Exhibit 6.4
20/20 GeneSystems PARTICIPATION AGREEMENT
THIS 20/20 GeneSystems PARTICIPATION AGREEMENT (the “Agreement”) is made as of the 6th day of January 2025 (the “Effective Date”) by and between 20/20 GeneSystems, Inc. (“20/20 GeneSystems” or “20/20”), and Ahold Delhaize USA Services LLC f/k/a Retail Business Services LLC (“ADUSAS”) and its Affiliates, including ADUSAS Affiliate Giant of Maryland, LLC (“Giant Food”).
WHEREAS, 20/20 GeneSystems maintains a high complexity CAP accredited CLIA laboratory and is offering and providing clinical lab testing services to consumers of pharmacies of ADUSAS Affiliates including tests for infectious diseases (such as COVID-19) and cancer screening tests (such as OneTest); and
WHEREAS, ADUSAS wishes to provide access to clinical lab testing services and
WHEREAS, ADUSAS desires to participate in 20/20 GeneSystems pursuant to the terms and provisions contained herein; and
WHEREAS, GeneSystems shall perform the Services set out in one or more statements of work for ADUSAS and participating Affiliates in accordance with this Participation Agreement. Statements of Work shall be numbered sequentially and shall become part of this Agreement. This Participation Agreement (and the Exhibits hereto), together with such Statements of Work (and any attachments thereto), shall be referred to herein as the “Agreement.”
WHEREAS, GeneSystems shall at all times comply with all ADUSAS policies and procedures provided to GeneSystems in writing.
NOW, THEREFORE, for good and valuable consideration, the receipt and sufficiency of which is hereby acknowledged by the parties, the parties hereby agree as follows:
1. | Grant of Right to Participate in 20/20 GeneSystems |
20/20 GeneSystems hereby grants to ADUSAS the right to participate with 20/20 GeneSystems for the purposes stated herein and pursuant to the terms and provisions contained herein and in one or more statements of work agreed upon and signed by the parties (each, a “Statement of Work” or “SOW”) for ADUSAS or its Affiliates identified in each such Statement of Work and in accordance with this Agreement. Statements of Work shall be numbered sequentially and shall become part of this Agreement. This Agreement, together with such Statements of Work, shall be referred to herein as the “Agreement.”
2. | Terms of Participation |
Services and Reimbursement Rates. The services that shall be provided at the Pharmacies through 20/20 GeneSystems (the “Services”) and the reimbursement rates for the Services (the “Reimbursement Rates”) shall be set forth on one or more Statements of Work. Individual customers shall have the right to obtain the Services at any Pharmacy of their choice.
Payment. Payment for the Services provided by the Pharmacies through 20/20 GeneSystems pursuant to a Statement of Work will be made by 20/20 GeneSystems to ADUSAS at the Reimbursement Rates/Fees as set forth in the applicable Statement of Work. If no payment terms are set forth in a Statement of Work, payment will be made within thirty (30) days of receipt of an invoice supplied to 20/20 GeneSystems within 5 business days of the last day of each calendar month by ADUSAS.
3. | Fees for Participation in 20/20 GeneSystems |
Except as otherwise agreed by the parties, in writing, ADUSAS will not pay any fees to 20/20 GeneSystems for participation.
4. | Term |
This Agreement will become effective upon the Effective Date and shall be reassessed for renewal for a term of three (3) months on each successive anniversary of the Effective Date unless terminated by either party at least thirty (30) days prior to the expiration of the then current term.
5. | Termination |
Either party may terminate this Agreement, without cause, upon thirty (30) days prior written notice to the other party specifying the date on which termination is effective.
6. | Insurance |
ADUSAS
As a further condition of ADUSAS’ participation with 20/20 GeneSystems, ADUSAS must, at its own cost and expense, obtain and maintain in full force and effect, during the term of this Agreement and for a period of at least two (2) years thereafter, insurance coverage in the minimum amounts set forth hereinafter.
(a) | Commercial general liability insurance with limits of not less than one million dollars ($1,000,000) per occurrence and two million dollars ($2,000,000) in the aggregate, for bodily injury, death, and property damage, including personal injury, advertising injury, contractual liability, independent contractors, broad-form property damage, and products and completed operations coverage. | |
(b) | Excess umbrella policy of one million dollars ($1,000,000). |
ADUSAS shall also obtain Workers Compensation Insurance with a limit of one million dollars ($1,000,000) for each claim, or as required by law, whichever shall be greater. Each policy shall contain a waiver of subrogation and name 20/20 GeneSystems as an additional insured. ADUSAS will provide 20/20 GeneSystems with a certificate of insurance evidencing all such coverages, from time to time, upon 20/20 GeneSystems’ request.
Notwithstanding anything to the contrary contained herein, so long as ADUSAS’ net worth shall exceed one hundred million dollars ($100,000,000.00), ADUSAS shall have the right to self-insure its insurance obligations under this Agreement.
20/20 GeneSystems
20/20 GeneSystems shall at its own expense secure and maintain, and shall require any subcontractor to secure and maintain, throughout the Term, the insurance coverages specified herein with companies demonstrating an AM Best rating of no less than A-. 20/20 GeneSystems shall provide ADUSAS with certificates evidencing such insurance (“Certificates”) upon execution of this Agreement, and thereafter within ten (10) days following reasonable request of ADUSAS or any change in coverage or insurance providers. ADUSAS may withhold any payment due to 20/20 GeneSystems until receipt of all Certificates. The insurance coverage and limits required to be maintained by 20/20 GeneSystems shall be primary and shall not contribute with any insurance coverage by ADUSAS. To the maximum extent permitted by applicable law, all insurance policies maintained by 20/20 GeneSystems in accordance with this Section 6 and any other insurance maintained applicable to 20/20 GeneSystems’ performance under the Agreement shall provide a waiver of subrogation in favor of ADUSAS. Required coverages are as follows:
(a) | Workers’ Compensation Insurance which shall fully comply with the statutory requirements of all applicable Laws |
(b) | Commercial General Liability Insurance with a minimum combined single limit of liability of One Million Dollars ($1,000,000) per occurrence and Two Million Dollars ($2,000,000) aggregate for bodily injury and/or death and/or property damage and/or personal injury, including products/completed operations coverage and shall also include Broad Form Contractual coverage specifically for the Agreement. America Holding, Inc. shall be named as an additional insured. | |
(c) | Business Automobile Liability Insurance covering all owned, hired and non-owned vehicles and equipment used by 20/20 GeneSystems to travel to ADUSAS premises with a minimum combined single limit of liability of One Million Dollars ($1,000,000) for injury and/or death and/or property damage. America Holding, Inc. shall be named as an additional insured. |
(d) | Professional Liability or Errors and Omissions coverage in the minimum amount of Two Million Dollars ($2,000,000) per occurrence. |
(e) | Excess umbrella liability coverage with a minimum combined single limit of Three Million Dollars ($3,000,000). |
If 20/20 GeneSystems has Access to ADUSAS’ Customer Data or Personal Information (as each term is defined herein), cyber liability insurance in the minimum amount of One Million Dollars ($1,000,000) during the three (3) month pilot.
(f) | Certificates of insurances should be sent to: rbs-coimac.group@retailbusinessservices.com |
7. | Confidentiality |
As used in this Agreement, “Confidential Information” means any information disclosed by either party to the other party (and in the case of ADUSAS, including its Affiliates), either directly or indirectly, in writing, orally, or by inspection of tangible objects and whether or not identified by the disclosing party as confidential or proprietary. “Affiliate” means an entity that, now or hereafter, directly or indirectly, controls, is controlled by, or is under common control with a party to this Agreement. For purposes of this definition, the term “control” (including the terms controlling, controlled by and under common control with) means the possession, direct or indirect, of the power to direct or cause the direction of the management and policies of an entity, whether through the ownership of voting securities, by contract, or otherwise.
Confidential Information may also include confidential or proprietary information disclosed to a disclosing party by a third party. The receiving party will: (i) use the degree of care necessary to hold the disclosing party’s Confidential Information in confidence; (ii) restrict disclosure of such Confidential Information to those of its employees or agents with a need to know such information to perform its obligations hereunder and who are bound (i.e., as a condition to their employment or agency) by obligations respecting the protection of confidential information, which are substantially similar to those of this Agreement and which would extend to the disclosing party’s Confidential Information (and the receiving party shall remain liable for any breach of this provision by such persons or entities); (iii) use such Confidential Information only for the purposes for which it was disclosed and as necessary to fulfill its obligations or exercise its rights under the Agreement, unless otherwise set forth herein, or upon the prior written consent of the disclosing party, given in the disclosing party’s sole discretion.
The foregoing restrictions will not apply to Confidential Information to the extent it (i) was in the public domain at the time of disclosure; (ii) became publicly available after disclosure to the receiving party without breach of this Agreement; (iii) was lawfully received by the receiving party from a third party without such restrictions; (iv) was known to the receiving party, its employees or agents without such restrictions prior to its receipt from the disclosing party; (v) was independently developed by the receiving party without breach of this Agreement; (vi) was generally made available to third parties by the disclosing party without such restriction; or (vii) is required to be disclosed by the receiving party pursuant to judicial order or other compulsion of law, provided that the receiving party will provide to the disclosing party prompt notice of such order so that the disclosing party may seek a protective order or other appropriate remedy and will cooperate with the disclosing party’s reasonable, lawful efforts to resist, limit or delay disclosure. If such protective order or other remedy is not obtained, the receiving party will (i) furnish only that portion of the Confidential Information that it is legally required to furnish and, (ii) at the request of the disclosing party, use reasonable efforts to ensure that the party compelling disclosure of the Confidential Information will preserve its confidentiality.
The parties agree that any unauthorized disclosure or use of the Confidential Information of the disclosing party could cause irreparable harm and significant injury to the disclosing party, for which monetary damages alone may not be an adequate remedy. Accordingly, the receiving party agrees that in the event of a breach or threatened breach of this Section, the disclosing party shall be entitled to seek an injunction or other equitable relief as a remedy for such breach or anticipated breach without the necessity of posting a bond or proving that actual damages have been or will be sustained.
The receiving party agrees that any and all Confidential Information of the disclosing party is and shall remain the proprietary and confidential information and exclusive property of the disclosing party and that nothing in the Agreement shall be construed to convey to the receiving party any license to use, sell, exploit, copy or further develop any Confidential Information of the disclosing party except as expressly provided in the Agreement.
Upon termination or expiration of this Agreement, or at any time upon the request of the disclosing party, the receiving party shall, at the election of the disclosing party, either return or securely destroy all Confidential Information of the disclosing party in the possession of the receiving party or in the possession of any third party over which the receiving party has or may exercise control. Notwithstanding the foregoing, the receiving party may retain the Confidential Information of disclosing party as required by law or if the return or destruction of such Confidential Information is not commercially reasonable, in which case, the receiving party’s obligations in this Section 7 shall continue until such time as such Confidential Information is returned or securely destroyed.
If 20/20 GeneSystems will have access to Personal Information or ADUSAS’ Customer Data (as either term is defined herein), 20/20 GeneSystems will establish and maintain during the Term an information security program that: (i) ensures the security of the ADUSAS Customer Data and the computer system(s), hardware, software or other equipment (“Systems”) that access, use, process or store ADUSAS Customer Data; (ii) ensures the confidentiality of the ADUSAS Customer Data in accordance with this Section 7; (iii) protects against any anticipated threats or hazards to the security or integrity of the ADUSAS Customer Data and the Systems; and (iv) protects against unauthorized access to or misuse of the ADUSAS Customer Data and Systems. “Customer Data” means all (i) data and information generated, provided or submitted by, or on behalf of, ADUSAS or any of its Affiliates in connection with the Services, including Personal Information, and (ii) data and information regarding ADUSAS and/or its Affiliates collected, generated or submitted by 20/20 GeneSystems or any of its Personnel. Each party shall be liable for all acts and omissions of its personnel.
If 20/20 GeneSystems will collect, process, use, store, disclose, access or dispose of Personal Information for or on behalf of ADUSAS, or if 20/20 GeneSystems will have access to any Systems of ADUSAS or its Affiliates (collectively, “Access”), then 20/20 GeneSystems shall: (i) be subject to the Business Associate Agreement between the parties dated November 26, 2024 and the Security Addendum, attached hereto as Exhibit A and incorporated herein by reference, and may be required, in ADUSAS’ sole discretion, to undergo a vendor information security assessment; and (ii) comply, and cause 20/20 GeneSystems’ Personnel to comply, with the ADUSAS security policies (as may be revised by ADUSAS from time to time and which shall be promptly provided to 20/20 GeneSystems by ADUSAS), and not tamper with, compromise or circumvent any security or audit measures employed by ADUSAS. 20/20 GeneSystems and its Personnel to be given access to Systems may be required to execute a separate Systems access agreement. 20/20 GeneSystems represents and warrants that it will collect and process Personal Information in compliance with applicable law and not use or disclose Personal Information except to the extent necessary to provide the test screening services where each patient has been informed that such use is necessary to provide this service.
As used herein, “Personal Information” means any information relating to an identified or identifiable individual, including, but not limited to, name, postal or email address (or other online contact information such as an online user ID), telephone number, Social Security number (or its equivalent), driver’s license number (or other government-issued identification number), date of birth, demographic information, health or medical information, health insurance information, biometric data, account information (including checking, credit card, or other financial account information), personal identification number, access code, password, security questions and answers, next of kin contact information, Internet Protocol (IP) address, or any other unique identifier or one or more factors specific to the individual’s physical, physiological, mental, economic or social identity, in whatever format, including that contained in communications, documents, databases, records, or materials of any kind whether such data is in individual or aggregate form, and regardless of the media in which it is contained, that may be (i) disclosed at any time to the Personnel, officers, directors, advisors, consultants or other party or person acting on behalf of or at the direction of 20/20 GeneSystems (collectively, “20/20 GeneSystems Disclosees”) by ADUSAS or any of its Affiliates, or any of their respective Personnel, in anticipation of, in connection with or incidental to the performance of the Agreement; (ii) processed at any time by 20/20 GeneSystems Disclosees in connection with or incidental to the performance of the Agreement; or (iii) derived by 20/20 GeneSystems Disclosees from the information described in (i) or (ii) above.
Personal Information includes cardholder data from any of ADUSAS’ or its Affiliates’ customers, including but not limited to, transaction authorization information, primary account numbers, service codes, expiration dates, full magnetic stripe data or equivalent on a chip, CAV2/CVC2/CVV2/CID, PIN number and other information within the scope of the Payment Card Industry Data Security Standard of the PCI Security Standards Council, as may be amended from time to time, which can be found at https://www.pcisecuritystandards.org/.
Except as otherwise provided in the Agreement, the covenants of confidentiality and other restrictive covenants set forth in this Section 7 will continue for a period of five (5) years after the termination or expiration of the Agreement and (a) with respect to trade secrets, until such trade secrets no longer qualify as trade secrets under applicable law; and (b) with respect to Personal Information, indefinitely.
8. | Proprietary Rights |
20/20 GeneSystems is protected by intellectual property laws and other laws of the United States and international laws and treaties, including intellectual property laws. Except for the limited rights expressly granted by 20/20 GeneSystems to ADUSAS in Section 1, ADUSAS acknowledges and agrees that, as between ADUSAS and 20/20 GeneSystems, all right, title and interest in and to 20/20 GeneSystems, including all copyright, trademark, patent, trade secret, intellectual property and other proprietary rights, belong exclusively to 20/20 GeneSystems. All rights not expressly granted under this Agreement are reserved by 20/20 GeneSystems.
Ownership of ADUSAS Data. As between 20/20 GeneSystems and ADUSAS, ADUSAS owns all rights, title and interest in and to the ADUSAS Customer Data. 20/20 GeneSystems will not acquire any right in, or assert any lien against, the ADUSAS Customer Data.
9. | Warranties |
20/20 GeneSystems does not warrant that ADUSAS’ participation in 20/20 GeneSystems will meet all of ADUSAS’ requirements or that use of 20/20 GeneSystems will be uninterrupted or error-free.
Each party warrants, as applicable, that: (i) it has the necessary corporate power and authority to enter into and perform this Agreement, including securing all permits, licenses, regulatory approvals and registrations required to perform its obligations hereunder, including, without limitation, registration with the appropriate taxing authorities for remittance of taxes; (ii) the Services shall conform to the written description set forth herein and any specifications or documentation provided by 20/20 GeneSystems and agreed to by ADUSAS in writing; (iii) the Services shall be performed in a timely, professional and workmanlike manner in accordance with industry best practices and standards and using competent Personnel having expertise suitable to their assignments; (iv) each party shall comply with all applicable laws; (v) this Agreement does not and will not conflict with any other agreement or understanding to which such party is a party or by which it is bound; and (vi) the person signing this Agreement on such party’s behalf has been duly authorized and empowered to enter into this Agreement.
10. | Disclaimer and Waivers |
EXCEPT AS EXPRESSLY SET FORTH HEREIN, 20/20 GENESYSTEMS MAKES NO REPRESENTATION OR WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, WITH RESPECT TO ADUSAS’ PARTICIPATION IN 20/20 GENESYSTEMS, AND 20/20 GENESYSTEMS HEREBY DISCLAIMS ALL REPRESENTATIONS AND WARRANTIES OF ANY KIND, WHETHER EXPRESS, IMPLIED OR STATUTORY, RELATING TO THIS AGREEMENT OR ADUSAS’ PARTICIPATION IN 20/20 GENESYSTEMS, INCLUDING WITHOUT LIMITATION ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
11. | Limitation of Liability |
TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, EXCEPT AS OTHERWISE SPECIFICALLY PROVIDED HEREIN, IN NO EVENT WILL EITHER PARTY OR ITS AFFILIATES HAVE ANY LIABILITY TO THE OTHER PARTY, CONTINGENT OR OTHERWISE, FOR ANY DIRECT, INDIRECT, SPECIAL, INCIDENTAL, CONSEQUENTIAL, PUNITIVE, STATUTORY OR EXEMPLARY DAMAGES IN ANY WAY ARISING OUT OF OR RELATING TO THIS AGREEMENT, OR ADUSAS’ PARTICIPATION IN 20/20 GENESYSTEMS, INCLUDING BUT NOT LIMITED TO LOST PROFITS, LOST OR CORRUPTED DATA, LOSS OF GOODWILL, PERSONAL INJURY, PROPERTY DAMAGE OR ANY OTHER DAMAGES OR LOSSES, EVEN IF A PARTY HAS BEEN ADVISED OF THE POSSIBILITY THEREOF, AND REGARDLESS OF THE LEGAL OR EQUITABLE THEORY (CONTRACT, TORT, STATUTE, INDEMNITY OR OTHERWISE) UPON WHICH ANY SUCH LIABILITY IS BASED; AND THE ENTIRE AGGREGATE LIABILITY OF 20/20 GENESYSTEMS AND ITS AFFILIATED ENTITIES AND THE SOLE REMEDY AVAILABLE TO EITHER PARTY IN ANY CASE IN ANY WAY ARISING OUT OF OR RELATING TO THIS AGREEMENT, OR ADUSAS’ PARTICIPATION IN 20/20 GENESYSTEMS, SHALL BE LIMITED TO TERMINATION OF THIS AGREEMENT. THE FOREGOING LIMITATIONS SHALL NOT APPLY TO ANY CLAIMS ARISING OUT OF (A) BREACH OF A PARTY’S CONFIDENTIALITY OBLIGATIONS UNDER THIS AGREEMENT; (B) A PARTY’S INDEMNIFICATION OBLIGATIONS, (C) A PARTY’S WILLFUL MISCONDUCT OR GROSS NEGLIGENCE, (D) A PARTY’S FAILURE TO COMPLY WITH LAW, OR (E) AN INFORMATION SECURITY INCIDENT. AS USED HEREIN, “Information Security Incident” means any actual or suspected unauthorized processing, loss, use, disclosure or acquisition of or access to any ADUSAS Customer Data.
12. | Indemnification |
(a) By 20/20 GeneSystems. 20/20 GeneSystems shall indemnify, defend and hold harmless ADUSAS and its Affiliates and their respective current, future and former officers, directors, managers, employees, representatives, agents, contractors, successors and permitted assigns (collectively, the “ADUSAS Indemnitees”), from and against any and all losses, liabilities, penalties, fines, expenses, damages, judgments, settlements and other costs (including reasonable attorneys’ fees and costs of investigation) incurred by ADUSAS Indemnitees (“Damages”), and defend the ADUSAS Indemnitees against all third party claims, suits, proceedings and actions (“Claims”), which arise out of or relate to: (i) any act or omission by 20/20 GeneSystems or any Personnel; (ii) any material breach of a representation, warranty or covenant of 20/20 GeneSystems contained in the Agreement; (iii) any failure by 20/20 GeneSystems to comply with applicable laws; (iv) any breach of 20/20 GeneSystems’ confidentiality or data security obligations in the Agreement; (v) an Information Security Incident; or (vi) any Claims by a third party alleging that any Deliverables or other Services, or the ADUSAS Indemnitees’ use thereof, infringes, violates or misappropriates any Intellectual Property right of a third party.
20/20 GeneSystems will have the right to conduct the defense of any Claim covered by this Section 12(a) and all negotiations for its settlement or compromise, except that ADUSAS may, in its sole discretion, participate in the defense of any such Claim at ADUSAS’ expense. Without limiting the foregoing, 20/20 GeneSystems may not, without ADUSAS’ prior written consent, settle, compromise or consent to the entry of any judgment in any such commenced or threatened Claim, unless such settlement, compromise or consent (i) includes an unconditional release of the relevant ADUSAS Indemnitees from all liability arising out of such commenced or threatened Claim; and (ii) is solely monetary in nature and does not include a statement as to, or an admission of fault, culpability or failure to act by or on behalf of, any ADUSAS Indemnitees or otherwise adversely affect any ADUSAS Indemnitee.
13. | General |
Relationship of the Parties. The parties are independent contractors. Neither this Agreement, nor any of the activities contemplated by the Parties under this Agreement creates a partnership, franchise, joint venture, agency, fiduciary or employment relationship between the parties or any of their Affiliates, subcontractors or representatives. Neither ADUSAS nor any of its Affiliates shall be responsible for any salary, benefits or other employee-related expenses including, without limitation, holidays, sick days, personal days, health insurance and worker’s compensation, with regard to 20/20 GeneSystems’ employees, subcontractors or agents.
Nothing in this Agreement creates an exclusive relationship or in any way prevents (i) 20/20 GeneSystems from entering into similar arrangements with other entities, including, without limitation, other similar customers; or (ii) ADUSAS from entering into similar arrangements with other entities, including without limitation, other service providers offering similar services.
Compliance with Applicable Laws. Each party shall comply with all Laws, ordinances, statutes, rules and regulations of any federal, state, or local governmental body or unit applicable to the Services provided hereunder, including but not limited to, any and all contractual, statutory, or common law rights and obligations and applicable restrictions concerning intellectual property rights, all privacy and data security laws, immigration laws, and Department of Labor regulations. The parties acknowledge and agree that ADUSAS’ participation in 20/20 GeneSystems will not be subject to the U.S. Department of Labor’s Federal Contract Compliance Programs.
Entire Agreement. This Agreement, including any Exhibits, Schedules, and Statements of Work, constitutes the final, complete and exclusive agreement between the parties regarding the subject matter hereof and supersedes all prior or contemporaneous agreements or understandings, whether in written, oral, electronic, or other form, relating to the subject matter hereof. No amendments of any provision of the Agreement shall be valid unless made in writing and signed by both parties specifically referencing the portion of the Agreement being amended. No terms and conditions contained in any “shrink-wrap,” “click-through” or “click-wrap” license or similar electronic notification or contract shall be of force or effect, whether or not accepted by any user.
Waiver. No failure or delay by either party in exercising any right under this Agreement shall constitute a waiver of that right or any other rights under the Agreement. No waiver of any provision of the Agreement shall be valid unless made in writing and signed by an authorized representative of the waiving Party. The waiver of any breach or provision of this Agreement will not be deemed a waiver of any different or subsequent breach.
Governing Law; Venue. This Agreement is governed by and will be construed using New York law, without giving effect to conflict of law provisions. All actions arising out of or relating to this Agreement will be heard and determined exclusively by the state and federal courts located in Boston, Massachusetts and the parties hereby consent to and waive any objections with respect to such jurisdiction and venue.
Severability. The provisions of this Agreement are severable. If any provision or portion thereof is found by any court or agency of competent jurisdiction to be invalid or otherwise unenforceable, then that part shall be limited or curtailed to the extent necessary to make such provision valid, and the remainder of this Agreement will not be affected and shall remain in full force and effect.
Records; Audit Rights. During the Term and for a period of five (5) years thereafter or longer, if required by law (the “Retention Period”), each party shall maintain, at no additional cost to the other party, complete and accurate records pertaining to the Services provided and the prices charged therefor; provided, however, that in the event of any dispute arising under or with respect to the Agreement, the Retention Period shall last until the resolution of such dispute becomes final and non-appealable and all obligations of the parties to such resolution have been satisfied in full. Each party shall, at its expense, make such records available for inspection by the other party or its agents, upon request from time to time during the Retention Period. Either party (or its agents) shall have the right to make copies of or extracts from any records kept pursuant to the Agreement. If an auditor or certified public accountant determines that 20/20 GeneSystems has underpaid ADUSAS, 20/20 GeneSystems shall promptly pay ADUSAS the amount of the underpayment. The costs of the audit shall be borne by ADUSAS unless there is an intentional underpayment in excess of 5% of the amount due, in which event 20/20 GeneSystems shall bear such costs and pay or promptly reimburse ADUSAS therefor. 20/20 GeneSystems agrees to promptly take all reasonable actions at its expense to correct any deficiencies identified by the audit.
Dispute Resolution. The Parties agree that prior to the commencement of litigation, they will attempt in good faith to resolve any controversy promptly by negotiations between senior management of the parties (and, if appropriate, with their respective counsel). If such negotiations fail, the parties may agree to pursue non-binding mediation (under the mediation rules of the American Arbitration Association) prior to Litigation. This provision shall not apply to claims involving confidentiality or any other claim seeking injunctive or equitable relief.
Notices. All notices required to be provided under the Agreement shall be in writing and shall be deemed delivered if (i) sent by overnight courier, on the day after mailing, (ii) by hand delivery, upon actual receipt, or (iii) by certified mail, return receipt requested and postage prepaid, on the third business day after deposit in the mail, to the addresses specified on the signature page, or at such other address(es) as a party may designate by notice given pursuant to this Section 13.
Survival of Terms. The rights and obligations of the parties which by their nature must survive termination of the Agreement in order to achieve its fundamental purposes shall survive any expiration or earlier termination of the Agreement, including without limitation, the provisions of the following Sections: Section 6 (Insurance), Section 7 (Confidentiality), Section 8 (Proprietary Rights), Section 9 (Warranties), Section 11 (Limitation of Liability), Section 12 (Indemnification), and Section 13 (General).
Cumulative Remedies. Other than those remedies specifically disclaimed in the Agreement, all remedies set forth in the Agreement shall be in addition to all other remedies available under the Agreement or at law or in equity. The remedies under the Agreement shall be cumulative and are not exclusive. Election of one remedy shall not preclude pursuit of other remedies.
Rules of Construction. Section headings are included for convenience or reference only and are not intended to define, limit or expand the scope of any provision of the Agreement and should not be used to construe or interpret the Agreement. Notwithstanding these general rules of construction, both ADUSAS and 20/20 GeneSystems acknowledge that both parties were given an equal opportunity to negotiate the terms and conditions contained in the Agreement and agree that the identity of the drafter of the Agreement is not relevant to any interpretation of the terms and conditions of the Agreement.
Publicity. All media releases, public announcements and public disclosures by a party, or its representatives, employees or agents, relating to the Agreement, or the name or logo of ADUSAS or any ADUSAS Affiliate or 20/20 GeneSystems, including, without limitation, promotional or marketing material or customer lists, but not including any disclosure required by legal, accounting or regulatory requirements beyond the reasonable control of the releasing party, shall be coordinated with and approved by the other party in writing prior to the release thereof.
Counterparts. This Agreement may be executed by the Parties in one or more counterparts. Each counterpart, when so executed, shall be an original but all such counterparts shall constitute one and the same instrument. A signed counterpart transmitted electronically shall be deemed an original.
Sanctions Compliance. During the Term of this Agreement, 20/20 GeneSystems agrees to comply with all Sanctions Compliance terms attached hereto as Exhibit B.
[SIGNATURE PAGE TO FOLLOW]
IN WITNESS WHEREOF, each of the parties has caused this Agreement to be duly executed as of the date first above written.
20/20 GeneSystems
By: /s/ Jonathan Cohen
Name: Jonathan Cohen
Title: President & CEO
Ahold Delhaize USA Services LLC
By: /s/ Moira O’Toole
Name: Moira O’Toole
Title: Vice President, Pharmacy Services
EXHIBIT A
AHOLD DELHAIZE
SERVICE PROVIDER INFORMATION SECURITY
REQUIREMENTS
Koninklijke Ahold Delhaize N.V. and its individual operating companies, divisions, subsidiaries and affiliates (collectively, “Ahold Delhaize”) must ensure that access to its information systems, networks, facilities and other resources (collectively, “Ahold Delhaize Systems”) and its data is appropriately controlled and that these resources are adequately protected. This includes access by Service Providers, other third parties and their respective employees, agents, subcontractors and representatives (collectively, “Service Providers” and each individually, a “Service Provider”). This Service Provider Information Security Requirements document (this “VISR”) sets forth the obligations that apply to Service Providers that receive access to (i) Ahold Delhaize Systems, (ii) Ahold Delhaize Data (as defined below) and/or (iii) Ahold Delhaize premises in connection with receipt of access to Ahold Delhaize Systems and/or Ahold Delhaize Data, when engaged in business with any Ahold Delhaize entity (such entity, “Company”). This VISR supplements the terms and conditions set out in any agreement between Company and Service Provider to which this VISR is attached or that otherwise incorporates this VISR by reference (the “Agreement”). Ahold Delhaize Systems and Ahold Delhaize Data are confidential information of Ahold Delhaize. For purposes of this VISR, “Ahold Delhaize Data” means personally identifiable information of Ahold Delhaize’s customers or associates, protected health information, payment card information, and any other highly proprietary or sensitive confidential information or data of Ahold Delhaize that, if disclosed to the public or unauthorized parties (including competitors), is likely to cause significant harm or competitive disadvantage to Ahold Delhaize (e.g., trade secrets, marketing plans, financial information, budgets, IP (internet protocol) addresses and IP ranges, strategic plans, employee compensation and performance information).
1. | General obligations |
As part of its engagement with Company, Service Provider shall for the entire duration of the engagement:
a) | maintain information security policies and guidelines that are aligned with industry best practice and comply with such Service Provider security policies and guidelines; |
b) | notify Company of any unauthorized use of, disclosure of, or access to Ahold Delhaize Systems or Ahold Delhaize Data, or any failure to comply with this VISR, promptly and in no event more than twenty-four (24) hours after Service Provider knows of or suspects such prohibited activity, and cooperate with Company in taking necessary or advisable corrective actions; |
c) | use industry standard information technology (“IT”) security protocols for the protection of Service Provider’s systems and confidential data, validate Service Provider’s compliance with these security protocols on at least an annual basis, and upon request from Company, provide written confirmation to Company of this validation based upon an industry standard based security framework (e.g., SOC2, ISO certification); |
d) | cooperate with security audits/assessments (such as Penetration Tests) as may be periodically requested by Company (and no more than annually unless a problem is identified) upon prior written notice to Service Provider, to be performed by or on behalf of Ahold Delhaize to confirm Service Provider’s compliance with this VISR; provided that such audits/assessments shall be conducted at a time(s) mutually agreed by the parties, during Service Provider’s normal business operations, in a manner minimally disruptive to Service Provider’s business, and subject to reasonable confidentiality requirements consistent with the confidentiality provisions in the Agreement; |
e) | ensure that Service Provider personnel or representatives that receive access to Ahold Delhaize Systems or Ahold Delhaize Data (“Service Provider Personnel”) are competent, properly trained in IT security matters and understand Service Provider’s obligations under this VISR; |
f) | accept and agree that if and while using any Ahold Delhaize Systems, Service Provider Personnel may be subject to monitoring of their activity to the extent allowed by law and pursuant to all reasonable security instructions and Ahold Delhaize policies or guidelines for the purpose of monitoring performance that are in effect from time to time. Service Provider expressly consents to such monitoring on behalf of Service Provider Personnel, and no advanced notice or warning shall be required for such monitoring. |
2. | Access to Ahold Delhaize premises |
If Service Provider is provided physical access to any Ahold Delhaize location or premises as part of its engagement with Company and the engagement involves Service Provider’s receipt of access to Ahold Delhaize Systems and/or Ahold Delhaize Data, Service Provider shall for the entire duration of the engagement:
a) | refrain from interfering with Ahold Delhaize’s network and infrastructure, or causing any damage or threat to such network and infrastructure; |
b) | ensure that Service Provider Personnel shall not actively look to gain access to any information or data outside of the purpose of the engagement, and shall promptly notify Company regarding any information or data accidentally obtained and promptly follow Company’s instructions regarding handling of such information or data; |
c) | ensure that Service Provider Personnel shall treat security and identification devices (such as access badges) provided to them by Company with the utmost care and confidentiality to prevent unauthorized access; |
d) | ensure that Service Provider Personnel shall comply with Company’s procedures for workplace and building safety and security while working on site at Company’s premises. |
3. | Access to Ahold Delhaize Data or Ahold Delhaize Systems containing Ahold Delhaize Data |
If Service Provider is provided access to Ahold Delhaize Data or to Ahold Delhaize Systems as part of its engagement with Company, Service Provider shall for the entire duration of the engagement:
a) | maintain at all times a comprehensive written information security program that complies with applicable law and good industry practice, and upon Company’s request, provide a summary or overview of the security program; |
b) | maintain a written information security program that describes appropriate administrative, technical, physical, organizational and operational safeguards and other security measures designed to (a) establish minimum standards to be met in connection with the safeguarding of Ahold Delhaize Data contained in both paper and electronic records; (b) protect the security and confidentiality of Ahold Delhaize Data in a manner consistent with applicable industry standards; (c) protect against any anticipated threats or hazards to the security or integrity of Ahold Delhaize Data; and (d) protect against any actual or suspected unauthorized processing, loss, use, disclosure or acquisition of or access to any Ahold Delhaize Data; |
c) | ensure that all authentication credentials provided to access Ahold Delhaize Data, such as usernames, passwords, digital certificates, tokens and smartcards, are uniquely assigned, and that Service Provider Personnel handle them with the utmost care and confidentiality to prevent unauthorized disclosure or misuse; |
d) | ensure that, unless expressly authorized in writing by Ahold Delhaize, no Ahold Delhaize Data shall be stored on or accessed by laptops, USB drives, mobile devices, or any other portable storage media belonging to Service Provider or Service Provider Personnel, except as required for the performance of the engagement and in such instances, appropriate security (e.g., encrypted thumb drives) must be used; |
e) | ensure that all remote access to Ahold Delhaize Data by Service Provider personnel or representatives is secured using multi-factor authentication via a secure method, or another authentication mechanism as agreed upon with Ahold Delhaize; |
f) | ensure that, unless expressly authorized in writing by Ahold Delhaize, Service Provider and Service Provider Personnel do not access any production environment of Ahold Delhaize; |
g) | grant access to Ahold Delhaize Data only on a need-to-know basis, and not distribute such Ahold Delhaize Data outside the purpose of the engagement; |
h) | have “next generation” endpoint protection in place for Service Provider systems that can be exposed to malware (e.g., servers and end-points), i.e. an endpoint security solution for multiple platforms that supports capabilities such as prevention, dynamic exploit protection, dynamic malware protection, mitigation, remediation and forensics; |
i) | as soon as the engagement with Company ends, upon request of Company, or at any such other time as may be required by applicable law, securely return or securely destroy or render unreadable or undecipherable all Ahold Delhaize Data provided to Service Provider that remains in Service Provider’s possession or control; and Service Provider shall provide Company with a written certification that such return or alternate action has occurred. |
4. | Housing services, hosting services and cloud services |
If Service Provider provides housing services, hosting services and/or cloud services to Company as part of the engagement with Company, Service Provider shall for the entire duration of such engagement:
a) | comply with the SOC2 control framework and regulations, or a similar control framework with at least an equal security standard; |
b) | periodically provide Company with an unqualified SOC 2 (Type II) examination in accordance with the AICPA AT Section 101, or any successor or equivalent standards, by qualified, independent auditors engaged and compensated by Service Provider, covering Service Provider’s controls and systems relating specifically to all aspects of the services provided (“SOC 2 Report”); |
c) | ensure that access and authentication are compliant with Ahold Delhaize’s Privileged Access Guidelines attached hereto as Appendix A, which may be modified by Ahold Delhaize upon written notice to Service Provider in the event of a change in law or industry standard; |
d) | provide security operational integration such as logs, monitoring and remediation, for integration with Ahold Delhaize’s SOC requirements; |
e) | comply with Ahold Delhaize’s cloud hosting requirements, policies and standards that are provided to Service Provider by Company. |
5. | Developing or maintaining software |
If Service Provider develops and/or maintains software for Ahold Delhaize as part of the engagement with Company, Service Provider shall for the entire duration of the engagement:
a) | maintain a secure Systems Development Life Cycle (or “SDLC”) process, including at a minimum: |
● | evidence of a secure code review process; |
● | periodic application penetration tests executed by a specialized third party, with the report provided to Company; |
● | security checkpoint in change management; |
● | a procedure that ensures the timely resolution of all high and medium risk vulnerabilities (using the Common Vulnerability Scoring System (or “CVSS”) rating) that are discovered. |
b) | apply the following measures in accordance with Ahold Delhaize’s security policies: |
● | patch management; |
● | vulnerability assessment; |
● | strong access control; |
● | system hardening; |
c) | ensure that access and authentication are compliant with Ahold Delhaize’s Privileged Access Guidelines attached hereto as Appendix A, which may be modified by Ahold Delhaize upon written notice to Service Provider in the event of a change in law or industry standard; |
d) | periodically (no more than annually) provide Company with an ISO or similar certification reflecting the compliance of Service Provider with the above obligations; |
e) | have next generation endpoint protection in place for Service Provider systems that can be exposed to malware (e.g., servers and end-points) as described under Section 3(h) above. |
6. | Maintaining hardware |
If Service Provider maintains hardware for Ahold Delhaize as part of the engagement with Company, Service Provider shall for the entire duration of the engagement:
a) | apply the following measures with respect to the hardware it provides and/or maintains: |
● | hardware hardening according to industry best-practices or Ahold Delhaize instructions; |
● | industry standard based security or prevention measures (anti-tampering, air-gapping, etc.). |
b) | ensure that access and authentication are compliant with Ahold Delhaize’s Privileged Access Guidelines attached hereto as Appendix A, which may be modified by Ahold Delhaize upon written notice to Service Provider in the event of a change in law or industry standard. |
Appendix A
VISR Privileged Access Guidelines
Introduction
Ahold Delhaize needs to enforce access controls to ensure that IT suppliers managing IT systems (hardware or software) for Ahold Delhaize are in control of Identity and Access Management (IAM). This document provides guidelines for IT Suppliers to comply with Ahold Delhaize privileged access controls. In addition to these guidelines, the Ahold Delhaize IAM Policy applies to IT supplier services and service employees. Each IT supplier is required to operate in line with these VISR IAM Privileged Access Guidelines and the Ahold Delhaize IAM Policy.
Access Control Policy
Supplier shall establish, document, and review an access control policy based on Ahold Delhaize security requirements for privileged access. Privileged access control rules and rights for Supplier Employees shall be clearly stated in Supplier’s access control policy. Supplier’s access control policy shall be based on the least privilege principle. Access to information resources must be limited to only those individuals whose job requires such access. Access to information resources must be prevented unless explicitly allowed. Supplier shall disclose upfront the way in which the policy will be distributed amongst its personnel.
Lifecycle Procedures
Supplier’s procedures to control the allocation of privileged access rights to Ahold Delhaize Information and Systems shall cover all stages in the life-cycle of Supplier Employees’ access, from the initial onboarding to the final off-boarding of Supplier Employees who no longer require access to the Ahold Delhaize Information and/or Systems. To establish and maintain full control of IAM lifecycle processes, Supplier must adhere to the following lifecycle phases:
Joiner:
● | Creation of a privileged account in the Ahold Delhaize IAM Tool |
● | Allocate privileged roles (providing entitlements) to the created account |
● | Provision privileged roles to the target services or systems |
Mover:
● | Allocate privileged roles to an account in the Ahold Delhaize IAM Tool |
● | Withdraw privileged roles that are no longer required |
● | (de)Provision changes to the target services or systems |
● | a move can be triggered by job changes and system changes (new systems or new roles in existing systems by changes in configuration) |
Leaver:
● | Withdraw privileged roles in the Ahold Delhaize IAM Tool |
● | Revoke privileged access in the Ahold Delhaize IAM Tool |
● | Remove/suspend roles in the target services or systems by provisioning |
Supplier has to ensure that all privileged account requests and changes are registered in the Ahold Delhaize IAM Tool. Internal Supplier procedures shall contain all the lifecycle phases described above. Automated user account clean-up is an integral part of the user lifecycle processes and must be performed regularly.
Approval Procedures
Approval procedures for requested privileged accounts should be in place. Approval procedures must also be in place for the creation of privileged roles. Ahold Delhaize internals must be part of the approval procedures. The approval flow must be traceable at any time. On request of Ahold Delhaize the supplier will report on the status of approvals.
Recertification Procedures
Ahold Delhaize is subject to regulations which require proof that procedures and controls are in place, to ensure proper recertification of access including privileged access. Recertification is the ongoing process of revalidating roles and permissions granted to users. Recertification has a high priority in governance, risk and compliance. Supplier shall review Supplier Employees’ access rights at regular intervals (every 3 months) and after any changes, such as promotion, demotion, or termination of employment. Supplier should take into account the following aspects while executing periodic recertification:
● | Correlate identities with their access to systems and applications; |
● | Evaluate the risk associated with that access; |
● | Review access deemed as risky or inappropriate; |
● | Review the validity of each account; |
● | Review the status of each account (still active, still granted permissions, etc.); |
● | Review that the list of employees on the account is still valid. |
Supplier should be able to provide a report of the actions carried out for recertification. Ahold Delhaize may at any time request an audit of these controls.
Emergency Procedure
Supplier will implement a ‘red envelope’ provisioning procedure for additional temporary access or revocation of an account in the Ahold Delhaize IAM Tool and in the services of target systems. The Service Provider account owner must change the password of an emergency (break glass) account after each use. The new password must be protected against unauthorized access.
Restriction on use of privileges
Supplier shall restrict and control the allocation and use of privileges through a formal authorization process. Supplier shall document the access privileges associated with each system product, e.g. network, operating system, database management system and each application, and the user group(s) to which they need to be allocated. Privileges should be allocated to Supplier Employees on a need-to-use basis and on an event-by-event basis in line with the access control policy, i.e. the minimum requirement for their functional role only when needed. Supplier shall ensure that all created accounts fit in the account-types as described in Annex A of these guidelines. Supplier shall provide traceability of all system management actions of employees that can impact the confidentiality, integrity or availability of services or systems. System management actions shall be traceable to an individual and must not be executed from non-personal accounts.
Monitoring
Supplier shall adequately log all changes to authorization profiles that grant or revoke administrative or privileged access rights. All privileged access to Ahold Delhaize Information and Systems shall be monitored by Supplier, and anomalies shall be reported to Ahold Delhaize via regular service management reporting.
Secure and identifiable log-on
Supplier shall implement controls to ensure secure log-on procedures, quality passwords and session time-out for inactive sessions at the network, operating system and database level. All Supplier Employees shall have a unique identifier (user ID) for their personal use only, and a suitable authentication technique shall be chosen to substantiate the claimed identity of a Supplier Employee. This control shall be applied for all types of users (including technical and functional support personnel, operators, network administrators, system programmers, and database administrators). User IDs should be used to trace activities to the responsible individual. Regular user activities should not be performed from privileged accounts. Users who are assigned privileged access for special purposes should use a different user identity for normal business use.
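The Recertification, Restriction on use of privileges, Monitoring and Secure and identifiable log-on sections above describe checks a supplier has to be able to evidence: stale recertifications, roles still held by leavers, drift between the IAM Tool and the target system, and management actions executed from non-personal accounts. The following is an added example written for this page, not part of the VISR and not Ahold Delhaize or supplier tooling; the IAM export, target-system account list, audit-log lines, field names and the as-of date are all constructed assumptions, and the 3-month interval is the one stated in the Recertification section.

```python
from datetime import date, timedelta

# Constructed sample data (assumed field names; not any real IAM tool's export).
# What the IAM Tool would hold for one supplier's privileged entitlements.
IAM_RECORDS = [
    {"user": "jdoe",   "account": "jdoe-adm",   "role": "linux-root",
     "employment": "active", "last_certified": date(2024, 12, 20)},
    {"user": "asmith", "account": "asmith-adm", "role": "db-dba",
     "employment": "left",   "last_certified": date(2024, 11, 2)},
    {"user": "bkhan",  "account": "bkhan-adm",  "role": "linux-root",
     "employment": "active", "last_certified": date(2024, 8, 1)},
]
# What the target system actually has (assumed export format); "personal" marks
# personal accounts as opposed to the NPA types listed in Annex A.
TARGET_ACCOUNTS = {
    "jdoe-adm":           {"roles": {"linux-root"}, "personal": True},
    "asmith-adm":         {"roles": {"db-dba"},     "personal": True},
    "svc-backup":         {"roles": {"backup"},     "personal": False},
    "root":               {"roles": {"linux-root"}, "personal": False},
    "old-contractor-adm": {"roles": {"linux-root"}, "personal": True},  # no IAM record
}
# Constructed audit-log lines: "<timestamp> <account> <action> <details...>".
AUDIT_LOG = [
    "2025-01-06T02:10:11Z root ADD_USER target=tmp-adm",
    "2025-01-06T03:00:00Z svc-backup READ /data/export.db",
    "2025-01-06T09:41:02Z jdoe-adm CHANGE_ROLE target=bkhan-adm role=linux-root",
]
MANAGEMENT_ACTIONS = {"ADD_USER", "DELETE_USER", "CHANGE_ROLE", "CHANGE_CONFIG"}
RECERT_INTERVAL = timedelta(days=90)   # "every 3 months" in the guidelines
TODAY = date(2025, 1, 6)               # assumed as-of date for the review


def stale_certifications(records, today):
    """Accounts whose last recertification is older than the review interval."""
    return sorted(r["account"] for r in records
                  if today - r["last_certified"] > RECERT_INTERVAL)


def leaver_entitlements(records):
    """Privileged roles still allocated to people who have left (leaver phase incomplete)."""
    return sorted((r["account"], r["role"]) for r in records
                  if r["employment"] == "left")


def reconcile(records, target):
    """Compare IAM entitlements with what the target system holds.

    Returns (orphans, missing): personal accounts on the target with no IAM
    record, and IAM entitlements that were never provisioned on the target.
    """
    iam_by_account = {}
    for r in records:
        iam_by_account.setdefault(r["account"], set()).add(r["role"])
    orphans = sorted(a for a, info in target.items()
                     if info["personal"] and a not in iam_by_account)
    missing = sorted((a, role) for a, roles in iam_by_account.items()
                     for role in roles
                     if role not in target.get(a, {}).get("roles", set()))
    return orphans, missing


def management_actions_from_npa(log_lines, target):
    """Log lines where a system-management action came from a non-personal account."""
    hits = []
    for line in log_lines:
        _ts, account, action, *_rest = line.split()
        is_personal = target.get(account, {}).get("personal", False)
        if action in MANAGEMENT_ACTIONS and not is_personal:
            hits.append((account, action))
    return hits


if __name__ == "__main__":
    print("stale recertification:", stale_certifications(IAM_RECORDS, TODAY))
    print("leaver roles still held:", leaver_entitlements(IAM_RECORDS))
    print("orphans / unprovisioned:", reconcile(IAM_RECORDS, TARGET_ACCOUNTS))
    print("management actions from NPAs:",
          management_actions_from_npa(AUDIT_LOG, TARGET_ACCOUNTS))
```

Each function returns the evidence the corresponding section asks for, so the output can be attached to the recertification report or service management reporting directly; in practice the three inputs would come from the IAM Tool export, a target-system account dump and the privileged-session log rather than inline constants.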
Name convention
Privileged account names are often set by target applications. To create transparency in the number of roles, IT Suppliers are required to use privileged-account naming conventions.
Annex A
Ahold Delhaize makes a distinction between Personal Accounts and Non-Personal Accounts.
Personal Account
Personal accounts are accounts assigned to an actual person. Personal accounts can only be used by the actual person. Sharing a personal account is prohibited. All personal accounts must have a responsible owner. If persons want to maintain an application, system, data or another IT component the person needs to get the right privileged roles in order to access these resources.
Non personal accounts
Non-Personal Accounts (NPA) are system accounts. These accounts are set up for system activities or system maintenance only, and therefore not for altering data. Personal use is prohibited due to legislation and accountability. Examples of Non-Personal Accounts are:
Used name | Description
Admin/root accounts | Admin/root accounts of Windows, Linux, Unix, etc. are highly privileged system accounts because these accounts: are authorized at the highest level; have access to every file and process running on a platform; can be used to change other accounts, roles and rights; and have permissions to change the behavior of the system.
Service account | Accounts for middleware processes like DBMSs, ESBs or other ICT components that run on top of the Windows or Linux operating systems. A special form of a non-personal account is an application account in a DBMS, used to give database access to an application.
Batch account | An account used by a batch job process; most commonly used for scheduled batch jobs, like nightly file transfers.
Backup account | An account used by backup software with read rights on all data.
EXHIBIT B
SANCTIONS COMPLIANCE
1. For purposes of this section, a “Restricted Party” means any individual, legal entity or organization that is listed on any Sanctions List, or that is located in or incorporated under the laws of a country or territory subject to Sanctions, or otherwise a target of Sanctions. The meaning of a Restricted Party also includes any person owned or controlled by or acting on behalf of one or more persons (i) listed on any Sanctions List, or (ii) located in or incorporated under the laws of a country or territory subject to Sanctions.
2. For purposes of this section, “Sanctions” means any trade, economic or financial sanctions laws, regulations, embargoes or restrictive measures administered, enacted, or enforced by: the United States government; the United Nations; the European Union; any member state of the European Union; the United Kingdom; or the respective governmental institutions and agencies of any of the foregoing (together the “Sanctions Authorities”).
3. For purposes of this section, “Sanctions List” means any list maintained by, or public announcement of Sanctions designation made by, any of the Sanctions Authorities, each as amended, supplemented, or substituted from time to time.
4. Service Provider (i.e., 20/20 GeneSystems) represents that neither it nor its subsidiaries, joint ventures and affiliates is a Restricted Party.
5. Service Provider undertakes that it and its subsidiaries, joint ventures and affiliates shall not violate Sanctions in relation to any business contemplated under the Agreement.
6. Service Provider undertakes that it shall inform the Company (ADUSAS) within 30 days after Service Provider receives notice of or is aware of any claim, action, suit, proceeding or investigation with respect to Sanctions in relation to any business contemplated under the Agreement.
7. To the extent the Company purchases goods or services from Service Provider, Service Provider represents that the goods or services the Company purchases under the Agreement (i) do not originate from any country or territory that is subject to comprehensive Sanctions and (ii) do not originate from, have not been manufactured or produced by and have not been purchased from a Restricted Party.
8. To the extent the Company delivers goods to Service Provider, Service Provider undertakes to ensure that the goods or services delivered under the Agreement shall not be used, resold, distributed, or delivered (i) to any country or territory that is subject to comprehensive Sanctions or (ii) to a Restricted Party.
9. Service Provider undertakes that it shall refrain from any and all activities that might cause the Company, its subsidiaries, joint ventures, affiliates, any of their respective directors or officers, or any party acting on behalf of any of the foregoing, (i) to become a Restricted Party and/or (ii) to violate Sanctions.