Terms & Conditions

1. Acceptance of Terms

These Terms of Service ("Terms") are entered into by and between the health plan, payer, or other organization accessing or using the OneDash platform ("Customer," "you," or "your") and One Clinical Engine Inc., a Delaware corporation doing business as OneDash ("Company," "OneDash," "we," or "us"). These Terms, together with any executed Master Services Agreement ("MSA"), Statement of Work ("SOW"), Business Associate Agreement ("BAA"), and any other documents expressly incorporated herein, govern your access to and use of the OneDash software-as-a-service platform and associated services (collectively, the "Service" or "Services").

PLEASE READ THESE TERMS CAREFULLY BEFORE ACCESSING OR USING THE SERVICE. By executing an MSA, SOW, or other order document that references these Terms, or by accessing or using the Service, you accept and agree to be bound by these Terms. If you do not agree to these Terms, you may not access or use the Service.

The Service is a business-to-business ("B2B") enterprise software platform intended solely for use by authorized organizational customers and their designated personnel. These Terms are not intended for, and do not apply to, individual consumers or health plan members. If you are an individual accessing the Service on behalf of a Customer organization, you represent and warrant that you have the authority to bind that organization to these Terms.

2. Definitions

As used in these Terms, the following capitalized terms have the meanings set forth below:

• "Authorized Users" — employees, contractors, care managers, pharmacists, administrators, and other personnel of Customer who are authorized by Customer to access and use the Service on Customer's behalf.
• "BAA" — a Business Associate Agreement executed between OneDash and Customer governing the processing of Protected Health Information, as required under HIPAA.
• "Confidential Information" — any non-public information disclosed by one party to the other in connection with the Service that is designated as confidential or that reasonably should be understood to be confidential given the nature of the information and the circumstances of disclosure, including technical data, trade secrets, business plans, financial information, and the terms of any SOW or MSA.
• "Customer Data" — all data, information, and content submitted to or processed through the Service by Customer or its Authorized Users, including member data, claims data, EHR data, and other health-related information.
• "HIPAA" — the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations, including the HIPAA Privacy Rule (45 C.F.R. Parts 160 and 164) and the HIPAA Security Rule.
• "Managed Services" — the clinical staffing services described in Section 17, including pharmacist and pharmacy technician services provided by or arranged by OneDash on behalf of Customer.
• "MSA" — a Master Services Agreement executed between OneDash and Customer.
• "PHI" or "Protected Health Information" — has the meaning assigned to it under HIPAA, and refers to individually identifiable health information created, received, maintained, or transmitted by a Covered Entity or Business Associate.
• "Platform" — OneDash's proprietary SaaS platform, including all dashboards, analytics tools, care gap workflows, automated outreach features, AI-powered features, EHR integration capabilities, APIs, and associated software and documentation.
• "SOW" — a Statement of Work executed between OneDash and Customer specifying the scope of Services, fees, and other commercial terms applicable to a particular engagement.
• "TCPA" — the Telephone Consumer Protection Act, 47 U.S.C. § 227, and any regulations promulgated thereunder, including applicable Federal Communications Commission rules.

3. Changes to These Terms

OneDash reserves the right to modify these Terms at any time. Material changes will be communicated to Customer via email to the designated contact on file or through a prominent notice on the Service or OneDash website, at least thirty (30) days prior to the effective date of the change. Non-material changes take effect upon posting. Your continued use of the Service following notice of any changes constitutes acceptance of the updated Terms. The current version of these Terms is available at onedashengine.com. Any conflict between these Terms and an executed MSA or SOW shall be resolved in favor of the MSA or SOW with respect to the subject matter of that agreement.

4. Access to the Service and Account Security

Subject to Customer's compliance with these Terms and the terms of any applicable MSA and SOW, OneDash grants Customer a limited, non-exclusive, non-transferable, non-sublicensable right to access and use the Service during the applicable subscription or service term solely for Customer's internal business purposes.

Account Setup and Authorized Users

Customer is responsible for (a) provisioning and managing Authorized User accounts; (b) ensuring that Authorized Users are aware of and comply with these Terms; (c ) maintaining the confidentiality and security of all login credentials issued to Authorized Users; and (d) all activities that occur under Customer's account. Customer agrees to notify OneDash immediately at legal@onedashengine.com of any unauthorized access to or use of its account or any known or suspected security breach.

Access Restrictions

Customer shall not, and shall ensure that Authorized Users do not: (a) provide access to the Service to any person who is not an Authorized User; (b) sublicense, resell, or otherwise make the Service available to any third party; (c ) use the Service in any manner that exceeds the scope or usage rights specified in the applicable SOW; or (d) use the Service in a way that violates applicable law. OneDash reserves the right to suspend or terminate access to the Service in accordance with Section 15 if OneDash reasonably believes that a security risk exists or that Customer is in material breach of these Terms.

5. Intellectual Property Rights

OneDash IP

The Service and Platform, including all software, algorithms, workflows, dashboards, user interfaces, documentation, AI models, trademarks, and other content and technology comprising or underlying the Service, are owned exclusively by OneDash or its licensors and are protected by applicable intellectual property laws. These Terms do not transfer to Customer any ownership interest in the Service or any component thereof. All rights not expressly granted herein are reserved by OneDash.

Customer Data

As between the parties, Customer retains all right, title, and interest in and to Customer Data. Customer grants OneDash a limited, non-exclusive, royalty-free license to access, process, and use Customer Data solely to: (a) provide and operate the Service; (b) comply with OneDash's obligations under these Terms, the applicable MSA, SOW, and BAA; and ( c ) as otherwise instructed by Customer. OneDash will not use Customer Data for any purpose other than those expressly set forth herein, or as required by applicable law.

Feedback

If Customer or any Authorized User provides OneDash with suggestions, feedback, or ideas regarding the Service ("Feedback"), Customer grants OneDash a worldwide, perpetual, irrevocable, royalty-free license to use such Feedback for any purpose, including incorporating it into the Service, without any obligation of compensation or attribution.

Aggregated and De-Identified Data

OneDash may generate aggregated, anonymized, or de-identified data derived from Customer Data ("Aggregated Data") that does not identify Customer, any individual member, or any other individual, and may use such Aggregated Data to operate, improve, and develop the Service. OneDash does not use one Customer's data to benchmark, train models, or generate insights that identify or expose another Customer's data.

6. Trademarks

"OneDash," "One Clinical Engine," and associated logos and product names are trademarks or service marks of One Clinical Engine Inc. Customer must not use these marks without the prior written permission of OneDash. Nothing in these Terms grants Customer any right to use OneDash's trademarks, trade names, service marks, logos, domain names, or other distinctive brand features.

7. Prohibited Uses

Customer agrees to use the Service only for lawful purposes and in accordance with these Terms, the applicable MSA and SOW, and all applicable federal, state, and local laws and regulations. Without limiting the foregoing, Customer agrees not to:

• Use the Service in any manner that violates any applicable law or regulation, including HIPAA, TCPA, applicable state privacy laws, anti-kickback statutes, or any other federal or state healthcare law;
• Access or use the Service to process PHI without an executed BAA in place with OneDash;
• Use the Service to send automated communications to any individual without first obtaining all legally required consents, including any consents required under TCPA or applicable state telemarketing laws;
• Attempt to gain unauthorized access to, interfere with, damage, or disrupt any parts of the Service, its underlying infrastructure, or any data stored therein;
• Use the Service to introduce malware, viruses, or other malicious code;
• Reverse engineer, decompile, disassemble, or attempt to derive the source code of any software component of the Service;
• Scrape, harvest, or otherwise collect data from the Service using automated means not authorized by OneDash;
• Share PHI or other sensitive data with the Service's AI features except as expressly permitted under an applicable BAA;
• Use or permit use of the Service in any manner that could damage OneDash's reputation or expose OneDash to liability.

8. Customer Regulatory Compliance

Customer is solely responsible for ensuring that its use of the Service — including all workflows, programs, and communications conducted through the Platform — complies with all applicable federal, state, and local laws and regulations. This includes, without limitation, HIPAA and applicable state health privacy laws, the TCPA and applicable state telemarketing and communication laws, federal and state fraud and abuse laws (including the Anti-Kickback Statute and Stark Law to the extent applicable), applicable state pharmacy and clinical practice laws, and any other regulatory requirements governing Customer's health plan operations, member engagement programs, or clinical activities.

OneDash does not provide legal or regulatory compliance advice. The availability of a feature or workflow within the Service does not constitute a representation by OneDash that Customer's use of that feature or workflow complies with applicable law. Customer should consult its own legal counsel regarding compliance obligations applicable to its use of the Service.

OneDash does not provide medical care, treatment, or healthcare services to individuals and is not a Covered Entity under HIPAA. OneDash acts solely as a technology platform provider and Business Associate to its health plan customers.

9. Automated Member Outreach and TCPA Compliance

Outreach Features

The Service includes features that enable Customer to conduct automated outreach to its health plan members, including automated SMS messages, voice calls, fax, email, and other communications, as part of care gap closure, medication adherence, and quality improvement workflows. OneDash sends these communications strictly as a service provider acting on behalf of and under the direction of Customer.

Customer's TCPA Obligations

Customer is solely and exclusively responsible for:

• Obtaining all legally required prior express written consents from health plan members prior to initiating any automated outreach through the Service, in full compliance with TCPA and any applicable state law governing automated communications;
• Ensuring that the content of all communications transmitted through the Service is accurate, lawful, and compliant with applicable laws;
• Maintaining complete and accurate records of member consents and making such records available to OneDash upon request;
• Honoring all member opt-out requests in a timely manner, including implementing opt-out mechanisms that comply with TCPA;
• Ensuring that Customer's use of the Service's outreach features does not violate any applicable healthcare law, including laws governing patient communications or clinical decision-making.

OneDash's Role

OneDash designs the Platform to include technical features intended to support TCPA-compliant operations, including opt-out processing and consent management tools. However, OneDash does not independently verify the sufficiency or validity of consents obtained by Customer, and OneDash's provision of these technical tools does not constitute legal advice or a representation that Customer's use of the Service complies with TCPA or any other law. Customer bears full and independent legal responsibility for its own TCPA compliance.

Mobile opt-in data and consent information collected in connection with member outreach programs conducted through the Platform is used solely to deliver the communications authorized by Customer and will not be shared with any third party for marketing or promotional purposes.

TCPA Indemnification

Without limiting Section 19 (Indemnification), Customer agrees to defend, indemnify, and hold harmless OneDash and its affiliates, officers, directors, employees, agents, and service providers from and against any and all claims, demands, liabilities, damages, fines, penalties, settlements, costs, and expenses (including reasonable attorneys' fees) arising out of or related to: (a) any alleged violation of TCPA or applicable state communication laws in connection with Customer's use of the Service's outreach features; (b) Customer's failure to obtain or maintain adequate member consents; or ( c ) the content of communications transmitted through the Platform by or on behalf of Customer.

10. AI CoPilot and AI-Powered Features

Description

The Service includes AI-powered features, including but not limited to the OneDash AI CoPilot ("AI Features"), which assists care teams with medication intelligence, comprehensive medication reviews, drug interaction monitoring, care gap identification, and clinical decision support. AI Features process inputs submitted by Authorized Users and return machine-generated outputs using large language model ("LLM") technology.

Not Medical Advice

AI Features are provided for informational and decision-support purposes only and do not constitute the practice of medicine, pharmacy, nursing, or any other licensed healthcare profession. AI Feature outputs are machine-generated and may not always be accurate, complete, current, or appropriate for a particular patient or clinical situation. All clinical recommendations, guidance, or information produced by AI Features must be independently reviewed and evaluated by a qualified, licensed healthcare professional before being acted upon. OneDash does not warrant the accuracy of AI-generated outputs and is not liable for decisions made in reliance on them.

Customer acknowledges and agrees that: (a) AI Features should not be used as a substitute for professional medical judgment; (b) AI Feature outputs may contain errors or omissions; ( c ) AI Features are subject to ongoing modification and improvement; and (d) Customer assumes all risk associated with its reliance on or use of AI Feature outputs. Customer is solely responsible for all clinical decisions, care delivery, and patient outcomes arising from its use of the Service, including any reliance on AI Feature outputs.

PHI and AI Features

Authorized Users must not submit PHI into AI Features unless Customer has executed a BAA with OneDash that expressly covers AI feature usage and appropriate safeguards are in place for such processing. If Customer is uncertain whether its BAA covers AI feature usage, Customer should contact its OneDash account manager or privacy@onedashengine.com before submitting any PHI.

Third-Party LLM Providers

To power AI Features, inputs submitted by Authorized Users may be transmitted to third-party LLM providers engaged by OneDash. OneDash does not share Authorized User account information — such as names, usernames, or email addresses — with third-party LLM providers. Where AI Features process PHI, such processing occurs only as permitted under the applicable BAA.

11. EHR Integrations, API Access, and Data Feeds

EHR Integrations

OneDash offers unidirectional and bidirectional EHR integration capabilities as described in applicable SOWs. Customer is responsible for: (a) obtaining all necessary authorizations and approvals from EHR vendors to enable such integrations; (b) ensuring that any data transmitted through EHR integrations complies with applicable HIPAA requirements and is covered by an executed BAA; and ( c ) maintaining the accuracy and integrity of data submitted through EHR integrations. OneDash shall implement integrations in accordance with the specifications set forth in applicable SOWs and is not responsible for the accuracy, completeness, or timeliness of data originating from Customer's EHR systems, nor for any failures, outages, or errors caused by third-party EHR systems or other external platforms outside OneDash's control.

API Access

To the extent an SOW grants Customer API access or custom data feeds, such access is subject to the technical specifications, usage limits, and security requirements set forth in that SOW and OneDash's API documentation. Customer shall not use API access in a manner that: (a) disrupts or degrades the Service; (b) circumvents rate limits or other technical controls; or ( c ) is inconsistent with these Terms or the applicable SOW.

12. HIPAA, Protected Health Information, and Business Associate Agreements

OneDash as Business Associate

OneDash operates as a Business Associate (as defined under HIPAA) to its health plan customers, which are Covered Entities under HIPAA. OneDash processes PHI on behalf of and under the direction of Customer solely as permitted by the applicable BAA and consistent with HIPAA. OneDash does not provide medical care, treatment, or healthcare services to individuals and is not a Covered Entity under HIPAA. OneDash acts solely as a technology platform provider and Business Associate to its health plan customers and does not have a direct HIPAA relationship with health plan members whose data flows through the Platform.

BAA Requirement

No Customer may submit, upload, or transmit any PHI to the Platform without first executing a BAA with OneDash. The BAA governs the permitted uses and disclosures of PHI, security obligations, breach notification procedures, and data return or destruction upon termination. If Customer has not yet executed a BAA, Customer must contact legal@onedashengine.com before submitting any PHI. Customer acknowledges and agrees that OneDash's execution of an MSA or SOW does not, by itself, constitute or substitute for a BAA.

Security

OneDash implements administrative, physical, and technical safeguards designed to protect PHI in accordance with the HIPAA Security Rule, as further described in the applicable BAA and OneDash's security documentation. Customers may request OneDash's security documentation by contacting privacy@onedashengine.com.

Member Rights

Health plan members whose PHI is processed through the Platform should direct requests to exercise HIPAA rights to Customer. OneDash will cooperate with Customer in responding to member rights requests as required by the applicable BAA and HIPAA.

13. Data Ownership, Confidentiality, and Data Use

Data Ownership

As between the parties, all Customer Data (including PHI and member data) remains the exclusive property of Customer. OneDash acquires no ownership rights in Customer Data. OneDash shall process Customer Data only as necessary to provide the Service and as directed by Customer, or as required by applicable law.

Confidentiality Obligations

Each party agrees to: (a) hold the other party's Confidential Information in strict confidence using at least the same degree of care it uses for its own confidential information, but in no event less than reasonable care; (b) not disclose Confidential Information to any third party without the disclosing party's prior written consent, except as necessary to perform obligations or exercise rights under these Terms; and ( c ) use Confidential Information solely for purposes of performing its obligations or exercising its rights under these Terms. These obligations do not apply to information that: (i) is or becomes publicly known through no breach of these Terms; (ii) was rightfully known by the receiving party prior to disclosure; (iii) is independently developed by the receiving party without use of the Confidential Information; or (iv) is required to be disclosed by law or court order, provided reasonable advance notice is given.

No Cross-Customer Data Use

OneDash shall not use Customer Data to benchmark, train, or derive insights that identify or expose any other customer's data. Aggregated Data generated by OneDash will not identify Customer or any individual.

Data Upon Termination

Upon termination or expiration of the applicable SOW or MSA, OneDash will handle Customer Data in accordance with the terms of such SOW or MSA and the applicable BAA, including with respect to return and destruction of PHI. OneDash may retain backup copies for a limited period following termination, after which such data will be securely deleted.

14. Service Levels and Support

Service Level Commitments

OneDash will use commercially reasonable efforts to maintain the availability and performance of the Service in accordance with the service level commitments set forth in applicable SOWs. Unless otherwise specified in an SOW, OneDash's baseline support response targets are:

• Priority 1 (P1) — Critical Issues — Service unavailable or data integrity materially impacted. Target initial response: 2 business hours.
• Priority 2 (P2) — Major Issues — Core feature unavailable or severely degraded. Target initial response: 8 business hours.
• Priority 3 (P3) — Minor Issues — Non-critical feature degraded or minor bug. Target initial response: 2 business days.

These response targets are goals and not guaranteed service levels unless otherwise expressly specified as binding commitments in an applicable SOW. Support requests should be submitted to OneDash's designated support channel as specified in the applicable SOW or communicated during onboarding.

Planned Maintenance

OneDash will provide reasonable advance notice of planned maintenance that is expected to affect Service availability and will use commercially reasonable efforts to schedule maintenance during low-usage periods.

No Guarantee of Uninterrupted Service

OneDash does not guarantee uninterrupted or error-free operation of the Service. OneDash is not liable for outages or performance degradation caused by factors outside OneDash's reasonable control, including Customer's infrastructure, third-party services, force majeure events, or factors arising from Customer's data or configuration.

15. Term and Termination

Term

The term of these Terms begins on the date Customer first executes an MSA or SOW incorporating these Terms and continues until all applicable SOWs have expired or been terminated, unless earlier terminated in accordance with this Section.

Termination for Cause

Either party may terminate these Terms or any applicable SOW upon written notice if the other party materially breaches these Terms or such SOW and fails to cure such breach within thirty (30) days after receiving written notice specifying the breach. OneDash may immediately suspend or terminate Customer's access, without prior notice, if: (a) Customer's use of the Service poses an immediate security risk; (b) Customer fails to pay undisputed amounts when due after a cure period; or ( c ) Customer uses the Service in a manner that violates applicable law, including HIPAA.

Termination for Convenience

Either party may terminate any SOW for convenience upon the notice period specified in that SOW. In the absence of a specified notice period, sixty (60) days' written notice is required. Termination for convenience does not relieve Customer of any payment obligations for Services rendered or fees committed prior to the effective date of termination.

Effect of Termination

Upon any termination or expiration: (a) Customer's right to access and use the Service immediately ceases; (b) each party will return or destroy the other party's Confidential Information in accordance with the applicable agreement; ( c ) Customer Data and PHI will be handled as set forth in Section 13 and the applicable BAA; (d) any accrued payment obligations survive; and (e) Sections 5, 6, 13, 16, 18, 19, 20, 28, 29, and 30 of these Terms survive any termination or expiration.

16. Fees and Payment

All fees for the Service are set forth in the applicable SOW or MSA. Unless otherwise specified, OneDash invoices Customer monthly in arrears, and payment is due net thirty (30) days from the invoice date. Customer is responsible for all taxes associated with its purchase of Services, excluding taxes on OneDash's income. Amounts not paid when due are subject to a late payment fee of the lesser of 1.5% per month or the maximum rate permitted by applicable law. OneDash reserves the right to suspend Service for nonpayment of undisputed invoices following reasonable written notice and a cure period as specified in the applicable MSA or SOW. All fee commitments are governed by the applicable MSA or SOW, which controls in the event of any conflict with these Terms.

17. Managed Services and Clinical Staffing

Scope of Managed Services

To the extent an applicable SOW provides for Managed Services, OneDash may provide clinical staffing services, including licensed pharmacists and pharmacy technicians, to perform comprehensive medication reviews (CMR), medication adherence calls, pharmacy coordination, and related services on behalf of Customer. Managed Services are a distinct service layer separate from the SaaS platform license and are subject to the specific terms and pricing set forth in the applicable SOW.

Independent Professional Judgment

Pharmacists and pharmacy technicians providing Managed Services exercise their independent professional judgment in accordance with applicable state and federal law, their professional licenses, and applicable clinical standards. OneDash does not direct the clinical content of professional judgment exercised by licensed pharmacists. Customer acknowledges that pharmacists providing Managed Services are acting within their scope of professional practice and that OneDash is not responsible for clinical outcomes arising from the exercise of independent professional judgment by licensed staff.

No Employment Relationship

The provision of clinical staffing services under these Terms does not create an employer-employee relationship between Customer and OneDash or between Customer and any individual staff member. Clinical staff provided by OneDash perform Managed Services on behalf of Customer under Customer's program direction, subject to their independent professional obligations.

Customer's Oversight Obligations

Customer is responsible for: (a) providing appropriate clinical oversight and program direction for Managed Services staff performing work on its behalf; (b) ensuring that the clinical protocols and program materials provided to Managed Services staff comply with applicable law; and ( c ) maintaining appropriate records of services performed on Customer's behalf.

Clinical Liability

OneDash's clinical staffing services are performed on behalf of Customer. Customer retains ultimate responsibility for its clinical programs, patient engagement strategies, member safety, and any outcomes resulting from Managed Services. OneDash is not liable for clinical outcomes or adverse events arising from Customer's program design, from member-specific clinical decisions, or from circumstances outside OneDash's reasonable control. Each party shall maintain appropriate insurance coverage for its respective activities.

18. Disclaimer of Warranties

THE SERVICE IS PROVIDED "AS IS" AND "AS AVAILABLE" WITHOUT ANY WARRANTIES OF ANY KIND, EXPRESS OR IMPLIED. TO THE FULLEST EXTENT PERMITTED BY APPLICABLE LAW, ONEDASH AND ITS AFFILIATES, LICENSORS, AND SERVICE PROVIDERS EXPRESSLY DISCLAIM ALL WARRANTIES, WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE, INCLUDING WITHOUT LIMITATION: (A) ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, AND NON-INFRINGEMENT; (B) ANY WARRANTY THAT THE SERVICE WILL BE UNINTERRUPTED, ERROR-FREE, SECURE, OR VIRUS-FREE; ( C ) ANY WARRANTY REGARDING THE ACCURACY, COMPLETENESS, OR RELIABILITY OF ANY INFORMATION PROVIDED THROUGH THE SERVICE, INCLUDING AI FEATURE OUTPUTS; AND (D) ANY WARRANTY THAT THE SERVICE WILL MEET CUSTOMER'S REQUIREMENTS OR EXPECTATIONS. THE FOREGOING DOES NOT AFFECT ANY WARRANTIES THAT CANNOT BE EXCLUDED OR LIMITED UNDER APPLICABLE LAW.

19. Indemnification

Customer's Indemnification Obligations

Customer agrees to defend, indemnify, and hold harmless OneDash and its affiliates, officers, directors, employees, agents, licensors, and service providers from and against any claims, liabilities, damages, judgments, awards, losses, costs, expenses, and fees (including reasonable attorneys' fees) arising out of or relating to:

• Customer's violation of these Terms, including any breach of Customer's TCPA obligations under Section 9;
• Customer's misuse of the Service or use of the Service in violation of applicable law;
• Any automated communications sent through the Service on Customer's behalf, including any claims arising under TCPA or applicable state telemarketing laws;
• Customer's failure to obtain or maintain required member consents;
• Any unauthorized processing or disclosure of PHI by Customer or its Authorized Users;
• The content of communications transmitted through the Platform by or on behalf of Customer;
• Customer's violation of any third party's intellectual property rights in Customer Data;
• Customer's program design or clinical protocols in connection with Managed Services; and
• Customer's failure to comply with its BAA obligations.

OneDash's Indemnification Obligations

OneDash agrees to defend, indemnify, and hold harmless Customer from and against any third-party claims alleging that the Platform, as provided by OneDash and used by Customer in accordance with these Terms, infringes any United States patent, copyright, trademark, or trade secret. OneDash's indemnification obligation does not apply to the extent that a claim arises from: (a) Customer Data; (b) Customer's modification of the Service or use in a manner not authorized by these Terms; ( c ) Customer's combination of the Service with products not provided by OneDash; or (d) Customer's continued use after OneDash notifies Customer to discontinue use due to a potential infringement claim.

Procedure

The indemnified party shall: (a) promptly notify the indemnifying party in writing of any claim; (b) grant the indemnifying party sole control of the defense and settlement; and ( c ) provide reasonable cooperation. The indemnifying party may not settle any claim that imposes obligations or liability on the indemnified party without the indemnified party's prior written consent.

20. Limitation of Liability

TO THE FULLEST EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT SHALL ONEDASH, ITS AFFILIATES, LICENSORS, OR SERVICE PROVIDERS BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, EXEMPLARY, OR PUNITIVE DAMAGES, INCLUDING BUT NOT LIMITED TO LOSS OF PROFITS, LOSS OF DATA, LOSS OF GOODWILL, BUSINESS INTERRUPTION, OR THE COST OF SUBSTITUTE SERVICES, REGARDLESS OF THE THEORY OF LIABILITY AND WHETHER OR NOT ONEDASH HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

TO THE FULLEST EXTENT PERMITTED BY APPLICABLE LAW, ONEDASH'S TOTAL CUMULATIVE LIABILITY TO CUSTOMER ARISING OUT OF OR RELATED TO THESE TERMS OR THE SERVICE SHALL NOT EXCEED THE TOTAL FEES PAID OR PAYABLE BY CUSTOMER TO ONEDASH IN THE TWELVE (12) MONTHS IMMEDIATELY PRECEDING THE EVENT GIVING RISE TO THE CLAIM.

The foregoing limitations do not apply to: (a) Customer's indemnification obligations under Section 19; (b) Customer's payment obligations under Section 16; ( c ) a party's breach of its confidentiality obligations under Section 13; (d) damages arising from a party's gross negligence or willful misconduct; (e) obligations arising under applicable data protection or healthcare laws, including HIPAA, to the extent such obligations cannot be contractually limited; or (f) any other liability that cannot be limited under applicable law. The limitation of liability in this Section reflects a reasonable allocation of risk and is a fundamental basis of the bargain between the parties.

21. Security

OneDash maintains a security program designed to protect the Service and Customer Data against unauthorized access, use, disclosure, alteration, and destruction. OneDash's security program includes administrative, physical, and technical safeguards consistent with industry standards and HIPAA requirements where applicable. Customers may request OneDash's security documentation, including any available security assessments or certifications, by contacting privacy@onedashengine.com.

Customer is responsible for maintaining the security of its own systems, network environments, and Authorized User credentials. Customer agrees to implement reasonable security controls for access to the Service, including multi-factor authentication where required by OneDash or applicable law. Customer shall promptly notify OneDash of any known or suspected security incident affecting Customer's access to or use of the Service.

22. Monitoring and Enforcement

OneDash reserves the right to monitor use of the Service to ensure compliance with these Terms, applicable law, and OneDash's security policies. OneDash may take any action it deems necessary or appropriate in its reasonable discretion, acting in good faith, including suspension of access or termination of Customer's account, if OneDash determines that Customer has violated these Terms or applicable law. Where reasonably practicable, OneDash will provide Customer with notice before taking enforcement action and an opportunity to cure, except where immediate action is required to address a security risk or ongoing legal violation. OneDash will cooperate with law enforcement authorities or courts as required by applicable law.

23. Content Standards and Acceptable Use

All content and data submitted to the Service by Customer or its Authorized Users must comply with applicable federal, state, local, and international laws and regulations. Without limiting the foregoing, Customer shall not submit to the Service any content that: (a) violates any applicable law or regulation; (b) infringes any third party's intellectual property rights; ( c ) contains PHI in violation of the BAA requirement under Section 12; (d) is defamatory, fraudulent, misleading, or constitutes harassment; or (e) introduces malicious code or compromises the security or integrity of the Service.

24. Third-Party Services and Links

The Service may include integrations with or links to third-party services, applications, or websites. OneDash does not control and is not responsible for the content, privacy practices, or terms of any third-party services. Customer's use of any third-party services is governed by the applicable third-party terms and conditions. OneDash is not liable for any loss or damage arising from Customer's use of third-party services.

25. Changes to the Service

OneDash reserves the right to modify, update, or discontinue any feature or component of the Service at any time with reasonable notice. OneDash will use commercially reasonable efforts to provide Customer with advance notice of changes that materially affect functionality committed under an applicable SOW. OneDash is not liable for any changes to the Service that do not materially impair the core functionality committed in an applicable SOW.

26. Privacy

OneDash's collection and use of information about platform users and website visitors is governed by OneDash's Privacy Policy, available at onedashengine.com, which is incorporated into these Terms by reference. Processing of PHI is governed by the applicable BAA, not the Privacy Policy. By accessing or using the Service, Customer acknowledges the Privacy Policy on behalf of its Authorized Users.

27. Copyright Infringement

OneDash respects intellectual property rights. If you believe that any content on the Service infringes your copyright, please contact us at legal@onedashengine.com with the following information: (a) a description of the copyrighted work you claim has been infringed; (b) a description of where the allegedly infringing material is located on the Service; ( c ) your contact information; (d) a statement that you have a good faith belief that the use is not authorized by the copyright owner; and (e) a statement, under penalty of perjury, that your claim is accurate and that you are authorized to act on behalf of the copyright owner.

28. Governing Law and Jurisdiction

These Terms and any dispute or claim arising out of or related thereto (including non-contractual disputes or claims) shall be governed by and construed in accordance with the internal laws of the State of Delaware, without giving effect to any choice or conflict of law provision or rule.

Any legal suit, action, or proceeding arising out of or related to these Terms or the Service shall be instituted exclusively in the federal courts of the United States or the courts of the State of Delaware. Customer waives any and all objections to the exercise of jurisdiction over it by such courts and to venue in such courts.

Notwithstanding the foregoing, OneDash retains the right to bring any suit, action, or proceeding against Customer for breach of these Terms in Customer’s jurisdiction of residence or any other relevant jurisdiction.

The foregoing is subject to any alternative dispute resolution mechanism agreed to by the parties in an applicable MSA or SOW.

29. Arbitration

These Terms do not contain a mandatory arbitration clause. The parties may elect to resolve disputes through binding arbitration, but only if they have expressly agreed to do so in a written MSA or SOW. Any such arbitration agreement, if present, shall specify the applicable rules (such as those of the American Arbitration Association), the seat of arbitration, and the governing law. In the absence of a written arbitration agreement in an applicable MSA or SOW, all disputes shall be resolved through litigation in accordance with Section 28.

30. Limitation on Time to File Claims

ANY CAUSE OF ACTION OR CLAIM ARISING OUT OF OR RELATING TO THESE TERMS OR THE SERVICE MUST BE COMMENCED WITHIN TWO (2) YEARS AFTER THE CAUSE OF ACTION ACCRUES; OTHERWISE, SUCH CAUSE OF ACTION OR CLAIM IS PERMANENTLY BARRED. NOTHING IN THIS SECTION LIMITS THE APPLICABLE STATUTE OF LIMITATIONS WITH RESPECT TO CLAIMS THAT CANNOT BE SHORTENED UNDER APPLICABLE LAW.

31. Waiver and Severability

No waiver by OneDash of any term or condition of these Terms shall be deemed a further or continuing waiver of such term or condition, and any failure by OneDash to assert a right or provision under these Terms shall not constitute a waiver of such right or provision. If any provision of these Terms is held by a court of competent jurisdiction to be invalid, illegal, or unenforceable, such provision shall be modified to the minimum extent necessary to make it enforceable, and the remaining provisions shall continue in full force and effect.

32. Entire Agreement

These Terms, together with the Privacy Policy, any executed MSA, SOW, BAA, and any other documents expressly incorporated by reference herein, constitute the entire agreement between Customer and OneDash with respect to the Service and supersede all prior and contemporaneous understandings, agreements, representations, and warranties, both written and oral, with respect to the Service. In the event of a conflict between these Terms and an executed MSA or SOW, the MSA or SOW controls with respect to the subject matter of that agreement.

33. Assignment

Customer may not assign or transfer any rights or obligations under these Terms without OneDash's prior written consent. OneDash may assign these Terms or any rights or obligations hereunder, without consent, in connection with a merger, acquisition, or sale of all or substantially all of OneDash's assets. Any purported assignment in violation of this Section is void. These Terms are binding on and inure to the benefit of the parties and their respective permitted successors and assigns.

34. Force Majeure

Neither party shall be liable for any delay or failure to perform its obligations under these Terms (other than payment obligations) to the extent that such delay or failure is caused by events or circumstances beyond that party's reasonable control, including acts of God, natural disasters, war, terrorism, civil unrest, government action, labor disputes, or failures of third-party infrastructure. The affected party shall provide prompt written notice and shall use commercially reasonable efforts to resume performance as soon as practicable.

35. Notices

All notices, requests, or other communications required or permitted under these Terms shall be in writing and delivered to:

OneDash: One Clinical Engine Inc. d/b/a OneDash, 1444 I St NW, Suite 600, Washington, DC 20005, Attn: Legal, legal@onedashengine.com.

Customer: The address or email designated in the applicable MSA or SOW, or as updated by Customer in writing. Notices will be deemed received when personally delivered, when delivered by a recognized overnight courier, or three (3) business days after being sent by certified mail, return receipt requested.

36. Contact Information

If you have questions, comments, or concerns about these Terms, please contact us at:

One Clinical Engine Inc. d/b/a OneDash
1444 I St NW, Suite 600
Washington, DC 20005
Email: legal@onedashengine.com
Website: onedashengine.com

‍