Master Customer Agreement
The terms governing your organization’s subscription to and use of the SRS Web Solutions software platform — mConsent, mPayr, Zaha AI, and Caretap — including HIPAA, payment, AI, and Electronic Visit Verification provisions.
This Master Customer Agreement governs your organization’s access to and use of the SRS Web Solutions software platform. It is intended, on its adoption, to replace in full the 2023 “General Terms and Conditions and Software License.”
If you are a patient, caregiver, or other individual whose information is held in our Services by a healthcare provider or agency, this Agreement does not govern that information — please contact that organization. See our Privacy Policy for how we handle personal information.
Agreement and Acceptance
This Master Customer Agreement (this “Agreement”) is entered into by and between SRS Web Solutions, Inc., a Minnesota corporation with offices at 6885 139th LN NW, Suite 100, Ramsey, MN 55303 (“SRS,” “we,” “us,” or “our”), and the customer identified on the applicable Order Form (“Customer” or “you”). SRS and Customer are each a “Party” and together the “Parties.”
This Agreement governs Customer’s access to and use of the SRS software platform and related services, including the mConsent, mPayr, Zaha AI, and Caretap products and any other SRS product or module made available under an Order Form or Product Schedule (collectively, the “Services”).
By executing an Order Form that references this Agreement, by clicking to accept this Agreement, or by accessing or using the Services, Customer agrees to be bound by this Agreement. If the individual accepting this Agreement is doing so on behalf of an organization, that individual represents that they have authority to bind that organization, and “Customer” refers to that organization. If you do not have such authority, or do not agree to this Agreement, you must not access or use the Services.
Effective Date. This Agreement is effective as of the earliest of: (a) the effective date stated on the first Order Form referencing it; (b) the date Customer first accesses or uses the Services under this Agreement; or (c) the date Customer otherwise accepts this Agreement (the “Effective Date”).
Definitions
Capitalized terms have the meanings given where first used or as set out below.
| Term | Meaning |
|---|---|
| Affiliate | Any entity that controls, is controlled by, or is under common control with a Party, where “control” means ownership of more than 50% of voting equity or the power to direct management. |
| Authorized Users | Customer’s employees, contractors, and agents whom Customer permits to access the Services on Customer’s behalf. |
| BAA | The Business Associate Agreement between the Parties addressing Protected Health Information, as described in Section 9. |
| Beta Features | Features identified by SRS as beta, preview, evaluation, or early access, as described in Section 3.5. |
| Breach | A breach of Unsecured Protected Health Information as defined at 45 C.F.R. § 164.402, governed by the BAA and 45 C.F.R. § 164.410. |
| Business Associate | As defined at 45 C.F.R. § 160.103 under HIPAA. |
| Confidential Information | As defined in Section 8.1. |
| Covered Entity | As defined at 45 C.F.R. § 160.103 under HIPAA. |
| Customer Data | All electronic data, content, and information submitted to or processed through the Services by or on behalf of Customer or its Authorized Users, including data supplied by Customer about Customer’s patients, clients, caregivers, and personnel. Customer Data includes Protected Health Information where applicable. |
| Documentation | SRS’s then-current user guides and product documentation made available for the Services. |
| HIPAA | The Health Insurance Portability and Accountability Act of 1996, as amended (including by the HITECH Act), and its implementing regulations at 45 C.F.R. Parts 160 and 164. |
| Insurance Concierge | The eligibility and benefits verification support service described in Schedule A.2. |
| Kiosk | The front-desk kiosk hardware sold by SRS as described in Schedule A.3. |
| Mobile Device | An iPad, tablet, or other mobile device supplied by Customer and used with an SRS mobile application, as described in Schedule A.4. |
| Order Form | An ordering document, online order, or sales quote referencing this Agreement that specifies the Services, fees, and subscription term. |
| PHI | Protected Health Information as defined at 45 C.F.R. § 160.103 under HIPAA. |
| Product Schedule | A product-specific schedule attached to or incorporated into this Agreement (Schedules A–E and any future schedule), setting out terms unique to a particular Service. |
| Services | The SRS software platform and related services described in Section 1 and the applicable Order Form(s) and Product Schedule(s). |
| SRS Data | De-identified or aggregated data and datasets SRS creates, including through the processing of Customer Data, that do not identify Customer or any individual and are de-identified or aggregated in accordance with applicable law (including 45 C.F.R. § 164.514(b)), as further described in Section 7.2. As between the Parties, SRS solely and exclusively owns the SRS Data. |
| SRS IP | The Services (including without limitation the code and content of the SRS platform), all Documentation, the SRS Data, and all other software, technologies, methodologies, processes, data, information, models, algorithms, content, or other assets used by SRS to provide the Services, or otherwise related to or specific to SRS’ business, including all derivatives, modifications, enhancements, or improvements thereto, and all patent rights, trademark rights, trade secret rights, copyrights, and other intellectual property rights therein. |
| Standard Support Hours | As defined in Section 3.7(b). |
| Subscription Term | The subscription period stated on an Order Form, including renewals. |
| Third-Party System | A third-party EMR, EHR, practice management, or other system used by Customer that integrates with the Services, as described in Section 3.6. |
The Services
3.1 Provision of the Services
Subject to this Agreement and payment of applicable fees, SRS will make the Services identified on each Order Form available to Customer and its Authorized Users during the Subscription Term for Customer’s internal business and clinical-operations use.
3.2 Order Forms and Product Schedules
Each Order Form is governed by this Agreement and the applicable Product Schedule(s). In the event of a conflict, the order of precedence is: (a) the BAA, with respect to PHI; (b) the applicable Product Schedule, with respect to that product; (c) the Order Form, with respect to commercial terms; and (d) this Agreement. A signed Order Form prevails over conflicting clickthrough terms only where it expressly references the provision being modified. SRS may make additional products or modules available under a Product Schedule. A future applicable Product Schedule becomes effective when Customer orders the applicable product on an Order Form, or when Customer first uses the product.
3.3 Service Changes
SRS may modify, enhance, or discontinue features of the Services from time to time. SRS will not materially decrease the core functionality of a Service purchased by Customer during a paid Subscription Term without providing a substantially equivalent alternative or a pro-rata refund of prepaid fees for the affected Service for the remainder of that term.
3.4 Service Levels
SRS will use commercially reasonable efforts to make the Services available consistent with the support and availability commitments, if any, stated in the applicable Order Form or Product Schedule. Except where an Order Form or Product Schedule expressly states a service-level commitment with defined remedies, the Services are provided without a guaranteed uptime percentage, and scheduled maintenance, third-party outages, and force-majeure events are excluded from any availability measurement.
3.5 Beta and Evaluation Features
SRS may offer features identified as beta, preview, evaluation, or early access (“Beta Features”). Beta Features are provided AS IS, without warranty or support, may be modified or withdrawn at any time, and are excluded from any service-level or indemnity commitment. Customer should not use Beta Features with production PHI unless SRS expressly confirms in writing that the Beta Feature is covered by the BAA.
3.6 Third-Party Integrations and Data Integrity
The Services may integrate or exchange data with third-party electronic medical record (EMR), electronic health record (EHR), practice management (PMS), or other systems that Customer uses (“Third-Party Systems”). These integrations depend on interfaces, APIs, availability, data formats, and behavior controlled by the Third-Party System or its vendor, not by SRS.
Customer is responsible for the accuracy, completeness, and integrity of the data in its Third-Party Systems and for verifying that information exchanged between a Third-Party System and the Services is correct, current, and complete. Customer should monitor its integrations and reconcile critical data (including patient contact information, appointment data, and scheduling) and promptly notify SRS of any suspected sync issue. SRS processes and transmits the data it receives from a Third-Party System as configured; SRS is not responsible for errors, omissions, or outcomes caused by inaccurate, incomplete, or outdated data originating in or passed from a Third-Party System.
3.7 Support
SRS provides the following customer support during the Subscription Term:
(a) Support channels. Support is available through the channels SRS publishes from time to time, currently including email and in-product messaging, with telephone support available for Severity 1 issues. SRS may update its support channels with reasonable notice.
(b) Support hours. Standard support hours are 8:30 a.m. to 5:00 p.m. U.S. Central Time, Monday through Friday, excluding U.S. federal holidays (“Standard Support Hours”). Severity 1 issues are accepted outside Standard Support Hours through the channels SRS designates for that purpose.
(c) Severity classification and target response times. SRS will use commercially reasonable efforts to provide an initial response within the following target times:
| Severity | Description | Target initial response |
|---|---|---|
| Severity 1 | The Services are not available for substantially all users, or a critical function preventing patient care or essential operations is unusable with no reasonable workaround. | Within four (4) hours, including outside Standard Support Hours. |
| Severity 2 | A significant function is unavailable or materially degraded, but the Services remain usable in some material respect or a temporary workaround exists. | Within one (1) business day during Standard Support Hours. |
| Severity 3 | A non-critical function does not perform as documented, or a question requires substantive response. | Within three (3) business days. |
| Severity 4 | General inquiry, configuration question, or feature request. | Within five (5) business days. |
(d) Scope. Support covers SRS-built features of the Services and the Documentation. Support does not cover third-party software, third-party hardware (including the manufacturer of any Kiosk hardware under Schedule A), Customer-side configurations, Customer customizations, training beyond the Documentation, or data-entry services. SRS may, at Customer’s request and SRS’s discretion, provide such excluded services at SRS’s then-current rates.
(e) No service-level credits unless purchased. The response targets in this Section are operational commitments, not service-level commitments backed by credits or other monetary remedies. Any service-level agreement with defined credits or remedies will be stated in the applicable Order Form.
Customer Obligations and Acceptable Use
4.1 Customer Responsibilities
Customer is responsible for: (a) the accuracy, quality, and legality of Customer Data and the means by which Customer acquired it; (b) obtaining all consents, authorizations, and notices required for Customer Data to be processed through the Services, including patient notices, HIPAA authorizations where required, and any consents required under state law; (c) maintaining the confidentiality of account credentials and the acts of its Authorized Users; (d) configuring and using the Services in compliance with applicable law and the Documentation; and (e) determining whether the Services are appropriate for Customer’s regulatory environment.
4.2 Healthcare and Regulatory Compliance
Customer is and remains the healthcare provider, agency, covered entity, or other regulated party responsible for clinical, billing, and regulatory decisions. SRS is a software vendor and does not provide medical, clinical, billing, coding, legal, or compliance advice. Customer is responsible for the accuracy of claims, coding, eligibility determinations, plan-of-care decisions, and all clinical judgments, regardless of any Service feature that assists with those activities.
Exclusion-list representation. Customer represents and warrants that neither Customer, nor any of its owners, officers, directors, managing employees, or Authorized Users who deliver or bill for items or services to be reimbursed by federal or state healthcare programs, is currently (a) excluded, debarred, suspended, or otherwise ineligible to participate in federal healthcare programs under the OIG List of Excluded Individuals and Entities (LEIE) maintained at 42 U.S.C. § 1320a-7, (b) listed on the General Services Administration’s System for Award Management (SAM) excluded-parties list, or (c) subject to a pending investigation, exclusion proceeding, or sanction by the U.S. Department of Health and Human Services Office of Inspector General, a state Medicaid Fraud Control Unit, or a state licensing or program-integrity authority that would, if concluded adversely, result in exclusion. Customer will conduct ongoing screening of its workforce against these lists as required by applicable law and will promptly notify SRS in writing if Customer or any covered person becomes excluded, debarred, suspended, or subject to a pending exclusion proceeding during the term of this Agreement.
4.3 Telephone and Messaging Consent
Where Customer uses any Service to send SMS, voice, or other electronic communications to patients or other individuals, Customer is solely responsible for obtaining and maintaining all consents required under the Telephone Consumer Protection Act (TCPA), state telemarketing and call-recording laws, and carrier requirements, including prior express written consent where applicable. SRS provides tooling; Customer is the sender and the party responsible for consent and content compliance.
4.4 Prohibited Conduct
Customer will not, and will not permit any Authorized User or third party to:
- reverse engineer, decompile, or attempt to derive source code from the Services, except to the extent applicable law expressly permits despite this limitation;
- resell, sublicense, time-share, or operate the Services as a service bureau except as expressly permitted on an Order Form;
- use the Services, or any output, screen, response, behavior, or documentation of the Services, to build, develop, train, or improve any product, service, software, model, or feature that competes with or replicates the Services, including through any artificial-intelligence or machine-learning system, as further described in Section 7.3;
- benchmark the Services for a competitor or publish performance results without SRS’s consent;
- upload malicious code or interfere with the integrity or performance of the Services;
- use the Services in violation of law, including submitting false or fraudulent claims, or in a manner that would cause SRS to violate the federal Anti-Kickback Statute (42 U.S.C. § 1320a-7b), the Stark Law (42 U.S.C. § 1395nn), the False Claims Act (31 U.S.C. § 3729 et seq.), or HIPAA; or
- circumvent usage limits or access controls.
4.5 Responsibility for Authorized Users and Tools
Customer is responsible for the acts and omissions of every person and tool to which Customer provides access to the Services — including its Authorized Users, employees, contractors, consultants, agents, affiliates, and any artificial-intelligence or automation system Customer operates or directs against the Services — as if they were Customer’s own. Customer will use commercially reasonable measures to prevent the prohibited uses described in this Section 4 and will promptly notify SRS of any actual or suspected violation. Customer’s indemnity under Section 12.2(b) applies to any violation of this Section.
Fees, Billing, and Taxes
5.1 Fees
Customer will pay the fees stated on each Order Form. Unless an Order Form states otherwise, fees are quoted and payable in U.S. dollars, subscription fees are billed in advance, usage-based fees are billed in arrears, and all fees are non-cancelable and non-refundable except as expressly provided in this Agreement.
5.2 Payment Terms
Undisputed invoiced amounts are due within thirty (30) days of the invoice date unless the Order Form states otherwise. Late amounts accrue interest at the lesser of 1.5% per month or the maximum rate permitted by law. SRS may suspend the Services for non-payment of undisputed amounts after providing at least ten (10) days’ written notice and an opportunity to cure, except that SRS will not suspend access in a manner that prevents Customer from retrieving Customer Data necessary for patient care during the cure period.
5.3 Taxes
Fees are exclusive of taxes. Customer is responsible for sales, use, and similar taxes, excluding taxes on SRS’s net income. If SRS is required to collect tax for which Customer is responsible, SRS will invoice it unless Customer provides a valid exemption certificate.
5.4 Fee Changes
SRS may change fees effective upon renewal by providing notice at least thirty (30) days before the end of the then-current Subscription Term. Fee changes do not apply retroactively within a paid term.
Term, Renewal, Suspension, and Termination
6.1 Term and Renewal
This Agreement begins on the Effective Date and continues while any Order Form is in effect. Each Order Form’s Subscription Term renews for successive periods equal to the initial term unless either Party gives written notice of non-renewal at least thirty (30) days before the end of the then-current term, or the Order Form states otherwise.
6.2 Termination for Cause
Either Party may terminate this Agreement or an affected Order Form if the other Party materially breaches and fails to cure within thirty (30) days after written notice (ten (10) days for non-payment). Either Party may terminate immediately if the other becomes insolvent or subject to bankruptcy proceedings not dismissed within sixty (60) days.
6.3 Suspension of the Services
In addition to its termination rights, SRS may suspend Customer’s access to all or part of the Services, in whole or in part, on notice as reasonable under the circumstances (which may be immediate), where SRS reasonably determines that: (a) Customer is in material breach of Section 4.4 (Prohibited Conduct), Section 7.3 (Protection of SRS IP), or Section 8 (Confidentiality); (b) continued access poses a security threat to the Services, to other customers, or to SRS; (c) Customer’s use of the Services violates applicable law or could expose SRS to material legal, regulatory, or reputational harm, including any actual or suspected violation of HIPAA, the FCA, the Anti-Kickback Statute, the Stark Law, TCPA, the FTC Reviews Rule, or state-equivalent laws; (d) Customer or any covered person becomes excluded, debarred, or subject to a pending exclusion proceeding as described in Section 4.2; or (e) any payment is overdue beyond the cure period described in Section 5.2. SRS will use commercially reasonable efforts to limit the scope of any suspension to what is necessary to address the underlying issue and will, where the underlying issue can be remedied, restore access promptly upon remedy. The patient-care suspension carve-out in Section 5.2 applies only to non-payment suspensions and does not limit SRS’s rights under this Section 6.3.
6.4 Effect of Termination
Upon termination: (a) Customer’s right to access the Services ends; (b) Customer remains liable for amounts accrued before termination; and (c) each Party will return or destroy the other’s Confidential Information except as required for legal retention or as set out in the BAA for PHI.
6.5 Data Export and Return
For thirty (30) days after termination (the “Data Return Period”), SRS will make Customer Data available for export in a commercially reasonable format, or will provide reasonable export assistance at SRS’s then-current rates. After the Data Return Period, SRS may delete Customer Data in the ordinary course, subject to the BAA and applicable law and except for backups retained on a standard cycle and then deleted.
6.6 Survival
Sections concerning fees accrued, confidentiality (subject to Section 8.6), intellectual property (including the indefinite survival of Section 7.3), disclaimers, limitation of liability, indemnification, dispute resolution, and any provision that by its nature should survive, survive termination.
Intellectual Property
7.1 Customer Data
As between the Parties, Customer owns all right, title, and interest in Customer Data. Customer grants SRS a worldwide, non-exclusive license to host, process, transmit, and display Customer Data solely to provide the Services to Customer (including to improve and support the Services received by Customer), to prevent or address technical or security risks or issues, to maintain Services functionality and otherwise ensure the Services are used in accordance with this Agreement, and as otherwise permitted by the BAA and this Agreement.
7.2 SRS IP
As between the Parties, SRS owns all right, title, and interest in the SRS IP. This Agreement grants Customer only the limited, non-exclusive, non-transferable right to access and use the Services during the Subscription Term as described here, and subject to Customer’s compliance with the terms and conditions of this Agreement. No rights or other licenses are granted by implication. Customer acknowledges and agrees that, in the course of operating and performing the Services, SRS will create data or datasets, including through the processing of Customer Data (which Customer hereby authorizes), that do not identify Customer or any individual and are de-identified or aggregated in accordance with (and as those terms are defined by) applicable laws, rules, and regulations, including without limitation 45 C.F.R. § 164.514(b) (collectively, “SRS Data”). As between the Parties, SRS solely and exclusively owns all right, title, and interest in the SRS Data. If Customer provides suggestions or feedback to SRS, SRS may use such suggestions or feedback without restriction or obligation. Feedback is provided voluntarily and does not constitute the Confidential Information of Customer.
7.3 Protection of SRS IP
Customer’s compliance with the restrictions in Section 4.4 and its responsibility for Authorized Users and tools under Section 4.5 are conditions of its license to the Services. The obligations protecting the SRS IP survive termination or expiration of this Agreement indefinitely.
Confidentiality
8.1 Definition
“Confidential Information” means non-public information disclosed by one Party (“Discloser”) to the other (“Recipient”) that is marked or reasonably understood to be confidential, including pricing, the Services’ non-public features, security information, technical specifications, business strategy, employee and customer information, and Customer Data. PHI is Confidential Information and is additionally governed by the BAA, which controls in any conflict as to PHI. The details of how SRS provides its Services, and the SRS IP, are the Confidential Information of SRS.
8.2 Obligations
Recipient will: (a) use Confidential Information only to perform under, and exercise rights under, this Agreement; (b) protect Confidential Information using at least the same degree of care it uses for its own confidential information of similar sensitivity, and in no event less than reasonable care; (c) limit access to personnel and advisors who have a need to know and are bound by written or professional confidentiality obligations no less protective than this Section; and (d) not disclose Confidential Information to any third party except as expressly permitted by this Section. Recipient is responsible for any breach of this Section by its personnel or advisors.
8.3 Exclusions
Confidentiality obligations do not apply to information that, as demonstrated by Recipient’s written records: (a) is or becomes publicly available through no fault of Recipient; (b) was rightfully in Recipient’s possession without a confidentiality obligation before disclosure by Discloser; (c) is independently developed by Recipient without use of or reference to the Confidential Information; or (d) is rightfully received from a third party without a confidentiality obligation owed to Discloser.
8.4 Compelled Disclosure
Recipient may disclose Confidential Information (a) to those of its employees, vendors, service providers, consultants, advisors, investors, and other agents who Recipient has determined need to know the information for Recipient to carry out its rights and obligations under this Agreement, are bound by non-use and non-disclosure obligations at least as restrictive as those contained herein, and are prohibited from using any Confidential Information for their own commercial benefit, or (b) to the extent legally compelled by a court order, subpoena, regulatory request, or other legal process, provided that, where legally permitted, Recipient promptly notifies Discloser in writing so that Discloser may seek a protective order or other appropriate remedy, and reasonably cooperates (at Discloser’s expense) in Discloser’s efforts to limit disclosure. If a protective order is not obtained, Recipient will disclose only the portion of Confidential Information that is legally required and will use commercially reasonable efforts to obtain confidential treatment for disclosed Confidential Information.
8.5 Return or Destruction
Upon termination of this Agreement or earlier written request of Discloser, Recipient will return or destroy all Confidential Information of Discloser in its possession or control, except: (a) one copy may be retained for legal, regulatory, audit, or backup purposes subject to continuing confidentiality obligations; (b) Customer Data is governed by the Data Return Period in Section 6.5 and the BAA; and (c) information stored in routine system backups will be deleted on the next scheduled cycle.
8.6 Survival
Confidentiality obligations survive termination of this Agreement for five (5) years, except that obligations with respect to (a) Confidential Information that constitutes a trade secret under applicable law and (b) PHI continue for so long as the information remains a trade secret or PHI under applicable law.
8.7 No Implied License
Disclosure of Confidential Information does not grant Recipient any license or other right to the Discloser’s intellectual property, except as expressly granted in this Agreement.
HIPAA and Data Protection
9.1 Business Associate Relationship
To the extent SRS creates, receives, maintains, or transmits PHI on Customer’s behalf, SRS acts as a Business Associate and Customer acts as a Covered Entity or Business Associate, as applicable, under HIPAA. The Parties will enter into a Business Associate Agreement (the “BAA”) before SRS handles PHI. The BAA is incorporated into this Agreement by reference.
9.2 BAA Controls
With respect to PHI, if any term of this Agreement conflicts with the BAA, the BAA controls. With respect to all other matters, including liability allocation other than as expressly carved out below, this Agreement controls.
9.3 Subcontractors and Subprocessors
SRS may use subprocessors to provide the Services. SRS remains responsible for its subprocessors’ performance and will bind subprocessors that handle PHI to written terms no less protective than the BAA requires. SRS maintains a current list of subprocessors that handle Customer Data under a BAA and will make it available on request.
9.4 Security
SRS will maintain an information security program with administrative, physical, and technical safeguards designed to protect Customer Data, aligned with the HIPAA Security Rule where PHI is involved.
SOC 2 attestation. SRS is pursuing SOC 2 attestation of its security program and will use commercially reasonable efforts to complete a SOC 2 Type I report by December 31, 2026, covering the Security Trust Services Criterion at minimum. SRS intends to pursue a SOC 2 Type II report following completion of Type I on a timeline to be determined by SRS. Upon completion of a SOC 2 attestation, SRS will make available, on reasonable written request and subject to a customary confidentiality undertaking, a copy of its then-current SOC 2 report or an equivalent third-party security attestation. A delay in completing a SOC 2 attestation by the targeted date is not a material breach of this Agreement and does not give rise to a termination right under Section 6.2, except where SRS has discontinued the SOC 2 effort entirely without offering a substantially equivalent third-party attestation.
No security program is guaranteed to be impenetrable; SRS’s obligation is to maintain commercially reasonable, HIPAA-aligned safeguards, not to ensure an absence of all incidents.
9.5 Incident and Breach Notification
Where SRS acts as a Business Associate, SRS will notify the affected Customer of a Breach of Unsecured PHI in accordance with 45 C.F.R. § 164.410 and the BAA. For security incidents not involving PHI, SRS will notify Customer without undue delay consistent with applicable law. Notification is not an acknowledgment of fault.
9.6 State Privacy Laws and Sensitive-Program Data
HIPAA is the floor, not the ceiling, for healthcare data protection. Customer is responsible for compliance with all federal, state, and local laws applicable to its operations, in addition to HIPAA, including those that impose obligations beyond HIPAA.
State medical-information and health-data laws. Customer is responsible for compliance with state laws that protect medical information or consumer health data independently of HIPAA, including (without limitation) the California Confidentiality of Medical Information Act (CMIA), the Texas Medical Records Privacy Act, the Washington My Health My Data Act, the Nevada SB 370 consumer health data law, and similar laws in other states. Some of these laws define protected information more broadly than HIPAA, impose stricter consent and breach-notification requirements, and create private rights of action. Customer is responsible for determining which laws apply to its operations and for configuring its use of the Services accordingly.
General state consumer-privacy laws. Where Customer is subject to comprehensive state consumer-privacy laws — including the California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA), Texas Data Privacy and Security Act (TDPSA), Virginia Consumer Data Protection Act (VCDPA), Colorado Privacy Act (CPA), Connecticut Data Privacy Act (CTDPA), or analogous laws in other states — Customer is responsible for determining whether and how these laws apply to data processed through the Services, for providing required consumer notices, and for honoring consumer rights requests. Where SRS acts as a service provider, processor, or contractor under such a law, SRS will process personal information consistent with the role and the BAA where PHI is involved.
State breach notification laws. In addition to HIPAA breach notification under 45 C.F.R. § 164.410, Customer is responsible for any independent state breach-notification obligations applicable to Customer’s operations, which may impose shorter timelines, different content requirements, or different recipient lists than HIPAA.
Sensitive-Program Data. Where Customer uses the Services to process data subject to heightened federal or state protection (for example, 42 C.F.R. Part 2 substance-use-disorder records, behavioral-health records under state law, HIV/AIDS records, genetic information, or reproductive-health information under recent state laws), Customer is responsible for so configuring its use, for obtaining required consents, and for any segregation, labeling, or access-control configuration the heightened-protection regime requires. SRS will support such configurations only as expressly described in the applicable Product Schedule or Order Form.
9.7 Customer Security Obligations
Because Customer’s use of the Services is the most common point of compromise for healthcare data, Customer is responsible for maintaining sound access-control and device-security practices for all use of the Services. These obligations supplement, and do not replace, the obligations in Section 4.1 and any BAA.
Devices used with the Services. Each device Customer uses to access the Services — whether a workstation, tablet, kiosk, or other device — must be kept under appropriate password or biometric protection, must not be left unattended in a state where an unauthorized person can use the Services, and must be configured consistent with Customer’s HIPAA Security Rule obligations. Customer is responsible for the configuration, security, and management of its devices, and for any consequences of inadequate device protection.
Warranties and Disclaimers
10.1 Mutual Representations
Each Party represents and warrants that: (a) it is duly organized, validly existing, and in good standing under the laws of its jurisdiction of formation; (b) it has the full corporate or other authority to enter into and perform this Agreement, and the individual accepting this Agreement on its behalf has authority to bind it; (c) execution and performance of this Agreement do not and will not violate any other agreement binding on it or any applicable law; and (d) it will perform its obligations under this Agreement in compliance with all laws applicable to it.
10.2 Customer Representations
In addition to the mutual representations above, Customer represents and warrants that: (a) the information Customer provides to SRS in connection with onboarding, account setup, and use of the Services is and will remain accurate, current, and complete; (b) Customer holds all licenses, registrations, certifications, accreditations, and program enrollments required to lawfully deliver the services Customer provides to its patients or clients using the Services; (c) Customer has obtained, or will obtain before using the Services to process any individual’s information, all patient notices, authorizations, and consents required under HIPAA, applicable state privacy and medical-information laws, and applicable consumer-protection laws (including TCPA and CAN-SPAM where applicable); (d) the exclusion-list representation in Section 4.2 is true on the Effective Date and will remain true throughout the term, with prompt notice to SRS if it ceases to be true; and (e) Customer is not the subject of any pending or, to its knowledge, threatened material litigation, investigation, or regulatory action that would prevent Customer from performing its obligations under this Agreement.
10.3 SRS Limited Warranty
SRS warrants that, during the Subscription Term, the Services will perform materially in accordance with the Documentation under normal use. Customer’s exclusive remedy and SRS’s entire liability for breach of this warranty is for SRS to use commercially reasonable efforts to correct the non-conformity within thirty (30) days of receiving Customer’s written notice describing the issue with reasonable specificity or, if SRS cannot do so within that period, to refund prepaid fees for the non-conforming Service for the period of non-conformity. This warranty does not apply where non-conformity results from Customer’s misuse, modification, or use of the Services other than in accordance with the Documentation, or from any third-party software, hardware, or system.
10.4 Disclaimer
Limitation of Liability
11.1 Exclusion of Indirect Damages
11.2 Liability Cap
11.3 Excluded Claims
The exclusion of indirect damages and the liability cap do not apply to: (a) Customer’s payment obligations; (b) a Party’s indemnification obligations under Section 12; (c) Customer’s use of SRS IP in a manner not authorized or permitted by the terms of this Agreement; (d) a Party’s gross negligence or willful misconduct; or (e) a Party’s breach of its confidentiality obligations or, with respect to SRS, its obligations under the BAA, for which the Parties agree a separate, higher cap equal to two (2) times the fees paid or payable in the preceding twelve (12) months applies (rather than unlimited liability), except where applicable law does not permit such a limit.
11.4 Basis of the Bargain
The limitations in this Section are an essential basis of the bargain and apply even if a limited remedy fails of its essential purpose, to the maximum extent permitted by law.
Indemnification
12.1 By SRS
SRS will defend Customer against any third-party claim alleging that the Services, as provided by SRS and used in accordance with this Agreement, infringe a U.S. patent, copyright, or trademark or misappropriate a trade secret, and will indemnify Customer for amounts finally awarded or settled. SRS’s obligations do not apply to claims arising from Customer Data, Customer’s configuration or combination of the Services with non-SRS items, or use not permitted by this Agreement. If the Services become, or SRS believes may become, subject to an infringement claim, SRS may procure a right to continue use, modify the Services, or terminate the affected Service and refund prepaid unused fees.
12.2 By Customer
Customer will defend SRS against any third-party claim arising from: (a) Customer Data, including a claim that Customer Data or its processing violates law or third-party rights or lacked required consent; (b) Customer’s use of the Services in violation of law or this Agreement; (c) Customer’s clinical, billing, coding, or regulatory decisions; or (d) Customer’s communications to patients or other individuals, including TCPA, call-recording, and marketing-consent claims; and will indemnify SRS for amounts finally awarded or settled.
12.3 Procedure
The indemnified Party will promptly notify the indemnifying Party, allow the indemnifying Party to control the defense (with counsel of its choice, not settling in a manner that imposes non-indemnified liability or admission on the indemnified Party without consent), and provide reasonable cooperation. This Section states each Party’s exclusive remedy for third-party claims covered by it.
12.4 Insurance
Each Party will maintain, during the term of this Agreement and for one (1) year after termination of the last Order Form, insurance appropriate to its operations and obligations under this Agreement, including:
- SRS will maintain (a) commercial general liability insurance with limits of not less than two million U.S. dollars ($2,000,000) per occurrence and in the aggregate, and (b) cyber liability and technology errors-and-omissions insurance with combined limits of not less than two million U.S. dollars ($2,000,000) per claim and in the aggregate.
- Customer will maintain commercial general liability insurance and professional liability insurance (including medical, dental, or other professional malpractice insurance as applicable to Customer’s practice) with limits customary for Customer’s practice, profession, jurisdiction, and operations.
Either Party will provide a certificate of insurance to the other on reasonable written request. The existence, scope, or limits of insurance under this Section do not limit, reduce, or otherwise affect either Party’s liability or obligations under this Agreement, including under Section 11 and Section 12. A failure to maintain the insurance required by this Section is a breach of this Agreement but does not give rise to a separate cause of action for direct damages beyond the cost of obtaining substitute coverage.
Dispute Resolution and Arbitration
13.1 Informal Resolution
Before initiating arbitration, a Party must send a written notice of dispute and the Parties will negotiate in good faith for thirty (30) days. Many disputes can be resolved at this stage.
13.2 Binding Arbitration
Except for the Excluded Matters below, any dispute arising out of or relating to this Agreement will be resolved by final and binding arbitration administered by the American Arbitration Association (AAA) under its Commercial Arbitration Rules. The seat of arbitration is Minneapolis, Minnesota. One arbitrator will be used unless the amount in controversy exceeds $1,000,000, in which case three arbitrators will be used. Judgment on the award may be entered in any court of competent jurisdiction.
Delegation; arbitrator decides arbitrability. The arbitrator, and not any federal, state, or local court or agency, has exclusive authority to resolve any dispute relating to the interpretation, applicability, enforceability, formation, or scope of this Section 13, including any dispute about whether a particular claim is subject to arbitration and any claim that all or part of this Section 13 is void or voidable. The Parties agree that this delegation provision is an agreement to arbitrate threshold questions of arbitrability, separately enforceable under the Federal Arbitration Act.
13.3 Excluded Matters
Either Party may bring (a) an action for injunctive or equitable relief as described in Section 14.4, and (b) a claim in small-claims court if it qualifies, in each case without first arbitrating.
13.4 Class Action Waiver
13.5 Mass Arbitration Protocol
If twenty-five (25) or more demands for arbitration of a substantially similar nature are filed by or with the coordination of the same or coordinated counsel, the Parties agree the demands will be administered as a single coordinated proceeding using a bellwether process: counsel will select a small number of representative cases to be arbitrated first, the results of which will inform a negotiated or mediated resolution of the remaining cases before further individual arbitrations proceed, and limitations periods for the non-bellwether cases are tolled during this process.
13.6 Venue for Non-Arbitrable Matters
For any matter not subject to arbitration, the Parties consent to the exclusive jurisdiction of the state and federal courts located in Anoka County, Minnesota, and waive any objection to venue there.
13.7 Limitations Period
Any claim arising out of or related to this Agreement must be brought within one (1) year after the claim accrued, except where applicable law prohibits shortening the limitations period, in which case the shortest period permitted by law applies.
13.8 Governing Law
This Agreement is governed by the laws of the State of Minnesota, excluding its conflict-of-laws rules, and, for arbitrability, the Federal Arbitration Act.
General Provisions
14.1 Notices
Legal notices to SRS must be sent to legal@srswebsolutions.com and to SRS Web Solutions, Inc., Attn: Legal, 6885 139th LN NW, Suite 100, Ramsey, MN 55303. Notices to Customer may be sent to the email or address on the Order Form or in Customer’s account. Operational notices (including changes under Section 14.9) may be given by email or in-product notice.
14.2 Assignment
Neither Party may assign this Agreement without the other’s consent, except that either Party may assign it in connection with a merger, acquisition, or sale of substantially all assets. In addition, SRS may assign, transfer, or convey its rights and obligations, in whole or part, without Customer’s consent to an affiliate or in connection with a change of control, sale of equity or membership interests, reorganization, or similar corporate event. Any other attempted assignment is void.
14.3 Force Majeure
Neither Party is liable for failure or delay due to events beyond its reasonable control, including natural disaster, war, terrorism, civil unrest, labor disturbance, internet or utility failure, third-party service failure, or governmental action. Payment obligations are not excused.
14.4 Equitable Relief
Each Party acknowledges that a breach of this Agreement involving intellectual property, Confidential Information, data protection obligations, or other obligations for which monetary damages would be inadequate may cause the non-breaching Party irreparable harm. In such event, the non-breaching Party is entitled to seek temporary, preliminary, and permanent injunctive relief and other equitable relief, without the posting of bond or other security and without proof of actual damages, in addition to any other remedy available at law or in equity.
14.5 Independent Contractors
The Parties are independent contractors. This Agreement creates no partnership, joint venture, agency, or employment relationship.
14.6 No Third-Party Beneficiaries
This Agreement does not confer rights on any third party. Patients and other individuals are not third-party beneficiaries and must look to Customer, as their provider or covered entity, with respect to Customer Data.
14.7 Publicity
Neither Party will use the other’s name or marks without consent, except that SRS may identify Customer as a customer in a customer list or on its website unless Customer opts out by written notice to SRS.
14.8 Severability; Waiver; Entire Agreement
If a provision is held unenforceable, it will be modified to the minimum extent necessary and the remainder remains in effect. A waiver must be in writing. This Agreement, together with the Order Form(s), Product Schedule(s), and BAA, is the entire agreement. The terms and conditions herein, including as may be modified in the future, supersede all prior agreements on its subject matter with retroactive effect as of the Effective Date, including any previous versions of the “General Terms and Conditions” posted to the present URL.
14.9 Modifications to This Agreement
SRS may modify this Agreement from time to time. SRS will provide Customer with reasonable advance notice of any updated version of the Agreement by email to Customer’s account contact, by posting the revised Agreement to the Services-terms URL, or by in-product notice (the date such communication or posting is made, the “Change Date”).
Modifications required to comply with applicable law, address an active security threat, or correct manifest error may take effect on shorter or no notice as required, in which case Customer’s continued use after notice constitutes acceptance and Customer’s remedy, if any, is to terminate this Agreement in accordance with its terms.
mConsent — Digital Intake, Consent, Insurance Concierge, Communication
mConsent provides digital patient intake, consent capture, insurance verification (“Insurance Concierge”), appointment communication, reputation tools, front-desk kiosk hardware, and related front-office functionality for dental and medical practices.
Customer responsibilities. Customer is responsible for the content and legal sufficiency of intake and consent forms it configures or adopts, for clinical and billing decisions, and for compliance of any patient communications with TCPA and state law as described in Section 4.3.
A.1 Patient Communication, Scheduling, and Campaigns
The mConsent communication functions may include online self-scheduling, appointment reminders and confirmations, two-way patient texting, quick-fill / open-slot offers, birthday messages, hygiene and care recalls, patient reactivation outreach, and multi-message email and text campaigns. Customer configures and initiates these communications and, for all of them, Customer is the sender and the party responsible for consent, content, and legal compliance as described in Section 4.3.
Transactional vs. marketing messages. Customer is responsible for correctly classifying each communication and for obtaining the level of consent the law requires for it. Informational or transactional messages (such as confirming or reminding a patient about an existing appointment, or replying within a two-way thread the patient initiated) and marketing, promotional, recall, birthday, quick-fill, reactivation, and campaign messages are treated differently under the Telephone Consumer Protection Act (TCPA), the CAN-SPAM Act, and state law. Marketing and promotional messages generally require prior express written consent for SMS and lawful opt-out and sender-identification handling for email. Customer is solely responsible for determining which rules apply and for meeting them before any message is sent.
Campaign execution. Where campaign or reactivation outreach is set up, assisted, or executed with the involvement of SRS personnel, that assistance is operational support performed at Customer’s direction and on Customer’s recipient data and consents; it does not transfer to SRS responsibility for consent, list accuracy, message content, or compliance, all of which remain Customer’s. Customer approves the audience and content and remains the sender of record.
No guarantee of delivery or results. Message and email delivery depends on mobile carriers, messaging aggregators, email providers, registration regimes (including 10DLC and similar carrier registration), spam and content filtering, sender-reputation factors, recipient device and provider settings, and other factors outside SRS’s control. SRS does not guarantee that any message or email will be delivered, delivered without delay, delivered uncorrupted, or delivered to or opened by the intended recipient, and SRS is not responsible for communications that are filtered, blocked, throttled, delayed, or not delivered. SRS does not warrant any number of booked appointments, filled slots, reactivated or recalled patients, reduction in no-shows or cancellations, or any revenue, collections, or operational outcome from scheduling or communications. Where scheduling, reminders, recalls, or other communications depend on data synced from a third-party EMR, EHR, or practice management system, Section 3.6 (Third-Party Integrations and Data Integrity) also applies, including that SRS is not responsible for communications not sent, sent late, or sent with incomplete data, or for resulting no-shows, due to an integration interruption or inaccurate source data. Any such figures in marketing or Documentation are illustrative only and are not warranties.
A.2 Insurance Concierge — Eligibility and Benefits Verification
What Insurance Concierge is. Insurance Concierge provides eligibility and benefits verification support. This may include SRS personnel obtaining and compiling eligibility and benefits information from payers, payer portals, clearinghouses, and similar sources (collectively, “Third-Party Data Sources”) and presenting that information to Customer to assist Customer’s own front-office and billing decisions. Insurance Concierge is solely to be used by Customer for informational purposes only; it is not, and does not replace, Customer’s own verification, clinical, coverage, or billing practices, procedures, policies, decisions, or judgments. Customer remains responsible for independently confirming coverage and benefits to the extent Customer deems appropriate, for obtaining prior authorizations, for the decision to render services, and for all financial outcomes relating to claims and patient balances. Customer’s reliance on Insurance Concierge information is at Customer’s discretion and risk, subject to the limitations in this Agreement.
Information sourced from payers; not SRS-controlled. Eligibility and benefits information is generated by, and obtained from, Third-Party Data Sources. SRS does not control and is not responsible for the accuracy, completeness, timeliness, or availability of information obtained from Third-Party Data Sources, for Third-Party Data Source system errors or outages, for changes a Third-Party Data Source makes to a patient’s coverage, or for retroactive eligibility, termination, or coverage changes made by the Third-Party Data Source. Verification reflects information available at a point in time and may not reflect a patient’s actual coverage at the time services are rendered or a claim is adjudicated.
Not a guarantee of coverage or payment. A verification, eligibility check, or benefits summary provided through Insurance Concierge is an estimate and an informational aid only. It is not a guarantee or assurance that a patient is covered, that any service is a covered benefit, that any amount will be paid, or that any claim will be accepted, paid, or not later denied, downcoded, adjusted, or recouped. Coverage and payment are determined solely by the payer under the patient’s plan and applicable law.
A.3 Front-Desk Kiosk Hardware
mConsent customers may purchase from SRS kiosk hardware for front-desk patient check-in and intake (a “Kiosk”). The Kiosk device is manufactured by a third party, is sold by SRS to Customer, and is delivered pre-configured with SRS software for use with mConsent.
Sale, title, and risk of loss. Each Kiosk is sold to Customer under the applicable Order Form or invoice. Title to the Kiosk hardware and risk of loss pass to Customer on delivery to the carrier (F.O.B. origin) unless the Order Form states otherwise. From the time of delivery, Customer is responsible for the Kiosk, including for its care, physical security, condition, and risk of loss, theft, or damage. All sales of Kiosk hardware are final except as required by applicable manufacturer warranty.
SRS software on the Kiosk is licensed, not sold. Although the Kiosk hardware is sold to Customer, the SRS software pre-installed on each Kiosk is licensed to Customer under this Agreement, not sold. The license is limited to use of the SRS software on the Kiosk for mConsent patient check-in, intake, and related front-desk functions in connection with Customer’s active mConsent subscription. Customer will not use the SRS software for any other purpose, will not remove, alter, copy, decompile, or reverse-engineer the SRS software except as Section 4.4 permits, and will not transfer the SRS software to a third party with or apart from the Kiosk hardware. The SRS software license is non-transferable and terminates as described in Section 6.
Replacement Kiosks. If Customer wishes to purchase a replacement or additional Kiosk through SRS, SRS will sell one at SRS’s then-current price plus shipping, subject to availability and the terms applicable at the time of order. Customer is not required to source replacement hardware from SRS and may use any hardware that meets the technical requirements SRS publishes for mConsent kiosk use, provided the SRS software is licensed for that use under this Agreement.
On termination of the SRS software license. Customer retains ownership of the Kiosk hardware after termination of this Agreement or the applicable Order Form. The SRS software license on each Kiosk terminates at the same time the underlying mConsent subscription terminates, Customer’s access to mConsent through the Kiosk ends, and Customer will, at SRS’s reasonable election, either (a) permit SRS to remotely de-provision the SRS software and any cached SRS data from the Kiosk, or (b) itself uninstall the SRS software and any cached SRS data and confirm in writing that it has done so. Customer may continue to use the Kiosk hardware for other purposes that do not involve the SRS software.
A.4 mConsent iPad App and Mobile Devices
In addition to (or in place of) Kiosk hardware, Customer may use the mConsent iPad application, or other mobile-device versions of mConsent that SRS makes available, to capture patient intake, consent signatures, and related front-desk information on an iPad or similar mobile device that Customer supplies (each, a “Mobile Device”).
Mobile Devices are Customer’s. Customer is responsible for selecting, purchasing, configuring, maintaining, and securing every Mobile Device used with the Services. SRS does not provide or warrant the Mobile Device hardware or its operating system, and any limited warranty SRS provides applies only to the SRS application and Services, not to the Mobile Device.
Where patient data lives. The mConsent iPad application is designed to transmit captured patient information to the SRS Services and not to persistently store patient information on the Mobile Device. While SRS designs the application not to retain patient data on the device beyond what is necessary for an active session, isolated transient artifacts (such as cached form data during a session, application logs, or operating-system caches) may exist on the device for short periods as part of normal application operation, and Customer should not assume the device is wholly free of patient information at any moment.
Screenshots and other OS-level capture. Modern mobile operating systems include built-in capabilities — including screenshots, screen recording, AirPlay or other screen mirroring, accessibility readouts, and clipboard operations — that allow a user with physical access to the device to capture, copy, or transmit information displayed on the screen. These capabilities are functions of the device and its operating system and are not under SRS’s control. SRS does not, and cannot, prevent a user with access to a Mobile Device from taking a screenshot of the mConsent application or otherwise capturing information displayed on the device. Customer is responsible for controlling who has physical and logical access to each Mobile Device, for configuring any available device or MDM restrictions on screen capture, and for any disclosure or misuse of information that results from screen-capture, screen-recording, mirroring, or similar OS-level features used by persons with access to a Mobile Device.
A.5 Reputation Management and Online Reviews
mConsent includes facilities that allow Customer to request reviews from patients on third-party review platforms (such as Google and Facebook), to monitor reviews of Customer that appear on those platforms, and to respond to reviews. The software is a neutral request and monitoring facility; the reviews themselves, the third-party platforms on which they appear, and any decision to invite, monitor, or respond to a review are controlled by patients, by the platforms, and by Customer respectively.
Software is neutral; SRS does not gate or generate reviews. The mConsent software does not screen, filter, or route review requests based on a practice’s expectation of patient sentiment; does not direct unhappy patients to a private feedback channel while directing satisfied patients to a public review platform; does not generate, draft, submit, edit, or alter any review on Customer’s or any patient’s behalf; and does not pay for, compensate, or incentivize reviews. The Services are not designed to produce or simulate reviews and may not be used to do so.
Patient-generated content is not SRS’s responsibility. Reviews, ratings, comments, and other content that patients post about Customer on third-party platforms are created by the patients and hosted by those platforms. SRS does not control what patients write or post, does not control how platforms display, rank, moderate, or remove reviews, and is not responsible for negative reviews, low ratings, or the consequences of patient-generated content. Customer’s recourse for content concerns lies with the patient or the platform, not with SRS.
HIPAA in review responses. Responses to public reviews can implicate HIPAA. A response that identifies an individual as a patient or that discusses care or treatment in a public review reply — even in reply to a review the patient posted publicly — may make an impermissible disclosure of Protected Health Information absent a HIPAA-compliant authorization for that disclosure. Customer is solely responsible for the content of any review response Customer posts. SRS provides the response interface; the content, accuracy, and HIPAA compliance of each response are Customer’s responsibility.
No reputation or rating outcome. SRS does not warrant any number of reviews received, any rating, any sentiment outcome, any search-result position, or any business impact from use of the reputation features. Any such figures in marketing or Documentation are illustrative only and are not warranties.
A.6 No Outcome Guarantee
Any efficiency, revenue, collections, no-show, or reimbursement figures referenced in marketing or Documentation are illustrative and are not warranties; actual results vary based on practice, payer mix, workflow, staff adoption, and other factors.
mPayr — Payments and Billing
mPayr provides payment-processing and billing tools for practices, including tools that allow Customer to configure and administer patient payment arrangements.
B.1 Payment Processing
Card and ACH transactions are processed by a third-party, PCI-DSS-validated payment processor. SRS does not store full primary account numbers or full bank account numbers. Cardholder-data protections are maintained within the processor’s PCI-compliant environment. Customer’s use of payment processing is also subject to the processor’s own terms, and Customer is responsible for entering into and complying with any agreement the processor requires.
B.2 Payment Plans Are Configured and Controlled by Customer
mPayr may allow Customer to create and administer patient payment plans, installment arrangements, or scheduled recurring payments. These are tools Customer configures and operates.
B.3 Collection, Reconciliation, and Accuracy Are Customer’s Responsibility
Customer is solely responsible for ensuring that payments owed to it are actually collected, for monitoring outstanding balances and failed, declined, returned, or missed payments, and for reviewing all transactions, payment records, and reports for accuracy and completeness. SRS does not guarantee that any payment will be successfully collected, settled, or funded, does not act as Customer’s collection agent, and is not responsible for uncollected, failed, reversed, or misapplied payments or for Customer’s reconciliation of its own books. Customer should promptly review transaction activity and notify SRS of any discrepancy.
B.4 Payment Terminals and Hardware
Any physical payment terminal, card reader, or related hardware used with mPayr is manufactured, provided, and supported by a third party and may be subject to that third party’s separate terms, warranties, and support obligations. SRS does not manufacture this hardware and does not warrant it. SRS’s limited warranty does not apply to third-party terminals or hardware, and Customer’s remedies for hardware defects are as provided by the applicable third party.
B.5 Surcharging, Fees, Chargebacks
Customer is solely responsible for the legality of any surcharge, convenience fee, or payment-term disclosure it elects to apply, including compliance with applicable state law and card-network rules. Customer is responsible for transaction disputes and chargebacks arising from Customer’s services and for maintaining records to substantiate transactions.
Zaha AI — AI-Assisted Receptionist
Zaha AI provides AI-assisted handling of inbound calls, appointment scheduling, and patient interactions for practices using automated speech recognition, natural-language processing, and large-language-model technology. Customer is responsible for configuring Zaha AI for Customer’s practice, for the content of any scripts, prompts, or knowledge base Customer provides, and for monitoring Zaha AI’s interactions to the degree appropriate to Customer’s business and legal obligations.
C.1 AI Limitations — Probabilistic Outputs
Zaha AI does not provide medical advice, clinical triage, diagnosis, treatment recommendation, prescription guidance, legal advice, billing or coverage determination, or any other professional advice or judgment, and may not be configured or used to do so. Zaha AI is not a substitute for professional clinical, legal, or financial judgment. Where Zaha AI conveys information about Customer’s services, hours, providers, insurance acceptance, pricing, or policies, it conveys information based on configurations Customer or its agents provide, and Customer is responsible for the accuracy of those configurations and for the consequences of any AI-conveyed information to patients or callers.
Zaha AI uses probabilistic models that can produce output that is incorrect, incomplete, out-of-date, biased, or fabricated (commonly called “hallucination”), even when given accurate inputs. Zaha AI may misunderstand callers, mis-transcribe speech, schedule appointments incorrectly, repeat or omit information, or generate responses that do not reflect Customer’s actual policies. Customer should not rely on any individual Zaha AI output as authoritative without human verification appropriate to the consequence of the output. Customer acknowledges that AI hallucination and inaccuracy are inherent characteristics of the underlying technology and are not defects in the Services, except to the extent the Services fail to function materially in accordance with the Documentation. SRS is not liable for how Customer or its personnel choose to use an AI-generated output, including any incorrect appointment, misstated office information, or other inaccurate conveyance to a patient or caller.
C.2 Call Recording, Consent, and Voice Data
Where Zaha AI handles voice calls, the calls may be recorded, transcribed, and stored to operate the Services, including for quality monitoring and AI processing. Customer is responsible for providing all callers appropriate notice and disclosures, and/or obtaining any consent, as required under applicable federal and state laws, including but not limited to: (a) call-recording laws in two-party-consent jurisdictions; (b) laws requiring disclosure that a caller is interacting with an AI system rather than a human; (c) the Telephone Consumer Protection Act (TCPA) and analogous state laws, including consent requirements for outbound calls placed using an artificial or prerecorded voice; and (d) biometric privacy laws (such as BIPA, CUBI, and similar state laws) to the extent voice recordings constitute biometric or voiceprint information, in each case as such laws may be amended and including any similar or successor laws. Customer is solely responsible for obtaining and documenting all required consents, honoring opt-out and do-not-call requests, and complying with any applicable notice, retention, and destruction requirements. SRS provides configurable notice tooling, but Customer determines and is responsible for the notice actually used and for all aspects of Customer’s legal compliance.
C.3 Voice Cloning, Impersonation, and Identity Protection
Zaha AI is not designed to, and SRS will not configure Zaha AI to, impersonate any specific individual’s voice (including a provider, owner, or staff member of Customer) without Customer’s and that individual’s express written consent. Customer will not use Zaha AI to impersonate any specific real person without that person’s consent, to deceive patients about the identity of the speaker, or in any manner that would violate applicable voice-cloning, deepfake, or right-of-publicity laws.
C.4 Human Oversight and Escalation
Customer is responsible for configuring appropriate escalation paths from Zaha AI to human staff for situations requiring human judgment, including clinical urgency, complaints, vulnerable callers, or callers requesting a human. Customer’s staff retain authority over, and are responsible for, all decisions affecting patient care, and Customer is responsible for human oversight of AI outcomes that could materially affect an individual.
C.5 No Outcome Guarantee
SRS does not warrant any specific resolution rate, transfer rate, booked appointment count, accuracy rate, caller-satisfaction outcome, or call-handling outcome for Zaha AI. Zaha AI performance varies based on call volume, accent and dialect distribution, audio quality, network conditions, language complexity, configuration, and other factors. Any such figures referenced in marketing or Documentation are illustrative only and are not warranties.
iCoreConnect e-Prescribe Integration
Integration. Certain Services may integrate with iCoreConnect, Inc. (“iCoreConnect”) to enable electronic prescribing, including electronic prescribing of controlled substances (EPCS), under a separate written agreement between SRS and iCoreConnect.
Responsibility allocation. The e-prescribing and EPCS functionality, including identity-proofing, two-factor authentication, DEA/EPCS regulatory compliance of the prescribing module, and certification, is provided by iCoreConnect and is iCoreConnect’s responsibility. SRS provides the integration only. Customer’s use of e-prescribing may be subject to iCoreConnect’s end-user terms, and Customer is responsible for its prescribers’ credentialing and lawful prescribing practices.
No SRS warranty for third-party module. SRS does not warrant the iCoreConnect module and disclaims liability for it to the extent permitted by law; Customer’s remedies for the e-prescribing module are as provided by iCoreConnect.
Caretap — Community Health, Home-Care, Behavioral Health, and NEMT Operations
Caretap is an electronic health record and operations platform for community-based and home-based care, supporting personal care assistance, private-duty nursing, behavioral-health services, adult day care, group homes, and non-emergency medical transportation. Customer is solely responsible for the licensure, clinical, and regulatory aspects of its operations; SRS provides software and related operational tooling only.
E.1 Scope
Caretap may include functionality for scheduling, caregiver and staff management, plan of care and documentation, service authorization and units tracking, Electronic Visit Verification (EVV), billing and claims preparation, NEMT scheduling and trip records, behavioral-health documentation, and reporting. The functions Customer is licensed to use are stated on the applicable Order Form.
E.2 Electronic Visit Verification (EVV)
Where required by Section 12006 of the 21st Century Cures Act and applicable state Medicaid requirements, Caretap captures and transmits EVV data — including visit start and end times, service type, location, and the identities of the recipient and the caregiver — to the state’s designated aggregator or system of record at Customer’s direction and in the format and at the times the state specifies. Customer is responsible for configuring EVV in compliance with the requirements of each state Medicaid agency and aggregator in which Customer operates, for the accuracy of visit data, and for its Medicaid enrollment, service authorizations, and claims.
Location data and caregiver notice. EVV and related features collect location data from caregivers’ devices at check-in and check-out only to the extent necessary to satisfy the applicable EVV method. Customer is responsible for informing its caregivers of location collection, for obtaining any consents required under state worker-monitoring or biometric-information laws, and for complying with applicable law in collecting and using location and other workforce-monitoring data.
E.3 Personal Care Assistance, Private-Duty Nursing, and Caregiver Employment
Where Customer uses Caretap to operate personal care assistance (PCA), private-duty nursing, home-health-aide, or similar services, Customer remains the licensed home-care or home-health agency (or other licensed provider) and is solely responsible for: (a) state and Medicaid-waiver licensure and certification; (b) plan-of-care development, clinical supervision, and clinical quality; (c) caregiver qualification, training, background checks, and competency; (d) abuse, neglect, and incident reporting; (e) consumer / participant rights and grievance handling; and (f) the accuracy of all clinical documentation, service-units tracking, and Medicaid billing.
E.4 Behavioral Health Services (ARMHS, EIDBI, ABA, and Similar)
Where Customer uses Caretap to operate behavioral-health services — including Adult Rehabilitative Mental Health Services (ARMHS), Early Intensive Developmental and Behavioral Intervention (EIDBI), Applied Behavior Analysis (ABA), substance-use-disorder (SUD) services, or other mental-health, behavioral-health, or developmental-disability services — Customer remains the licensed provider and is solely responsible for behavioral-health regulatory compliance.
Licensing, scope of practice, and modality. Customer is solely responsible for: (a) all federal, state, and local licensure, certification, accreditation, and program-enrollment requirements for the services Customer delivers, including state behavioral-health licensing, ARMHS / EIDBI / ABA program-specific requirements, and supervisory requirements applicable to each provider type; (b) scope-of-practice limits for each clinician, technician, or staff member; (c) clinical-supervision documentation; and (d) the appropriateness of any service modality Customer elects to deliver, including in-person, in-home, in-community, and remote / telehealth delivery.
Telehealth, remote services, and cross-state practice. Where Customer uses Caretap to support telehealth, remote, or audio/video service delivery, Customer is solely responsible for compliance with all federal and state telehealth laws applicable to each service and to each interaction, including: provider licensure in the state where the patient is physically located at the time of service, modality requirements (audio-video vs. audio-only and any state-specific limitations), informed-consent and disclosure requirements, prescribing limits and Ryan Haight Act / DEA requirements applicable to any controlled-substance prescribing across state lines, originating-site and distant-site rules, payer-specific telehealth coverage and billing rules, and any in-person evaluation requirements imposed by federal or state law. SRS does not provide legal or licensure advice and does not determine whether a particular telehealth interaction is permissible in any jurisdiction.
E.5 Optional Billing Services
For Caretap customers that purchase Billing Services as an optional add-on identified on the applicable Order Form (the “Billing Services”), SRS will submit claims for covered services to the Minnesota Medical Assistance program through MN–ITS, to other state Medicaid systems, or to commercial insurance payers, in each case as identified on the Order Form, based on timesheets, visit records, service authorizations, and supporting documentation that Customer provides through Caretap.
Scope of Billing Services. Billing Services are limited to claims submission, rejection and denial handling as described below, and remittance reconciliation where offered on the Order Form. Billing Services do not include: (a) eligibility or benefits verification (which, where Customer purchases Insurance Concierge for a dental Service, is governed by Schedule A.2); (b) provider enrollment, credentialing, or maintenance of Customer’s Medicaid or payer enrollment; (c) clinical documentation, medical-necessity determinations, or coding decisions; (d) prior authorization or service authorization, except as a transmission function based on documentation Customer provides; (e) collections from patients or guarantors; or (f) any clinical, regulatory, tax, or legal advice. SRS personnel performing Billing Services act as Customer’s billing agent solely with respect to the limited submission function described in this Schedule, not as a co-provider, fiscal intermediary, or full-service billing company unless expressly agreed in a separate writing.
(a) maintaining current, accurate, complete, and timely service-delivery documentation, including timesheets, visit records, EVV records, plans of care, service authorizations, and supporting clinical documentation;
(b) Customer’s enrollment, licensure, certification, NPI status, taxonomy, and good standing with each payer to which claims are submitted, including the Minnesota Department of Human Services for MN–ITS submissions, and the timely renewal of all such enrollments;
(c) the accuracy, completeness, and lawfulness of all data Customer submits to SRS through Caretap (including timesheets, service codes, units, modifiers, dates of service, place of service, and supporting documentation), and the conformity of services billed to services actually delivered to eligible recipients;
(d) clinical documentation supporting medical necessity, coverage, and any prior authorization or service authorization the payer requires;
(e) coding determinations (CPT, HCPCS, ICD-10, modifiers, place-of-service), even where SRS personnel translate Customer’s clinical documentation into codes for submission, in which case Customer remains responsible for verifying that the coding accurately reflects the services delivered and the documentation supporting them;
(f) all payer-specific billing rules, including state Medicaid manuals, payer bulletins, fee schedules, taxonomy requirements, and timely-filing deadlines;
(g) promptly providing any additional documentation, clarification, or correction reasonably required to remedy a rejection or denial;
(h) investigating and remedying the underlying cause of any pattern of rejections or denials originating in Customer’s documentation, service delivery, or operations;
(i) all recoupments, repayments, refunds, post-payment-audit findings, and adjustments imposed by any payer or program-integrity authority at any time; and
(j) Customer’s own obligations under the False Claims Act, Anti-Kickback Statute, Stark Law, state Medicaid program-integrity rules, and analogous federal and state laws with respect to all claims submitted.
Submission and timing. SRS will use commercially reasonable efforts to prepare and submit claims based on the documentation Customer provides, in accordance with payer requirements and consistent with payer timely-filing rules; provided that SRS’s ability to submit timely depends on Customer providing complete and accurate documentation sufficiently in advance of applicable deadlines. Customer is responsible for monitoring its own timely-filing deadlines and is solely responsible for any claim that is denied or unrecoverable due to delayed, missing, or inaccurate documentation, including any timely-filing denial.
Rejections, denials, and resubmission. Where a claim is rejected by a clearinghouse or payer (for technical, format, or eligibility reasons before adjudication) or denied by a payer (in adjudication, for coverage, medical-necessity, documentation, or coding reasons):
- SRS will use commercially reasonable efforts to identify and communicate to Customer the reason(s) reported by the clearinghouse or payer.
- Customer is responsible for determining the actual underlying cause of the rejection or denial and for providing any additional documentation, clarification, correction, or operational remedy required to support a corrected submission.
- Upon Customer’s provision of all documentation and information SRS reasonably requires to resubmit, SRS will use commercially reasonable efforts to resubmit the corrected claim within seven (7) business days, subject to payer rules and timely-filing deadlines.
- After SRS submits a corrected claim using the documentation Customer provided, further pursuit of the claim — including appeals, reconsideration requests, level-2 reviews, and disputes with the payer — is Customer’s responsibility unless expressly agreed in a separate writing or Order Form.
(a) acceptance, adjudication, payment, or final payment amount of any claim;
(b) rejections or denials caused by inaccurate, incomplete, untimely, or unlawful documentation Customer provides, or by clinical, coverage, medical-necessity, prior-authorization, or coding decisions for which Customer is responsible;
(c) rejections or denials based on a payer’s coverage policy, fee schedule, medical-necessity determination, fee-for-service adjustment, capitation arrangement, or audit;
(d) claims not submitted, or submitted after a timely-filing deadline, because Customer did not provide required documentation in time, because Customer’s enrollment, NPI, or licensure status was inactive or non-current, or because Customer did not respond to a documentation request;
(e) recoupments, repayments, refunds, audit findings, fines, or penalties imposed by any payer, program-integrity authority, or oversight agency at any time;
(f) Customer’s failure to identify or remedy the underlying cause of rejections or denials, or any consequences of patterns of non-payment attributable to Customer’s operations; or
(g) the ultimate revenue, collection rate, denial rate, days-in-AR, or financial outcome of claims submitted.
Refusal to submit suspect claims. SRS may, in its discretion, decline to submit, suspend submission of, or where required by law report any claim that SRS reasonably believes may be false, fraudulent, unsupported by required documentation, or otherwise non-compliant with applicable law, including the False Claims Act (31 U.S.C. § 3729 et seq.) and the Anti-Kickback Statute (42 U.S.C. § 1320a-7b). Customer represents and warrants, with respect to each claim submitted through Billing Services, that the claim is supported by services actually delivered to an eligible recipient by a properly enrolled and credentialed provider, that all documentation required by applicable law and payer rules supports the claim, and that submission does not violate any federal or state law. Customer’s indemnity under Section 12.2 applies to claims arising from Customer’s representations under this Section.
Termination of Billing Services. Either Party may terminate Billing Services as a discrete Service under the applicable Order Form in accordance with Section 6. Upon termination of Billing Services: (a) SRS will use commercially reasonable efforts to complete submission of claims for which Customer has provided all required documentation before the effective date of termination; (b) Customer becomes solely responsible for all claim submission, follow-up, and appeal activity for any service delivery on or after the effective date of termination; and (c) records retention is governed by the BAA, applicable state Medicaid records-retention requirements, and Customer’s own audit-defense policies. This Section is subject to Section 10.4, Section 11, and Section 12.
E.6 Non-Emergency Medical Transportation
E.7 No Outcome Guarantee
Any figures referenced in marketing or Documentation regarding claims processed, reimbursement, no-show or missed-visit reduction, caregiver retention, EVV compliance rates, or operational outcomes from Caretap are illustrative and are not warranties; actual results vary based on agency, payer mix, workforce, service mix, state Medicaid requirements, and other factors.
How This Agreement Is Accepted
This Agreement does not require a handwritten or countersigned signature. It is a binding contract that takes effect through any of the methods described in Section 1 (Agreement and Acceptance):
- By Order Form. When an authorized representative of Customer executes or approves an Order Form that references this Agreement.
- Electronically. When Customer clicks to accept this Agreement, or accepts it through an online ordering or sign-up flow.
- By use of the Services. When Customer or its Authorized Users access or use the Services.
By doing any of the above, the individual accepting represents that they are authorized to bind Customer, and Customer agrees to be bound by this Agreement, its Product Schedules, and the BAA where applicable. The date of acceptance is the Effective Date as defined in Section 1.
We recommend Customer retain a copy of this Agreement together with its Order Form(s) for its records. The version and effective date applicable to Customer are shown at the bottom of this page and on the applicable Order Form. SRS will make prior versions available on request to legal@srswebsolutions.com.