Terms and Conditions

Last Updated: December 31, 2024

1. Agreement to Terms

These Terms and Conditions ("Terms") constitute a legally binding agreement between you ("Client," "you," or "your") and PeakPoint Services ("PeakPoint," "we," "us," or "our") governing your use of our services. By accessing or using our services, you acknowledge that you have read, understood, and agree to be bound by these Terms, our Privacy Policy, and any applicable Business Associate Agreements (BAAs) or Data Processing Agreements (DPAs).

If you do not agree to these Terms, you must not access or use our services. If you are entering into these Terms on behalf of an organization, you represent and warrant that you have the authority to bind that organization to these Terms.

2. Services Description

PeakPoint provides comprehensive HealthTech services with a focus on healthcare access, AI, data intelligence and technology sectors, including:

  • Healthcare Services: Medical AI data annotation, medical imaging training (MRI, CT, X-ray), healthcare revenue cycle management, medical billing and coding
  • AI and Data Intelligence: Data annotation for AI training, machine learning dataset preparation, quality assurance for AI models
  • Administrative Support: Virtual assistance, document processing, data entry, customer support
  • Finance and Accounting: Bookkeeping, accounts payable/receivable, financial reporting
  • IT Security and Compliance: SOC (Security Operations Center) services, compliance monitoring, security assessments
  • Marketing and Digital Services: Content creation, social media management, digital marketing support

Specific services, deliverables, and performance metrics will be detailed in individual Service Agreements, Statements of Work (SOWs), or Master Service Agreements (MSAs).

3. HIPAA Business Associate Obligations

When PeakPoint provides services involving Protected Health Information (PHI) as defined under the Health Insurance Portability and Accountability Act (HIPAA), we act as a Business Associate to Covered Entities. The following terms apply:

3.1 Business Associate Agreement (BAA)

A separate HIPAA-compliant Business Associate Agreement must be executed before any PHI is disclosed to PeakPoint. The BAA will incorporate the requirements of 45 CFR §§ 164.308, 164.310, 164.312, and 164.316 (HIPAA Security Rule) and 45 CFR § 164.504(e) (HIPAA Privacy Rule).

3.2 Permitted Uses and Disclosures

PeakPoint will only use or disclose PHI:

  • As permitted or required by the BAA and as directed by the Covered Entity
  • For proper management and administration of PeakPoint's business operations
  • To carry out legal responsibilities
  • As required by law
  • For data aggregation services relating to healthcare operations (if specified in the BAA)

3.3 Minimum Necessary Standard

PeakPoint will limit the use, disclosure, and request of PHI to the minimum necessary to accomplish the intended purpose, in accordance with 45 CFR § 164.502(b) and § 164.514(d).

3.4 Safeguards

PeakPoint implements appropriate administrative, physical, and technical safeguards to prevent use or disclosure of PHI other than as permitted by the BAA, including:

  • Encryption of PHI at rest (AES-256) and in transit (TLS 1.3)
  • Role-based access controls and multi-factor authentication
  • Comprehensive audit logging and monitoring
  • Regular security risk assessments and vulnerability testing
  • Employee HIPAA training and confidentiality agreements
  • Secure data centers with physical access controls

3.5 Subcontractors

PeakPoint will ensure that any subcontractors or agents that receive PHI agree to the same restrictions and conditions that apply to PeakPoint through written agreements that meet HIPAA requirements.

3.6 Individual Rights

PeakPoint will:

  • Provide access to PHI as necessary for the Covered Entity to fulfill individual access requests
  • Make PHI available for amendment and incorporate amendments as directed by the Covered Entity
  • Document and make available information for accounting of disclosures
  • Make internal practices, books, and records available to HHS for compliance investigations

3.7 Breach Notification

PeakPoint will report any Security Incident or Breach of Unsecured PHI to the Covered Entity without unreasonable delay and no later than 60 calendar days after discovery, in accordance with 45 CFR § 164.410. Notification will include:

  • Identification of each individual whose PHI was or is reasonably believed to have been breached
  • Description of the breach, including date of occurrence and discovery
  • Types of PHI involved
  • Steps individuals should take to protect themselves
  • Mitigation steps taken or to be taken
  • Contact information for further inquiries

3.8 Termination and Data Return/Destruction

Upon termination of services or the BAA, PeakPoint will, at the Covered Entity's option:

  • Return all PHI in PeakPoint's possession or control in the format specified by the Covered Entity
  • Destroy all PHI using methods that render it unreadable, indecipherable, and unable to be reconstructed (NIST 800-88 compliant)
  • Retain PHI only as required by law, with continued protection under HIPAA standards

4. GDPR Data Processing Terms

When PeakPoint processes personal data on behalf of clients subject to the General Data Protection Regulation (GDPR), we act as a Data Processor. These terms comply with GDPR Article 28:

4.1 Data Processing Agreement (DPA)

A separate GDPR-compliant Data Processing Agreement will be executed for services involving personal data of EU/EEA data subjects. The DPA will specify the subject matter, duration, nature and purpose of processing, types of personal data, and categories of data subjects.

4.2 Processing Instructions

PeakPoint will process personal data only on documented instructions from the Client (Data Controller), unless required to do so by EU or Member State law. We will immediately inform the Client if we believe an instruction infringes GDPR or other data protection laws.

4.3 Confidentiality

All personnel authorized to process personal data are subject to confidentiality obligations and have received appropriate training on data protection requirements.

4.4 Security Measures (Article 32)

PeakPoint implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

  • Pseudonymization and encryption of personal data
  • Ongoing confidentiality, integrity, availability, and resilience of processing systems
  • Ability to restore availability and access to data in a timely manner after incidents
  • Regular testing, assessment, and evaluation of security effectiveness
  • ISO 27001 and SOC 2 Type II certified security management systems

4.5 Sub-Processors

PeakPoint may engage sub-processors with the Client's prior written consent. Current sub-processors are listed in the DPA. We will notify Clients of any intended changes and provide an opportunity to object. All sub-processors are bound by data protection obligations equivalent to those in the DPA.

4.6 Data Subject Rights (Articles 12-22)

PeakPoint will assist the Client in responding to data subject requests to exercise their rights:

  • Right of access, rectification, erasure, and restriction of processing
  • Right to data portability
  • Right to object and rights related to automated decision-making

4.7 Data Protection Impact Assessments (Article 35)

PeakPoint will assist the Client with Data Protection Impact Assessments (DPIAs) and prior consultations with supervisory authorities when required.

4.8 Personal Data Breach Notification (Article 33)

PeakPoint will notify the Client without undue delay and no later than 72 hours after becoming aware of a personal data breach, providing sufficient information to enable the Client to meet its own notification obligations.

4.9 Deletion or Return of Data

Upon termination of services, PeakPoint will, at the Client's choice, delete or return all personal data and delete existing copies, unless EU or Member State law requires storage.

4.10 Audit Rights (Article 28(3)(h))

PeakPoint will make available to the Client all information necessary to demonstrate compliance with GDPR Article 28 and allow for and contribute to audits and inspections by the Client or an authorized auditor.

4.11 International Data Transfers

For transfers of personal data outside the EEA, PeakPoint will ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission or other legally recognized transfer mechanisms.

5. Service Level Agreements (SLAs)

Service level commitments will be defined in individual Service Agreements and may include:

  • Availability: System uptime guarantees (typically 99.9% for critical services)
  • Response Times: Initial response and resolution timeframes for support requests
  • Quality Metrics: Accuracy rates for data annotation, billing, and other services
  • Turnaround Times: Delivery schedules for specific deliverables
  • Security Incident Response: Timeframes for breach notification and remediation

SLA credits or remedies for non-performance will be specified in Service Agreements. SLAs do not apply during force majeure events or Client-caused disruptions.

6. Client Responsibilities

Clients agree to:

  • Provide accurate and complete information necessary for service delivery
  • Ensure they have legal authority to share data with PeakPoint
  • Comply with all applicable laws and regulations
  • Maintain appropriate security for their own systems and credentials
  • Provide timely feedback and approvals as required
  • Pay fees according to agreed payment terms
  • Notify PeakPoint of any security concerns or data breaches on their end

7. Confidentiality and Proprietary Information

Both parties agree to maintain strict confidentiality of all proprietary and confidential information disclosed during the business relationship, including:

  • Business processes, strategies, and financial information
  • Customer and patient data
  • Technical specifications and methodologies
  • Trade secrets and intellectual property
  • Pricing and contractual terms

Confidential information may only be disclosed to employees, contractors, or subcontractors with a legitimate need to know and who are bound by equivalent confidentiality obligations. Confidentiality obligations survive termination of services for a period of 5 years or as required by law.

8. Intellectual Property Rights

8.1 Client-Owned IP

All intellectual property rights in deliverables created specifically for the Client (including annotated datasets, reports, and custom solutions) shall be owned by the Client upon full payment, unless otherwise agreed in writing.

8.2 PeakPoint-Owned IP

PeakPoint retains ownership of its proprietary methodologies, tools, processes, templates, and pre-existing intellectual property. Clients receive a non-exclusive, non-transferable license to use such IP solely in connection with the services.

8.3 Third-Party IP

Any third-party software, tools, or content used in service delivery remains the property of the respective owners and is subject to applicable licenses.

9. Payment Terms

Payment terms will be specified in individual Service Agreements. Standard terms include:

  • Invoicing: Monthly invoicing or as specified in the Service Agreement
  • Payment Due: Net 30 days from invoice date unless otherwise agreed
  • Late Payments: Interest may accrue at 1.5% per month or the maximum rate permitted by law
  • Disputed Charges: Must be raised within 15 days of invoice receipt
  • Suspension: PeakPoint may suspend services for accounts more than 30 days overdue
  • Currency: All fees in USD or as specified in the Service Agreement

Fees are exclusive of taxes, duties, and levies. Client is responsible for all applicable taxes except those based on PeakPoint's income.

10. Term and Termination

10.1 Term

Service agreements commence on the effective date and continue for the initial term specified (typically 12-36 months), with automatic renewal unless either party provides written notice of non-renewal.

10.2 Termination for Convenience

Either party may terminate services with written notice as specified in the Service Agreement (typically 30-90 days depending on service complexity). Early termination may incur fees for committed resources or minimum service periods.

10.3 Termination for Cause

Either party may terminate immediately for material breach if the breach is not cured within 30 days of written notice. Material breaches include:

  • Failure to pay undisputed fees
  • Material violation of confidentiality or data protection obligations
  • Repeated failure to meet SLAs
  • Insolvency or bankruptcy proceedings

10.4 Effects of Termination

Upon termination:

  • Client must pay all fees for services rendered through the termination date
  • PeakPoint will return or destroy Client data as instructed (subject to legal retention requirements)
  • Both parties will return or destroy confidential information
  • Provisions regarding confidentiality, data protection, liability, and dispute resolution survive

11. Warranties and Disclaimers

11.1 PeakPoint Warranties

PeakPoint warrants that:

  • Services will be performed in a professional and workmanlike manner
  • Services will comply with applicable laws and regulations
  • We have the right and authority to enter into this agreement
  • We will maintain appropriate security measures and compliance certifications

11.2 Disclaimer

EXCEPT AS EXPRESSLY PROVIDED, SERVICES ARE PROVIDED "AS IS" WITHOUT WARRANTIES OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. PEAKPOINT DOES NOT WARRANT THAT SERVICES WILL BE UNINTERRUPTED OR ERROR-FREE.

12. Limitation of Liability

12.1 Liability Cap

EXCEPT FOR EXCLUDED CLAIMS (DEFINED BELOW), EACH PARTY'S TOTAL AGGREGATE LIABILITY ARISING OUT OF OR RELATED TO THIS AGREEMENT SHALL NOT EXCEED THE FEES PAID BY CLIENT TO PEAKPOINT IN THE 12 MONTHS PRECEDING THE CLAIM.

12.2 Excluded Claims

The liability cap does not apply to:

  • Breaches of confidentiality or data protection obligations
  • Gross negligence or willful misconduct
  • Violations of intellectual property rights
  • Indemnification obligations
  • Payment obligations

12.3 Consequential Damages

NEITHER PARTY SHALL BE LIABLE FOR INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES, INCLUDING LOST PROFITS, LOST DATA, OR BUSINESS INTERRUPTION, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

12.4 Healthcare-Specific Liability

For healthcare-related services, PeakPoint maintains professional liability insurance and cyber liability insurance with minimum coverage of $5 million per occurrence. Certificates of insurance are available upon request.

13. Indemnification

13.1 PeakPoint Indemnification

PeakPoint will indemnify, defend, and hold harmless Client from third-party claims arising from:

  • PeakPoint's gross negligence or willful misconduct
  • Infringement of third-party intellectual property rights by PeakPoint's proprietary tools
  • PeakPoint's violation of applicable laws

13.2 Client Indemnification

Client will indemnify, defend, and hold harmless PeakPoint from third-party claims arising from:

  • Client's breach of these Terms
  • Client data or content provided to PeakPoint
  • Client's violation of applicable laws or third-party rights

13.3 Indemnification Process

The indemnified party must promptly notify the indemnifying party of claims, cooperate in defense, and allow the indemnifying party to control defense and settlement (provided settlements do not admit liability or impose obligations on the indemnified party without consent).

14. Compliance and Audits

PeakPoint maintains compliance with applicable healthcare and data protection regulations:

  • HIPAA Privacy and Security Rules (45 CFR Parts 160 and 164)
  • GDPR (Regulation (EU) 2016/679)
  • ISO 27001:2013 Information Security Management
  • SOC 2 Type II Compliance
  • Applicable African data protection laws

Clients may audit PeakPoint's compliance with contractual obligations upon reasonable notice (typically 30 days) and no more than once per year, unless required by regulatory authorities or in response to a security incident. Audits will be conducted during business hours and will not unreasonably interfere with operations.

15. Force Majeure

Neither party shall be liable for failure to perform obligations due to events beyond reasonable control, including natural disasters, war, terrorism, pandemics, government actions, labor disputes, or utility failures. The affected party must notify the other party promptly and use reasonable efforts to mitigate impact. If force majeure continues for more than 60 days, either party may terminate without penalty. For healthcare services, PeakPoint will maintain business continuity plans to minimize disruption to critical operations.

16. Dispute Resolution

16.1 Negotiation

Parties will first attempt to resolve disputes through good-faith negotiation between senior executives.

16.2 Mediation

If negotiation fails, parties agree to mediation with a mutually agreed mediator before pursuing litigation or arbitration.

16.3 Arbitration

Disputes not resolved through mediation may be submitted to binding arbitration under the rules of the International Chamber of Commerce (ICC), with arbitration conducted in English.

16.4 Injunctive Relief

Either party may seek injunctive relief in court for breaches of confidentiality, data protection, or intellectual property rights without waiting for mediation or arbitration.

17. Governing Law and Jurisdiction

These Terms shall be governed by and construed in accordance with the laws of the United States of America, without regard to conflict of law principles. For GDPR-related disputes, EU data protection law shall apply. For HIPAA-related disputes, U.S. federal law shall apply.

18. General Provisions

18.1 Entire Agreement

These Terms, together with Service Agreements, BAAs, DPAs, and the Privacy Policy, constitute the entire agreement and supersede all prior agreements and understandings.

18.2 Amendments

PeakPoint may update these Terms by posting revised terms on our website. Material changes will be communicated via email. Continued use of services after changes constitutes acceptance.

18.3 Assignment

Neither party may assign this agreement without the other's written consent, except to affiliates or in connection with a merger or acquisition.

18.4 Severability

If any provision is found unenforceable, it will be modified to the minimum extent necessary, and remaining provisions will remain in full effect.

18.5 Waiver

Failure to enforce any provision does not constitute a waiver of that or any other provision.

18.6 Notices

All notices must be in writing and sent to the addresses specified in Service Agreements. Email notices are acceptable for routine communications but not for termination or legal notices.

18.7 Independent Contractors

The parties are independent contractors. Nothing in these Terms creates a partnership, joint venture, agency, or employment relationship.

19. Contact Information

For questions about these Terms and Conditions, please contact:

Legal Department:
Email: legal@peakpoint.africa

Business Associate Agreement (HIPAA):
Email: baa@peakpoint.africa

Data Processing Agreement (GDPR):
Email: dpa@peakpoint.africa

Postal Address:
PeakPoint Services
Nairobi, Kenya, East Africa

Phone: +263 77 847 7608

Important Legal Notice

These Terms and Conditions are designed to comply with GDPR and HIPAA requirements for healthcare data processing. However, they should be reviewed by qualified legal counsel familiar with EU data protection law, US healthcare privacy regulations, and applicable African laws before deployment. Specific business details marked as "[To Be Updated]" must be completed with accurate information. These Terms should be read in conjunction with our Privacy Policy, applicable Business Associate Agreements (BAAs), and Data Processing Agreements (DPAs).