DEAready Terms of Service
Effective as of the date Customer accepts these Terms, recorded against the Customer's organization. Version: 1.0
These Terms of Service (these "Terms") are a binding agreement between DEAready LLC, a Missouri limited liability company with its principal place of business at 210 W Oklahoma St, Branson, MO 65616, doing business as "DEAready" ("DEAready," "we," "us," or "our"), and the practice, registrant, or other entity that accepts these Terms ("Customer," "you," or "your"). These Terms govern your access to and use of the DEAready controlled-substance recordkeeping software and related services (the "Service").
PLEASE READ THESE TERMS CAREFULLY. THEY CONTAIN IMPORTANT DISCLAIMERS (SECTION 3 AND SECTION 8), LIMITATIONS OF LIABILITY (SECTION 8), AN AUTOMATIC-RENEWAL PROVISION (SECTION 6), A BINDING-ARBITRATION PROVISION, A CLASS-ACTION WAIVER AND JURY-TRIAL WAIVER (SECTION 10), AND PROVISIONS GOVERNING THE INTENTIONALLY IMMUTABLE NATURE OF YOUR RECORDS (SECTION 5).
1. Acceptance, Parties, and Eligibility
1.1 Acceptance. These Terms become binding on the earlier of (a) your clicking "I agree" (or a similar affirmation) at sign-up, or (b) your access to or use of the Service. These Terms are effective as of the date you accept them, which DEAready records against your organization together with a timestamp and the accepting user account. If you do not agree, do not access or use the Service.
1.2 Authority to bind. The individual accepting these Terms represents and warrants that he or she is an authorized representative of the Customer entity and has the authority to bind that entity to these Terms, to the Privacy Policy, and to the Business Associate Agreement. These Terms bind the Customer entity, not the individual signer personally.
1.3 Eligibility. You represent and warrant that you are (a) a DEA registrant, or an entity acting on behalf of a DEA registrant, that is lawfully authorized to handle controlled-substance records in each jurisdiction in which you operate; (b) at least eighteen (18) years of age; and (c) not barred from receiving the Service under any Applicable Law. The Service is a business-to-business offering. It is not offered to, and may not be used by, consumers for personal, family, or household purposes.
1.4 The Agreement. These Terms, together with the Privacy Policy, the Business Associate Agreement ("BAA"), and any Order or plan selection you make, together constitute the "Agreement" between the parties. In the event of any conflict among these documents, the order of precedence in Section 10.8 governs.
2. Definitions
Capitalized terms have the meanings given where first defined or as set forth below.
2.1 "Applicable Law" means all federal, state, and local laws, regulations, and rules applicable to a party's performance under the Agreement, including the Controlled Substances Act (21 U.S.C. § 801 et seq.), the implementing regulations of the U.S. Drug Enforcement Administration at 21 CFR Parts 1300–1321, the HIPAA Rules, and applicable state controlled-substance, pharmacy-board, and prescription-monitoring laws.
2.2 "Audit Ledger" or "Hash Chain" means the append-only, cryptographically chained audit log maintained by the Service, in which each entry incorporates a SHA-256 hash of the prior entry to render the sequence tamper-evident.
2.3 "Authorized User" means an individual whom Customer permits to access the Service under Customer's account, including individuals assigned the Owner, Admin, Staff, Witness-Only, or Read-Only roles.
2.4 "BAA" means the Business Associate Agreement between DEAready and Customer governing the Service's handling of PHI.
2.5 "Covered Entity" has the meaning given in 45 CFR 160.103.
2.6 "Business Associate" has the meaning given in 45 CFR 160.103.
2.7 "Controlled-Substance Retention Law" means, for any record, the longest applicable record-retention period imposed by Applicable Law on that record, consisting of the federal floor of two (2) years under 21 CFR 1304.04 plus any longer period required by the law of any state in which Customer is registered or operates.
2.8 "Customer Data" means all data, records, and content that Customer or its Authorized Users submit to, generate within, or store in the Service, including controlled-substance transaction records, inventory records, container and drug-catalog records, Audit Ledger entries, Merkle Roots, and any PHI contained therein.
2.9 "Documentation" means DEAready's then-current user guides, help materials, and published descriptions of the Service.
2.10 "HIPAA Rules" means the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Parts 160 and 164, as amended.
2.11 "Inspection Pack" means the report bundle the Service generates separately, on demand, under the Reports area to assist an inspection or audit, comprising cover materials, inventory documents, ledger data, and audit-chain verification output. The Inspection Pack is generated on request and is distinct from the data export described in Section 5.3.
2.12 "Merkle Root" means a cryptographic root hash that the Service computes over a daily window of Audit Ledger entries and stores in write-once object storage as an independent integrity proof.
2.13 "Order" means a plan selection, subscription, or order form by which Customer subscribes to the Service and that specifies the plan, price, billing interval, and term.
2.14 "PHI" or "Protected Health Information" has the meaning given in 45 CFR 160.103, limited to information DEAready creates, receives, maintains, or transmits on behalf of Customer.
2.15 "Service" means the DEAready software-as-a-service application, including the web application at app.deaready.com, related APIs, exports, and Documentation.
2.16 "Subprocessor" means a third party engaged by DEAready to process Customer Data in connection with providing the Service. The current list of Subprocessors is maintained in the Privacy Policy.
2.17 "Subscription Term" means the period of a paid subscription as specified in the applicable Order, together with any renewal period.
3. Service Description; Disclaimer (Conspicuous and Non-Waivable)
3.1 What the Service is. DEAready is software that helps a DEA registrant create, organize, store, and export controlled-substance records (receive, dispense, administer, waste, transfer, and inventory), generate inspection-oriented report packs, and produce prescription-monitoring-program ("PMP/PDMP") and ASAP export files, supported by a tamper-evident audit trail. The Service is a recordkeeping and document-generation tool only.
3.2 What the Service is NOT. Customer acknowledges and agrees to each of the following, which DEAready states conspicuously and which Customer cannot waive on DEAready's behalf:
(a) NO PROFESSIONAL ADVICE. DEAREADY DOES NOT PROVIDE LEGAL ADVICE, REGULATORY ADVICE, COMPLIANCE ADVICE, MEDICAL ADVICE, PHARMACY ADVICE, OR PROFESSIONAL ADVICE OF ANY KIND. No attorney-client relationship, consultant relationship, or other advisory or fiduciary relationship is created by your use of the Service.
(b) NO GUARANTEE OF COMPLIANCE. USE OF THE SERVICE DOES NOT GUARANTEE, ENSURE, OR CERTIFY COMPLIANCE with the Controlled Substances Act, 21 CFR Parts 1300–1321, the HIPAA Rules, any state controlled-substance or pharmacy-board law, any PMP/PDMP requirement, or any other law. Software cannot make, and the Service does not make, Customer compliant.
(c) NO GOVERNMENT AFFILIATION. DEAREADY IS NOT AFFILIATED WITH, ENDORSED BY, SPONSORED BY, OR ACTING ON BEHALF OF THE U.S. DRUG ENFORCEMENT ADMINISTRATION (DEA), THE DEA DIVERSION CONTROL DIVISION, THE U.S. DEPARTMENT OF HEALTH AND HUMAN SERVICES (HHS), ANY STATE BOARD OF PHARMACY OR DENTISTRY, OR ANY PMP/PDMP AUTHORITY. References to "DEA" and to specific regulations describe only the regulatory subject matter the Service is designed to help with.
(d) Customer bears sole responsibility for compliance. The registrant and Customer remain solely and exclusively responsible for: their own DEA and state controlled-substance compliance; the lawfulness of their receiving, handling, prescribing, dispensing, administering, transferring, and disposing of controlled substances; and all required filings, reports, inventories, and notifications, including (without limitation) DEA Form 41 disposal records, DEA Form 222 / CSOS ordering records, theft-or-loss reporting under 21 CFR 1301.74 and 1301.76 (including DEA Form 106), initial and biennial inventories under 21 CFR 1304.11, and PMP/PDMP submissions. Customer is solely responsible for verifying that any output of the Service is accurate, complete, and acceptable to its regulators before relying on it.
(e) State-rule encodings are a convenience only. The Service encodes certain state-specific rules (for example, record-retention periods) as a convenience. DEAready does not warrant that these encodings are current, complete, or correct for Customer's situation, and Customer must independently verify all such rules with its own counsel and regulators.
(f) Consult your own professionals. Customer must consult its own attorney and compliance professionals. The Service is an aid to, and not a substitute for, Customer's professional judgment and the advice of Customer's own counsel.
3.3 No reliance. Customer agrees that it is not relying on DEAready for any representation regarding legal sufficiency, and that all informational content, templates, state-rule encodings, deadline prompts, completeness indicators, and similar features are provided "AS IS" FOR CONVENIENCE ONLY and may be incomplete or out of date.
3.4 Precedence and survival. This Section 3 controls over any contrary statement in any marketing material, website page, sales communication, or Documentation, and survives any termination or expiration of the Agreement.
4. Customer Responsibilities
4.1 Data accuracy and completeness. Customer is solely responsible for the accuracy, completeness, legality, and timeliness of all Customer Data that it or its Authorized Users enter. The Service stores and organizes the data it is given; it does not independently verify entries against physical inventory, external systems, or any source of truth. Customer accepts that incomplete or inaccurate input produces incomplete or inaccurate output.
4.2 Lawful use. Customer will use the Service only for lawful purposes and in compliance with all Applicable Law, including the Controlled Substances Act, the HIPAA Rules, and state controlled-substance law. Customer will not use the Service to facilitate diversion, to falsify records, or to evade any regulatory obligation.
4.3 Credentials and account security. Customer is responsible for safeguarding its authentication credentials and multi-factor authentication, and for all activity occurring under its accounts. Multi-factor authentication is required for all users via Amazon Cognito. Customer will assign and manage Authorized User roles (Owner, Admin, Staff, Witness-Only, Read-Only) on a least-privilege basis and will promptly notify DEAready at support@deaready.com of any suspected unauthorized access.
4.4 Authorized Users and witnesses. Customer is responsible for the acts and omissions of its Authorized Users as if they were Customer's own. Where the Service supports witnessed events (such as waste or disposal), the Service enforces that a witness is separately authenticated; however, Customer is solely responsible for ensuring that any witness is genuinely independent, properly authorized, and legally sufficient for the event being recorded.
4.5 HIPAA and Covered-Entity duties. Customer is a Covered Entity, or acts on behalf of one, and retains all Covered-Entity obligations under the HIPAA Rules, including: configuring patient-identifier capture on a minimum-necessary basis (the Service permits Customer to select among full name, initials plus date of birth, or chart identifier); handling patient rights requests; providing breach notifications to its own patients and to HHS as required; and ensuring it has lawful authority to disclose PHI to DEAready. DEAready acts only as a Business Associate under the separate BAA. Customer will transmit PHI to DEAready only through the Service's intended fields for that purpose (for example, Customer will not enter PHI into free-text fields not configured to receive it) and will not transmit any PHI to the Service's payment processor.
4.6 Compliance with the Agreement. Customer will comply with these Terms, the Privacy Policy, the BAA, and the acceptable-use requirements in Section 9.4.
5. Customer Data; Immutable Audit Ledger; Portability and Deletion
5.1 Ownership. As between the parties, Customer owns all Customer Data, including its controlled-substance records, Audit Ledger entries, and Merkle Roots. DEAready claims no ownership of Customer Data. Customer grants DEAready a limited, non-exclusive license to host, process, transmit, back up, and display Customer Data solely to provide the Service and as the BAA permits.
5.2 The ledger is intentionally append-only and tamper-evident. Customer acknowledges and agrees that, by design and as a core feature of the Service, controlled-substance transaction records and Audit Ledger entries are immutable: they cannot be edited or deleted in place. Corrections are made only by recording new void and correction entries; the original entries are never overwritten or removed. This immutability is enforced both at the database layer (triggers that block update and delete operations on the transaction and audit-log tables) and cryptographically (a per-organization SHA-256 hash chain and daily Merkle Roots stored in write-once object storage). Customer agrees not to request, and DEAready is not obligated to perform, any deletion or alteration that would break the hash chain or defeat the tamper-evidence of the ledger.
5.3 "Your data is yours" means portability and verifiability, not arbitrary mutability. DEAready honors Customer's ownership of its records through export and independent verifiability, not through arbitrary deletion or in-place editing. At any time during the Subscription Term, and during the post-termination window described in Section 7.4, a user assigned the Owner role may download a complete, self-describing, tool-agnostic export through the Service's data-export feature. The export is a portable ZIP archive containing:
- transactions.csv — the full controlled-substance ledger;
- containers.csv — container records;
- drugs.csv — drug-catalog records;
- locations.csv — location records, including DEA registration and expiry;
- inventory-events.csv — inventory events;
- audit-log.csv — the full audit chain, including row hashes;
- merkle-roots.json — the daily Merkle Roots, including their object-storage keys; and
- chain-verification.json — a chain-verification result computed at the time of export.
The export uses no proprietary formats, is independently verifiable offline, and includes the field names and structure needed to re-verify chain integrity. The export does not include a rendered Inspection Pack PDF; the Inspection Pack is generated separately, on demand, under the Reports area (Section 2.11). DEAready will maintain a working, complete export path for the life of the account.
5.4 Deletion requests and retention law. Customer may request deletion of its account and Customer Data. DEAready will honor such a request except to the extent that retention is required by Controlled-Substance Retention Law, the HIPAA Rules, tax or financial law, or is necessary to preserve the integrity of the tamper-evident ledger or to establish, exercise, or defend legal claims. Specifically:
(a) Mandatory minimum retention; default retention period. Controlled-substance records are subject to a mandatory minimum retention period — a federal floor of two (2) years under 21 CFR 1304.04, with several states (including Arkansas) requiring longer. To accommodate the longest applicable requirements, DEAready sets a default retention period of seven (7) years. DEAready will not delete such records before the longest applicable retention period has expired, and on request will inform Customer which period DEAready understands to apply (which information is provided for convenience and not as legal advice; Section 3 governs).
(b) Object-locked Merkle Roots. Daily Merkle Roots are stored in object storage under a COMPLIANCE-mode object lock and cannot be deleted by anyone — including DEAready or its cloud provider — for the seven (7) year lock period. Customer acknowledges that this is a deliberate integrity feature that provides independent provability of the ledger, and Customer accepts it. Merkle Roots contain only cryptographic hashes and do not contain PHI or substantive record content.
(c) Redaction or de-identification in lieu of deletion. Where Customer requests deletion of personal data or PHI but the surrounding record must be retained under Applicable Law, DEAready may anonymize, de-identify, or redact the personal data or PHI rather than delete the record, consistent with the minimum-necessary record required to satisfy the retention obligation.
(d) Coordination with the BAA. Where controlled-substance records must be retained beyond the point at which the BAA would otherwise require return or destruction of PHI, the parties will rely on the BAA's provision that, where return or destruction of PHI is infeasible, DEAready will extend the protections of the BAA to the retained PHI and limit further uses and disclosures to those that make return or destruction infeasible. This mechanism allows retained controlled-substance records to remain under safeguard rather than be destroyed, and the parties intend these Terms and the BAA to be read consistently on this point.
5.5 How records are ultimately destroyed. Because Customer Data lives in an append-only, hash-chained, object-locked ledger, in-place deletion of individual records is not available without defeating the integrity guarantees Customer is paying for. Accordingly, at the end of the applicable retention period, "return or destruction" of Customer Data is accomplished by de-identification and/or by expiry of the object-lock retention period, after which the retained data is deleted or anonymized. The Service does not perform per-customer cryptographic key destruction; field-level encryption uses a single shared key, so crypto-shredding of an individual Customer's data is not the destruction mechanism.
5.6 Customer's independent copy. Because Customer may export verifiable copies of its Customer Data at any time, Customer is responsible for maintaining its own retained copies if and when it leaves the Service. DEAready's retention is a backstop and is not Customer's system of record for compliance purposes.
5.7 Backups and disaster recovery. The Service employs append-only database triggers, a per-organization hash chain, object-lock storage of Merkle Roots, and point-in-time database recovery. These are best-effort safeguards and are not a guarantee against data loss. Customer should maintain its own exports as described in Section 5.6.
6. Fees, Billing, Trial, Renewal, Taxes, and Non-Payment
6.1 Plans and fees. Customer will pay the fees for the plan and billing interval specified in its Order. As of the date these Terms are accepted, the Service offers the following plans, billed through the Service's payment processor:
| Plan | Monthly | Annual |
|---|---|---|
| Essentials | $29 / month | $290 / year |
| Practice | $79 / month | $790 / year |
| High-Volume | $249 / month | $2,490 / year |
DEAready may change its prices prospectively on notice; any price change takes effect at Customer's next renewal, and the price for the current Subscription Term is locked.
6.2 Payment processor. Billing is handled by Stripe, Inc. Customer authorizes recurring charges to its designated payment method through Stripe. DEAready does not store full payment-card data. No PHI is sent to Stripe, consistent with Section 4.5 and the Privacy Policy.
6.3 Free trial. If Customer enrolls in a free trial, the trial runs for the period stated at sign-up (currently fourteen (14) days) and includes the features described there. A valid payment method is collected at sign-up but is not charged during the trial period. At the end of the trial, the subscription converts to a paid subscription at the then-current price for the selected plan, and Customer's payment method will be charged, unless Customer cancels before the trial ends. Customer may cancel at any time before the trial ends, in which case no charge is made. The material trial terms are disclosed clearly and conspicuously at sign-up.
6.4 Automatic renewal and cancellation. Subscriptions automatically renew for successive periods of the same length (monthly or annual) at the then-current rate through Stripe, unless Customer cancels before the applicable renewal date.
(a) Disclosure at the point of consent. Before purchase and adjacent to the point of consent, DEAready discloses, clearly and conspicuously, the renewal period, the renewal price, and how to cancel. By enrolling, Customer agrees to these automatic-renewal terms, and DEAready records Customer's acceptance of these Terms (including timestamp and the accepting user account) as described in Section 1.1.
(b) Self-service cancellation. Customer may cancel at any time through the same online medium in which it subscribed, using the self-service cancellation function in the Service, without unreasonable obstacles. Cancellation stops future renewals as provided in Section 7.2.
(c) Price changes. DEAready may change subscription prices prospectively as provided in Section 6.1; any change takes effect at Customer's next renewal, and the price for the current Subscription Term is locked.
6.5 Taxes. Fees are exclusive of taxes. Customer is responsible for all applicable sales, use, value-added, and similar taxes, excluding taxes based on DEAready's net income. Customer claiming a tax exemption will provide valid supporting documentation.
6.6 Non-payment, suspension, and the retention guardrail. If a charge fails, DEAready will provide notice and a cure period of at least ten (10) days. If the failure is not cured, DEAready may suspend Customer's access to read and write features and, after a further period, downgrade the account. Notwithstanding any suspension or downgrade, because the Service holds legally mandated controlled-substance records, DEAready will not delete Customer Data for non-payment and will continue to make Customer's records available for export on request (which may be provided through a read-only or export-only mode), so that non-payment never strands a registrant's legally required records.
6.7 Refunds. Except where Applicable Law requires otherwise, fees are non-refundable, and DEAready does not provide refunds or credits for partial subscription periods or for annual prepayments.
6.8 Disputes and chargebacks. Customer will contact DEAready at support@deaready.com to resolve any billing dispute before initiating a chargeback. DEAready may suspend the account during the pendency of an unresolved chargeback, subject to the export guardrail in Section 6.6.
7. Term, Termination, and Post-Cancellation Data Window
7.1 Term. The Agreement begins on Customer's acceptance and continues through each Subscription Term and renewal until terminated as provided in this Section 7.
7.2 Termination by Customer. Customer may cancel at any time using the self-service cancellation function (Section 6.4(b)). Cancellation takes effect at the end of the then-current paid period, and Customer has no obligation to pay for periods after the effective date of cancellation.
7.3 Termination by DEAready. DEAready may terminate or suspend the Agreement (a) for Customer's material breach that remains uncured thirty (30) days after written notice; (b) for non-payment as provided in Section 6.6; (c) immediately, for unlawful use, a violation of Section 9.4 that threatens the platform or other customers, or other egregious misconduct; or (d) on at least sixty (60) days' advance notice if DEAready discontinues the Service, in which case DEAready will provide the export window described in Section 7.4.
7.4 Post-cancellation data access and export commitment. On any termination or expiration, DEAready will maintain Customer Data in a retrievable, exportable state for a window of thirty (30) days, during which Customer may log in (at minimum to read and export its data) and download, at no additional charge, the complete verifiable export described in Section 5.3. If Customer's access has lapsed, DEAready will, on request made within the window, provide at least one export opportunity. After the thirty (30) day window closes, the records are retained under the retention and object-lock periods described in Section 7.5 but are no longer interactively accessible through the Service. This thirty (30) day window is consistent with the BAA.
7.5 After the window; reconciliation with retention law. After the access window in Section 7.4 closes, DEAready will return or destroy Customer Data as provided in the BAA, except for records subject to Controlled-Substance Retention Law and for object-locked Merkle Roots, which DEAready will retain under continued safeguards for the period required rather than destroy, invoking the BAA's provision permitting extended protection where return or destruction is infeasible. For clarity, cancellation does not immediately purge controlled-substance records: Applicable Law, and not DEAready, requires their retention, and during the retention period DEAready will hold those records securely and produce them to Customer or, where legally required, to a regulator. After the longest applicable retention period (a default of seven (7) years) and the seven (7) year object-lock period have expired, the retained data is destroyed in the manner described in Section 5.5 (de-identification and/or expiry of the object-lock retention period), not by per-customer key destruction.
7.6 Effect of termination. On termination, Customer's right to access the Service ends (subject to the window in Section 7.4), and all accrued and unpaid fees become immediately due. Sections 1.4, 2, 3, 4.1, 5, 6.5 through 6.8, 7.5, 7.6, 8, 9, and 10, and any other provision that by its nature should survive, survive termination or expiration.
8. Warranties, Disclaimers, Limitation of Liability, and Indemnification
8.1 Limited warranty. DEAready warrants that it will provide the Service with reasonable skill and care and that it will not materially decrease the core functionality of the Service during a paid Subscription Term. DEAready may publish availability or uptime goals; any such goal is a target only and does not constitute a service-level commitment or entitle Customer to credits unless a separate written service-level agreement so provides.
8.2 Disclaimer of warranties. EXCEPT FOR THE LIMITED WARRANTY IN SECTION 8.1, THE SERVICE IS PROVIDED "AS IS" AND "AS AVAILABLE," WITHOUT WARRANTIES OF ANY KIND, WHETHER EXPRESS, IMPLIED, OR STATUTORY, INCLUDING ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, AND NON-INFRINGEMENT. WITHOUT LIMITING THE FOREGOING, DEAREADY EXPRESSLY DISCLAIMS ANY WARRANTY THAT USE OF THE SERVICE WILL RESULT IN, ENSURE, OR MAINTAIN COMPLIANCE WITH THE CONTROLLED SUBSTANCES ACT, 21 CFR PARTS 1300–1321, THE HIPAA RULES, ANY STATE LAW, OR ANY REGULATOR'S EXPECTATIONS; THAT STATE-RULE ENCODINGS, DEADLINE PROMPTS, OR COMPLETENESS INDICATORS ARE CURRENT OR CORRECT; THAT ANY OUTPUT IS ACCURATE, COMPLETE, OR ACCEPTED BY ANY REGULATOR; OR THAT THE SERVICE WILL BE UNINTERRUPTED OR ERROR-FREE. This Section 8.2 reinforces and is in addition to the disclaimers in Section 3.
8.3 Limitation of liability.
(a) Exclusion of indirect damages. TO THE MAXIMUM EXTENT PERMITTED BY LAW, NEITHER PARTY WILL BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, EXEMPLARY, OR PUNITIVE DAMAGES, OR FOR ANY LOST PROFITS, LOST REVENUE, LOST DATA, LOST GOODWILL, REGULATORY FINES OR PENALTIES IMPOSED ON CUSTOMER, OR BUSINESS INTERRUPTION, ARISING OUT OF OR RELATING TO THE AGREEMENT, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
(b) Aggregate cap. TO THE MAXIMUM EXTENT PERMITTED BY LAW, EACH PARTY'S TOTAL AGGREGATE LIABILITY ARISING OUT OF OR RELATING TO THE AGREEMENT WILL NOT EXCEED THE GREATER OF (i) THE TOTAL FEES PAID BY CUSTOMER TO DEAREADY IN THE TWELVE (12) MONTHS PRECEDING THE EVENT GIVING RISE TO THE CLAIM, OR (ii) ONE THOUSAND U.S. DOLLARS ($1,000).
(c) Carve-outs from the cap and exclusions. The limitations in Sections 8.3(a) and 8.3(b) do not apply to: (i) Customer's payment obligations; (ii) Customer's indemnification obligations under Section 8.5; (iii) either party's breach of its confidentiality obligations under Section 9.3; (iv) a party's gross negligence, willful misconduct, or fraud; or (v) liability for breach of the BAA or for unauthorized use or disclosure of PHI, which is governed by Section 8.4.
8.4 BAA and HIPAA interaction. The parties intend that the limitations of liability in Section 8.3 do not limit, cap, or reduce DEAready's obligations or liability for the unauthorized use or disclosure of PHI or for breach of the BAA. Accordingly, liability arising out of or relating to the BAA, the HIPAA Rules, or the unauthorized use or disclosure of PHI is excluded from the aggregate cap in Section 8.3(b) and from the exclusion of indirect damages in Section 8.3(a). Nothing in these Terms limits, supersedes, or caps either party's obligations or liabilities under the BAA except as the BAA itself expressly provides. To the extent of any conflict between these Terms and the BAA regarding liability for PHI, the BAA controls. Customer acknowledges that DEAready, as a Business Associate, also has direct statutory liability under the HIPAA Rules that no contractual limitation purports to waive.
8.5 Indemnification.
(a) By DEAready. DEAready will defend Customer against any third-party claim alleging that the Service, as provided by DEAready and used in accordance with the Agreement, infringes a valid United States patent, copyright, or trademark or misappropriates a trade secret, and will indemnify Customer for damages and reasonable costs finally awarded against Customer (or agreed in settlement) on such a claim. If the Service becomes, or DEAready believes it may become, the subject of such a claim, DEAready may at its option procure the right for Customer to continue using the Service, modify or replace the Service to make it non-infringing, or terminate the affected subscription and refund any prepaid, unused fees. This Section 8.5(a) states DEAready's entire liability for intellectual-property infringement.
(b) By Customer. Customer will defend and indemnify DEAready against any third-party claim (including any claim by a regulator or a patient) arising out of or relating to: Customer Data; Customer's use of the Service in violation of Applicable Law; Customer's violation of any controlled-substance or HIPAA obligation; Customer's lack of authority to provide PHI or other Customer Data to DEAready; or Customer's breach of Sections 3, 4, or 9.4.
(c) Procedure. The indemnified party will (i) promptly notify the indemnifying party of the claim (provided that failure to do so does not relieve the indemnifying party except to the extent prejudiced), (ii) give the indemnifying party sole control of the defense and settlement (provided that no settlement imposing liability or obligation on the indemnified party may be entered without its prior written consent, not to be unreasonably withheld), and (iii) provide reasonable cooperation at the indemnifying party's expense.
9. Intellectual Property, Confidentiality, Acceptable Use, and Security
9.1 DEAready intellectual property. DEAready and its licensors own all right, title, and interest in and to the Service, including its software, platform, user interface, Documentation, state-rule encodings, templates, and any aggregated or de-identified analytics that DEAready derives in operating the Service. For purposes of this Section, "de-identified" data excludes all PHI and all Customer Data and is created in a manner that does not identify, and cannot reasonably be used to identify, any individual or Customer. Subject to the Agreement, DEAready grants Customer a limited, non-exclusive, non-transferable, revocable license to access and use the Service during the Term for Customer's internal business purposes. Customer will not reverse engineer, decompile, resell, sublicense, or white-label the Service, except to the extent this restriction is unenforceable under Applicable Law.
9.2 Customer Data and feedback. Customer retains ownership of Customer Data as provided in Section 5.1. If Customer provides suggestions or feedback about the Service, DEAready may use that feedback without restriction or obligation.
9.3 Confidentiality. Each party (as "Receiving Party") will protect the other party's "Confidential Information" using at least reasonable care, will use it only to perform under the Agreement, and will not disclose it except to representatives with a need to know who are bound by confidentiality obligations. "Confidential Information" excludes information that is or becomes public through no fault of the Receiving Party, was rightfully known without restriction before disclosure, is independently developed without use of the disclosing party's Confidential Information, or is rightfully received from a third party without restriction. The Receiving Party may disclose Confidential Information as required by law, provided it gives reasonable prior notice where lawful. PHI is governed by the BAA and not by this Section 9.3; to the extent of any conflict regarding PHI, the BAA controls.
9.4 Acceptable use and security. Customer will not, and will not permit any Authorized User or third party to: (a) circumvent or attempt to circumvent the Service's tenant-isolation controls (including per-organization row-level security) or access any other organization's data; (b) probe, scan, or test the vulnerability of the Service, or breach or attempt to breach its security or authentication, without DEAready's prior written authorization; (c) upload or transmit malware or malicious code; (d) scrape, harvest, or systematically extract data other than through supported export features; (e) overload, disrupt, or impair the Service or its infrastructure; or (f) use the Service to violate any law, facilitate diversion, or falsify any record. DEAready may suspend access, in whole or in part, to address a violation of this Section 9.4 that threatens the platform or other customers, subject to the export guardrail in Section 6.6. Customer will use the security controls the Service makes available, including multi-factor authentication and least-privilege role assignment.
9.5 Vulnerability reporting. Customer may report suspected security vulnerabilities to DEAready at support@deaready.com. DEAready will acknowledge and investigate good-faith reports.
10. General
10.1 Governing law. The Agreement, and any dispute arising out of or relating to it or the Service, is governed by the laws of the State of Missouri, excluding its conflict-of-laws rules, except where federal law (including the HIPAA Rules) governs, in which case federal law controls. The United Nations Convention on Contracts for the International Sale of Goods does not apply.
10.2 Dispute resolution; binding arbitration.
(a) Informal resolution first. Before initiating any formal proceeding, the parties will attempt in good faith to resolve any dispute through informal negotiation, beginning with written notice of the dispute and continuing for at least thirty (30) days.
(b) Binding arbitration. Except for the carve-outs in Section 10.2(e), any dispute, claim, or controversy arising out of or relating to the Agreement or the Service — including its breach, termination, enforcement, interpretation, or validity — that is not resolved through informal negotiation will be resolved by final and binding arbitration administered by the American Arbitration Association ("AAA") under its Commercial Arbitration Rules. Because the Agreement is a business-to-business agreement, the AAA's Supplementary Procedures for consumer-related disputes do not apply.
(c) Seat, arbitrator, and governing law of the arbitration. The seat and venue of the arbitration is Taney County (Branson), Missouri. The arbitration will be conducted before a single arbitrator. The arbitrator will apply Missouri law (and the substantive law otherwise specified in Section 10.1), and the Federal Arbitration Act (9 U.S.C. § 1 et seq.) governs the interpretation and enforcement of this agreement to arbitrate. The arbitrator may award any relief available in a court of competent jurisdiction, and judgment on the award may be entered in any court having jurisdiction.
(d) Confidentiality; costs. The arbitration, and all submissions, evidence, and the award, are confidential, except as necessary to confirm, vacate, or enforce the award or as otherwise required by law. Each party bears its own costs and attorneys' fees, except as the AAA Rules or the arbitrator otherwise provide.
(e) Carve-outs. Notwithstanding the agreement to arbitrate: (i) either party may bring an action for injunctive or other equitable relief, or an action to compel arbitration or to confirm, vacate, or enforce an arbitration award, in the state or federal courts located in Taney County, Missouri, and the parties consent to the personal jurisdiction and venue of those courts for those purposes and waive any objection to that venue; and (ii) either party may bring a qualifying claim in small-claims court.
(f) Class-action and class-arbitration waiver. DISPUTES ARE RESOLVED ONLY ON AN INDIVIDUAL BASIS. EACH PARTY WAIVES ANY RIGHT TO PARTICIPATE IN OR BRING A CLASS, COLLECTIVE, OR REPRESENTATIVE ACTION OR CLASS ARBITRATION against the other arising out of or relating to the Agreement. No arbitration may be consolidated or joined with any other proceeding without all parties' consent.
(g) Jury-trial waiver. To the extent any matter proceeds in court under Section 10.2(e) or otherwise, EACH PARTY WAIVES ANY RIGHT TO A JURY TRIAL in any proceeding arising out of or relating to the Agreement.
(h) Limitations period. Any claim arising out of or relating to the Agreement must be brought within one (1) year after the claim accrues, or it is permanently barred, except where Applicable Law prohibits such a limitation. This one-year period does not apply to claims arising under the Business Associate Agreement or under HIPAA, or to any claim for which a longer limitations period is required by Applicable Law, all of which are governed by the limitations period the law provides.
(i) PHI, HIPAA, and regulatory authority preserved. For matters concerning PHI, the HIPAA Rules and other federal law control as provided in Section 10.1 and the BAA, and nothing in this Section 10.2 limits, waives, or alters either party's statutory obligations under the HIPAA Rules or any regulator's authority. This Section 10.2 governs contract disputes between the parties and operates consistently with the BAA and the order of precedence in Section 10.8.
10.3 Changes to these Terms. DEAready may modify these Terms from time to time. For any material change, DEAready will provide advance notice by email and in-app notice not less than thirty (30) days before the change takes effect, and Customer's continued use of the Service after the effective date constitutes acceptance of the modified Terms. If a material change is adverse to Customer and takes effect during a paid Subscription Term, Customer may reject the change by cancelling the affected subscription without penalty before the change's effective date, and the prior version will govern until the end of the then-current paid period. DEAready maintains a version number and effective date in the header of these Terms and retains an archive of prior versions. This Section 10.3 operates together with the renewal- and price-change provisions in Section 6.4.
10.4 Assignment. Customer may not assign or transfer the Agreement without DEAready's prior written consent, except that Customer may assign it, on written notice, to a successor to all or substantially all of its practice or business. DEAready may assign the Agreement to an affiliate or in connection with a merger, acquisition, or sale of assets, provided that any assignee assumes DEAready's obligations under the BAA. Any prohibited assignment is void. The Agreement binds and benefits the parties' permitted successors and assigns.
10.5 Force majeure. Neither party is liable for any failure or delay in performance caused by events beyond its reasonable control, including acts of God, natural disasters, labor disputes, internet or utility failures, governmental action, and cloud-provider outages. Force majeure does not excuse (a) Customer's payment obligations, (b) either party's obligations to safeguard PHI under the BAA, or (c) DEAready's obligation to preserve and make exportable the records subject to Controlled-Substance Retention Law.
10.6 Entire agreement. The Agreement (these Terms, the Privacy Policy, the BAA, and any Order) is the entire agreement between the parties regarding the Service and supersedes all prior or contemporaneous agreements and understandings on that subject. Each document is cross-referenced rather than merged, and the order of precedence in Section 10.8 governs any conflict.
10.7 Miscellaneous. If any provision of the Agreement is held unenforceable, that provision will be limited or severed to the minimum extent necessary, and the remaining provisions will remain in full force. No waiver of any provision is effective unless in writing, and no failure to enforce any provision is a waiver of the right to enforce it later. Notices to Customer may be given by email to the account contact or by posting in the Service; notices to DEAready must be sent to DEAready LLC, 210 W Oklahoma St, Branson, MO 65616, with a copy to support@deaready.com. The parties are independent contractors, and nothing in the Agreement creates a partnership, joint venture, agency, or employment relationship. Section headings are for convenience only. The Agreement may be accepted electronically and in counterparts.
10.8 Order of precedence. In the event of any conflict among the documents constituting the Agreement, the following order of precedence governs:
- The BAA controls for any matter concerning PHI, the HIPAA Rules, or liability for the unauthorized use or disclosure of PHI (including over the limitation of liability in Section 8, consistent with Section 8.4).
- The Privacy Policy controls for descriptions of data collection, use, and Subprocessors, but does not establish any limitation of liability, warranty, or commercial term, which are governed by these Terms.
- These Terms control for all other matters, including commercial terms, intellectual property, general liability, and governing law.
- An Order controls over these Terms only as to the specific commercial terms it states (such as plan, price, and billing interval).
No document silently overrides another regarding liability for PHI; the precedence rule in this Section 10.8 and the carve-out in Section 8.4 together preserve the BAA's HIPAA protections.
OWNER MUST CONFIRM
The following items must be confirmed and filled in before publication:
- Insurance — these Terms assert no insurance policy or dollar amount. Confirm and, if desired, insert the actual administrative/cyber/professional-liability coverage carried as the business scales.
- Pricing accuracy (Section 6.1) — confirm the plan names and prices (Essentials $29/$290, Practice $79/$790, High-Volume $249/$2,490) match the live Stripe configuration before publication.
- Liability-cap floor (Section 8.3(b)) — set at $1,000; confirm or adjust, recognizing that bare trailing-12-month fees on the lowest plan are approximately $348.