Mayo Clinic Platform
Customer Security Standards

Last Updated: November 12, 2025

This Exhibit shall be applicable in all cases in which Customer is permitted to access or use the Mayo Cloud and Cloud Data (as defined herein), as applicable, pursuant to the Agreement and any Schedules between Customer and Mayo. The Agreement contains necessary and customary provisions including, without limitation, standard transaction representations and warranties and insurance, service levels and performance expectations, indemnification, and limitation of liability provisions that are customary for transactions of this type and size.

Customer has established and maintains environmental, safety, facility, and data security policies, procedures, and other safeguards designed to maintain the confidentiality, integrity, and availability of the Mayo Cloud and Cloud Data, as applicable, and to prevent access, intrusion, alteration or other interference by any unauthorized third parties of the same, that are compliant with (i) the requirements of this Exhibit; (ii) applicable laws and regulations; and, solely to the extent not inconsistent with this Exhibit, (iii) industry best practices; and (iv) no less rigorous than those maintained by Customer for its own information. These policies, procedures, and safeguards shall be collectively referred to as “Customer Security Procedures.”

Except as otherwise limited in the Agreement, Customer shall use the Mayo Cloud and Cloud Data, as applicable, solely and exclusively for the purposes authorized by Mayo pursuant to the Agreement. Customer will not, and will ensure that its Users (as defined herein) and subcontractors do not, use the Mayo Cloud or Cloud Data, as applicable, other than as permitted or required by this Exhibit. Customer’s access and right to use the Mayo Cloud may be revoked at any time without prior cause or notice; provided however, that unless otherwise provided in a Schedule, Customer shall be entitled to credits for future Platform and/or extension to the applicable Schedule as mutually agreed upon by the parties. Unless otherwise permitted in the Agreement, Customer shall not de-identify (pursuant to all applicable legal requirements, including HIPAA) Cloud Data or otherwise aggregate Cloud Data without the prior written consent of Mayo.

In the event of a conflict among agreements between the parties regarding the security and protection of the Mayo Cloud, including, but not limited to, the Agreement and any Schedule, the provision providing the most rigorous protection for the Mayo Cloud and Cloud Data shall take precedence.

  1. Definitions.
    1. “Mayo Cloud” means various online and cloud-based services and related Mayo technology systems and databases made available to Customer by Mayo in connection with the Agreement.
    2. “Cloud Data” means all proprietary or other non-public information that will be stored or accessed in the Mayo Cloud as described in the Agreement.
    3. “Security Incident” means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system with access to the Mayo Cloud; provided, however, Customer shall not be required to report pings and other broadcast attacks on Customer’s firewall, port scans, unsuccessful log-on attempts, denial of service attacks, and any combination of the above, so long as no such incident results in the defeat or circumvention of any security control, or in the unauthorized access, use or disclosure of Cloud Data, as applicable, or access to the Mayo Cloud.
    4. “User” means Customer’s personnel and agents who have direct or incidental access to the Mayo Cloud or Cloud Data, as applicable.
  2. Security Requirements. During the Term of the Agreement, Customer agrees that it will maintain a system with at least the following security requirements to access and use the Mayo Cloud and Cloud Data, as applicable.
    1. Asset Protection. Customer shall do the following things to protect the integrity and security of the Mayo Cloud and Cloud Data, as applicable:
      1. Customer shall employ up-to-date and commercially available virus, anti-malware, and other commercially reasonable system security agents (i.e. whitelisting) protection on devices and systems used to access the Mayo Cloud, and such protection systems shall include real-time or periodic scans for viruses.
      2. Customer shall apply operating system service packs and security patches to any devices and systems used to access the Mayo Cloud that may compromise or affect the confidentiality, integrity, or availability of the Mayo Cloud and Cloud Data, as applicable, as soon as practicable after they are released.
      3. Customer shall limit access to Cloud Data solely to Customer owned and managed devices. Access to or use of the Mayo Cloud is not permitted on any device other than Customer owned and managed devices.
      4. Customer shall employ procedures to determine whether any compromise of Cloud Data, as applicable, has occurred (e.g. loss or modification of data).
    2. Customer shall ensure that access to the Mayo Cloud via the internet shall be controlled via secure technologies employing cryptographic techniques and encryption.
    3. Access by Users. Customer shall limit access to the Mayo Cloud and Cloud Data, as applicable, to Customer’s Users who need access to the Mayo Cloud for the Customer’s business purposes as outlined in the Agreement. Customer shall implement discretionary access controls designed to permit each User access to the Mayo Cloud as necessary to accomplish assigned tasks on behalf of Customer. Remote access to the Mayo Cloud must include a multi-factor or other authentication process and corresponding security controls as set forth in the Agreement. All access that is not explicitly authorized is forbidden. Customer shall expressly prohibit its Users from copying or improperly disclosing the information stored in the Mayo Cloud. Prior to being granted access to the Mayo Cloud and/or Cloud Data each User may be required by Mayo to accept certain end user terms and conditions. Failure to accept the terms will result in the User being denied access to the Mayo Cloud and Cloud Data.
    4. Access Control. Unless otherwise provided in a Schedule, Customer shall strictly control electronic access to the Mayo Cloud and Cloud Data, as applicable, in the following manner:
      1. Federated Identity Management. In connection with the performance of the Agreement, Customer may obtain certain federated identity management services from Mayo, including provisioning/de-provisioning, authenticating, authorizing and enabling electronic communications between the parties’ respective systems (collectively, “FIMS”) to achieve the goal of “federated single sign-on” capabilities. Mayo may require use of FIMS by Customer as a condition for receiving certain Cloud Services from Mayo. Customer understands that use of the FIMS is a privilege, not a right, that can be terminated or suspended at any time, without prior notice, by Mayo to protect its systems and data, to protect it from liability, or to comply with applicable laws and regulations. Customer acknowledges and agrees termination of the FIMS will require the parties to cooperate to establish and implement alternative identity management methods and procedures that are mutually satisfactory to both parties for ongoing performance of the Agreement.
        1. Reliance and Compliance. Mayo is entitled to rely upon and to accept as authentic the credentials required for use of the FIMS. Customer represents and warrants that (i) the use of the FIMS will be for the sole purpose of creating and providing users a login for accessing the Mayo Cloud, and (ii) users of the FIMS will comply with all applicable laws. Customer will be solely responsible for employing NIST, HITRUST, and/or ISO-compliant security procedures and policies with respect to its use of the FIMS, and Mayo shall not have responsibility to verify users’ identities or authorized access levels. Mayo is relying on Customer to utilize NIST, HITRUST, and/or ISO-compliant practices in regard to password policies, user provisioning and de-provisioning, and the creation of persistent, unique and static user IDs. Customer will use the FIMS in accordance with the reasonable instructions and reasonable policies established by Mayo from time to time and communicated to Customer.
        2. Implementation.  The parties will meet and confer in good faith and engage in such activities reasonably necessary to implement FIMS for use by Customer in connection with the Agreement. The parties will be responsible for their own respective costs and expenses in implementing and using the FIMS.
        3. Security Incidents. Customer will immediately notify the Privacy Officer of Mayo of any Security Incident involving the Customer’s internal systems that provision and/or store credentials to access the FIMS and associated Mayo systems. Notification may also be required under Section II.F. It is expected that the Customer has an identity management system in place with appropriate security logging, retention, and transaction sharing processes in place. Customer agrees to share any appropriate logs required for Mayo to complete any necessary forensics in the event of a Security Incident. It is therefore expected that any logs would be available for at least twelve (12) months. The notification referred to above may lead to the joint decision to cease all access (either directly or indirectly) to the FIMS and/or Mayo systems until the security issues are resolved to both parties’ mutual agreement.
        4. Termination.  Mayo may, in its sole discretion, terminate or suspend provision of the FIMS on written notice to Customer. In addition, provision of the FIMS will terminate on any expiration or termination of the Agreement.
      2. Password Requirements. For Customers who cannot or do not wish to implement FIMS, each User shall utilize a password that meets the following password standard:
        1. HITRUST 01.d (version 9.1 or newer) – Level 2, plus 12-character password minimum and required password changes at least every 90 days.
      3. Electronic Access.
        1. If applicable, as described above, each User shall utilize the FIMS or have a unique identifier.
        2. Users shall be authenticated by one of the following methods: unique token, card key, biometric reader, or individual password. Users shall be advised that their unique identifier and authentication tool (e.g. password) shall not be shared with others.
        3. Where password authentication is employed to authenticate Users, Customer shall:
          1. Prohibit guest accounts;
          2. Instruct Users not to write down passwords or store them on hard copy or locally on devices; and
          3. Periodically review User accounts and inactivate them when access is no longer required.
      4. Revocation of Access Rights.  Mayo shall maintain a process to revoke Customer’s access rights or interrupt the connection to the Mayo Cloud. Mayo may exercise such process at any time without prior cause or notice; provided however, that unless otherwise provided in a Schedule, such revocation shall entitle Customer to credits for future Platform and/or extension to the applicable Schedule, as mutually agreed upon by the parties.
    5. Communication Systems and Access to Information. During the Term of the Agreement, Customer will receive access to the Mayo Cloud. Use of and access to the Mayo Cloud is intended for legitimate business use related to Customer’s business. Customer acknowledges that Customer does not have any expectation of privacy as between Customer and Mayo in the use of or access to the Mayo Cloud and that all communications made with the Mayo Cloud are subject to Mayo’s scrutiny, use and disclosure, in Mayo’s discretion. Mayo reserves the right, for business purposes, to monitor, review, audit, intercept, access, archive, and/or disclose materials sent over, received by or from, or stored in the Mayo Cloud. This includes, without limitation, email communications sent by users across the internet and intranet from and to any domain name owned or operated by Mayo. This also includes, without limitation, any electronic communication system that has been used to access the Mayo Cloud. Customer further agrees that Customer will use all appropriate security, such as, for example, encryption and passwords, to protect Cloud Data from unauthorized disclosure (internally or externally) and that the use of such security does not give rise to any privacy rights in the communication as between Customer and Mayo. Mayo reserves the right to override any security passwords to obtain access to Customer accounts on the Mayo Cloud.
    6. Security Incident Procedures. Customer will notify the Privacy Officer of Mayo, in writing, of any Security Incident affecting the Mayo Cloud and Cloud Data, as applicable, of which Customer becomes aware as soon as practicable but in no event more than three (3) calendar days after the discovery of the Security Incident.
      1. In any event, if a Security Incident caused by Customer requires notification to an individual or regulator under any law or regulation, Mayo will have sole control over the timing, content, and method of notification and Customer will promptly reimburse Mayo for all costs and expenses incurred as a result of the breach, including but not limited to, notice, print and mailing costs, and the costs of obtaining one year of credit reporting or monitoring services and identity theft insurance for the individuals whose data was or may have been compromised. Customer will mitigate, to the extent practicable, any harmful effect that is known to Customer of an unauthorized use or disclosure of Cloud Data by Customer in violation of the requirements of this Exhibit, the Agreement, or applicable law.
  3. Revocation of Access.
    1. In the event Customer fails to comply with the requirements of this Exhibit, Mayo may, without prior notice, suspend access to the Cloud Services and/or Cloud Data until the failure is resolved.
    2. Customer’s Customer Security Procedures shall contain comprehensive change management procedures, including a requirement to remove a terminated or transferred User’s access (and Users without a job function that requires such access) immediately or no later than twenty-four (24) hours after termination or transfer, which shall include termination of: Mayo Cloud credentials, User’s passwords, and VPN access to any physical or electronic access to the Mayo Cloud, Cloud Data, and any related assets, including, but not limited to the deactivating of any security tokens, card keys, user names, and passwords as applicable.
  4. Contractual Modifications.  Mayo reserves the right to renegotiate in good faith the terms of the Agreement, including this Exhibit upon a material change to the Customer Security Procedures or other security requirements provided herein.