End User License Agreement
HAICONEX SYSTEMS, LLC
HAI — Health AI Clinical Decision Support System
Effective Date: 3/19/2026
Last Updated: 3/19/2026
1. Definitions
For purposes of this Agreement, the following terms have the meanings set forth below:
- "HAI" or "the Service": The Health AI clinical decision support platform, including all software, APIs, interfaces, algorithms, documentation, and related services provided by HAICONEX SYSTEMS, LLC (HAICONEX) as a cloud-hosted software-as-a-service (SaaS).
- "Company," "we," "us," or "our": HAICONEX, the entity that owns and operates HAI.
- "User," "you," or "your": Any individual who accesses or uses the Service, including both Physician Users and Patient Users.
- "Physician User": A licensed healthcare professional who uses HAI for clinical decision support in the diagnosis and treatment of patients.
- "Patient User": An individual who creates an account to manage their health profile, share case information with Physician Users, and view diagnostic results generated through the Service.
- "Protected Health Information (PHI)": As defined under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its implementing regulations (45 C.F.R. Parts 160 and 164), any individually identifiable health information that is created, received, transmitted, or maintained by the Service and that relates to the past, present, or future physical or mental health condition of an individual; the provision of healthcare to an individual; or the past, present, or future payment for the provision of healthcare to an individual.
- "Electronic Protected Health Information (ePHI)": PHI that is created, received, maintained, or transmitted in electronic form, subject to the HIPAA Security Rule (45 C.F.R. Part 164, Subparts A and C).
- "Covered Entity": As defined under HIPAA (45 C.F.R. § 160.103), a health plan, healthcare clearinghouse, or healthcare provider that transmits any health information in electronic form in connection with a transaction covered by HIPAA. Physician Users who are Covered Entities are required to execute a Business Associate Agreement with HAICONEX prior to using the Service.
- "Business Associate": As defined under HIPAA (45 C.F.R. § 160.103), a person or entity that creates, receives, maintains, or transmits PHI on behalf of a Covered Entity. HAICONEX acts as a Business Associate with respect to Physician Users who are Covered Entities.
- "Business Associate Agreement (BAA)": A written contract between HAICONEX and a Covered Entity that establishes the permitted and required uses and disclosures of PHI by HAICONEX as a Business Associate, in accordance with HIPAA (45 C.F.R. § 164.504(e)).
- "Security Incident": As defined under the HIPAA Security Rule (45 C.F.R. § 164.304), the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system that processes, stores, or transmits ePHI.
- "Breach": As defined under the HIPAA Breach Notification Rule (45 C.F.R. § 164.402), the acquisition, access, use, or disclosure of PHI in a manner not permitted by the HIPAA Privacy Rule that compromises the security or privacy of the PHI, unless an exception under 45 C.F.R. § 164.402 applies.
- "De-Identified Data": Health information that has been de-identified in accordance with the standards set forth in 45 C.F.R. § 164.514(b)(1) (Expert Determination Method) or 45 C.F.R. § 164.514(b)(2) (Safe Harbor Method), such that it no longer constitutes PHI under HIPAA.
- "Subprocessor": Any third-party service provider engaged by HAICONEX that processes ePHI or other User data on HAICONEX's behalf in connection with the delivery of the Service.
- "Clinical Decision Support (CDS)": The primary function of HAI — providing evidence-based diagnostic reasoning, test recommendations, and differential diagnoses to assist Physician Users in their clinical judgment.
- "Virtual Doctor Panel": HAI's AI-driven diagnostic reasoning system, which simulates a panel of specialist perspectives through a chain-of-debate methodology to produce diagnostic recommendations.
- "Diagnostic Session" or "Case": A single instance of clinical reasoning conducted through HAI, initiated by a Physician User, encompassing all rounds of panel deliberation, test recommendations, and diagnostic outputs.
- "Operational Mode": The configuration under which a Diagnostic Session runs, determining the scope of questions, tests, and cost tracking (including Instant Answer, Question Only, Budgeted, No Budget, and Ensemble modes).
- "SOC 2": The System and Organization Controls 2 framework, developed by the American Institute of Certified Public Accountants (AICPA), which defines criteria for managing customer data based on the Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy.
- "Trust Services Criteria (TSC)": The AICPA-defined criteria against which HAICONEX's controls are evaluated for SOC 2 compliance, including the five principles of Security, Availability, Processing Integrity, Confidentiality, and Privacy.
2. License Grant
2.1. Grant of License. Subject to the terms and conditions of this Agreement, HAICONEX grants you a limited, non-exclusive, non-transferable, non-sublicensable, revocable license to access and use HAI through the cloud-hosted platform for its intended purpose as a clinical decision support tool.
2.2. SaaS Delivery. HAI is provided as a cloud-hosted service. No software is installed on your local systems. All processing, storage, and computation occur on infrastructure managed by HAICONEX or its authorized hosting providers.
2.3. Scope of License
This license permits you to:
- Access the Service through supported web browsers and client applications
- Create, manage, and participate in Diagnostic Sessions within your authorized role
- Export your own data as permitted by the Service's functionality
2.4. Restrictions
You may not:
- Copy, modify, distribute, sell, lease, or sublicense any part of the Service
- Reverse engineer, decompile, disassemble, or otherwise attempt to derive the source code of the Service
- Access the Service through any automated means (bots, scrapers, crawlers) except through authorized APIs
- Remove, alter, or obscure any proprietary notices, labels, or marks on the Service
- Use the Service to build a competing product or service
3. User Eligibility and Roles
3.1. Physician Users
To register as a Physician User, you must:
- Hold a current, valid, and unrestricted medical license in your jurisdiction of practice
- Provide accurate professional credentials, including your medical license number and specialty
- Maintain your licensure in good standing throughout your use of the Service
- Use the Service only within the scope of your professional qualifications
HAICONEX reserves the right to verify professional credentials and to suspend or terminate access if credentials are found to be invalid, expired, or misrepresented.
3.2. Patient Users
To register as a Patient User, you must:
- Be at least eighteen (18) years of age, or have the consent and supervision of a parent or legal guardian
- Provide accurate personal and health information
- Understand that HAI is a clinical decision support tool used by your physician and is not a substitute for direct medical care
3.3. Individual Registration
HAI is offered directly to individual Physician Users and Patient Users. Each user must register for their own account and independently agree to this Agreement. There is no institutional or organizational account tier at this time.
3.4. Future Institutional Access
HAICONEX may introduce institutional or organizational access in the future. If and when institutional access becomes available, additional terms governing institutional responsibilities, administrator roles, and organizational billing will be published as an addendum to this Agreement.
4. Permitted Use
4.1. Clinical Decision Support Only. HAI is designed and licensed exclusively as a clinical decision support tool. It assists Physician Users by providing evidence-based diagnostic reasoning, differential diagnoses, test recommendations, and cost estimates.
4.2. Supplementary to Professional Judgment. HAI's outputs are intended to supplement — never replace — the independent professional judgment of a licensed physician. The Physician User retains full authority and responsibility for all clinical decisions, including but not limited to:
- Accepting, modifying, or rejecting diagnostic suggestions
- Ordering or declining recommended tests
- Determining the final diagnosis and treatment plan
- Communicating findings and recommendations to patients
4.3. Patient User Interactions
Patient Users may use the Service to:
- Create and maintain a personal health profile (demographics, medical history, allergies, medications, conditions, family history)
- Share case information with their Physician User via time-limited, secure sharing tokens
- Review diagnostic reasoning and results as made available by their Physician User
- Approve or decline profile suggestions generated during Diagnostic Sessions
4.4. Operational Modes. Physician Users may select from available Operational Modes for each Diagnostic Session. Each mode defines the scope of diagnostic activity (questions, tests, cost constraints). Users agree to operate within the parameters of the selected mode.
4.5. Minimum Necessary Standard. In accordance with the HIPAA Minimum Necessary Standard (45 C.F.R. § 164.502(b)), Physician Users agree to access, use, and request only the minimum amount of PHI reasonably necessary to accomplish the intended clinical purpose of each Diagnostic Session. Users must not input PHI beyond what is clinically relevant to the case under review.
5. Prohibited Use
You agree not to use HAI for any of the following purposes:
5.1. Emergency Reliance. Do not use HAI as the sole or primary decision-making tool in medical emergencies. HAI is not designed for real-time emergency triage. In emergency situations, follow established emergency protocols and seek immediate in-person medical attention.
5.2. Autonomous Diagnosis. Do not use HAI to generate diagnoses without physician review and oversight. All diagnostic outputs require review by a licensed Physician User before any clinical action is taken.
5.3. Unauthorized Access. Do not access another user's account, Diagnostic Session, or health data without proper authorization. Case sharing between Patient Users and Physician Users must occur through the Service's designated sharing mechanism.
5.4. Data Misuse
Do not:
- Extract, scrape, or harvest data from the Service for purposes unrelated to your authorized use
- Use patient health information for marketing, advertising, or any purpose not directly related to clinical care
- Share, transmit, or disclose PHI in violation of applicable law, including HIPAA, the HITECH Act, or applicable state privacy laws
- Input PHI into the Service in excess of what is minimally necessary for the stated clinical purpose
5.5. Resale and Redistribution. Do not resell, redistribute, or commercially exploit access to the Service or its outputs without express written permission from HAICONEX.
5.6. Circumvention. Do not attempt to circumvent, disable, or interfere with security features, access controls, audit logging mechanisms, usage limits, or cost safeguards built into the Service.
5.7. Unsupported Jurisdictions. Do not use the Service in jurisdictions where its use would violate local medical practice regulations, data protection laws, or licensing requirements.
5.8. Unauthorized PHI Disclosure. Do not disclose or make accessible any PHI processed through the Service to any third party not authorized under the applicable BAA or this Agreement, including any downstream system, application, or service not approved by HAICONEX.
6. Clinical Disclaimers
6.1. Not a Medical Device. HAI is a clinical decision support tool of the kind described in the U.S. Food and Drug Administration (FDA) guidance on Clinical Decision Support Software. It is intended to assist healthcare professionals by providing information and recommendations. HAI does not independently diagnose, treat, or prescribe. HAI falls within the statutory exclusion for certain clinical decision support software in 21 U.S.C. § 360j(o)(1)(E) and is therefore not a medical device under 21 U.S.C. § 321(h), because it is intended for use by licensed healthcare professionals who can independently review the basis for its recommendations rather than relying primarily on them.
6.2. No Guarantee of Accuracy. While HAI employs evidence-based reasoning, Bayesian analysis, medical knowledge graphs, and clinical literature retrieval to generate its outputs, HAICONEX does not warrant that:
- Diagnostic suggestions will be accurate, complete, or applicable to every clinical scenario
- Test recommendations will be optimal for every patient
- Cost estimates will reflect actual charges at any specific healthcare facility
- The system will identify every relevant diagnosis or risk factor
6.3. Physician Authority. The Physician User is and remains the sole decision-maker for all clinical actions. HAI's Virtual Doctor Panel provides structured reasoning and recommendations, but the treating physician's independent judgment supersedes all system outputs.
6.4. AI Limitations
HAI utilizes large language models (LLMs) and algorithmic reasoning. These technologies have inherent limitations, including but not limited to:
- Potential for generating plausible but incorrect reasoning
- Dependence on the quality and completeness of input data
- Possible gaps in medical knowledge, particularly for rare conditions or recent medical developments
- Variability in outputs based on the underlying LLM provider
6.5. No Doctor-Patient Relationship. Use of HAI does not create a doctor-patient relationship between the Patient User and HAICONEX, its affiliates, or the AI system. The doctor-patient relationship exists solely between the Patient User and their treating Physician User.
7. Intellectual Property
7.1. Company Ownership. HAICONEX retains all right, title, and interest in and to the Service, including but not limited to:
- All software, algorithms, models, and system architecture
- The Virtual Doctor Panel methodology and chain-of-debate framework
- All prompt templates, intelligence stack modules, and reasoning engines
- Trademarks, trade names, logos, and branding associated with HAI
- Documentation, specifications, and design materials
7.2. User Data Ownership. You retain all right, title, and interest in the data you provide to the Service, including patient health information, clinical inputs, and personal profile data. By using the Service, you grant HAICONEX a limited license to process this data solely to provide the Service and as described in our Privacy Policy.
7.3. Diagnostic Outputs. Diagnostic reasoning, differential diagnoses, and test recommendations generated by the Service during a Diagnostic Session are provided for the User's clinical and personal use. HAICONEX retains the right to use De-Identified Data and aggregated outputs for system improvement and research purposes, provided such use complies with applicable de-identification standards under 45 C.F.R. § 164.514.
7.4. Feedback. Any suggestions, ideas, enhancement requests, or feedback you provide regarding the Service may be used by HAICONEX without restriction or obligation to you.
8. Account and Security
8.1. Account Registration. To use the Service, you must create an account by providing accurate and complete registration information. You agree to update your information promptly if it changes.
8.2. Credential Security
You are solely responsible for:
- Maintaining the confidentiality of your login credentials
- All activities that occur under your account
- Notifying HAICONEX immediately at security@haiconex.com of any unauthorized use or suspected security breach
8.3. Authentication. The Service employs JWT-based authentication with configurable session expiration and supports multi-factor authentication (MFA). Physician Users are required to enable MFA as a condition of access. Authentication tokens are bearer credentials: anyone who holds a valid token can act as the account it was issued to. You agree not to share authentication tokens, bypass session controls, or attempt to extend sessions beyond their authorized duration.
8.4. Encryption Standards. All data transmitted between your browser or client application and the Service is encrypted in transit using Transport Layer Security (TLS) 1.2 or higher. All ePHI and sensitive User data stored within the Service is encrypted at rest using AES-256 encryption. Encryption keys are managed using industry-standard key management practices and are rotated on a defined schedule.
8.5. Audit Logging. The Service maintains comprehensive, tamper-evident audit logs of all User activity involving PHI, including logins, logouts, session initiations, PHI access events, exports, case sharing, and administrative actions. Audit logs are retained for a minimum of six (6) years in accordance with HIPAA's documentation retention requirements (45 C.F.R. §§ 164.316(b)(2)(i) and 164.530(j)) and are available to authorized HAICONEX personnel and, upon request, to Covered Entities pursuant to their BAA.
8.6. Case Sharing Security. Patient Users who share case information with Physician Users do so through time-limited sharing tokens (default: 72 hours). Users acknowledge that shared case data is accessible to the designated Physician User for the duration of the sharing token's validity. Sharing tokens cannot be reassigned to a different Physician User and expire automatically upon lapse of the validity period.
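The two properties stated in Section 8.6, that a sharing token expires automatically and cannot be reassigned to a different Physician User, follow from binding the token to a recipient and an expiry and checking both on every presentation. The following is an added illustration written for this page, not HAICONEX's code; the token format (HMAC-SHA256 over JSON claims), the claim names, and the identifiers are assumptions made for the example, and the page itself only states the properties, not how the Service implements them.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Illustrative default matching the 72-hour default stated in Section 8.6.
SHARE_TOKEN_TTL_SECONDS = 72 * 3600


class ShareTokenError(Exception):
    """Raised when a sharing token must not be honoured."""


def _b64u(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64u_dec(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_share_token(key: bytes, case_id: str, patient_id: str,
                     physician_id: str, now=None,
                     ttl: int = SHARE_TOKEN_TTL_SECONDS) -> str:
    """Issue a token that grants physician_id access to case_id until exp.

    The recipient ('aud') and expiry ('exp') are inside the signed body,
    so neither can be changed without invalidating the signature.
    """
    iat = int(now if now is not None else time.time())
    claims = {"case": case_id, "sub": patient_id, "aud": physician_id,
              "iat": iat, "exp": iat + ttl, "jti": secrets.token_hex(8)}
    body = _b64u(json.dumps(claims, sort_keys=True,
                            separators=(",", ":")).encode())
    sig = _b64u(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def verify_share_token(key: bytes, token: str,
                       presenting_physician_id: str, now=None) -> dict:
    """Return the claims only if the signature, expiry and recipient all hold."""
    parts = token.split(".")
    if len(parts) != 2:
        raise ShareTokenError("malformed")
    body, sig = parts
    # Authenticate before parsing: untrusted JSON is never decoded
    # unless the MAC over it is valid (constant-time comparison).
    expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
    try:
        presented = _b64u_dec(sig)
    except ValueError:
        raise ShareTokenError("bad signature")
    if not hmac.compare_digest(expected, presented):
        raise ShareTokenError("bad signature")
    claims = json.loads(_b64u_dec(body))
    t = int(now if now is not None else time.time())
    if t >= claims["exp"]:
        raise ShareTokenError("expired")
    # Reassignment is refused: the token names exactly one physician.
    if not hmac.compare_digest(claims["aud"].encode(),
                               presenting_physician_id.encode()):
        raise ShareTokenError("token bound to a different physician")
    return claims


def _classify(key: bytes, token: str, physician_id: str, now: int) -> str:
    try:
        verify_share_token(key, token, physician_id, now=now)
        return "ok"
    except ShareTokenError as err:
        return str(err)


def demo() -> dict:
    """Exercise the success path and each refusal path with constructed data."""
    key = secrets.token_bytes(32)          # constructed: server-side secret
    t0 = 1_700_000_000                     # constructed issue time
    tok = mint_share_token(key, "case-123", "patient-7", "dr-alice", now=t0)
    # An attacker rewrites 'aud' in the body but cannot re-sign it.
    body, sig = tok.split(".")
    forged_claims = json.loads(_b64u_dec(body))
    forged_claims["aud"] = "dr-mallory"
    forged = _b64u(json.dumps(forged_claims, sort_keys=True,
                              separators=(",", ":")).encode()) + "." + sig
    return {
        "valid": _classify(key, tok, "dr-alice", t0 + 3600),
        "expired": _classify(key, tok, "dr-alice", t0 + SHARE_TOKEN_TTL_SECONDS),
        "reassigned": _classify(key, tok, "dr-bob", t0 + 3600),
        "forged_aud": _classify(key, forged, "dr-mallory", t0 + 3600),
        "wrong_key": _classify(secrets.token_bytes(32), tok, "dr-alice", t0 + 3600),
    }


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario:>11}: {outcome}")
```

The check order matters: the signature is verified before the body is parsed, the expiry is compared against the server's clock rather than anything supplied by the client, and the recipient comparison uses a constant-time function so that neither check leaks information through timing.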
8.7. Access Termination. HAICONEX may suspend or terminate your account immediately if we reasonably believe your credentials have been compromised, a Security Incident has occurred involving your account, or your account has been used in violation of this Agreement.
9. HIPAA Compliance and Business Associate Agreement
9.1. Business Associate Agreement Requirement
Physician Users who are Covered Entities under HIPAA must execute a separate Business Associate Agreement (BAA) with HAICONEX prior to using the Service for any purpose that involves the creation, receipt, maintenance, or transmission of PHI. Use of the Service without an executed BAA, where one is required, constitutes a material breach of this Agreement and may result in immediate suspension of access.
To obtain a BAA, Physician Users who are Covered Entities must submit a request to compliance@haiconex.com. HAICONEX will provide a standard BAA within five (5) business days of a completed request. The BAA is incorporated by reference into this Agreement and governs HAICONEX's obligations as a Business Associate with respect to PHI.
9.2. HAICONEX's Obligations as Business Associate
In its capacity as a Business Associate, HAICONEX agrees to:
- Use and disclose PHI only as permitted or required by the applicable BAA and this Agreement, and as required by law
- Use appropriate safeguards — and comply with the HIPAA Security Rule (45 C.F.R. Part 164, Subpart C) with respect to ePHI — to prevent unauthorized use or disclosure of PHI
- Report to the applicable Covered Entity any Security Incident or Breach of PHI of which HAICONEX becomes aware, in accordance with Section 9.5 below
- Ensure that any Subprocessor that creates, receives, maintains, or transmits PHI on HAICONEX's behalf agrees to the same restrictions and conditions as required of HAICONEX under the BAA
- Make PHI available to Covered Entities and individuals as required to fulfill obligations under the HIPAA Privacy Rule
- Make its internal practices, books, and records available to the Secretary of Health and Human Services (HHS) for purposes of determining HIPAA compliance
- Return or destroy PHI, where feasible, upon termination of the BAA, retaining only what is required by law
9.3. Minimum Necessary Standard
HAICONEX implements technical and administrative controls to enforce the HIPAA Minimum Necessary Standard (45 C.F.R. § 164.502(b)). The Service is designed to request, collect, and process only the PHI elements that are reasonably necessary for the clinical purpose of each Diagnostic Session. Physician Users bear responsibility for ensuring that PHI inputs do not exceed what is clinically necessary, consistent with Section 4.5 of this Agreement.
9.4. Patient Rights Under HIPAA
Patient Users are entitled to exercise their rights under the HIPAA Privacy Rule with respect to PHI maintained by the Service. These rights include:
- Right of Access (45 C.F.R. § 164.524): The right to inspect and obtain a copy of PHI maintained in a designated record set. Patient Users may access their health profile and Diagnostic Session outputs directly through the Service. For additional access requests, contact privacy@haiconex.com.
- Right to Amendment (45 C.F.R. § 164.526): The right to request amendment of PHI that you believe to be inaccurate or incomplete. Amendment requests must be submitted to privacy@haiconex.com and will be processed within sixty (60) days, with a possible thirty (30)-day extension upon notice.
- Right to an Accounting of Disclosures (45 C.F.R. § 164.528): The right to receive an accounting of disclosures of PHI made by HAICONEX for purposes other than treatment, payment, and healthcare operations, covering a period of up to six (6) years prior to the request.
- Right to Request Restrictions (45 C.F.R. § 164.522): The right to request restrictions on the use and disclosure of PHI. Requests must be submitted to privacy@haiconex.com. HAICONEX is not required to agree to requested restrictions unless required by applicable law, but will consider all requests in good faith.
To exercise any of the above rights, Patient Users should contact privacy@haiconex.com. HAICONEX will respond in accordance with the applicable HIPAA timelines.
9.5. Breach Notification
HAICONEX's Notification Obligations. In the event HAICONEX discovers a Breach of PHI, HAICONEX will:
- Notify the applicable Covered Entity (Physician User) without unreasonable delay, and in no case later than sixty (60) calendar days after discovery of the Breach, as required under 45 C.F.R. § 164.410
- For Breaches affecting Patient Users who are not represented by a Covered Entity using the Service, notify affected individuals in accordance with 45 C.F.R. § 164.404
- Provide notification to the Secretary of HHS in accordance with 45 C.F.R. § 164.408
- For Breaches affecting 500 or more individuals in a state or jurisdiction, provide prompt notice to prominent media outlets in that state or jurisdiction, as required by 45 C.F.R. § 164.406
Breach notifications will include, to the extent known, the information required under 45 C.F.R. § 164.404(c), including the nature of the Breach, the PHI involved, the steps affected individuals should take, and the steps HAICONEX is taking to investigate and mitigate the Breach.
User Notification Obligations. If you become aware of any actual or suspected Breach involving PHI processed through the Service, you must notify HAICONEX immediately at security@haiconex.com and cooperate fully with HAICONEX's investigation and response.
9.6. HIPAA Security Rule Safeguards
HAICONEX implements the required administrative, physical, and technical safeguards under the HIPAA Security Rule (45 C.F.R. §§ 164.308, 164.310, 164.312) to protect the confidentiality, integrity, and availability of ePHI, including:
- Administrative Safeguards: Security management processes, assigned security responsibility, workforce training and management, information access management, security incident procedures, contingency planning, and periodic evaluation of security policies
- Physical Safeguards: Facility access controls, workstation use policies, device and media controls governing the receipt, removal, and disposal of hardware and electronic media containing ePHI
- Technical Safeguards: Access controls (unique user identification, automatic logoff, encryption), audit controls, integrity controls, and transmission security
9.7. De-Identification of Data
HAICONEX may use and disclose De-Identified Data for system improvement, research, analytics, and other lawful purposes. De-identification is performed in accordance with one of the two methods recognized by HIPAA:
- Expert Determination Method (45 C.F.R. § 164.514(b)(1)): A qualified statistical or scientific expert determines that the risk of identifying an individual is very small
- Safe Harbor Method (45 C.F.R. § 164.514(b)(2)): Eighteen (18) specified categories of identifying information are removed and HAICONEX has no actual knowledge that the remaining information could be used to identify an individual
De-Identified Data is not PHI and is not subject to the HIPAA Privacy or Security Rules.
9.8. HITECH Act Compliance
HAICONEX's obligations under this Agreement and the applicable BAA incorporate the requirements of the Health Information Technology for Economic and Clinical Health (HITECH) Act (42 U.S.C. § 17921 et seq.), including the provisions regarding:
- Notification in the case of a Breach
- Restrictions on the sale of PHI
- Accounting of disclosures for treatment, payment, and healthcare operations
- Business Associate direct liability under HIPAA, as established by the HITECH Act and the Omnibus Rule (78 Fed. Reg. 5566)
10. Data Security and SOC 2 Compliance
10.1. SOC 2 Commitment
HAICONEX is actively pursuing and committed to maintaining a SOC 2 Type II attestation, evaluated against the AICPA Trust Services Criteria (TSC). (A SOC 2 report is an independent examination report issued under AICPA attestation standards; it is not a certification.) The five TSC principles that govern HAICONEX's control environment are:
- Security: The system is protected against unauthorized access, use, or modification
- Availability: The system is available for operation and use as committed or agreed
- Processing Integrity: System processing is complete, valid, accurate, timely, and authorized
- Confidentiality: Information designated as confidential is protected as committed or agreed
- Privacy: Personal information is collected, used, retained, disclosed, and disposed of in conformity with the commitments in HAICONEX's privacy notice and applicable law
Upon request, HAICONEX will provide Users with its most current SOC 2 Type II report summary or a third-party audit attestation letter, subject to applicable non-disclosure obligations.
10.2. Security Controls
HAICONEX implements and maintains a comprehensive information security program consistent with the SOC 2 Security criterion (CC6–CC9), including:
- Encryption: TLS 1.2 or higher for all data in transit; AES-256 encryption for all data at rest, including ePHI and sensitive User data stored in databases, backups, and file storage systems
- Access Control: Role-based access control (RBAC) ensuring that access to PHI and system components is restricted to authorized individuals based on the principle of least privilege; MFA required for all Physician Users and all HAICONEX personnel with access to production systems
- Network Security: Firewall configurations, network segmentation, and intrusion detection and prevention systems to protect the Service infrastructure from unauthorized access
- Endpoint Security: Managed endpoint protection, device encryption, and mobile device management policies for HAICONEX personnel accessing production systems
- Vulnerability Management: Regular automated vulnerability scans, annual third-party penetration testing, and a defined remediation process for identified vulnerabilities, prioritized by severity
- Patch Management: Security patches for critical vulnerabilities are applied within defined timelines based on severity classification
10.3. Availability
HAICONEX targets a Service availability of 99.5% uptime, measured monthly, exclusive of scheduled maintenance windows. Scheduled maintenance is performed during low-usage periods and communicated to Users at least twenty-four (24) hours in advance via in-Service notification or email.
HAICONEX maintains business continuity and disaster recovery plans, including regular backups of all User data and ePHI, offsite backup storage, and defined recovery time objectives (RTOs) and recovery point objectives (RPOs) consistent with its SOC 2 Availability commitments. Backups are encrypted and tested periodically to verify recoverability.
10.4. Processing Integrity
The Service is designed to process User inputs completely, accurately, and as authorized. HAICONEX implements input validation, output integrity checks, and algorithmic monitoring to detect and alert on anomalous or erroneous processing. Diagnostic outputs are logged with sufficient detail to enable audit and reconstruction of the reasoning process underlying each Diagnostic Session.
10.5. Confidentiality
Information designated as confidential — including PHI, ePHI, User credentials, proprietary clinical inputs, and Diagnostic Session outputs — is protected throughout its lifecycle within the Service. HAICONEX's workforce members with access to confidential information are bound by confidentiality obligations and receive training on their responsibilities. Confidential information is not disclosed to third parties except as expressly authorized by this Agreement, the applicable BAA, or required by law.
10.6. Audit and Monitoring
HAICONEX maintains continuous monitoring of its production environment, including:
- Real-time security event monitoring and alerting through a Security Information and Event Management (SIEM) system
- Periodic review of access logs, privileged user activity, and system configuration changes
- Automated alerting on anomalous access patterns, failed authentication attempts, and unauthorized configuration changes
- Retention of security and audit logs for a minimum of six (6) years to satisfy HIPAA documentation requirements
Audit logs are protected from unauthorized modification and are available to support Breach investigations, regulatory inquiries, and User access-rights verification.
10.7. Incident Response
HAICONEX maintains a formal Security Incident Response Plan (IRP) that governs the identification, containment, eradication, recovery, and post-incident review processes for Security Incidents. The IRP includes:
- Defined roles and responsibilities for the incident response team
- Escalation thresholds for Security Incidents involving ePHI or potential Breaches
- Notification timelines consistent with HIPAA Breach Notification requirements (Section 9.5) and applicable contractual obligations
- Post-incident analysis and remediation tracking
In the event of a Security Incident, HAICONEX will prioritize containment of the incident, preserve evidence, and notify affected parties in accordance with applicable legal and contractual requirements.
10.8. Subprocessor Management
HAICONEX maintains a current list of approved Subprocessors used to deliver the Service, available to Covered Entities upon request. Before engaging any new Subprocessor that will process ePHI, HAICONEX will:
- Conduct a security and privacy assessment of the prospective Subprocessor
- Execute appropriate data processing agreements, including Business Associate Agreements where required by HIPAA
- Notify affected Covered Entities of material Subprocessor changes at least thirty (30) days in advance, providing an opportunity to object
Physician Users who are Covered Entities may obtain the current Subprocessor list by contacting compliance@haiconex.com.
10.9. Change Management
HAICONEX follows a formal change management process for modifications to systems and infrastructure that process or store ePHI, consistent with the SOC 2 Change Management criteria (CC8). Changes are reviewed, approved, tested in a non-production environment, and deployed through a controlled release process. Emergency changes follow an expedited but documented approval process. Change records are retained and available for audit review.
10.10. Risk Assessment
HAICONEX conducts and documents a comprehensive risk assessment of its information systems that create, receive, maintain, or transmit ePHI at least annually, and following material changes to the Service environment, in accordance with 45 C.F.R. § 164.308(a)(1)(ii)(A). Risk assessments identify potential threats and vulnerabilities, evaluate the likelihood and impact of identified risks, and inform remediation and risk treatment decisions.
11. Fees and Payment
11.1. Individual Subscription Model. Access to HAI is provided to individual users on a subscription basis. Physician Users and Patient Users each register and subscribe independently. Current pricing, plan details, and available features for each user type are published on HAICONEX's website and may be updated from time to time.
11.2. Operational Mode Costs. Certain Operational Modes involve cost tracking for diagnostic tests and services recommended during a session. These tracked costs represent estimated healthcare expenses and are separate from your HAI subscription fees. HAICONEX is not responsible for actual charges incurred at healthcare facilities.
11.3. Billing. Subscription fees are billed in advance on a monthly or annual basis. All fees are non-refundable except as required by applicable law or as expressly stated in your subscription plan.
11.4. Changes to Pricing. HAICONEX reserves the right to modify pricing with at least thirty (30) days' advance written notice. Continued use of the Service after a price change takes effect constitutes your acceptance of the new pricing.
12. Limitation of Liability
12.1. NO LIABILITY FOR CLINICAL OUTCOMES. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, HAICONEX SHALL NOT BE LIABLE FOR ANY CLINICAL OUTCOMES, MEDICAL DECISIONS, PATIENT INJURIES, OR ADVERSE EVENTS ARISING FROM THE USE OF OR RELIANCE ON HAI'S DIAGNOSTIC OUTPUTS, TEST RECOMMENDATIONS, OR COST ESTIMATES. THE PHYSICIAN USER ASSUMES FULL RESPONSIBILITY FOR ALL CLINICAL DECISIONS.
12.2. LIMITATION ON DAMAGES. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, HAICONEX'S TOTAL AGGREGATE LIABILITY TO YOU FOR ALL CLAIMS ARISING OUT OF OR RELATING TO THIS AGREEMENT OR THE SERVICE SHALL NOT EXCEED THE AMOUNT YOU PAID TO HAICONEX IN THE TWELVE (12) MONTHS PRECEDING THE CLAIM.
12.3. EXCLUSION OF CONSEQUENTIAL DAMAGES. IN NO EVENT SHALL HAICONEX BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES, INCLUDING BUT NOT LIMITED TO LOSS OF PROFITS, DATA, GOODWILL, OR OTHER INTANGIBLE LOSSES, REGARDLESS OF WHETHER HAICONEX HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
12.4. Exceptions. The limitations in this section do not apply to: (a) HAICONEX's obligations under applicable data protection laws, including HIPAA and the HITECH Act; (b) liability arising from HAICONEX's gross negligence or willful misconduct; (c) HAICONEX's indemnification obligations under an applicable BAA; or (d) any liability that cannot be excluded or limited under applicable law.
13. Indemnification
13.1. Your Indemnification Obligations. You agree to indemnify, defend, and hold harmless HAICONEX, its officers, directors, employees, agents, and affiliates from and against any and all claims, damages, losses, liabilities, costs, and expenses (including reasonable attorneys' fees) arising out of or relating to:
- Your use of the Service in violation of this Agreement
- Clinical decisions made based on or influenced by HAI's outputs
- Your violation of any applicable law, regulation, or professional standard, including HIPAA, the HITECH Act, or applicable state privacy laws
- Any unauthorized access to or use of the Service through your account
- Your breach of any representation or warranty made under this Agreement
13.2. Physician-Specific Indemnification
Physician Users additionally agree to indemnify HAICONEX against claims arising from:
- Failure to exercise independent professional judgment when using HAI's outputs
- Use of the Service outside the scope of the Physician User's professional qualifications or licensure
- Failure to obtain appropriate patient consent for the use of AI-assisted diagnostic tools
- Use of the Service involving PHI without an executed BAA, where one is required under HIPAA
14. Termination
14.1. Termination by You. You may terminate this Agreement at any time by closing your account through the Service or by providing written notice to HAICONEX at info@haiconex.com.
14.2. Termination by Us. HAICONEX may terminate or suspend your access to the Service immediately, without prior notice, if:
- You breach any material term of this Agreement
- Your professional credentials are revoked, suspended, or expire (Physician Users)
- We are required to do so by law or regulatory authority
- We reasonably believe your use of the Service poses a risk to patient safety, data security, or system integrity
- A Covered Entity Physician User uses the Service to process PHI without an executed BAA
14.3. Effect of Termination
Upon termination:
- Your right to access the Service ceases immediately
- HAICONEX will make your data available for export for a period of thirty (30) days following termination, after which it may be deleted in accordance with HAICONEX's data retention and secure destruction policies
- Provisions that by their nature should survive termination (including Sections 6, 7, 9, 10, 12, 13, 15, and 16) shall survive
14.4. Data Retention and Destruction After Termination
Notwithstanding termination, HAICONEX may retain De-Identified Data, and may retain audit logs and related compliance documentation for as long as required by law, including the six (6)-year retention period that HIPAA prescribes for Privacy Rule documentation (45 C.F.R. § 164.530(j)) and Security Rule documentation (45 C.F.R. § 164.316(b)(2)(i)). Upon expiration of the applicable retention period, HAICONEX will securely destroy any retained PHI and ePHI using methods that render the data unreadable and irrecoverable, consistent with NIST SP 800-88 (Guidelines for Media Sanitization) and HIPAA requirements. Upon request, HAICONEX will provide written certification of destruction to the applicable Covered Entity.
15. Governing Law
15.1. Applicable Law. This Agreement shall be governed by and construed in accordance with the laws of the State of Texas, United States, without regard to its conflict of laws provisions.
15.2. Federal Law. To the extent that federal law applies, including but not limited to HIPAA, the HITECH Act, and applicable FTC regulations, such federal law shall govern the relevant provisions of this Agreement.
15.3. International Users
If you are accessing the Service from outside the United States:
- You are responsible for compliance with all local laws applicable to your use of the Service
- You acknowledge that your data may be transferred to and processed in the United States
- Where the European Union General Data Protection Regulation (GDPR) or equivalent data protection legislation applies, the additional terms in our Privacy Policy shall govern the processing of your personal data
- Where local law provides greater protections than this Agreement, the more protective provisions shall apply
16. Dispute Resolution
16.1. Informal Resolution. Before initiating any formal dispute resolution proceedings, you agree to first contact HAICONEX at info@haiconex.com and attempt to resolve the dispute informally for a period of at least thirty (30) days.
16.2. Binding Arbitration. Any dispute, claim, or controversy arising out of or relating to this Agreement that cannot be resolved informally shall be settled by binding arbitration administered by the American Arbitration Association (AAA) under its Commercial Arbitration Rules.
16.3. Arbitration Opt-Out. You may opt out of the arbitration provision by sending written notice to info@haiconex.com within thirty (30) days of first accepting this Agreement. The notice must include your name, account identifier, and a clear statement that you wish to opt out of arbitration.
16.4. CLASS ACTION WAIVER. YOU AND HAICONEX AGREE THAT EACH PARTY MAY BRING CLAIMS AGAINST THE OTHER ONLY IN YOUR OR ITS INDIVIDUAL CAPACITY, AND NOT AS A PLAINTIFF OR CLASS MEMBER IN ANY PURPORTED CLASS, CONSOLIDATED, OR REPRESENTATIVE PROCEEDING.
16.5. Exceptions. Notwithstanding the above, either party may seek injunctive or equitable relief in any court of competent jurisdiction to protect its intellectual property rights, PHI, or ePHI, or to prevent irreparable harm.
17. Updates and Modifications
17.1. Right to Modify. HAICONEX reserves the right to modify this Agreement at any time. We will provide notice of material changes by:
- Posting the updated Agreement on the Service with a revised "Last Updated" date
- Sending notice to the email address associated with your account at least fifteen (15) days before the changes take effect
17.2. Acceptance of Changes. Your continued use of the Service after the effective date of any modifications constitutes your acceptance of the updated Agreement. If you do not agree with the changes, you must stop using the Service and terminate your account.
17.3. Service Updates. HAICONEX may update, modify, or discontinue features of the Service at any time. We will provide reasonable notice before discontinuing any material feature. Minor updates, bug fixes, and security patches may be applied without notice.
17.4. Regulatory Updates. HAICONEX will update this Agreement and its privacy, security, and data handling practices as necessary to reflect changes in applicable law, including amendments to HIPAA, the HITECH Act, AICPA Trust Services Criteria, and applicable state privacy statutes. Where regulatory changes require immediate updates, HAICONEX may modify this Agreement with less than fifteen (15) days' notice, provided that HAICONEX notifies Users as promptly as practicable.
Contact Information
For questions or concerns about this Agreement, please contact:
HAICONEX SYSTEMS, LLC
Email: info@haiconex.com
Address: Argyle, TX 76226
- For privacy and HIPAA-related inquiries: privacy@haiconex.com
- For security incidents and breach reports: security@haiconex.com
- For Business Associate Agreement requests: compliance@haiconex.com
By creating an account or using HAI, you acknowledge that you have read, understood, and agree to be bound by this End User License Agreement.
For privacy-related inquiries, contact privacy@haiconex.com or see our Privacy Policy.