Terms of Use

SECTION 01Introduction

1.1Definitions

To keep things clear, here are some key terms we'll use throughout these Terms:

• You or UserThis refers to you, the individual or entity accessing or using our Services.
• ServicesAll the products and services provided by FortaTech Security, including but not limited to BastionGPT and any other platforms, software, or services we offer.
• ContentAll text, information, data, graphics, images, and other material provided through the Services.
• AccountThe account you create to access certain features of the Services.
• Applicable Data Protection LawAll laws and regulations applicable to our processing of personal data under these Terms, including those in the United States, Canada, and Australia.
• CustomerThe User that has entered into the Agreement with FortaTech Security, LLC, including any individual or entity using the Services on behalf of an organization.
• Customer DataAll data and content that Customer or its authorized users submit to, or that is generated through, the Services on Customer's behalf, including BastionGPT Customer Content, account and configuration information, audio and transcripts, and any Personal Data, Protected Health Information, or Part 2 Records contained in the foregoing. Customer Data does not include aggregate or de-identified data, Feedback, or FortaTech Security's own service-operations telemetry that does not contain Customer Content.
• Personal DataAny information relating to an identified or identifiable natural person.

1.2Acceptance of Terms

By accessing or using our Services, you're agreeing to these Terms, our Privacy Policy, and any additional terms that might apply to specific Services. We encourage you to read them carefully. If there's anything you're unsure about, please feel free to reach out to us. If you don't agree with these Terms, we kindly ask that you refrain from using our Services.

1.3Scope of Agreement

These Terms apply to all users of our Services, whether you've created an Account or not. If you're using the Services on behalf of an organization, you confirm that you have the authority to bind that organization to these Terms. Sometimes, if you're accessing the Services through your employer or another entity that has its own agreement with us, additional terms may apply.

SECTION 02Use of Services

2.1No Medical Advice, Diagnosis, or Treatment

2.2User Responsibilities and Conduct

By using our Services, you agree to:

• Provide Accurate Information: Ensure that all information you provide is truthful, accurate, and current.
• Maintain Confidentiality: Keep your Account credentials secure and notify us immediately of any unauthorized use or security breach.
• Comply with Laws: Use the Services in accordance with all applicable laws and regulations.
• Respectful Use: Refrain from using the Services for any unlawful, harmful, or abusive purposes.
• No Interference: Do not interfere with or disrupt the operation of the Services or servers and networks connected to the Services.
• Unauthorized Access: Do not attempt to gain unauthorized access to any part of the Services, other users' accounts, or any systems or networks.

2.3Accounts and Registration

To access certain features of our Services, you may be required to create an Account by:

• Registration: Providing a unique username, password, and other requested information.
• Account Information: Agreeing to maintain and promptly update your Account information to keep it accurate and complete.
• Responsibility: Acknowledging that you are responsible for all activities that occur under your Account.
• Security: Accepting that you are responsible for maintaining the confidentiality of your login credentials.

We reserve the right to suspend or terminate your Account if any information provided during the registration process or thereafter proves to be inaccurate, false, or misleading.

2.4License to Use Services

Subject to your compliance with these Terms, FortaTech Security grants you a limited, non-exclusive, non-transferable, non-sublicensable, revocable license to access and use the Services for your personal or internal business purposes. You agree not to:

• Commercial Exploitation: Sell, resell, distribute, or exploit any portion of the Services for commercial purposes.
• Modification: Modify, adapt, translate, reverse engineer, decompile, or disassemble any portion of the Services.
• Unauthorized Access: Use any manual or automated means to access the Services for any purpose other than those permitted under these Terms.
• Competitive Use: Access the Services to build a similar or competitive product or service.

2.5Age Restrictions

Our Services are intended for users who are at least 18 years old. By accessing or using the Services, you represent and warrant that you are at least 18 years of age. If you are under 18, you must not use our Services. We do not knowingly collect personal information from individuals under 18. If we become aware that a person under 18 has provided us with personal information, we will take steps to delete such information.

2.6Fair and Reasonable Use

The Services are intended to support normal professional use by individual healthcare professionals and the organizations that license the Services on their behalf. Usage that, in our reasonable judgment, is disproportionate or anomalous compared to typical usage patterns for your subscription tier, including but not limited to (i) automated, scripted, or high-volume querying; (ii) sustained usage materially in excess of typical individual professional workloads; (iii) sharing of credentials across multiple individuals not licensed under your subscription; or (iv) usage that imposes infrastructure, compute, or third-party service costs disproportionate to the fees paid for your subscription, may result in any of the following, at our discretion: (a) throttling or rate limiting of your Account; (b) the requirement that your Account be migrated to FortaTech Security's published consumption-based API pricing, available at bastionintelligence.com, with billing on a usage basis on a prospective basis; (c) the assessment of additional usage-based fees corresponding to the excess usage; (d) suspension of your Account; or (e) termination of your Account in accordance with Section 8. Where reasonably practicable, we will provide notice and an opportunity to bring usage within normal patterns, or to elect migration to consumption-based pricing, before suspending or terminating an Account, except where immediate action is necessary to protect the security, stability, or availability of the Services for other users.

SECTION 03Privacy and Data Protection

3.1Handling of Personal Information

We are committed to protecting your privacy and handling your personal data in an open and transparent manner. For details on how we collect, use, store, and protect your personal information, please refer to our Privacy Policy, which is incorporated by reference into these Terms.

3.2Privacy Policy Reference

Our Privacy Policy explains our practices regarding the collection, use, and disclosure of your personal information when you use our Services. By using our Services, you agree to the collection and use of information in accordance with the Privacy Policy.

3.3Data Protection Compliance

We comply with all Applicable Data Protection Laws relevant to our processing of personal data under these Terms. This includes laws and regulations in the United States, Canada, Australia, and any other jurisdictions where we operate.

3.4Sub-processors and Third-Party Service Providers

We use third-party service providers to operate, secure, support, and improve the Services. For clarity, we distinguish between providers that may process BastionGPT Customer Content and providers that support our general business operations, marketing website, billing, scheduling, security, customer communications, advertising, and related activities.

"BastionGPT Customer Content" means prompts, uploads, documents, audio, transcripts, outputs, and other content entered into or generated through the BastionGPT application.

We do not provide BastionGPT Customer Content to our marketing, advertising, scheduling, payment, public website, affiliate/referral, or customer communications providers. The full list of providers, the purpose for which we engage each, and whether they may process BastionGPT Customer Content is available below.

We require our service providers to use personal information only as necessary to provide services to us and to protect that information using appropriate contractual, confidentiality, and security safeguards. We may update this provider list from time to time as our Services evolve.

For avoidance of doubt, our marketing, advertising, scheduling, payment, public website, affiliate/referral, customer support, and customer communications providers are not used to process BastionGPT Customer Content. BastionGPT Customer Content is not disclosed to Meta/Facebook, Reddit, LinkedIn Ads, Calendly, Webflow, Stripe, Cloudflare, Mailchimp, Twilio/SendGrid, Intercom, Rewardful, or other similar business operations providers.

3.5Security Measures

We implement appropriate technical and organizational measures to protect your personal data against unauthorized or unlawful processing and against accidental loss, destruction, or damage. This includes encryption technologies, secure data storage facilities, access controls, and regular security assessments. For more details, please see our Security Page.

3.6Data Retention and Deletion

We will retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, including for the purposes of satisfying any legal, accounting, or reporting requirements. Upon termination of your Account or upon your request, we will delete or anonymize your personal data, unless we are legally required to retain certain data.

3.7Confidentiality Obligations

We maintain the confidentiality of your personal data and ensure that our employees, agents, and sub-processors who have access to your personal data are subject to strict confidentiality obligations. We will not disclose your personal data to third parties except as outlined in these Terms or our Privacy Policy.

3.8Data Subject Rights

You have certain rights regarding your personal data under Applicable Data Protection Laws, which may include the right to access, correct, or delete your personal data, or to restrict or object to our processing of your personal data. To exercise these rights, please contact us as outlined in Section 16: Contact Information.

3.9Data Usage Restriction

SECTION 04Intellectual Property Rights

4.1Ownership of Services and Content

All intellectual property rights in the Services and the Content are owned by FortaTech Security or its licensors. This includes, but is not limited to:

• Software and algorithms underlying the operation of the Services.
• Designs, text, graphics, logos, and trademarks.
• Any other proprietary content provided through the Services.

Nothing in these Terms grants you any rights to use any of our intellectual property except as expressly provided in these Terms. Unauthorized use of our intellectual property is prohibited.

4.2User Content and Feedback

By submitting any content, feedback, suggestions, or ideas ("User Content") to us, you agree to the following:

• License Grant: You grant FortaTech Security a limited, non-exclusive, royalty-free, worldwide license to host, store, transmit, display, and process User Content solely as necessary to provide, maintain, secure, and improve the Services for you. This license terminates when the relevant User Content is deleted from the Services or when your right to use the Services ends, except to the extent retention is required by law or for legitimate backup, security, or audit purposes. We will not sell User Content, license it to third parties for their own commercial purposes, or use it to train, develop, or enhance any artificial intelligence model. The foregoing license does not apply to Protected Health Information, which is governed exclusively by the HIPAA Business Associate Agreement. The license granted in this Section 4.2 does not authorize any Use or Disclosure of Part 2 Records that would not be permissible under 42 CFR Part 2, and is limited accordingly with respect to Part 2 Records.
• Feedback: Separately, if you voluntarily provide suggestions, ideas, or feedback about the Services ("Feedback"), you grant FortaTech Security a perpetual, irrevocable, royalty-free, sublicensable license to use that Feedback to improve the Services. Feedback does not include User Content submitted to the BastionGPT chat or transcription functionality.
• Representation and Warranty: You represent and warrant that you have all necessary rights to grant the above license and that your User Content does not violate any third-party rights, including intellectual property rights.
• Moral Rights: To the extent permitted by law, you waive any moral rights you may have in the User Content.

4.3DMCA Notice and Copyright Policy

We respect the intellectual property rights of others and expect our users to do the same. If you believe that any content on our Services infringes your copyright, you may submit a notification pursuant to the Digital Millennium Copyright Act ("DMCA") by providing our designated agent with the following information in writing:

• Identification of the Infringed Work: A description of the copyrighted work or other intellectual property that you claim has been infringed.
• Identification of the Infringing Material: A description of where the material that you claim is infringing is located on the Services, including a URL or screenshot if possible.
• Your Contact Information: Your address, telephone number, and email address.
• Statement of Good Faith: A statement by you that you have a good faith belief that the disputed use is not authorized by the copyright owner, its agent, or the law.
• Statement of Accuracy: A statement by you, made under penalty of perjury, that the above information in your notice is accurate and that you are the copyright owner or authorized to act on the copyright owner's behalf.
• Signature: An electronic or physical signature of the person authorized to act on behalf of the owner of the copyright interest.

Upon receipt of a valid DMCA notice, we will respond promptly to remove or disable access to the allegedly infringing material.

4.4User Intellectual Property Rights

Users retain all rights, including intellectual property rights, to the data and information provided through BastionGPT chat and transcription services. FortaTech Security does not claim any ownership of such data and will not commercially exploit, share, or sell this information.

SECTION 05Third-Party Services

5.1Access to External Services

Our Services may contain links to or allow you to access third-party websites, applications, or services ("Third-Party Services") that are not owned or controlled by FortaTech Security. These Third-Party Services are provided solely as a convenience to you and are not endorsed by us.

5.2Third-Party Payment Processors

We may use third-party payment processors to handle payment transactions for our Services. Your use of such payment processing services is subject to the terms and conditions and privacy policies of the respective third-party payment processors. We are not responsible for any actions or omissions of such third parties.

5.3Disclaimers Regarding Third Parties

• No Endorsement: We do not endorse, recommend, or make any representations or warranties regarding any Third-Party Services.
• User Responsibility: Your use of Third-Party Services is at your own risk, and you are responsible for reviewing and complying with any terms and conditions and privacy policies of those third parties.
• Liability: We are not liable for any loss or damage that may arise from your use of Third-Party Services, including any reliance on the content, products, or services available on or through such Third-Party Services.

5.4Interaction with Third Parties

Any interactions, transactions, or dealings you have with third parties found on or through our Services are solely between you and the third party. You agree that FortaTech Security shall not be responsible or liable for any loss or damage of any sort incurred as a result of any such dealings.

SECTION 06Disclaimers and Limitation of Liability

6.1Disclaimers

Your use of the Services is at your sole risk. The Services are provided on an "as is" and "as available" basis, without warranties of any kind, either express or implied. To the fullest extent permissible pursuant to applicable law, FortaTech Security disclaims all warranties, express or implied, including but not limited to implied warranties of merchantability, non-infringement, and fitness for a particular purpose. We do not warrant that:

• The Services will meet your requirements.
• The Services will be uninterrupted, timely, secure, or error-free.
• The results that may be obtained from the use of the Services will be accurate or reliable.
• Any errors in the Services will be corrected.

No advice or information, whether oral or written, obtained by you from FortaTech Security or through the Services shall create any warranty not expressly stated in these Terms.

6.2Limitation of Liability

To the maximum extent permitted by applicable law, FortaTech Security and its affiliates, officers, employees, agents, partners, and licensors ("FortaTech Security Parties") shall not be liable for any indirect, incidental, special, consequential, or exemplary damages, including but not limited to:

• Loss of profits, revenue, data, or other intangible losses.
• Damages resulting from the use or the inability to use the Services.
• Unauthorized access to or alteration of your transmissions or data.
• Statements or conduct of any third party on the Services.
• Any other matter relating to the Services.

6.3Cap on Liability

In no event shall the total liability of the FortaTech Security Parties to you for all damages, losses, and causes of action exceed the amount you have paid to FortaTech Security in the last twelve (12) months, or, if greater, one hundred U.S. dollars (USD $100).

6.4Indemnification

You agree to indemnify, defend, and hold harmless the FortaTech Security Parties from and against any and all claims, liabilities, damages, losses, costs, expenses, or fees (including reasonable attorneys' fees) arising from or relating to:

• Your use of the Services.
• Your violation of these Terms.
• Your violation of any rights of another party, including other users.
• Your violation of any applicable laws, rules, or regulations.

FortaTech Security reserves the right, at your expense, to assume the exclusive defense and control of any matter for which you are required to indemnify us, and you agree to cooperate with our defense of these claims.

SECTION 07Modifications and Updates

7.1Changes to Terms and Services

FortaTech Security reserves the right to modify these Terms at any time. If we make material changes to these Terms, we will notify you by:

• Updating the "Effective Date" at the top of these Terms.
• Providing notice through the Services or by other means, such as email if you have provided it to us.

Your continued use of the Services after the effective date of the revised Terms constitutes your acceptance of the revised Terms. If you do not agree to the new Terms, you must stop using the Services.

7.2Modification of Services

We reserve the right to modify, suspend, or discontinue, temporarily or permanently, the Services or any part thereof, with or without notice. You agree that FortaTech Security shall not be liable to you or any third party for any modification, suspension, or discontinuance of the Services.

SECTION 08Termination

8.1Term and Termination

These Terms will remain in full force and effect while you use the Services. We may suspend or terminate your rights to use the Services (including your Account) at any time for any reason at our sole discretion, including for any use of the Services in violation of these Terms. Upon termination of your rights under these Terms, your Account and right to access and use the Services will terminate immediately.

8.2Effect of Termination

Upon termination:

• You must cease all use of the Services and delete any copies of the Services or Content in your possession.
• Any provisions of these Terms that by their nature should survive termination shall survive, including but not limited to ownership provisions, warranty disclaimers, indemnity, and limitations of liability.

Termination obligations specific to Part 2 Records are set forth in Section 7(c) of the 42 CFR Part 2 and Qualified Service Organization Addendum and survive in accordance with that section.

We shall not be liable to you or any third party for any termination of your access to the Services.

8.3Cancellation and Refunds

You may cancel your subscription at any time during your trial period or while your paid subscription is active. To cancel, you must either use the billing portal at bastiongpt.com/billing or email support@bastiongpt.com with your cancellation request. Cancellation will take effect when you submit the request through the billing portal or when your email cancellation request is received by our support team.

If you cancel a paid subscription, your access to the Services will generally continue through the end of your current billing period, unless otherwise specified in writing.

We offer a 45-day money-back guarantee for eligible purchases. If you submit a refund request within forty-five (45) days of your initial purchase or renewal, we will refund eligible purchases in accordance with this Section. For annual subscriptions, approved refunds will be prorated based on the portion of the subscription term already used, and a 5% processing fee will be deducted from the refund amount.

Any refund approved under this Section will be returned to the original payment method. We may deny refunds where we determine there has been abuse, misuse, fraud, or a violation of these Terms. Except where required by law or expressly stated in this Section, all fees are non-refundable.

8.4Billing Disputes and Chargebacks

You agree that, before initiating any chargeback, dispute, or reversal with your card issuer, payment network, or payment processor, you will first contact us at support@bastiongpt.com and provide us a reasonable opportunity (not less than fifteen (15) days) to investigate and resolve the issue. You acknowledge that (i) by providing payment information and accepting these Terms, you authorized the charges that appear on your billing statement, including any recurring charges associated with your subscription; (ii) cancellation must be made in accordance with Section 8.3 and a chargeback is not a substitute for cancellation; and (iii) initiating a chargeback without first contacting us, or initiating a chargeback for charges that were properly authorized and for Services that were made available to you, constitutes a material breach of these Terms.

In the event of a chargeback that is later determined to be unwarranted or that is reversed in our favor, we may, in addition to any other rights and remedies available under these Terms or applicable law: (a) suspend or terminate your Account; (b) recover from you the amount of the disputed charge, any fees imposed on us by our payment processor (including chargeback and representment fees), and reasonable costs of collection (including reasonable attorneys' fees); and (c) report the dispute to credit reporting agencies or refer the matter to a collection agency, in each case to the extent permitted by law. Nothing in these Terms limits any non-waivable chargeback or payment-card rights you may have under applicable law.

SECTION 09Dispute Resolution and Governing Law

9.1Governing Law

These Terms and any dispute or claim arising out of or relating to these Terms or the Services shall be governed by and construed in accordance with the laws of the State of Texas, United States, without regard to its conflict of law provisions.

9.2Informal Dispute Resolution

Before initiating any legal proceedings, you agree to attempt to resolve any dispute informally by contacting FortaTech Security at legal@bastionintelligence.com. We will attempt to resolve the dispute informally by contacting you via email or other means. If a dispute is not resolved within thirty (30) days of submission, either party may proceed to formal proceedings.

9.3Arbitration Agreement

You agree that any dispute or claim arising out of or in connection with your use of the Services or these Terms shall be resolved by binding arbitration, rather than in court, except for matters that may be taken to small claims court or for equitable relief in relation to intellectual property rights.

• Arbitration Rules: The arbitration will be conducted by the American Arbitration Association ("AAA") under its rules, including the AAA's Commercial Arbitration Rules.
• Arbitration Location: The arbitration shall take place in Dallas County, Texas, or at another mutually agreed location.
• Arbitrator's Authority: The arbitrator has the authority to grant any remedy that would otherwise be available in court.
• Final and Binding: The arbitrator's award shall be final and binding on all parties.

9.4Class Action Waiver

All claims and disputes within the scope of this arbitration agreement must be arbitrated on an individual basis and not on a class, collective, or representative basis. You agree not to participate in a class action, a class-wide arbitration, claims brought in a private attorney general or representative capacity, or consolidated claims involving any other person's use of the Services.

9.5Opt-Out Procedure

You may opt out of this arbitration agreement by sending a written notice of your decision to opt out to:

Your opt-out notice must be postmarked or emailed no later than thirty (30) days after the date you first accept these Terms. If you opt out of arbitration, all other parts of these Terms will continue to apply to you.

9.6Venue

If any claim proceeds in court rather than in arbitration, for any reason, you agree that such claim will be brought exclusively in the federal or state courts located in Dallas County, Texas. You and FortaTech Security consent to the jurisdiction of and venue in such courts and waive any objection as to inconvenient forum.

SECTION 10General Provisions

10.1Severability

If any provision of these Terms is found by a court of competent jurisdiction to be invalid, illegal, or unenforceable, such provision shall be modified to the minimum extent necessary to make it enforceable, and the remaining provisions of these Terms shall remain in full force and effect.

10.2Entire Agreement

These Terms, along with our Privacy Policy, the HIPAA Business Associate Agreement (where applicable), the 42 CFR Part 2 and Qualified Service Organization Addendum (where applicable), and any additional terms to which you agree when using specific features of the Services, constitute the entire agreement between you and FortaTech Security regarding the use of the Services. They supersede all prior or contemporaneous agreements, communications, and proposals, whether oral or written, between you and us.

10.3Assignment

You may not assign, transfer, or delegate any of your rights or obligations under these Terms without our prior written consent. Any attempted assignment or delegation without such consent will be null and void. FortaTech Security may freely assign or transfer these Terms without restriction.

10.4Force Majeure

We shall not be liable for any failure or delay in performing our obligations under these Terms due to circumstances beyond our reasonable control. Such circumstances include, but are not limited to, acts of God, natural disasters, war, terrorism, civil unrest, governmental actions, labor disputes, and failures of public utilities or communications networks.

10.5Notices and Electronic Communications

By using our Services, you consent to receive electronic communications from us. These communications may include notices about your Account, legal notices, and other information concerning or related to the Services. You agree that any notices, agreements, disclosures, or other communications that we send to you electronically will satisfy any legal communication requirements, including that such communications be in writing.

10.6Waiver

Our failure to enforce any right or provision of these Terms shall not be deemed a waiver of such right or provision. A waiver must be in writing and signed by an authorized representative of FortaTech Security to be effective.

10.7Conflict of Terms

In the event of any conflict or inconsistency between these Terms and any other agreement you may have with FortaTech Security, the terms of that other agreement will prevail if it expressly states that it overrides these Terms with respect to the specific subject matter.

SECTION 11Jurisdiction-Specific Terms

These jurisdiction-specific terms apply to users located in certain regions and are in addition to the terms set forth elsewhere in these Terms. In case of any conflict between this Section and the rest of these Terms, this Section will prevail with respect to users in the applicable jurisdictions.

11.1United States

California Residents. Under the California Consumer Privacy Act (CCPA), California residents have specific rights regarding their personal information. These rights include the right to know about the personal information we collect, use, disclose, and sell, and the right to access and delete your personal information. For more information, please refer to our Privacy Policy.

11.2Canada

Data Protection Compliance. We comply with the Federal Personal Information Protection and Electronic Documents Act (PIPEDA) concerning the collection, use, and disclosure of personal information from individuals in Canada. You have the right to access your personal information and request corrections if necessary. For more details, please see our Privacy Policy and Canada Data Protection Agreement (DPA).

11.3Australia

Privacy Act Compliance. We adhere to the Australian Privacy Principles and the Privacy Act 1988 (Cth) in relation to the handling of personal information from individuals in Australia. You have the right to access and correct your personal information. For more information, please refer to our Privacy Policy.

SECTION 12Service Level Agreement (SLA)

12.1Uptime Commitment

FortaTech Security is committed to providing a reliable and high-quality service. We offer a Service Level Agreement ("SLA") for the BastionGPT chatbot service, guaranteeing 99.9% uptime calculated on a monthly basis.

12.2Downtime and Service Credits

If the uptime of BastionGPT falls below the 99.9% threshold in a given month, you may be eligible for a service credit or refund. The service credit will be calculated as follows:

• For each full or partial hour of downtime beyond the agreed SLA, you will receive a credit of 5% of your monthly Service fee, up to a maximum of 100% of your monthly Service fee.

Service credits will be applied against future payments owed by you and are non-transferable. They cannot be exchanged for cash or other forms of credit.

12.3Exclusions

The SLA does not account for any downtime caused by circumstances beyond our reasonable control, including but not limited to:

• Acts of God, natural disasters, war, terrorism, civil unrest.
• Acts of government, strikes, or other labor problems not involving our employees.
• Internet service provider failures or delays.
• Scheduled maintenance or upgrades.

12.4Claim Procedure

To receive a service credit, you must submit a written request to us within thirty (30) days from the time the service issue occurred. Your request should include:

• Your name and account information.
• Dates and times of the downtime.
• Any relevant logs or documentation that evidence the downtime.

Please send your claim to:

Unless otherwise provided in the Agreement, the service credit described in this section is your sole and exclusive remedy for any unavailability or non-performance of the Services.

SECTION 13HIPAA Business Associate Agreement

If you are a "covered entity" or a "business associate" and include "protected health information" ("PHI") in data provided to FortaTech Security, as those terms are defined under the Health Insurance Portability and Accountability Act of 1996, as amended ("HIPAA"), the following terms apply:

13.1Application of the BAA

If you are a covered entity or business associate (as those terms are defined under HIPAA) and you transmit, upload, or otherwise provide Protected Health Information to or through the Services, our HIPAA Business Associate Agreement ("BAA") is incorporated into these Terms by reference and becomes effective when you accept these Terms and first submit, upload, transmit, or otherwise make Protected Health Information available to the Services. The full text of the BAA is available at https://bastionintelligence.com/baa. No separate signature, attestation, or in-product designation is required for the BAA to take effect. Either party may request a signed counterpart of the BAA at any time, and FortaTech Security will provide one upon reasonable written request to legal@bastionintelligence.com. If you do not wish to be bound by the BAA, you must not transmit, upload, or otherwise provide any Protected Health Information to or through the Services, and you remain solely responsible for ensuring that no Protected Health Information is so transmitted.

13.2Compliance with HIPAA

We agree to comply with all applicable requirements of HIPAA concerning the use and disclosure of PHI. You are responsible for obtaining any necessary consents or authorizations from individuals whose PHI you disclose to us and for ensuring that your use of the Services complies with HIPAA.

13.342 CFR Part 2 Addendum

If you are a Part 2 Program, a Lawful Holder of Part 2 Records, or otherwise transmit Part 2 Records to or through the Services, the 42 CFR Part 2 and Qualified Service Organization Addendum applies automatically, without further action by either party, and is incorporated into these Terms by reference. Unlike the BAA, the Part 2 Addendum has no opt-out mechanism; its contractual protections apply by operation of the Part 2 Addendum upon receipt of any Part 2 Records.

SECTION 14FERPA Compliance

14.1Compliance with FERPA

FortaTech Security is committed to complying with the Family Educational Rights and Privacy Act of 1974, as amended ("FERPA"), concerning the access to and handling of students' educational records.

14.2Access Limitation

We will limit our employees' access to students' educational records to those individuals who need access to perform the Services. Access is granted on a need-to-know basis, ensuring that only authorized personnel can access sensitive educational information.

14.3Use and Disclosure of Educational Records

We will not use or disclose students' educational records for any purpose other than as necessary to provide the Services or as required by law. We will not share these records with third parties except as permitted under FERPA and as necessary to perform the Services.

14.4Safeguards

We will maintain appropriate administrative, physical, and technical safeguards to protect the confidentiality and integrity of students' educational records. These measures are designed to prevent unauthorized access, disclosure, alteration, and destruction of educational records in compliance with FERPA.

14.5Compliance Assurance

We will ensure that all our employees and agents who have access to students' educational records receive training on FERPA compliance and understand their responsibilities under the law.

SECTION 15Technical and Organizational Security Measures

15.1Security Program Overview

FortaTech Security has implemented a comprehensive security program designed to protect the confidentiality, integrity, and availability of your personal data. Our security measures are aligned with industry best practices and are regularly reviewed and updated to address emerging threats and vulnerabilities. Our safeguards are designed to satisfy 42 CFR § 2.16 with respect to Part 2 Records, in addition to the HIPAA Security Rule with respect to Protected Health Information.

15.2Encryption

• Data in Transit: We use secure protocols (such as TLS 1.2 or higher) to encrypt personal data transmitted over public networks, ensuring that data remains confidential and tamper-proof during transmission.
• Data at Rest: Personal data stored on our servers is encrypted using strong encryption algorithms like AES-256, providing an additional layer of security against unauthorized access.

15.3Access Controls

• User Authentication: Access to systems containing personal data requires robust authentication mechanisms, including the use of unique usernames and complex passwords. Multi-factor authentication (MFA) is implemented for administrative access.
• Access Authorization: Access rights are granted based on the principle of least privilege, ensuring that employees have access only to the data necessary to perform their job functions.
• Account Management: We have procedures in place for the creation, management, and termination of user accounts to prevent unauthorized access.

15.4Monitoring and Logging

• System Monitoring: Our systems are continuously monitored to detect and respond to security incidents promptly.
• Activity Logging: Access to personal data is logged, and logs are regularly reviewed for suspicious activities or unauthorized access attempts.
• Incident Response: We have an incident response plan that outlines the procedures for handling security incidents, including detection, containment, eradication, recovery, and reporting.

15.5Physical Security

Our data centers and facilities where personal data is processed are secured with physical controls, such as access badges, biometric scanners, surveillance cameras, and security personnel, to prevent unauthorized physical access.

15.6Data Backup and Recovery

• Regular Backups: We perform regular backups of critical systems and data to prevent data loss.
• Disaster Recovery Plan: A disaster recovery plan is in place to ensure business continuity and rapid recovery in the event of a significant disruption or disaster.

15.7Employee Training and Awareness

All employees undergo regular training on data privacy, security policies, and procedures to ensure they understand their responsibilities in protecting personal data.

15.8Sub-Processor Security Measures

We require all sub-processors to implement security measures that meet or exceed the standards outlined in these Terms. We conduct due diligence on sub-processors to verify their compliance with our security requirements.

15.9Compliance and Certifications

We regularly assess our security controls and may obtain relevant security certifications or undergo third-party audits to demonstrate our commitment to data protection.

SECTION 16Contact Information

If you have any questions, concerns, or comments regarding these Terms, our Privacy Policy, or any other aspect of our Services, please feel free to contact us using the information below:

Customer Support

For general inquiries or technical support, please visit our Contact page where you can find answers to frequently asked questions and submit support requests.