Terms of Service — RXV1.1

RXV1.1 (a.k.a. “RxVerifier”) – MASTER TERMS OF SERVICE (For Business / Commercial Customers) Version: 1.0 Effective Date: 11/01/2025 These Master Terms of Service (“Master Terms”) govern access to and use of the RXV1.1 / RxVerifier software and related services (the “Service”) provided by CashFlow Solutions, LLC (“Provider”). These Master Terms are incorporated by reference into each Order Form (defined below). By signing an Order Form referencing these Master Terms, Customer agrees to be bound by them. If Customer does not agree to these Master Terms, Customer must not access or use the Service. 1. PARTIES This Agreement is between: (a) CashFlow Solutions, LLC, a Connecticut limited liability company (“Provider”); and (b) the business entity identified in the applicable Order Form (“Customer”). 2. STRUCTURE; ORDER FORMS; PRIORITY 2.1 Order Form Defined. “Order Form” means a written subscription/licensing agreement, software licensing and usage agreement, statement of work, or similar ordering document executed by Provider and Customer that specifies Commercial Terms (as defined below) and references these Master Terms. The Parties intend that Customer’s signed “RXV1.1 (RxVerifier) Software Licensing and Usage Agreement” (or similar) serves as the Order Form. 2.2 Commercial Terms. Commercial Terms include subscription term length, fees, billing cadence, Usage Limits, licensed locations, discounts, support tier, and any additional negotiated provisions. 2.3 Priority. If there is a conflict among documents, the following order of precedence applies: (1) the Order Form (including any exhibits attached to it), (2) these Master Terms, (3) the Documentation (defined below). The more specific term controls over a more general term. 3. DEFINITIONS 3.1 “Authorized Users” means Customer’s employees and authorized agents/contractors who have been issued access credentials by Customer or Provider and are permitted to use the Service solely for Customer’s internal business operations. 3.2 “Client Data” or “Customer Data” means all data, including images, files, personal data, and (if applicable) PHI, input into, uploaded to, or transmitted through the Service by Customer or its users. 3.3 “Documentation” means Provider’s written user guides, SOPs, training documents, and technical documentation relating to the Service. 3.4 “HIPAA” means the Health Insurance Portability and Accountability Act of 1996 and implementing regulations. 3.5 “PHI” means protected health information as defined by HIPAA, if applicable to Customer’s use. 3.6 “Service” means the RXV1.1 / RxVerifier remote verification platform, including associated web/mobile apps, reporting, and any Provider-hosted components or managed services. 3.7 “Usage Limits” means the usage limitations stated in the Order Form or Documentation (e.g., number of locations, users, transactions, images/day, storage, or API calls). 4. SUBSCRIPTION LICENSE GRANT 4.1 Access Rights. Subject to Customer’s payment of fees and compliance with this Agreement, Provider grants Customer a non-exclusive, non-transferable, limited right to access and use the Service during the Subscription Term solely for Customer’s internal business operations. 4.2 No Sublicensing / No External Sharing. Customer will not sublicense, white-label, or otherwise provide access to the Service to any third party, partner, affiliate, or entity not expressly permitted in the Order Form without Provider’s prior written consent. 4.3 Reservation of Rights. Provider retains all rights not expressly granted. 5. RESTRICTIONS; TRADE SECRET / NON-USE PROTECTIONS 5.1 Trade Secrets and Confidential Nature of Service. Customer acknowledges that the Service (including its structure, organization, source code, user interface, data models, workflow logic, SOPs, training materials, and underlying ideas) constitutes Provider’s valuable trade secrets and confidential information. Customer will not, directly or indirectly, and will ensure its employees/contractors/agents do not: (a) copy, modify, translate, adapt, or create derivative works of the Service or Documentation, except as expressly allowed in an Order Form (e.g., to obtain required regulator approval); (b) reverse engineer, decompile, disassemble, or attempt to derive or reconstruct source code, algorithms, file structures, or architecture; (c) access or use the Service to develop, train, benchmark, or operate any product or service that is competitive with or substantially similar to the Service, or to replicate any workflow/dashboard/verification process derived from the Service; (d) disclose, transfer, distribute, rent, lease, lend, assign, or otherwise make available the Service or any part thereof to any third party except as expressly authorized in writing by Provider; (e) bypass, disable, or interfere with any security mechanism, license management, rate limits, or usage-tracking feature; (f) remove, alter, or obscure any proprietary notices or confidentiality legends; or (g) publicly display or demonstrate the Service or Documentation except to Customer’s Authorized Users (and, if applicable, regulators) in the ordinary course of Customer’s internal operations. 5.2 Independent Development Carve-Out. Nothing in this Agreement prohibits Customer from developing software independently that is NOT based on or derived from Provider Confidential Information or trade secrets. However, Customer may not use Provider Confidential Information, Documentation, screenshots/recordings, or access to the Service as an input to such development. 5.3 Remedies for Misappropriation. Customer agrees that any breach of Section 5 may cause irreparable harm for which monetary damages may be inadequate. Provider is entitled to injunctive relief and all other remedies available at law or equity. 6. ACCEPTABLE USE; SECURITY 6.1 Account Security. Customer is responsible for maintaining the confidentiality of credentials, ensuring unique credentials per Authorized User, and all activities occurring under Customer accounts. 6.2 Customer Systems. Customer is responsible for its own devices, networks, identity provider configurations, and security controls necessary to access the Service, including Customer’s own Google Workspace security and access controls if Customer uses Google Workspace in connection with the Service. 6.3 Prohibited Conduct. Customer will not use the Service to transmit malware, attempt unauthorized access, disrupt the Service, or violate law. Provider may suspend access for security threats or material violations. 7. DATA RIGHTS; STORAGE; PRIVACY; SECURITY INCIDENTS 7.1 Ownership. As between the Parties, Customer owns Customer Data. Provider claims no ownership rights in Customer Data. 7.2 Processing to Provide Service. Provider may access, transmit, and process Customer Data only to provide, secure, maintain, and support the Service, to comply with law, and as instructed through Service functionality. 7.3 Storage Architecture. Unless otherwise stated in an Order Form, Customer Data may be stored in Customer’s systems (including Customer’s Google Workspace/Google Drive environment), and Provider may transmit limited data transiently to enable notifications and Service functionality. 7.4 Safeguards. Provider will implement reasonable administrative, technical, and physical safeguards designed to protect Customer Data from unauthorized access, use, or disclosure. 7.5 Security Incidents. Provider will notify Customer without undue delay after confirming a security incident that results in unauthorized access to Customer Data and will reasonably cooperate with Customer’s response. 8. HIPAA / PHI (IF APPLICABLE) 8.1 No PHI Without BAA (If Required). If Customer’s use involves PHI and Provider’s role makes Provider a “business associate” under HIPAA, the Parties must execute a Business Associate Agreement (“BAA”) before Provider processes PHI. The HIPAA Rules generally require appropriate business associate contracts in many vendor access scenarios, subject to exceptions. (See HHS guidance.) https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/index.html 8.2 Customer Responsibility. Customer is solely responsible for determining whether its use involves PHI and whether a BAA is required for its specific workflow and regulatory posture. 9. SUPPORT; SERVICE LEVELS; MAINTENANCE 9.1 Support. Provider will provide support as stated in the Order Form or Exhibit 1 (Support & Service Levels), if attached. 9.2 Maintenance Windows. Provider may perform scheduled maintenance as stated in the Order Form and may perform emergency maintenance when needed for security or operational integrity. 9.3 No Guarantee of Uninterrupted Service. Customer acknowledges that the Service may be unavailable at times due to maintenance, force majeure, or third-party outages (including third-party hosting or Google services, if applicable). 10. FEES; TAXES; PAYMENT 10.1 Fees. Customer will pay all fees as stated in the Order Form. Unless otherwise stated, invoices are due within fifteen (15) days and late payments may accrue interest at 1.5% per month or the maximum allowed by law, whichever is less. 10.2 Taxes. Customer is responsible for applicable taxes other than Provider’s income taxes. 10.3 No Setoff. Fees are non-refundable and not subject to setoff or counterclaim unless required by law or expressly stated in the Order Form. 11. TERM; RENEWAL; AUTORENEW NOTICE 11.1 Term. The Subscription Term is stated in the Order Form. 11.2 Automatic Renewal (If Applicable). If the Order Form provides for automatic renewal, the renewal will occur as described there unless either Party gives timely written notice of non-renewal. 11.3 Renewal Notice (If Applicable). Where required, Provider will provide renewal notice containing the procedure for cancellation within the timeframe required by applicable law and/or as stated in the Order Form. Connecticut’s automatic renewal statute for certain consumer contracts contains specific notice requirements, including timing parameters. https://law.justia.com/codes/connecticut/title-42/chapter-739/section-42-126b/ 12. SUSPENSION OF ACCESS 12.1 Suspension Rights. Provider may immediately suspend or restrict Customer’s access, in whole or part, upon written or electronic notice if: (a) any undisputed payment is more than sixty (60) days past due; (b) Provider reasonably believes Customer or any Authorized User has materially breached this Agreement, violated law, or engaged in conduct that may disrupt or compromise the security, integrity, or availability of the Service or data; or (c) Provider reasonably suspects unauthorized access, copying, misuse, or attempted misappropriation of the Service. 12.2 Payment Obligations Continue. Suspension does not relieve Customer of payment obligations during suspension. 12.3 Reinstatement. Provider will restore access promptly after the issue is cured to Provider’s reasonable satisfaction. 13. TERMINATION; EARLY TERMINATION ECONOMICS; EFFECTS 13.1 Termination for Cause. Either Party may terminate for uncured material breach upon written notice and an opportunity to cure as stated in the Order Form (or, if not stated, within thirty (30) days). 13.2 Early Termination Without Cause. If Customer terminates without cause before the end of the initial term, Customer will pay the remaining contract balance as stated in the Order Form (including any acceleration clause), unless a stated carve-out applies (e.g., regulatory changes making the Service unneeded, or termination within an initial trial/pilot period due to failure to meet agreed expectations), if and only if such carve-outs are expressly stated in the Order Form. 13.3 Effect of Termination. (a) Access to the Service ceases. (b) Customer remains responsible for all amounts accrued through the termination effective date and any accelerated amounts due under the Order Form. (c) Data return/deletion will occur as stated in the Order Form or Section 13.4. 13.4 Data Return/Deletion. Unless otherwise stated in the Order Form: (a) Upon Customer’s written request within thirty (30) days after termination, Provider will make Customer Data available for export in a reasonable format if feasible. (b) Provider will delete Customer Data within a commercially reasonable time after the export window, subject to legal, regulatory, security, and backup retention obligations. 14. CONFIDENTIALITY 14.1 Confidential Information. “Confidential Information” includes (i) the Service, Documentation, pricing, security details, and trade secrets of Provider; and (ii) Customer Data and Customer’s non-public business information. 14.2 Use and Protection. The receiving Party will use the disclosing Party’s Confidential Information only to perform obligations and exercise rights under this Agreement; will not disclose it to any third party except to personnel/contractors with a need to know who are bound by confidentiality obligations; and will protect it using reasonable care. 14.3 Exclusions. Confidentiality obligations do not apply to information that is publicly available without breach, already known without duty, independently developed without use of Confidential Information, or received lawfully from a third party without duty of confidentiality. 14.4 Compelled Disclosure. A Party may disclose Confidential Information if legally required, provided it gives reasonable notice (if permitted) and cooperates with efforts to limit disclosure. 15. INTELLECTUAL PROPERTY; FEEDBACK 15.1 Provider IP. Provider owns and retains all right, title, and interest in the Service, Documentation, and all related intellectual property and trade secrets. 15.2 Customer Data. Customer owns Customer Data. 15.3 Feedback. If Customer provides feedback or suggestions, Customer grants Provider a perpetual, irrevocable, royalty-free right to use it without restriction. 16. WARRANTIES; DISCLAIMERS 16.1 Mutual Authority. Each Party represents it has authority to enter into this Agreement. 16.2 Limited Warranty. Provider warrants it has rights to license the Service and will provide the Service in a professional and workmanlike manner. Provider does not warrant the Service will be error-free or uninterrupted. 16.3 DISCLAIMER. EXCEPT AS EXPRESSLY STATED, THE SERVICE IS PROVIDED “AS IS” AND PROVIDER DISCLAIMS ALL IMPLIED WARRANTIES INCLUDING MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT TO THE MAXIMUM EXTENT PERMITTED BY LAW. 16.4 No Medical/Legal Advice. The Service is a workflow and compliance-support tool and does not provide medical or legal advice. Customer is responsible for regulatory compliance decisions and professional judgment. 17. INDEMNIFICATION 17.1 By Customer. Customer will indemnify, defend, and hold harmless Provider from third-party claims arising out of (a) Customer Data, (b) Customer’s use of the Service in violation of this Agreement or law, or (c) Customer’s operations. 17.2 By Provider (Optional; only if included in Order Form). If the Order Form includes Provider IP indemnity, it will apply as stated there; otherwise no Provider IP indemnity is provided. 18. LIMITATION OF LIABILITY 18.1 Exclusion of Consequential Damages. To the maximum extent permitted by law, neither Party will be liable for indirect, incidental, special, consequential, or punitive damages, or lost profits/revenue, arising out of or relating to this Agreement. 18.2 Liability Cap. To the maximum extent permitted by law, each Party’s total liability will not exceed the fees paid by Customer to Provider under the applicable Order Form in the twelve (12) months preceding the event giving rise to liability. 18.3 Exceptions. Sections 18.1–18.2 do not limit liability for Customer’s payment obligations, willful misconduct, or a Party’s breach of confidentiality/trade secret obligations to the extent not waivable under law. 19. DISPUTE RESOLUTION; GOVERNING LAW; VENUE; INJUNCTIVE RELIEF 19.1 Governing Law. Connecticut law governs this Agreement without regard to conflict-of-law rules. 19.2 Venue. The Parties consent to exclusive jurisdiction and venue in state and federal courts located in New Haven County, Connecticut. 19.3 Injunctive Relief. A Party may seek injunctive relief to protect Confidential Information, trade secrets, and intellectual property. 20. ELECTRONIC SIGNATURES; COUNTERPARTS 20.1 Electronic Signatures. The Parties agree that electronic records and signatures are binding and effective, consistent with Connecticut’s Uniform Electronic Transactions Act. https://www.cga.ct.gov/2025/pub/chap_015.htm 20.2 Counterparts. This Agreement and any Order Form may be executed in counterparts, each of which is deemed an original. 21. MISCELLANEOUS 21.1 Force Majeure. Neither Party is liable for delay or failure due to events beyond its reasonable control (excluding payment obligations), including third-party outages. 21.2 Assignment. Neither Party may assign without the other’s written consent except to a successor in connection with a merger, acquisition, or sale of substantially all assets, provided the assignee agrees to be bound. 21.3 Entire Agreement. This Agreement plus all Order Forms constitute the entire agreement and supersede prior discussions. 21.4 Severability. If any provision is unenforceable, it will be modified to the minimum extent necessary and the remainder remains in effect. 21.5 No Waiver. A waiver must be in writing and applies only to the specific instance. EXHIBIT 1 – SUPPORT & SERVICE LEVELS If not stated in the Order Form, the following targets apply as non-binding goals: • Availability: 99% uptime target excluding scheduled maintenance and third-party outages. • Maintenance Window: Saturdays 2:00–5:00 a.m. Eastern Time (or as otherwise noticed). • Support Response Target: within 24 hours during normal business hours for standard support requests. EXHIBIT 2 – ACCEPTABLE USE POLICY Customer will not: (a) use the Service unlawfully or to process unlawfully collected data; (b) attempt unauthorized access, scanning, or penetration testing without written permission; (c) disrupt or interfere with the Service or its security controls; (d) share credentials or permit unlicensed users to access; (e) upload malicious code or content designed to harm systems or data. END OF MASTER TERMS