Last Updated August 7, 2023

1. PURPOSE
   The purpose of this Builder Security Policy (“Policy”) is to provide a common set of security requirements for all Builders who use the Builder Services to access and build Applications upon the Zus Platform.  Both you and Zus each acknowledge that protecting the security and integrity of the Builder Services, the Zus Platform, and your Application and information systems requires coordination of certain security-related obligations between Zus and its Builders.  Accordingly, you also acknowledge that we have a responsibility to require you and other Builders to meet certain minimum standards for information security for the good of all Users of the Zus Platform.
   This Policy applies to all Builders and is incorporated into the Builder Terms of Service (“Builder Terms”). This Policy may be updated or amended from time to time in accordance with provisions of the Builder Terms.
2. POLICY
   1. Definitions
      1. General. Capitalized terms used but not defined in this Policy or the Builder Terms will have the meanings set forth in HIPAA or other Applicable Law.
      2. Extension of HIPAA Definitions. To make requirements for protection of Patient Data consistent, where this Policy incorporates definitions from HIPAA, this Policy has the same definition as the similar definition from HIPAA except that the term PHI or Protected Health Information is replaced by the broader term for Patient Data as defined in these Builder Terms.
      3. Policy Definitions. The following definitions will apply for purposes of this Policy.

         “Access Attempts” means unauthorized probes, scans, “pings”, and other activities which may or may not indicate threats, whose sources may be difficult or impossible to identify whose motives are generally unknown, and which do not result in access to the Builder Services, your Application or information systems, or to any Unsecured Patient Data.

         “Breach” means a Breach of Unsecured Patient Data as defined in 45 CFR 164.402 as well as any Unauthorized Use or Disclosure of Patient Data or related information to the extent that Applicable Law requires such Unauthorized Use or Disclosure to be reported to a state agency or disclosed to the individuals who are the subject of such information.

         “Security Incident” has the definition set forth in 45 CFR 164.304 with respect to the Builder Services and your information systems, but for purposes of this Policy does not include an Access Attempt.

         “Unauthorized Use or Disclosure” means any access, use or disclosure of Patient Data that is not permitted by the Builder Terms, the BAA, this Policy or Applicable Law.

   2. Security of the Builder Services
      1. Zus BAA. At a minimum, we will comply with all the information security obligations which are applicable under the Zus BAA with regard to protection of PHI, including applicable provisions of the HIPAA Security Rule.
      2. Additional Safeguards. We may implement or require information security safeguards which we deem appropriate, including safeguards that include requirements or conditions for you to use the Builder Services and access the Zus Platform and Zus Network (“Additional Safeguards”). These Additional Safeguards will not be less stringent than Applicable Law (including HIPAA) but may create obligations or responsibilities on you beyond minimum requirements of Applicable Law where we believe necessary to protect the Builder Services and the Zus Platform and create a safe environment for all Participants in the Zus Network.
      3. Your Remedies. If you reasonably determine that we have materially failed to comply with our obligations in this Section, and that such failures create a material vulnerability affecting your information systems, you will promptly notify us of your determination and you may suspend or limit access or connectivity between the Builder Services and your information systems.   Any such failures by us will be a curable breach under Section 10 of the Builder Terms.  Upon receipt of any notice by you under this Section, we will use our best efforts to come into compliance with our obligations under this Section within the applicable cure period.
   3. Builder Security Responsibilities
      1. Minimum Security Requirements. You will comply at all times with the following requirements, which are based upon and consistent with the standards required by the HIPAA Security Rule, in building and managing your Application and information systems, administering access to your Application or the Builder Services by Your Users.  You specifically agree that you will comply with the following practices:

         User Clearance. You will maintain and follow policies and procedures for determining reasonable and appropriate access privileges of Your Users.

         User Authorization. You will maintain and follow policies and procedures for authorizing, suspending, and terminating the authorization of Your Users to access the Builder Services and Zus Platform or otherwise access, use, or disclose information through the Builder Services and Zus Network.

         User Access Limitations; Minimum Necessary. You will maintain and follow policies and procedures requiring Your Users to limit their access to and use of the Builder Services, Zus Platform, or your Application, as applicable, and any information available through the Builder Services and Zus Network in accordance with the HIPAA Minimum Necessary Standard, to the extent applicable, and any other Applicable Law.

         Acceptable Use Management. You will maintain and enforce appropriate acceptable use policies which are substantially consistent with Zus’ Acceptable Use Policy  in connection with your use of and access to the Builder Services, the Zus Platform, the Zus Network, your Application, information systems, workstations, and devices whereby Your Users access the Builder Services or the Zus Platform or any information from the Builder Services.

         Access Controls. You will maintain appropriate administrative, physical and technical access control safeguards in accordance with the HIPAA Security Rule.

         Workstation and Device Management. You will maintain and follow policies and procedures for the authorization, secure operation, and disposal of all of the devices which you permit Your Users to use in order to access the Builder Services or the Zus Platform (each, an “Authorized Device”).  We may, in our discretion, limit or prohibit the use of certain devices as Authorized Devices upon notice to you.

         User Training. You will conduct, and you will require all of Your Users to undergo, privacy and security training in accordance with the requirements of all Applicable Law, the Zus BAA, and Zus Policies.

         Sanctions for Violations. You will apply sanctions and disciplinary procedures for Your Users or any other person subject to your authority for accessing or using the Builder Services, the Zus Platform or the Zus Network in violation of Applicable Law, the Builder Terms, the Zus BAA, or Zus Policies.

         Audit Trails. You will maintain audit logs for your transmission of all Patient Data to or from the Builder Services.

         Software Management. You will maintain and enforce policies and procedures related to patch management and change management for hardware and software included in your Application and your information systems which access, or which may be used to access, the Builder Services or the Zus Platform or any information from the Builder Services.

         Malware Protection. You will maintain up-to-date anti-virus and anti-malware software on all applicable components of your Application and information systems with access, or which may be used to access, the Builder Services or the Zus Platform or any information from the Builder Services.

         Additional Safeguards. You will employ such Additional Safeguards that we may identify and require as described in Section B(2)(b) of this Policy.

      2. Zus Remedies. If we determine that you have failed to comply with this Policy, we may suspend or limit your access to or use of the Builder Services in accordance with Section 10(d) of the Builder Terms.  Upon receipt of a notice by us of any suspension, you will use your best efforts to come into compliance within the applicable cure period.
   4. Mutual Responsibilities for Security Incidents and Breaches
      1. Monitoring.

         Our Responsibility. We will monitor all activity, or ensure that activity is monitored, in (i) the Builder Services and Zus Platform, and (ii) any information system or facilities that we use to host, operate or manage the Builder Services or Zus Platform.

         Your Responsibility. You will monitor all activity, or ensure that activity is monitored, in (i) your Application or information systems, (ii) Authorized Devices, and (iii) facilities where you may access the Builder Services or Zus Platform or any information from the Builder Services.

      2. Investigations.

         Zus Investigations. We will investigate any Unauthorized Use or Disclosure of your Patient Data and any Security Incident which may affect or have affected the Builder Services or any of your Patient Data promptly upon receiving notice form you or otherwise becoming aware of such an event.  We will document the results of each such investigation.

         Your Investigations. You will investigate any Unauthorized Use or Disclosure of your Patient Data received from the Builder Services and any Security Incident which may affect or have affected the Builder Services or Zus Platform or any Patient Data received from the Builder Services promptly upon receiving notice form us or your otherwise becoming aware of such an event.  You will document the results of each such investigation.

         Breach Determination. If we determine that an Unauthorized Disclosure of PHI constitutes a Breach, we will promptly notify you of this determination; provided that you will be responsible for making your own determination regarding whether the event constitutes a Breach upon receipt of the information we provide to you.

         Cooperation. Each Party will reasonably cooperate with the other Party in their performance of investigations and determinations under this Policy, and in identifying and implementing measures to mitigate the harmful effects of any event and to prevent events of the same or similar type to the extent practicable.

      3. Reporting & Notifications.

         Notice of Ongoing Access Attempts. Zus will not provide you notice of ongoing Access Attempts. You and Zus acknowledge and agree that Access Attempts fall under HIPAA’s definition of a Security Event but that our reporting and your review of information about Access Attempts would be materially burdensome to both parties without reducing risks to information systems or PHI of either Party.

         Zus Reporting Requirement. We will require our employees and any applicable subcontractors to report to us any Security Incident (not including Access Attempts) any Unauthorized or Disclosures of PHI of which they become aware. We will report to you any Security Incident (not including Access Attempts) or Breach which affects your PHI within 5 business days of our determination or within the time period(s) set forth in the Zus BAA, whichever is shorter.

         Your Reporting Requirement. You will require Your Users, your employees, and any subcontractors to report to you any Security Incident (not including Access Attempts) and Unauthorized Uses or Disclosures of PHI of which they become aware. You will report to us any Security Incident (not including Access Attempts) or Breach involving the Builder Services or Patient Data which comes from the Zus Platform within 5 business days of your becoming aware of such events.

         Breach Notifications. You and Zus each acknowledge and agree that, as between you and Zus, you have the more direct relationship with the Patient who is the subject of the Patient Data used and disclosed through the Builder Services and Zus Platform. Accordingly, you will be responsible for providing notification of Breaches to the affected individuals, applicable regulatory authorities, and the media where required by Applicable Law or elected by you.  Any notification by you to affected individuals, regulatory authorities, or media shall be deemed a notification as well by Zus, and you will identify Zus as a notifying party in the notification, except to the extent that Zus may otherwise direct you in writing.  In the event that you elect not to or fail to timely notify potentially affected individuals, regulatory authorities, or media as provided above, and we reasonably determine that it may be required by Applicable Law to give such a notification, we may give the notification at our discretion.

         Other Law Enforcement Notification. In case of any ambiguity, either you or Zus may notify appropriate law enforcement agencies in the event that you or we reasonably believe that an Unauthorized Use or Disclosure of PHI is the result of criminal activity.

   5.  Third-Party Security Audit. Upon written request, Zus will provide to Builder a summary of its annual third-party security audit.