Mayo Clinic Platform_Discover Access Terms

Last updated: November 26, 2024

These Mayo Clinic Platform_Discover Access Terms (together, with all its attachments and exhibits, the “Terms”) are entered into by Mayo Foundation for Medical Education and Research, through its Mayo Clinic Platform (“MCP” or “Mayo”). These Terms are incorporated by reference into the relevant Platform Subscription Agreement (the "Agreement") and applicable Order Form(s) between Mayo and the customer identified therein ("Customer"). By accessing or using MCP_Discover, Customer agrees to comply with these Terms, the Agreement, and the applicable Order Form(s). In the event of any conflict between these Terms, the Agreement, or an Order Form, these Terms shall control unless otherwise expressly stated.

These Terms govern Customer’s access to and use of MCP_Discover and is effective upon the date that an Order Form is executed by Mayo and Customer that references these Terms, (the "Effective Date"). Unless Mayo and Customer expressly agree to alternative or additional terms in an Order Form, Customer agrees to the following terms and conditions beginning on the Effective Date and throughout the duration of Customer’s access to MCP_Discover until the later of: (i) the termination or expiration of the applicable Order Form, or (ii) the termination of Customer’s access to MCP_Discover and the subsequent deletion or removal of Customer Loaded Materials from the Hosted Environment, in accordance with these Terms (the “Term”).

  1. Definitions.  Capitalized terms used in these Terms without definition have the meaning ascribed to them in the Agreement.  Additionally, for purposes of these Terms:
    1. Authorized User” means those individuals (up to the number of users as set forth in the Order Form) nominated by Customer to access the Hosted Environment under the applicable Order Form, who shall at all times be Customer’s employee(s), contractor(s) or officer(s) located wholly or mainly at, the jurisdiction(s) expressly permitted by Mayo.
    2. Cloud Services” means the cloud-based services, including the provision of a Hosted Environment, furnished by Mayo under these Terms.
    3. “Customer Loaded Materials” means Customer’s Ontologies, algorithms, and Customer Models, including any developments thereto. Customer Loaded Materials are Confidential Information of Customer.
    4. Customer Model” or “Customer Models” means any and all (a) computer programs, including any and all software implementation of algorithms, models and methodologies, whether in source code, object code, human readable form or other form; (b) Ontologies; and (c) descriptions, flow charts and other work product used to design, plan, organize and develop any of the foregoing; each to the extent provided or made accessible by Customer pursuant to these Terms.
    5. “Customer Products” means any product or service that Customer offers for sale to any third party (whether a consumer, business, government entity or any other third party) that was developed via MCP_Discover
    6. “De-identified” means, with respect to Platform Data, such data has been de-identified pursuant to 45 C.F.R. 164.514(b)(2) or determined by an expert to be de-identified pursuant to 45 C.F.R. 164.514(b)(1); both methods will be in accordance with HIPAA and the Department of Health and Human Services’ Guidance Regarding Methods for De-identification of Protected Health Information in Accordance with the Health Insurance Portability and Accountability Act (HIPAA).
    7. Documentation” means Mayo’s then current generally available documentation, specifications, user manuals, etc., for MCP_Discover. For the avoidance of doubt, Documentation is Confidential Information of Mayo.
    8. Fees” means the fees and charges set forth in the Order Form.
    9. Field of Use” means the scope of use described in the Order Form.
    10. Generative AI” means a model, including but not limited to an LLM, using artificial intelligence that can create original content such as text, video, audio, software code, or other media in response to a prompt or request.
    11. Hosted Environment” means that environment described in Exhibit 1 to these Terms.
    12. Large Language Model” or “LLM”  is a model with a deep neural network that satisfies all the following conditions, such that it: (i) contains one hundred million (100,000,000) learnable parameters or more, (ii) is based on transformer architecture, (iii) is designed to consume and generate natural language, and (iv) is pretrained on a language corpus that contains one billion (1,000,000,000) tokens or more. Due to the rapidly evolving nature of LLMs, Mayo reserves the right to update this definition upon prior written notice to Customer; Customer and Mayo agree to negotiate in good faith an amendment to the Order Form to reflect such changes and to address any related issues, which may include credits for future use of Mayo Clinic Platform Products or Professional Services.
    13. Mayo Data” means: (i) the collection of De-identified data that is owned by Mayo and licensed to Customer pursuant to and in accordance with the terms of the Order Form and these Terms, comprising electronic health record information of approximately ten million (10,000,000) patients, De-identified under expert determination; and (ii) any derivatives of such data, including metadata, created by Customer, excluding Output. Mayo Data will exclude data comprising digital pathology images and other De-identified data elements as determined by Mayo.
    14. “MCP_Discover” is a Mayo Clinic Platform Product that includes access to the (i) Hosted Environment, (ii) Platform Data, (iii) Workspaces, when applicable, (iv) Support and (v) Tools. For the avoidance of doubt, MCP_Discover is the Confidential Information of Mayo.
    15. Ontology” or “Ontologies” means tables, graphs or other structured fields used for organizing, categorizing or relating limited categories or properties. For avoidance of doubt, Ontologies exclude Platform Data.
    16. Order Form” means an underlying agreement or ordering document agreed upon and executed by Mayo and Customer for MCP_Discover that references these Terms.
    17. Other Contributor Data” means data that has been De-identified or anonymized in accordance with the laws applicable to such data that govern its collection, processing, use, storage, and transfer and is licensed from such Other Contributor by Mayo incorporated into MCP_Discover. Other Contributor Data includes any derivatives of such data, including metadata, created by Customer, excluding Output.
    18. Output” means algorithms, Customer Models, or machine learning training results, reports, analyses, or summaries, in each case consisting of purely technical aggregated or processed information that an Authorized User develops or derives from the Platform Data (for example, Output may include graphical or tabular summaries of analyses, such as average lab test results for various cohorts of patients or various endpoints or outcomes for cohorts of patients taking a given medication). Output expressly excludes any Platform Data, and all information, derived, or extracted from the Platform Data to produce Output must be in aggregate form that corresponds with more than ten (10) individual patients.
    19. “Pass Through Fees” means cost to Mayo and/or its affiliates, as invoiced by a third party, related to Customer’s access to and use of the Hosted Environment, along with storage, management, and other associated costs, which may include Security Tools.
    20. Platform Data” means Mayo Data and Other Contributor Data made available to Customer via the MCP_Discover product in accordance with the terms of these Terms.
    21. “Project” means a segmented Workspace in the Hosted Environment with a defined group of Authorized User and cohort of data, to the extent applicable and set forth in the Order Form.
    22. “Security Tools” means the security or monitoring tools or agents within the Hosted Environment that are provided by a third party.
    23. Software” means the object code form of any software furnished by Mayo to Customer for installation on Customer’s systems for use in connection with any Product.
    24. Support” means Mayo’s support of MCP_Discover as set forth in Exhibit 3 to these Terms.
    25. Tools” means data exploration and query tools for the creation of AI/ML algorithms and discovery of insights, provided by Mayo with the Hosted Environment as set forth in Exhibit 1 to these Terms, excluding any Third Party Items.
    26. Workspaces” means a partitioned, Customer-specific data science environment as part of a Project, to the extent applicable and set forth in the Order Form.
  2. Customer Loaded Materials.
    1. Grant. To the extent a Workspace is provisioned to Customer in an Order Form, Customer grants Mayo a limited, non-exclusive, world-wide, royalty-free license to use Customer Loaded Materials for the purpose of providing MCP_Discover to Customer. Customer will be responsible for obtaining all rights, licenses, permissions, and authorizations to grant the foregoing license. Except for the limited license granted in these Terms, nothing contained in these Terms will be construed as granting Mayo any right, title, or interest in the Customer Loaded Materials. Customer Loaded Materials will be deemed Customer’s Confidential Information.
    2. Return of Customer Loaded Materials and Output. Except as otherwise provided described in the Order Form, for a period of thirty (30) days following expiration or termination of the Term, Mayo shall store and protect, and shall not delete, destroy, or in any way modify, any and all Customer Loaded Materials and Output in the Hosted Environment, and Mayo will afford Customer the opportunity to download a copy of the Customer Loaded Materials and Output in a format then-supported by the Documentation, as approved by Mayo. Notwithstanding anything to the contrary herein, as of the thirty-first (31st) day following the expiration or termination of the Term, Mayo may, in its sole discretion, securely delete, destroy, or otherwise dispose of any portions of the Cloud Services allocated to Customer, including any Customer Loaded Materials and Output therein.
  3. License Grant and Restrictions. 
    1. MCP_Discover Access. Subject to the terms and conditions of these Terms and any Order Form, including Customer’s payment of all relevant fees under the Order Form, Mayo grants Customer a limited, non-exclusive, non-transferable right during the Term, with no right to sublicense or offer access as a service to a third party (except as permitted below to Authorized Users), within the Field of Use, to: (i) upload Customer Loaded Materials to and use them within the Hosted Environment to interact with the Discover  Data and use Tools to generate Output; (ii) design, train, assess, and develop (including generation, training, optimization, validation and ongoing maintenance and improvements) Customer Models for the Customer Product; and (iii) use and export Customer Loaded Materials and Output (in whole or in part as requested by Customer) from time-to-time from the Hosted Environment to Customer’s systems as reviewed and approved by Mayo in accordance with these Terms (the “Grant”).
    2. Restrictions.
      1. The Grant is limited to accessing and using the Platform Data and Tools in Mayo’s Hosted Environment, and Customer will have no right to download, remove, copy, duplicate, grant access to third parties, sell, license, or otherwise distribute Platform Data and/or Tools.
      2. Customer may publish articles or white papers about the Customer Product and Customer Loaded Materials; provided, however, that such publications will not include the Output or identify Mayo or any Other Contributor, including any use of Mayo’s or Other Contributor’s name or MCP_Discover, unless approved in writing by Mayo in advance of such publication. articles or white papers about the Customer Product including the Output or otherwise make such Output available to any third parties, unless approved expressly permitted by Mayo.
      3. The number of Authorized User permitted to access MCP_Discover at any one time to use the Grant will be set forth in an Order Form, or in its absence, the maximum number of Authorized Users is five (5).
      4. Customer agrees to the requirements for export of Customer Loaded Materials and Output as set forth in Mayo’s policy for exporting files from MCP_Discover, as may be updated from time to time (the “Export Policy”). Mayo shall provide a copy of the Export Policy to Customer upon request; the Export Policy sets forth requirements for prohibited content for export, file requirements, file rejection limits, and other export limitations standard for MCP_Discover.
      5. Mayo reserves the right to evaluate and remove any Customer Models to ensure ethical and safe use of Platform Data and reduce potential risks to Mayo systems and Platform Data. In particular, with regard to Generative AI, Customer must notify Mayo in advance and coordinate with Mayo in assessing the impact such Generative AI. No Generative AI may be uploaded to MCP_Discover without express authorization by Mayo, and Mayo reserves the right to prohibit the export of any files associated with such Generative AI in its sole discretion, in accordance with Mayo’s Export Policy, as defined herein. Customer acknowledges and agrees that it will not, nor will it attempt to, create, establish, or build Generative AI within the Hosted Environment. Customer’s violation of this section shall constitute a material breach. Absent any material changes to the corresponding Generative AI license terms that would increase legal liability for Mayo or otherwise jeopardize the quality and privacy of the Platform Data, some Generative AI tools may be pre-approved for use by Customer within the Hosted Environment as Third Party Items, in accordance with Section 6.1 of these Terms and Mayo’s Export Policy.
      6. As a requirement for access to MCP_Discover, Authorized Users must first review and electronically sign a standardized, click-through acknowledgement form that outlines access and use requirements for MCP_Discover.
      7. Customer shall not use, or provide or offer Output to any third party: (i) for any purpose outside the Field of Use, (ii) to improve a product or service that is similar to, or competitive with, MCP_Discover, (iii) the practice of medicine or provision of clinical care, or to make clinical decisions for patients (without limiting development and commercialization of products and services directed to physicians and/or patients generally), (iv) indicates that Mayo endorses or approve Customer’s research and Customer Product, unless Mayo otherwise consents in writing; or (v) conduct clinical or quality benchmarking (including performing analysis or comparisons of practice patterns, referral patterns, prescription practices, and payment related matters) of Mayo.
  4. Platform Data Reservation of Rights.  All rights granted to Customer in the Platform Data are subject to: (a) the rights and requirements of and obligations to the U.S. government, if any have arisen or may arise, to or regarding the Platform Data, including as set forth in 35 U.S.C. §§200 et al., 37 C.F.R. Part 401 et al. (“Bayh-Dole Act”); and (b) Mayo’s and its affiliates’ reserved, irrevocable, unrestricted right to (i) further license and (ii)  use the Platform Data in connection with the commercial, educational, research and clinical programs of Mayo, Mayo’s affiliates, including Mayo’s reference laboratory and Mayo Collaborative Services, LLC, Mayo Clinic Platform and the Mayo Clinic Care Network. Customer will comply with the provisions of the Bayh-Dole Act, including promptly providing to Mayo information requested to enable Mayo to meet its compliance requirements.
  5. Changes in Platform Data. Mayo in its sole discretion will have the right to: (a) immediately and permanently remove certain records from the Platform Data and the Hosted Environment; and (b) determine that Customer must delete any Customer Loaded Materials or Output in the Hosted Environment that arises from such impermissible Platform Data or other records and/or data sets upon written notice from Mayo. In such a circumstance, Mayo will have no liability to Customer for any losses or damages arising from such removal including, but not limited to, loss or damage to Customer Loaded Materials, Output, or other Customer Confidential Information and/or work product. To the extent such a circumstance occurs, Mayo will work in good faith with Customer to replace the removed Platform Data with different Platform Data on which Mayo and Customer agree (subject to the availability of additional data that is eligible to be Platform Data). If Mayo and Customer cannot agree on such replacement Platform Data, and to the extent the absence of the removed Platform Data has a substantial business impact on Customer, then Mayo and Customer will discuss in good faith whether the removal of the Platform Data (on a going forward basis only) should result in an extension to the Term and/or credits for future use.
  6. Third Party Cloud Provider; Disclaimer.  Mayo may make all or any portion of the Cloud Services available through its third party cloud provider. Access to and use of the third party cloud provider’s environment is subject to certain Pass Through Terms, as defined in herein. Mayo may change its hosting provider from time-to-time on written or electronic notice to Customer. Mayo will acquire and provision the required virtual servers and other functionality within the Hosted Environment from the third-party hosting provider. For the avoidance of doubt, Customer understands and agrees the third-party hosting provider is not the employee, agent, or contractor of Mayo. As such, Mayo is not responsible for the actions or performance of the third party hosting provider. To the extent permissible under Mayo’s agreement with the third party hosting provider, Mayo will pass through to Customer the terms and conditions set forth in that agreement. In any event, Mayo will use reasonable efforts to enforce the terms of the agreement with the third-party hosting provider and to pursue all remedies available to Mayo or Customer under the applicable agreement. The foregoing, however, will not be construed as requiring Mayo to institute any litigation against the third party hosting provider. No breach of the third party hosting agreement or other failure to perform by the third party hosting provider will constitute a breach by Mayo of these Terms. The sole and exclusive remedies for the third party hosting provider’s failure to perform or breach of the applicable hosting agreement will be as set forth in the third party hosting agreement.
    1. Third Party Items.  In addition to the Cloud Services provided in whole or in part by a third-party hosting provider, certain other services of third parties may be furnished or made available to Customer by Mayo in connection with MCP_Discover (the “Third Party Items”). Third Party Items may be subject to third party terms and conditions, including end user license agreements, and expressly including the terms set forth in these Terms (the “Third Party Terms”). Customer’s use of the Third Party Items will indicate its agreement to be bound by the Third Party Terms.  Nothing herein shall be construed to create any agreement or obligation between Customer and any third party other than Customer’s agreement to comply with the Third Party Terms. EXCEPT AS EXPRESSLY SET OUT HEREIN, MAYO MAKES NO WARRANTY OF ANY KIND, WHETHER EXPRESS OR IMPLIED WITH REGARD TO ANY THIRD PARTY ITEMS. EXCEPT AS OTHERWISE EXPRESSLY SET OUT HEREIN, MAYO EXPRESSLY DISCLAIMS ALL WARRANTIES, EXPRESS AND IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, TITLE/NON-INFRINGEMENT, QUALITY OF INFORMATION, QUIET ENJOYMENT, AND FITNESS FOR A PARTICULAR PURPOSE WITH REGARD TO THE THIRD PARTY ITEMS. CUSTOMER SHOULD CONSULT THE RESPECTIVE SELLERS/LICENSORS OF THE THIRD PARTY ITEMS FOR WARRANTY AND PERFORMANCE INFORMATION, INCLUDING ANY THIRD PARTY TERMS.
  7. Mayo Information Security Requirements.  Consistent with any law or regulation applicable to Mayo in its performance of these Terms, the Agreement and applicable Order Form, and consistent with Mayo’s then current practices and procedures, Mayo represents and warrants that it will maintain and enforce administrative, technical, and physical safeguards to reasonably protect the confidentiality, availability, and integrity of Customer’s Confidential Information and the Customer Loaded Materials, and ensure the security of MCP_Discover. With respect to tMCP_Discover, Hosted Environment, and related systems and networks, Mayo will implement commercially reasonable technical, operational and organizational security controls and protocols (including appropriate administrative, technical and physical safeguards, with industry appropriate monitoring) designed to prevent the use, access or disclosure of Platform Data and Customer Loaded Materials by unauthorized individuals, or in any manner other than as permitted by these Terms, and to prevent re-identification of any individual who is the subject of Platform Data. Such controls shall be (i) no less rigorous than the controls generally maintained by Mayo in respect of its own data, and (ii) documented and maintained for so long as Customer uses MCP_Discover and Mayo has access to Customer Loaded Materials. Mayo shall employ procedures to determine whether any compromise of Platform Data or Customer Loaded Materials, as applicable, has occurred (e.g. loss or modification of data).
  8. Customer Security and Monitoring.  Unless otherwise agreed in an Order Form, Customer represents and warrants that it shall comply with the security standards as set forth on Exhibit 4 to these Terms which may be updated by Mayo from time-to-time on written or electronic notice to Customer. With respect to Customer’s systems and networks relevant to Customer’s access to and use of MCP_Discover, Customer will implement commercially reasonable technical, operational and organizational security controls and protocols (including appropriate administrative, technical and physical safeguards, with industry appropriate monitoring) designed to prevent the use, access or disclosure of Platform Data by unauthorized individuals, or in any manner other than as permitted by these Terms, and to prevent re-identification of any individual who is the subject of Platform Data. Such controls will be (i) no less rigorous than the controls generally maintained by Customer in respect of its own data, and (ii) documented and maintained for so long as Customer has access to the Platform Data. Customer shall employ procedures to determine whether any compromise of Platform Data, as applicable, has occurred (e.g. loss or modification of data).
  9. Service Restrictions.  Customer may not: (i) reverse engineer, disassemble, decompile or otherwise attempt to reveal the trade secrets or know how underlying MCP_Discover or the Mayo Data, except to the extent expressly permitted under applicable law; (ii) use Mayo Data, Mayo’s intellectual property and/or Mayo Confidential Information to develop a product or service that is similar to MCP_Discover; (iii) use any Mayo Confidential Information to contest the validity of any Mayo intellectual property; (iv) remove or destroy any copyright notices, other proprietary markings or confidentiality legends placed on or made available through MCP_Discover or the Mayo Data; (v) directly or indirectly export or import MCP_Discover or any Mayo Data to any country, person, or entity to which such export or transmission is restricted or prohibited; (vi) use MCP_Discover or Platform Data in any manner or for any purpose inconsistent with these Terms or the Documentation; or vii) use Output for clinical or quality benchmarking of Mayo to Customer or any third party. 
  10. Re-Identification.  With respect to re-identification of Platform Data, Mayo and Customer agree that (a) Platform Data licensed to Customer includes De-identified patient information; (b) Customer is prohibited from re-identifying, including any attempt to re-identify the Platform Data provided hereunder; and (c) unless otherwise required by law, Customer shall not disclose to any third party any Platform Data unless such third party is contractually bound to the same or stricter requirements governing re-identification and unless otherwise specifically authorized by Mayo in these Terms.
  11. Support Services and Service Level Agreements.   Mayo will furnish Support and achieve the service levels and performance obligations set forth in the Service Level Agreement attached as Exhibit 3 of these Terms, which Mayo may update from time to time.
  12. Pass Through Terms.  In addition to any Third Party Terms, MCP_Discover is subject to the third party terms and conditions (the “Pass Through Terms”) attached as Exhibit 2 (Pass Through Terms), which may be updated by the relevant third parties from time-to-time. In particular, the Cloud Services are subject to all relevant Pass Through Terms, including pricing, service levels and credits, disaster recovery plan, backup environment, and security tools and requirements, that a third party provider provides to Mayo for its other uses of such third party provider’s services. Mayo’s terms with the third party provider will require that the Cloud Services will be provided with a goal of 24x7x365 availability other than for normal changes.       
  13. Suspension and Discontinuation of MCP_Discover. 
    1. Suspension. Notwithstanding any other provision of these Terms or the Agreement, Mayo may, in its reasonable discretion, suspend Customer’s access to MCP_Discover and/or Third Party Items for any of the following reasons: (a) to prevent damages or risk to, or degradation of, MCP_Discover or Third Party Items; (b) to comply with any law, regulation, court order, or other governmental request; (c) to otherwise protect Mayo from potential legal liability; or (d) in the event an invoice remains unpaid for more than forty-five (45) days from the invoice date. Mayo will use commercially reasonable efforts to provide Customer with notice prior to or promptly following any suspension of access to MCP_Discover. Mayo will promptly restore access to MCP_Discover as soon as the event giving rise to the suspension has been resolved. This Section will not be construed as imposing any obligation or duty on Mayo to monitor use of MCP_Discover by Customer.
    2. Discontinuation of Third Party Hosted Environment. Notwithstanding anything to the contrary in these Terms or the Agreement, in the event Mayo no longer is able or willing to continue provision of the third party hosted environment for the Cloud Services, Mayo will use commercially reasonable efforts to provide Customer with at least sixty (60) days’ prior written notice, after which the Term will expire. Mayo, in its sole discretion, may attempt to negotiate a replacement agreement between Mayo and a new third party hosting provider for such service with certain restrictions to include, but not limited to, Mayo’s right to control access to the Platform Data, as defined herein, and the Hosted Environment. Mayo will have sole control in choosing the third party hosting provider.
    3. Other Unavailability of the Third Party Hosted Environment. To the extent the Hosted Environment becomes unavailable, whether due to the expiration, termination, invalidity, lapse or other conclusion of the current, or any future, statistician certification (including due to the acts or omissions of either party) or otherwise, the Grant will immediately terminate, and Customer will immediately cease accessing the Platform Data upon written notice from Mayo. Mayo will provide Customer with prompt notice of such termination. Customer and Mayo agree to negotiate in good faith an amendment to the Order Form to reflect such changes and to address any related issues, which amendment may include an extension to the Term.
    4. Customer Onboarding. Customer shall cooperate with the standard onboarding process for MCP_ Discover, which includes actions such as completion of a standard intake form, product training, and a security review, and provide all information and documentation requested by Mayo in order to complete this process. Such onboarding process shall include review and prior written permission by Mayo of any and all Authorized Users who may access MCP_Discover outside of the United States. In the event that Customer fails the required onboarding and screening necessary to access the Platform Data, Mayo may immediately terminate these Terms without penalty to either party.
    5. Other Contributor Data. Other Contributor Data and any hosting providers of Other Contributors are provided as Third Party Items hereunder, and Other Contributors are intended third-party beneficiaries of these Terms and capable of directly enforcing its terms. In addition to the disclaimer set forth in these Terms, Mayo does not guarantee or certify the accuracy, completeness, currency, timeliness, or correct sequencing of the Other Contributor Data made available through MCP_Discover but shall use commercially reasonable efforts to review such Other Contributor Data for accuracy and completeness. All Other Contributor Data is provided “as-is” and “as-available.” Customer agrees that neither Mayo nor the applicable Other Contributor shall be liable in any way for the accuracy, completeness, timeliness, or correct sequencing of the Other Contributor Data, or for any decision made or action taken by Customer relying upon the Other Contributor Data. Mayo does not endorse or approve any of the Other Contributor Data and only makes such Other Contributor Data available as a service and convenience. The Other Contributor Data may be subject to additional Third Party Terms set forth in an Order Form. In any event, Customer may use the Other Contributor Data solely and exclusively in connection with MCP_Discover according to these Terms.
  14. Intellectual Property.
    1. Mayo Intellectual Property. This is not a work made-for-hire agreement (as that term is defined in Section 101 of Title 17 of the United States Code). Mayo and its licensors own all right, title, and interest, including intellectual property rights, in and to MCP_Discover and all enhancements, modifications, and updates thereto. Except for express licenses granted in these Terms, Mayo is not granting or assigning to Customer any right, title, or interest, express or implied, in or to Mayo’s intellectual property. Mayo reserves all rights in such property. Mayo shall have the sole right but not an obligation to defend its property rights, to include tangible and any intellectual property rights, to MCP_Discover. Customer will register and give required notice concerning these Terms, at its expense, in each country for sale of its products and services where an obligation under law exists to so register or give notice. Customer acknowledges Mayo has expended significant resources gathering, assembling and compiling the Platform Data, and that the Platform Data is the valuable property of Mayo or its Other Contributors. Customer acknowledges that the Platform Data is an original compilation protected by U.S. copyright laws.
    2. Customer Intellectual Property. Customer owns all right, title, and interest, including intellectual property rights, in and to the Customer Loaded Materials, Customer Products, and Output. Except for express licenses granted herein, Customer is not granting or assigning to Mayo any right, title, or interest, express or implied, in or to Customer’s intellectual property and Customer reserves all rights in such property.
  15. Feedback. Customer may provide Mayo with suggestions, comments, or other feedback (collectively, “Feedback”) with respect to MCP_Discover. Feedback is voluntary. Mayo may use Feedback for any purpose without obligation of any kind, subject to any use of name or trademark restrictions in the Agreement. To the extent a license is required under any Customer intellectual property rights to make use of the Feedback, Customer grants Mayo an irrevocable, non-exclusive, perpetual, royalty-free license to use the Feedback in connection with Mayo’s business, products, and services, including the enhancement of the MCP_Discover.
  16. Product Usage Data. Customer grants Mayo a worldwide, non-exclusive, perpetual, irrevocable, fully-paid-up, royalty free license to use data derived from use of MCP_Discover (the “Product Usage Data”) for Mayo’s business purposes, including improvement of MCP_Discover and provision of MCP_Discover to Mayo’s customers; provided the Product Usage Data is combined with similar data from other sources, is not identifiable as associated with Customer, and, with regard to personally identifiable information, including Protected Health Information, used and maintained in compliance with applicable law.
  17. Warranties and Disclaimers.
    1. Mutual Warranties.  Both parties warrant as follows: (i) they have sufficient rights to enter into and perform the obligations of these Terms; (ii) they shall use commercially reasonable efforts to prevent the transmission of viruses and other malware to the other party’s systems; (iii) they will comply with all laws applicable to them in the performance of these Terms; and (iv) they are not listed on the U.S. Treasury Department's list of Specially Designated Nationals or the U.S. Department of Commerce Denied Person’s List or Entity List, or located in a U.S. embargoed country.
    2. Mayo Representation and Warranties.  In addition to and cumulative of the other express warranties in these Terms, Mayo warrants and represents that (i) Mayo will provide the Support in a professional, workmanlike manner; (ii) during the Term, MCP_Discover will materially conform to their descriptions in the Documentation; (iii) Mayo is authorized and has the right to make the Grant provided hereunder; (iv) Platform Data is De-Identified; and (v) Mayo has the right to furnish or make available to Customer the Third Party Items.
    3. Customer Representations and Warranties.  In addition to and cumulative of the other express warranties herein and in these Terms, Customer warrants and represents that:  (a) Customer will independently evaluate the scope of the Platform Data and its applicability or utility in Customer’s activities, is entering into these Terms on the basis of its own evaluation and not in reliance of any representation by Mayo and assumes all risk and liability in connection with such evaluation; (b) Customer will not share, transfer to or allow any third party to access or use the Platform Data for any purpose and shall keep the Platform Data confidential by only allowing access by Customer’s Authorized Users who (i) have a bona fide need to access the Platform Data to exercise the rights and perform the duties and obligations of Customer under these Terms, the applicable Order Form and the Agreement, and (ii) promise to keep the Platform Data from being disclosed for as long as Mayo considers and treats the Platform Data as its proprietary trade secret or other form of Confidential Information; (c) Customer shall ensure that its Authorized Users who work with any of the Platform Data access, handle, use, safeguard, and dispose of the Platform Data in compliance with these Terms and all applicable laws; (d)  Customer will not access or use the Platform Data for any purpose other than those purposes expressly granted under the Order Form; (e) Customer will not, nor will it permit any third party to remove, download, copy, or otherwise transfer the Platform Data from the Hosted Environment; (f) Customer will notify Mayo in writing as soon as practicable but in no event later than forty-eight (48) hours after Customer becomes aware of any unauthorized access, use, or disclosure of or attempt to re-identify Platform Data. To the extent known by Customer after reasonable inquiry, the notification will identify: (i) the nature of the non-permitted or violating use or disclosure; (ii) the Platform Data used or disclosed; (iii) who made the non-permitted or violating use or disclosure; (iv) who received the non-permitted or violating use or disclosure; (v) what corrective action Customer took or will take to prevent further non-permitted or violating uses or disclosures; (vi) what Customer did or will do to mitigate any deleterious effect of the non-permitted or violating use or disclosure; and (vii) other information as Mayo may reasonably request; (g) Customer will not by any means or manner link the Platform Data to other resources that would influence the re-identification risk or re-identify or attempt to re-identify any individual who is the subject of any Platform Data, nor facilitate or allow any such re-identification of Platform Data by a third party; (h) except as specifically permitted by the Grant, Customer will not use, provide a service to, aggregate, combine, or model the Platform Data with any other data (nor perform any other function with respect to the Platform Data); (i) except as specifically permitted in the Grant, Customer will not place any data from other sources in the Hosted Environment; (j) Customer has implemented, and Customer shall continue to maintain during the Term, reasonable procedures to protect against the introduction of viruses, worms, time bombs, Trojan horses or other harmful or destructive code in the Hosted Environment (and any development or other environments to which Mayo grants Customer access in connection with these Terms, the applicable Order Form or Agreement) or Platform Data; (k) Customer has all rights and licenses to Customer Loaded Materials; (l) Customer is responsible for the accuracy, quality and legality of Customer Loaded Materials, the means by which Customer acquired Customer Loaded Materials, and its use of Customer Loaded Materials with MCP_Discover; and (m) any third party use, including all end users, of the Customer Product shall include terms waiving all warranties, express or implied of Mayo, disclaiming all liability of Mayo (the “Customer Product Disclaimer”).
    4. Disclaimers.  EXCEPT FOR THE LIMITED WARRANTIES IN THIS SECTION, MCP_DISCOVER ARE PROVIDED “AS IS,” WITH ALL FAULTS, AND WITHOUT WARRANTIES OF ANY KIND. EXCEPT FOR THE LIMITED WARRANTIES IN THIS SECTION, MAYO EXPRESSLY DISCLAIMS ALL OTHER WARRANTIES, EXPRESS AND IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, QUIET ENJOYMENT, QUALITY OF INFORMATION, TITLE/NON-INFRINGEMENT, AND FITNESS FOR A PARTICULAR PURPOSE. MAYO DOES NOT WARRANT THAT THE OPERATION OF MCP_DISCOVER WILL BE UNINTERRUPTED OR ERROR-FREE OR THAT DEFECTS IN MCP_DISCOVER WILL OR CAN BE CORRECTED. NO ORAL OR WRITTEN INFORMATION, MARKETING OR PROMOTIONAL MATERIALS, OR ADVICE GIVEN BY MAYO OR MAYO’S AUTHORIZED REPRESENTATIVES WILL CREATE ANY OTHER WARRANTIES OR IN ANY WAY INCREASE THE SCOPE OF MAYO’S OBLIGATIONS UNDER THESE TERMS.

      MCP_DISCOVER MAY BE USED TO ACCESS AND TRANSFER INFORMATION OVER THE INTERNET. CUSTOMER ACKNOWLEDGES AND AGREES THAT MAYO AND ITS VENDORS AND LICENSORS DO NOT OPERATE OR CONTROL THE INTERNET AND THAT: (I) VIRUSES, WORMS, TROJAN HORSES, OR OTHER UNDESIRABLE DATA OR SOFTWARE; OR (II) UNAUTHORIZED USERS (E.G., HACKERS) MAY ATTEMPT TO OBTAIN ACCESS TO AND DAMAGE CUSTOMER DATA, WEB SITES, COMPUTERS, OR NETWORKS. MAYO WILL NOT BE RESPONSIBLE FOR THOSE ACTIVITIES.
  18. Indemnification.   
    1. Mayo Indemnity.  Mayo will defend and indemnify Customer and hold it harmless from any and all claims, losses, deficiencies, damages, liabilities, costs, and expenses (including but not limited to reasonable attorneys’ fees) arising from a claim by a third party arising from Mayo’s breach of its representations or warranties made under these Terms or that Customer’s authorized use of MCP_Discover infringes that third party’s United States patent, copyright, or trade secret rights. The foregoing indemnification obligation of Mayo is contingent upon Customer promptly notifying Mayo in writing of such claim (provided, however, that any failure to provide such notice will not relieve the Mayo of its obligations under this Section except to the extent Mayo is materially prejudiced by such failure), permitting Mayo sole authority to control the defense or settlement of such claim and providing Mayo reasonable assistance (at Mayo’s sole expense) in connection therewith. If a claim of infringement under this Section occurs, or if Mayo determines a claim is likely to occur, Mayo will have the right, in its sole discretion, to either (i) procure for Customer the right or license to continue to use MCP_Discover free of the infringement claim, or (ii) modify MCP_Discover to make them non-infringing, without loss of material functionality. If neither of these remedies is reasonably available to Mayo, Mayo may, in its sole discretion, immediately terminate these Terms and, upon return of the infringing MCP_Discover from Customer, refund the prorated portion of any prepaid fees for such MCP_Discover. Notwithstanding the foregoing, Mayo will have no obligation with respect to any claim of infringement that is based upon or arises out of (i) the use or combination of the MCP_Discover with any hardware, software, products, data, or other materials not provided by Mayo, (ii) modification or alteration of MCP_Discover by anyone other than Mayo, (iii) use of MCP_Discover in excess of the rights granted in these Terms, or (iv) any specifications or other intellectual property provided by Customer, including the Customer Loaded Materials (collectively, the “Excluded Claims”). The provisions of this Section state the sole and exclusive obligations and liability of Mayo and its licensors and suppliers for any claim of intellectual property infringement arising out of or relating to MCP_Discover or these Terms, and are in lieu of any implied warranties of non-infringement, all of which are expressly disclaimed.
    2. Customer Indemnity.  Customer will defend and indemnify Mayo and hold it harmless from any and all claims, losses, deficiencies, damages, liabilities, costs, expenses fines, sanctions, or penalties, (including but not limited to reasonable attorneys’ fees) incurred by Mayo, including those imposed by any regulator, as a result of any claim by a third party arising from (i) Customer’s use of MCP_Discover in breach of these Terms, or Customer’s use of any Third Party Item in breach of the Third Party Terms; (ii) Mayo’s licensed use of the Customer Loaded Materials; (iii) Customer’s breach of its representations or warranties made under these Terms, (iv) the Excluded Claims, or (v) Customer’s failure to obtain the Customer Product Disclaimer relating to, or brought in connection with, such third party’s access to, license of, or use of the Customer Product.
    3. Mayo shall provide Customer with all reasonable assistance (as Customer’s sole expense) in connection with the defense of any such claim, and Customer shall have authority to control the defense of any such claim, provided that Customer shall not settle any matter that would incur liability for Mayo or require Mayo to make any admission of liability without Mayo’s prior written consent.
    4. The indemnification obligations in this Section are specific to Customer’s use of MCP_Discover and shall take precedence over the terms of the Agreement and exclusively govern with respect to indemnification liability and obligations arising in connection with the applicable Order Form or Agreement.
  19. Limitations of Liability.
    1. NEITHER MAYO NOR ITS VENDORS AND LICENSORS WILL HAVE ANY LIABILITY TO CUSTOMER OR ANY THIRD PARTY FOR ANY LOSS OF PROFITS, SALES, BUSINESS, DATA, OR OTHER INCIDENTAL, CONSEQUENTIAL, OR SPECIAL LOSS OR DAMAGE, INCLUDING EXEMPLARY AND PUNITIVE DAMAGES, OF ANY KIND OR NATURE RESULTING FROM OR ARISING OUT OF THESE TERMS. THE TOTAL LIABILITY OF MAYO AND ITS VENDORS AND LICENSORS TO CUSTOMER OR ANY THIRD PARTY ARISING OUT OF THESE TERMS AND CUSTOMER’S USE OF MCP_DISCOVER FOR ANY AND ALL CLAIMS OR TYPES OF DAMAGES WILL NOT EXCEED THE AGGREGATE FEES PAID BY CUSTOMER TO MAYO FOR ACCESS TO MCP_DISCOVER UNDER AN ORDER FORM IN THE (TWELVE) 12 MONTHS PRIOR TO THE FIRST EVENT GIVING RISE TO LIABILITY. IN THE ABSENCE OF AN ORDER FORM, MAYO’S TOTAL LIABILITY WILL NOT EXCEED $10,000.00 USD. THE EXCLUSIONS AND LIMITATIONS OF DAMAGES SET FORTH IN THIS SECTION DO NOT APPLY TO NOR LIMIT DAMAGES ARISING FROM MAYO’S: (i) GROSS NEGLIGENCE OR WILLFUL MISCONDUCT, (ii) BREACH OF CONFIDENTIALITY, (iii) AMOUNTS TO BE PAID BY MAYO PURSUANT TO THE INDEMNIFICATION OBLIGATIONS IN THESE TERMS, AND (iv) MAYO’S INFRINGEMENT OR MISAPPROPRIATION OF CUSTOMER’S INTELLECTUAL PROPERTY.
    2. NEITHER CUSTOMER NOR ITS VENDORS AND LICENSORS WILL HAVE ANY LIABILITY TO MAYO OR ANY THIRD PARTY FOR ANY LOSS OF PROFITS, SALES, BUSINESS, DATA, OR OTHER INCIDENTAL, CONSEQUENTIAL, OR SPECIAL LOSS OR DAMAGE, INCLUDING EXEMPLARY AND PUNITIVE DAMAGES, OF ANY KIND OR NATURE RESULTING FROM OR ARISING OUT OF CUSTOMER’S USE OF THE PRODUCT UNDER THESE TERMS. THE TOTAL LIABILITY OF CUSTOMER UNDER THESE TERMS FOR ANY AND ALL CLAIMS OR TYPES OF DAMAGES WILL NOT EXCEED TWO HUNDRED FIFTY THOUSAND U.S. DOLLARS ($250,000.00). THE EXCLUSIONS AND LIMITATIONS OF DAMAGES SET FORTH IN THIS SECTION DO NOT APPLY TO NOR LIMIT DAMAGES ARISING FROM (I) THE VIOLATION OF LAW, NEGLIGENCE, OR MISCONDUCT OF CUSTOMER OR ITS AUTHORIZED USERS(S), (II) BREACHES OF CONFIDENTIALITY, (III) FAILURE TO COMPLY WITH ANY SECURITY STANDARDS OR RE-IDENTIFICATION REQUIREMENTS UNDER THESE TERMS (IV) BREACHES OF REPRESENTATIONS AND WARRANTIES BY CUSTOMER REGARDING PLATFORM DATA, (V) AMOUNTS TO BE PAID BY CUSTOMER PURSUANT TO THE INDEMNIFICATION OBLIGATIONS UNDER THESE TERMS, (VI) THIRD PARTY CLAIMS REGARDING CUSTOMER’S OR ITS AUTHORIZED USERS’ UNAUTHORIZED USE OF PLATFORM DATA, AND (VII) INFRINGEMENT OR MISAPPROPRIATION OF MAYO’S INTELLECTUAL PROPERTY RIGHTS.
    3. THIS LIMITATION OF LIABILITY IS SPECIFIC TO CUSTOMER’S USE OF MCP_DISCOVER AND SHALL TAKE PRECEDENCE OVER THE TERMS OF THE UNDERLYING AGREEMENT GOVERNING THE ORDER FORM AND SHALL EXCLUSIVELY GOVERN WITH REGARD TO LIABILITY ARISING IN CONNECTION WITH THESE TERMS. The allocations of liability in this Section represent the agreed, bargained-for understanding of the parties and the consideration hereunder reflects such allocations. The limitation of liability and types of damages stated in this Section are intended by the parties to apply regardless of the form of lawsuit or claim a party may bring, whether in tort, contract or otherwise, and regardless of whether any limited remedy provided for in these Terms or the Agreement fails of its essential purpose. No action arising out of Customer’s use of MCP_Discover may be brought by either party more than two (2) years after such cause of action accrues.
  20. Additional Termination Right.  In addition to and cumulative of the termination rights granted elsewhere in these Terms or the Agreement:
    1. Customer may discontinue its use of MCP_Discover at any time. Subject to any financial obligations provided in the Agreement and Order Form, Customer may terminate these Terms after providing thirty (30) days’ prior written notice to Mayo and, upon termination, must cease use of the applicable MCP_Discover.
    2. Mayo may terminate these Terms if it ceases to generally provide MCP_Discover.
    3. Upon expiration or termination of the applicable Order Form or the Agreement for any reason, (a) Customer’s access to and use of MCP_Discover will cease as of the effective date of termination; (b) Customer will pay to Mayo all Fees due to Mayo related to Customer’s use of MCP_Discover,  through the effective date of such expiration or termination (prorated as appropriate); and (c) Mayo will reasonably cooperate with Customer in transitioning the Customer Loaded Materials and Customer Products to Customer.
  21. Miscellaneous Provisions.
    1. Customer will continuously carry occurrence-based cyber and general liability insurance in an amount and for a time period sufficient to cover the liability assumed by Customer under these Terms and the Agreement during the Term and for a period of six (6) years thereafter, such amount being at least Five Million U.S. Dollars ($5,000,000). The cyber and general liability insurance requirements may be substituted by self-funded liability coverage. The minimum limits of any insurance coverage required herein shall not limit Customer’s liability.
    2. These Terms constitutes the entire understanding between the parties related to the subject matter of these Terms which understanding supersedes and merges all prior understandings and all other proposals, letters, agreements, oral or written. The parties further agree that there are no other inducements, warranties, representations or agreements regarding the matters herein between the parties except as expressly set forth in these Terms. The terms of these Terms shall be read in harmony with the terms of the Order Form and, in the event the terms of these Terms irreconcilably conflict with the terms of the applicable Order Form, those terms of the Order Form will govern only to the extent the Order Form specifically states that it will control over such provision that conflicts with the term in these Terms. As used herein, the term “including” will mean “including, without limitation”; the term “includes” as used herein will mean “includes, without limitation”; and terms appearing in the singular will include the plural and terms appearing in the plural will include the singular. These Terms may not be modified, amended or altered in any manner except by a written agreement in the applicable Order Form or amendment to these Terms signed by both parties, and any attempt at oral modification will be void and of no effect.
    3. Customer may not assign its rights or delegate its duties under these Terms either in whole or in part without the prior written consent of Mayo. Any attempted assignment or delegation without such consent will be void ab initio and Mayo may immediately terminate these Terms for cause. Except as provided above, these Terms will apply to, inure to the benefit of, and be binding upon the parties hereto and their successors and assigns.
    4. Customer shall obey all applicable laws or regulations in Customer’s applicable jurisdictions and shall also obey the U.S. Foreign Corrupt Practices Act (“FCPA”) (15 USC §§ 78dd-1, et seq.) and any similar applicable anti-bribery provisions, laws or regulations. Each party shall reasonably assist the other party to assure such compliance at all times during the term of these Terms. Customer’s failure to adhere to the requirements of this Section shall be grounds for Mayo to terminate these Terms immediately for cause. 
    5. Notwithstanding anything to the contrary, Mayo will have the right to seek injunctive or pre-judgment relief in any court of competent jurisdiction to prevent or enjoin the misappropriation, misuse, infringement or unauthorized disclosure of Mayo’s Confidential Information or intellectual property rights. No Federal Acquisition Regulations will be construed to apply to Mayo without Mayo’s written agreement thereto. Neither the United Nations Convention for the International Sale of Goods nor the Uniform Commercial Code will apply to these Terms. In the event any provision of these Terms is held by a tribunal of competent jurisdiction to be contrary to law, the remaining provisions of these Terms will remain in full force and effect.
    6. All provisions of these Terms relating to confidentiality, non-disclosure, intellectual property, disclaimers, limitation of liability, indemnification, payment, and any other provisions which must survive in order to give effect to their meaning, will survive the termination of these Terms.

Exhibit 1
Hosted Environment, Tools, and Third Party Items Description

1. Hosted Environment and Tools:

The Hosted Environment provides Authorized User with the infrastructure and services to analyze, visualize, and process datasets and to build, validate, and deploy statistical and machine learning based models and analytics. The MCP Discover Product is Mayo’s next generation data science product, which utilizes the Hosted Environment to allow Authorized User to analyze, visualize, and process datasets and build, train, and validate statistical and machine learning models. The data science applications available to Authorized User are:

Application NameDescription
Cohort VisualizerBuild patient cohorts based on inclusion and exclusion criteria. View and analyze information about the cohort compared to the full population or by comparison to another cohort by viewing demographic information, medication volume, procedures and more.
WorkspacesWorkspaces is an advanced data science workbench with access to infrastructure and tools to provision computing resources, analyze record-level patient information, and gain insights to customized questions.
Schema VisualizerExplore the underlying data dictionary and schema. Understand what data columns are available and what their fill rates are.
Patient ExplorerRead individual patient notes and visualize a timeline of their events.
Patient SignalsSee how often any search term (e.g. a disease, drug, or any other word) is mentioned across all patient notes, and identify related concepts. Identify patients fitting criteria that has not been captured in structured data.
Cohort LibraryView cohorts you have created and edit tags or descriptions for that cohort.
AI StudioApplication for image viewing and annotation

2. Third Party Items:

 Additional Third Party Items may be approved by Mayo for use by Customer within the Hosted Environment via a standardized software development kit, provided that Customer’s use of such Third Party Items is governed by one or more of the following license terms:

Third Party Item License NameLicense Terms
Mozilla Public License 2.0Mozilla Public License, 2.0 Terms
MIT LicenseThe MIT License Terms
Apache License 2.0Apache License, Version 2.0 Terms
GNU General Public LicenseThe GNU General Public License v3.0 Terms
GNU Lesser General Public LicenseGNU Lesser General Public License v3.0 Terms
BSD LicensesBSD 3-Clause Terms
Creative Commons LicensesCreative Commons Licenses Terms
BigScience OpenRAIL-M LicenseBigScience OpenRAIL-M Terms
CreativeML OpenRAIL-M LicenseCreativeML OpenRAIL-M Terms
Eclipse Public LicenseEclipse Public License Terms
Meta Llama 3 LicenseMeta Llama 3 License Terms
Falcon LicenseFalcon License Terms

Exhibit 2
Pass Through Terms

Google:

SLA: https://cloud.google.com/terms/sla

Disaster Recovery Plan:  https://cloud.google.com/solutions/dr-scenarios-planning-guide

Backup Environments:  https://cloud.google.com/solutions/dr-scenarios-planning-guide

AUP: https://cloud.google.com/terms/aup

Customer shall not use the Cloud Services for: (i) activities such as the operation of nuclear facilities, air traffic control, or life support systems, where the use or failure of the Cloud Services could lead to death, personal injury, or environmental damage.; (ii) creation of multiple web or other applications created using the Cloud Services; Cloud Services accounts; or groupings of computing, storage, and API resources in order to simulate or act as a single version of the same or otherwise access the Cloud Services in a manner intended to avoid incurring Pass Through Fees; (iii) use the Cloud Services to place calls or to receive calls from any public switched telephone network; or (iv) process or store any Customer Loaded Materials that is subject to the International Traffic in Arms Regulations maintained by the U.S. Department of State.

Exhibit 3
Service Level Agreement

The obligations and remedies in this Exhibit 3 are in addition to Mayo’s and Customer’s obligations elsewhere in the Terms. In the event of a conflict between this Exhibit 3 and any other terms of the Agreement or Order Form, this Exhibit shall control.

1. Background

1.1 Purpose

This document is a Service Level Agreement (“SLA”) between Mayo and Customer to document and define the internal working relationships for supporting the Hosted Environment. The SLA remains valid until revised or terminated. The goal of this SLA is to obtain consensus for service provision between Mayo’s and Customer’s teams.

1.2 Objectives

The objectives of this SLA are to:

  • Provide clear reference to service ownership, accountability, roles and/or responsibilities.
  • Present a clear, concise, and measurable description of service provision to Customer.

1.3 Definitions and Assumptions

For purposes of this Exhibit 3:

  • The term “Service Provider” refers to Mayo.
  • The term “Service Manager” refers to the leader on the Hosted Environment team responsible for the administration of these Terms.
  • “ServiceNow” means the Saas application used to provide ITSM (as defined herein) processes including but not limited to Incident, Change, Problem, Service catalog/request fulfillment processes.
  • This document represents the current configuration to support the Hosted Environment. Changes to the Hosted Environment service will be addressed as separate service projects outside the scope of this document. Such changes will not materially affect the terms of this SLA without a written amendment to this SLA.
  • Major upgrades are treated as a project outside the scope of this SLA.

2. Service Providers Roles and Responsibilities

The Hosted Environment is hosted on the third-party hosting cloud platform. Customer can request systems in an established environment which will provide a dynamically allocated computation space.

2.1 Service Provider

The Service Provider has the following responsibilities:

  1. Meet response times associated with the priority assigned to Customer incidents and service requests (see Section 4.02).
  2. Notify Customer in writing at least seven (7) business days prior to any all scheduled maintenance via the ServiceNow change management process which is based on Mayo’s IT Service Management (“ITSM”) urgency and impact processes.
  3. Facilitate all service support activities involving incident, problem, change, release, and configuration management.
  4. Training of Authorized User for use of MCP_Discover at mutually agreed upon times and for reasonable durations of time

2.2 Service Manager

The Service Manager has the following responsibilities:

  1. Act as a trustworthy intermediary for finding solutions.
  2. Oversee and ensure basic interoperability and security.
  3. Manage the integration and architectural infrastructure design for tight collaboration.
  4. Manage the customization and given capabilities with potential new functionality.
  5. Review response incident times and take corrective action to meet Customer’s requests as set out in this SLA.
  6. Verify that support staff are trained on service support tools.

3. Data Usage Level and Restrictions

The use of the Hosted Environment has the following usage level and restrictions.  

3.1 De-identified Information

The privacy and security of information is a priority concern for individuals using the Hosted Environment. Existing standards and restrictions concerning de-identified information are applicable. These include policies and security safeguards to protect unauthorized access of information. Customer must follow established Mayo standards for protecting de-identified information. The Terms and this Exhibit explicitly state obligations relative to the data. The Platform Data will be maintained in a secure data container.  This system will be secured such that only encrypted connections by Authorized User are permitted.  In addition, all interactions with the Platform Data will be recorded such that subsequent auditing and evaluation of a Authorized User’s actions can be reviewed. Customer Authorized Users who have authorized access to Platform Data are expected to adhere to the Mayo Clinic Code of Conduct, as may be updated from time to time, and must take the appropriate measures to ensure the data is protected from an Authorized User.

3.2 Usage Hours 

The hours of operation are seven days a week, 24 hours a day, 365 days a year outside of planned maintenance.

4. Problem Reporting and Resolution

The process for obtaining Hosted Environment support and reporting of incidents will be through ServiceNow. The use of ServiceNow will allow the Hosted Environment services team to respond to and record Customer’s requests. 

4.1 Service Provider Support Hours 

Normal business hours for Mayo are Monday – Friday 7 am – 6 pm CST. The Hosted Environment services team will provide availability of staff during normal business hours. Mayo shall provide a support service desk seven days a week, 24 hours a day, 365 days per year for technical issues relating to the Hosted Environment, available by calling 1-507-266-3500. If the support service desk is unable to resolve the issue, a ticket will be escalated to the applicable service team for additional troubleshooting. 

4.2 Mayo Clinic Incident Management Prioritization 

Prioritization of an incident is determined by reviewing incident urgency and its impact to the business, based on the severity levels set forth below.  The priority of the incident is used to determine the order which incidents shall be worked on. Higher priority incidents should take precedence over incidents with lower priority. Mayo shall provide Customer with updates on the status of Mayo’s efforts by telephone, e-mail, or such other means according to the table below, particularly during Critical or High severity incidents. Mayo shall respond to all Customer requests, and address all vulnerabilities, in accordance with the response and resolution times identified in the table below:

Severity Level Definition Response TargetResolution Target
CriticalAn incident shall be categorized as “Critical” if:
  • Authorized User are unable to complete their work, there is no viable workaround, and the health or safety of Customer’s staff or customers is threatened.
Acknowledgement of receipt of Customer request within fifteen (15) minutesMayo shall provide a solution as soon as practicable and no later than four (4) hours of such incident being notified to Mayo.
HighAn incident shall be categorized as “High” if:
  • Authorized User are unable to complete their work and there is no viable workaround;
  • service restoration must be completed immediately or there may be a significant loss to Customer of revenue, reputation, or productivity;
  • the incident threatens Customer’s ability to meet its operational goals; or
  • the incident will cause major legal, compliance or regulatory ramifications for Customer.
Acknowledgement of receipt of Customer request within one (1) hourMayo shall provide a solution as soon as practicable and no later than twenty-four (24) hours of such incident being notified to Mayo.
MediumAn incident shall be categorized as “Medium” if:
  • Authorized User are unable to complete their work, but there is a viable workaround; or
  • Authorized User are unable to complete their work, and there is no viable workaround; however, such service restoration can be delayed by up to five (5) business days without a significant loss to Customer’s productivity or operational goals.
Acknowledgement of receipt of Customer request within one (1) business dayMayo shall provide a solution as soon as practicable and no later than five (5) business days of such incident being notified to Mayo.
StandardAn incident shall be categorized as “Standard” if:
  • Authorized User are unable to complete their work, but there is a viable workaround; or
  • Authorized User are unable to complete their work, and there is no viable workaround; however, such service restoration can be delayed by up to seven (7) business days without a significant loss to Customer’s productivity or operational goals.
Acknowledgement of receipt of Customer request within two (2) business daysMayo shall provide a solution as soon as practicable and no later than seven (7) business days of such incident being notified to Mayo

As requested by Customer, in the event of a High severity incident, Mayo shall provide Customer as soon as reasonably practicable with a report specifying in reasonable detail Mayo’s performance in relation to the availability, service levels and other obligations of the Hosted Environment.   

5. Hosted Environment Maintenance/Support

Maintenance of the Hosted Environment including cloud infrastructure, software releases, and enhancement will occur on a periodic basis. Maintenance will be tracked via change management.  Incidents will be submitted and logged via Incident management. A change record will be issued against the environment and will inform Customer of planned maintenance. Any environmental outages for maintenance activities that impact the Authorized Users will be at forty-eight (48) hours in advance. 

5.1 Cloud environment management and administration responsibility and ownership 

Managing the Cloud environments used for Cloud deployments and their life cycles will be both Customer and Mayo’s responsibility. This will include monitoring, troubleshooting, providing consistency checks, and ensuring health of the cloud resources.

5.2 Technical Support

Mayo shall establish, sufficiently staff, and maintain the organization and processes necessary to provide technical support, troubleshooting, incident identification, isolation, response and remediation, and other assistance. The contact information for Mayo’s technical support organization shall be provided by Mayo from time to time, in any event upon Customer’s request. Mayo’s personnel shall provide Customer with technical guidance and expertise and will participate in high priority incident troubleshooting calls as reasonably requested by Customer from time to time.

5.3 Availability

Mayo will ensure that the Hosted Environment will have a minimum monthly availability service level of 95.0%, excluding scheduled downtime or emergency maintenance of the Hosted Environment. The Hosted Environment will be deemed unavailable, and subject to “downtime” in response to a High incident that requires an emergency change to remediate the issue. 

Scheduled downtime shall only occur during the hours of 10pm to 4am CST. 

5.4 Backup and Recovery

Mayo will be responsible for the initial backup of all Platform Data and for updates thereto provided by Mayo; however, Customer will be responsible for all backups of any analyses or machine learning conducted on such Platform Data. Mayo s not responsible for the backup and recovery of the Customer application host systems nor other files or artifacts residing upon the host systems.  It is the responsibility of Customer to maintain a secured copy of its data and Customer’s work (where applicable), outside of the Hosted Environment. The parties may agree otherwise in writing on a case-by-case basis. 

Exhibit 4
Customer Security Standards

This Exhibit shall be applicable in all cases in which Customer is permitted to access or use the Mayo Cloud and Platform Data (as defined herein), as applicable, pursuant to the Terms and underlying Agreement between Customer and Mayo. The Terms and said Agreement contain necessary and customary provisions including, without limitation, standard transaction representations and warranties and insurance, service levels and performance expectations, indemnification, and limitation of liability provisions that are customary for transactions of this type and size.

Customer has established and maintains environmental, safety, facility, and data security policies, procedures, and other safeguards designed to maintain the confidentiality, integrity, and availability of the Mayo Cloud and Platform Data, as applicable, and to prevent access, intrusion, alteration or other interference by any unauthorized third parties of the same, that are compliant with (i) the requirements of this Exhibit; (ii) applicable laws and regulations; and, solely to the extent not inconsistent with this Exhibit, (iii) industry best practices; and (iv) no less rigorous than those maintained by Customer for its own information. These policies, procedures, and safeguards shall be collectively referred to as “Customer Security Procedures.”

Except as otherwise limited in the Terms, Customer shall use the Mayo Cloud and Platform Data, as applicable, solely and exclusively for the purposes authorized by Mayo pursuant to the Terms and applicable Order Form. Customer will not, and will ensure that its Authorized Users (as defined herein) and subcontractors do not, use the Mayo Cloud or Platform Data, as applicable, other than as permitted or required by this Exhibit. Customer’s access and right to use the Mayo Cloud may be revoked at any time without prior cause or notice; provided however, that unless otherwise provided in an Order Form, Customer shall be entitled to an extension to the applicable Order Form and/or credits for future use as mutually agreed upon by the parties. Unless otherwise permitted in the Terms, Customer shall not de-identify (pursuant to all applicable legal requirements, including HIPAA) Platform Data or otherwise aggregate Platform Data without the prior written consent of Mayo.

In the event of a conflict among agreements between the parties regarding the security and protection of the Mayo Cloud, including, but not limited to, the Terms, the Agreement and any Order Form, the provision providing the most rigorous protection for the Mayo Cloud and Platform Data shall take precedence.

  1. Definitions.
    1. Security Incident”means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system with access to the Hosted Environment; provided, however, Customer shall not be required to report pings and other broadcast attacks on Customer’s firewall, port scans, unsuccessful log-on attempts, denial of service attacks, and any combination of the above, so long as no such incident results in the defeat or circumvention of any security control, or in the unauthorized access, use or disclosure of Platform Data, as applicable, or access to the Hosted Environment.
  2. Security Requirements. During the Term, Customer agrees that it will maintain a system with at least the following security requirements to access and use the Hosted Environment and Platform Data, as applicable.
    1. Asset Protection. Customer shall do the following things to protect the integrity and security of the Hosted Environment and Platform Data, as applicable:
      1. Customer shall employ up-to-date and commercially available virus, anti-malware, and other commercially reasonable system security agents (i.e. whitelisting) protection on devices and systems used to access the Hosted Environment, and such protection systems shall include real-time or periodic scans for viruses.
      2. Customer shall apply operating system service packs and security patches to any devices and systems used to access the Hosted Environment that may compromise or effect the confidentiality, integrity, or availability of the Hosted Environment and Platform Data, as applicable, as soon as practicable after they are released.
      3. Customer shall limit access to Platform Data solely to Customer owned and managed devices. Access to or use of the Hosted Environment is not permitted on any device other than Customer owned and managed devices.
      4. Customer shall employ procedures to determine whether any compromise of Platform Data, as applicable, has occurred (e.g. loss or modification of data).
    2. Customer shall ensure that access to the Hosted Environment via the internet shall be controlled via secure technologies employing cryptographic techniques and encryption.
    3. Access by Authorized Users. Customer shall limit access to the Hosted Environment and Platform Data, as applicable, to Customer’s Authorized User who need access to the Hosted Environment for the Customer’s business purposes as outlined in the Terms. Customer shall implement discretionary access controls designed to permit each Authorized User access to the Hosted Environment as necessary to accomplish assigned tasks on behalf of Customer. Remote access to the Hosted Environment must include a multi-factor or other authentication process and corresponding security controls as set forth in the Terms. All access that is not explicitly authorized is forbidden. Customer shall expressly prohibit its Authorized Users from copying or improperly disclosing the information stored in the Hosted Environment. Prior to being granted access to the Hosted Environment and/or Platform Data each Authorized User may be required by Mayo to accept certain end Authorized User terms and conditions. Failure to accept the terms will result in the Authorized User being denied access to the Hosted Environment and Platform Data.
    4. Access Control. Unless otherwise provided in an Order Form, Customer shall strictly control electronic access to the Hosted Environment and Platform Data, as applicable, in the following manner:
      1. Federated Identity Management. In connection with the performance of the Terms and applicable Order Form, Customer may obtain certain federated identity management services from Mayo, including provisioning/de-provisioning, authenticating, authorizing and enabling electronic communications between the parties’ respective systems (collectively, “FIMS”) to achieve the goal of “federated single sign-on” capabilities. Mayo may require use of FIMS by Customer as a condition for receiving certain Cloud Services from Mayo. Customer understands that use of the FIMS is a privilege, not a right, that can be terminated or suspended at any time, without prior notice, by Mayo to protect its systems and data, to protect it from liability, or to comply with applicable laws and regulations. Customer acknowledges and agrees termination of the FIMS will require the parties to cooperate to establish and implement alternative identity management methods and procedures that are mutually satisfactory to both parties for ongoing performance of the Terms and applicable Order Form.
        1. Reliance and Compliance.  Mayo is entitled to rely upon and to accept as authentic the credentials required for use of the FIMS. Customer represents and warrants that the use of the FIMS will be for (i) the sole purpose of creating and providing Authorized Users a login for accessing the Hosted Environment, and (ii) Authorized Users of the FIMS will comply with all applicable laws. Customer will be solely responsible for employing NIST, HITRUST, and/or ISO-compliant security procedures and policies with respect to its use of the FIMS, and that Mayo shall not have responsibility to verify Authorized Users’ identities or authorized access levels. Mayo is relying on Customer to utilize NIST, HITRUST, and/or ISO-compliant practices in regard to password policies, Authorized User provisioning and de-provisioning, and the creation of persistent, unique and static Authorized User IDs. Customer will use the FIMS in accordance with the reasonable instructions and reasonable policies established by Mayo from time-to-time and communicated to Customer.
        2. Implementation.  The parties will meet and confer in good faith and engage in such activities reasonably necessary to implement FIMS for use by Customer in connection with the Terms and applicable Order Form. The parties will be responsible for their own respective costs and expenses in implementing and using the FIMS.
        3. Security Incidents.  Customer will immediately notify the Privacy Officer of Mayo of any Security Incident involving the Customer’s internal systems which provisions and/or stores credentials to access the FIMS and associated Mayo systems. Notification may also be required under Section II.F. It is expected that the Customer has an identity management system in place with appropriate security logging, retention, and transaction sharing processes in place. Customer agrees to share any appropriate logs required for Mayo to complete any necessary forensics in the event of a Security Incident. It is therefore expected that any logs would be available for at least twelve (12) months. The notification referred to above may lead to the joint decision to cease all access (either directly or indirectly) to the FIMS and/or Mayo systems until the security issues are resolved to both parties’ mutual agreement.
        4. Termination.  Mayo may, in its sole discretion, terminate or suspend provision of the FIMS on written notice to Customer. In addition, provision of the FIMS will terminate on any expiration or termination of the Terms or applicable Order Form.
      2. Password Requirements. For Customers who cannot or do not wish to implement FIMS, each Authorized User shall utilize a password that meets the following password standard:
        1. HITRUST 01.d (version 9.1 or newer) – Level 2, plus 12-character password minimum and required password changes at least every 90 days.
      3. Electronic Access.
        1. If applicable, as described above, each Authorized User shall utilize the FIMS or have a unique identifier.
        2. Authorized Users shall be authenticated by one of the following methods: unique token, card key, biometric reader, or individual password. Authorized Users shall be advised that their unique identifier and authentication tool (e.g. password) shall not be shared with others.
        3. Where password authentication is employed to authenticate Authorized Users, Customer shall:
          1. Prohibit guest accounts;
          2. Instruct Authorized Users not to write down passwords or store them on hard copy or locally on devices; and
          3. Periodically review Authorized User accounts and inactivate them when access is no longer required.
      4. Revocation of Access Rights.  Mayo shall maintain a process to revoke Customer’s access rights or interrupt the connection to the Hosted Environment. Mayo may exercise such process at any time without prior cause or notice; provided however, that unless otherwise provided in an Order Form, such revocation shall entitle Customer to an extension to the applicable Order Form and/or credits for future use as mutually agreed upon by the parties.
    5. Communication Systems and Access to Information. During the Term, Customer will receive access to the Hosted Environment. Use of and access to the Hosted Environment is intended for legitimate business use related to Customer’s business. Customer acknowledges that Customer does not have any expectation of privacy as between Customer and Mayo in the use of or access to the Hosted Environment and that all communications made with the Hosted Environment are subject to Mayo’s scrutiny, use and disclosure, in Mayo’s discretion. Mayo reserves the right, for business purposes, to monitor, review, audit, intercept, access, archive, and/or disclose materials sent over, received by or from, or stored in the Hosted Environment. This includes, without limitation, email communications sent by Authorized Users across the internet and intranet from and to any domain name owned or operated by Mayo. This also includes, without limitation, any electronic communication system that has been used to access the Hosted Environment. Customer further agrees that Customer will use all appropriate security, such as, for example, encryption and passwords, to protect Platform Data from unauthorized disclosure (internally or externally) and that the use of such security does not give rise to any privacy rights in the communication as between Customer and Mayo. Mayo reserves the right to override any security passwords to obtain access to Customer accounts on the Hosted Environment.
    6. Security Incident Procedures. Customer will notify the Privacy Officer of Mayo, in writing, of any Security Incident affecting the Hosted Environment and Platform Data, as applicable, of which Customer becomes aware as soon as practicable but in no event more than three calendar days (3) after the discovery of the Security Incident.
      1. In any event, if a Security Incident caused by Customer requires notification to an individual or regulator under any law or regulation, Mayo will have sole control over the timing, content, and method of notification and Customer will promptly reimburse Mayo for all costs and expenses incurred as a result of the breach, including but not limited to, notice, print and mailing costs, and the costs of obtaining one year of credit reporting or monitoring services and identity theft insurance for the individuals whose data was or may have been compromised. Customer will mitigate, to the extent practicable, any harmful effect that is known to Customer of an unauthorized use or disclosure of Platform Data by Customer in violation of the requirements of this Exhibit, the Terms, applicable Order Form, or applicable law.
  3. Revocation of Access.
    1. In the event Customer fails to comply with the requirements of this Exhibit, Mayo may, without prior notice, suspend access to the Cloud Services and/or Platform Data until the failure is resolved.
    2. Customer’s Customer Security Procedures shall contain comprehensive change management procedures, including a requirement to remove a terminated or transferred Authorized User’s access (and Authorized Users without a job function that requires such access) immediately or no later than twenty-four (24) hours after termination or transfer, which shall include termination of: Hosted Environment credentials, Authorized User’s passwords, and VPN access to any physical or electronic access to the Hosted Environment, Platform Data, and any related assets, including, but not limited to the deactivating of any security tokens, card keys, Authorized User names, and passwords as applicable.
  4. Contractual Modifications.  Mayo reserves the right to renegotiate in good faith the terms of the Terms and the applicable Order Form, including this Exhibit upon a material change to the Customer Security Procedures or other security requirements provided herein.