All customers and users of the services and products (“You” or “Customer”) provided by or through phData agree to comply with this Acceptable Use Policy (“AUP”) – it is part of your contract with us and our affiliates (the “Services”).
This AUP applies to the following in connection with your use of Services provided by phData:
- Internet usage
- Mobile device (including Bring Your Own Device (BYOD)) usage
- Social media
- Remote access use
We may modify this AUP at any time by posting a revised version on the phData website. The most current AUP will always be posted here (http://phdata.io/legal/aup/). Words that are capitalized in this AUP have the meanings given to them in the Service Level Agreement. By using the Services, you agree to the latest version of this Policy. If you violate the Policy or authorize or help others to do so, we may suspend or terminate your use of the Services.
2. Capacity and Performance Monitoring
Unless otherwise requested, and if applicable, we will monitor your System capacity for disk space, memory, and CPU performance. We do this to prevent downtime in the event of usage spikes that may cause performance issues or outages.
3. Accurate Information
You agree to provide us with accurate information, including information you provide to us during sign up, in communications with us, through trouble tickets and in our customer portal. You warrant that you will not impersonate any other person or entity, whether actual or fictitious, when using the Services, or defame or otherwise harm any party through your use of the Services. Failure to provide us with accurate information is a material breach of this AUP, and if not cured within the time set out in the Services may lead to termination.
4. No Illegal, Harmful, or Offensive Use or Content
You agree that you will abide by, without limitation, all applicable local, state, national and international laws and regulations with respect to your use of the Services and not interfere with the use of Services by other users or with the operation and management of the Services by phData. You agree to not use or encourage, promote, facilitate or instruct others to use, the Services for any illegal, harmful or offensive use, or to transmit, store, display, distribute or otherwise make available content that is illegal, harmful, or offensive.
5. Privacy and Security Statement
For information about the use and protection of your information by phData, please refer to the phData Privacy and Security Statement, which is incorporated into and made a part of this AUP.
6. No Security Violations
You may not use the Services to violate the security or integrity of any network, computer or communications system, software application, or network or computing device (each, a “System”). Prohibited activities include, but are not limited to:
- Unauthorized Access. Unauthorized Access is an act of illegally gaining access into any computer, network etc., or promoting such activity, which is banned under the “Unauthorized Access Prohibition Law”, enforced on February 13, 2000.
- Data Interception. Monitoring data streams in order to gather sensitive information from a System without permission.
- Falsification of Origin. Forging TCP/IP packet headers, e-mail headers, or any part of a message describing its origin or route. This prohibition does not include the use of aliases or anonymous remailers.
7. No Network Abuse
It is your obligation to determine whether a particular use of our services is permitted. You are responsible for the content you store, upload or transmit using our products and services. You may use this AUP as a baseline to determine whether a particular use is permitted. However, there may be uses that are not defined here that are not lawful or are generally prohibited by the Internet community. The use of our products and Services in the following activities is strictly prohibited:
- Any conduct that is likely to result in retaliation against the phData network or website, or phData’s employees, officers or other agents, including engaging in behavior that results in any server being the target of a denial of service attack;
- Monitoring or crawling of a System that impairs or disrupts the System being monitored or crawled;
- Importing or exporting any material prohibited by U.S. law;
- Inundating a target with communications requests so the target either cannot respond to legitimate traffic or responds so slowly that it becomes ineffective (Denial of Service);
- Facilitating, encouraging or providing assistance to any activity that engages in hacking, spreading viruses or compromises security in any way;
- Using manual or electronic means to avoid any use limitations placed on a System, such as access and storage restrictions;
- Is unfair or deceptive under the consumer protection laws of any jurisdiction;
- Interfering with the proper functioning of any System, including any deliberate attempt to overload a system;
- Creates a risk to a person’s safety or health, creates a risk to public safety or health, compromises national security, or interferes with an investigation by law enforcement;
- Infringes on another person’s copyright, trade or service mark, patent, or other property right or is designed to circumvent protective systems; or
- Is otherwise illegal or solicits conduct that is illegal under laws applicable to you or to phData.
8. No E-Mail Abuse / Bulk Email Restrictions
If you initiate, process or enable email use with your Services, you must comply with the CAN-SPAM Act of 2003 and other laws and regulations applicable to bulk or commercial email. You may use your Services to send bulk mail if you comply with the CAN-SPAM Act of 2003.
This AUP applies to messages sent using your Services, or to messages sent from any network by you or any person on your behalf that directly or indirectly refer the recipient to a site or an email address hosted via your Service. phData may block the transmission of email that violates these provisions. phData may, at its discretion, require certain customers to seek advance approval for bulk and commercial email, which approval will not be granted unless the customer can demonstrate that all of the requirements stated above will be met.
9. Specific Information Security Restrictions
The following safeguards are required in all systems regardless of the type of data stored or processed:
- Default or open authentication to log on to Internet-facing systems is not allowed.
- Client/Server access to database SQL services between the DMZ (as that term is defined below) and the open Internet is not allowed.
- Terminal servers and file transfers, such as FTP, SSH or RDP, that are not protected by an encrypted tunnel and restricted to a specific list of IP addresses are not allowed, unless you utilize an approved alternative, such as phData’s SSL VPN solution. Otherwise, access will be denied until you provide a narrow and specific list of Internet IP addresses.
- In order to safeguard data within phData’s networks, Internet-facing systems that store or process sensitive or protected data, for example, PHI, PII or PCI (“Sensitive Data”) require specific technical controls. Examples may include web, remote login and/or database servers that store or process Sensitive Data.
The following safeguards are required for one-tier systems that store or process Sensitive Data:
- You warrant that the application to be hosted meets reasonable security standards and that no known vulnerabilities exist that could impede phData’s ability to protect ePHI for any and all customers.
- You must provide phData with a commercially reasonable application-hardening standard that meets CIS standards (http://benchmarks.cisecurity.org/downloads/browse/?category=benchmarks) or NIST standards (https://www.nsa.gov/ia/mitigation_guidance/security_configuration_guides/index.shtml). If you do not have a hardening standard, phData can provide one for you. If phData is to install any application on your behalf, you must provide express instructions. Examples of commercially reasonable hardening standards include those used for PCI-PA, PCI-DSS, etc. You may customize these and other commercial standards to fit your needs as long as the standard is inclusive of reasonable data security safeguards.
- Express instructions for hardening steps required for any server built for the application must be provided to phData.
10. Copyrighted Material
phData complies with the Digital Millennium Copyright Act (“DMCA”). You are required to comply with U.S. copyright laws. If a copyright holder believes that a phData customer has infringed a copyright, the copyright holder is required to comply with all provisions of the DMCA. If the copyright holder has reviewed the DMCA and understands its provisions, it may submit its DMCA notice to our designated agent at:
400 S. 4th St., Suite 401
Minneapolis, MN 55415
11. Monitoring and Enforcement
We reserve the right, but do not assume the obligation, to investigate any violation of this AUP or misuse of the Services. phData may, at its sole discretion:
- Investigate violations of this Policy or misuse of the Services;
- Remove, disable access to, or modify any content or resource that violates this AUP or any other agreement we have with you for use of the Services.
At phData’s discretion, we may report any activity that we suspect violates any law or regulation to appropriate law enforcement officials, regulators, or other appropriate third parties. We may cooperate with law enforcement agencies, regulators, or other appropriate third parties to help with the investigation and prosecution of illegal conduct by providing network and systems information related to alleged violations of this AUP. Reporting information may include disclosing appropriate customer information.
12. Requesting Information From Us
If a third party requests information from us, the party should assume that unless expressly required by law, its request is not confidential, and will be transmitted to the appropriate phData customer. Individuals and entities that request information about our products and services, and their use by our customers, must demonstrate that they are legally entitled to this information. Requests for information, including subpoenas, will be honored only if they are part of a filed and pending matter. Third parties will be charged our technical assistance fee of $175 per hour to process a request, and are responsible for any legal fees we incur when responding to a request. Please direct correspondence about this paragraph to:
400 S. 4th St, Suite 401
Minneapolis, MN 44415
No credit will be available under a phData service level guaranty or agreement for interruptions of service resulting from AUP violations.
In addition, if you request that we do not adjust your capacity as noted in the Capacity and Performance Monitoring section of this AUP, no SLA credits will be given in the event your system experiences downtime or performance issues as a result.
14. Acronyms and Terms
- PHI: Protected Health Information
- PII: Personally Identifiable Information
- PCI: Payment Card Industry data
- DMZ: network segments receiving inbound traffic from the open Internet.
- Secure Net: network segments that only communicate with trusted client servers, or via dedicated site-to-site connections or encrypted tunnels such as VPNs.
- One Tier Design: system architecture that stores or processes Sensitive Data in a DMZ context.
- Two or more Tier Design: system architecture that stores or processes all Sensitive Data in a secure network and transfers session specific data from or into a DMZ context.
15. Reporting of Violations of this Policy
If you become aware of any violation of this AUP, you agree to immediately notify us and provide us with assistance, as requested, to stop or remedy the violation. To report any violation of this Policy, please send an email to firstname.lastname@example.org with the following information:
- Email Address
- Phone Number
- Source IPs
- Destination IPs
- Destination Ports
- Destination URLs
- Time, Time Zone and Date of suspected abuse