- Terms of Service
- Acceptable Use Policy
- Payments Service Terms
- Fraud Protection Service Terms
- Terminal Service
- Partner Terms of Service
- Referral Submission Agreement
- Marketplace Terms of Service
- Voice Service Terms
- Business Associate Agreement
- Developer Terms
- Downstream BAA
- Developer Security & SLA Requirements
Terms of Service
Effective October 19, 2022Download
Table of Contents
If you are using a Podium Service on behalf of a company, organization, or other entity, then “Client” or “you” means that entity, and you are binding that entity to this Agreement. You represent and warrant that you have the legal power and authority to enter into this Agreement and that, if the Client is an entity, this Agreement is entered into by an employee, agent, or other authorized representative with all necessary authority to bind that entity to this Agreement.
This Agreement includes and hereby incorporates by reference any Subscription Documentation executed between you and Podium, as well as any policies or exhibits linked to or referenced herein. If you have entered into a separate written agreement with Podium concerning specific Services, the terms of such agreement control if there is any conflict between the terms of such agreement and these Terms. Please note that we may modify this Agreement as described in Section 16.10 below.
Other terms are defined in other Sections of this Agreement.
2.4.2. Podium Voice. If Client uses the Podium Voice, Client agrees to be bound by the Podium Voice Service Terms.
2.4.5. Podium Developer Platform. If Client uses the Podium Developer Platform, Client agrees to be bound by the Podium Developer Terms.
Podium may, from time to time, contract with a third party to facilitate certain features of the Services, including as described in Section 16.6 of this Agreement. Podium may also allow or facilitate Client to make arrangements with other third-party providers that provide products or services in connection with, but which are not included in, the Services as described in this Agreement (“Third-Party Provider(s)”). If Client elects to use any Third-Party Provider(s) or any applications, integrations, add-ons, software, code, online services, systems, and other products that are not Podium Technology (“Third-Party Products”) in connection with the Services, such Third-Party Provider(s) or Third-Party Products may make Third-Party Content available to Client and may access Client’s instance of the Services, including Client Data. Client agrees and acknowledges that use of such Third-Party Provider(s) or Third-Party Products may require Client to enter into separate terms and conditions with such third-party. Unless Podium expressly agrees otherwise in a signed writing, Podium (a) is not a party to any such terms; (b) will not be liable thereunder; (c) does not warrant or support Third-Party Providers, Third-Party Products; or Third-Party Content; and (d) disclaims all responsibility and liability for these providers and items and their access to the Services, including their modification, deletion, disclosure, or collection of Client Data. Podium is not responsible in any way for Client Data once it is transmitted, copied, or removed from the Services.
TO THE MAXIMUM EXTENT NOT PROHIBITED BY APPLICABLE LAW, IN NO EVENT WILL PODIUM OR ITS SUPPLIERS BE LIABLE FOR ANY LOSS OF USE, LOST OR INACCURATE DATA, INTERRUPTION OF BUSINESS, LOST PROFITS, COSTS OF DELAY, REPUTATIONAL HARM, OR ANY INDIRECT, SPECIAL, INCIDENTAL, COVER, RELIANCE, OR CONSEQUENTIAL DAMAGES OF ANY KIND, HOWEVER CAUSED, EVEN IF INFORMED IN ADVANCE OF THE POSSIBILITY OF SUCH DAMAGES. IN NO EVENT WILL PODIUM’S OR ITS SUPPLIERS’ TOTAL LIABILITY EXCEED IN AGGREGATE THE AMOUNT ACTUALLY PAID BY CLIENT TO PODIUM FOR THE APPLICABLE SERVICE(S) OR RELATED SERVICE(S) IN THE TWELVE (12) MONTHS PRECEDING THE CLAIM. FOR FREE ACCESS SUBSCRIPTIONS OR BETA RELEASES, PODIUM’S TOTAL LIABILITY WILL NOT EXCEED IN AGGREGATE FIFTY U.S. DOLLARS ($50.00 US). NOTWITHSTANDING THE FOREGOING, NONE OF THE LIMITATIONS IN THIS SECTION 14 EXCLUDES EITHER PARTY’S LIABILITY FOR FRAUD OR FOR DEATH OR PERSONAL INJURY TO THE EXTENT CAUSED BY A PARTY’S NEGLIGENCE. IN ADDITION, THE LAWS IN SOME JURISDICTIONS MAY NOT ALLOW SOME OF THE LIMITATIONS OF LIABILITY IN THIS SECTION. IF ANY OF THESE LAWS IS FOUND TO APPLY TO THIS AGREEMENT, THIS SECTION 14 WILL APPLY TO THE MAXIMUM EXTENT NOT PROHIBITED BY SUCH LAW. EACH PARTY ACKNOWLEDGES AND AGREES THAT THIS SECTION 14 IS A FUNDAMENTAL BASIS OF THE BARGAIN AND A REASONABLE ALLOCATION OF RISK BETWEEN THE PARTIES AND WILL SURVIVE AND APPLY TO ANY CLAIMS ARISING OUT OF OR RELATED TO THIS AGREEMENT, ANY PODIUM TECHNOLOGY, OR ANY RELATED SERVICES, REGARDLESS OF THE THEORY OF LIABILITY (CONTRACT, TORT, STRICT LIABILITY, OR OTHERWISE), EVEN IF ANY LIMITED REMEDY IN THIS AGREEMENT IS FOUND TO HAVE FAILED OF ITS ESSENTIAL PURPOSE. EACH PROVISION OF THESE TERMS THAT PROVIDES FOR A LIMITATION OF LIABILITY, DISCLAIMER OF WARRANTIES, OR EXCLUSION OF DAMAGES IS INTENDED TO AND DOES ALLOCATE THE RISKS BETWEEN THE PARTIES UNDER THESE TERMS. THIS ALLOCATION IS AN ESSENTIAL ELEMENT OF THE BASIS OF THE BARGAIN BETWEEN THE PARTIES. EACH OF THESE PROVISIONS IS SEVERABLE AND INDEPENDENT OF ALL OTHER PROVISIONS OF THESE TERMS. THE LIMITATIONS IN THIS SECTION 14 WILL APPLY EVEN IF ANY LIMITED REMEDY FAILS OF ITS ESSENTIAL PURPOSE.
If a dispute arises between the parties related to this Agreement or the Services provided therefrom, and the dispute cannot be settled through informal negotiations, the parties agree to resolve their dispute (referred to herein as “Claim(s)”) as follows:
Effective September 7, 2022Download
Table of Contents
- Through the Services.
- In email, text, and other electronic messages between you and the Services.
- Through mobile and desktop applications you download from the Services or a third-party app store, which provide dedicated non-browser-based interaction between you and the Services.
- When you interact with our advertising and applications on third-party websites and services, if those applications or advertising include links to this policy.
Furthermore, we do not control third parties' collection or use of your information to serve interest-based advertising. However, these third parties may provide you with ways to choose not to have your information collected or used in this way. You can opt out of receiving targeted ads from members of the Network Advertising Initiative (“NAI”) on the NAI's website.
You have the right to access and correct your personal information, Our Services may already provide you with functionalities to do this, but if these functionalities are not helpful, you can nevertheless exercise these rights. To do so, you can reach us at email@example.com, or by mail at:
1650 W Digital Drive
Lehi, UT 84043
The Office of the Privacy Commissioner of Canada drafted this FAQ to help you access your personal information when it is held by a business. You can also contact the Office of the Privacy Commissioner of Canada’s Information Centre:
9:00 am to 4:00 pm EST
Office of the Privacy Commissioner
30 Victoria Street
1650 W Digital Drive, Lehi, UT 84043
or via our toll-free number:
To register a complaint or concern, please refer to our dispute resolution instructions found in our Terms and Conditions.
Acceptable Use Policy
Effective October 19, 2022Download
Table of Contents
This Acceptable Use Policy (the “Policy”) sets out rules applicable to your use of the Podium Corporation, Inc. (“Podium”, “we”, “us” or “our”) Services and Podium Technology, including via our clients’ websites or platforms (the “Services”). The examples described in this Policy are not exhaustive.
This Policy should be read in conjunction with the Podium Terms of Service (“Podium Terms of Service”) (currently available at: https://legal.podium.com/#termsofservice-us) into which it is incorporated by reference. We may suspend, terminate, or take other interim action regarding your access to or use of the Services, if, in our sole judgment, we believe you, directly or indirectly, violated this Policy or authorize or help others to do so.
We may modify this Policy from time to time by posting a revised version on our Website. By using the Services, you agree to the latest version of this Policy. Any capitalized terms not defined in this Policy have the meaning set forth in the Podium Terms of Service.
General Policies/Requirements. We all expect that the messages and communications we want to send and receive will reach the intended recipient(s), unhindered by filtering or other blockers. An important step you can take to make that expectation a reality is to prevent unwanted communications by only sending messages and communications that comply with applicable laws and communications-industry guidelines/standards. To that end, all communications originating from your use of the Podium Services and Podium Technology (including but not limited to SMS, MMS, webchat, Voice, and similar messaging channels available through the Services) are subject to, and must comply with, the Podium Terms of Service, including this Policy, which sets out certain rules and/or prohibitions regarding: Consent (“opt-in”); Revocation of Consent (“opt-out”); Sender identification; Messaging Usage; Prohibited Content; Filtering Evasion; and Enforcement.
Standard Consent Requirements. Prior to sending the first message to an individual, you must obtain agreement from the message recipient to communicate with them - this is referred to as "consent." You must make clear to the individual they are agreeing to receive messages of the type you're going to send.
You need to keep a record of the consent, such as a copy of the document or form that the message recipient signed, or a timestamp of when the customer completed a sign-up flow or otherwise provided consent. This record of consent must be retained as set forth by local regulations or best practices after the end user opts out of receiving messages.
If you do not send an initial message to that individual within a reasonable period after receiving consent (or as set forth by local regulations or best practices), then you will need to reconfirm consent in the first message you send to that recipient.
The consent applies only to you, and to the specific use that the recipient has consented to. Consent can't be bought, sold, or exchanged. For example, you can't obtain the consent of message recipients by purchasing a phone list from another party. You also can't treat it as blanket consent allowing you to send messages from other brands or companies you may have, or additional messages about other uses for which you haven’t received consent.
Alternative Consent Requirements. While consent is always required and the consent requirements noted above are generally the safest path, there are two scenarios where consent can be received differently.
Contact initiated by an individual
If an individual sends a message to you, you may respond in an exchange with that individual. For example, if an individual texts your phone number asking for your hours of operation, you can respond directly to that individual, relaying your open hours. In such a case, the individual’s inbound message to you constitutes both consent and proof of consent. Remember that the consent is limited only to that particular conversation. Unless you obtain additional consent, don't send messages that are outside that conversation.
Informational content to an individual based on a prior relationship
You may send a message to an individual where you have a prior relationship, provided that individual provided their phone number to you, and has taken some action to trigger the potential communication, and has not opted out or otherwise expressed a preference to not receive messages from you.
Actions can include a button press, alert setup, appointments, or order placements. Examples of acceptable messages in these scenarios include appointment reminders, receipts, one-time passwords, order/shipping/reservation confirmations, drivers coordinating pick-up locations with riders, and repair persons confirming service call times. The message can't attempt to promote a product, convince someone to buy something, or advocate for a social cause.
Periodic Messages and Ongoing Consent.
If you intend to send messages to a recipient on an ongoing basis, you should confirm the recipient’s consent by offering them a clear reminder of how to unsubscribe from those messages using standard opt-out language (defined below). You must also respect the message recipient’s preferences in terms of frequency of contact. You also need to proactively ask individuals to reconfirm their consent as set forth by local regulations and best practices.
Identifying Yourself as the Sender
Every message you send must clearly identify you (the party that obtained the opt-in from the recipient) as the sender, except in follow-up messages of an ongoing conversation.
The initial message that you send to an individual needs to include the following language: “Reply END to unsubscribe,” or the equivalent using another standard opt-out keyword, such as STOP, STOPALL, UNSUBSCRIBE,, and QUIT.
Individuals must have the ability to revoke consent at any time by replying with a standard opt-out keyword. When an individual opts out, you may deliver one final message to confirm that the opt-out has been processed, but any subsequent messages are not allowed. An individual must once again provide consent before you can send any additional messages.
Prohibited Content. You agree that you will not use the Services, or encourage, promote, facilitate, or instruct others to use the Services, to send messages that contain, offer, promote, reference, or link to any information or content related to any of the following:
Solicitations or Advertising. Any messages, communication, promotions, advertising, or solicitations (like “spam”), including commercial advertising and informational announcements or otherwise, that are unsolicited or for which you do not have the proper consent from the intended recipient. If you are a Customer of any Podium Client, this includes using the Services to send any such message, communication, or announcement to a Podium Client or any other person or entity.
Illegal, Harmful, or Fraudulent Activities. Any activities that are illegal, that violate the rights of others, or that may be harmful to others, our operations, or reputation, including but not limited to offering, promoting, disseminating, or facilitating:
child pornography, child sexual abuse material, or other sexually exploitative content; fraudulent goods, services, schemes, or promotions;
make-money-fast or “get-rich-quick” schemes (including work-from-home programs, risk investment opportunities, ponzi and pyramid schemes);
high-risk financial services (including payday loans, short-term high-interest loans, third-party auto or mortgage loans, student loans, or cryptocurrency);
third-party lead generation services (such as companies that buy, sell, or share consumer information);
debt collection or forgiveness services (including third-party debt collection, debt consolidation, debt reduction, or credit repair programs)
illegal or regulated substances (including, but not limited to, Cannabis, CBD, or offers for (or payment transactions relating to) Prescription Drugs that cannot be sold over-the-counter);
“SHAFT” use cases (Sex, Hate, Alcohol, Firearms, Tobacco, including vaping-related activities);
phishing or pharming.
Infringing Content. Content that infringes or misappropriates the intellectual property or proprietary rights of others.
Offensive Content. Content that is harassing, defamatory, obscene, abusive, invasive of privacy, or otherwise objectionable.
Harmful Content. Content or other computer technology that may damage, interfere with, surreptitiously intercept, or expropriate any system, program, or data, or otherwise effect a security breach, including viruses, Trojan horses, worms, time bombs, or cancelbots.
Evasive Content. Content that is designed to intentionally evade filters, detection, or monitoring (see below)
Prohibited Industries. If you are using Podium’s Payment Services, you may not use the services in conjunction with any activities identified as Prohibited Industries, as defined in Podium’s Payment Service Terms.
Message Abuse; Falsification of Identity or Origin. You will not send messages using spam bots or other similar systems, alter or obscure mail headers, provide false identification, or assume a sender’s identity without the sender’s explicit permission. You will also not create a false identity or attempt to mislead others as to the identity of the sender or the origin of any data or communications.
Evasion. You may not use the Services or Podium Technology to evade Podium’s (including our subcontractor’s) or a telecommunications provider’s unwanted messaging detection and prevention mechanisms. Examples of prohibited practices include:
Content designed to evade detection. As noted above, we do not allow content which has been specifically designed to evade detection by unwanted messaging detection and prevention mechanisms. This includes intentionally misspelled words or non-standard opt-out phrases which have been specifically created with the intent to evade these mechanisms.
Snowshoeing. We do not permit snowshoeing, which is defined as spreading similar or identical messages across many phone numbers with the intent or effect of evading unwanted messaging detection and prevention mechanisms.
Use of shared public URL shorteners. Where a web address (i.e., Uniform Resource Locator (URL)) shortener is used, you should not use links that have been shortened using shared public URL shorteners like Bitly or TinyURL. If you want to include shortened URLs in your messages, we recommend using a dedicated short domain.
Reverse Engineering and Related Restrictions. You will not (a) modify or create a derivative work of the Services or any portion thereof; (b) reverse engineer, disassemble, decompile, translate, or otherwise seek to obtain or derive the source code, underlying ideas, algorithms, file formats, or non-public APIs to any Services, except to the extent expressly permitted by applicable law and then only upon advance notice to Podium; (c) break or circumvent any security measures or rate limits for the Services; or (d) remove or obscure any proprietary or other notices contained in the Services, including in any reports or output obtained from the Services.
Our Monitoring and Enforcement. We reserve the right, but do not assume the obligation, to monitor content on and sent through the Services and to investigate any violation of the Podium Terms of Service, including this Policy, or misuse of the Services. We may remove or disable access to any user, content, or resource that violates the Podium Terms of Service or this Policy or any other agreement we have with you for use of the Services. We may report any activity that we suspect violates any law or regulation to appropriate law enforcement officials, regulators, or other appropriate third parties. Our reporting may include disclosing appropriate customer information. We may also cooperate with appropriate law enforcement agencies, regulators, or other appropriate third parties to help with the investigation and prosecution of illegal conduct by providing network and systems information related to alleged violations of this Policy.
Reporting Violations. If you become aware of any violation of this Policy, you will immediately notify us and provide us with assistance, as requested, to stop or remedy the violation.
Payments Service Terms
Effective July 12, 2022Download
Table of Contents
- PAYMENT PROCESSING SERVICES
- DATA USE.
- CLIENT OBLIGATIONS.
- REQUIREMENTS, LIMITATIONS AND RESTRICTIONS
- FEES, SETTLEMENT & PAYOUT SCHEDULE
- SUSPENSION & TERMINATION
- LIMITATIONS ON PODIUM’S LIABILITY
- ADDITIONAL SERVICES
Fraud Protection Service Terms
Table of Contents
Podium Premium Fraud Protection Service Terms
By using or accessing Podium’s Payments Premium Fraud Protection Service, or by signing or clicking accept to any Subscription Documentation referencing these terms, you agree to be bound by the following terms and conditions (the “Premium Fraud Protection Service Terms”).
These Premium Fraud Protection Service Terms incorporate by this reference the Podium Terms of Service and the Podium Payments Service Terms as may be updated from time to time, which, among other terms, contains provisions governing the resolution of claims (see “Disclaimers”, “Limitations of Liability”, “Dispute Resolution”, “General”). In the event of any conflict or inconsistency between these Payments Fraud Protection Service Terms and the Podium Terms of Service or Podium Payments Service Terms, these Fraud Protection Service Terms will govern.
Capitalized terms used herein without a definition have the same meaning as the defined term in the Podium Terms of Service or the Podium Payments Service Terms. For the avoidance of doubt, all references to the “Agreement” will include these Premium Fraud Protection Service Terms.
- Premium Fraud Protection Services. If you subscribe to the Premium Fraud Protection Services, Podium’s Payment Service Provider will review all Orders placed through the Payments Service and you will be provided with an approve or decline recommendation. Where you have been provided an approval notice and you have fulfilled the Order and such Order is subject to a chargeback pursuant to the defined reason codes set out below (“Reason Codes”), Podium will provide the Premium Fraud Protection Guarantee (as defined below). For the avoidance of doubt, if you subscribe to the Premium Fraud Protection Service you must submit all Orders placed through the Payments Service for review. Any Orders not submitted through the Payments Service under an active and valid Premium Fraud Protection Services subscription are not subject to the Premium Fraud Protection Guarantee. The Premium Fraud Protection Service is available only to Clients in the Premium Fraud Protection Territory.
- Premium Fraud Protection Guarantee - Generally. Your sole and exclusive remedy for an Order covered by the Premium Fraud Protection Service will be the payment by Podium of liquidated damages in an amount of the Premium Fraud Protection Guarantee. The Premium Fraud Protection Guarantee amount (i) will be the lower of: (a) the original Order value and (b) the amount stated in the original chargeback notice submitted for review under the Premium Fraud Protection Services (e.g., to reflect any changes in the order value after it was approved by Podium), (ii) will exclude the fees charged for review of such Order and (iii) will be reduced by any amounts recovered by you for such Order and (iv) will exclude any fees incurred by you in relation to such chargeback (e.g., from the payment processor) (the “Premium Fraud Protection Guarantee”).
- Crediting Process. If applicable, Podium will provide reimbursement for amounts owed to you pursuant to the Premium Fraud Protection Guarantee on a monthly basis, as a credit to your account (e.g., chargeback amounts for March would be set off from the payment owed by you to Podium in the April invoice). Following termination or expiration of your applicable Subscription Documentation, Podium shall provide reimbursement via wire transfer in the event the reimbursement amount exceeds the fees owed by you to Podium.
- Required Documentation. If requested by Podium, you must submit the following documents for an Order to be covered by the Premium Fraud Protection Guarantee:
- A copy of the original chargeback notification, which must include the following: (i) a chargeback reason or reason code, (ii) the original order date and order amount, (iii) for orders in which the Customer used a credit card to place the order, the notice must include the first six (6) and last four (4) digits of the credit card, and (iv) if the order was placed using an alternative payment method (e.g. PayPal) the notice must include the customer’s name and customer email.
- For orders of tangible goods, you will, if and where available, provide Podium with a proof of delivery in one of two formats: a copy of the shipping form (as provided by the shipping company) containing the delivery address, reroute information, date of delivery and the parcel delivery status; or a valid tracking number from a shipping company.
- Any other documents that Podium or the Payment Service Provider reasonably requires
- Excluded Orders. The following orders are not covered by the Premium Fraud Protection Guarantee.
- Not Approved. The order did not result in Payment Service Provider providing an approval notice.
- Not Fraud Related. The chargeback reason is other than a reason code set out herein.
- Chargeback Notice / Order Mismatch. The information in the chargeback notice does not match the information in the original order.
- Delivery. Tangible goods delivered to an address other than the shipping address set out in the original order.
- Late Submission of Chargeback. The chargeback was submitted to Podium for reimbursement more than three (3) days after the chargeback notice issuance date or if the date of the chargeback notice is before the order shipping date.
- Eligibility Period. The Premium Fraud Protection Guarantee shall be valid for a period of six (6) months from the date of the approval notice.
- Disputing Party. Orders for which Client does not make Payment Service Provider the first and primary point of contact for disputing the chargeback through Client’s payment gateway and/or bank.
- Reclamation of Goods by Client. Order for which Client is successful in reclaiming the goods. In such case, the Premium Fraud Protection Guarantee amount will be limited to the order shipping costs.
- Failure to Provide Notice. Podium reserves the right to decline to reimburse for chargebacks if Client fails to timely comply with its notice obligations or any other terms herein.
- Prohibited Businesses. Orders related to a Prohibited Business.
- Order Review. You may, in your sole discretion, approve or reject an Order. Podium may choose not to review a Submitted Order if (i) the Order was already fulfilled by you; (ii) more than one (1) week has passed since the Order was created; (iii) the Client Data or a portion thereof does not meet the standards set by the Payment Service Provider; (iv) the Order contains data related to Prohibited Industries; or (v) the Order does not include a physical product or is an order for services.
- Reason Codes. Payment Service Provider covers any and all chargebacks that are of card-not-present “unauthorized credit card use”. The below Reason Codes will be deemed to be automatically updated, without amendment hereto, to reflect changes made by the credit card networks and will automatically apply to the Premium Fraud Protection Service as of the date of such change.
- 10.1: EMV Liability Shift Counterfeit Fraud (Online Only)
- 10.4: Other Fraud – Card Absent Environment
- 4837/37: Fraud Transaction No Cardholder Authorization
- 4840/40: Fraudulent Processing of Transactions
- 4863/63: Cardholder Does Not Recognize Potential Fraud
- FR2: Fraudulent Transaction
- F29: Fraudulent Transaction – Card-Not-Present
- UA02: Fraud Card-Not-Present Transaction
- AA: Transaction Does Not Recognize
- 7030: Unauthorized purchase
Table of Contents
By using Podium’s Terminal Service (as defined below), or by signing or clicking accept to any Subscription Documentation referencing these terms, you agree to be bound by the following terms and conditions (the “Terminal Terms”).
These Terminal Terms incorporate by this reference the Podium Terms of Service and Podium Payments Service Terms, as may be updated from time to time. Capitalized terms used herein without a definition have the same meaning as the defined term in the Podium Terms of Service and/or Podium Payments Service Terms. For the avoidance of doubt, all references to the “Agreement” will include these Terminal Terms. In the event of any conflict or inconsistency between these Terminal Terms and the Podium Terms of Service, these Terminal Terms will govern but solely with respect to the Terminal Services.
- TERMINAL SERVICES.
- PURCHASE OF THE TERMINAL PRODUCT
- USE OF THE TERMINAL PRODUCTS
- SOFTWARE TERMS
- OWNERSHIP AND RIGHTS These Terminal Terms do not grant any rights or licenses in the Terminal Services, Terminal Products, or Software other than as expressly stated in these Terminal Terms. As between the parties, Podium owns all right, title and interest, including all intellectual property rights, in and to the Terminal Services, Terminal Products and Software. All rights not expressly granted are reserved.
- BETA OR PRE-RELEASE VERSIONS Podium may from time to time provide Client with versions of the Terminal Services and/or Terminal Products that are identified by Podium as “pre-release” or “beta” (“Pre-release Versions”). Podium hereby grants Client, subject to the additional license restrictions set forth in Sections 2 and 3, which will apply to the Pre-release Versions as if they were Terminal Services and Terminal Products, a limited, non-transferable, non-exclusive, revocable license, without the right to sublicense, to use such Pre-release Versions for the sole purpose of testing and evaluation. NOTWITHSTANDING ANYTHING TO THE CONTRARY CONTAINED IN THESE TERMINAL TERMS, ALL PRE-RELEASE VERSIONS ARE PROVIDED “AS IS,” WITHOUT ANY WARRANTIES, EXPRESS, IMPLIED, OR OTHERWISE (INCLUDING WITHOUT LIMITATION THE LIMITED HARDWARE WARRANTY PROVIDED HEREIN) AND PODIUM DISCLAIMS ANY IMPLIED REPRESENTATIONS, WARRANTIES, AND CONDITIONS WITH RESPECT TO THE TERMINAL PRODUCTS, INCLUDING WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, QUIET ENJOYMENT, SATISFACTORY QUALITY AND NON-INFRINGEMENT. CLIENT ACKNOWLEDGES THAT THE PRE-RELEASE VERSIONS ARE EXPERIMENTAL, HAVE NOT BEEN GENERALLY RELEASED, MAY CONTAIN DEFECTS AND DEFICIENCIES THAT PODIUM CANNOT OR WILL NOT CORRECT, AND THAT PODIUM WILL HAVE NO OBLIGATION TO RELEASE TO CLIENT ANY OF SUCH PRE-RELEASE VERSIONS AS A FINAL PRODUCT. Client assumes the entire risk as to the results and performance of Pre-Release Versions. Client acknowledges that Podium has the right to adopt and use any ideas or suggestions that Client makes or gives to Podium with respect to such Pre-release Versions, permanently and throughout the world, without compensation to Client.
- LIMITED HARDWARE WARRANTY AND SUPPORT
- TERMINAL SERVICES AND TERMINAL PRODUCT DISCLAIMER THE TERMINAL SERVICES AND TERMINAL PRODUCTS ARE PROVIDED “AS IS”, “AS AVAILABLE” AND WITH ALL FAULTS. EXCEPT AS EXPRESSLY STATED IN THESE TERMINAL TERMS, PODIUM PROVIDES NO EXPRESS OR IMPLIED WARRANTIES OR CONDITIONS, AND PODIUM DISCLAIMS ANY IMPLIED REPRESENTATIONS, WARRANTIES, AND CONDITIONS WITH RESPECT TO THE TERMINAL PRODUCTS, INCLUDING WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, QUIET ENJOYMENT, SATISFACTORY QUALITY AND NON-INFRINGEMENT, AS WELL AS ANY OTHER IMPLIED WARRANTIES, SUCH AS WARRANTIES REGARDING DATA LOSS, AVAILABILITY, ACCURACY, FUNCTIONALITY AND LACK OF VIRUSES. THIS SECTION APPLIES TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, AND IN ADDITION TO ANY LIMITATIONS AND DISCLAIMERS THAT MAY BE CONTAINED IN THE PODIUM TERMS OF SERVICE AND PAYMENTS SERVICE TERMS. ANY WARRANTIES, GUARANTEES OR CONDITIONS THAT CANNOT BE DISCLAIMED AS A MATTER OF LAW, BUT WHICH MAY BE LIMITED IN DURATION, LAST FOR ONE YEAR FROM THE DATE ON WHICH YOU RECEIVE A TERMINAL PRODUCT. Use of the Terminal Products in conjunction with any other products, such as hardware accessories, may lead to incompatibilities which cause the Terminal Products to not function correctly. As a consequence, all such use is at your own risk.
- LIMITATIONS ON PODIUM’S LIABILITY. Podium is not responsible for Client’s obligations to its Customers (including properly describing and delivering the goods or services being sold to Customers). You are solely responsible for, and Podium expressly disclaims all liability for, your compliance with applicable laws and obligations related to your provision of the goods or services to your Customers. This may include providing customer service, notification and handling of refunds or Consumer complaints, provision of receipts, registering your legal entity, or other actions not related to the Podium Services (including without limitation, the Terminal Services). You agree to indemnify Podium for any losses we incur based on your failure to properly describe or deliver goods or services, or comply with your legal or contractual obligations to Payment Service Provider or your Customers.
Table of Contents
- "API Documentation" means the API documentation described at https://docs.podium.com/docs, as updated from time to time.
- "API Credentials" means the secure keys, passwords, tokens, or other credentials Podium makes available to you to allow you to access the API.
- "Application" means any application developed by you to interact with the Podium API in compliance with the terms and conditions of this Agreement.
- "Client” means a business or entity, including their Authorized Users (as that term is defined in the Podium TOS) that is a user of the Podium Platform and/or Podium Services (as that term is defined in the Podium Terms of Service). If you are a Podium Client using the Podium API on your own behalf, “Client” means you.
- “Client Agreement” means the terms or agreement entered into between you and a Client, which govern the Client’s access to and use of your Application and services if you are acting as a Developer Partner on behalf of a Client or end user and not on your own behalf.
- “Client Data” means any data, content, or other information, including but not limited to any personal information or sensitive personal information, owned by or relating to a Client or their Customers. Client Data may include Customer Data.
- “Customer” means any individual or entity that is a client, customer, or patient of a Client, or that is a potential client, customer, or patient of a Client.
- “Customer Data” means data related to the identity, characteristics, and activities of Customers, collected or submitted to or via the Podium Platform by Client or by Customer(s).
- “Developer Partner” means a partner who develops an Application or otherwise accesses, connects to, or uses the Podium APIs.
- “Developer Portal” means portal, available at https://developer.podium.com/, by which a partner may sign up to become a Developer Partner and access related materials and documentation.
- "HIPAA" means the Health Information Technology for Economic and Clinical Health Act of 2009 (the "HITECH Act"), the Administrative Simplification section of the Health Insurance Portability and Accountability Act of 1996, as codified at 42 U.S.C. §1320d through d-8, as amended from time to time, and the requirements of any regulations promulgated under either the HITECH Act or HIPAA, including, without limitation, the federal privacy regulations as contained in 45 C.F.R. Parts 160 and 164, the federal security standards as contained in 45 C.F.R. Parts 160 and 162, and the federal standards for electronic transactions contained in 45 C.F.R. Parts 160, all as may be amended from time to time.
- “Partner Terms” means the Podium Partner Program Terms and Conditions.
- "Podium API" means the Podium public application programming interface and any API Documentation or other API materials made available by Podium via Podium.com (https://www.podium.com/) including all of its related applications, dashboards, platforms, or other web locations (individually and collectively, the “Website”) or otherwise in writing. The Podium API is a Beta Service as defined in the Partner Terms.
- “Podium Data” means any data, content, or other information owned by or relating to Podium.
- "Podium Marks" means Podium's proprietary trademarks, trade names, branding, or logos made available for use in connection with the API pursuant to this Agreement.
- "Podium Platform" means Podium's software-as-a-service and Payments platform as described on the Website or other written documentation provided to you by Podium, and all related services, applications, and technology.
- “Podium Marketplace” means the mechanism by which Clients can view, access, install, and purchase (as applicable) your Application. The Podium Marketplace is currently a Beta Service (as defined in the Partner Terms.
- “Podium TOS” means the Podium Terms of Service or, with respect to Clients located in Australia, the Podium Terms of Service (AU).
- “Territory” means the United States, Canada, and Australia.
Partner Terms of Service
Table of Contents
Podium Partner Program Terms and Conditions
(b) NO ADVICE OR INFORMATION, WHETHER ORAL OR WRITTEN, OBTAINED BY YOU FROM THE SERVICES OR PODIUM ENTITIES OR ANY MATERIALS OR CONTENT AVAILABLE THROUGH THE SERVICES WILL CREATE ANY WARRANTY REGARDING ANY OF THE PODIUM ENTITIES OR THE SERVICES THAT IS NOT EXPRESSLY STATED IN THESE TERMS. PODIUM DOES NOT PROVIDE ITS PARTNERS OR CLIENTS WITH LEGAL ADVICE REGARDING DATA PRIVACY OR COMPLIANCE WITH RELEVANT LAW IN ANY JURISDICTION, AND ANY STATEMENTS MADE BY PODIUM TO ITS PARTNERS OR CLIENT(S) SHALL NOT CONSTITUTE LEGAL ADVICE. USE OF THE SERVICES DOES NOT GUARANTEE COMPLIANCE WITH APPLICABLE LAWS IN ANY JURISDICTION.
(ii) a former client that has cancelled Podium within the last 60 days,
(iii) a former or current reseller or strategic partner of Podium,
(iv) an active Podium sales opportunity with contact in the past 30 days, or
(v) a marketing lead of Podium at the time the applicable Lead is is submitted to Podium by Partner;
(ii) a former client that has cancelled Podium within the last 60 days,
(iii) a former or current reseller or strategic partner of Podium,
(iv) an active Podium sales opportunity with contact in the past 30 days, or
(v) a marketing lead of Podium at the time the applicable Lead is is submitted to Podium by Partner;
Referral Submission Agreement
Table of Contents
These Podium Referral Submission Terms (these “Terms”) govern your participation in the Podium Referral Program. By submitting a Lead, you (“Referrer” or “you”) agree to these Terms (these “Terms”), which are an agreement between you and Podium Corporation, Inc., a Delaware corporation (“Podium“) and which are incorporated by this reference into the Podium Terms of Service. Podium reserves the right to amend the Terms from time to time at its discretion. Any capitalized terms not defined herein will have the definition given in the Podium Terms of Service.
1. Violate the intellectual property rights of Referral Podium
Marketplace Terms of Service
Table of Contents
Podium Marketplace Terms of Service
Podium Corporation, Inc. (“Podium”) owns and operates an internet-based marketplace that enables users of the Services (as defined below) to browse, install, purchase (as applicable), and manage subscriptions to Apps, and to access applications purchased or installed in this manner through a single sign on system (the “Marketplace”). By using, installing, or accessing the Marketplace or Apps (as defined below), by signing or clicking to accept these terms or any Subscription Documentation (as defined below) referencing these terms, you agree to be bound by the following terms (the “Marketplace Terms”). To use the Marketplace and any Apps, you must have a current Subscription to use the Podium Services and have agreed to the Podium Terms of Service (“Podium Terms of Service”), which incorporate these Marketplace Terms. Any capitalized terms not defined herein will have the definition given in the Podium Terms of Service. For the avoidance of doubt, all references in the Podium Terms of Service to the “Agreement” will include these Marketplace Terms.
If you are using the Marketplace on behalf of a company, organization, or other entity, then “Client” or “you” means that entity, and you are binding that entity to these Marketplace Terms and the Agreement. You represent and warrant that you have the legal power and authority to enter into these Marketplace Terms and that, if the Client is an entity, these Marketplace Terms are entered into by an employee, agent, or other authorized representative with all necessary authority to bind that entity to these Marketplace Terms.
Voice Service Terms
Table of Contents
PODIUM VOICE SERVICE TERMS
By using or accessing Podium’s Voice Service (“Voice”), or by signing or clicking accept to any Subscription Documentation that includes Voice or references these terms, you (“you” or “Client”) agree to be bound by the following terms and conditions (the “Voice Service Terms”).
These Voice Service Terms incorporate by this reference the Podium Terms of Service (currently available at: https://legal.podium.com/#termsofservice-us) (the “Podium Terms of Service”) as may be updated from time to time, which, among other terms, contain provisions governing the resolution of claims (see Section 13 (“Disclaimers”), Section 14 (“Limitations of Liability”), Section 15 (“Dispute Resolution”), and Section 16 (“General”) of the Podium Terms of Service). In the event of any conflict or inconsistency between these Voice Service Terms and the Podium Terms of Service, these Voice Service Terms will govern.
Capitalized terms used herein without a definition have the same meaning as the defined term in the Podium Terms of Service. All documents linked in these Voice Service Terms are deemed to those documents as updated from time to time. For the avoidance of doubt, all references to the “Agreement” will include these Voice Service Terms.
Business Associate Agreement
Table of Contents
PODIUM BUSINESS ASSOCIATE AGREEMENT
This Podium Business Associate Agreement (“BAA”) is incorporated into the applicable Podium Terms of Service or Master Services Agreement (the “Underlying Agreement”) for any Podium Corporation, Inc. (“Podium”) client in which the applicable Podium Services (as defined in the Underlying Agreement) may involve the creation, maintenance, use, transmission or disclosure of protected health information (“PHI”) within the meaning of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), the Health Information Technology for Economic and Clinical Health Act (“HITECH”), and their implementing regulations, 45 CFR Parts 160 and 164 as they shall be amended (collectively the “HIPAA Rules”). In such case, Podium will be considered the “Business Associate” hereunder and the Podium client will be considered the “Covered Entity” hereunder.
If and only to the extent that Business Associate is a “business associate” as defined in the HIPAA Rules, this BAA supplements the Underlying Agreement and is intended to and will be interpreted to satisfy the requirements for business associate agreements as set forth in the HIPAA Rules. If Business Associate is not a business associate as defined in the HIPAA Rules, this BAA will be void notwithstanding any other terms to the contrary.
- DEFINITIONS. The following terms used in this BAA will have the same meaning as those terms in the HIPAA Rules: Business Associate, Breach, Covered Entity, Data Aggregation, Designated Record Set, Disclosure, Electronic Protected Health Information, Health Care Operations, Individual, Minimum Necessary, Notice of Privacy Practices, Privacy Officer, Privacy Rule, Protected Health Information, Required By Law, Secretary, Security Rule, Security Incident, Subcontractor, Unsecured Protected Health Information, and Use. All other capitalized terms not defined in this BAA will have the meaning set forth in the Underlying Agreement.
- RESPONSIBILITIES OF BUSINESS ASSOCIATE. Business Associate agrees to:
- USES AND DISCLOSURES BY BUSINESS ASSOCIATE.
- RESPONSIBILITIES OF COVERED ENTITY.
- REQUESTS BY COVERED ENTITY. Covered Entity will not request Business Associate to use or disclose protected health information in any manner that would not be permissible under the HIPAA Privacy Rule if done by Covered Entity.
- TERM AND TERMINATION.
|If to Business Associate, to:||If to Covered Entity, to:|
Podium Corporation, Inc.
1650 W. Digital Dr.
Lehi, UT 84043
Attn: Legal Department
The current address or email address associated with Client’s Podium account, where applicable.
Effective August 16, 2022Download
Table of Contents
Podium Developer Terms
Thank you for choosing to develop on the Podium Developer Platform.
Podium.com (https://www.podium.com), including all of its related applications, dashboards, or platforms (individually and collectively, the “Website”), is owned and operated by Podium Corporation, Inc. (“Podium”, “we” or “us”). The Podium Developer Platform (defined below) allows you to build Apps (as defined herein) for users of the Podium Services (as defined in Podium’s Terms of Service located at https://legal.podium.com/#termsofservice-us). By clicking on “I agree” (or a similar button) or by using or developing on the Podium Developer Platform, you agree to be bound by these Terms, so please read them carefully.
These Podium Developer Terms (the “Developer Terms” or "Terms") are a binding agreement between Podium and the individual or entity registering as a developer on the Podium Developer Platform ("you" or "Developer"). If you are using the Podium Developer Platform on behalf of a company, organization, or other entity, then “Developer” or “you” means that entity, and you are binding that entity to these Terms. You represent and warrant that you have the legal power and authority to enter into these Terms and that, if the Developer is an entity, these Terms are entered into by an employee, agent, or other authorized representative with all necessary authority to bind that entity to these Terms. The Podium Developer Platform is not intended for and may not be used by anyone under the age of 18.
Podium may modify these Terms from time to time, subject to Section 19.7 (Amendments; Waiver).
Effective August 17, 2022Download
Table of Contents
DOWNSTREAM BUSINESS ASSOCIATE AGREEMENT BETWEEN
PODIUM AND SUBCONTRACTOR
This Downstream Business Associate Agreement (“Downstream BAA”) will be incorporated in the applicable Podium Developer Terms (the “Developer Terms”) for Developers in the Podium Developer Program (each a “Subcontractor”) that are business associates (as defined in HIPAA) or who process, store, or transfer Protected Health Information (“PHI”) (as defined in HIPAA) for use with certain products and services owned by Podium Corporation, Inc., a Delaware Corporation (“Podium”).
Pursuant to the parties’ agreement in the Developer Terms, Subcontractor has agreed to perform certain services for or on behalf of Podium that may involve the creation, maintenance, use, transmission, or disclosure of protected health information on behalf of one or more of Podium’s Clients (each, a “Covered Entity” and collectively, “Covered Entities”) within the meaning of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), the Health Information Technology for Economic and Clinical Health Act (“HITECH”), and their implementing regulations, 45 CFR Parts 160 and 164 (collectively the “HIPAA Rules”). Subcontractor is a subcontractor of Podium and is a Podium when Subcontractor requests, creates, receives, maintains, transmits, uses, or discloses (individually or collectively, “Processes”) PHI on behalf of Podium or one of Podium’s Clients (as defined in the Developer Terms). This Downstream BAA supplements the Developer Terms and is intended to and will be interpreted to satisfy the requirements for business associate agreements as set forth in the HIPAA Rules as they will be amended. Subcontractor understands and acknowledges that, as a business associate, Subcontractor is subject to certain HIPAA Rules, and that the violation of the HIPAA Rules carries significant administrative and criminal penalties as described in 45 CFR § 160.404 and 42 USC § 1320d-6.
In consideration of the mutual premises and covenants contained herein and in the Developer Terms and other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, Subcontractor and Podium agree as follows:
1. GENERAL PROVISIONS
1.1. Defined Terms. Capitalized terms used in this Downstream BAA without definition have the respective meanings assigned to such terms by the Administrative Simplification section of HITECH and HIPAA.
1.2. Applicability. Subcontractor acknowledges that (a) Podium is a Business Associate of its Covered Entities, and (b) Subcontractor is a downstream Business Associate of Podium under the Developer Terms. This Downstream BAA relates to PHI that Subcontractor accesses or receives from Podium, a Covered Entity, or a third party on behalf of Podium in connection with this Downstream BAA.
1.3. HIPAA Amendments. The parties acknowledge and agree that HITECH and its implementing regulations impose requirements with respect to privacy, security, and breach notification applicable to Business Associates (collectively the “HITECH BA Provisions”). The HITECH BA Provisions and any other future amendments to HIPAA affecting business associate agreements are hereby incorporated by reference into this Downstream BAA as if set forth in this Downstream BAA in their entirety, effective on the later of the Effective Date or such subsequent date as may be specified by HIPAA.
1.4. Regulatory References. A reference in this Downstream BAA to a section in HIPAA means the section as it may be amended from time to time.
1.5. Relationship of the Parties. Subcontractor is and at all times during this Downstream BAA will be acting as an independent contractor to Podium, and not as Podium’s agent. Podium will not have authority to control the method or manner in which Subcontractor performs its services on behalf of Podium, provided that Subcontractor complies with the terms of this Downstream BAA and the HIPAA Rules. Subcontractor will not have authority to bind Podium to any liability unless expressly authorized by Podium in writing, and Podium will not be liable for the acts or omissions of Subcontractor. Subcontractor will not represent itself as the agent of Podium. Nothing in this Downstream BAA will be deemed to establish an agency, partnership, joint venture, or other relationship except that of independently contracting entities.
1.6. Rights to PHI. Subcontractor acknowledges and agrees that neither it nor any of its employees, agents, consultants, or assigns will have any rights in any of the PHI or to Process the PHI in any form, including stripped or aggregated information or statistical information derived from or in connection with the PHI, except as expressly permitted in the Developer Terms and this Downstream BAA.
2. OBLIGATIONS OF SUBCONTRACTOR
2.1. Subcontractor Responsibilities. Subcontractor must fully comply with all relevant laws relating to the privacy or security of PHI applicable to Subcontractor, including but not limited to the HIPAA Rules as applicable to subcontractors. Subcontractor may not use or disclose PHI except as permitted by this Downstream BAA or as otherwise required by law. Subcontractor may only Process PHI as permitted or required under the Developer Terms (including this Downstream BAA) or as Required by Law but must not otherwise use, disclose, or Process PHI. Subcontractor must use appropriate safeguards to prevent the use or disclosure of PHI other than as permitted by this Downstream BAA or each Covered Entity Downstream BAA. To the extent applicable to business associates, Subcontractor will comply with the requirements in 45 CFR Part 164, Subpart C, including the use of administrative, physical, and technical safeguards to protect electronic protected health information. Subcontractor may not Process PHI in any manner that would constitute a violation of HIPAA if so used or disclosed by Podium or any Covered Entity except as set forth in Sections 2.1(b) and (c) of this Downstream BAA. To the extent Subcontractor carries out any of Podium's or a Covered Entity’s obligations under the HIPAA Privacy Rule, Subcontractor must comply with the requirements of the HIPAA Privacy Rule that apply to Podium and Covered Entities in the performance of such obligations. To the extent Subcontractor is to carry out a Covered Entity’s obligations under 45 CFR Part 164, Subpart E (“HIPAA Privacy Rule”), Subcontractor must comply with the requirements of the HIPAA Privacy Rule that apply to a Covered Entity in the performance of such obligations. Except as otherwise stated in this Downstream BAA, Subcontractor may not use or disclose PHI in a manner that would violate the HIPAA Rules if done by a Covered Entity. Under no circumstances will Subcontractor sell the PHI in violation of the HIPAA Rules Without limiting the generality of the foregoing, Subcontractor is permitted to use or disclose PHI as set forth below:
(a) Subcontractor may use and disclose PHI to carry out Subcontractor's duties and obligations under the Developer Terms or under any agreement between Subcontractor and Podium or a Covered Entity;
(b) Subcontractor may use PHI internally for Subcontractor's proper management and administrative services or to carry out its legal responsibilities;
(c) To the extent required by the “minimum necessary” requirements of the HIPAA Rules, Subcontractor may only Process the minimum amount of PHI necessary to accomplish the purpose of the request, use, or disclosure. Subcontractor must comply with the minimum necessary guidance to be issued by the Secretary pursuant to HIPAA and, to the extent practicable, will not Process any Direct Identifiers (as defined in the limited data set standard of HIPAA).
(d) Subcontractor may disclose PHI to a third party for Subcontractor's proper management and administration, provided that the disclosure is required by law or Subcontractor enters into a written agreement with the third party under which the third party agrees to (1) protect the confidentiality, security, and privacy of the PHI, (2) only use or further disclose the PHI as required by law or for the purpose for which the PHI was disclosed to the third party, and (3) notify Subcontractor of any instances of which the third party is aware in which the confidentiality of the PHI has been breached; and
(e) Subcontractor agrees that none of the PHI it receives or its agents or subcontractors receive from Podium will be exported or stored (including temporary storage) outside of the United States.
2.2. Safeguards. Subcontractor must use appropriate safeguards to prevent the use or disclosure of PHI other than as provided for by this Downstream BAA. In addition, Subcontractor must implement Administrative Safeguards, Physical Safeguards, and Technical Safeguards that reasonably and appropriately protect the Confidentiality, Integrity, and Availability of Electronic Protected Health Information (“EPHI”) that it creates, receives, maintains, or transmits on behalf of Podium. Without limiting the foregoing, Subcontractor must comply with the HIPAA Security Rule and with all other applicable provisions of HIPAA with respect to EPHI.
2.3. Mitigation. Subcontractor must take reasonable steps to mitigate, to the extent practicable, any harmful effect (that is known to Subcontractor) of a use or disclosure of PHI by Subcontractor in violation of this Downstream BAA or HIPAA.
2.4. Subcontractors. Subcontractor may not subcontract any services that require it to disclose PHI that it has received from or created on behalf of Podium or any Covered Entities unless expressly authorized in the Developer Terms or this Downstream BAA. In the event Subcontractor is authorized to disclose such PHI, prior to any such permitted disclosure Subcontractor must enter into a written agreement meeting the requirements of 45 C.F.R. §§ 164.504(e) and 164.314(a)(2) with each Subcontractor (including, without limitation, a Subcontractor that is an agent under applicable law) that Processes PHI on behalf of Subcontractor. If Subcontractor is authorized to subcontract services, Subcontractor must ensure that any subcontractors that create, receive, maintain, or transmit protected health information on behalf of Subcontractor agree to the same restrictions, conditions, and requirements set forth in this Downstream BAA and the HIPAA Rules applicable to such subcontractors. Subcontractor may fulfill this requirement by executing a written agreement with the subcontractor incorporating the terms of this Downstream BAA and, to the extent necessary, otherwise complying with the requirements in 45 CFR §§ 164.308, 164.502, and 164.504. Subcontractor must ensure that the written agreement with each Subcontractor obligates the Subcontractor to comply with restrictions and conditions that are at least as restrictive as the restrictions and conditions that apply to Subcontractor under this Downstream BAA. In no event may Subcontractor, without Podium’s prior written approval, provide PHI to any employee or agent, including any Subcontractor, if such employee, agent, or Subcontractor receives, processes, or otherwise has access to the PHI outside of the United States.
2.5. Reporting Requirements. Subcontractor must immediately report to Podium any use or disclosure of PHI not permitted by this Downstream BAA or HIPAA of which Subcontractor becomes aware, including but not limited to (a) use or disclosure of PHI in violation of this Downstream BAA or HIPAA by Subcontractor or by a third party to which Subcontractor disclosed PHI, (b) breaches of unsecured PHI as required by 45 CFR § 164.410, and (c) security incidents as required by 45 CFR § 164.314. When Subcontractor reports a breach of Protected Health Information (whether secured or unsecured), the report must include the content required by 45 C.F.R. § 164.410 (collectively an “Unauthorized Use or Disclosure”). Subcontractor’s duty to report does not permit Subcontractor to notify those individuals whose PHI has been breached by Subcontractor without the express written permission of Podium to do so. All notifications to those individuals whose PHI has been breached must be made under the direction, review, and control of Podium. Subcontractor will not make any public disclosure, including to the media, of the foregoing without the approval of Podium, or in instances where Subcontractor is compelled by law or court order, without notifying Podium of such disclosure. The parties acknowledge that Subcontractor is periodically subject to attempted but unsuccessful attempts to access its information system (e.g., typical “pings” or port scans), but that such unsuccessful attempts are trivial, routine, and do not constitute a material threat to the security of PHI. The parties agree that further notice of such trivial but unsuccessful attempts will not be required unless expressly required by Podium.
2.6. Cooperation with Podium. Subcontractor will fully cooperate with Podium’s efforts to promptly investigate, mitigate, and notify third parties of breaches of unsecured protected health information or security incidents as required by the HIPAA Rules. Subcontractor will pay for or reimburse Podium for its expenses, costs, losses, payments, or damages resulting from any violation of the HIPAA Rules or breach of this Downstream BAA by Subcontractor or Subcontractor’s members, employees, agents, or subcontractors.
2.7. Access to Information. Within five (5) business days following Podium’s or a Covered Entity’s request, Subcontractor must make available to the related Covered Entity any PHI in Subcontractor’s control as necessary to enable the Covered Entity to satisfy its obligations to provide an individual with access to certain protected health information under 45 CFR § 164.524. If Subcontractor receives a request for access to PHI directly from an Individual, Subcontractor must forward such request to Podium within two (2) business days.
2.8. Availability of PHI for Amendment. Within ten (10) days following Podium’s or a Covered Entity’s request, make available to Podium any PHI for amendment and incorporate any amendments to PHI as necessary to enable the Covered Entity to satisfy its obligations under 45 CFR § 164.526. If Subcontractor receives a request for an amendment to PHI directly from an Individual, Subcontractor must forward such request to Podium within two (2) business days.
2.9. Accounting of Disclosures. Within five (5) business days of written notice by Podium to Subcontractor that Podium has received a request for an accounting of disclosures of PHI (other than disclosures to which an exception to the accounting requirement applies), Subcontractor must deliver to Podium such Information in Subcontractor's possession that is required for Podium to make the accounting required by 45 C.F.R. § 164.528. If Subcontractor receives a request for an accounting directly from an Individual, Subcontractor must forward such request to Podium within five (5) business days. Subcontractor will have no responsibility for providing an accounting to the Individual. Such accounting is limited to disclosures of PHI that were made in the six (6) years prior to the request and must be provided for as long as Subcontractor maintains the PHI.
2.10. Records; Availability of Books and Records. Subcontractor must maintain information concerning Subcontractor’s disclosures of PHI as required by 45 CFR § 164.528 and, within five (5) days following Podium’s or a Covered Entity’s request, make such information available to Podium and the Covered Entity as necessary to enable the Covered Entity to render an accounting of disclosures pursuant to 45 CFR § 164.528. In addition to any other such information, Subcontractor must document the following as to any impermissible disclosure: (i) the date of the disclosure; (ii) the name and address of the person or entity to whom the disclosure was made; (iii) a brief description of the protected health information disclosed; and (iv) a brief statement of the purpose of the disclosure. Subcontractor must promptly remedy any violation of any term of this Downstream BAA and must certify the same to Podium in writing. Subcontractor must make Subcontractor’s internal practices, books, and records relating to the use and disclosure of PHI received from or created or received by Subcontractor on behalf of Podium or a Covered Entity, available to the Secretary for purposes of determining a Covered Entity’s or Podium’s compliance with HIPAA. In addition, if and to the extent requested by Podium or a Covered Entity, Subcontractor must provide to Podium and the Covered Entity such proof of Subcontractor’s compliance with the requirements of this Downstream BAA as Podium or the Covered Entity will reasonably require.
2.11. Indemnification. Subcontractor agrees to indemnify, reimburse, defend, and hold harmless Podium for any costs, expenses, damages, fees, fines, settlements, judgments (including costs and attorney’s fees), and other losses incurred as a result of a breach of this Downstream BAA, Unauthorized Use or Disclosure, Security Incident, or any acts or omissions of Subcontractor or Subcontractor’s officers, members, employees, agents, or subcontractors arising out of the use and disclosure PHI or violation of the HIPAA Rules, or as a result of any negligence or willful misconduct by Subcontractor its agents or subcontractors, including, without limitation: fines or settlement amounts owed to a state or federal government agency; the cost of any notifications to Individuals or government agencies; credit monitoring for affected Individuals; or other mitigation steps taken by Podium to comply with HIPAA or state law.
3. ADDITIONAL RESTRICTIONS AND LIMITATIONS
3.1. Permissions. Podium will notify Subcontractor of any changes in, or revocation of any permission by an Individual to use or disclose the Individual's PHI, to the extent that any such change or revocation affects Subcontractor's use or disclosure of PHI. Subcontractor must comply with any such change or revocation.
3.2. Restrictions & Confidential Communications. Podium will notify Subcontractor of any request for a restriction on the use or disclosure of PHI or confidential communication to which Podium has agreed in accordance with 45 C.F.R. § 164.522, to the extent that such agreed-upon restriction or confidential communication request may affect Subcontractor's use or disclosure of PHI. Subcontractor must comply with any such agreed-upon restriction or confidential communication request.
3.3. Covered Entities' Notices of Privacy Practices. Podium will notify Subcontractor of any limitation in a Covered Entity’s notice of privacy practices that limits Subcontractor's use or disclosure of PHI under this Downstream BAA Subcontractor must comply with such limitations.
4. TERMINATION OF THIS AGREEMENT
4.1. Agreement Term. The term of this Downstream BAA will commence on the Effective Date of the Developer Terms and will continue in full force and effect (and survive the expiration or earlier termination of this Downstream BAA) for so long as Subcontractor maintains any PHI.
4.2. Termination. Podium may terminate this Downstream BAA upon ten (10) days prior notice if Podium determines that Subcontractor or any Subcontractor’s subcontractor has violated the HIPAA Rules, a material term of this Downstream BAA, or otherwise engaged in conduct that may compromise the protected health information. Subcontractor will have the opportunity to cure the breach or violation within the 10-day notice period. If Subcontractor fails to cure the breach or violation within the 10-day notice period, Podium may declare this Downstream BAA and the Developer Terms terminated. Notwithstanding the foregoing, Podium may terminate this Downstream BAA immediately if Subcontractor or any subcontractor engages in any conduct that Podium reasonably believes may result in adverse action against Podium by any governmental agency or third party. Podium may terminate this Downstream BAA without cause upon thirty (30) days prior written notice to Subcontractor. This Downstream BAA will automatically terminate if the Developer Terms are terminated. Notwithstanding anything in the Developer Terms to the contrary, Podium will have the right to terminate the Developer Terms immediately, without penalty or liability, if Podium determines that Subcontractor’s creation, maintenance, use, transmission, or disclosure of protected health information is a material purpose of the Developer Terms and this Downstream BAA is terminated for any reason.
4.3. Obligations of Subcontractor upon Termination. Upon earlier termination of the Developer Terms or of this Downstream BAA, Subcontractor agrees to return or destroy all PHI pursuant to 45 C.F.R. § 164.504(e) (2) (ii)(J), if it is feasible to do so. If it is not feasible for the Subcontractor to return or destroy said PHI, the Subcontractor will notify Podium in writing. This notification must include: (i) a statement that the Subcontractor has determined that it is not feasible to return or destroy the PHI in its possession, and (ii) the specific reasons for such determination. Subcontractor agrees to extend all protections, limitations, and restrictions contained in this Downstream BAA to Podium’s use and/or disclosure of any PHI retained after the termination of this Downstream BAA, and to limit any further uses and/or disclosures to the purposes that make the return or destruction of the PHI infeasible. Upon request by Podium, Subcontractor will provide proof of compliance with this Section 4.3 to Podium in the form of an affidavit or other manner reasonably requested by Podium. Subcontractor’s obligations under Section 2 will survive termination of this Downstream BAA.
5.1. Regulatory References. A reference in this Downstream BAA to a section in the HIPAA Rules means the section as in effect or as amended.
5.2. Amendments; Waiver. This Downstream BAA may not be modified, nor may any provision hereof be waived or amended, except in a writing duly signed by authorized representatives of the Parties. A waiver with respect to one event may not be construed as continuing, or as a bar to or waiver of any right or remedy as to subsequent events. The Parties agree to take such action as is necessary to amend this Downstream BAA from time to time as is necessary for compliance with the requirements of the HIPAA and any other applicable law.
5.3. Notices. Any notices to be given hereunder to a Party must be made via U.S. Mail or express courier to such Party’s address given below:
5.4. Interpretation. Any ambiguity in this Downstream BAA will be interpreted to permit compliance with HIPAA.
5.5. No Third-Party Beneficiaries. Nothing express or implied in this Downstream BAA is intended to confer, nor may anything herein confer, upon any person other than the Parties and the respective successors or assigns of the parties, any rights, remedies, obligations, or liabilities whatsoever.
5.6. Governing Law. This Downstream BAA will be construed to comply with the requirements of the HIPAA Rules, and any ambiguity in this Downstream BAA will be interpreted to permit compliance with the HIPAA Rules. All other aspects of this Downstream BAA will be governed under the laws of Utah. Unless otherwise specified in the Developer Terms, any action arising out of the breach or violation of his Downstream BAA will be pursued in the Relevant Jurisdiction, or the federal district court covering such county.
5.7. Assignment/Subcontracting. This Downstream BAA will inure to the benefit of and be binding upon the parties and their respective legal representatives, successors, and assigns. Subcontractor may assign or subcontract rights or obligations under this Downstream BAA to subcontractors or third parties without the express written consent of Podium provided that Subcontractor complies with Section 1.5. Podium may assign its rights and obligations under this Downstream BAA to any successor or affiliated entity.
5.8. Cooperation. The parties agree to cooperate with each other’s efforts to comply with the requirements of the HIPAA Rules and other applicable laws; to assist each other in responding to and mitigating the effects of any breach of protected health information in violation of the HIPAA Rules or this Downstream BAA; and to assist the other party in responding to any investigation, complaint, or action by any government agency or third party relating to the performance of this Downstream BAA. In addition to any other cooperation reasonably requested by Podium, Subcontractor will make its officers, members, employees, agents, and subcontractors available without charge for interview or testimony.
5.9. Insurance. Unless waived in writing by Podium, Subcontractor will procure and maintain in effect during the term of this Downstream BAA: (1) general liability insurance coverage with minimum limits of $3 million per occurrence and $3 million aggregate; and (2) professional liability or errors and omissions insurance coverage within minimum limits of $3 million per occurrence and $3 million in aggregate, insuring against breaches of this Downstream BAA; (3) workers’ compensation insurance coverage as required by law and employers liability in an amount not less than $1 million, and (4) automobile liability insurance in the amount of $1,000,000, if applicable. Upon request, Subcontractor will provide evidence of continuous coverage to Podium and no coverage required within this Section 5.9 will be voided or canceled without prior notice to Podium. Podium, its subsidiaries and affiliates, and its employees, trustees, directors, officers, subcontractors, agents, or other members of its workforce will be added as additional insureds on the liability policies required herein on a primary, non-contributory basis. If this agreement is supplemental documentation to a professional services or vendor agreement, then the greater of the insurance types and coverage requirements will take precedence to this clause. Upon Podium’s request, Subcontractor will provide proof of such insurance to Podium.
5.10. Relation to Developer Terms. This Downstream BAA supplements the Developer Terms. The terms and conditions of the Developer Terms will continue to apply to the extent not inconsistent with this Downstream BAA. If there is a conflict between this Downstream BAA and the Developer Terms, this Downstream BAA will control. Notwithstanding any limitation on liability or other term in the Developer Terms to the contrary, Subcontractor’s obligations pursuant to Sections 2(e) and 11 will apply in the event of any violation of the HIPAA Rules or breach of this Downstream BAA by Subcontractor or its members, employees, agents, or subcontractors.
5.11. Entire Agreement. This Downstream BAA contains the entire agreement between the parties as it relates to the use or disclosure of PHI and supersedes all prior discussions, negotiations, and services relating to the same to the extent such other prior communications are inconsistent with this Downstream BAA.
5.12. Servability. In case any provision in this Downstream BAA shall be invalid, illegal or unenforceable, the validity, legality and enforceability of the remaining provisions shall not in any way be affected or impaired thereby and such provision shall be ineffective only to the extent of such invalidity, illegality or unenforceability.
5.13. Survival. The terms in this Downstream BAA that must survive termination of this Downstream BAA to give them full effect will survive termination of this Downstream BAA, including but not limited to Sections 2, 3, 4.3, 5.6, 5.8, 5.9, and 5.10.
Developer Security & SLA Requirements
Effective August 17, 2022Download
Table of Contents
- You will allow Podium to conduct system vulnerability scans on the provided systems or endpoints on an on-going basis to ensure maximum security and adherence to these requirements.
- Your App must not collect Podium Clients’ user credentials.
- To the best of your ability, you must follow security best practices and hardening techniques for all aspects of your business.
- Your App must authenticate and authorize all requests.
- Your App must be protected against common web security vulnerabilities.
- If your App stores its own credentials, then it must only store salted password hashes, not plaintext passwords, as described on the Open Web application Security Project website.
- Your App must always be served over HTTPS using a valid TLS certificate (version 1.3) with an expiration date of at least 1 year from the App submission date.
- HSTS must be enabled with a minimum age of at least one year.
- You must provide a Vulnerability Disclosure Policy (VDP) for security researchers to be able to submit findings regarding your App.
- All OS, web-server, and app-server security patches must be up to date, and new patches must be applied in a commercially reasonable timeframe after they are made available by the hardware and software vendors.
- You must provide the IP address(es) from which your App operates and from which Podium API calls are made.
- You must submit a Security Self-Assessment.
- Your App must generate secure tokens, including expirations and search indexing protections, where applicable.
- Your App must not expose network services unnecessarily.
- Your App must not expose its shared secret. If your secret is inadvertently exposed, then you must rotate the secret immediately. They should never be logged, stored in client-side code and public repositories, or made accessible to end-users.
- Request only the OAuth scopes needed for the documented use of the App.
- Your App must protect against iFrames using frame-ancestor Content-Security Policy directives (if applicable).
- Caching is disabled on all SSL pages and all pages that contain sensitive data by using value no-cache and no-store instead of private in the Cache-Control header.
- Your App web server must be configured to disable the TRACE and other HTTP methods if not being used.
- Your App must not provide third-parties with access to a Client’s Podium data, via external API calls or any other means.
- Your App must not export, save, or store End-User Data for any purpose other than the functional use of your App.
- If your App is used by organizations based in Europe, or organizations with customers based in Europe, then it's your responsibility to make sure that your App is GDPR compliant.
- Your App must subscribe to mandatory webhooks so that you can receive any data deletion requests that are issued by organizations. If applicable, your App must subscribe to mandatory GDPR webhooks.
- If your App handles a significant amount of End-User Data, then it must have a system in place to manage that data properly, including secure storage and the ability to erase data at the user's request as per the data rights of individuals.
- Your will guarantee 99.9% uptime for your App. If your App has downtime that falls short of the 99.9% uptime guarantee for any 30-day period, Podium may revoke your access to the Marketplace and remove or disable your App. This uptime guarantee does not apply to planned maintenance, so long as such maintenance is communicated to the Podium Clients.