Breach Indemnification Agreement
Version 11.2 – November 2017
This SNX Breach Indemnification Agreement (“BIA”) between SNX Consulting, LLC. (“SNX”, “us” or “we”) and users of the SNX Services (“you”) governs the use of the SNX Services under the provisions of the SNX Terms of Service (the “Terms”).
Unless otherwise provided herein, this BIA is subject to the provisions of the Terms. We reserve the right to change the terms of this BIA in accordance with the Terms.
1. Applicability
This BIA applies separately to each of your Dedicated Environments, as that term is defined in the Terms. This BIA does not apply to shared environments, Development Accounts, or any other environment or account for which you do not have a Business Associate Agreement (“BAA”) in place with SNX or have not applied the security controls and configurations required by the BAA.
2. Definitions
Capitalized words and phrases have the meaning specified in the Terms.
“SNX Containerized Services” mean your apps and databases running on SNX.
“Breach” has the meaning specified in 45 CFR § 164.402.
“Covered Breach” means, except for Excluded Breaches, a Breach of Unsecured Protected Health Information from your SNX Containerized Services that results directly from a failure by SNX to properly configure or maintain the components of the SNX Services under SNX’s exclusive control.
“Covered Expenses” means (a) all damages, costs, and attorneys’ fees finally awarded against you in any Covered Claim; and (b) all out-of-pocket costs (including reasonable attorneys’ fees) that you reasonably incurred in connection with the defense of a Covered Claim (other than attorneys’ fees and costs incurred without SNX’s consent after SNX has accepted defense of the Covered Claim).
“Excluded Breach” means any Breach of PHI that in any way results from: (a) a failure to properly configure your SNX Containerized Services to protect PHI; (b) a failure to properly configure or enforce user access policies and permissions in your SNX Containerized Services or SNX account to protect PHI; (c) any other vulnerability introduced by your SNX Containerized Service itself (and not the infrastructure or SNX platform on which it is hosted); or (d) your breach of the SNX Terms of Service, your BAA, or this BIA.
“Governmental Agency” means any court, administrative agency or commission or other federal, state, county, or local governmental entity, instrumentality, agency or commission.
“Regulatory Investigation” means a formal investigation by the U.S. Department of Health and Human Services into your security procedures regarding Protected Health Information.
“Third Party” means, other than a Governmental Agency, an unaffiliated corporation, partnership, or other entity, or a natural person.
“Unsecured Protected Health Information” has the meaning specified in 45 CFR § 164.402.
3. Indemnity
A. Defense. Subject to Section 3(C) of this BIA, SNX will either defend you from or settle any claim, proceeding, or suit (“Claim”) brought by a Third Party against you to the extent the Claim results directly from a Covered Breach (“Covered Claim”) if you:
- Give SNX prompt written notice of the Covered Claim;
- Grant SNX full control over the defense and settlement of the Covered Claim;
- Provide assistance in connection with the defense and settlement of the Covered Claim as SNX reasonably requests; and
- Comply with any settlement or court order made in connection with the Covered Claim.
You must not defend or settle any Covered Claim without SNX’s prior written consent. You have the right to participate in the defense of the Covered Claim at your own expense and with counsel of your own choosing, but SNX will have sole control over the defense and settlement of the Covered Claim.
B. Indemnification. Subject to Section 3(C) of this BIA, SNX will indemnify you from and pay:
- All Covered Expenses incurred by you in connection with a Covered Claim; and
- Any monetary fines imposed on you by a Governmental Agency in connection with a Regulatory Investigation for carrying out practices for the protection of PHI that you implemented pursuant to SNX’s express written recommendations.
C. Exclusions. SNX will have no obligation to you under Sections 3(A) or 3(B) of this BIA if:
- You are in breach of the SNX Terms of Service, your BAA, or this BIA at such time the Claim or Regulatory Investigation (as applicable) arises;
- The Claim or Regulatory Investigation (as applicable) relates to or arises from, directly or indirectly:
  a. Conduct or other matters that constituted a breach of the SNX Terms of Service, your BAA, or this BIA;
  b. Any failure to properly configure or enforce user access policies and permissions in your SNX Containerized Services or SNX accounts to protect PHI; or
  c. Any other vulnerability introduced by your SNX Containerized Service itself (and not the infrastructure or SNX platform on which it is hosted);
- You fail to enter or otherwise provide accurate information to SNX in connection with your use of the Services;
- You fraudulently omitted or included any information as part of your use of the Services; or
- You fail to update information that was accurate when provided to SNX in connection with your use of the Services but which information later becomes inaccurate.
4. Dispute Resolution and Arbitration
Disputes arising under this BIA shall be resolved under the Dispute Resolution and Arbitration provisions of the SNX Terms of Service.
5. Entire Agreement; Conflict
Except as amended by this BIA, the SNX Terms of Service and your BAA will remain in full force and effect. This BIA, together with the Terms and your BAA:
- Is intended by the parties as a final, complete and exclusive expression of the terms of their agreement; and
- Supersedes all prior agreements and understandings (whether oral or written) between the parties with respect to the subject matter hereof.
If there is a conflict between the Terms, this BIA, your BAA, or any other amendment or any addendum to those agreements, the document executed by the parties later in time will prevail.