phiCert™ Relying Party Agreement

Updated October 5, 2019

This is a legal agreement ("Agreement") between "you" or "Relying Party" and California Mediterranean, LLC dba EMR Direct ("EMR Direct" or "Company"). BY USING OR OTHERWISE RELYING UPON A DIGITAL CERTIFICATE ISSUED BY COMPANY, YOU ARE CONSENTING TO BE BOUND BY ITS TERMS. WHEREAS, Company has issued one or more Certificates (defined below); WHEREAS, Relying Party desires to use or otherwise rely upon the Certificates; NOW THEREFORE, in consideration of the foregoing and the mutual covenants hereinafter set forth, the parties hereby agree:

1. Definitions and Abbreviations: "Certificates" means one or more X.509 digital certificates issued by Company. "Subscriber" means an individual or organization that has been issued Certificates by Company. "Relying Party" means an individual or organization that uses or otherwise relies upon Certificates in order to exchange information with a Subscriber. "CP/CPS" means the current version of the phiCert Certification Authority Certificate Policy and Certification Practices Statement on the date this agreement is entered into, as amended from time to time thereafter, located at https://www.phicert.com/cps. "PKI" means Public Key Infrastructure. "CA" means certification authority. "CAs" means certification authorities.

2. Relying Party Obligations: Relying Party agrees that assent to the terms of this Agreement is a condition of using or otherwise relying upon Certificates. Relying Party agrees that Relying Party is solely responsible for determining the suitability of a Certificate for a particular use in accordance with the CP/CPS. Relying Parties that are also Subscribers agree to be bound to the terms of both this Agreement and their respective Subscriber Agreement(s) when using Certificates. Relying Party acknowledges that EMR Direct is not responsible for assessing the appropriateness of the use of Certificates by Relying Party for any given purpose. Relying Party agrees that before any act of reliance, Relying Party must: (a) be familiar with the CP/CPS; (b) independently assess the appropriateness of the use of Certificates for any given purpose, including, but not limited to, consideration of the level of assurance asserted, and examination of all certificate extensions, including key usage and extended key usage extensions; (c) determine that Certificates will, in fact, be used for an appropriate purpose, and not for a restricted or prohibited purpose, as described in this Agreement or in the CP/CPS; (d) use appropriate hardware and/or software to properly apply the appropriate technical methods to perform digital signature verification or any other cryptographic operation they wish to perform; (e) identify the certificate chains of issuing certification authorities from the Certificates upon which they wish to rely up to and including the corresponding root certificates and verify that the digital signature on each and every certificate in the certificate chains, including the Certificates upon which they wish to rely, is a valid signature of the certification authority issuing that certificate; (f) verify that the basic constraints extension of every certificate in the certificate chain is compatible with its use in the chain in accordance with the CP/CPS; (g) verify that each and every certificate in the certificate chain is not revoked, in accordance with the CP/CPS; if no valid certificate revocation list is available, Relying Party agrees that it should not be assumed that a Certificate is not revoked; (h) further verify trust in accordance with any verification procedures or methods described in the Direct Project Applicability Statement; (i) determine, in Relying Party's sole discretion, how often to re-check for updated revocation data if caching of unexpired and valid certificate revocation lists is employed; and (j) evaluate the threats and vulnerabilities that Relying Party is willing to accept based on the sensitivity or significance of the information to be exchanged; Relying Party agrees that this evaluation must be performed by each Relying Party and is not controlled by this agreement or by the CP/CPS.

Relying Parties acknowledge that as a condition of using or otherwise relying on a Certificate: (a) they have sufficient information to make an informed decision as to the extent to which they choose to rely on the information in said Certificate, including knowledge of PKI, of the use of digital certificates, and of our policies; (b) they are solely responsible for deciding whether or not to rely on such information, and (c) they shall bear any and all legal consequences of their failure to perform the Relying Party obligations listed in the Agreement and/or in the CP/CPS.

Relying Party agrees that Relying Party must NOT rely on a Certificate if any of the following is true: (a) the level of assurance provided by the Certificate is not appropriate for the certificate use required; (b) the verification procedures above are unsuccessful; (c) one or more of the Certificates in the Certificate Chain, including the Certificate upon which Relying Party wishes to rely, is expired, is not yet valid, or has been revoked.

If all of the checks described above are successful, then Relying Party is entitled to rely on the Certificate only if reliance upon the Certificate is reasonable under the circumstances. Relying Party agrees that if circumstances warrant additional assurances, that it is the sole responsibility of the Relying Party to obtain such assurances before reliance on the Certificate can be deemed reasonable. Relying Party agrees that if government statute or regulation requires the Relying Party to have additional agreements in place with the Certificate holder prior to using the Certificate or public key, then it is the sole responsibility of the Relying Party to execute the required agreements before using the Certificate or public key.

3. Permitted Uses. Relying Parties agree that Relying Parties may use Certificates only for securing the electronic exchange of information, and related applications, in a manner compliant with the security and privacy rules of HIPAA and HITECH and any other applicable law or regulation, and in a manner consistent with the terms of this Agreement.

4. Prohibited Uses. Relying Parties agree that Relying Parties are prohibited from monitoring, interfering with, or reverse engineering the technical aspects of our PKI, or intentionally compromising the security of our PKI. Relying Parties further agree that: (a) Certificates shall be used only to the extent permitted by applicable law, including specifically any applicable import or export laws; (b) Certificates shall not be used for purposes other than described in Section 3 above; (c) Certificates shall not be used for purposes inconsistent with the permitted key usage and extended key usage asserted in each Certificate; and (d) Certificates shall not be used for any application whose failure could lead to injury or death, examples including, but not limited to, any application used as a substitute for direct verbal communication with clinicians in life-threatening situations or for communication of critical medical results.

5. Repository. The documents in our public document repository are available on our public Internet website for those with a legitimate reason to view these materials. The CA certificates and certificate revocation lists published by our CAs are available for download by Relying Parties at the location specified within the Certificates issued by each of our CAs.

Relying Party acknowledges that any access or use of any public repository materials by Relying Party shall be deemed acceptance of the terms of the CP/CPS and this Agreement. At our sole discretion, we may require any party to provide their legitimate reason for viewing these materials prior to releasing them, or we may terminate access to repository materials by any party who we determine is not acting in accordance with the CP/CPS, including, but not limited to, engaging in any activities which we deem may result in denial of service to legitimate users.

To assist Relying Parties in determining the authenticity of one of our Root CA Certificates, certificate identifiers based on a cryptographic hash of each Root CA Certificate are also listed on our website. For Relying Parties who determine that their use of our Root CA Certificate(s) requires a higher level of assurance, our Root CA certificate(s) and/or hash values may also be delivered, upon request, to a RP using a commercially reasonable out-of-band medium trusted by the RP. We may charge a fee for such delivery.

6. Proprietary Rights. All information and documents within our public document repository are proprietary products of Company and its licensors and are protected under various intellectual property laws.

7. Term and Termination. This term of this Agreement shall begin on the date of Relying Party's first use of or reliance upon Certificates and shall end after Relying Party's last use of or reliance upon Certificates.

8. Warranties. Company warrants to Relying Parties who reasonably rely on a Certificate that (a) all information in such a Certificate has been verified according to the requirements of the CP/CPS, and (b) we have substantially complied with the CP/CPS and all applicable laws and regulations when issuing the Certificate.

9. Disclaimers. RELYING PARTY ACKNOWLEDGES AND AGREES THAT CERTIFICATES AND ANY INFORMATION THEREIN, AND ANY DOCUMENTS OR INFORMATION IN OUR PUBLIC DOCUMENT REPOSITORY, ARE PROVIDED TO RELYING PARTY "AS-IS," WITH NO WARRANTY WHATSOEVER, EITHER EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION, THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OR USE, ANY WARRANTY OF NON-INFRINGEMENT, OR ANY WARRANTY THAT ACCESS BY RELYING PARTY WILL BE UNINTERRUPTED OR ERROR FREE. COMPANY DISCLAIMS ANY LIABILITY FOR UNAUTHORIZED THIRD PARTY ACCESS, OR RELIANCE OR USE OF CERTIFICATES BY ANY THIRD PARTY. COMPANY DISCLAIMS ANY LIABILITY FOR ANY DAMAGES TO RELYING PARTY'S COMPUTER OR ANY THIRD PARTY'S COMPUTER OR OTHER PROPERTY CAUSED BY OR ARISING FROM RELYING PARTY'S USE OF OR RELIANCE UPON CERTIFICATES OR USE OF OUR PUBLIC DOCUMENT REPOSITORY, WHETHER DUE TO INFECTION BY A SOFTWARE VIRUS OR OTHER MALWARE OR OTHER CAUSE. Relying Party agrees that the Company and Relying Party are independent contractors and that neither has any fiduciary responsibility to the other. In furtherance of the immediately preceding sentence, each of the Company and Relying Party agree to never assert for its own benefit that the other has any fiduciary duties and to the extent permitted by applicable law, Relying Party and Company hereby disclaim any fiduciary relationship between Company on one hand and Relying Party on the other hand.

10. Limitation of Liability. IN NO EVENT AND UNDER NO CIRCUMSTANCES SHALL COMPANY OR ITS AFFILIATES, EMPLOYEES, OFFICERS OR LICENSORS BE LIABLE HEREUNDER OR WITH RESPECT TO THE CERTIFICATES, INFORMATION, OR DOCUMENTS PROVIDED HEREUNDER (I) FOR ANY INDIRECT, SPECIAL, INCIDENTAL, CONSEQUENTIAL, EXEMPLARY, RELIANCE OR PUNITIVE DAMAGES OR LOSS OF PROFITS, LOSS OF BUSINESS, LOSS OF REVENUE, LOSS OF DATA, LOSS OF GOODWILL, LOSS OF BUSINESS OPPORTUNITIES, OR BUSINESS INTERRUPTION, HOWEVER CAUSED AND UNDER ANY THEORY OF LIABILITY, INCLUDING BUT NOT LIMITED TO CONTRACT, TORT (INCLUDING PRODUCTS LIABILITY, STRICT LIABILITY AND NEGLIGENCE), STATUTORY OR OTHERWISE, WHETHER OR NOT COMPANY WAS OR SHOULD HAVE BEEN AWARE OR ADVISED OF THE POSSIBILITY OF SUCH DAMAGE, OR FOR ANY LIABILITY (II) ARISING FROM INFORMATION IN A CERTIFICATE, UNLESS THE FAULT IN THE INFORMATION IS DUE TO FRAUD OR WILLFUL MISCONDUCT OF THE COMPANY, (III) ARISING FROM THE USAGE OF A CERTIFICATE THAT IS NOT VALID OR HAS NOT BEEN USED IN CONFORMANCE WITH THIS AGREEMENT, (IV) ARISING FROM COMPROMISE OF A SUBSCRIBER'S PRIVATE KEY, OR (V) FOR ANY MATTER OUTSIDE THE COMPANY'S CONTROL INCLUDING, WITHOUT LIMITATION, IF COMPANY CANNOT EXECUTE THE REVOCATION OF A CERTIFICATE FOR ANY REASON OUTSIDE OF COMPANY'S CONTROL. IN NO EVENT SHALL COMPANY'S OR ITS LICENSORS' AGGREGATE LIABILITY ARISING OUT OF THIS AGREEMENT EXCEED THE NET AMOUNT COMPANY HAS ACTUALLY RECEIVED FROM RELYING PARTY UNDER THIS AGREEMENT IN THE TWELVE MONTHS PRECEDING THE FIRST CLAIM MADE BY RELYING PARTY AGAINST THE COMPANY, REGARDLESS OF THE NUMBER OF TRANSACTIONS OR CAUSES OF ACTION ARISING OUT OF OR RELATED TO SUCH CERTIFICATE OR ANY SERVICES PROVIDED IN RESPECT TO SUCH CERTIFICATE. THIS LIMITATION OF LIABILITY SHALL NOT APPLY TO LIABILITY FOR DEATH OR PERSONAL INJURY TO THE EXTENT APPLICABLE LAW PROHIBITS SUCH LIMITATION. THE FOREGOING LIMITATIONS SHALL APPLY NOTWITHSTANDING THE FAILURE OF ESSENTIAL PURPOSE OF ANY LIMITED REMEDY STATED IN THIS AGREEMENT. Relying Party agrees that Relying Party is solely responsible for any liability arising from the Relying Party's failure to perform its obligations under this Agreement, the Relying Party's reliance on a Certificate that is not reasonable under the circumstances, or the Relying Party's failure to check the status of such Certificate to determine if the Certificate or any certificate in the corresponding certificate chain is expired or revoked.

11. Indemnification. Relying party agrees to indemnify, defend, and hold Company, its subsidiaries, officers, employees, agents, contractors, and licensors harmless from and against all claims, damages, and expenses ("Claims") arising out of or related to Relying Party's use of or other reliance upon Certificates, documents, or other information provided by Company, other than those Claims arising out of or related to the Company's gross negligence, willful misconduct or fraud in issuing the Certificates.

12. Privacy. Company privacy policy can be found at http://www.emrdirect.com/privacy.html. Any information included in a Certificate is deemed not private.

13. Fees. We do not charge a fee for Relying Party to use or otherwise rely upon Certificates.

14. Miscellaneous. No waiver or modification of this Agreement shall be valid unless made in writing signed by each party, except Company may modify this Agreement at any time without Relying Party's consent by posting the modified Agreement in our public document repository, and Relying Party agrees that Relying Party's continued use or reliance upon Certificates shall constitute acceptance of the modified Agreement. The waiver of a breach of any term hereof shall in no way be construed as a waiver of any other term or breach hereof. This Agreement is governed by the laws of the State of California without reference to conflict of laws principles. All disputes arising out of this Agreement shall be subject to the exclusive jurisdiction of the state and federal courts located in San Diego, California, and the parties agree and submit to the personal and exclusive jurisdiction and venue of these courts. Notwithstanding the foregoing, Company shall have the right to pursue protection of its intellectual property rights in any court of competent jurisdiction. Relying Party may not assign this Agreement or any rights or obligations hereunder without the prior written consent of Company. Relying Party must give notices to the Company by Certified United States Mail. The Company may give notices to Relying Party through the Company's secure website, through our public document repository, or in the sole discretion of the Company any other method reasonably calculated and intended to provide actual notice to the Relying Party, provided that any notice from the Company received by Relying Party or any representative or agent of the Relying Party shall be effective, and Relying Party shall be deemed to have received any notice that the Company attempts to give using means reasonably calculated and intended to provide actual notice to Relying Party. Subject to the foregoing, this Agreement will inure to the benefit of and be binding upon the parties and their respective successors and permitted assigns. Any attempted assignment in violation of this section shall be null and void. If any provision of this Agreement shall be held by a court of competent jurisdiction to be contrary to law, the remaining provisions of this Agreement shall remain in full force and effect. Nonperformance of Company shall be excused to the extent that performance is rendered impossible by strike, fire, flood, earthquake or other natural disaster, failure of any electrical, communication, or other system over which Company has no control, acts of war or terrorism, acts of God, governmental acts or restrictions or for any other reason when failure to perform is beyond the reasonable control of Company whether or not the Company could have taken precautions to provide for backup or an alternate data center in another geographic location or otherwise. This Agreement constitutes the entire understanding and agreement with respect to its subject matter, and supersedes any and all prior or contemporaneous representations, understandings and agreements whether oral or written between the parties relating to the subject matter of this Agreement, all of which are merged in this Agreement, except that (if applicable) any prior confidentiality agreement executed and signed by both Relying Party and Company shall be effective through the start date of the term of this Agreement and any confidential information of Company thereunder will continue to be protected as Proprietary Information hereunder. Headings, sub-headings, and other captions in this agreement are intended only for convenience and reference and shall not be used in interpreting, construing, or enforcing any of the provisions of this agreement.

15. Copyright Notice. Copyright (c) 2019 EMR Direct. All rights reserved.