Privacy & Terms
How Soma protects your data and the terms that govern our platform.
All documents are maintained with transparency and updated regularly.
Terms of Service
Terms and conditions governing the Soma platform
Updated: June 8, 2026
SOMA TERMS OF SERVICE
PLEASE READ THESE TERMS OF SERVICE CAREFULLY. BY CLICKING "ACCEPTED AND AGREED TO," CUSTOMER AGREES TO THESE TERMS AND CONDITIONS.
These Terms of Service constitute an agreement (this "Agreement") by and between Soma Health Solutions Inc., a corporation whose principal place of business is 100 Signal Hill Road, St. John's, NL, A1A 1B3, Canada ("Soma") and the corporation, LLC, partnership, sole proprietorship, other business entity, or individual executing this Agreement ("Customer"), each a "Party" and collectively the "Parties".
This Agreement is effective as of the date Customer clicks "Accepted and Agreed To" (the "Effective Date"). Customer's use of, and Soma's provision of, the Platform (as defined below in Section 1.1(o)) are both governed by this Agreement.
THE CUSTOMER ACKNOWLEDGES THAT IT HAS READ THIS AGREEMENT, UNDERSTANDS IT, AND AGREES TO BE BOUND BY ITS TERMS, AND THAT THE PERSON SIGNING ON ITS BEHALF HAS BEEN AUTHORIZED TO DO SO.
DEFINITIONS
1.1 Definitions.
In this Agreement, the following terms will have the following meanings:
- "Access Credentials" means any user name, identification number, password, license or security key, security token, personal identification number (PIN) or other security code, method, technology or device used, alone or in combination, to verify an individual's identity and authorization to access and use the Services.
- "AI" means artificial intelligence.
- "BAA" means the Business Associate Agreement executed between Soma and the Customer where the Customer is a Covered Entity under HIPAA, if applicable.
- "Customer Data" means information, data, documents, materials, works, and other content (including Personal Information and Personal Health Information), devices, methods, processes, hardware, software, and other technologies and inventions, in any form or medium, that is collected, downloaded or otherwise received, accessed, or obtained, directly or indirectly from Customer by or through the Platform or that incorporates or is derived from the Processing of such information, data or content by or through the Services.
- "Customer Employee" means any Customer employee that the Customer has selected to receive access to the Platform.
- "Customer Systems" means Customer's information technology infrastructure, including computers, software, hardware, databases, electronic systems (including database management systems), networks and internet connectivity, whether operated directly by Customer or through the use of third-party services.
- "DPA" means the Data Processing Agreement executed between Soma and the Customer.
- "Governmental Authority" means any federal, state, county, city, provincial, territorial, municipal or foreign government or political subdivision thereof, or any agency or instrumentality of such government or political subdivision, or any self-regulated organization or other non-governmental regulatory authority or quasi-governmental authority (to the extent that the rules, regulations or orders of such organization or authority have the force of Law), or any arbitrator, court or tribunal of competent jurisdiction.
- "Governmental Order" means any order, writ, judgment, injunction, decree, stipulation, award or determination entered by or with any Governmental Authority.
- "IP Rights" means any and all registered and unregistered intellectual property rights granted, applied for or otherwise now or hereafter in existence under or related to any patent, copyright, trade-mark, trade secret, moral right, database protection or other intellectual property rights laws, and all similar or equivalent rights or forms of protection in any part of the world.
- "Law" means any law, policy, statute, ordinance, regulation, rule, code, constitution, treaty, common law, Governmental Order or other requirement or rule of law of any Governmental Authority applicable to the provision of Services under this Agreement.
- "Losses" means all losses, damages, liabilities, deficiencies, claims, actions, judgments, settlements, interest, awards, penalties, fines, costs or expenses of whatever kind, including reasonable legal fees, disbursements and charges, and the cost of enforcing any right to indemnification hereunder.
- "Order" means a subscription, in whatever form, to the Platform and certain specified product features and services.
- "Output" means any content, text, analysis, report draft, clinical note draft, score, or other result generated by or through the Platform's AI-powered features in response to Customer Data inputs.
- "Party" means Soma or Customer, as the case may be, who are collectively the "Parties".
- "Patient Data" means Personal Information and Personal Health Information about patients or clients of the Customer that the Customer provides to, or causes to be processed through, the Platform. For purposes of any executed DPA or BAA, references to "Patient Data" in those agreements correspond to this defined term.
- "Person" means an individual, corporation, partnership, unlimited liability company, Governmental Authority, unincorporated organization, trust, association or any other entity.
- "Personal Information" means any information that, individually or in combination, does or can identify a natural person, or by or from which a natural person may be identified, contacted or located.
- "Personal Health Information" means identifiable health information about a person in any form, including physical records, electronic records, or spoken information, as well as any prescribed categories of health information, by statute or regulation, in force in that person's jurisdiction.
- "Platform" means the Soma software application or applications and any third-party or other software that Soma provides remote access to, and use of, as part of the Services, and all new versions, updates, revisions, improvements and modifications of the foregoing.
- "Process" means to take any action or perform any operation or set of operations that the Services are capable of taking or performing on any data, information or other content, including to collect, receive, input, upload, download, record, reproduce, store, organize, compile, combine, log, catalog, cross-reference, manage, maintain, copy, adapt, alter, translate or make other derivative works or improvements, process, retrieve, output, consult, use, perform, display, disseminate, transmit, submit, post, transfer, disclose or otherwise provide or make available, or block, erase or destroy, and "Processing" and "Processed" have correlative meanings.
- "Provider" means a licenced and qualified health care professional who provides Services through the Platform.
- "Regulated Data" means, collectively, Personal Information and Personal Health Information. For purposes of any executed DPA or BAA, references to "Regulated Data" in those agreements correspond to this defined term.
- "Representatives" means, with respect to a party, that party, its affiliates, and their respective employees, officers, directors, consultants, agents, independent contractors, subcontractors, and legal advisors.
- "Session Recording" means the Platform feature that enables a Provider to record audio of a patient or client session for the purpose of generating real-time or post-session transcripts and AI-assisted drafting of clinical notes or reports.
- "Soma Personnel" means all individuals involved in the performance of Services as employees, agents or independent contractors of Soma.
- "Soma Systems" means the information technology infrastructure used by or on behalf of Soma in performing the Services, including all computers, software, hardware, databases, electronic systems (including database management systems) and networks, whether operated directly by Soma or through Soma's use of third-party services.
- "Third-Party AI Services" means the artificial intelligence services provided by third-party vendors that Soma integrates with the Platform to deliver AI-powered features, accessed exclusively through Amazon Web Services Bedrock and currently limited to large-language-model services provided by Anthropic, PBC.
PLATFORM AND SERVICES
2.1 Authorization to Access and Use Platform.
Soma hereby grants to Customer and the Customer Employees the non-exclusive and non-transferable (except as set forth herein) authorization to access and use the Platform to receive the Services as set forth in an Order in accordance with the conditions and limitations set forth in this Agreement.
2.2 Services.
Subject to compliance with the terms of this Agreement by Customer, during the Term, Soma will provide to Customer the services described in an Order (the "Services").
2.3 Authorization Limitations and Restrictions.
Customer will not, and will not authorize any Customer Employee or other Person to, access or use the Platform or the Services except as expressly permitted by this Agreement; for clarity, Customer and Customer Employees will not, except as this Agreement expressly permits:
- intentionally input false, misleading, or deceptive data into the Platform, nor attempt to manipulate the Platform into generating clinical diagnoses or treatment plans (including prompting Soma to produce differential diagnoses or any other diagnostic conclusions);
- copy, modify or create derivative works or improvements of the Platform;
- sell, licence/sublicense, assign, distribute, publish, transfer or otherwise make available the Platform (or any part of it) to any third party, including on or in connection with any software as a service, cloud, or other technology or service;
- reverse engineer, disassemble, decompile, decode, adapt or otherwise attempt to derive or gain access to the source code of the Platform, or any part thereof;
- bypass or breach any security protocols connected to the Soma Systems to access or use the Platform;
- intentionally input, upload, transmit, or otherwise provide to or through the Platform any harmful or malicious code;
- intentionally or recklessly damage, destroy, disrupt, disable, impair, interfere with, or otherwise impede or harm in any manner the Platform or Soma's provision of services to any third party;
- remove, delete, alter or obscure any copyright, trademark, patent or other intellectual property or proprietary rights notices on the Platform;
- access or use the Platform in order to infringe, misappropriate, or otherwise violate any IP Right of any third party;
- access or use the Platform for purposes of competitive analysis of the Services, including the development, provision, or use of a competing software service or product; or
- use any Output or other data or information derived from the Platform to train, fine-tune, or otherwise develop any artificial-intelligence or machine-learning model for use in a product or service that competes with the Platform.
2.4 Session Recording.
Where the Customer enables the Session Recording feature for any patient or client session, the following terms apply:
- Consent. The Customer (acting through the Provider) must obtain explicit consent from the patient or client (or the patient's or client's authorized representative in the case of minors or incapacitated individuals) before recording begins. Consent may be obtained in writing, electronically, or through the consent confirmation mechanism provided in the Platform. The Customer's obligations with respect to consent are described in greater detail in any executed DPA and Section 7.3 of this Agreement.
- Audio Processing in Transit. Audio is transmitted via TLS to a zero-retention transcription endpoint operated by Soma or by an authorized transcription sub-processor, transcribed in real time, and discarded at the transcription tier without persistent storage. Soma does not retain raw audio recordings at rest in its infrastructure.
- Transcript Retention. Only the resulting transcripts and any AI-generated summaries derived from them are retained, in each case at rest within Canada in accordance with Section 4.9, and may be summarized for clinical-note or report drafts.
- Use Restrictions. Transcripts and AI-generated derivatives from Session Recording will not be used for any purpose other than the provision of Services to the Customer, in accordance with Section 4.1(b) and any executed DPA. They will not be used to train, fine-tune, or improve any AI model.
- Provider Responsibility. Once transcripts or AI-generated derivatives are accessible to a Provider in the Platform, the Provider is solely responsible for storing, securing, and using the data in compliance with all applicable laws, regulations, and professional standards, and for retaining or disposing of such data according to applicable retention requirements. Soma's role is limited to secure transmission, real-time audio processing, transcript storage, and AI-assisted drafting as described in this Agreement.
2.5 System Control.
Except as otherwise expressly provided in this Agreement, as between the Parties:
- Soma has and will retain sole control over the hosting, operation, provision, management, and maintenance of the Platform, including the: (i) Soma Systems; (ii) technology used to deploy the Services; (iii) modification of the Platform; and (iv) performance of support services and maintenance, upgrades, corrections, and repairs to the Platform.
- Customer has and will retain sole control over the operation, management, and maintenance of, and all access to and use of, the Customer Systems, and sole responsibility for all access to, and use of, the Services provided by Soma by any Person through the Customer Systems, including any: (i) information, instructions or materials provided by any of them to Soma; (ii) results obtained from any use of the Services; and (iii) conclusions, decisions or actions based on such use.
2.6 Customer Systems and Cooperation.
Customer will at all times during the Term:
- set up, maintain, and operate in good repair all Customer Systems on or through which the Services are accessed or used;
- provide Soma Personnel with such access to Customer Systems as is necessary for Soma to perform the Services in accordance with the Availability Requirement; and
- provide all cooperation and assistance as Soma may reasonably request to enable Soma to exercise its rights and perform its obligations under and in connection with this Agreement.
2.7 Effect of Customer Failure or Delay.
Soma is not responsible or liable for any delay or failure in performing the Services caused in whole or in part by Customer's delay in performing, or failure to perform, any of its obligations set forth in Section 2.6 above (each, a "Customer Failure").
2.8 Changes.
Provided that the Services are not materially degraded or removed, Soma reserves the right, in its discretion, to make improvements to the Platform that it deems necessary or useful to:
- maintain or enhance the quality or delivery of Soma's services to its customers, the competitive strength of or market for Soma's services, or the cost efficiency or performance of the Services; or
- comply with applicable Law.
2.9 Subcontractors.
Soma may use the services of subcontractors (also referred to as sub-processors in any executed DPA) to deliver Services ("Subcontractors"). Soma independently vets all of its Subcontractors and agrees that as between the Parties, it will remain fully responsible for the performance of all Subcontractors, including the handling of any (i) Personal Health Information, or (ii) Customer's Confidential Information. Each Subcontractor that processes Regulated Data is bound by a written agreement containing data-protection, confidentiality, and security obligations no less protective than those Soma has undertaken to Customer under this Agreement and any executed DPA and BAA. The current list of Soma's Subcontractors is published at the Sub-processors page referenced in Soma's Privacy Policy, and may be updated from time to time in accordance with the notice procedure in the DPA. Customer may request at any time that Soma investigate and address any issues that Customer identifies with any Subcontractors.
2.10 Suspension Rights.
Soma may suspend or otherwise deny access to, or use of, all or any part of the Platform by Customer or any other Person, and/or suspend its provision of any related Services, all without any resulting obligation or liability, if:
- Soma receives a Governmental Order that specifically requires Soma to do so;
- Customer fails to pay Fees (defined below) on time;
- Soma has reasonable grounds to suspect and/or sufficient evidence that:
- Customer has breached the terms of section 2.3;
- Customer has used the Platform to further any other fraudulent, misleading, or unlawful activities relating to or in connection with any of the Services; or
- this Agreement expires, or is terminated; or
- Soma has a reasonable basis to believe Customer is processing Patient Data, or using the Session Recording feature, in violation of applicable consent or lawful-basis requirements. Soma will provide written notice and, where feasible, an opportunity to cure prior to suspension under this Section 2.10(d).
This Section 2.10 does not limit any of Soma's other rights or remedies, whether at Law, in equity or under this Agreement.
2.11 Service Levels.
Subject to the terms and conditions of this Agreement:
- For the purposes of this section, "Available" means the Platform is available for access and use by Customer.
- Soma will make the Platform Available at least 99.9% of the time (the "Availability Requirement") as measured over the course of each calendar month during the Term (each such calendar month, a "Service Period"), excluding unavailability as a result of any of the exceptions described in Section 2.11(c). Customer will have the right to terminate the Agreement if the Availability Requirement is not met twice in a 6 month period and will be entitled to receive a refund of fees paid for the unused term.
- For purposes of calculating the Availability Requirement, the following are exceptions to the Availability Requirement:
- any act or omission by Customer, use of the Platform by Customer, or using Customer's Access Credentials, in a manner contravening this Agreement;
- any Customer Failure;
- loss of Internet connectivity of Customer;
- any Force Majeure Event;
- any suspension or disabling of the Services under section 2.10; or
- any scheduled maintenance windows for which Soma has provided Customer with prior written notice of at least twenty-four (24) hours.
FEES AND PAYMENT TERMS
3.1 Fees.
Customer will pay Soma the fees set forth in an Order (the "Fees") in accordance with this ARTICLE III.
3.2 Fee Increases.
Soma reserves the right, in its sole discretion, to increase the Fees applicable to the next Renewal Term upon at least thirty (30) days' written notice to Customer prior to the commencement of such Renewal Term, and any Order will be deemed to be amended accordingly.
3.3 Taxes.
All Fees and other amounts payable by Customer under this Agreement are exclusive of taxes and similar assessments, unless expressly stated otherwise. Without limiting the foregoing, Customer is responsible for all taxes of any kind imposed by any Governmental Authority on any amounts payable by Customer hereunder.
3.4 Payment.
Customer will pay all Fees as set out in an Order. Customer will make all payments hereunder in Canadian dollars by cheque, wire transfer or electronic funds transfer. Customer will make payments to the address or account specified in an Order or such other address or account as Soma may specify in writing from time to time.
3.5 Late Payment.
Any Fees that remain unpaid after thirty (30) days after they initially become due and payable will be considered in arrears, at which time Soma will be entitled to:
- charge interest after the due date at a rate of 1% per month, compounded monthly; and/or
- suspend performance of, and access to, the Services to Customer until all past due amounts and interest thereon have been paid, without incurring any obligation or liability to Customer or any other Person by reason of such suspension.
3.6 No Deductions or Set-Offs.
All amounts payable to Soma under this Agreement will be paid by Customer to Soma in full without any set-off, recoupment, counterclaim, deduction, debit or withholding for any reason.
DATA PRIVACY & SECURITY
4.1 Ownership and Use of Customer Data.
- Customer owns its Customer Data, and retains all related rights, title and interests. Customer also owns any Output generated through the Services from Customer Data inputs.
- During the Term, Customer hereby grants Soma a non-exclusive, non-sublicensable, non-transferable, royalty-free and revocable right and license to access, use, and Process Customer Data as required to perform the Services or comply with applicable Law. Soma will not use Customer Data for any other purpose, including to train, fine-tune, or improve any AI model, except with the Customer's prior written authorization as described in any executed DPA.
4.2 Soma Systems and Data Security Measures.
- Soma will implement appropriate security controls and safeguards to prevent the disclosure, alteration, or misuse of Customer Data that is in its care or custody and/or Processed by Soma Systems, in each case in compliance with the terms of this Agreement and any applicable Law. These controls currently include AES-256 encryption at rest, TLS 1.2 or higher in transit, enforced multi-factor authentication for administrative access, role-based access controls with least-privilege defaults, and logging and monitoring of administrative and security-relevant events.
- Soma will protect Customer Data with the same degree of care and diligence that Soma uses to protect and safeguard its own like information, but not less than a reasonable degree of care and/or the protection standards set forth under applicable Law.
- Soma will not permit Customer Data to be transferred outside of Soma Systems by or on behalf of Soma unless the Customer Data is suitably encrypted.
4.3 Customer Control and Responsibility.
Customer has and will retain sole responsibility for: (a) all information, instructions, and materials provided by or on behalf of Customer in connection with the Services; (b) Customer Systems; (c) the security and use of Access Credentials of Customer; and (d) all access to and use of the Platform through the Customer Systems, with or without Customer's knowledge or consent, including all results obtained from, and all conclusions, decisions and actions based on, such access or use.
4.4 Access and Security.
Customer will employ all physical, administrative, and technical controls, screening and security procedures and other safeguards necessary to: (a) securely administer the distribution and use of all Access Credentials and protect against any unauthorized access to, or use of, the Services; and (b) control the content and use of Customer Data, including the uploading or other provision of Customer Data to the Platform.
4.5 Data Anonymization and Aggregation.
Customer acknowledges that Soma may anonymize Customer Data, and use such anonymized data (including in aggregate form), for Soma's legitimate internal business purposes, subject to the no-secondary-use commitments in any executed DPA. For any anonymized data derived from Personal Information or Personal Health Information, Soma holds the responsibility of ensuring that (i) the anonymization is performed to industry standards, and (ii) the anonymized data cannot reasonably be re-identified to a natural person.
4.6 Personal Information and Personal Health Information – General Compliance.
- Each Party will comply with all applicable Law regarding their respective responsibilities involving the collection, use and disclosure of Personal Information and Personal Health Information, including the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial health-privacy legislation. The Customer is responsible for ensuring that its collection, use, and provision of Personal Information and Personal Health Information to the Platform complies with all applicable Law, including obtaining any required patient or client consent. Soma is responsible for the secure storage and encryption of such information as described in this Agreement and in any executed DPA and BAA.
- Each Party understands and agrees that amendments to this Agreement may be required to comply with legislative changes regarding Personal Information and/or Personal Health Information. The Parties agree to negotiate in good faith any amendment to this Agreement as required to comply with applicable Law regarding Personal Information or Personal Health Information.
- Unless otherwise expressly consented to, Soma will only collect, use and disclose Personal Information as required to provide the Services or as otherwise described in this Agreement.
4.7 Data Storage and Backup.
- Soma will implement reasonable technical and organizational measures to ensure the secure storage of Customer Data, Personal Information, and Personal Health Information uploaded to the Platform.
- Notwithstanding section 4.7(a), the Services do not replace the need for Customer to maintain regular data backups or redundant data archives regarding its Customer Data.
4.8 Data Breach Procedures.
- Soma will advise the Customer without unreasonable delay, and in any event no later than seventy-two (72) hours of becoming aware of the incident where reasonably practicable, or as otherwise required under applicable Law (whichever is sooner), of any circumstances, whether known or suspected, of any data breach relating to Customer Data, including any circumstances, incidents or events which have jeopardized, or may jeopardize the security of Soma Systems used to access the Customer Data (each a "Data Incident"). Such notification will include, to the extent known, the nature and scope of the breach, the categories and specific Customer Data affected, the remedial measures taken or planned, and recommended protective actions that Customer may take. For Customers that have executed a BAA, the breach-reporting procedures in that BAA apply in parallel where the same incident also constitutes a Breach of Unsecured PHI under HIPAA.
- Soma will implement containment measures on the occurrence of a Data Incident, and will take all steps and measures as may be necessary in accordance with the Law to remedy the Data Incident.
- Soma will assist Customer, at Customer's direction, with any access requests, questions, complaints, audits, or any investigations related to any Data Incidents.
4.9 Data Residency.
All Customer Data at rest is stored exclusively in Canada. Operational database and managed-service data is hosted on Supabase in Canada (Central) — AWS ca-central-1; object storage, computed artefacts, transcripts, and AI-generated derivatives are stored on Amazon Web Services ca-central-1, Montreal. Certain AI-powered features may require limited transient processing of Customer Data outside of Canada by third-party service providers, as described in Article XI. In all such cases, Customer Data is not retained at rest by the third-party service provider after processing is complete, and processing is governed by executed Business Associate Agreements and zero-retention configurations. All data transmitted to third-party services is encrypted in transit using industry-standard encryption protocols.
IP RIGHTS
5.1 Soma's Intellectual Property.
As between Customer and Soma, all rights to the Platform, including all IP Rights therein, are and will remain with Soma. Customer acknowledges and agrees that it has no right, license or authorization with respect to the Platform (including any IP Rights therein) except as expressly set forth in section 2.1, in each case subject to section 2.3. All other rights in and to the Platform are expressly reserved by Soma.
5.2 Customer's Intellectual Property.
Customer will be the sole and exclusive owner of its intellectual property, including any related IP Rights and the Customer Materials.
5.3 Feedback.
Soma has the right to use or incorporate for its own business purposes any suggestions, enhancement requests, recommendations or other feedback related to the Platform or the Services provided by Customer, Customer Employees, or patients (as long as they do not constitute Confidential Information of the Customer).
5.4 Use of Customer Trademarks.
Customer consents to Soma using Customer's trademarks as part of Soma's marketing materials, promotional materials, proposals, or similar materials. Customer may revoke such consent by written notice to Soma.
CONFIDENTIALITY
6.1 Confidential Information.
- In connection with this Agreement each party (as the "Disclosing Party") may disclose or make available Confidential Information to the other party (as the "Receiving Party").
- Subject to Section 6.2, "Confidential Information" means information in any form or medium (whether oral, written, electronic or other) that the Disclosing Party considers confidential, commercially sensitive, or proprietary, including:
- information consisting of, or relating to, the Disclosing Party's technology and intellectual property;
- Personal Information and Personal Health Information;
- trade secrets;
- unfiled patents, trade-marks, copyrights, technical expertise and know-how;
- business operations, financial information, plans, strategies, suppliers, customers, and pricing; and
- any other information with respect to which the Disclosing Party has contractual or other confidentiality obligations, in each case whether or not marked, designated or otherwise identified as "confidential".
- Without limiting section 6.1(b), Customer Data is the Confidential Information of Customer, and the financial terms and existence of this Agreement are the Confidential Information of both Soma and Customer.
6.2 Exclusions.
Confidential Information does not include the following:
- any information that has been lawfully acquired by the Receiving Party in advance, the evidence of which is substantiated in writing;
- any public information not attributable to the fault of the Receiving Party;
- any information lawfully acquired by the Receiving Party through other sources after its receipt of such information.
6.3 Protection of Confidential Information.
As a condition to being provided with any disclosure of or access to Confidential Information, the Receiving Party will:
- not access or use Confidential Information other than as necessary to exercise its rights or perform its obligations under and in accordance with this Agreement;
- except as may be permitted by and subject to its compliance with section 6.4, not disclose or permit access to Confidential Information other than to its Representatives who:
- need to know such Confidential Information for purposes of the Receiving Party's exercise of its rights or performance of its obligations under and in accordance with this Agreement;
- have been informed of the confidential nature of the Confidential Information and the Receiving Party's obligations under this Section 6.3; and
- are bound by confidentiality and restricted use obligations at least as protective of the Confidential Information as the terms set forth in this Section 6.3;
- safeguard the Confidential Information from unauthorized use, access, or disclosure using at least the degree of care it uses to protect its similarly sensitive information and in no event less than a reasonable degree of care; and
- ensure its Representatives' compliance with, and be responsible and liable for any of its Representatives' non-compliance with, the terms of this ARTICLE VI.
6.4 Compelled Disclosures.
- If the Receiving Party or any of its Representatives is compelled by applicable Law to disclose any Confidential Information, then, to the extent permitted by applicable Law, the Receiving Party will:
- promptly, and before such disclosure, notify the Disclosing Party in writing of such requirement so that the Disclosing Party can seek a protective order or other remedy or waive its rights under Section 6.3; and
- provide reasonable assistance to the Disclosing Party, at the Disclosing Party's sole cost and expense, in opposing such disclosure or seeking an injunction, a protective order or other limitations on disclosure.
- If the Disclosing Party waives compliance or, after providing the notice and assistance required under this section 6.4, the Receiving Party remains required by Law to disclose any Confidential Information, the Receiving Party will disclose only that portion of the Confidential Information that the Receiving Party is legally required to disclose.
REPRESENTATIONS & DISCLAIMERS
7.1 Mutual Representations.
Each Party hereby represents to and with the other Party the following, with the intent that such other Party will rely on them in entering into this Agreement:
- It has the power and capacity and good and sufficient right and authority to enter into this Agreement on its terms and conditions, and has (and agrees to maintain during the Term), the financial and other ability, power, and authority to fulfill and perform its obligations and to carry out the terms of this Agreement; and
- This Agreement constitutes a legal, valid, and binding obligation of it, enforceable against it in accordance with its terms and conditions.
7.2 Soma Representations.
Soma represents to Customer that:
- Services will be provided in a professional and workmanlike manner;
- Soma will comply with all third party licenses and restrictions as required to deliver the Services; and
- The Platform does not infringe, misappropriate, or otherwise violate any IP Rights of any third party.
7.3 Customer Representations.
Customer represents and warrants to Soma that:
- Customer owns or otherwise has, and will have, all necessary rights, consents, and lawful authority in and relating to its own Customer Data and any Patient Data (including Personal Information and Personal Health Information) so that, as received by Soma and Processed in accordance with this Agreement and any executed DPA and BAA, the Parties will not infringe, misappropriate or otherwise violate any IP Rights, or any privacy or other rights of any Person, or violate any applicable Law due to the Customer's use or disclosure of Customer Data or Patient Data in connection with the Services; and
- without limiting Section 7.3(a), where Customer enables the Session Recording feature, Customer has obtained all consents required from the patient, client, or their authorized representative for the recording, transcription, and processing of session audio under all applicable Law, including the Health Insurance Portability and Accountability Act (HIPAA) and applicable U.S. state laws governing recording and consent (including two-party-consent jurisdictions), the Personal Information Protection and Electronic Documents Act (PIPEDA), and applicable provincial health-privacy laws.
7.4 Disclaimers.
- EXCEPT AS SET FORTH HEREIN, SOMA HEREBY DISCLAIMS ALL CONDITIONS AND WARRANTIES, WHETHER IMPLIED, STATUTORY OR OTHERWISE UNDER THIS AGREEMENT, AND SOMA SPECIFICALLY DISCLAIMS ALL IMPLIED CONDITIONS AND WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, AND ALL WARRANTIES ARISING FROM COURSE OF DEALING, USAGE OR TRADE PRACTICE.
- WITHOUT LIMITING THE FOREGOING AND EXCEPT AS SET FORTH IN THIS AGREEMENT, SOMA MAKES NO CONDITION OR WARRANTY OF ANY KIND THAT THE PLATFORM OR SERVICES, OR RESULTS OF THE USE THEREOF, WILL: (i) MEET CUSTOMER'S OR ANY OTHER PERSON'S REQUIREMENTS; (ii) BE COMPATIBLE OR WORK WITH ANY OTHER SOFTWARE, SYSTEM OR SERVICES, EXCEPT TO THE EXTENT EXPRESSLY SET FORTH IN THIS AGREEMENT, (iii) BE ERROR-FREE, UNINTERRUPTED, OR FREE FROM DEFECTS, OR (iv) ACHIEVE ANY INTENDED RESULT.
- THE OUTPUT IS INTENDED TO PROVIDE PRACTICAL AND USEFUL INFORMATION ON THE SUBJECT MATTER COVERED BASED ON CUSTOMER PROMPTS AND OTHER INPUTS. WHILE SUCH OUTPUT MAY CONCERN ISSUES RELATED TO PROFESSIONAL SERVICES OR DOCUMENTS, SUCH CONTENT IS NOT FORMAL PROFESSIONAL ADVICE. CUSTOMER WILL NOT RELY ON ANY OUTPUT OF THE SOMA AI PLATFORM WITHOUT SEEKING THE ADVICE OF, AND/OR VETTING ANY OUTPUT THROUGH, A DULY LICENSED AND QUALIFIED PROFESSIONAL IN THE APPLICABLE SUBJECT MATTER. CUSTOMER MUST ALSO REVIEW ALL AI-TRANSCRIBED CONTENT BEFORE USING IT IN CLINICAL RECORDS OR COMMUNICATIONS. SOMA EXPRESSLY DISCLAIMS ALL LIABILITY IN RESPECT OF CUSTOMER ACTIONS TAKEN OR NOT TAKEN BASED ON ANY OUTPUT, OR OTHERWISE IN CONNECTION WITH CUSTOMER'S USE OF THE PLATFORM. SOMA'S PROVISION OF THE PLATFORM, INCLUDING ALL RELATED OUTPUT, IS FOR GENERAL INFORMATIONAL PURPOSES ONLY. CUSTOMER ACKNOWLEDGES AND AGREES THAT IT IS NOT, AND IS NOT INTENDED TO, CONSTITUTE FORMAL PROFESSIONAL ADVICE.
- CUSTOMER UNDERSTANDS THAT IT IS ULTIMATELY RESPONSIBLE FOR ALL DECISIONS MADE, ACTIONS TAKEN, AND FAILURES TO TAKE ACTION BASED ON CUSTOMER'S USE OF THE PLATFORM, WHICH USES AI TO GENERATE PREDICTIONS BASED ON PATTERNS IN DATA. OUTPUT GENERATED BY AI IS PROBABILISTIC AND SHOULD BE EVALUATED FOR ACCURACY AS APPROPRIATE FOR YOUR USE CASE, INCLUDING BY ENSURING QUALIFIED PROFESSIONAL REVIEW OF SUCH OUTPUT.
- CUSTOMER IS SOLELY RESPONSIBLE FOR ENSURING THAT ITS USE OF THE SERVICES COMPLIES WITH ALL RELEVANT LAWS AND STANDARDS, INCLUDING DATA PRIVACY AND INFORMED CONSENT REQUIREMENTS.
- THE PLATFORM IS NOT CLASSIFIED AS A MEDICAL DEVICE UNDER HEALTH CANADA REGULATIONS, OR UNDER THE EQUIVALENT REGULATORY BODIES IN THE UNITED STATES, THE UNITED KINGDOM, OR AUSTRALIA. THE PLATFORM IS DESIGNED TO ASSIST IN ADMINISTRATIVE PROCESSES AND SUPPORT MENTAL HEALTH PROFESSIONALS IN DOCUMENTING CLIENT ENCOUNTERS. IT DOES NOT DIAGNOSE, TREAT, MITIGATE, OR ALLEVIATE ANY ILLNESSES OR MEDICAL CONDITIONS.
- THE PLATFORM AND ANY OUTPUT GENERATED BY CUSTOMER THROUGH ITS USE MUST NOT BE INTERPRETED AS PROFESSIONAL MEDICAL OR HEALTHCARE ADVICE, A DEFINITIVE DIAGNOSIS, OR A RECOMMENDATION FOR TREATMENT. SOMA IS NOT INTENDED TO DIRECTLY ASSESS, MAINTAIN, OR IMPROVE THE PHYSICAL, MENTAL, OR EMOTIONAL HEALTH OF ANY PATIENT OR INDIVIDUAL.
- DRAFT CLINICAL NOTES GENERATED BY AI, EVEN IF THEY REFERENCE DIAGNOSIS OR TREATMENT PLANNING, MUST NOT BE USED AS A SUBSTITUTE FOR PROFESSIONAL CLINICAL JUDGMENT. IF CUSTOMER OR ITS PROVIDERS COPY OR INCORPORATE ANY CONTENT FROM SOMA INTO AN ELECTRONIC MEDICAL RECORD OR OFFICIAL CLINICAL DOCUMENTATION, CUSTOMER AFFIRMS THAT IT HAS REVIEWED, VALIDATED, AND ADOPTED THE CONTENT AS ITS OWN PROFESSIONAL OPINION, AND SOMA DISCLAIMS ANY RESPONSIBILITY FOR GENERATED CONTENT USED OR RELIED UPON WITHOUT SUCH INDEPENDENT PROFESSIONAL VERIFICATION.
INDEMNITY AND LIABILITY
8.1 Soma Indemnification.
Soma will indemnify, defend, and hold harmless the Customer and its affiliates, along with each of its and their respective officers, directors, employees, agents, successors, and permitted assigns (each, an "Indemnitee") from and against any and all Losses incurred by such Indemnitee in connection with any claim by a third party (other than an affiliate of an Indemnitee) that arises out of or relates to any allegation that the Platform infringes the IP Rights of a third party.
8.2 Mutual Indemnification.
Each Party agrees to indemnify and hold harmless the other Party's Indemnitees from and against any and all Losses incurred by such Indemnitee in connection with any claim by a third party (other than an affiliate of an Indemnitee) that arises out of or relates to any gross negligence or wilful misconduct by a Party (or any third party on behalf of a Party) in connection with this Agreement.
8.3 Customer Indemnification for Consent and Lawful-Basis Failures.
Customer will indemnify, defend, and hold harmless Soma and its Indemnitees from and against any and all Losses incurred by Soma in connection with any claim, damage, fine, or regulatory action arising from Customer's failure to obtain or maintain valid consent or other lawful basis for Soma's Processing of any Patient Data on Customer's behalf, including but not limited to consent for Session Recording.
8.4 Cap on Monetary Liability.
SUBJECT TO THE EXCEPTIONS LISTED IN SECTION 8.5, IN NO EVENT WILL THE AGGREGATE LIABILITY OF EITHER PARTY UNDER OR IN CONNECTION WITH THIS AGREEMENT OR ITS SUBJECT MATTER, UNDER ANY LEGAL OR EQUITABLE THEORY, INCLUDING BREACH OF CONTRACT, TORT (INCLUDING NEGLIGENCE), STRICT LIABILITY AND OTHERWISE, EXCEED THE TOTAL FEES PAID OR PAYABLE BY CUSTOMER IN THE TWELVE (12) MONTHS IMMEDIATELY PRECEDING THE EVENT GIVING RISE TO THE CLAIM.
8.5 Exceptions to Cap on Monetary Liability.
Section 8.4 does not apply to the following circumstances:
- A breach of confidentiality by either Party contravening the conditions described in section 6.3;
- Either Party's indemnification obligations set forth in Section 8.1, 8.2, or 8.3; or
- A loss, disclosure, alteration, misuse, or other breach of Customer Data by Soma in connection with a Data Incident that contravenes the obligations described in section 4.2; provided that Soma’s aggregate liability under this Section 8.5(c) shall not exceed two (2) times the cap amount set out in Section 8.4.
TERM AND TERMINATION
9.1 Term.
This Agreement will be effective as of the Effective Date and will continue for a term of one year from the Effective Date (the "Initial Term"). At the expiration of the Initial Term, this Agreement will automatically renew for successive terms of one year (each, a "Renewal Term") unless terminated by Customer or Soma in accordance with Section 9.2 or Section 9.3.
9.2 Termination for Convenience.
Customer may terminate this Agreement at any time and for any reason (or no reason at all) on thirty (30) days' prior written notice to Soma; provided, however, that if Customer terminates for convenience under this section, Customer remains obligated to pay all Fees owed for the remainder of the then-current term, all of which Fees will become immediately due and payable in full (if not already pre-paid).
9.3 Termination for Cause.
Either Party may terminate this Agreement for cause upon written notice to the other Party that it has failed to perform any obligation, warranty, duty, or responsibility under this Agreement, and such failure continues unremedied for a period of ten (10) days after receipt of written notice describing the failure.
9.4 Effect of Termination.
Upon termination of this Agreement for any reason:
- All rights, licenses, consents, and authorizations granted by either Party to the other hereunder will immediately terminate;
- Customer will immediately cease all use of the Platform, and Soma may disable Customer's Platform access on the effective termination date;
- at Soma's written request, Customer will destroy all documents and materials (whether written or electronic) containing, reflecting, incorporating, or based on any of Soma's Confidential Information, and confirm such destruction by written notice; and
- Upon request by Customer within 60 days of the effective termination date, Soma will return Customer Data to Customer in the form requested by Customer. Soma will permanently delete all Customer Patient Data (Personal Information and Personal Health Information) within ninety (90) days of contract termination in accordance with any executed DPA, unless retention is required by law. Soma has no obligation to retain Customer Data or Customer's Confidential Information beyond the periods described in this Section 9.4 and any executed DPA.
MISCELLANEOUS
10.1 Force Majeure.
Neither Party, nor its employees, officers, directors, or representatives will be liable for failure to perform, or delay in performance, due to anything beyond the reasonable control of either Party (each a "Force Majeure Event"). In the event of delay in performance due to a Force Majeure Event, the date for delivery or completion time (but not a date for payment) will be extended by a period of time reasonably necessary to overcome the effect of such delay.
10.2 Notices.
Soma may email notices pursuant to this Agreement to Customer's provided email contact, and such notices will be deemed to have been received 24 hours after they are sent. Customer may email notices pursuant to this Agreement to contact@soma-health.ca, and such notices will be deemed received 24 hours after they are sent.
10.3 Assignment.
Unless in connection with a merger, acquisition or other change of corporate control, neither Party will assign or otherwise transfer any of its rights, or delegate or otherwise transfer any of its obligations or performance under this Agreement without the other Party's prior written consent. Any purported assignment in violation of this clause will be null and void.
10.4 Enurement.
This Agreement will enure to the benefit of and be binding upon the Parties and their respective executors, administrators, heirs, successors, and permitted assigns.
10.5 Relationship of the Parties.
The relationship between the Parties is that of independent contractors. Nothing in this Agreement, and no action taken under this Agreement, will be construed as creating any agency, partnership, joint venture or other form of joint enterprise, employment or fiduciary relationship between the Parties, and neither Party will have authority to contract for or bind the other Party in any manner whatsoever, nor will either Party represent otherwise.
10.6 Entire Agreement.
This Agreement, together with any executed DPA, BAA, and any other addenda referenced herein or in an Order, constitutes the entire understanding between the Parties with respect to the subject matter of this Agreement, and supersedes and replaces all prior and contemporaneous agreements, understandings, warranties, and representations between the Parties and their predecessors, whether written or oral and whether legally enforceable or not, relative to the matters provided for in this Agreement.
10.7 Severability.
In the event that any term or provision of this Agreement is determined by a decision-maker with binding authority to be invalid, illegal or unenforceable for any reason, such invalidity, illegality or unenforceability will not affect the operation of any other term or provision of this Agreement.
10.8 No Waiver.
Neither party will be deemed to have waived any of its rights under this Agreement by lapse of time or by any statement or representation other than by an authorized representative in an explicit written waiver. No waiver of a breach of this Agreement will constitute a waiver of any other breach of this Agreement.
10.9 Governing Law.
This Agreement will be governed by and construed in accordance with the laws of the Province of Newfoundland and Labrador and the laws of Canada applicable therein, and each Party exclusively attorns to the jurisdiction of the courts of St. John's, Newfoundland and Labrador for any legal proceedings relating to this Agreement. For greater certainty, Soma's principal place of business is in Newfoundland and Labrador, and the Personal Health Information Act (PHIA) of Newfoundland and Labrador is among the regimes referenced in Section 12.2.
10.10 Time of the Essence.
Time will be of the essence of this Agreement and of every part hereof, and no extension or variation of this Agreement will operate as a waiver of this provision.
10.11 Amendments.
- Terms of Service: Soma may amend this Agreement from time to time by posting an amended version at its website and sending Customer written notice thereof. Such amendment will be deemed accepted and become effective 30 days after such notice (the "Proposed Amendment Date") unless Customer first gives Soma written notice of rejection of the amendment. In the event of such rejection, Customer may terminate this Agreement on notice to Soma and will be entitled to a pro-rata refund of any prepaid Fees for the unused portion of the then-current term. Customer's continued use of the Platform following the effective date of an amendment will confirm Customer's consent to it. This Agreement may not be amended in any other way except through a written agreement by authorized representatives of each party.
- Privacy Policy: Soma may revise its privacy policy at any time by posting a new version at its website, and such new version will become effective on the date it is posted; provided that if such amendment materially reduces Customer's rights or protections, notice and consent will be subject to the requirements above in this Section 10.11.
10.12 Relationship to DPA and BAA.
Where the Customer has executed a DPA or BAA with Soma, the provisions of those agreements govern the matters within their respective subject matter. In the event of a conflict between this Agreement and an executed DPA or BAA with respect to the Processing of Regulated Data or Patient Data, the DPA or BAA (as applicable) controls.
AI-POWERED FEATURES & DATA PROCESSING
11.1 Use of Third-Party AI Services.
The Platform incorporates AI-powered features that utilize Third-Party AI Services, currently limited to large-language-model services provided by Anthropic, PBC and accessed exclusively through Amazon Web Services Bedrock, to generate Output such as clinical-note drafts, assessment-report drafts, and analytical summaries. Soma reserves the right to add, replace, or modify Third-Party AI Service providers in accordance with the sub-processor change-notice procedure in any executed DPA, provided that any replacement or additional provider is subject to data-protection commitments no less protective than those described in this Article XI.
11.2 De-identification Measures.
Soma applies automated de-identification measures to Customer Data prior to transmission to Third-Party AI Services. These measures are designed to remove or replace personal identifiers with pseudonymous tokens as an additional safeguard. Customer acknowledges that automated de-identification is applied on a best-efforts basis and may not identify all personal identifiers in every instance. The primary protection for Customer Data transmitted to Third-Party AI Services is the no-retention and no-training commitments described in Sections 11.3 and 11.4.
11.3 No Retention of Customer Data by AI Providers.
Customer Data transmitted to Third-Party AI Services via the Platform is processed in real-time solely for the purpose of generating the requested Output. Data is not retained at rest by any Third-Party AI Service after the request is processed and the Output is returned. Soma maintains agreements with all Third-Party AI Services and with Amazon Web Services as the underlying Bedrock provider prohibiting them from storing or retaining any Customer Data (including inputs, document data, or any other transmitted information) beyond the time necessary to generate and return Output to Soma.
11.4 No Use of Customer Data for AI Model Training.
Customer Data transmitted to Third-Party AI Services will not be used to train, fine-tune, evaluate, or improve the AI models of those Third-Party AI Services. Soma maintains contractual commitments with each Third-Party AI Service provider that expressly prohibit the use of Customer Data for model training, fine-tuning, or any form of machine-learning improvement. This restriction expressly applies to audio data, transcripts, and any derivative outputs generated through the Session Recording feature.
11.5 Cross-Border Processing.
Certain AI-powered features may require transient processing of Customer Data outside of Canada by Third-Party AI Service providers, including transient inference in U.S. Amazon Web Services Regions through Bedrock cross-region inference. By using such features, Customer consents to the limited transient processing of Customer Data in those jurisdictions as described herein. In all cases, such processing is subject to an executed Business Associate Agreement between Soma and Amazon Web Services, to the no-retention and no-training commitments described in Sections 11.3 and 11.4, and to the de-identification measures described in Section 11.2. No Customer Data is stored at rest outside Canada.
11.6 AI Output Disclaimer.
All Output generated by AI-powered features is provided as a professional drafting aid. Output is probabilistic in nature and may contain errors or omissions. Customer is solely responsible for reviewing, editing, and approving all Output before clinical use, as further described in Section 7.4.
PRIVACY COMPLIANCE
12.1 Fair Information Principles.
Soma's collection, use, and disclosure of Personal Information is conducted in accordance with the ten Fair Information Principles set forth in Schedule 1 of the Personal Information Protection and Electronic Documents Act (PIPEDA):
- Accountability. Soma is responsible for Personal Information under its control and has designated personnel who are accountable for compliance with these principles.
- Identifying Purposes. The purposes for which Personal Information is collected are identified at or before the time of collection.
- Consent. The knowledge and consent of the individual are obtained for the collection, use, and disclosure of Personal Information, except where inappropriate or as otherwise permitted by Law.
- Limiting Collection. The collection of Personal Information is limited to that which is necessary for the purposes identified by Soma.
- Limiting Use, Disclosure, and Retention. Personal Information is used or disclosed only for the purposes for which it was collected, except with the consent of the individual or as required by Law. Personal Information is retained only as long as necessary for the fulfillment of those purposes.
- Accuracy. Personal Information is kept as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used.
- Safeguards. Personal Information is protected by security safeguards appropriate to the sensitivity of the information.
- Openness. Soma makes readily available to individuals specific information about its policies and practices relating to the management of Personal Information.
- Individual Access. Upon request, an individual will be informed of the existence, use, and disclosure of their Personal Information and will be given access to that information.
- Challenging Compliance. An individual may address a challenge concerning compliance with these principles to Soma's designated personnel responsible for privacy compliance.
12.2 Provincial and Territorial Privacy Legislation.
In addition to PIPEDA, Soma acknowledges the applicability of provincial and territorial privacy and health-information legislation to the processing of Personal Information and Personal Health Information, including but not limited to the statutes set out below. Customer is responsible for determining the specific legislative requirements applicable to its practice and jurisdiction, and where its activities engage more than one regime, for complying with each:
- the Personal Health Information Protection Act (PHIPA) in Ontario;
- the Act respecting the protection of personal information in the private sector ("Law 25") in Quebec, and the Act respecting health and social services information ("Law 5") in Quebec where Customer acts on behalf of a health and social services body;
- the Health Information Act (HIA) in Alberta where Customer is a custodian under that Act, and the Personal Information Protection Act (PIPA) in Alberta in all other cases;
- the Personal Information Protection Act (PIPA) in British Columbia;
- the Personal Health Information Act (PHIA) in Manitoba;
- the Health Information Protection Act (HIPA) in Saskatchewan;
- the Personal Health Information Act (PHIA) in Nova Scotia;
- the Personal Health Information Privacy and Access Act (PHIPAA) in New Brunswick;
- the Personal Health Information Act (PHIA) in Newfoundland and Labrador;
- the Health Information Act (HIA) in Prince Edward Island;
- the Health Information Privacy and Management Act (HIPMA) in Yukon;
- the Health Information Act (HIA) in the Northwest Territories; and
- in Nunavut, PIPEDA together with the Access to Information and Protection of Privacy Act (ATIPP), pending the enactment of dedicated personal-health-information legislation.
Where Customer is required by applicable provincial or territorial Law to enter into a written information manager, agent, or service-provider agreement with Soma, the Information Manager Agreement set out in Schedule A is intended to satisfy that requirement; Soma will negotiate jurisdiction-specific addenda on reasonable request.
12.3 Privacy Officer Designation.
Soma designates the following individual as Privacy Officer, accountable for compliance with this Agreement and applicable privacy Law: Ian Vardy, reachable at privacy@soma-health.ca. Customer or any individual whose Personal Information or Personal Health Information is processed by the Platform may direct privacy questions, access requests, correction requests, complaints, or notice of suspected incidents to the Privacy Officer at the address above.
INFORMATION MANAGER AGREEMENT
A.1 Designation.
Where applicable Law in a province or territory of Canada requires a written agreement between a custodian, trustee, or equivalent (the "Custodian") and a service provider that processes Personal Health Information on the Custodian's behalf, this Schedule A constitutes that agreement. Statutes referenced include but are not limited to: the Personal Health Information Act (PHIA) in Manitoba (s.25(3)); the Health Information Protection Act (HIPA) in Saskatchewan (s.18); the Personal Health Information Act (PHIA) in Nova Scotia (s.66); the Personal Health Information Privacy and Access Act (PHIPAA) in New Brunswick (s.55); the Personal Health Information Act (PHIA) in Newfoundland and Labrador (s.16); the Health Information Act (HIA) in Prince Edward Island (s.37); the Health Information Privacy and Management Act (HIPMA) in Yukon; and the Health Information Act (HIA) in the Northwest Territories.
A.2 Purpose.
Soma is engaged as Information Manager for the limited purpose of providing AI-assisted drafting of clinical notes, assessment reports, and related Output through the Platform. Soma is not the Custodian's system of record. The Custodian remains responsible for transferring final, validated artefacts to its canonical record-keeping system and for satisfying any provincial or territorial record-retention obligations applicable to that canonical system.
A.3 Safeguards.
Soma will safeguard Personal Health Information processed under this Schedule in accordance with Sections 4.2, 4.7, 4.8, 4.9, and 11.2 through 11.5 of this Agreement, which are incorporated into this Schedule by reference. Without limiting the generality of the foregoing, Soma applies encryption at rest in Canada, encryption in transit, automated de-identification before transmission to Third-Party AI Services, role-based access controls, and audit logging of access events.
A.4 Sub-processors.
Soma engages the following sub-processors in connection with the Platform:
- Amazon Web Services, Inc. — primary cloud infrastructure (compute, object storage, networking) and AI model access through AWS Bedrock; storage and compute in Canada (ca-central-1, Montreal); transient AI inference may execute in U.S. AWS Regions under executed Business Associate Agreement with model-invocation logging disabled and zero retention;
- Supabase, Inc. — managed PostgreSQL, authentication, object storage, edge functions; Canada (Central) — AWS ca-central-1;
- Vercel, Inc. — hosting and edge delivery for the Soma professional web application; requests carrying Personal Health Information transit Vercel under Vercel's Business Associate Agreement with TLS in transit; function logs do not capture Personal Health Information; United States (transit only; no at-rest storage of Regulated Data on Vercel);
- Anthropic, PBC (accessed through AWS Bedrock) — large-language-model inference for AI-assisted features; zero data retention; no training on Customer Data; U.S. AWS Regions (transient inference only);
- Resend, Inc. — transactional email (authentication, account notification, invitation flows); United States;
- Stripe, Inc. — subscription billing and payment processing; United States.
Soma will provide Customer with not less than thirty (30) days' written notice of any material change to its sub-processor list, in accordance with the procedure in any executed DPA.
A.5 Audit.
On reasonable written notice and not more than once in any twelve (12) month period, Customer may request, and Soma will provide, a written summary describing the safeguards in place under this Schedule, the current sub-processor list, and any reportable Data Incidents affecting Customer's account during the relevant period.
A.6 Breach Reporting.
Soma will notify Customer of any Data Incident in accordance with Section 4.8, including the seventy-two (72) hour notification commitment described therein. Soma will provide such reasonable assistance as Customer requires to discharge any breach-notification obligations the Custodian owes to affected individuals or to a regulatory authority under applicable Law.
A.7 Return and Destruction.
Personal Health Information processed under this Schedule is subject to the configurable retention windows and automatic destruction described in this Agreement. Following termination of this Agreement, Soma will destroy any remaining Customer Personal Health Information within ninety (90) days, subject to and in accordance with Section 9.4 of this Agreement and any executed DPA.
A.8 Custodian Obligations.
The Custodian remains accountable under applicable Law for all Personal Health Information processed via the Platform, including for: (i) obtaining any required patient or client consent or other lawful authority; (ii) ensuring its use of the Platform is consistent with the purposes for which Personal Health Information was collected; and (iii) satisfying any record-retention obligations under applicable Law in respect of its canonical record-keeping system. Soma is not the Custodian and does not assume the Custodian's professional, regulatory, or fiduciary obligations.
A.9 Conflict.
In the event of a conflict between this Schedule A and the body of this Agreement with respect to the subject matter of this Schedule, this Schedule A prevails. In the event of a conflict between this Schedule A and a duly executed jurisdiction-specific addendum signed by both parties, the addendum prevails.
LEGACY MOBILE-APP FEATURES (SUNSET)
B.1 Scope and Status.
Soma is in the process of discontinuing the legacy Soma mobile-app integration features. Those features are no longer offered to new Customers and are not part of the Services described in the body of this Agreement. This Schedule B applies only to Customers whose Providers were granted access to these legacy features prior to the date set out at the top of this Agreement, and only for so long as Soma continues to make those features available to that Customer.
B.2 Decommissioning Notice.
Soma may discontinue any or all of the legacy mobile-app integration features on not less than ninety (90) days prior written notice to affected Customers. Following the effective date specified in such notice, the provisions of this Schedule B with respect to the discontinued feature cease to apply, and the Customer’s continued use of the Platform is governed solely by the body of this Agreement and any executed addenda.
B.3 Optional Connection.
A connection between a client's Soma mobile-app account and a Provider's Soma professional account is strictly optional. Either the client or the Provider may end the connection at any time through the Platform settings or by contacting Soma.
B.4 Client Control of Shared Data.
The client determines which information is shared with the Provider through Soma. This may include:
- Journal entries
- Mood or stress ratings
- Time, date, duration, and completion states of activities
- Audio transcripts (if separately consented)
- Wearable device data (if separately consented)
Soma will only transmit the specific categories of data that the client has explicitly chosen to share.
B.5 Anonymity and Encryption.
- All client data shared through the legacy mobile-app integration is anonymous to Soma and, where technically feasible, is pseudonymized using Provider-assigned aliases.
- Sensitive client data, including journal entries, activity details, and wearable device credentials, is encrypted. Soma will not decrypt such data without the client's explicit consent, and in the case of wearable credentials, Soma will not decrypt them under any circumstances, even if consent is provided for product improvement.
B.6 Wearable Device Data Rules.
If a Provider requests wearable device data through the legacy mobile-app integration:
- the client's connection to a wearable device is optional and may be refused even if the Provider has enabled wearable integration as an option;
- any wearable data collected through Soma remains anonymous;
- the types of wearable data that may be collected include, without limitation, heart rate, oxygen levels, breathing rate, sleep data, temperature, and activity data;
- Soma will summarize and share wearable data with the Provider only if the client has explicitly consented to connect a wearable device; and
- if the client consents to anonymous wearable data collection, Soma may use such data to improve the product in addition to any other data the client has consented to share for improvement purposes.
B.7 Provider Responsibility for Shared Data.
Once any shared data (including journal entries, mood ratings, activity completion states, transcripts, or wearable data summaries) is received by a Provider through the legacy mobile-app integration, the Provider is solely responsible for:
- storing, securing, and using the data in compliance with all applicable laws, regulations, and professional standards; and
- retaining or disposing of such data according to applicable retention requirements.
Soma's role under this Schedule B is limited to secure transmission, anonymization, encryption, and real-time audio processing where applicable, as described in this Schedule.
B.8 Disputes.
Any disputes or concerns regarding the use of shared data after receipt by a Provider are between the Provider and the client. Soma may confirm the type and timing of shared data but is not responsible for how the Provider stores, secures, or uses such data thereafter.