# Bioscope AI Legal Agreements & Policies This file contains all legal agreements, terms, and policies for Bioscope AI services. Generated automatically from https://security.bioscope.ai/ --- This HIPAA Business Associate Agreement ("**BAA**") is entered into between Bioscope.ai, Inc. ("**Bioscope.ai**") and the medical group or medical practice that has agreed to the Master Services Agreement (the "**Covered Entity**" or "**Customer**"), and supplements, amends, and is incorporated into the Master Services Agreement (the "**Agreement**") solely with respect to Covered Services (defined below). This BAA will be effective as of the date Customer executes an Order (the "**BAA Effective Date**"). Customer must have an existing Agreement in place for this BAA to be valid and effective. Together with the Agreement, this BAA will govern each party's respective obligations regarding Protected Health Information (defined below). You represent and warrant that (i) you have the full legal authority to bind Customer to this BAA, (ii) you have read and understand this BAA, and (iii) you agree, on behalf of Customer, to the terms of this BAA. If you do not have legal authority to bind Customer, or do not agree to these terms, please do not execute an Order referencing this BAA. ## 1. Definitions **"Breach"** has the definition given to it under HIPAA. **"Business Associate"** has the definition given to it under HIPAA. **"Covered Entity"** has the definition given to it under HIPAA. **"Covered Services"** means the Bioscope.ai products and/or services specifically listed in Attachment 1 to this BAA, as may be updated from time to time by Bioscope.ai with notice to Customer. Bioscope.ai may only remove a Covered Service from Attachment 1 with at least twelve (12) months prior notice. **"Designated Record Set"** has the definition given to it under HIPAA. **"Genetic Data"** means Protected Health Information concerning an individual's genetic characteristics, including raw sequence data from whole genome sequencing, processed variant data, genetic test results, Lab Results, and any information derived from the analysis of such genetic information. **"HIPAA"** means the Health Insurance Portability and Accountability Act of 1996 and the rules and regulations thereunder, as amended, including the Privacy Rule, Security Rule, and Breach Notification Rule. **"HITECH Act"** means the Health Information Technology for Economic and Clinical Health Act enacted in the United States Congress, which is Title XIII of the American Recovery & Reinvestment Act, and the regulations thereunder, as amended. **"Individual"** has the definition given to it under HIPAA and includes a person who qualifies as a personal representative under HIPAA. **"Lab Results"** means the raw genomics and microbiomics data and any resulting reports, findings, or derivations thereof generated by Bioscope.ai's designated lab testing facility as a result of processing a Patient's biological sample. **"Patient"** means an Individual who is a patient of Customer and for whom Customer is using the Covered Services in connection with treatment. **"Protected Health Information"** or **"PHI"** has the definition given to it under HIPAA and for purposes of this BAA is limited to PHI within Licensee Data to which Bioscope.ai has access through the Covered Services in connection with Customer's permitted use of Covered Services. PHI includes Genetic Data where applicable. **"Required by Law"** has the definition given to it under HIPAA. **"Secretary"** means the Secretary of the U.S. Department of Health and Human Services or their designee. **"Security Incident"** has the definition given to it under HIPAA. **"Subcontractor"** means a person or entity to whom Bioscope.ai delegates a function, activity, or service that involves the creation, receipt, maintenance, or transmission of PHI. ## 2. Applicability This BAA applies to the extent Customer is acting as a Covered Entity or a Business Associate to create, receive, maintain, or transmit PHI via a Covered Service and to the extent Bioscope.ai, as a result, is deemed under HIPAA to be acting as a Business Associate or Subcontractor of Customer. Customer acknowledges that this BAA does not apply to: (a) any Bioscope.ai product, service, or feature that is not a Covered Service; (b) any PHI that Customer creates, receives, maintains, or transmits outside of the Covered Services; or (c) services provided by third parties that are not Subcontractors of Bioscope.ai, including without limitation any third-party applications or integrations that Customer elects to use. If Customer is not a Covered Entity and does not act as a Business Associate, Customer shall comply with the Data Processing Agreement available at https://security.bioscope.ai/legal/data-processing-agreement/ in lieu of this BAA. ## 3. Permitted Use and Disclosure of PHI ### 3.1 General Limitations Except as otherwise stated in this BAA, Bioscope.ai may use and disclose PHI only (i) as permitted or required by the Agreement and/or this BAA; (ii) as Required by Law; or (iii) as otherwise permitted under HIPAA. ### 3.2 Proper Management and Administration Bioscope.ai may use and disclose PHI for its proper management and administration and to carry out its legal responsibilities, provided that any disclosure of PHI for such purposes may only occur if: (a) Required by Law; or (b) Bioscope.ai obtains written reasonable assurances from the person to whom PHI will be disclosed that it will be held in confidence, used only for the purpose for which it was disclosed, and that Bioscope.ai will be notified of any Breach or Security Incident. ### 3.3 Data Aggregation and De-Identification Subject to the terms of the Agreement, Bioscope.ai may: (a) use PHI to provide data aggregation services relating to the health care operations of Customer; and (b) de-identify PHI in accordance with 45 C.F.R. § 164.514(a)-(c). Once de-identified in compliance with HIPAA, such data is no longer PHI and is not subject to this BAA. ### 3.4 AI and Machine Learning Processing Customer acknowledges that the Covered Services include AI-powered analysis features that process PHI, including Genetic Data, to provide genomic insights and health analysis. Such processing is considered part of the clinical decision support operations for which Customer has engaged Bioscope.ai. Bioscope.ai will not use PHI to train or improve AI models except to the extent such PHI has been de-identified in accordance with Section 3.3. ### 3.5 Communications Regarding Research Opportunities Covered Entity authorizes Business Associate to use PHI, including Individual contact information, to communicate with Individuals regarding opportunities to participate in research studies, clinical programs, or similar initiatives. Such communications shall: (a) Be made only to Individuals who have consented to receive such communications from Business Associate; (b) Describe the nature of the opportunity in general terms; (c) Not disclose PHI to any third party as part of the communication; (d) Not condition treatment, payment, enrollment, or eligibility on the Individual's response; and (e) Inform the Individual that participation is voluntary and that any participation would require separate authorization. ## 4. Customer Obligations ### 4.1 Permissible Requests Customer will not request that Bioscope.ai or the Covered Services use or disclose PHI in any manner that would not be permissible under HIPAA if done by Customer (if Customer is a Covered Entity) or by the Covered Entity to which Customer is a Business Associate (unless expressly permitted under HIPAA for a Business Associate). ### 4.2 Implementation and Configuration For Authorized Users that use the Covered Services in connection with PHI, Customer will use controls available within the Covered Services to ensure its use of PHI is limited to the Covered Services. Customer acknowledges that Customer is solely responsible for ensuring that its and its Authorized Users' use of the Covered Services complies with HIPAA and HITECH. ### 4.3 Patient Consents Customer is solely responsible for obtaining all necessary authorizations and consents from Patients as required by HIPAA and other applicable laws prior to submitting PHI, including Genetic Data, through the Covered Services. Bioscope.ai will provide genetic testing consent forms to Patients on Customer's behalf as described in the Agreement, but Customer remains responsible for ensuring all required authorizations are obtained. ### 4.4 Minimum Necessary Customer will ensure that its disclosures of PHI to Bioscope.ai are limited to the minimum necessary to accomplish the intended purpose, except for disclosures for treatment purposes. ## 5. Appropriate Safeguards Bioscope.ai and Customer will each use appropriate safeguards designed to prevent against unauthorized use or disclosure of PHI, and as otherwise required under HIPAA, with respect to the Covered Services. Bioscope.ai will implement and maintain administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of PHI, including electronic PHI, that it creates, receives, maintains, or transmits on behalf of Customer, in accordance with 45 C.F.R. Part 164, Subpart C. Such safeguards include, without limitation: (a) Encryption of PHI at rest using AES-256 or equivalent; (b) Encryption of PHI in transit using TLS 1.3 or higher; (c) Access controls limiting access to PHI to authorized personnel; (d) Multi-factor authentication for access to systems containing PHI; (e) Audit logging of access to PHI; (f) Regular security assessments and penetration testing; (g) Workforce training on privacy and security requirements; and (h) Additional safeguards for Genetic Data given its particularly sensitive nature. ## 6. Reporting and Related Obligations ### 6.1 Breach Notification Bioscope.ai will promptly notify Customer of: (a) any Security Incident of which Bioscope.ai becomes aware, subject to Section 6.3; and (b) any Breach that Bioscope.ai discovers, provided that any notice for Breach will be made promptly and without unreasonable delay, and in no case later than forty-eight (48) hours after confirmation of such Breach. ### 6.2 Notification Contents Notifications made under this section will describe, to the extent possible: (a) the nature of the Breach or Security Incident, including the categories and approximate number of Individuals affected and the categories and approximate number of PHI records affected; (b) the steps taken to mitigate the potential risks; (c) steps Bioscope.ai recommends Customer take to address the Breach or Security Incident; and (d) contact information for Bioscope.ai's designated security contact. ### 6.3 Unsuccessful Security Incidents Notwithstanding Section 6.1, this Section 6.3 will be deemed as notice to Customer that Bioscope.ai periodically receives unsuccessful attempts for unauthorized access, use, disclosure, modification, or destruction of information, or interference with the general operation of Bioscope.ai's systems and the Covered Services. Customer acknowledges and agrees that even if such events constitute a Security Incident, Bioscope.ai will not be required to provide any notice under this BAA regarding such unsuccessful attempts other than this Section 6.3. ### 6.4 Notification Method Bioscope.ai will send any applicable notifications to the notification email address provided by Customer in the Order or via direct communication with Customer's designated administrator. ## 7. Subcontractors Bioscope.ai will take appropriate measures to ensure that any Subcontractors used by Bioscope.ai to perform its obligations under the Agreement that require access to PHI on behalf of Bioscope.ai are bound by written obligations that provide the same material level of protection for PHI as this BAA. Such Subcontractors include, without limitation, Bioscope.ai's designated laboratory testing facility for processing genetic samples. Bioscope.ai maintains a current list of Subcontractors at https://security.bioscope.ai/legal/subprocessors, which Bioscope.ai shall update prior to engaging any new Subcontractor that will have access to PHI. To the extent Bioscope.ai uses Subcontractors in its performance of obligations hereunder, Bioscope.ai will remain responsible for their performance as if performed by Bioscope.ai. ## 8. Access and Amendment Customer acknowledges and agrees that Customer is solely responsible for the form and content of PHI maintained by Customer within the Covered Services, including whether Customer maintains such PHI in a Designated Record Set within the Covered Services. Bioscope.ai will provide Customer with access to Customer's PHI via the Covered Services so that Customer may fulfill its obligations under HIPAA with respect to Individuals' rights of access and amendment. Bioscope.ai will have no other obligations to Customer or any Individual with respect to the rights afforded to Individuals by HIPAA with respect to Designated Record Sets, including rights of access or amendment of PHI, except to the extent such assistance is requested by Customer and Bioscope.ai is reasonably able to provide such assistance. Customer is responsible for managing its use of the Covered Services to appropriately respond to Individual requests, including requests for access to Genetic Data and Lab Results. ## 9. Accounting of Disclosures Bioscope.ai will document disclosures of PHI by Bioscope.ai and provide an accounting of such disclosures to Customer as and to the extent required of a Business Associate under HIPAA and in accordance with the requirements applicable to a Business Associate under 45 C.F.R. § 164.528. Upon Customer's reasonable request, Bioscope.ai will provide information necessary for Customer to respond to an Individual's request for an accounting of disclosures within thirty (30) days of such request. ## 10. Access to Records To the extent required by law, and subject to all applicable legal privileges, Bioscope.ai will make its internal practices, books, and records concerning the use and disclosure of PHI received from Customer, or created or received by Bioscope.ai on behalf of Customer, available to the Secretary for the purpose of the Secretary determining compliance with this BAA and HIPAA. ## 11. Expiration and Termination ### 11.1 Term This BAA will terminate on the earlier of: (a) a permitted termination in accordance with Section 11.2; or (b) the expiration or termination of all Orders under which Customer has access to a Covered Service. ### 11.2 Termination for Breach If either party materially breaches this BAA, the non-breaching party may terminate this BAA on thirty (30) days' written notice to the breaching party unless the breach is cured within the thirty-day period. If a cure under this Section 11.2 is not reasonably possible, the non-breaching party may immediately terminate this BAA. If neither termination nor cure is reasonably possible under this Section 11.2, the non-breaching party may report the violation to the Secretary, subject to all applicable legal privileges. ### 11.3 Effect of Early Termination If this BAA is terminated earlier than the Agreement, Customer may continue to use the Covered Services in accordance with the Agreement, but must delete any PHI it maintains in the Covered Services and cease to further create, receive, maintain, or transmit such PHI to Bioscope.ai. ## 12. Return/Destruction of Information On termination of the Agreement, Bioscope.ai will return or destroy all PHI received from Customer, or created or received by Bioscope.ai on behalf of Customer; provided, however, that if such return or destruction is not feasible, Bioscope.ai will extend the protections of this BAA to the PHI not returned or destroyed and limit further uses and disclosures to those purposes that make the return or destruction of the PHI infeasible. Bioscope.ai may retain PHI to the extent required by applicable law, in which case Bioscope.ai will isolate and protect such PHI from any further processing except as required by law and will delete such PHI when no longer required to be retained. ## 13. Miscellaneous ### 13.1 Survival Sections 10 (Access to Records), 12 (Return/Destruction of Information), and 13 (Miscellaneous) will survive termination or expiration of this BAA. ### 13.2 Regulatory Changes The parties agree to take such action as is reasonably necessary to amend this BAA from time to time as is necessary for compliance with changes in HIPAA or other applicable law. ### 13.3 Interpretation Any ambiguity in this BAA will be interpreted to permit compliance with HIPAA. In the event of any conflict between this BAA and the Agreement with respect to PHI, this BAA will govern. ### 13.4 Effect of BAA This BAA is subject to the governing law and dispute resolution provisions in the Agreement. Except as expressly modified or amended under this BAA, the terms of the Agreement remain in full force and effect. ### 13.5 No Third-Party Beneficiaries Nothing in this BAA is intended to confer any rights or remedies on any person other than the parties hereto, except that Individuals may exercise their rights under HIPAA as provided by law. ### 13.6 Entire Agreement This BAA, together with the Agreement and any applicable Orders, constitutes the entire agreement between the parties with respect to the subject matter hereof. ## Contact Information For questions about this Business Associate Agreement, please contact: **Privacy Inquiries:** privacy@bioscope.ai **Security Inquiries:** security@bioscope.ai **General Support:** support@bioscope.ai **Mailing Address:** Bioscope.ai, Inc. Attn: Privacy Officer 880 Monon Green Blvd Carmel, IN 46032 --- **Last Updated:** December 5, 2025 --- # Cookie Policy **Effective Date:** December 8, 2025 **Last Updated:** December 8, 2025 ## 1. Introduction This Cookie Policy explains how Bioscope AI Inc. ("Bioscope," "we," "us," or "our") uses cookies and similar tracking technologies across our digital properties. We operate two distinct online environments with different cookie practices: 1. **bioscope.ai** - Our marketing and informational website that uses various types of cookies including analytics, marketing, and functional cookies to enhance user experience and provide relevant content. 2. **app.us.bioscope.ai** - Our HIPAA-compliant healthcare platform that uses only strictly necessary cookies to maintain security, authentication, and essential functionality. This platform operates under enhanced privacy and security standards to protect Protected Health Information (PHI). This policy describes what cookies are, how we use them, what choices you have regarding cookies, and how to manage your cookie preferences. By using our websites and services, you consent to the use of cookies as described in this policy, subject to applicable law and your consent choices. ## 2. What Are Cookies? Cookies are small text files that are placed on your computer, smartphone, or other device when you visit a website. They are widely used to make websites work more efficiently and provide information to website owners. ### Types of Cookies **Session Cookies:** These are temporary cookies that expire when you close your browser. They allow websites to link your actions during a single browsing session. **Persistent Cookies:** These cookies remain on your device for a set period specified in the cookie or until you manually delete them. They help websites remember your preferences and actions across multiple visits. **First-Party Cookies:** These cookies are set directly by the website you are visiting. Only that website can read and use these cookies. **Third-Party Cookies:** These cookies are set by a domain other than the one you are visiting. They are commonly used for advertising and analytics purposes across multiple websites. ## 3. Cookie Usage on bioscope.ai (Marketing Website) Our marketing website uses various types of cookies to provide an optimal user experience, understand how visitors interact with our site, and deliver relevant marketing messages. We obtain your consent before placing non-essential cookies on your device, in compliance with applicable laws including GDPR and CCPA. ### 3.1 Strictly Necessary Cookies These cookies are essential for the website to function properly and cannot be disabled in our systems. They are usually set in response to actions you take, such as setting your privacy preferences, logging in, or filling out forms. Our website is hosted on Webflow, which may set additional session and security cookies. | Cookie Name | Purpose | Duration | Type | Provider | |-------------|---------|----------|------|----------| | `__cf_bm` | Cloudflare bot management to distinguish humans from bots | 30 minutes | First-party | Cloudflare | | `cf_clearance` | Cloudflare security verification to prove visitor passed security challenge | 1 year | First-party | Cloudflare | | `CookieConsent` | Stores user's cookie consent preferences | 1 year | First-party | Bioscope AI | | `cookie_notice_accepted` | Records whether user has acknowledged cookie notice | 1 year | First-party | Bioscope AI | ### 3.2 Analytics Cookies These cookies help us understand how visitors interact with our website by collecting and reporting information anonymously. This data helps us improve our website performance and user experience. | Cookie Name | Purpose | Duration | Type | Provider | |-------------|---------|----------|------|----------| | `__hstc` | Main tracking cookie to track visitors and sessions | 6 months | First-party | HubSpot | | `hubspotutk` | Keeps track of visitor identity for analytics and form submissions | 6 months | First-party | HubSpot | | `__hssc` | Keeps track of sessions for analytics purposes | 30 minutes | First-party | HubSpot | | `__hssrc` | Determines if visitor has restarted their browser (used with __hssc) | Session | First-party | HubSpot | **HubSpot Analytics Configuration:** We use HubSpot for website analytics and form tracking to: - Track visitor sessions and page views - Analyze website traffic patterns and user behavior - Connect form submissions to visitor analytics - Measure content effectiveness and engagement - Generate reports on website performance ### 3.3 Marketing and Advertising Cookies These cookies track your browsing habits to deliver advertising that is relevant to you and your interests. They also help us measure the effectiveness of our marketing campaigns and limit the number of times you see an advertisement. | Cookie Name | Purpose | Duration | Type | Provider | |-------------|---------|----------|------|----------| | `__hstc` | Tracks visitors across sessions for marketing attribution | 6 months | First-party | HubSpot | | `hubspotutk` | Links form submissions and conversions to marketing campaigns | 6 months | First-party | HubSpot | | `li_sugr` | Browser identifier for LinkedIn Insights (Partner ID: 8219476) | 90 days | First-party | LinkedIn | | `bcookie` | Browser identifier cookie for LinkedIn advertising | 1 year | Third-party | LinkedIn | | `lidc` | Used for routing and security on LinkedIn platform | 1 day | Third-party | LinkedIn | | `UserMatchHistory` | LinkedIn Ads ID syncing for cross-device targeting | 30 days | Third-party | LinkedIn | | `AnalyticsSyncHistory` | Stores information about time sync took place with LinkedIn Marketing Solutions | 30 days | Third-party | LinkedIn | **Marketing Cookie Usage:** We use these cookies to: - Track conversions from advertising to website visits or form submissions - Measure the effectiveness of our marketing campaigns - Attribute leads and conversions to specific marketing sources - Retarget visitors who have shown interest in our services on LinkedIn - Build custom audiences and lookalike audiences for targeted advertising - Analyze marketing ROI and campaign performance across multiple channels ### 3.4 Functional Cookies These cookies enable enhanced functionality and personalization, such as videos, forms, and remembering your preferences. They may be set by us or by third-party providers whose services we use on our pages. Our website uses Webflow for forms and content management. | Cookie Name | Purpose | Duration | Type | Provider | |-------------|---------|----------|------|----------| | `lang` | Remembers user's language preference | Session | First-party | Bioscope AI | | `timezone` | Stores user's timezone for displaying localized times | 1 year | First-party | Bioscope AI | | `viewed_demo_video` | Tracks if user has watched product demo video | 90 days | First-party | Bioscope AI | | `newsletter_dismissed` | Records if user dismissed newsletter signup prompt | 30 days | First-party | Bioscope AI | | `webflow_session` | Maintains form submission state and user interaction with Webflow-powered forms | Session | First-party | Webflow | ## 4. Cookie Usage on app.us.bioscope.ai (HIPAA-Compliant Healthcare Platform) Our HIPAA-compliant healthcare platform operates under strict privacy and security requirements to protect Protected Health Information (PHI). Unlike our marketing website, this platform uses only strictly necessary cookies required for security, authentication, and essential platform functionality. ### 4.1 Strictly Necessary Cookies Only The healthcare platform uses only essential cookies that are technically necessary for the platform to function securely. These cookies enable critical security features, maintain authenticated sessions, and ensure the integrity of healthcare data. Our platform uses Auth0 for secure authentication and session management. | Cookie Name | Purpose | Duration | Type | Provider | |-------------|---------|----------|------|----------| | `auth0` | Encrypted session identifier for authenticated users (HttpOnly, Secure) | Session (max 24 hours, idle timeout: 15 minutes) | First-party | Auth0 / Bioscope AI | | `auth0_compat` | Compatibility cookie for Auth0 authentication across browsers | Session | First-party | Auth0 / Bioscope AI | | `auth0..is.authenticated` | Authentication status flag to indicate active user session | Session | First-party | Auth0 / Bioscope AI | | `_legacy_auth0..is.authenticated` | Legacy authentication status for backward compatibility | Session | First-party | Auth0 / Bioscope AI | | `did` | Device identifier for security monitoring and anomaly detection (HttpOnly, Secure) | Persistent (long-lived) | First-party | Auth0 / Bioscope AI | | `did_compat` | Device identifier compatibility cookie for cross-browser support | Persistent (long-lived) | First-party | Auth0 / Bioscope AI | **Security Characteristics:** - All cookies are transmitted only over HTTPS with Secure flag enabled - HttpOnly flag prevents JavaScript access to sensitive authentication cookies (`auth0`, `did`) - SameSite=Lax attribute balances security and functionality for authentication flows - Auth0 encrypts and signs all sensitive cookie values to prevent tampering - Short session expiration times reduce exposure window for compromised credentials - Automatic session termination after 15 minutes of inactivity - Device identifiers enable detection of suspicious login patterns and account takeover attempts ### 4.2 No Analytics or Marketing Cookies **Important:** The app.us.bioscope.ai platform does NOT use: - Analytics cookies (no Google Analytics, no tracking pixels) - Marketing or advertising cookies (no remarketing, no conversion tracking) - Social media cookies (no Facebook Pixel, no LinkedIn Insights) - Third-party tracking cookies of any kind - Cross-site tracking or fingerprinting technologies This restriction is intentional and critical to maintaining HIPAA compliance and protecting patient privacy. We do not track user behavior, build user profiles, or share any usage data with third parties on our healthcare platform. ## 5. Similar Technologies In addition to cookies, we use other tracking technologies that serve similar purposes: ### Web Beacons (Pixels) Web beacons are tiny graphics with a unique identifier, similar in function to cookies. Unlike cookies, which are stored on your device, web beacons are embedded invisibly on web pages or in emails. **Usage on bioscope.ai:** - Email open tracking to measure newsletter engagement - Conversion tracking for marketing campaigns - Page view analytics and user flow analysis **Usage on app.us.bioscope.ai:** - Not used for any purpose ### Local Storage and Session Storage HTML5 local storage and session storage allow websites to store data in your browser with no expiration date (local storage) or for a single session (session storage). **Usage on bioscope.ai:** - Storing user interface preferences (theme, layout settings) - Caching static resources for faster page loads - Temporary storage for form data to prevent loss **Usage on app.us.bioscope.ai:** - Encrypted storage of UI state for clinical workflows - Temporary caching of non-PHI interface elements - Session-scoped storage for in-progress form data (automatically cleared) - All local storage is encrypted and subject to same security controls as cookies ### Server Logs Our web servers automatically collect certain information in log files, including: - IP addresses - Browser type and version - Operating system - Referring URLs - Pages visited and time spent on pages - Date and time stamps **bioscope.ai:** Standard web server logging with 90-day retention for security and analytics purposes. **app.us.bioscope.ai:** Enhanced logging with 7-year retention for HIPAA compliance, including comprehensive audit trails of all access to PHI. All log data is encrypted and access-controlled. ## 6. Your Cookie Choices and Controls You have several options to manage and control cookies on your device. Please note that restricting cookies may impact your ability to use certain features of our websites. ### 6.1 Cookie Consent (bioscope.ai) When you first visit bioscope.ai, you will see a cookie consent banner that allows you to: - Accept all cookies - Reject non-essential cookies - Customize your cookie preferences by category - Change your preferences at any time via the cookie settings link in our footer Your consent choices are stored in a cookie (`CookieConsent`) so we remember your preferences on future visits. **Important:** Strictly necessary cookies cannot be disabled as they are essential for the website to function. Analytics, marketing, and functional cookies require your consent and can be disabled at any time. ### 6.2 Browser Controls Most web browsers allow you to manage cookies through their settings. You can typically: - View what cookies are stored and delete them individually - Block third-party cookies - Block cookies from specific sites - Delete all cookies when you close your browser - Browse in "private" or "incognito" mode **Browser-Specific Instructions:** - **Chrome:** Settings > Privacy and security > Cookies and other site data - **Firefox:** Options > Privacy & Security > Cookies and Site Data - **Safari:** Preferences > Privacy > Cookies and website data - **Edge:** Settings > Cookies and site permissions > Cookies and site data - **Opera:** Settings > Privacy & security > Cookies For detailed instructions, visit your browser's help pages or see [www.allaboutcookies.org](https://www.allaboutcookies.org). **Impact of Blocking Cookies:** - **bioscope.ai:** Blocking cookies may prevent you from accessing certain features, customizing preferences, or receiving personalized content. The website will still function for basic browsing. - **app.us.bioscope.ai:** Blocking strictly necessary cookies will prevent you from logging in and accessing the platform. The healthcare platform cannot function without these essential security cookies. ### 6.3 Third-Party Opt-Outs You can opt out of third-party advertising cookies through industry opt-out programs: - **Network Advertising Initiative (NAI):** [www.networkadvertising.org/choices](https://www.networkadvertising.org/choices) - **Digital Advertising Alliance (DAA):** [www.aboutads.info/choices](https://www.aboutads.info/choices) - **European Interactive Digital Advertising Alliance (EDAA):** [www.youronlinechoices.eu](https://www.youronlinechoices.eu) **Platform-Specific Opt-Outs:** - **HubSpot:** Manage your HubSpot tracking preferences by adjusting your cookie consent settings on our website or contacting us at privacy@bioscope.ai - **LinkedIn:** Control advertising preferences at [www.linkedin.com/psettings/advertising](https://www.linkedin.com/psettings/advertising) Please note that opting out of advertising cookies does not mean you will no longer see advertisements; it means the ads you see will not be targeted based on your browsing behavior. ### 6.4 Do Not Track Signals Some browsers include a "Do Not Track" (DNT) feature that signals to websites that you do not want your online activity tracked. Currently, there is no industry standard for how websites should respond to DNT signals. **Our Response:** - **bioscope.ai:** We do not currently respond to DNT signals but respect your cookie consent choices made through our cookie banner. - **app.us.bioscope.ai:** The platform does not use tracking cookies, so DNT signals are not applicable. For users in jurisdictions with specific privacy laws (such as GDPR or CCPA), we provide additional controls as described in our Privacy Policy. ## 7. Mobile Applications Currently, Bioscope AI does not offer mobile applications. This Cookie Policy applies only to our web-based platforms accessed through browsers. If we develop mobile applications in the future, we will update this policy to describe how we use cookies and similar technologies in mobile contexts, including: - Mobile device identifiers - SDK-based tracking - In-app analytics - Push notification tokens - App-specific storage mechanisms We will provide appropriate notice and obtain required consents before implementing any tracking technologies in mobile applications. ## 8. International Users Bioscope AI operates primarily in the United States, and our servers are located in the United States. However, we serve users globally and comply with applicable international privacy laws. ### European Union (GDPR) For users in the European Economic Area (EEA), United Kingdom, or Switzerland: **Legal Basis for Cookie Processing:** - **Strictly Necessary Cookies:** Processed based on legitimate interests (Article 6(1)(f) GDPR) to ensure website security and functionality. - **Analytics, Marketing, and Functional Cookies:** Processed based on your explicit consent (Article 6(1)(a) GDPR), which you can withdraw at any time. **Your Rights:** - Right to withdraw consent for non-essential cookies - Right to access data collected through cookies - Right to erasure (deletion) of cookie data - Right to object to processing for direct marketing purposes - Right to lodge a complaint with your local data protection authority **Data Transfers:** When we use third-party services (HubSpot, LinkedIn) that may transfer data outside the EEA, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses or adequacy decisions. ### California (CCPA/CPRA) For California residents: **Your Rights:** - Right to know what personal information is collected through cookies - Right to delete personal information collected through cookies - Right to opt out of the "sale" or "sharing" of personal information (which may include certain cookie-based advertising) - Right to limit use of sensitive personal information **How to Exercise Rights:** - Use our cookie consent banner to manage cookie preferences - Contact us at privacy@bioscope.ai to request deletion or access to cookie data - Use our "Do Not Sell or Share My Personal Information" link for CCPA opt-out rights **No Discrimination:** We will not discriminate against you for exercising your privacy rights. ### Other Jurisdictions If you have questions about how cookie laws apply to you based on your location, please contact us at privacy@bioscope.ai. ## 9. Contact Us If you have questions, concerns, or requests regarding this Cookie Policy or our cookie practices, please contact us: **Bioscope AI Inc.** Email: privacy@bioscope.ai Privacy Officer: Chief Privacy Officer **Response Time:** We strive to respond to all privacy inquiries within 30 days (or within applicable legal timeframes for formal privacy rights requests). **Escalation:** If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority or seek other legal remedies available under applicable law. ## 10. Related Policies This Cookie Policy should be read in conjunction with our other privacy and security policies: - **[Privacy Policy](/legal/privacy-policy)** - Comprehensive information about how we collect, use, and protect your personal information across all Bioscope AI services. - **[Business Associate Agreement (BAA)](/legal/business-associate-agreement)** - For healthcare providers and covered entities using app.us.bioscope.ai, our BAA governs the handling of Protected Health Information. - **[Data Processing Agreement (DPA)](/legal/data-processing-agreement)** - For enterprise customers, our DPA covers data processing activities including cookie data. - **[Master Services Agreement (MSA)](/legal/master-services-agreement)** - Master services agreement for Bioscope AI services. --- Thank you for taking the time to understand our cookie practices. Your privacy and security are our top priorities, and we are committed to transparency in how we use cookies and similar technologies across our platforms. --- # Data Processing Agreement (DPA) This Data Processing Agreement ("DPA") is entered into as of the Effective Date set forth in the Order, by and between the medical group or medical practice identified in the Order ("Controller" or "Business") and Bioscope.ai, Inc. ("Processor" or "Service Provider"). ## Recitals WHEREAS, Controller and Processor have entered into a SaaS Agreement (the "Agreement") pursuant to which Processor provides certain software services and related services to Controller; WHEREAS, in connection with such services, Processor may process Personal Information on behalf of Controller; WHEREAS, certain states have enacted comprehensive privacy laws regulating the processing of Personal Information, including the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA"), the Colorado Privacy Act ("CPA"), the Connecticut Data Privacy Act ("CTDPA"), the Utah Consumer Privacy Act ("UCPA"), the Virginia Consumer Data Protection Act ("VCDPA"), and similar laws (collectively, "State Privacy Laws"); WHEREAS, the parties desire to comply with applicable State Privacy Laws and to protect the privacy rights of individuals whose Personal Information is processed under the Agreement; NOW, THEREFORE, in consideration of the mutual promises below and the exchange of information pursuant to this DPA, the parties agree as follows: ## 1. Definitions Terms used, but not otherwise defined, in this DPA shall have the same meaning as those terms in applicable State Privacy Laws or, if not defined therein, in the Agreement. **1.1 "Applicable Law"** means any statute, law, regulation, ordinance, rule, judgment, order, decree, directive, guideline, policy, requirement, or other governmental restriction or any similar form of decision of, or determination by, any governmental authority, in each case as amended, that is binding upon a party. **1.2 "Consumer"** or "Individual" means a natural person who is a resident of a state with an applicable State Privacy Law, as defined in such State Privacy Law. **1.3 "Consumer Health Data"** means Personal Information that is identified as consumer health data under the My Health My Data Act (Washington) or Nevada's consumer health data privacy law, or similar definitions under other state laws, including: - Individual's health conditions, treatment, diseases, or diagnosis; - Social, psychological, behavioral, and medical interventions; - Health-related surgeries or procedures; - Use or purchase of prescribed medication; - Bodily functions, vital signs, measurements, or symptoms; - Diagnoses or diagnostic testing, treatment, or medication; - Gender-affirming care information; - Reproductive or sexual health information; - Biometric data; - Genetic data; - Precise location information that could reasonably indicate an individual's attempt to acquire or receive health services or supplies; - Data that identifies an individual seeking health care services; or - Any information that is derived from or inferred from such data. **1.4 "Controller" or "Business"** means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Information. For purposes of this DPA, "Controller" includes the entity defined as "Business" under the CCPA. **1.5 "De-identified Data"** means information that cannot reasonably be used to infer information about, or otherwise be linked to, an identified or identifiable natural person, provided that the party possessing such information: (a) takes reasonable measures to ensure that such information cannot be associated with a natural person or household; (b) publicly commits to process such information only in a de-identified fashion and not attempt to re-identify such information; and (c) contractually obligates any recipients of such information to satisfy the criteria set forth in this definition. **1.6 "Genetic Data"** means Personal Information concerning an individual's genetic characteristics including raw sequence data from whole genome sequencing, processed variant data, genetic test results, and any information derived from the analysis of such genetic information. **1.7 "Personal Information"** means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular Consumer or household, as defined under applicable State Privacy Laws. Personal Information includes, without limitation, Consumer Health Data and Genetic Data. **1.8 "Processing" or "Process"** means any operation or set of operations performed on Personal Information or on sets of Personal Information, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction. **1.9 "Processor" or "Service Provider"** means a natural or legal person who Processes Personal Information on behalf of the Controller. For purposes of this DPA, "Processor" includes the entity defined as "Service Provider" under the CCPA and similar terms under other State Privacy Laws. **1.10 "Sale"** shall have the meaning given to such term under applicable State Privacy Laws, generally meaning the exchange of Personal Information for monetary or other valuable consideration. **1.11 "Security Incident"** means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Information. **1.12 "Sensitive Personal Information"** means Personal Information that reveals an individual's social security, driver's license, state identification card, or passport number; account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account; precise geolocation; racial or ethnic origin, religious or philosophical beliefs, or union membership; contents of mail, email, and text messages unless the business is the intended recipient; genetic data; biometric information processed for the purpose of uniquely identifying an individual; personal information collected and analyzed concerning an individual's health, sex life, or sexual orientation; and Consumer Health Data, as defined under applicable State Privacy Laws. **1.13 "Share"** or "Sharing" means to release, disclose, disseminate, make available, transfer, or otherwise communicate orally, in writing, or by electronic or other means, Personal Information to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration, as defined under applicable State Privacy Laws. **1.14 "State Privacy Laws"** means comprehensive state privacy laws including but not limited to: California Consumer Privacy Act as amended by the California Privacy Rights Act (Cal. Civ. Code §§ 1798.100 et seq.), Colorado Privacy Act (Colo. Rev. Stat. §§ 6-1-1301 et seq.), Connecticut Data Privacy Act (Conn. Gen. Stat. §§ 42-515 et seq.), Utah Consumer Privacy Act (Utah Code Ann. §§ 13-61-101 et seq.), Virginia Consumer Data Protection Act (Va. Code Ann. §§ 59.1-575 et seq.), Washington My Health My Data Act (RCW 19.373), Nevada consumer health data privacy law (NRS 439\.), and any similar successor legislation or implementing regulations. **1.15 "Subprocessor"** means any third party engaged by Processor to Process Personal Information on behalf of Controller in connection with the Services. ## 2. Scope and Applicability **2.1 Scope.** This DPA applies to Processor's Processing of Personal Information on behalf of Controller in connection with the Services, to the extent such Processing is subject to State Privacy Laws. **2.2 Roles.** The parties acknowledge and agree that: - Controller is the Controller or Business with respect to Personal Information Processed under the Agreement; - Processor is the Processor or Service Provider with respect to such Personal Information; - Controller shall determine the purposes and means of Processing Personal Information; - Processor shall Process Personal Information only as a Processor or Service Provider on behalf of Controller. **2.3 Categories of Personal Information.** Processor may Process the following categories of Personal Information on behalf of Controller: - Identifiers (name, contact information, government-issued identifiers); - Personal information as defined in Cal. Civ. Code § 1798.80(e) (signature, physical characteristics or description, contact information); - Protected classification characteristics (age, sex, gender, race, ethnicity, national origin); - Health and medical information (medical conditions, diagnoses, treatments, procedures, medications, test results, vital signs, symptoms); - Genetic Data (whole genome sequences, variant data, genetic test results, family health history, pharmacogenomics data); - Biometric information (physical characteristics from photographs, body composition data, fingerprints or other unique biological identifiers if collected); - Internet or other electronic network activity information (usage data, device information, IP address, browsing history within the Software Service); - Geolocation data (if collected through the Software Service); - Professional or employment-related information (medical practice information, professional licenses); - Education information; - Inferences drawn from any of the above to create a profile about health status, preferences, or characteristics; - Sensitive Personal Information, including Consumer Health Data and Genetic Data. **2.4 Purposes of Processing.** Processor shall Process Personal Information solely for the following purposes: - Providing the Software Service as described in the Agreement; - Performing genetic data analysis and generating health insights; - Enabling AI-powered analysis of genetic and health data; - Integrating with electronic health records as requested by Controller; - Providing technical support and customer service; - Maintaining and improving the Software Service; - Ensuring security and integrity of the Software Service; - Complying with legal obligations; - Detecting and preventing fraud, security incidents, and illegal activity; - Other purposes expressly authorized in writing by Controller. **2.5 Data Subjects.** Personal Information Processed under this DPA relates to the following categories of data subjects: - Patients of Controller who have authorized genetic testing and health analysis; - Authorized Users of Controller (physicians, clinicians, and other healthcare professionals); - Other individuals whose Personal Information is provided by Controller in connection with the Services. ## 3. Processor's Obligations **3.1 Processing Instructions.** Processor shall: - Process Personal Information only on documented instructions from Controller, including with respect to transfers of Personal Information to jurisdictions outside the United States, unless required to do so by Applicable Law; - Immediately inform Controller if, in Processor's opinion, Controller's instructions violate State Privacy Laws or other Applicable Law; - Not Process Personal Information for any purpose other than as necessary to provide the Services or as otherwise permitted under this DPA or the Agreement. **3.2 Compliance with State Privacy Laws.** Processor shall: - Comply with all applicable obligations of Processors or Service Providers under State Privacy Laws; - Not Sell Personal Information; - Not retain, use, or disclose Personal Information outside of the direct business relationship with Controller, except as otherwise permitted under State Privacy Laws; - Not combine Personal Information received from Controller with Personal Information received from other sources, except as permitted by State Privacy Laws; - Certify that Processor understands the restrictions in this Section 3.2 and will comply with them. **3.3 Prohibited Processing of Sensitive Personal Information.** Processor shall not: - Use or disclose Sensitive Personal Information (including Consumer Health Data and Genetic Data) for any purpose other than providing the Services; - Sell Sensitive Personal Information; - Process Sensitive Personal Information for purposes of inferring characteristics about Consumers, except as necessary to provide the Services; - Retain, use, or disclose Sensitive Personal Information for any commercial purpose other than providing the Services. **3.4 Security Measures.** Processor shall implement and maintain appropriate technical and organizational measures to protect Personal Information against Security Incidents and to ensure a level of security appropriate to the risk, including: (a) **Technical Measures:** - Encryption of Personal Information at rest using AES-256 or equivalent; - Encryption of Personal Information in transit using TLS 1.3 or higher; - Secure key management practices; - Network security controls including firewalls, intrusion detection/prevention systems; - Secure authentication mechanisms including multi-factor authentication; - Secure software development practices; - Regular vulnerability assessments and penetration testing; - Secure logging and monitoring of system access and activities. (b) **Organizational Measures:** - Access controls limiting access to Personal Information to authorized personnel with legitimate need-to-know; - Workforce training on data protection and security; - Confidentiality agreements with personnel who have access to Personal Information; - Incident response procedures; - Business continuity and disaster recovery plans; - Regular security assessments and audits; - Vendor management program for Subprocessors; - Data retention and deletion procedures. (c) **Specific Measures for Genetic Data and Consumer Health Data:** - Additional encryption and access control measures given the sensitive nature of genetic information; - Separation of genetic data from other Personal Information where technically feasible; - Audit logging of all access to genetic data; - Procedures to prevent unauthorized re-identification of de-identified genetic data. **3.5 Confidentiality.** Processor shall ensure that all personnel who have access to Personal Information are subject to confidentiality obligations and are trained on the requirements of this DPA and applicable State Privacy Laws. **3.6 Subprocessors.** (a) Controller hereby provides general authorization for Processor to engage Subprocessors to Process Personal Information, subject to the requirements of this Section. (b) Processor shall enter into a written agreement with each Subprocessor imposing data protection obligations substantially similar to those in this DPA. (c) Processor maintains a current list of Subprocessors at https://security.bioscope.ai/legal, which Processor shall update prior to engaging any new Subprocessor or replacing an existing Subprocessor. Controller may raise concerns regarding any Subprocessor by contacting Processor, and Processor shall consider such concerns in good faith. **3.7 Assistance with Consumer Rights Requests.** Processor shall, taking into account the nature of the Processing: (a) Provide reasonable assistance to Controller in responding to requests from Consumers to exercise their rights under State Privacy Laws, including rights to: - Know what Personal Information is collected, used, disclosed, or Sold; - Access their Personal Information; - Delete their Personal Information; - Correct inaccurate Personal Information; - Opt-out of the Sale or Sharing of Personal Information; - Limit the use and disclosure of Sensitive Personal Information; - Not be subject to automated decision-making; - Data portability. (b) Notify Controller within five (5) business days if Processor receives a request directly from a Consumer to exercise any rights under State Privacy Laws. (c) Not respond directly to such requests without Controller's prior written authorization. (d) Provide Controller with the information and assistance necessary to respond to Consumer requests within the time periods required by State Privacy Laws (generally 45 days with a possible 45-day extension). **3.8 Assistance with Compliance Obligations.** Processor shall provide reasonable assistance to Controller in: (a) Conducting data protection impact assessments where required by State Privacy Laws; (b) Implementing appropriate technical and organizational measures to comply with State Privacy Laws; (c) Responding to inquiries from regulatory authorities regarding Processing of Personal Information; (d) Preparing for and responding to regulatory audits or investigations. **3.9 Data Breach Notification.** (a) Processor shall notify Controller without unreasonable delay, and in no event later than forty-eight (48) hours after the confirmation of a Security Breach that affects Personal Information. (b) Such notification shall include, to the extent available: - A description of the nature of the Security Incident, including the categories and approximate number of Consumers affected and the categories and approximate number of Personal Information records affected; - The contact information of Processor's data protection officer or other relevant contact; - A description of the measures taken or proposed to be taken to address the Security Incident and to mitigate its possible adverse effects; (c) Processor shall: - Investigate the Security Incident promptly and thoroughly; - Take reasonable steps to mitigate the effects of the Security Incident; - Cooperate with Controller in Controller's investigation and response to the Security Incident; - Preserve all evidence relating to the Security Incident; - Provide Controller with periodic updates on the investigation and remediation efforts; - Implement measures to prevent similar Security Incidents in the future. (d) Controller shall be responsible for determining whether notification to affected Consumers, regulatory authorities, or other parties is required under Applicable Law, and for making any such notifications. **3.10 Deletion of Personal Information.** (a) Upon termination or expiration of the Agreement, or upon Controller's written request, Processor shall, at Controller's option: - Delete all Personal Information in Processor's possession or control; or - Return all Personal Information to Controller in a commonly used and machine-readable format; or - If deletion or return is not technically feasible, de-identify all Personal Information in accordance with State Privacy Laws. (b) Processor shall complete the deletion or return of Personal Information within sixty (60) days of the termination date or Controller's request. (c) Processor shall certify in writing to Controller that it has completed deletion or return of Personal Information in accordance with this Section. (d) Processor shall ensure that all Subprocessors delete or return Personal Information in accordance with this Section. (e) Processor may retain Personal Information to the extent required by Applicable Law, provided that Processor shall: - Isolate and protect such Personal Information from any further Processing except as required by Applicable Law; - Implement appropriate technical and organizational measures to ensure the security of such Personal Information; - Delete such Personal Information as soon as the legal retention requirement expires. **3.11 Audits and Inspections.** (a) Processor shall make available to Controller all information necessary to demonstrate compliance with this DPA and State Privacy Laws. (b) If an audit reveals non-compliance with this DPA, Processor shall remediate such non-compliance within thirty (30) days or such other timeframe as agreed by the parties. **3.12 Records and Documentation.** Processor shall maintain accurate and up-to-date records of: - Categories of Personal Information Processed; - Purposes of Processing; - Categories of Consumers whose Personal Information is Processed; - Categories of recipients to whom Personal Information is disclosed; - Security measures implemented to protect Personal Information; - Security Incidents and responses thereto; - Consumer rights requests and responses thereto; - Data retention and deletion practices. **3.13 Training.** Processor shall provide regular training to its personnel on State Privacy Laws, data protection principles, and the requirements of this DPA. **3.14 Designated Contacts.** Processor shall designate and maintain a data protection officer or other appropriate contact person responsible for overseeing compliance with this DPA and State Privacy Laws. ## 4. De-Identification **4.1 Authorization to De-identify.** Subject to any limitations set forth in the Order, Processor may de-identify Personal Information in accordance with State Privacy Laws, provided that Processor: (a) Takes reasonable measures to ensure that the information cannot be associated with a Consumer or household; (b) Publicly commits to maintain and use the information in de-identified form and not attempt to re-identify the information; (c) Contractually obligates any recipients of the de-identified information to comply with all provisions of this Section. **4.2 Use of De-identified Data.** Once Personal Information is properly de-identified in accordance with Section 4.1: (a) The de-identified information is no longer subject to the restrictions of this DPA; (b) Processor may use and disclose de-identified information for any lawful purpose, including: - Research and development; - Quality assurance and improvement; - Algorithm training and improvement; - Training of artificial intelligence and machine learning models; - Scientific publication; - Development of new products and services; - Benchmarking and analytics; - Any other lawful commercial purpose. (c) Processor shall not attempt to re-identify de-identified information or enable third parties to do so. **4.3 Patient Communications Regarding Research Opportunities.** Controller acknowledges that Processor may, from time to time, contact Data Subjects to inform them of voluntary opportunities to participate in scientific research, clinical studies, or similar programs that may advance understanding of genetic conditions and treatments. Such contact shall: - (a) Be limited to Data Subjects who have provided consent to receive such communications; - (b) Clearly identify the communication as coming from Processor; - (c) Not obligate the Data Subject to participate in any program; - (d) Not condition access to Services on participation; and - (e) Comply with applicable laws regarding electronic communications. ## 5. Controller's Obligations **5.1 Lawful Processing Instructions.** Controller shall ensure that its Processing instructions comply with State Privacy Laws and other Applicable Law. **5.2 Consumer Consents and Notices.** Controller shall be responsible for: (a) Providing Consumers with all required notices regarding the collection, use, and disclosure of Personal Information, including Consumer Health Data and Genetic Data; (b) Obtaining all necessary consents from Consumers for the Processing of their Personal Information, including explicit consent for the Processing of Sensitive Personal Information where required by State Privacy Laws; (c) Informing Consumers of their rights under State Privacy Laws; (d) Ensuring that Consumers have the ability to exercise their rights under State Privacy Laws. **5.3 Lawful Collection.** Controller represents and warrants that: (a) Controller has collected Personal Information lawfully and in compliance with State Privacy Laws; (b) Controller has the necessary legal basis to disclose Personal Information to Processor for Processing in accordance with this DPA; (c) Controller's disclosure of Personal Information to Processor does not violate any rights of Consumers or any third parties. **5.4 Changes to Processing Instructions.** Controller shall notify Processor of any changes to Processing instructions that may affect Processor's obligations under this DPA. **5.5 Notification of Restrictions.** Controller shall notify Processor of any Consumer requests to opt-out of Sale or Sharing, limit use of Sensitive Personal Information, or impose other restrictions on Processing, to the extent such restrictions affect Processor's Processing of Personal Information. ## 6. Washington and Nevada Specific Provisions **6.1 Applicability.** This Section applies to the Processing of Consumer Health Data of residents of Washington and Nevada. **6.2 Additional Definitions.** (a) For Washington residents, the terms "Collect," "Consumer," "Consumer Health Data," "Deidentified Data," "Disclose," "Geofencing," "Homepage," "Person," "Process," "Regulated Entity," "Sale," "Share," "Small Business," and "Valid Authorization" shall have the meanings set forth in the Washington My Health My Data Act (RCW 19.373). (b) For Nevada residents, applicable terms shall have the meanings set forth in Nevada's consumer health data privacy law (NRS 439.). **6.3 Washington-Specific Requirements.** With respect to Consumer Health Data of Washington residents, Processor shall: (a) Not Collect, Share, or use Consumer Health Data except: - With valid authorization from the Consumer obtained by Controller; - To provide a product or service that the Consumer requested from Controller; - To effectuate a product or service request transaction; - For treatment activities conducted by or at the direction of a health care provider; - As otherwise permitted under RCW 19.373. (b) Not Sell Consumer Health Data to a third party; (c) Not use any Consumer Health Data for any of the following purposes: - Marketing or advertising to a Consumer based on the Consumer seeking health care services; - Discriminating against a Consumer in the provision of lawful products or services based on the Consumer seeking health care services; - Engaging in the unauthorized practice of medicine under RCW 18.71; (d) Not use any geofencing technology around any entity that provides in-person health care services; (e) Establish, implement, and maintain reasonable administrative, technical, and physical data security practices including, at minimum: - Conducting data security risk assessments; - Limiting access to Consumer Health Data to individuals with authorized access; - Establishing, implementing, and complying with a data retention policy; - Disposing of Consumer Health Data in accordance with the data retention policy; - Establishing, implementing, and complying with a data disposal policy; (f) Obtain valid authorization from Consumers (obtained by Controller) before sharing Consumer Health Data, which includes disclosure for any of the following purposes: - Marketing; - Sale of Consumer Health Data; - Licensing, renting, trading, or other exchange of Consumer Health Data to or with a third party for monetary or other valuable consideration. **6.4 Nevada-Specific Requirements.** With respect to Consumer Health Data of Nevada residents, Processor shall comply with all applicable requirements of Nevada's consumer health data privacy law, including restrictions on collection, use, and disclosure of Consumer Health Data. **6.5 Consumer Requests.** For Washington and Nevada residents, Processor shall assist Controller in responding to Consumer requests to: - Confirm whether Consumer Health Data is being Collected, Shared, or Sold; - Access their Consumer Health Data; - Withdraw consent to further Collection, Sharing, or Sale of Consumer Health Data; - Delete Consumer Health Data. ## 7. California-Specific Provisions **7.1 Applicability.** This Section applies to Personal Information of California residents subject to the CCPA. **7.2 Service Provider Certification.** Processor certifies that it understands the restrictions in this DPA and Section 1798.140(ag) of the CCPA and will comply with them. **7.3 Prohibited Uses.** Processor shall not: (a) Sell or Share Personal Information; (b) Retain, use, or disclose Personal Information for any purpose other than for the specific purpose of performing the Services, including retaining, using, or disclosing Personal Information for a commercial purpose other than providing the Services; (c) Retain, use, or disclose Personal Information outside of the direct business relationship between Processor and Controller. **7.4 Sensitive Personal Information.** With respect to Sensitive Personal Information, including Consumer Health Data and Genetic Data, Processor shall: (a) Only use or disclose Sensitive Personal Information for purposes of providing the Services and as otherwise permitted by CCPA § 1798.121; (b) Not use or disclose Sensitive Personal Information to infer characteristics about Consumers except as necessary to provide the Services; (c) Implement additional security measures appropriate to the sensitivity of such information. **7.5 Automated Decision-Making.** If Processor uses Personal Information for automated decision-making, including profiling, Processor shall: (a) Provide meaningful information about the logic involved; (b) Disclose the significance and envisioned consequences of such Processing for Consumers; (c) Comply with California Civil Code § 1798.185(a)(16) regarding automated decision-making technology. ## 8. Term and Termination **8.1 Term.** This DPA shall commence on the Effective Date of the ORDER and shall remain in effect for as long as Processor Processes Personal Information on behalf of Controller. **8.2 Termination for Cause.** Either party may terminate this DPA immediately upon written notice if the other party materially breaches this DPA and fails to cure such breach within thirty (30) days of receiving written notice thereof. **8.3 Effect of Termination.** Upon termination or expiration of this DPA: (a) Processor shall cease all Processing of Personal Information; (b) Processor shall delete or return Personal Information in accordance with Section 3.10; (c) The obligations set forth in Sections 3.10 (Deletion of Personal Information), 3.11 (Audits), 8.3 (Effect of Termination), 9 (Liability and Indemnification), and 10 (General Provisions) shall survive termination. ## 9. Liability and Indemnification **9.1 Limitation of Liability.** Notwithstanding any provision in this DPA to the contrary, Processor's maximum aggregate liability to Controller under this DPA shall be subject to the limitations of liability set forth in the Agreement, **except** for claims arising under Section 9.1(a) and 9.1(b) below, which shall not be subject to the monetary cap set forth in the Agreement but shall remain subject to the exclusions of liability set forth in the Agreement (e.g., exclusion of indirect or consequential damages). **(a)** Security Incidents resulting from Processor's breach of this DPA; **(b)** Violations of State Privacy Laws caused by Processor; **(c)** Unauthorized Sale or Sharing of Personal Information by Processor; **(d)** Claims by Consumers or regulatory authorities arising from Processor's failure to comply with this DPA or State Privacy Laws. **9.2 Indemnification.** Processor shall indemnify, defend, and hold harmless Controller from and against any **third-party** claims, damages, losses, liabilities, costs, and expenses (including reasonable attorneys' fees) arising from or relating to: **(a)** Processor's breach of this DPA; **(b)** Processor's violation of State Privacy Laws; **(c)** Security Incidents in Processor's possession or control; **(d)** Claims by Consumers arising from Processor's improper Processing of Personal Information; **(e)** Regulatory fines, penalties, or sanctions resulting from Processor's non-compliance with State Privacy Laws; **(f)** Any claim that Processor Sold or Shared Personal Information in violation of this DPA or State Privacy Laws. **Notwithstanding the foregoing, Processor shall have no indemnification obligation to the extent a claim arises from or is attributable to Controller's or its Authorized Users' breach of the Agreement or this DPA, or Controller's negligence or willful misconduct.** **9.3 Notice and Cooperation.** Controller shall promptly notify Processor of any claims subject to indemnification under this Section and shall reasonably cooperate with Processor in the defense of such claims. Processor shall have sole control over the defense and settlement of any such claims, provided that **Processor shall not settle any claim that admits fault on behalf of Controller without Controller's prior written consent, which shall not be unreasonably withheld or delayed.** ## 10. General Provisions **10.1 Relationship to Agreement.** This DPA supplements and forms an integral part of the Agreement. In the event of any conflict between this DPA and the Agreement with respect to the Processing of Personal Information, this DPA shall prevail. **10.2 Amendments.** The parties agree to amend this DPA from time to time as necessary to comply with changes in State Privacy Laws or other Applicable Law. Processor shall provide Controller with notice of any such changes at least thirty (30) days prior to the effective date of the changes, except where immediate compliance is required by law. **10.3 Severability.** If any provision of this DPA is held to be invalid, illegal, or unenforceable, the remaining provisions shall remain in full force and effect and shall be construed to give effect to the parties' intent as reflected in the invalid, illegal, or unenforceable provision. **10.4 Waiver.** No waiver of any provision of this DPA shall be effective unless it is in writing and signed by the party against whom the waiver is sought to be enforced. No waiver shall be deemed a continuing waiver or a waiver of any other provision. **10.5 Entire Agreement.** This DPA, together with the Agreement, constitutes the entire agreement between the parties with respect to the subject matter hereof and supersedes all prior agreements and understandings, both written and oral. **10.6 Assignment.** Neither party may assign this DPA without the prior written consent of the other party, except in connection with a merger, acquisition, or sale of all or substantially all of its assets. **10.7 Governing Law.** This DPA shall be governed by and construed in accordance with the laws of the State of Indiana, without regard to its conflicts of law principles, and the applicable State Privacy Laws. **10.8 Notices.** All notices under this DPA shall be in writing and shall be sent to the addresses specified in the Agreement or as otherwise designated by either party in writing. **10.9 No Third-Party Beneficiaries.** This DPA is for the sole benefit of the parties and does not create any third-party beneficiary rights, except that Consumers may enforce their rights under State Privacy Laws as expressly provided by such laws. --- **Last Updated:** 12/05/2025 For questions about this Data Processing Agreement, please contact privacy@bioscope.ai --- **Bioscope.ai Genetic Testing Consent Form** This Genetic Testing Consent Form (“Consent Form”) will provide you with information regarding the genetic test provided by Bioscope.ai, Inc. (“Bioscope”) which your health care provider has ordered for you. You should discuss the genetic test with your health care provider or a genetic counselor. To assist you in understanding the reason for this testing, this form provides information about the testing process and potential results. **Purpose and Implications of Genetic Testing** The purpose of genetic testing is to determine if a genetic disease may be present, if there is an increased risk for a genetic disease, or if there is an increased risk of passing a genetic disease onto a child. Genetic testing can provide information that can assist your health care provider in making a diagnosis or help provide information for symptom management, treatment, or lifestyle changes. However, genetic testing cannot always determine when or what symptoms of a condition may show, which symptoms will occur first, how severe the condition will be, or how the condition will progress over time. Genetic testing may also be used to identify genetic characteristics and traits to provide information about how an individual will respond to medications or the effectiveness of a particular drug, which can assist your health care provider in determining which medications to prescribe. In rare cases, persons that have undergone genetic testing and have been diagnosed with a genetic condition have experienced problems with health insurance coverage, employment, and social discrimination if the genetic test results or genetic data become known to others. For more information about how you are protected against discrimination based on your genetic information, you can visit https://www.genome.gov/about-genomics/policy-issues/Genetic-Discrimination. **Description of Bioscope’s Genetic Testing** The Testing Laboratory (defined below), on behalf of Bioscope and your health care provider, will perform whole genome sequencing, which is a genetic test. This kind of genetic testing is not necessarily meant to identify one disease or condition, but instead to identify genetic characteristics and risk factors, including, but not limited to cancer, neurodegenerative disease, metabolic disorders and drug response. The sequencing is performed on DNA extracted from tissue collected from a biological sample. The purpose of this testing is to analyze DNA to find any genetic variants, including common variants and abnormal variants that might cause disease, make it more likely to develop a disease, and/or increase the chance of having a child affected by a disease. The testing may also identify other genetic variants, characteristics, and traits to identify ancestry information and predict how an individual will respond to a particular medication. Whole genomic sequencing examines essentially all of the DNA in the human genetic code, including coding and non-coding regions. **Possible Results and Significance of the Results** This genetic test aims to identify a wide variety of genetic variants, genetic characteristics, and genetic trait correlation. The results of the test could provide information about the geographic origins of your ancestors and provide insights into your genetic traits. The results may also provide you with information about you or your genetic relatives that you do not expect or that makes you uncomfortable, such as potential health risks. Results of genetic tests could also reveal that reported familial relationships are not true biological relationships. Moreover, the genetic test could include findings that are: * Positive, meaning some variants have been identified that are known to cause disease symptoms or impact the effectiveness or safety of a particular medication based on available scientific evidence at the time of testing. Results that indicate that some variants may (i) contribute to the diagnosis of a genetic condition or impact how your health care provider treats a health condition, (ii) reveal carrier status for a genetic condition, (iii) reveal a predisposition or an increased risk for developing a genetic disease in the future, or (iv) have implications for other family members. If the results of your genetic test come back as positive for certain variants, you may wish to consider further independent testing, consult with your health care provider or pursue genetic counseling. * Indeterminate, meaning some variants have been identified that could potentially contribute to disease symptoms, but there is no conclusive evidence either way. An indeterminate result may (i) lead to a suggestion that testing additional family members may be helpful, (ii) remain uncertain for the foreseeable future, or (iii) be resolved over time. * Negative, meaning some variants that are known or likely to cause disease symptoms or impact the effectiveness or safety of a particular medication based on the available scientific evidence at the time of testing have not been identified. Such results may (i) reduce but not eliminate the possibility that any of your diagnosed health conditions has a genetic basis, (ii) impact how your health care provider treats your health condition, (iii) reduce but not eliminate your predisposition or risk for developing a genetic disease in the future, or (iv) be uninformative. **Limitations and Effectiveness of Genetic Testing** Please note that genetic tests are not definitive. Due to limitations in technology or incomplete medical knowledge, some disease-causing variants may not be detected. Therefore, it is not possible to completely exclude all risks for all possible genetic diseases for you and your family members, including your children. Moreover, in some cases, the genetic test may indicate an abnormality in a gene, however, that does not always mean a genetic disorder will manifest. In addition, the genetic test may indicate a genetic abnormality when the individual is unaffected (false positive) or may indicate no genetic abnormality when the individual is affected (false negative). There may also be possible sources of error including, but not limited to, trace contamination, rare technical errors in the laboratory, rare DNA variants that compromise data analysis, inconsistent scientific classification systems, and inaccurate reporting of family relationships or clinical diagnosis information. **Performance of the Genetic Testing** If you sign this Consent Form, a genetic test, specifically whole genome sequencing (the “Test”) will be performed on a sample containing your biological materials, collected via a cheek swab (the “Sample”). Gene by Gene, a laboratory that has been contracted to conduct the testing (the “Testing Laboratory”) will perform the Test. The results of the Test and the genomic sequencing data and other genetic data derived from the Test will be disclosed back to Bioscope for processing in the Bioscope software application. Bioscope will make the results of the Test available to your healthcare provider who will discuss the results with you. Depending on your state of residence, you may have the right to receive a copy of the results of the Test. If you would like to request to receive a copy of the results of the test, please contact your health care provider. **Sample Collection** Your health care provider will provide you with a Sample collection kit or have one delivered to a mailing address of your choosing, which you will use to collect a Sample using a cheek swab. The Sample collection kit will include the information and material you need to send the Sample to the Testing Laboratory. The Sample will only be used to perform the Test. No other tests will be performed on the Sample. You have the right to have your Sample destroyed after completion of the genetic test, and the Sample will be destroyed after the genetic testing services have been provided, unless you have expressly authorized the retention of the Sample for a longer period. **Privacy and Confidentiality** In order to perform the Test and provide you with the services you have requested, in addition to the Sample, your health care provider will disclose certain personal data about you to Bioscope, including your name, address, date of birth, sex, information related to your medical history, and other health information (“Sensitive Data”). Bioscope will also receive the results from the Test, the genomic sequencing data and other genetic data generated from the Test (the “Genetic Data”). You have the right to confidential treatment of your Sample, Sensitive Data, and Genetic Data. Only your health care provider, Bioscope, and the Testing Laboratory and their respective service providers will have access to the Sample, Sensitive Data, and Genetic Data. The Sample, Sensitive Data, and Genetic Data will be used, disclosed, and otherwise processed for the purpose of the performance of the Test and associated services, including processing the Genetic Data and Sensitive Data in the Bioscope software solution, which includes the use of artificial intelligence to process the Genetic Data and Sensitive Data. Bioscope may retain and use the Sensitive Data and Genetic Data for internal research, product development, and quality assurance testing to improve its products and services. The Sample, Sensitive Data, and Genetic Data may also be used, disclosed, and otherwise processed for purposes otherwise permitted or required by applicable law. Bioscope will retain the Genetic Data and Sensitive Data for as long as necessary to provide the services associated with the Test. Bioscope may also deidentify Sensitive Data and Genetic Data and analyze that deidentified data for statistical or any other purposes permitted by law. The Sensitive Data and Genetic Data will be retained for the time needed to provide the genetic test and associated services or as is required to comply with applicable laws and regulations. The results of the Test and Genetic Data will only be released to your health care provider, Bioscope and its service providers, those individuals you have authorized to receive the results in writing, and those allowed access to the results by law. **Keeping You Informed About Research Opportunities** Medical research depends on people like you who are willing to contribute to scientific discovery. From time to time, there may be research studies or programs — conducted by Bioscope or in partnership with universities, hospitals, or other research organizations — that could benefit from your participation. We'd like your permission to let you know about these opportunities when they arise. Here's what this means: * We'll reach out to you by email or other contact method you've provided to tell you about the opportunity * You decide whether you want to learn more or participate — there's no obligation * Your data stays private — we will never share your genetic data or health information with anyone unless you specifically authorize it at that time * Your care isn't affected — whether you participate or not has no impact on your relationship with your healthcare provider or access to Bioscope services * You can opt out anytime — just let us know at privacy@bioscope.ai **Your Rights** Depending on your state of residence, you may have certain rights with respect to your Genetic Data and Sensitive Data. Those rights may include: * The right to inspect and obtain your Genetic Data. * The right to request correction of your Genetic Data. * The right to request the destruction of your Genetic Data. You may exercise your rights by contacting your health care provider. The genetic testing discussed in this Consent Form is voluntary. You are not required to consent to the collection, use, and disclosure of your Sensitive Data, Sample, and Genetic Data for the purposes described above. However, if you do not consent, your health care provider will not be able to order the genetic testing for you, as the collection, use, and disclosure of your Sensitive Data, Sample, and Genetic Data is necessary to conduct the Test and provide the results. If you consent, you have the right to withdraw your consent at any time by contacting your health care provider. **Further Questions** If you have any further questions about the information contained in this Consent Form, please contact your health care provider. **Authorization** By signing this Consent Form, I confirm that I have received, read, and understood the preceding written explanation about genetic testing. I have been adequately informed regarding the purpose, scope, type, and significance of such analysis and its possible results. I understand that genetic testing is voluntary. Furthermore, I confirm that I have had sufficient opportunities to ask questions, and such questions were answered in an understandable manner and to my full satisfaction. I hereby give consent to Bioscope and the Testing Laboratory to collect my Sample and perform the Test on my Sample. I hereby consent to the collection, use, disclosure, and other processing of my Sensitive Data and Genetic Data for the purposes of the provision of the genetic testing as described above. --- **Last Updated:** December 8, 2025 --- # List of Covered Services (HIPAA) The following Bioscope.ai products and services are covered by our Business Associate Agreement (BAA) when used in accordance with the Agreement and the BAA: ## 1. Bioscope.ai Software Service The cloud-based genetic analysis platform, including: - **AI-Powered Insights** - Machine learning-driven interpretation and analysis - **Patient and Clinician Interfaces** - Secure portals for data access and review - **AI Chat Interface** - The AI-powered conversational interface for clinicians to query and receive insights about patient data. ## 2. Lab Results Processing - Processing and storage of Lab Results from Bioscope.ai's designated laboratory testing facilities. ## 3. EHR Integration Services - Integration capabilities with electronic health record systems as specified in the applicable Order. --- **Last Updated:** December 5, 2025 --- **Bioscope.ai** This Master Services Agreement, including all terms, conditions and policies linked herein (the "Agreement") governs the access and use of the Software Service provided by Bioscope.ai ("Bioscope.ai") pursuant to an Order. BY EXECUTING AN ORDER, YOU AGREE TO BE BOUND BY THE TERMS OF THIS AGREEMENT AND HEREBY REPRESENT AND WARRANT THAT YOU ARE AUTHORIZED TO ENTER INTO THIS AGREEMENT ON BEHALF OF YOUR MEDICAL GROUP OR MEDICAL PRACTICE SPECIFIED IN THE ORDER (THE "LICENSEE") SUCH THAT YOU HAVE FULL AUTHORITY TO BIND THE LICENSEE TO THE TERMS OF THIS AGREEMENT. REFERENCES TO "YOU" IN THIS AGREEMENT ARE DEEMED TO ALSO INCLUDE THE LICENSEE. YOU AND LICENSEE UNDERSTAND BIOSCOPE.AI MAY MODIFY THE TERMS OF THIS AGREEMENT FROM TIME TO TIME AND WILL PROVIDE NOTICE TO YOU THAT MODIFICATIONS HAVE BEEN MADE UPON YOUR NEXT LOGIN TO THE SOFTWARE. WE MAY ALSO PROVIDE YOU WITH NOTICE VIA THE EMAIL ADDRESS ASSOCIATED WITH YOUR ACCOUNT. IF YOU DO NOT AGREE WITH THE UPDATED TERMS AND CONDITIONS, YOU AND LICENSEE SHOULD IMMEDIATELY CEASE USE OF THE SOFTWARE. ## 1. Definitions “Aggregated Data” means all data, content and information collected or related to an Authorized User’s use of the Software Service and all aggregated and deidentified Licensee Data. “Applicable Laws” mean all foreign, domestic, federal, state, local, and regional laws, rules, regulations, ordinances and orders, guidelines, and industry self-regulatory principles. “Authorized User” means any individual employed or contracted by Licensee who is authorized by Licensee to use the Software Service as a clinician providing treatment to a Patient. “Bioscope.ai Intellectual Property” means the Software Service (and the underlying technology, software code, know-how and models), Documentation, Aggregated Data and Feedback. “Confidential Information” means any non-public information that is marked or identified as confidential (or under the circumstances of the disclosure or the nature of the information, it would reasonably be understood to be confidential or proprietary) at the time of disclosure. “Equipment” means any and all internet access, computer hardware, computer networking and other services needed to access and use the Software Service. “Feedback” means feedback, comments, ideas or suggestions about the features, functions, or operation of the Software Service. "Intellectual Property Rights" means all registered and unregistered rights granted, applied for, or otherwise now or hereafter in existence under or related to any patent, copyright, trademark, trade secret, database protection, or other intellectual property rights laws, and all similar or equivalent rights or forms of protection, in any part of the world. "Losses" means any and all losses, damages, deficiencies, claims, actions, judgments, settlements, interest, awards, penalties, fines, costs, or expenses (including reasonable attorneys' fees). “Lab Results” means the raw genomics and microbiomics data and any resulting reports, findings, or derivations thereof generated by Bioscope.ai’s designated lab testing facility as a result of processing Patient’s cheek swab. “Licensee Data” means data, content or information (i) inputted by or on behalf of a Patient or any Authorized User regarding a Patient into the Software Service or (ii) comprising the Lab Results (including, without limitation and as applicable, PHI). Licensee Data excludes the Aggregated Data. “Order” means an executed order form that references and incorporates this Agreement. “Patient” means an individual who meets the following criteria: (a) is a patient of Licensee, (b) who has authorized treatment by Licensee and/or an Authorized User and (c) for whom Licensee is using the Software Service in connection with such treatment. “PHI” means Protected Health Information as defined in Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), Pub. L. No. 104-191 (1996) as amended, and the implementing regulations. “Software Service” means the Bioscope.ai cloud-based software offering(s), and associated services listed in the Order. “State Privacy Law” means any applicable law, regulation or other legal requirement protecting an individual’s privacy with respect to processing of personal information (as defined under such State Privacy Law) including, without limitation, the California Consumer Protection Act, as amended, including by the California Privacy Rights Act (Cal. Civ. Code §§ 1798.100–99) and its implementing regulations, the Colorado Privacy Act (Colo. Rev. Stat. §§ 6-1-1301–13), the Connecticut Data Privacy Act of 2022, the Utah Consumer Privacy Act (Utah Code Ann. §§ 13-61-101–404), the Virginia Consumer Data Protection Act (Va. Code Ann. §§ 59.1-575–85), and any similar or successor legislation or implementing regulations. “Subscription Fees” means the subscription fees listed in the Order to access and use of the Software Service. “Subscription Term” means the subscription term listed in the Order and any and all renewal terms. “Third Party Services” means software or technology services or other services provided by a third party. ## 2. Scope of Use 1. Subject to the terms and conditions of this Agreement and Licensee's complete payment of the applicable Subscription Fees, Bioscope.ai hereby grants to Licensee (and its Authorized Users) a non-exclusive, limited, royalty-free, fully paid up right to access and use the Software Service and applicable user guides and technical documentation relating to the Software Service which may be made available to you and/or Licensee electronically (the "Documentation"), solely in connection with providing treatment to the applicable Patient during the Subscription Term. Licensee is solely responsible for all of its Authorized Users' and its Patients' compliance with this Agreement and their acts and omissions, including, without limitation, in connection with the use of the Software Service and the completion of the On-Boarding Requirements. Bioscope.ai will provide technical support and updates for the Software Service during the Subscription Term (at no additional charge) in accordance with https://security.bioscope.ai/legal/support-terms (the "Support Terms"), which are hereby incorporated by reference. Bioscope.ai may make changes to the Software Service, Support Terms and/or Documentation from time to time, including to comply with Applicable Laws (including, without limitation, State Privacy Law), resolve errors and add or remove functionality. 2. Licensee and its Authorized Users shall not, and shall not permit any third party to: a. copy, modify, or create derivative works or improvements of any Bioscope.ai Intellectual Property; b. rent, lease, sell, sublicense, assign, distribute, publish, transfer, or otherwise make available any of the Bioscope.ai Intellectual Property to any third party; c. remove, circumvent, disable, damage, or otherwise interfere with any: (1) security-related features in the Bioscope.ai Intellectual Property; (2) features of the Bioscope.ai Intellectual Property that prevent or restrict use or copying of any content accessible through the Software Service; or (3) features of the Bioscope.ai Intellectual Property that enforce limitations on use of the Bioscope.ai Intellectual Property; d. interfere with or damage operation of the Bioscope.ai Intellectual Property, or any other licensee's or user's enjoyment of them, by any means, including inputting, uploading, transmitting, or otherwise submitting any materials that are unlawful or injurious, or contain or transmit any viruses, disabling code or other malware; e. attempt to gain unauthorized access to the Bioscope.ai Intellectual Property, other accounts, computer systems or networks connected to the Bioscope.ai Intellectual Property, or any part of it, through hacking, password mining or other improper or illegal means; f. use any robot, spider, scraper, or other automated means to access the Bioscope.ai Intellectual Property (for example, to scrape or copy content) for any purpose without Bioscope.ai's express prior written permission, or bypass any robot exclusion headers or other measures which may be used to prevent or restrict access to the Bioscope.ai Intellectual Property, as applicable, or modify the Bioscope.ai Intellectual Property in any manner or form; g. reverse engineer, disassemble, decompile, adapt, or otherwise attempt to derive or gain access to the source code of any of the Bioscope.ai Intellectual Property; h. remove, delete, alter, or obscure any trademarks or other proprietary or confidential markings from the Bioscope.ai Intellectual Property; i. access or use the Bioscope.ai Intellectual Property to develop a competing service or product; or j. otherwise access or use the Bioscope.ai Intellectual Property beyond the scope of this Agreement. 3. If Licensee becomes aware of any actual or threatened activity prohibited by this Agreement, Licensee shall, and shall cause its Authorized Users to, immediately notify Bioscope.ai and immediately take all measures necessary (including reasonably cooperating with Bioscope.ai) to stop such activity and Bioscope.ai may suspend Licensee's and its Authorized Users' access to the Software Service until such time that the actual or threatened activity has been resolved, based on Bioscope.ai's reasonable judgment. ## 3. Licensee's Obligations 1. Licensee shall determine the access controls and permissions of its Authorized Users. Licensee is solely responsible for all activity occurring under the Licensee's and its Authorized User's accounts. Licensee agrees to (and will ensure that its Authorized Users will) safeguard all usernames and passwords and not allow others (including other Authorized Users) to access or use the Software Service under another Authorized User's account. Licensee agrees to immediately notify Bioscope.ai in the event that (i) a password is lost or stolen or (ii) Licensee or an Authorized User becomes aware of any unauthorized use of a username or password or other breach of security of the Software Service. Licensee reserves the right to reject or revoke access rights to any Authorized User for any reason, including any Authorized User who does not meet the applicable criteria for use of the Software Service, who are otherwise not authorized, whose authorization lapses or terminates, or who otherwise violates the terms of this Agreement or any Applicable Law. 2. Licensee shall operate in good repair all Equipment required to access and use the Software Service. 3. Licensee is solely responsible for all Licensee Data, including their accuracy, legality and quality, and Licensee represents and warrants that Licensee has the necessary rights to the Licensee Data, so that Bioscope.ai's use of such Licensee Data will not infringe or misappropriate any third-party Intellectual Property Rights, rights or privacy, or violate any Applicable Law. Without limiting the foregoing, Licensee agrees that, as between Bioscope.ai and Licensee, Licensee is solely responsible for ensuring that each Patient has authorized Licensee to collect, generate and disclose the applicable data and information, including all PHI and Lab Results, for use and disclosure in accordance with this Agreement. Licensee further agrees that it has all rights and necessary authority to bind the Patient to the applicable terms and conditions of this Agreement (and applicable Orders). 4. Licensee understands that it or its Patient may be required to complete certain processes and/or requirements in order to view Patient-specific data and generate Patient-specific outputs using the Software Services. Such processes may include submitting samples to generate Lab Results, executing necessary consents to collect and share such data, uploading Patient records and/or integrating the Software Services with other software applications. If and to the extent integration with a third-party system is desirable, Licensee represents and warrants that it has obtained all necessary permissions from its third party providers, as applicable, to permit Licensee to integrate with such third-party systems. Licensee agrees to indemnify, defend, and hold harmless Bioscope.ai and its employees officers, affiliates directors and subcontractors for any claims, damages, expenses, and costs (including attorneys' fees) arising from or relating to Licensee's breach of the foregoing sentence. 5. If required under Applicable Law, Bioscope.ai will provide access to consents obtained from Patients by Licensee through the Software Services to assist Licensee in complying with Licensee's legal requirements to maintain such consents; provided, however, that Licensee (and not Bioscope.ai) will be ultimately responsible for compliance with any Applicable Laws and Licensee shall obtain all further consents and permissions deemed necessary by Licensee from its Patients to access and use the Software Services and Licensee Data. 6. LICENSEE UNDERSTANDS AND AGREES THAT ITS FAILURE TO PERFORM ITS OBLIGATIONS UNDER THIS AGREEMENT WILL IMPACT THE DATA, CONTENT AND RESULTS AVAILABLE THROUGH THE SOFTWARE SERVICE FOR WHICH BIOSCOPE.AI MAY NOT BE HELD RESPONSIBLE AND, IN SUCH CASE, NO SUBSCRIPTION FEES WILL BE REFUNDED. FURTHER, LICENSEE UNDERSTANDS AND AGREES THAT BIOSCOPE.AI MAKES NO REPRESENTATIONS OR WARRANTIES AND EXPLICITLY DISCLAIMS THE APPROPRIATENESS OR APPLICABILITY OF ANY COMPONENT OF THE SOFTWARE SERVICE, ANY OUTPUTS GENERATED BY THE SOFTWARE SERVICE OR BIOSCOPE.AI INTELLECTUAL PROPERTY, TO ANY SPECIFIC PATIENT'S CARE OR TREATMENT. WHEN SEEKING TO TREAT A PATIENT USING ANY CONTENT OR OUTPUT MADE AVAILABLE BY THE SOFTWARE SERVICE OR BISCOPE.AI INTELLECTUAL PROPERTY, LICENSEE (ON ITS BEHALF AND ON BEHALF OF ALL AUTHORIZED USERS) ACKNOWLEDGES AND AGREES THAT IT IS EXPECTED TO USE ITS INDEPENDENT MEDICAL JUDGMENT IN THE CONTEXT OF INDIVIDUAL CLINICAL CIRCUMSTANCES OF A SPECIFIC PATIENT'S CARE OR TREATMENT. ## 4. Subscription Term and Fees 1. The Subscription Term shall be as specified in the applicable Order. Except as otherwise specified in an Order, subscriptions will automatically renew for additional periods equal to the expiring Subscription Term, unless either party gives the other notice of non-renewal at least 60 days before the end of the relevant Subscription Term. Irrespective of Subscription Term, all Licensee obligations set forth in this Agreement shall remain in effect so long as the Licensee is still using Bioscope.ai Software Services. 2. If set forth in an Order, professional services may be provided by Bioscope.ai in connection with the configuration and implementation of the Software Service, such professional services shall be delivered in accordance with that Order, or, if applicable, will be described in a separate statement of work (each an "SOW"). This Agreement will apply to any such professional services provided. Such professional services will be billed according to the schedule set forth in the Order or SOW, as applicable. 3. Unless otherwise set forth in the Order: Subscription Fees and any other mutually agreed fees and charges are due and payable within 30 days from the invoice date, and invoices will be sent directly to the billing contact identified on the Order, which Licensee may update by providing written notice to Bioscope.ai. Late payments (on any undisputed amounts) may be subject to interest charges of 1.5% per month, or the maximum permitted by Applicable Law, whichever is lower, and the expenses associated with those collections. **All payment obligations are non-cancelable and once paid are nonrefundable. Failure to pay an invoice timely may result in a suspension of the Software Service.** 4. All Subscription Fees hereunder do not include any applicable sales or use taxes (such as GST or VAT). These taxes (if applicable) will be charged separately on the Order, unless Licensee provides (in advance) a valid tax exemption certificate authorized by the applicable taxing authority. Licensees are liable for applicable sales and use taxes. ## 5. Data Privacy 1. For each Patient receiving genetic testing services, Bioscope.ai will provide the Patient with a genetic information consent form and shall make the executed form available to the Licensee. 2. Licensee will be solely responsible for obtaining and retaining any additional patient consent required to provide the services under this Agreement consistent with Applicable Laws. 3. If Licensee is a Covered Entity, or becomes one and notifies Bioscope.ai in writing, as defined by the Health Insurance Portability and Accountability Act 45 at CFR § 103, Bioscope.ai, Licensee and its Authorized Users will perform their respective obligations under this Agreement consistent with the Business Associate Agreement available at https://security.bioscope.ai/legal/baa, hereby incorporated by reference. 4. If Licensee is not a Covered Entity, or ceases to be one, Bioscope.ai, Licensee and its Authorized Users will perform their respective obligations under this Agreement consistent with the Data Processing Agreement available at https://security.bioscope.ai/legal/data-processing-agreement/, hereby incorporated by reference. ## 6. Security Bioscope.ai will maintain commercially reasonable administrative, physical, and technical safeguards for the protection of the security, confidentiality, and integrity of Licensee Data stored Bioscope.ai in connection with the provision of the Software Service. ## 7. Ownership 1. Subject to right and licenses granted herein, Licensee retains all rights, title and interest to the Licensee Data. Licensee assumes full and complete responsibility for resolving any dispute regarding the right to use the Licensee Data by a party, as set forth in this Agreement. Bioscope.ai shall have no obligation whatsoever to resolve or intervene or incur any cost in any dispute or claim related to Licensee Data. Licensee hereby grants to Bioscope.ai a nonexclusive, worldwide, sublicensable, assignable, fully paid-up and royalty-free right and license to collect, process, use, transmit, and store the Licensee Data for the purpose of providing the Software Service (and applicable Bioscope.ai services, as contemplated herein) and as permitted under Applicable Law. 2. Bioscope.ai owns all right, title and interest, including all Intellectual Property Rights, in and to the Bioscope.ai Intellectual Property, including any modifications and enhancements thereto. This Agreement does not grant any ownership rights in or to the Bioscope.ai Intellectual Property and all rights not expressly granted under this Agreement to the Bioscope.ai Intellectual Property are reserved by Bioscope.ai. 3. If Licensee or any Authorized User provides Feedback, Licensee agrees (and shall cause its Authorized Users to) hereby assign all rights, title and interest, including all Intellectual Property Rights, in and to such Feedback to Bioscope.ai. For the purpose of clarity, Bioscope.ai may freely use and exploit the Feedback provided without any obligations or restrictions. 4. Licensee agrees that Bioscope.ai may collect or generate Aggregated Data, and all rights in and to such Aggregated Data, including all Intellectual Property Rights, belong to Bioscope.ai. Nothing in this Agreement restricts Bioscope.ai's use of the Aggregated Data, including but not limited to, with respect to the provision, development, modification, or training of Bioscope.ai's Software Services and other technologies, such machine learning or artificial intelligence models. 5. Licensee acknowledges that Bioscope.ai may communicate with Patients who have consented to receive such communications regarding opportunities to participate in research initiatives or programs. Any such communication shall clearly identify Bioscope.ai as the sender and shall inform the Patient that participation is voluntary. Bioscope.ai shall not disclose identifiable Patient Data to any third party, outside of designated service subprocessors, without first obtaining the Patient's separate written authorization. ## 8. Termination; Suspension 1. A party may terminate this Agreement if the other party commits a material breach of this Agreement and does not cure the breach within 30 days from receiving written notice. If Licensee terminates this Agreement for Bioscope.ai's uncured, material breach, Bioscope.ai will refund to Licensee the pro-rata portion of the Subscription Fees that were paid for the Software Service for the remainder of the Subscription Term net any fees due to obtain Lab Results. 2. In addition to the suspension rights set forth in this Agreement, Bioscope.ai reserves the right to temporarily suspend access to the Software Service if (i) Licensee has amounts more than 30 days past due, (ii) Licensee has not paid the Subscription Fees for renewal when due, or (iii) Bioscope.ai reasonably determines that Licensee or an Authorized User is using the Software Service in a way that creates a security vulnerability to the Software Service, is in breach of this Agreement, or violates Applicable Laws. Bioscope.ai will use commercially reasonable efforts to give Licensee prior notice if access will be suspended and will use commercially reasonable efforts to promptly restore access once the issue has been resolved. 3. On the expiration or termination of this Agreement, Licensee shall (and will cause its Authorized Users to) (i) immediately cease accessing the Software Service and (ii) promptly pay to Bioscope.ai any Subscription Fees that have accrued (but have not been paid) prior to the effective date of termination. In the event that there is no termination for cause by Licensee, the entire unpaid Subscription Fees shall promptly be due as there is no provision for early termination. Sections 3.d, 4.c, 7.b through 7.d, 8.a, 9, 11, 12, and, and 13.6 through 13.8 will survive any expiration or termination of this Agreement, along with any other provisions that by their nature should survive. ## 9. Confidentiality 1. Each party may need to provide the other with certain Confidential Information, which shall include the pricing and other terms and conditions set forth in this Agreement and on the Order (with the pricing and other terms and conditions set forth in this Agreement and on the Order being considered Bioscope.ai's Confidential Information). The receiving party may only use this Confidential Information for the purpose for which it was provided and may only share this Confidential Information with its employees, agents, and representatives who need to know it, provided they are subject to similar confidentiality obligations. The receiving party will use the same degree of care to protect and prevent any unauthorized use or disclosure of the disclosing party's Confidential Information that it uses to protect its own confidential information, but in no event less than reasonable care. 2. Confidential Information does not include any information that (i) was known (without any confidentiality obligations) prior to disclosure by the disclosing party, (ii) is publicly available (through no fault of the receiving party), (iii) is rightfully received by a third party (without a duty of confidentiality), or (iv) is independently developed (without access or use of Confidential Information). The receiving party may disclose Confidential Information when compelled to do so by law, so long as the receiving party provides prior written notice of the disclosure (if legally permitted) to allow the disclosing party the opportunity to seek protection or confidential treatment or to limit or prevent such disclosure. The receiving party also agrees to cooperate with the disclosing party if the disclosing party chooses to contest the disclosure requirement, seek confidential treatment of the information to be disclosed, or to limit the nature or scope of the information to be disclosed. 3. Each party acknowledges and agrees that violation of any covenants with respect to the Confidential Information of the other party may cause such other party irreparable harm, and that such other party will be entitled to seek an injunction and other equitable relief, without payment of any bond and in addition to all other remedies available to it as provided above or otherwise by law, to prevent any such violation or to secure enforcement of this Agreement. ## 10. Representations and Warranties 1. Each party represents and warrants that: (i) it is duly organized, validly existing and in good standing under the laws of its jurisdiction of incorporation; (ii) it has the full power and authority to enter into this Agreement and perform its obligations hereunder; and (iii) this Agreement, when executed and delivered, will constitute a valid and binding obligation of such party and will be enforceable against such party in accordance with its terms. 2. Biscope.ai further represents and warrants that the Software Service shall be provided in material compliance with the Documentation. As Licensee's sole and exclusive remedy for a breach of the foregoing warranty, Bioscope.ai will use commercially reasonable efforts to remediate the error identified in writing by Licensee. 3. Licensee further represents and warrants that (i) Licensee has obtained and shall maintain all necessary rights, licenses, consents, permissions, and lawful bases in compliance with all Applicable Laws to (A) use Licensee Data for the purpose of using the Software Service, (B) provide to Bioscope.ai the Licensee Data for the purpose of performing Bioscope.ai's obligations under this Agreement; and (ii) Licensee shall access and use the Bioscope.ai Intellectual Property provided to Licensee consistent with Applicable Laws. 4. EXCEPT FOR THE EXPRESS REPRESENTATIONS AND WARRANTIES MADE IN THIS SECTION, THE SOFTWARE SERVICE, ANY ASSOCIATED SERVICES AND ALL BIOSCOPE.AI INTELLECTUAL PROPERTY ARE PROVIDED "AS IS" AND BIOSCOPE.AI SPECIFICALLY DISCLAIM ALL IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, AND NON-INFRINGEMENT, OR THAT ANY OF THE FOREGOING WILL BE SECURE, ACCURATE, COMPLETE, FREE OF HARMFUL CODE, OR ERROR FREE. BIOSCOPE.AI MAKES NO WARRANTY THAT THE SOFTWARE SERVICE, ANY ASSOCIATED SERVICES, OUTPUT GENERATED BY THE SOFTWARE SERVICE, AND ALL BIOSCOPE.AI INTELLECTUAL PROPERTY WILL MEET LICENSEE'S OR REQUIREMENTS OR OPERATE WITHOUT INTERRUPTION, BE COMPATIBLE OR WORK WITH ANY OTHER SOFTWARE, HARDWARE OR SYSTEM. WITHOUT LIMITING THE FOREGOING, LICENSEE UNDERSTANDS THAT BIOSCOPE.AI MAKES NO WARRANTIES AND EXPRESSLY DISCLAIMS ALL WARRANTIES WITH RESPECT TO THE ACCURACY, COMPLETENESS, CURRENCY OR RELIABILITY OF THE BIOSCOPE.AI INTELLECTUAL PROPERTY, INCLUDING ALL CONTENT PROVIDED THEREWITH, OR THAT ANY ERRORS IN THE BIOSCOPE.AI INTELLECTUAL PROPERTY OR ANY SUCH CONTENT CAN OR WILL BE CORRECTED. LICENSEE EXPRESSLY ACKNOWLEDGES AND AGREES THAT USE OF THE BIOSCOPE.AI INTELLECTUAL PROPERTY AND CONTENT PROVIDED THEREWITH IS AT LICENSEE'S SOLE RISK AND THAT THE ENTIRE RISK AS TO SATISFACTORY QUALITY, PERFORMANCE, ACCURACY AND EFFORT IS WITH LICENSEE. ## 11. Indemnification 1. Bioscope.ai shall indemnify, defend, and hold harmless Licensee from and against any and all losses, damages, deficiencies, claims, actions, judgments, settlements, interest, awards, penalties, fines, costs, or expenses (including reasonable attorneys' fees) ("Losses") resulting from a third-party claim alleging that the Software Service infringes such third party's United States copyright or patent rights; provided, however, that Licensee promptly notifies Bioscope.ai in writing of any such claim, cooperates with Bioscope.ai in the defense of such claim, and allows Bioscope.ai sole authority to control the defense and settlement of such claim. This Section will not apply to the extent that the claim arises from: (i) use of the Software Service in combination with data, software, hardware, or technology not provided by Bioscope.ai; (ii) modifications to the Software Service not made by Bioscope.ai; (iii) the Licensee Data; or (iv) any Third Party Services. If the Software Service is, or in Bioscope.ai's opinion is likely to be, claimed to infringe a third party's United States patent or copyright, or if Licensee's use is enjoined or threatened to be enjoined, Bioscope.ai may, at its sole option: (1) obtain the right for Licensee to continue to use the applicable Software Service; (2) modify or replace the Software Service, in whole or in part; or (3) terminate this Agreement and all Orders. THIS SECTION SETS FORTH LICENSEE'S SOLE REMEDIES AND BIOSCOPE.AI'S SOLE LIABILITY FOR ANY CLAIM THAT THE BIOSCOPE.AI INTELLECTUAL PROPERTY INFRINGES, MISAPPROPRIATES, OR OTHERWISE VIOLATES ANY INTELLECTUAL PROPERTY RIGHT. 2. Licensee shall indemnify, defend, and hold harmless Bioscope.ai and its and their respective officers, directors, employees, agents, successors, service providers and assigns (each, a "Bioscope.ai Indemnitee") from and against all Losses incurred by the Bioscope.ai Indemnitee resulting from a third-party claim that arises out of or results from (i) Licensee's (or its Authorized Users') use or misuse of the Bioscope.ai Intellectual Property, (ii) Licensee Data, (iii) Licensee's breach of or any actual or alleged violation of Applicable Laws, any representations and warranties provided under this Agreement or the applicable Patient Agreement, or (iv) any claim or allegation by or on behalf of any Patient relating to or arising from the provision of patient care or related outcome; provided, however, that Bioscope.ai promptly notifies Licensee in writing of such claim, cooperates with Licensee in the defense of such claim, and allows Licensee sole authority to control the defense and settlement of such claim. Bioscope.ai may participate in the proceedings at its own cost with counsel of its own choosing. Licensee may not settle any claim in any manner that adversely affects Bioscope.ai without Bioscope.ai's prior written consent (which may not be unreasonably withheld). ## 12. Limitation of Liability EXCEPT FOR ANY GROSS NEGLIGENCE, WILLFUL MISCONDUCT, A PARTY'S INDEMNIFICATION OBLIGATIONS, NEITHER PARTY WILL BE LIABLE FOR ANY INDIRECT, CONSEQUENTIAL, INCIDENTAL, PUNITIVE, OR EXEMPLARY DAMAGES, LOSS OF REVENUE, OR LOSS OF PROFITS, SALES, CUSTOMERS, GOODWILL, OR DATA OR OTHER INTANGIBLE LOSSES (REGARDLESS OF THE BASIS OR TYPE OF CLAIM AND EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES). IN ADDITION, IN NO EVENT WILL BIOSCOPE.AI BE LIABLE HEREUNDER FOR ANY AMOUNT OF DIRECT DAMAGES THAT EXCEEDS THE SUBSCRIPTION FEES DUE UNDER THE APPLICABLE ORDER DURING THE 12-MONTH PERIOD PRECEDING THE EVENT GIVING RISE TO SUCH LIABILITY. THESE EXCLUSIONS ARE MEANT TO APPLY TO THE FULLEST EXTENT PERMITTED BY APPLICABLE LAW AND REGARDLESS OF THE FAILURE OF ANY SPECIFIC REMEDY. THE FOREGOING LIMITATIONS APPLY EVEN IF ANY REMEDY FAILS OF ITS ESSENTIAL PURPOSE. Customer acknowledges and agrees that the above limitations of liability, together with the other provisions in this Agreement that limit liability, are essential terms and that Bioscope.ai would not be willing to grant the rights set forth in this Agreement but for Licensee's agreement to the above limitations of liability. Licensee agrees that regardless of any statute or law to the contrary, any claim or cause of action arising out of or related to this Agreement must be filed within twelve (12) months after such claim or cause of action arose or such claim or cause of action will be forever barred. ## 13. General 1. This Agreement does not create or imply any agency, partnership, or franchise relationship. This Agreement is intended for the benefit of the parties and is not intended to benefit any third party. Neither party has the authority to assume or create any obligation on behalf of the other party. 2. Neither party may assign the Order or this Agreement without the other party's prior written consent (except to an affiliate or in connection with a merger, acquisition, reorganization, or sale of all or substantially all of the assets or equity of such party). Any attempt to assign the Order or this Agreement other than as permitted in this Agreement will be null and void. 3. The parties are independent contractors under this Agreement and nothing in this Agreement will be construed to create a partnership, joint venture, agency, or employer-employee relationship between Licensee and Bioscope.ai. Neither party will act in a manner that expresses or implies a relationship other than that of independent contractor, nor bind the other party. 4. Any notice, approval, consent, or other communication intended to have legal effect under this Agreement must be given to the other party in writing to address set forth in the applicable Order, and will be deemed to have been duly given when received, if personally delivered; when receipt is electronically confirmed, if transmitted by e-mail; the day after it is sent, if sent for next day delivery by recognized overnight delivery service; and upon receipt, if sent by certified or registered mail, return receipt requested. 5. Neither party will be liable for, or be considered to be in breach of or default under this Agreement on account of, any delay or failure to perform as required by this Agreement (excluding payment obligations) as a result of any cause or condition beyond its reasonable control, so long as that party uses all commercially reasonable efforts to avoid or remove the causes of non-performance. 6. This Agreement shall be governed by the laws of the State of Indiana (which applies without regard to any conflicts of law principles) and the jurisdiction and venue for any disputes arising out of or relating to this Agreement will be a federal or state court in Indianapolis, Indiana, and each party irrevocably submits to the jurisdiction and venue of any such court in any such action or proceeding. The parties agree that the United Nations Convention on Contracts for the International Sales of Goods is specifically excluded from application to this Agreement. 7. In the event that any provision of this Agreement is illegal or otherwise unenforceable, such provision will be severed and the remaining portion of this Agreement will remain unaffected and will continue in full force and effect. 8. The Order and this Agreement constitute the complete and exclusive understanding and agreement between the parties regarding this subject and supersede all prior or contemporaneous agreements or understandings (written or verbal) relating to this subject matter of this Agreement. No terms in any purchase order or in any order documentation (other than the Order) are incorporated into or form any part of this Agreement. If any terms are found to be void or unenforceable, the remaining terms of this Agreement will remain in full force and effect. --- **Last Updated:** December 5, 2025 For questions about this Master Services Agreement, please contact legal@bioscope.ai --- # Bioscope.ai Privacy Policy **Last Updated:** December 8, 2025 Bioscope.ai, Inc. ("Bioscope," "we," "us," "our") are committed to protecting the privacy of our website visitors, individuals who purchase our services, and other consumers who we interact with ("consumers," "you," "your"). This Privacy Policy provides details about how we collect, use, and disclose personal information, including genetic data, through our websites, web apps, genetic testing services, and other online and offline services (collectively, the "Services"). Before you use our Services, please read this Privacy Policy. If you do not agree with this Privacy Policy, please do not use our Services. ## Our Digital Properties Bioscope operates two distinct online environments with different privacy practices: 1. **bioscope.ai** — Our marketing and informational website. This site uses cookies for analytics and marketing purposes (as described in our Cookie Policy) and collects personal information as described in this Privacy Policy. This site does not process Protected Health Information (PHI) or genetic data. 2. **app.us.bioscope.ai** — Our HIPAA-compliant healthcare platform. This platform operates under enhanced privacy and security standards to protect electronic Protected Health Information (ePHI), including genetic data. The platform uses only strictly necessary cookies for security and authentication, does not use analytics or marketing tracking, and processes data in accordance with HIPAA, our Business Associate Agreements, and this Privacy Policy. The specific data practices applicable to each environment are noted throughout this Privacy Policy where relevant. ## 1. Personal Information Collection Bioscope collects personal information about consumers in the following ways: **Information Provided by Consumers.** We collect personal information voluntarily provided to us, when a consumer signs up for our Services, contacts us via our Services, sends us an email, or otherwise interacts with us. We typically collect the following categories of personal information in this manner: - Contact details, such as name, email address, and mailing address. - Demographic information, such as state of residence and age/date of birth. - Professional information, such as your employer, business name, and business contact information. - Financial information, such as credit or debit card number or bank account information. - Health-related information, such as information related to your medical history and other health records. - Audio/electronic recordings, such as recordings of customer service calls. - Inferences drawn from any of the information listed above to create a profile about you reflecting your preferences, characteristics, behavior, and attitudes. **Genetic Data Collection.** For consumers who sign up for our genetic testing services we, or our service providers, will also collect your genetic data, genomic sequencing data, and other data generated from the results of the genetic test ("Genetic Data"). To the extent required by applicable law, we will obtain your written consent prior to conducting the genetic test and obtaining your Genetic Data. **Information Passively Collected from Consumers.** We may collect personal information passively through our Services, such as via cookies and other tracking technologies. This information may include: - IP addresses, mobile advertising IDs, and other unique identifiers. - Internet or other electronic network activity information, including, but not limited to, computer or mobile phone model, operating system version, mobile network information, and information regarding a consumer's interaction with our website, application, or advertisement, including materials downloaded from our Services. - Geolocation data, such as device location. - Inferences drawn from any of the information listed above to create a profile about you reflecting your preferences, characteristics, behavior, and attitudes. These cookies and other tracking technologies have various purposes. Some of them help our Services function properly, while others help us analyze consumers' use of our Services, market our Services, and provide consumers with information that is most likely to appeal to them. Depending on your Internet browser, you may be able to change your settings to block and/or erase cookies from your device. You can check your browser instructions to learn more about these functions. Please note that if you block or reject cookies and similar technologies on our Services, functionality of the Services may be limited. For detailed information about the cookies and similar technologies used on our websites, including your choices regarding cookies, please see our [Cookie Policy](/legal/cookie-policy). **Information Provided by Third Parties.** Bioscope may also collect the above categories of personal information from our service providers and other third parties who provide us personal information. **Sample Collection, Use, and Retention**. If you sign up for our genetic testing services, we will direct the laboratory we have contracted with, Gene by Gene with an address at 1445 North Loop W Ste 820, Houston, Texas (the “Testing Laboratory”) to collect a sample containing your biological materials (“Sample”) and perform the whole genome sequencing on that Sample. Your Sample will only be disclosed to the Testing Laboratory and its service providers. Bioscope will not access the Sample. The Testing Laboratory will only use the Sample to perform the test as part of the genetic testing services. Unless you have expressly authorized the retention of your Sample for a longer period, your Sample will be destroyed after the genetic testing services have been provided, in accordance with the Testing Laboratory’s sample retention and destruction policy. The Testing Laboratory will disclose the Genetic Data generated from the genetic testing to Bioscope and Bioscope shall use and disclose the Genetic Data as further described in this Privacy Policy. ## 2. Purposes for Processing Personal Information We collect, process, and disclose the personal information, including Genetic Data, we collect about consumers to: - Provide our products and services to you. - Communicate with consumers. - Conduct internal business analysis and research. - Analyze and improve our products and services and develop new products and services. - Ensure our products and services meet our quality standards. - Engage with our service providers. - Comply with our legal and regulatory obligations, and enforce our rights and policies. - Administer, monitor, and secure our information technology systems, websites, applications, databases, and devices, including detecting and preventing security incidents and fraudulent activity. - Other purposes for which you have provided consent. We may also aggregate and/or deidentify personal information, including Genetic Data, and analyze those data for statistical or any other purposes permitted by law. ### Artificial Intelligence and Automated Processing Bioscope uses artificial intelligence (AI) and machine learning (ML) technologies to analyze your Genetic Data and health information in order to provide our genetic testing and clinical decision support services. Specifically: - **Analysis of Genetic Data:** We use AI-powered tools to analyze whole genome sequencing data and identify clinically relevant genetic variants, potential health risks, and actionable insights for your healthcare provider. - **Clinical Decision Support:** Our platform provides AI-generated insights to licensed healthcare providers to support clinical decision-making. These AI outputs are intended to augment, not replace, the professional judgment of healthcare providers. - **HIPAA-Compliant AI Services:** AI processing of your ePHI occurs only through HIPAA-compliant cloud services with which we have executed Business Associate Agreements. - **De-identified Data for Improvement:** We may use de-identified or aggregated data (which cannot reasonably identify you) to improve our AI models and services, in accordance with applicable law. You have the right to request information about the AI processing of your data. Contact us at privacy@bioscope.ai for more information. ## 3. Disclosure of Personal Information excluding Genetic Data and Personal Health Data We may disclose personal information, excluding Genetic Data and Personal Health Data, we collect about consumers in the following situations: - To service providers who process personal information on our behalf, including the Testing Laboratory and other service providers who provide data hosting, information technology support, email hosting, marketing and analytics services, and other services for the operation of our business. We impose contractual limitations on our service provider's use of personal information they collect in conjunction with providing services to us. - To third parties as necessary to protect our rights, defend or pursue a legal claim, or investigate or prosecute illegal activities. - To government or judicial authorities to comply with a subpoena, court order, governmental inquiry, legal process, legal obligation, or to protect the rights, property, or safety of other users or the public. - To a successor entity or purchaser upon a merger, consolidation, or other corporate reorganization in which we participate, a sale of all or a portion of our assets, or pursuant to a financing arrangement. In this situation, we will seek assurances that the successor entity or purchaser will process personal information collected by us in accordance with this notice. We may also disclose aggregated and/or deidentified data to any other entities to the extent permitted by law. ## 4. Disclosure of Genetic Data and Personal Health Data We may disclose Genetic Data and Personal Health Data, we collect about consumers in the following situations: - To service providers who process Genetic Data and Personal Health Data on our behalf, including the Testing Laboratory and other service providers who provide data hosting, information technology support, and other services for the operation of our business. We impose contractual limitations on our service providers' use of Genetic Data and Personal Health Data they collect in conjunction with providing services to us. - To third parties as necessary to protect our rights, defend or pursue a legal claim, or investigate or prosecute illegal activities. - To government or judicial authorities to comply with a subpoena, court order, governmental inquiry, legal process, legal obligation, or to protect the rights, property, or safety of other users or the public. - To a successor entity or purchaser upon a merger, consolidation, or other corporate reorganization in which we participate, a sale of all or a portion of our assets, or pursuant to a financing arrangement. In this situation, we will seek assurances that the successor entity or purchaser will process personal information collected by us in accordance with this notice. We may also disclose aggregated and/or deidentified data to any other entities to the extent permitted by law, including de-identified Genetic Data to third parties for research conducted in accordance with the U.S. Department of Health and Human Services policy for the protection of human subjects, 45 C.F.R. Part 46. You may obtain more information about the specific third parties to whom Bioscope discloses Genetic Data by emailing us at privacy@bioscope.ai. ## 5. Retention We will retain the personal information, including Genetic Data, we collect about consumers for the time needed to provide the Services, to fulfil our legitimate and lawful business purposes, or as is required to comply with applicable laws and regulations. ## 6. Children's Privacy Our Services are not intended for children under age 13 and are not designed to attract the attention of anyone under age 13. Further, for compliance with the Children's Online Privacy Protection Act of 1998, we do not knowingly collect personal information of children under age 13. If you are a parent or guardian and believe we have collected personal information about your child in error, please contact us immediately at privacy@bioscope.ai so that we can make reasonable efforts to promptly remove all personal information relating to the child from our systems. ## 7. Third-Party Links on our Services Our Services may contain links to websites and apps owned by other entities. If you decide to use these links, you will leave our Services. We are not responsible for the privacy practices or the content of such third parties, and we make no representations or endorsements about them. If you decide to leave our Services to access third party links, it will be at your own risk, and you should be aware that this Privacy Notice will no longer govern. You should review the applicable terms and policies, including privacy and data gathering practices, of any other third party when you navigate away from our Services. ## 8. Security We implement reasonable security measures to promote the confidentiality, integrity, and availability of personal information, including Genetic Data, in our possession or control. Such measures are designed to protect your personal information from loss, unauthorized access, disclosure, alteration, or destruction. However, while the security of your personal information is of the utmost importance to us, we cannot fully guarantee the security of any information you choose to disclose online. Any information you choose to disclose to us is done at your own risk. ## 9. Additional Disclosures **Disclosure About Direct Marketing for California Residents.** California Civil Code § 1798.83 permits California residents to annually request certain information regarding our disclosure of personal information to other entities for their direct marketing purposes in the preceding calendar year. To make such a request, please send an email to [privacy@bioscope.ai](mailto:privacy@bioscope.ai) with the subject "Shine the Light Request." **Disclosure for Nevada Residents.** We may sell "Covered Information" as defined under Nevada law, but we generally do not disclose or share "Personal Information" as defined under Nevada law for commercial purposes. Under Nevada law, you have the right to direct us to not sell your Covered Information to third parties, as defined under Nevada law. To exercise this right, if applicable, you or your authorized representative may contact us at privacy@bioscope.ai. ## 10. Complaints If you believe we have processed your Genetic Data in violation of applicable law, you may submit a complaint to the Attorney General of your state of residence. ## 11. Changes to this Privacy Policy We may update this Privacy Policy from time to time. When we do so, we will post the updated version of our Privacy Policy here. ## 12. Contact Us If you have any questions regarding this Privacy Policy or our Services generally, please contact us at privacy@bioscope.ai. --- # Bioscope.ai Consumer Health Data Privacy Policy **Last Updated:** December 8, 2025 This Consumer Health Data Privacy Policy applies to "Consumer Health Data," as that term has been defined by applicable laws, ("Bioscope," "we," "us," "our") collects from our website visitors, individuals who purchase our services, and other consumers who we interact with ("consumers," "you," "your"). Any terms appearing in this Consumer Health Data Privacy Policy that has been defined under applicable Consumer Health Data laws shall have the meanings afforded to them therein. ## The Categories of Consumer Health Data Collected We collect the following categories of Consumer Health Data from Consumers: - Individual health conditions, treatment, diseases, or diagnosis - Social, psychological, behavioral, and medical interventions - Health-related surgeries or procedures - Use or purchase of prescribed medication - Bodily functions, vital signs, symptoms, or measurements of health information - Diagnoses or diagnostic testing, treatment, or medication - Gender-affirming care information - Reproductive or sexual health information - Biometric data - Genetic data - Precise location information that could reasonably indicate a consumer's attempt to acquire or receive health services or supplies - Data that identifies a consumer seeking health care services - Any inferences of the above categories of health data derived or extrapolated from non-health information ## How Consumer Health Data Will be Used We use the categories of Consumer Health Data listed in Section 1 for the following purposes: - Provide our products and services to you. - Communicate with consumers. - Conduct internal business analysis and research. - Analyze and improve our products and services and develop new products and services. - Ensure our products and services meet our quality standards. - Engage with our service providers. - Comply with our legal and regulatory obligations, and enforce our rights and policies. - Administer, monitor, and secure our information technology systems, websites, applications, databases, and devices, including detecting and preventing against security incidents and fraudulent activity. - Other purposes for which you have provided consent. We may also aggregate and/or anonymize Consumer Health Data and analyze that data for statistical or any other purposes permitted by law. ## Categories of Sources from Which We Collect Consumer Health Data We collect the categories of Consumer Health data listed in Section 1 directly from consumers, from cookies and other tracking technologies, and from our service providers and third parties when they disclose Consumer Health Data to us. ## Categories of Consumer Health Data We Share We Share all of the categories of Consumer Health Data that we Collect, as disclosed above in Section 1. ## Third Parties and Affiliates with Whom We Share Consumer Health Data We Share your Consumer Health Data with the following Third Parties: - Service providers who process Consumer Health Data on our behalf, including our laboratory service provider (Gene by Gene Ltd.) for genetic testing, cloud service providers for secure data hosting and AI-powered analysis, and other service providers who support our platform operations. We impose contractual limitations on our service providers' use of Consumer Health Data. - Third parties as necessary to protect our rights, defend or pursue a legal claim, or investigate or prosecute illegal activities. - Government or judicial authorities to comply with a subpoena, court order, governmental inquiry, legal process, legal obligation, or to protect the rights, property, or safety of other users or the public. - Successor entity or purchaser upon a merger, consolidation, or other corporate reorganization in which we participate, a sale of all or a portion of our assets, or pursuant to a financing arrangement. In this situation, we will seek assurances that the successor entity or purchaser will process Consumer Health Data collected by us in accordance with this notice. - We may also disclose aggregated and/or anonymized data to any other entities to the extent permitted by law. ## How to Exercise Your Rights with Respect to your Consumer Health Data To exercise your rights with respect to your Consumer Health Data, depending on your state of residence, you may contact us by email at privacy@bioscope.ai. ## Supplement to Consumer Health Data Privacy Policy for Nevada Consumers This Supplement applies to Nevada Consumers for purposes of providing additional disclosures required by Nevada's Consumer Health Data privacy law. Terms used herein that are defined terms under Nevada's Consumer Health Data privacy law shall have the meanings afforded to them therein. **A. Purposes & Manner of Processing.** We Collect, use, Process, and Share Consumer Health Data for the purposes and in the manners described in our Consumer Health Data Privacy Policy, which also provides additional disclosures relevant to Nevada Consumers. **B. Review & Revision of Consumer Health Data.** If You would like to review and/or revise Your Consumer Health Data, you may submit a request to us via the methods listed in our Consumer Health Data Privacy Policy. We will respond to your requests to exercise your rights in accordance with applicable law, but in any case, no later than 45 days after receiving Your request. We may extend this period up to 45 days only where doing so is permitted under applicable law. **C. Changes to this Supplement.** We will notify you before making any changes to our privacy practices with respect to Your Consumer Health Data by posting an updated notice on this page, with an updated effective date. **D. Third Party Collection of Consumer Health Data.** Please note that some Third Parties may collect Consumer Health Data about you over time and across different websites or online services you may visit. ## Supplement to Consumer Health Data Privacy Policy for Washington Consumers This Supplement applies to Washington State Consumers for purposes of providing additional disclosures required by the Washington My Health My Data Act ("MHMDA"). Terms used herein that are defined under MHMDA shall have the meanings afforded to them therein. **A. Categories of Consumer Health Data Collected** We Collect the categories of Consumer Health Data described in Section 1 of our Consumer Health Data Privacy Policy, which may include information that identifies a consumer seeking healthcare services, biometric data, genetic data, and precise location information that could reasonably indicate a consumer's attempt to acquire or receive health services or supplies. **B. Purposes for Collection** We Collect Consumer Health Data for the purposes described in Section 2 of our Consumer Health Data Privacy Policy, including to provide genetic testing and clinical decision support services, communicate with consumers, analyze and improve our services, and comply with legal obligations. **C. Categories of Sources** We Collect Consumer Health Data directly from consumers, from our laboratory service provider (Gene by Gene Ltd., etc), and from healthcare providers who use our platform on behalf of their patients. **D. Third Parties and Affiliates** We Share Consumer Health Data with the categories of third parties described in Section 5 of our Consumer Health Data Privacy Policy, including service providers who assist with data hosting, laboratory services, and AI-powered analysis. **E. Your Rights Under MHMDA** Washington consumers have the following rights with respect to their Consumer Health Data: - **Right to Confirm and Access:** You may confirm whether we are Collecting or Sharing your Consumer Health Data and access such data. - **Right to Deletion:** You may request deletion of your Consumer Health Data. - **Right to Withdraw Consent:** You may withdraw consent previously provided for Collection or Sharing of Consumer Health Data. **F. How to Exercise Your Rights** To exercise your rights, contact us at privacy@bioscope.ai. We will respond to your request within 45 days. We may extend this period by an additional 45 days where reasonably necessary. **G. Geofencing Prohibition** Bioscope does not use geofencing technology around healthcare facilities to collect Consumer Health Data or to identify or track consumers seeking healthcare services. **H. No Sale of Consumer Health Data** Bioscope does not Sell Consumer Health Data without valid authorization that meets the requirements of MHMDA. **I. Appeal Process** If we deny your request to exercise a right under MHMDA, you may appeal the decision by contacting us at privacy@bioscope.ai with the subject line "MHMDA Appeal." We will respond to your appeal within 45 days. --- # Subprocessors Bioscope AI uses the following third-party subprocessors to provide our services: ## Current Subprocessors | Subprocessor | Service Provided | |--------------|-----------------| | Gene by Gene, Ltd. | CLIA-certified laboratory for whole genome sequencing | | Amazon Web Services, Inc. | Cloud infrastructure and AI services (via AWS Bedrock) | | Microsoft Corporation | AI services (via Azure OpenAI) | | Google LLC | Cloud infrastructure and AI services (via GCP Vertex AI) | | Groq, Inc. | AI services and inference | | Cmbio | Laboratory services | ## Updates This list is current as of the last update to this page. Bioscope AI may update this list from time to time as we add or remove subprocessors. For questions about our subprocessors, please contact privacy@bioscope.ai --- **Last Updated:** December 5, 2025 --- # Support Terms These Support Terms govern the technical support and maintenance services ("Support Services") provided by Bioscope.ai, Inc. ("Bioscope.ai") to customers ("Customer" or "Licensee") who have entered into a SaaS Agreement with Bioscope.ai. These Support Terms are incorporated by reference into the SaaS Agreement. ## 1. Scope of Support Services **1.1 Included Support.** During the Subscription Term, Bioscope.ai will provide the following Support Services at no additional charge: (a) **Technical Support:** - Assistance with Software Service functionality and usage - Troubleshooting of technical issues and errors - Guidance on best practices for using the Software Service - Assistance with data upload and integration issues - Help with user account management and access controls (b) **Platform Maintenance:** - Routine maintenance and updates to the Software Service - Security patches and vulnerability fixes - Performance monitoring and optimization - Infrastructure maintenance and upgrades - Disaster recovery and business continuity measures (c) **Software Updates:** - Regular feature enhancements and improvements - Bug fixes and error corrections - Compatibility updates for supported integrations - Documentation updates reflecting new features or changes (d) **Customer Success Support:** - Onboarding assistance for new Authorized Users - Training resources and documentation - Platform usage best practices **1.2 Excluded from Support.** The following are not included in standard Support Services and may be available as professional services for an additional fee: - (a) Customization or modification of the Software Service - (b) Integration with third-party systems not listed as supported integrations - (c) Training beyond standard onboarding and documentation - (d) Data migration from legacy systems - (e) On-site support services - (f) Issues caused by Customer's breach of the SaaS Agreement - (g) Issues resulting from Customer's Equipment, internet connectivity, or third-party software - (h) Restoration of data lost due to Customer's actions or negligence - (i) Support for unsupported browsers, operating systems, or devices - (j) Consultation on medical, legal, or regulatory compliance matters ## 2. Support Channels **2.1 Available Channels.** Customer may submit support requests through the following channels: (a) **Email Support:** - Primary support email: support@bioscope.ai - Security issues: security@bioscope.ai - Privacy inquiries: privacy@bioscope.ai (b) **Documentation:** - Online documentation at docs.bioscope.ai - Tutorials and user guides - FAQ and troubleshooting articles ## 3. Support Hours and Response Times **3.1 Priority Levels.** Support requests are prioritized based on severity: **Priority 1 - Critical:** - **Definition:** Complete loss of Software Service functionality affecting all or substantially all Authorized Users, or Security Incident involving PHI or genetic data. - **Examples:** Platform completely unavailable; data breach; complete inability to access patient genetic data; security vulnerability actively being exploited. - **Target Response Time:** 2 hours - **Target Resolution Time:** 8 hours (or continuous efforts until resolved) - **Availability:** 24/7/365 **Priority 2 - High:** - **Definition:** Significant functionality is impaired, affecting multiple Authorized Users' ability to perform critical tasks, but workarounds may exist. - **Examples:** Major feature unavailable; AI chat interface not functioning; inability to upload genetic test results; EHR integration failure; significant performance degradation. - **Target Response Time:** 4 business hours - **Target Resolution Time:** 48 business hours - **Availability:** Business Hours **Priority 3 - Medium:** - **Definition:** Minor functionality issues affecting one or few Authorized Users, with workarounds available. - **Examples:** Non-critical feature malfunction; cosmetic UI issues; minor data display errors; slow report generation. - **Target Response Time:** 1 business day - **Target Resolution Time:** 5 business days - **Availability:** Business Hours **Priority 4 - Low:** - **Definition:** General questions, feature requests, documentation clarifications, or issues with minimal business impact. - **Examples:** "How do I..." questions; feature enhancement requests; documentation corrections; general inquiries. - **Target Response Time:** 2 business days - **Target Resolution Time:** Best effort - **Availability:** Business Hours **3.2 Business Hours.** Bioscope.ai's standard business hours are: - Monday through Friday, 9:00 AM to 5:00 PM Eastern Time (ET) - Excluding U.S. federal holidays **3.3 Priority Assignment.** Bioscope.ai reserves the right to determine the appropriate priority level for each support request based on the criteria above. If Customer believes a request should be escalated, Customer may request escalation with justification. **3.4 Response Time Calculation:** - Response times are measured from the time a support request is received by Bioscope.ai to the time Bioscope.ai provides an initial substantive response. - Resolution times are measured from initial receipt to the time the issue is resolved or a workaround is provided. - Response and resolution times for non-Critical issues are calculated during Business Hours only. - Holidays and weekends are excluded from Business Hours calculations. **3.5 Continuous Effort for Critical Issues.** For Priority 1 - Critical issues, Bioscope.ai will use commercially reasonable efforts to provide continuous updates and work toward resolution until the critical functionality is restored or an acceptable workaround is implemented. ## 4. Customer Responsibilities **4.1 Required Information.** When submitting a support request, Customer must provide: (a) Contact information (name, email, phone) (b) Description of the issue, including: - Steps to reproduce the problem - Expected behavior vs. actual behavior - Error messages or screenshots (if applicable) - Impact on operations (which Authorized Users affected, business criticality) (c) Customer's environment details: - Browser and version (if applicable) - Operating system - Date and time issue occurred - Patient identifier or account information (if relevant and permitted under HIPAA) **4.2 Cooperation.** Customer agrees to: - (a) Provide timely and accurate information necessary to diagnose and resolve issues - (b) Cooperate with Bioscope.ai's troubleshooting efforts - (c) Designate a primary contact person for support communications - (d) Implement workarounds or temporary solutions suggested by Bioscope.ai while permanent fixes are developed - (e) Notify Bioscope.ai if issues persist after attempted resolution - (f) Maintain appropriate backups of Customer Data independent of the Software Service **4.3 Reasonable Use.** Customer agrees to use support resources reasonably and not to: - (a) Submit excessive support requests for issues covered in documentation - (b) Use support channels for purposes other than technical assistance - (c) Request support for unauthorized users or third parties - (d) Abuse emergency contact methods for non-critical issues ## 5. Maintenance Windows and Scheduled Downtime **5.1 Scheduled Maintenance.** Bioscope.ai may perform scheduled maintenance on the Software Service: (a) **Standard Maintenance Windows:** - Timing: Sundays, 2:00 AM - 6:00 AM Eastern Time - Frequency: Up to twice per month (b) **Emergency Maintenance:** - May be performed at any time to address security vulnerabilities, critical bugs, or system stability issues - Notice: As much advance notice as reasonably practicable under the circumstances, but may be performed without advance notice if necessary to prevent or mitigate harm **5.2 Service Level Commitment.** Bioscope.ai will use commercially reasonable efforts to maintain the following service levels: - (a) **Uptime:** 99.5% uptime per calendar month, excluding scheduled maintenance and force majeure events - (b) **Measurement:** Calculated as: (Total minutes in month - Downtime minutes) / Total minutes in month × 100% - (c) **Downtime Definition:** Period when the Software Service is unavailable to all or substantially all Authorized Users **5.3 Exclusions from Uptime Calculation:** - Scheduled maintenance windows - Downtime caused by Customer's Equipment, internet connectivity, or third-party services - Force majeure events beyond Bioscope.ai's reasonable control - Issues caused by Customer's breach of the SaaS Agreement - Beta features or services marked as "experimental" or "preview" ## 6. Support for Subcomponents **6.1 AI Services.** Support for AI-powered analysis features: (a) **AI Chat Interface:** - Incorrect or confusing responses should be reported with conversation context - Response quality feedback helps improve the AI models - Hallucinations or medical inaccuracies: Priority 2 (b) **Report Generation:** - Issues generating genomic or microbiome reports: Priority 2 - Inaccurate or incomplete report content: Priority 2 - Report formatting or export issues: Priority 3 (c) **AI Model Updates:** - Bioscope.ai may update underlying AI models to improve accuracy and capabilities - Changes may affect response styles or formatting ## 7. Support During Beta and Pilot Phases **7.1 Beta Feature Support.** Features marked as "beta," "preview," or "experimental": - (a) Are provided "as-is" with no warranty - (b) May have limited support availability - (c) May be modified or discontinued without notice - (d) Feedback is highly encouraged and prioritized **7.2 Transition to General Availability.** When Customer transitions from beta to commercial: - (a) Support terms transition to standard support as defined herein - (b) Response times and service level commitments apply in full ## 8. Limitations and Disclaimers **8.1 Best Efforts.** Response times and resolution times are targets based on commercially reasonable efforts. Bioscope.ai does not guarantee that all issues will be resolved within the specified timeframes. **8.2 Workarounds.** Bioscope.ai may provide workarounds or temporary solutions while permanent fixes are developed. Workarounds may require Customer to modify workflows or accept temporary limitations. **8.3 Third-Party Issues.** Bioscope.ai is not responsible for issues caused by: - Third-party services or integrations - Customer's internet service provider or network infrastructure - Customer's Equipment or computing environment - Force majeure events or circumstances beyond Bioscope.ai's reasonable control **8.4 Medical Advice Disclaimer.** Support Services do not include medical, clinical, legal, or regulatory advice. Authorized Users are responsible for using independent medical judgment when treating patients. Bioscope.ai support personnel are not licensed healthcare providers and cannot interpret genetic results or make clinical recommendations. **8.5 Data Recovery.** While Bioscope.ai maintains backup systems, Customer is responsible for maintaining independent backups of Customer Data. Bioscope.ai cannot guarantee recovery of all data in all circumstances. ## 9. Modifications to Support Terms **9.1 Changes.** Bioscope.ai may modify these Support Terms from time to time by: - (a) Posting updated Support Terms at security.bioscope.ai - (b) Providing notice via email to Customer's primary contact - (c) Displaying notification in the Software Service **9.2 Effective Date.** Changes become effective 10 days after notice is provided, except: - Changes required by law take effect immediately - Changes that expand support coverage or improve service levels may take effect immediately **9.3 Continued Use.** Customer's continued use of the Software Service after changes take effect constitutes acceptance of the modified Support Terms. ## 10. Contact Information **Support Contacts:** - **General Support:** support@bioscope.ai - **Security Issues:** security@bioscope.ai - **Privacy Inquiries:** privacy@bioscope.ai **Mailing Address:** Bioscope.ai, Inc. 880 Monon Green Blvd Carmel, IN 46032 --- These Support Terms are effective as of the Effective Date specified in the Order and are incorporated into the SaaS Agreement between Customer and Bioscope.ai. --- **Last Updated:** December 5, 2025 ---