and settlement (provided no settlement imposes obligations on the indemnified party without consent), and (c) provide reasonable cooperation.
17. Force Majeure
Neither party will be liable for any failure or delay in performance (other than payment obligations) due to causes beyond its reasonable control, including acts of God, government action, war, civil unrest, internet or utility outages, pandemics, or natural disasters.
18. Governing Law
This Agreement is governed by the laws of the State of California, without regard to its conflict-of-laws principles. The parties expressly disclaim the application of the U.N. Convention on Contracts for the International Sale of Goods.
19. Dispute Resolution
19.1 Informal Resolution. Before initiating any formal proceeding, the parties will attempt in good faith to resolve any dispute through written notice and senior-level discussion for at least 30 days.
19.2 Forum Selection. Any dispute not resolved informally will be brought exclusively in the state or federal courts located in San Mateo County, California (with respect to federal cases, the United States District Court for the Northern District of California), and each party irrevocably consents to personal jurisdiction and venue in those courts. Each party waives any right to a jury trial.
20. Notices
Notices under this Agreement must be in writing and will be deemed given upon (a) personal delivery, (b) confirmed delivery by reputable overnight courier, or (c) confirmed delivery by email to the address provided by the receiving party. Medlytica notice address:
Medlytica — Attn: Legal Department
873 Santa Cruz Avenue, Suite 202
Menlo Park, CA 94025
Email: legal@medlytica.net
Customer notice address: as provided in the Order Form.
21. Modifications
Medlytica may modify these Terms of Service from time to time. For material changes, Medlytica will provide at least 30 days' advance notice (via email or in-Service notice). If Customer does not agree to a material change, Customer may terminate the affected Services upon written notice before the change takes effect, with a pro-rated refund of prepaid Fees.
22. General
22.1 Assignment. Neither party may assign this Agreement without the other's prior written consent, except that either party may assign this Agreement to an affiliate or in connection with a merger, acquisition, or sale of substantially all assets, with notice to the other party.
22.2 Independent Contractors. The parties are independent contractors. This Agreement does not create a partnership, joint venture, or agency relationship.
22.3 No Third-Party Beneficiaries. This Agreement is for the benefit of the parties and not for any third party.
22.4 Severability. If any provision is held invalid, the remainder will continue in effect.
22.5 Waiver. No waiver is effective unless in writing and signed by the waiving party.
22.6 Entire Agreement. This Agreement, together with any Order Form, BAA, and incorporated policies, is the entire agreement between the parties on this subject and supersedes all prior agreements and communications.