TokenEx respects the citizens and organizations who utilize our website and platform. Our most important asset is our relationship with our clients and prospects and protecting their data. We are committed to maintaining the availability, confidentiality, integrity, and security of information about our clients and their organizations. The following documents are available for reading or downloading. However, none of the documents that are available to you are editable in any form. If you have any questions regarding these documents, please email


Mutual NDA

This NON-DISCLOSURE AGREEMENT is made and entered into this _____ day of ________________, 2020 (the “Effective Date”) by and between __________________________, with its principal office at _______________________________________ (“Company”) and TokenEx, Inc., a Delaware Corporation, with its principal office located at 3825 NW 166th Street, Suite C1, Edmond, Oklahoma 73012 (“TokenEx”).

WHEREAS, the parties anticipate disclosing certain information to each other and have agreed to maintain the confidentiality of each other’s information;

NOW, THEREFORE, in consideration of the premises and for other good and valuable consideration, the receipt and sufficiency of which is hereby acknowledged, the parties agree as follows:

  1. Definitions

    “Confidential Information” as used in this Agreement shall include, but not be limited to, any and all financial, technical, legal, marketing, network and/or other business information, know-how, plans, records, files, file layouts, manuals, documentation or data (including but not limited to computer programs, code systems, applications, analyses, passwords, procedures, output, software sales, customer information, personal individual information, and lists compilations). All information communicated during the course of this Agreement, whether written or oral, shall be assumed confidential even if it is not specifically noted as such at the time of the disclosure.

    “Disclosing Party” is a party to this Agreement which discloses its Confidential Information to a Receiving Party.

    “Receiving Party” is a party to this Agreement which accepts, receives, views, or otherwise obtains Confidential Information from a Disclosing Party.

    “Affiliate(s)” means a subcontractor, advisor, agent, or affiliated entity controlling, controlled by, or under common control, performing on behalf of the Receiving Party in its obligations hereunder who have entered into a confidentiality agreement no less restrictive than the terms of this Agreement.

    “Affiliate” is any company or other entity that is a competitor of the Disclosing Party, irrespective of any nondisclosure agreement executed by any such Affiliate/competitor.

  2. Mutual Obligations

    Use and Care. Confidential Information provided under this Agreement by one party to another shall be used only for the purpose for which it was provided and to those employees and Affiliate(s) of the Receiving Party with a “need to know” and an obligation to protect.

    Any use or disclosure that is not expressly provided for in this Agreement is prohibited.

    Each party shall use the same degree of care to avoid disclosure or use of Confidential Information as it employs with respect to its own proprietary information, and in any event shall take all precautions that are reasonably necessary to protect the security of the other party’s Confidential Information.

    A Receiving Party warrants that any Confidential Information obtained from Disclosing Party shall not be disclosed to any Affiliate (as defined above) of the Receiving Party which either is or may be a competitor of Disclosing Party, irrespective of any nondisclosure agreement executed by any such Affiliate/competitor.  All questions regarding the status of any Affiliate entity as a “competitor” shall be referred to Disclosing Party for resolution prior to making any disclosure to any such Affiliate.  The decision of Disclosing Party on any such issue is final.


    Notifications. Any notice permitted or required under this Agreement shall be deemed to have been given if it is in writing and personally served or delivered, mailed by registered or certified mail (return receipt requested), delivered by a national overnight courier service with confirmed receipt, or sent by facsimile with confirmation by registered mail to the parties at the following addresses:

    Notices to Company should be directed to:




    Notices to TokenEx should be directed to:

    TokenEx, Inc.
    PO Box 521068
    Tulsa, Oklahoma 74152
    Phone #: 877.316.4544
    Attn: Legal

    With a copy to

    Each party may change its address by giving similar notice.

    Return. Each party further agrees that within thirty (30) days of the completion of the discussion or work associated with any particular Confidential Information or upon request of the Disclosing Party, the Receiving Party and its Affiliates will return or securely destroy (at the Disclosing Party’s election) all electronic or tangible items in their possession containing any of the Disclosing Party’s Confidential Information without retaining copies of the items required to be returned. If applicable, the Receiving Party shall send the Disclosing Party written certification of destruction of Confidential Information.

  3. Exclusions

    Information shall not be deemed confidential if the Receiving Party can show that the information:

    (a) is or subsequently becomes part of the public domain through no fault of the Receiving Party;

    (b) is subsequently disclosed by a third party not under any confidentiality obligation to the Disclosing Party;

    (c) is developed independently by the Receiving Party without reliance on the Disclosing Party’s Confidential Information;

    (d) is otherwise approved by written authorization from the Disclosing Party; or

    (e) is required to be disclosed pursuant to a valid order by a court or other governmental entity with jurisdiction, provided that Receiving Party provides the Disclosing Party with prompt written notice of such demand (prior to any scheduled disclosure) in order to permit Disclosing Party to challenge such disclosure or obtain a protective order at Disclosing Party's expense.

    The Receiving Party shall have the burden of proof with respect to any claimed exception to the obligations of confidentiality.

  4. Proprietary Information

    Both parties acknowledge and agree that a Disclosing Party’s Confidential Information is the proprietary property of the Disclosing Party, its Affiliates or customers and constitutes valuable trade secrets. Nothing herein shall be construed as granting the Receiving Party any right of use, title or interest in the Disclosing Party’s Confidential Information.

  5. Remedies 

    Upon the occurrence or the threatened or likely occurrence of any breach hereof, Disclosing Party shall be entitled to temporary, preliminary and permanent equitable and injunctive relief, it being expressly stipulated that any unauthorized disclosure shall cause irreparable harm to Disclosing Party and that Disclosing Party shall not in such event have an adequate remedy at law. Recipient agrees that if there is any unauthorized use or disclosure of Disclosing Party’s Information by any of Recipient’s employees or any other third party with access to Disclosing Party’s Information through Recipient, Recipient will enforce for Disclosing Party’s benefit, through litigation if necessary, all rights provided under law to seek damages and protection from additional disclosure. In the event that Disclosing Party has provided Recipient with information in which any third party has an interest (including, without limitation, software or other trade secrets licensed to Disclosing Party by such third party), Recipient shall defend, indemnify and hold Disclosing Party harmless from any and all claims and demands of such third party and any liabilities, damages, costs and expenses (including reasonable attorneys’ fees) incident thereto arising out of or related to Recipient’s breach of this Agreement. The foregoing remedies are cumulative and in addition to any and all other remedies available at law or in equity. No waiver or modification of the terms hereof shall be binding unless in writing signed by Disclosing Party. No waiver of any provision hereof at any time shall operate as a waiver of any other provision or as a waiver of any subsequent breach of the same provision. The invalidity or unenforceability of any provision hereof shall not affect the validity or enforceability of the remaining provisions, all of which shall continue in full force and effect. 
    In the event litigation arises out of this Agreement, the prevailing party shall be entitled to recover from the non-prevailing party its reasonable attorneys’ fees and costs.

  6. Disclaimers

    This Agreement does not impose or imply an obligation by either party to enter into any contract or business relationship with the other party, and is not any agency or partnership between the parties. All Confidential Information is "AS IS" and without representation or warranty. If a party takes any action permitted hereunder and relies on the other party's Confidential Information, it does so at its own risk and expense.

  7. General 

    Term and Survival. This Agreement commences on the date of first exchange of Confidential Information and shall survive the termination of any related contract or other relationship between the parties.

    Modifications. This Agreement may only be modified by a separate writing signed by both Parties.

    Governing Law and Venue. This Agreement shall be governed by and construed and interpreted in accordance with the substantive laws of the State of Delaware. Whenever possible, each provision of this Agreement shall be interpreted in such manner as to be effective and valid under applicable law, but if any provision hereof shall be prohibited by or invalid under applicable law, such provision shall be ineffective to the extent of such prohibition or invalidity, without invalidating the remainder of such provision or the remaining provisions of this Agreement. All obligations and rights of the Parties expressed herein shall be in addition to, and not in limitation of, those provided by applicable law. Any disputes arising out of this Agreement shall be subject to binding and final arbitration, pursuant to the Federal Arbitration Act (as amended from time to time).

    Counterparts. This Agreement may be executed in any number of counterparts which may include facsimile or electronic signatures, each of which shall be an effective and binding original, but all of which together shall constitute one instrument.

    Interpretation/construction. The paragraph headings in this Agreement are for reference purposes only and shall not be deemed a part of this Agreement. The wording in this Agreement is the wording chosen by the parties to express their mutual intent, and no rule of strict construction shall be applied against either party.

  8. Non-solicitation

    The parties acknowledge that each other’s business is dependent upon being able to attract, train and keep qualified persons and adequately utilize its employees. Unless it first obtains the prior written consent of the other party, neither party to this Agreement shall directly nor indirectly, for itself, or on behalf of any other person, firm, corporation or other entity, solicit, participate in or promote the solicitation of the other party’s employees to leave the employ of the other party, or hire or retain as an employee or as an independent contractor the other party’s employees, during the term of this Agreement and for two (2) years immediately following the termination of the foregoing for any reason. Should either party solicit, hire or attempt to hire any employees from the other party during this period, the hiring party agrees to pay the other party as liquidated damages and not a penalty, within thirty (30) days of such event, a finder’s fee of the relevant person's most recent monetary compensation (including bonuses) received during the preceding 12-month period with such non-hiring party (annualized for the purpose of calculating said finder's fee for employees engaged for less than 12 months). Notwithstanding the foregoing, the parties hereby acknowledge and agree that the restrictions of this Section shall not apply to the hiring by either party of any individual who, not being specifically solicited or targeted, responds to a general recruitment advertisement of the other party.





TokenEx Terms of Service

These Terms of Service (“the ToS”) set forth the agreed terms and conditions which govern and control TokenEx, Inc.’s (“TokenEx”) delivery of the services and products set forth on the Proposal to you (“Customer”). Any nondisclosure agreement previously executed by the parties is superseded by Section 11 of these ToS. There are addenda to these ToS, including one or more Proposals, and addenda dealing with GDPR Addendum; Security, Privacy and PCI; Service Level Addendum; and Data Processing Addendum, all or any of which supplement these ToS to the extent applicable.




“Affiliates” means any entities that a party directly or indirectly controls, is controlled by or is under control of that party.

“Authorized User” means any individual or entity (other than a TokenEx Competitor) that has a written agreement to provide services to Customer and is subject to confidentiality obligations covering TokenEx’s Confidential Information and that is authorized by Customer to have access or use of the Services or Platform solely on behalf of and for Customer’s use. Customer’s Authorized Users are subject to these ToS and Customer is responsible for their acts and omissions. Any breach by such Authorized User of the ToS is a breach by Customer.

“Customer” is the counter-party to TokenEx identified in the Proposal.

“Customer Data” means all information processed by Customer or an Authorized User, on Customer’s behalf, or provided to TokenEx for such processing or storage, as well as any information derived from such information. Customer Data includes, without limitation: (a) information provided to TokenEx for processing or storage; (b) information provided to TokenEx by Customer’s customers and/or Authorized Users; and (c) personally identifiable information from such customers and Authorized Users.

“Platform” means the software products owned or licensed by TokenEx to which TokenEx grants Customer access as part of the Services, including, but not limited to (1) Web APIs, (2) Hosted payment pages/iframe, (3) batch file processing (SFTP) and (4) customer portal.

“Platform Credentials” means all credentials provided or related to accessing the TokenEx Platform. TokenEx shall provide Customer with Platform Credentials, including but not limited to (1) API Keys, (2) SFTP user accounts and (3) customer portal user accounts.

“Proposal” means the fully executed document which sets forth the details of pricing and specific services and products agreed to be provided to Customer by TokenEx.

“Services” means the work, deliverables (if any), and Platform components and access identified on the Proposal.

“Scheduled Maintenance” means a period for which the specific parts of the Services and/or the Platform are scheduled to be unavailable for use by Customer in order to perform preventive maintenance, install upgrades or perform similar work, and for which Customer has been given prior notice of such period.


1. TokenEx Responsibilities. TokenEx shall provide the Services to Customer. TokenEx shall provide Customer with Platform Credentials, including but not limited to (1) API Keys, (2) SFTP user accounts and (3) customer portal user accounts.

TokenEx shall use all reasonable, good-faith efforts to provide the Services in accordance with the Service Level Agreement (“SLA”) at no additional charge. The sole remedies for failure to meet the performance specifications set out in the SLA are those provided for in the SLA.

Protection of Data. TokenEx shall maintain administrative, physical, and technical safeguards for protection of Customer’s data. TokenEx shall not access or modify Customer’s data except to prevent or address service problems, in which case TokenEx will inform Customer.

Privacy Rules. TokenEx shall comply with all applicable privacy laws and regulations to the extent those laws apply to the Services being performed hereunder. In the event that a governmental authority or other authority having jurisdiction requests that all or any part of Customer’s data be disclosed, TokenEx shall as soon as practicable, if allowed by law, inform Customer of the request or subpoena, and cooperate with Customer in any defense Customer wishes to make to the request or subpoena, at Customer’s expense. TokenEx shall comply with any and all processing instructions provided by Customer, and applicable privacy laws and regulations, to the extent those laws apply to the processing instructions provided by Customer and the Services being performed hereunder.

Background Checks. TokenEx performs background checks on all employees, including, at a minimum: SSN verification (with trace), academic credentials (highest level of education earned or most recent place of attendance), employment history (all employers for the longer of last seven years or last three employers), Domestic Terror Watchlist and criminal history (all felonies, misdemeanors, convictions, current indictments, and time served for last seven years in all counties of residence).

2. Customer Responsibilities. Customer shall be responsible for the accuracy, quality and content of all of Customer’s data subject to these ToS. Customer shall use commercially reasonable efforts to prevent access to or use of the Services and all components of the Platform by any entity other than Customer and Authorized Users. Customer agrees to promptly notify TokenEx of any access or use of the Services and/or Platform by any entity other than an Authorized User, and to use the Services and Platform in compliance with all applicable laws and government regulations. Customer agrees not to disclose Customer’s Platform Credentials or make TokenEx’s Services or Platform accessible to any entity not an Authorized User, or to sell, resell, rent or lease any part of the Services, unless pursuant to a separate negotiated agreement with TokenEx, or as a value-added service incorporated into Customer’s product offering, and then with prior notification to and written permission of TokenEx. Customer further agrees not to use production data within the TokenEx test environment. Customer represents and warrants that Customer is compliant with all applicable laws and that Customer and Customer’s Authorized Users have obtained all necessary rights and consents to disclose to and allow TokenEx to process Customer’s and Authorized User’s data.

3. Fees, Invoicing, Payment and Pricing. Customer shall pay the fees agreed to in the Proposal. Customer may pay for the Services with a credit card and authorize TokenEx to charge such credit card for all fees related to these ToS. If the Proposal specifies that payment may be by a method other than a credit card, TokenEx will invoice Customer. Invoiced charges are due net thirty (30) days from the invoice date. Unless specifically provided for in a negotiated amendment to these ToS, otherwise herein or by specific document, Customer will also be responsible and pay for all such fees incurred by any Authorized User. Pricing reflected on the Proposal is firm for the subscription term indicated. Any pricing modification(s) shall not exceed five (5) percent from the prior term except by written agreement of the parties.

4. DISCLAIMER OF WARRANTIES. TokenEx does not warrant, guarantee, or otherwise assume responsibility for any service offered by a third party that interfaces with TokenEx’s Services provided hereunder. TokenEx Services are provided on an “AS IS” basis without warranty of any kind.


5. Mutual Indemnification. Each party (“Indemnifying Party”) shall, to the extent caused by the indemnifying party’s negligent act or omission, defend, indemnify and hold harmless the other party, its respective directors, shareholders, employees and officers (collectively, “Indemnified Parties”) from and against all third-party claims, losses, liabilities (including negligence, tort and strict liability), damages, judgments, suits and all legal proceedings, and any and all costs and expenses in connection therewith (including any interest, penalties, fines and reasonable legal fees and disbursements) (individually, a “Claim” or collectively, “Claims”) arising out of or in any manner connected with any breach of any representation, covenant or other obligation of the Indemnifying Party contained herein. A party seeking indemnity from the other party shall promptly notify the other party of any Claim and shall provide information, assistance and cooperation in defending against such Claim at the Indemnifying Party’s sole cost and expense. Any such notification shall be in writing and directed to the person designated in the “Notification” paragraph hereof. In addition, an Indemnified Party shall have the right to participate in the defense of any Claim, suit or proceeding at its own sole cost and expense. No claim against an Indemnifying Party shall be settled or resolved unless presented to and approved in advance by the Indemnifying Party, whose approval shall not be unreasonably withheld.

The right to indemnity provided for in this paragraph is subject to the non-breaching party’s notification to the alleged breaching party of any known breach of the provisions hereof within ten (10) days of knowledge of breach, and providing the alleged breaching party with a reasonable time within which to correct the alleged breach, and provide evidence of any such correction. The right to correct a breach provided for herein shall not apply to the Nondisclosure provisions of these ToS.


7. Insurance. TokenEx will, at its expense, obtain and maintain insurance of a type and amount as may be reasonable to protect its interests and obligations incident to its performance hereunder. TokenEx will, within thirty (30) days of Customer’s written request, provide Customer with a certificate of insurance evidencing such coverage, provided that the existence of such insurance will in no way expand or limit TokenEx’s liability hereunder.

8. Return of Data/Notice. TokenEx shall, upon request, return Customer’s stored data in the possession or control of TokenEx at the end of a subscription term, or upon termination of these ToS or any extension or renewal hereof. Any request must be in writing and received by TokenEx within thirty (30) days following the effective date of expiration or termination. Thereafter, TokenEx shall have no further legal or business obligation to maintain or provide any of the data after that time and all such data shall be securely deleted from TokenEx’s systems. A certification of such secure deletion/destruction will be provided upon Customer’s request, and at Customer’s expense. Stored data shall be returned to Customer not later than fourteen (14) days following receipt of a written request.

9. Applicable Law. In any dispute arising under these ToS, the laws of the State of Delaware shall govern without regard to the choice of law rules of any jurisdiction, including Delaware.

10. Arbitration. Any controversy, dispute or claim arising out of, in connection with, or in relation to, the interpretation, performance or breach of these ToS, including, without limitation, the validity, scope and enforceability of these ToS, that is not first resolved by negotiation between the parties, shall be submitted to binding and final arbitration by a single arbitrator selected by the American Arbitration Association (“AAA”) or, if applicable, the International Center for Dispute Resolution (“ICDR-AAA”), having experience in data security, and conducted pursuant to the rules of the AAA or ICDR-AAA, as applicable. Any such action or claim must be brought within two (2) years of the date the claim arose. The arbitrator shall be limited solely to awarding remedies that are permitted by these ToS. Notwithstanding any other provision of these ToS, the arbitrator shall award costs to the party that substantially prevails in any arbitration proceeding, including recovery of that party’s reasonable attorney’s fees, the arbitrator’s fees, and all costs of litigation incurred by the prevailing party in connection with the arbitration. Nothing in this section shall restrict a party’s right to seek injunction or other equitable relief in any court of competent jurisdiction prior to initiating arbitration.

11. Nondisclosure. Any information, data, trade secrets, know-how or proprietary information, in any form (as those terms are broadly construed), that the parties hereto exchange, including but not limited to those concerning these ToS, the Services or TokenEx’s Platform, shall be treated as confidential, shall be used only for the purpose of performing their respective obligations hereunder, and shall not be reproduced in whole or in part or disclosed to any other person or entity for any other purposes. All such information shall be returned promptly upon demand of the discloser. The parties shall ensure that no information is shared with any third party except where necessary to perform a party’s obligations under these ToS and, in such cases, the disclosing party shall obtain from the third party an undertaking not less restrictive than set forth in this Paragraph to preserve confidentiality.

The parties further agree to be responsible for the actions of their employees and any other person provided access to their offices or systems who may have contact with or access to information subject to these ToS, and to monitor those persons such that said information is continuously protected.

It is expressly agreed that a remedy at law for breach of the obligations set forth in this section concerning Nondisclosure is inadequate and that each party shall, in addition to any other remedies permitted by these ToS, be entitled to injunctive relief to prevent the breach, threatened breach, or continued breach thereof.

All rights and obligations contained in these ToS concerning the nondisclosure and protection of proprietary and confidential information shall survive the termination of these ToS.

12. Notices. Except as otherwise specifically set forth in these ToS, all notices, demands, requests or other communications that are required to be given by any party hereto shall be in writing and shall be personally delivered, mailed by first-class registered or certified mail (return receipt requested and postage prepaid), or sent by courier, addressed as follows:

If to TokenEx:
Attention: TokenEx, Inc. Legal Department
Address: P.O. Box 521068
Tulsa, OK 74152-1068
Phone: 877.316.4544
Fax: 405.703.5277

If to Customer: The address and contact information set forth on the Proposal.

13. Business Continuity and Disaster Recovery Plans. Upon request, TokenEx shall promptly provide to Customer an outline and/or summary of TokenEx’s business continuity and disaster recovery plan, testing and exercise documentation, and/or recovery strategies of TokenEx’s contractors or subcontractors.

14. Cooperation with Regulators. TokenEx shall provide reasonable cooperation to Customer by providing service-specific information requested by Customer’s regulators or any of Customer’s Customers concerning the relationship between the parties, and by making any modifications to the services and/or these ToS required by such regulators. In the event that TokenEx determines that such modifications are impracticable or uneconomical, TokenEx shall have the right to terminate these ToS, subject to TokenEx’s Termination Assistance program, described hereinafter.

15. Force Majeure. Either party to these ToS shall be released from liability hereunder for failure to perform any of its obligations hereunder where such failure to perform occurs by reason of any act of God, sabotage, war, strikes, lockouts, terrorism, military operations, national emergency, civil commotion, pandemic, communication systems failures, or the order, requisition, request or recommendation of any governmental agency or acting governmental authority having jurisdiction, or by either party’s compliance therewith, or governmental regulation or priority, or any other cause beyond either party’s reasonable control whether similar or dissimilar to such causes. In the event of any such disaster, TokenEx’s release of liability hereunder is subject to TokenEx’s reasonable execution of its Disaster Recovery and Business Continuity Plans, provided that any such exercise shall not itself have been rendered impracticable by any such event or its consequences. TokenEx shall be obligated to perform and Customer shall be obligated to pay for only such services actually performed during any of the above-mentioned conditions. If either party is not able to perform its material obligations hereunder within forty-five (45) days after the aforementioned conditions have been resolved or removed, then the other party may immediately terminate these ToS. Such termination, however, shall not affect the rights or obligations of either party that have arisen or accrued prior to such termination.


Export Compliance. The Services, Platform, and derivatives thereof may be subject to export laws and regulations of the United States and other jurisdictions. Customer represents that neither Customer nor any of Customer’s Authorized Users are named on any U.S. government denied-party list. Customer will not permit any User to access or use any Service in a U.S.-embargoed country or region (currently Cuba, Iran, North Korea, Sudan, Syria or Crimea) or in violation of any U.S. export law or regulation.

Assignment. Neither party may assign or otherwise transfer their rights or obligations pursuant to these ToS, or any of either party’s rights or obligations hereunder, without the prior written consent of the other party, which consent shall not be unreasonably withheld.

Severability. In the event that any provision hereof is invalid or unenforceable, such invalid or unenforceable provision shall not invalidate or affect the other provisions of these ToS. The other provisions of these ToS shall remain in effect and be construed as if the invalid or unenforceable provision were not a part hereof, provided that if the invalidation or unenforceability of such provision shall, in the opinion of either party, have a material effect on such party’s rights or obligations hereunder, then these ToS may be terminated by such party upon thirty (30) days’ written notice by such party to the other party.

Termination. These ToS may be terminated by either party, with or without cause, upon providing the other party not less than thirty (30) days prior written notice of any termination, but immediately in the event of a material breach of these ToS, at the option of the non-breaching party. Any breach of the confidentiality provisions of these ToS and/or any separate nondisclosure agreement between the parties shall constitute a material breach of these ToS, entitling the non-breaching party, at its option, to immediately terminate these ToS. These ToS will automatically renew following each contract year. In the event of non-renewal or termination, Customer shall be obligated to pay any and all outstanding charges for Services that have been delivered or invoiced prior to the date of termination.

In the event of a termination of these ToS not for cause or for material breach, TokenEx shall provide Termination Assistance Services. “Termination Assistance Services” means (i) the Services shall be performed, to the extent Customer requests the Services during the Termination Assistance Period, (ii) TokenEx’s cooperation with Customer or another supplier designated by Customer in the transfer of the Services, and (iii) any other services requested by Customer in order to facilitate the transfer of the Services to Customer or another supplier designated by Customer. Except as otherwise set forth herein, the Termination Assistance Services will be provided for a reasonable time (but not to exceed six months), and at the applicable rates set forth in the Proposal or, if the applicable rates are not set forth in the Proposal, then at TokenEx’s rates then in effect for like services immediately prior to the expiration or termination of these ToS.

Entire Agreement. The Proposal and these ToS, together with all documents incorporated by reference, constitute the entire agreement between the parties with respect to the subject matter hereof and supersedes any prior agreements, negotiations, understandings, or other matters, whether oral or written, with respect to the subject matter hereof. These ToS cannot be modified, changed or amended except in writing signed by a duly authorized representative of each party.

Headings. The headings hereof are for convenience of reference only and shall not be considered in the interpretation of these ToS.

Counterparts. The Proposal may be signed by facsimile and in one or more counterparts and, when signed by both parties, shall, together with these ToS and applicable addenda, constitute a single binding agreement.



GDPR Compliance Addendum

1. Relation to Agreement. Except as modified and supplemented herein, all other terms of the Agreement shall remain the same and in full force and effect. In the event of a conflict between the terms of this Addendum and the terms of the Agreement, the terms of this Addendum shall prevail and control.

2. Definitions.

(a) “Applicable Laws” means any statute, law, treaty, rule, code, ordinance, regulation, permit, certificate, or any other final and non-appealable action of a governmental authority having subject-matter jurisdiction. Applicable Laws include, without limitation: (i) the European General Data Protection Regulation (Regulation (EU) 2016/679), and all related and derivative data protection laws (collectively “EU Data Protection Laws”), (ii) the California Consumer Privacy Act 2018 (“CCPA”), the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), and (iii) the Health Information Technology for Economic and Clinical Health (“HITECH”) Act, and the Privacy and Security Rule regulations of HIPAA and the Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under the HITECH Act and the Genetic Information Nondiscrimination Act (“Omnibus Final Rule”) and all amendments to and further regulations of the HIPAA and HITECH Acts (collectively, “HIPAA”).

(b) “Personal Data” means any information disclosed to, or otherwise received by, TokenEx in connection with the Agreement, that (alone or when used in combination with other information within TokenEx’s direct control) can be used to identify, locate or contact an individual.

(c) “Privacy Shield” means the European Union-United States framework of privacy principles agreed to by the United States Department of Commerce and the European Union Commission on February 2, 2016 and formally adopted by the European Union Commission implementing decision C(2016) 4176 final on July 12, 2016.

(d) “Security Incident” means any unauthorized, accidental, or unlawful loss, acquisition, modification, use, destruction, alteration, disclosure, transfer, transport or access of Personal Data.

(e) “Information System” means the computing and/or network equipment, software and systems used by TokenEx in connection with the Agreement.

(f) “Processing” or “Process” means any operation or set of operations performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaption or alteration, retrieval, consultation, use, transfer, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking or dispersed erasure or destruction.

3. Ownership of Personal Data. During the term of the Agreement, TokenEx shall have a limited, non-transferable license to use Personal Data solely for performance under the Agreement for the benefit of CUSTOMER. There are no implied licenses under this Addendum, and any rights to the Personal Data not expressly granted to TokenEx hereunder are reserved by CUSTOMER. Without limiting the foregoing, none of CUSTOMER’s right, title and interest in Personal Data shall be diminished as a result of TokenEx’s access to, or use of, such Personal Data.

4. Information Security and Privacy Compliance. With respect to Personal Data, TokenEx agrees to the following:

(a) TokenEx represents and warrants that it has developed and implemented, and that it maintains, monitors and uses appropriate administrative, technical, and physical security measures, safeguards, procedures and practices to protect the confidentiality, integrity and availability of all Personal Data against a Security Incident.

(b) TokenEx represents and warrants that it shall Process all Personal Data in accordance with all Applicable Laws and reasonable security requirements, policies, procedures and standards designated by CUSTOMER from time to time, including Processing of all Personal Data it receives from CUSTOMER’s United States operations (“Privacy Shield Data”) in accordance with CUSTOMER’s Privacy Shield certification and Swiss-US Privacy Shield certification (collectively “Data Transfer Certifications”), or the GDPR’s Standard Contractual Clauses, as appropriate, and that at all times TokenEx’s protection of such Personal Data will meet or exceed the obligations for protection of such Personal Data set forth in the Privacy Shield principles. In the event new laws or regulations are implemented that require modifications to this Addendum, the parties mutually agree, in good faith, to modify this Addendum, within thirty (30) days of such law(s) or regulation(s) becoming effective. The parties further acknowledge that each is responsible to comply with any new law(s) or regulation(s) and to ensure that its handling of Personal Data is consistent therewith.

TokenEx certifies that it understands the rules, restrictions, requirements and definitions of the CCPA applicable to it as a service provider and agrees to refrain from taking any action that would cause any transfers of personal information to or from TokenEx to qualify as a sale of personal information under the CCPA. TokenEx acknowledges and confirms that it does not receive any personal information from CUSTOMER as consideration for any services or other items provided to CUSTOMER and shall not sell any such personal information.

(c) TokenEx shall ensure that all personnel involved in the processing of Personal Data are informed of the confidential nature of the Personal Data and are subject to contractual obligations of confidentiality (which are at least commensurate with those set out in the Agreement) and shall take reasonable steps to ensure the reliability of such personnel and ensure that they have received appropriate privacy and security training. TokenEx shall ensure that access to the Personal Data is limited to those personnel who need it to perform their duties in order for TokenEx to meet its obligations under the Agreement.

(d) TokenEx shall not transfer, disclose, use, transport, store, or in any manner Process, internally or via third parties, the Personal Data across any national borders or permit remote access to the Personal Data by any employee, affiliate, contractor, or other third party, unless such transfer or remote access is specifically permitted in the Processing instructions provided to it by CUSTOMER, or it has the prior written consent of CUSTOMER for such transfer or access. In order to receive Personal Data in the US from countries in the European Union or European Economic Area or Switzerland, TokenEx has been Privacy Shield certified, and if the data is from Switzerland, Swiss-U.S. Privacy Shield certified (collectively, the “Data Transfer Programs”). If TokenEx has not certified to the Data Transfer Programs, or if at any time during the course of this Agreement, if a particular Personal Data transfer does not qualify for the Data Transfer Programs, or if for some other reason the Data Transfer Programs are deemed invalid for purposes of a specific Personal Data transfer or for all Personal Data transfers, then the parties agree that for the duration of any such invalidity, the Model Contract Clause Provisions as approved by the EU Commission for Controller to Processor Personal Data transfers (“Controller to Processor Model Clauses”) will be incorporated into this Addendum and this Agreement with respect to all Personal Data transfers from the EU and/or Switzerland, as the case may be, and TokenEx and CUSTOMER hereby agree to immediately complete, sign, and execute the Controller to Processor Model Clauses. In addition, TokenEx agrees to reasonably execute and undertake such other compliance mechanisms as may be required by Applicable Laws in other countries with similar data transfer restrictions. 
If, in addition to the Data Transfer Programs, the Controller to Processor Model Clauses are deemed invalid for the purpose of a specific Personal Data transfer or for all Personal Data transfers, the parties agree to work together, and execute necessary documents, in order to determine an appropriate and legal mechanism for the transfer of such Personal Data.

(e) TokenEx shall Process Personal Data solely for the purpose of performing, and only to the extent needed to perform, TokenEx’s obligations under the Agreement or as otherwise authorized in writing by CUSTOMER. If for any reason, TokenEx cannot comply with the obligations of this Addendum, with respect to the Processing of Personal Data, and with the obligations of the Privacy Shield principles or the Standard Contractual Clauses, as applicable, TokenEx shall immediately notify CUSTOMER in writing of such inability to comply.

(f) TokenEx shall not disclose, transfer, transport, or provide access to Personal Data to any third party unless such disclosure is necessary for performance under the Agreement, and provided that such third party is fully bound in a written agreement by obligations at least as restrictive as those contained herein, including those in the Privacy Shield principles or Standard Contractual Clauses, as applicable. TokenEx shall remain responsible to CUSTOMER for all Processing of Personal Data undertaken by such third party and TokenEx shall remain responsible for any harm caused by such third party to the same extent as if TokenEx caused such harm itself, except to the extent TokenEx’s disclosure of Personal Data to such third party is required or otherwise requested by CUSTOMER.

(g) Within thirty (30) days of (i) CUSTOMER’s request, (ii) the date that Personal Data is no longer reasonably necessary for TokenEx’s performance under the Agreement or (iii) termination or expiration of the Agreement, whichever occurs first, TokenEx shall return all Personal Data, including all copies and excerpts thereof, in TokenEx’s possession and/or control (including any Personal Data in the possession of TokenEx’s subcontractors or agents) to CUSTOMER in the original format in which the Personal Data was received (if alternative format is requested by CUSTOMER, it will be at CUSTOMER’S expense), or as requested by CUSTOMER, permanently and securely destroy such Personal Data using industry standard data wiping tools acceptable to CUSTOMER. TokenEx shall certify to CUSTOMER in writing that TokenEx has fully complied with the foregoing obligations.

5. TokenEx’s Responsibilities for Required Disclosure, Security Incident Handling.

(a) Notwithstanding anything herein to the contrary, if TokenEx is required to disclose Personal Data pursuant to an order by a court or administrative body of competent jurisdiction or governmental agency TokenEx shall, if permitted by law, (i) immediately notify CUSTOMER prior to such disclosure; (ii) cooperate with CUSTOMER (at CUSTOMER’s cost and expense) in the event that CUSTOMER elects to legally contest, request confidential treatment for, or otherwise attempt to avoid or limit, such disclosure; and (iii) limit such disclosure to the minimum extent required by law.

(b) TokenEx shall notify CUSTOMER of any suspected Security Incident immediately upon discovery of the Security Incident, but in no event more than forty-eight (48) hours after TokenEx reasonably believes a Security Incident has occurred. As part of such notification, TokenEx shall, to the extent known or can be reasonably determined, identify: (i) the specific Personal Data subject to the Security Incident; (ii) the nature of the unauthorized access, loss, use and/or disclosure; (iii) the person(s) involved in the Security Incident; (iv) the actions taken (or to be taken) by TokenEx to mitigate any deleterious effect of the Security Incident; and (v) the corrective actions taken (or to be taken) by TokenEx to prevent any future Security Incident. In addition, TokenEx shall provide to CUSTOMER such other information as reasonably requested by CUSTOMER with respect to the Security Incident and whether such individual should be provided credit monitoring.

(c) In connection with any suspected Security Incident, TokenEx shall, at its sole cost and expense, be responsible for: (i) investigating the Security Incident; (ii) promptly taking all actions necessary or reasonably requested by CUSTOMER to mitigate the resulting damages; and (iii) providing all consumer notices and/or credit monitoring required by law or appropriate under the circumstances, provided that CUSTOMER will determine, in its sole discretion and pursuant to law, if any individual(s) should be notified of the Security Incident.

(d) At no cost to CUSTOMER, TokenEx will cure any Security Incident to any Information System which TokenEx develops and/or hosts for CUSTOMER, consistent with legal requirements and any forensic services that may require ensuring that evidence is properly preserved.

(e) In addition to any indemnification obligations of TokenEx under the Agreement, TokenEx shall indemnify, defend and hold harmless CUSTOMER, its affiliated companies, and each of their respective officers, directors, employees and agents, from and against any and all claims, actions, liabilities, losses, damages, judgments, awards, fines, penalties, costs and expenses (including reasonable attorneys’ fees and defense costs and amounts paid in investigation, defense or settlement of the foregoing) which may be sustained or suffered by any of them arising out of or based upon a Security Incident or TokenEx’s (including TokenEx’s employees, agents, and subcontractors) breach of this Addendum. NO LIMITATION OF LIABILITY SET FORTH ELSEWHERE IN THE AGREEMENT IS APPLICABLE TO THE FOREGOING INDEMNITY OBLIGATIONS OR TOKENEX’S BREACH OF THIS ADDENDUM.

(f) Inform CUSTOMER if in TokenEx’s opinion, compliance with any instruction of the CUSTOMER would infringe Applicable Law.

6. Assurance of Compliance.

(a) Upon CUSTOMER’s written request, but not more frequently than annually, TokenEx shall certify in writing its compliance with this Addendum. Without limiting the foregoing, upon CUSTOMER’s written request but not more frequently than annually, TokenEx shall provide documentary verification of its compliance with this Addendum and shall allow reasonable inspections and audits by CUSTOMER or its third-party designee(s) to verify such compliance. In connection therewith, CUSTOMER may require formal penetration testing, security logs or other information security tests. TokenEx shall timely comply with all reasonable recommendations that result from such inspections, audits and tests. Any such audit will be conducted at CUSTOMER’s sole expense, except where the audit reveals TokenEx’s material noncompliance with this Addendum, in which case the reasonable cost of the audit will be borne by TokenEx.

(b) In the event any CUSTOMER inspection or audit reveals TokenEx’s noncompliance with this Addendum, or in the event CUSTOMER reasonably suspects any such noncompliance, TokenEx shall perform, upon CUSTOMER’s request and at TokenEx’s expense, a security audit by an independent third party approved by CUSTOMER in writing, to confirm TokenEx’s compliance hereunder. The audit results, along with TokenEx’s written plan for addressing or resolving any noncompliance or deficiencies identified by such audit, shall be provided to CUSTOMER within thirty (30) days of TokenEx’s receipt of such audit results, subject to reasonable confidentiality protections. If the audit finds TokenEx to be in compliance, then the cost associated with the requested audit will be borne by CUSTOMER.

(c) TokenEx shall maintain written policies and procedures regarding its disaster recovery and avoidance procedures, damage assessment and incident handling, and shall, upon CUSTOMER’s reasonable request, provide CUSTOMER with access to such policies and procedures in a manner that allows CUSTOMER to assess TokenEx’s effectiveness in maintaining the protection of Personal Data, including, without limitation, the operation, maintenance and technical controls of TokenEx’s Information System.

(d) TokenEx acknowledges and understands that CUSTOMER has the right to provide a copy of this Agreement and this Addendum, or a summary hereof, to the United States Department of Commerce, or any other regulatory authority, at any time.

7. Termination.

(a) CUSTOMER may terminate the Agreement upon written notice in the event TokenEx is in material breach of any obligation under this Addendum, which default is incapable of cure or which, being capable of cure, has not been cured within thirty (30) days after receipt of notice of such default.

(b) Each provision of this Addendum that by its terms would survive expiration or termination of the Agreement shall so survive.



Security, Privacy and PCI Addendum

This Security, Privacy and PCI Addendum to TokenEx’s Terms of Service (“ToS”) may be modified from time to time. TokenEx shall place any such amendments on its website, at, and provide immediate notice of any such amendments on TokenEx’s Customer Portal.

1. Security Assessments. Commencing on the Effective Date, TokenEx shall and shall cause those Agents who will be hosting the Services or will have access to Customer Data, at their sole cost and expense, engage an AICPA accounting firm to conduct an annual end-to-end SOC 2 Type 2 audit of the trust services principles, security, availability, confidentiality, and controls of the information processing and management systems (including procedures, people, software, data, and infrastructure) used by TokenEx and its Agents in the provision of the Services and the storing, accessing, and processing Customer Data received by TokenEx under the Agreement. Upon request by Customer, TokenEx shall provide a summary of the resulting annual report, including end-user considerations, within thirty (30) business days of Customer’s request. The SOC 2 Report(s) shall be prepared in accordance with attestation standards established by the American Institute of Certified Public Accountants.

2. Audits. Upon reasonable request and no more than once every twelve (12) months, Customer may notify TokenEx in writing of Customer’s intent to conduct either an assessment or an audit of TokenEx relevant to the services being provided to Customer by TokenEx, in order to assess the performance of TokenEx’s obligations hereunder. For purposes of this paragraph, an “assessment” includes responding to written questions and providing limited documentation in respect of the Services being provided Customer by TokenEx; and, an “audit” includes both an assessment and a site visit to TokenEx’s facilities.  Customer shall provide written notice to TokenEx of Customer’s intent to exercise these assessment or audit rights no less than thirty (30) days prior to initiation of any such assessment or audit. The notification shall contain the anticipated start date of the assessment or audit, questions to be answered, documents to be produced or reviewed, areas to be reviewed, and, in the event of an audit, the anticipated on-site arrival date of the auditors. All audits shall be conducted in a reasonable manner during normal business hours and shall not interfere with TokenEx’s business. TokenEx will bear internal costs incident to any such audit (salary of affected employees, etc.) of TokenEx, but only to the extent of One Thousand dollars ($1,000.00) per audit.  Any internal expenses due to salary, etc., in excess of One Thousand dollars ($1,000.00) per audit, shall be billed to Customer at TokenEx’s normal hourly rates.  Each party shall communicate in good faith to agree to terms for an audit visit and adhere to these terms and admit properly identified and authorized employees or representatives of Customer onto TokenEx’s premises. Such access shall be limited to summaries of TokenEx’s policies and reports that relate to the services provided to Customer or a designated representative of Customer.

3. Security Controls. TokenEx shall conduct regular self-testing and independent audits to ensure compliance by Supplier with this Agreement and all applicable Laws and Regulatory Requirements, including all confidentiality, non-disclosure, security, disaster recovery, contingency planning, and obligations applicable to TokenEx and its Agents.

TokenEx has implemented and maintains (a) administrative, technical, and physical safeguards and security controls, (b) data retention, and incident response policies and procedures, and (c) an architecture designed for high-availability that is tailored to and appropriate for the nature and complexity of the Services, and otherwise designed to (i) ensure the security and confidentiality of the Services, personal information, and Customer data, (ii) protect against any anticipated threats or hazards to the security or integrity of the Services, personal information, and the Customer data, and (iii) protect against unauthorized access to or use of the Services, personal information, or the Customer data that could result in substantial harm or inconvenience to Customer, Customer’s affiliates, or Customer’s Customers or employees.

Updating of Security Controls. TokenEx shall evaluate and adjust TokenEx’s security controls to (a) address any reasonable changes or additions to the services, TokenEx’s operations, or the relationship between the parties, (b) address any risks or vulnerabilities reported to or discovered by TokenEx, (c) meet evolving industry standards and best practices, (d) comply with and respond to any changes in privacy laws or other applicable laws, and (e) address any other circumstances that TokenEx believes may have a material impact on the services, or could adversely affect Customer, Customer’s affiliates or Customer’s employees or Customers. TokenEx shall promptly correct any deficiencies or vulnerabilities identified as part of any monitoring, testing, or auditing. Without limiting the foregoing, TokenEx shall develop and implement an action plan for prompt corrective action to eliminate the identified risk, make the action plan available to Customer, and provide all information reasonably requested by Customer and Customer’s regulators in connection with the implementation thereof.

TokenEx shall notify Customer in writing or via email in accordance with TokenEx’s Incident Response Policy in the event of any known or suspected breach of confidentiality or security affecting Customer, Authorized Users and employees, including any known or suspected unauthorized access to or misuse, loss, alteration or destruction of personal information or other Customer data. The initial communication shall describe the nature and impact of the security incident, the actions already taken, and an assessment of the immediate risk. TokenEx shall cooperate in taking all reasonable actions necessary to investigate, respond to, and limit the adverse effects of the security incident on a basis no less favorable than offered to any other affected Customer, and shall participate in Customer’s internal incident response plan where applicable. TokenEx shall coordinate with Customer regarding any notification to regulators, law enforcement, affected individuals, and the press, and shall not notify or otherwise contact any employees or Customers of Customer without Customer’s prior written approval.

4. PCI DSS Compliance. TokenEx has established security procedures and shall make reasonable efforts consistent with industry standards to protect cardholder data, meet all applicable audit requirements and comply with PCI DSS (hereinafter “Payment Card Industry Data Security Standards”) and such other applicable rules, regulations, codes of practice, guidance and industry standards related to the handling and processing of credit card data in force from time to time during the term hereof (“Payment Card Issuer Requirements”), as established by the PCI Security Standards Council.

TokenEx is responsible for the security of cardholder data TokenEx possesses or otherwise stores, processes, or transmits on Customer’s behalf, or to the extent TokenEx could impact the security of Customer’s cardholder data environment.

TokenEx agrees to comply with all applicable PCI DSS requirements to the extent that TokenEx handles, has access to, or otherwise stores, processes or transmits Customer’s cardholder data, or manages Customer’s cardholder data environment.

TokenEx acknowledges that TokenEx is solely responsible for compliance with all applicable PCI DSS requirements for TokenEx’s tokenization products and services, including but not limited to, TokenEx’s tokenization application programming interface (API), , and any vaulting services. Customer agrees to monitor TokenEx’s PCI DSS compliance at least annually.

TokenEx agrees that on request, TokenEx shall provide Customer proof of the current status of TokenEx’s PCI DSS compliance. If TokenEx or any of TokenEx’s subcontractors are no longer in compliance with the Payment Card Issuer Requirements, TokenEx shall (a) notify Customer of the same within twenty-four (24) hours of discovery by TokenEx, and (b) within 72 hours, develop and communicate a remediation plan and timeline for becoming compliant. If TokenEx fails to uphold the foregoing obligations Customer shall have the right to terminate this agreement or any part of the Services, and Customer shall only be obligated to pay for any Products and/or Services satisfactorily delivered.

TokenEx agrees to comply with all applicable laws that require notification of individuals or parties in the event of unauthorized disclosure of cardholder data.  Pursuant to the provisions hereof, in the event of a breach of any of TokenEx’s security obligations relating to PCI or other event requiring notification under applicable law, TokenEx agrees to assume responsibility for informing all such individuals in accordance with applicable laws, and, subject to the indemnity and limitations on liability provisions contained herein.



Service Level Addendum

This Service Level Agreement (“SLA”) outlines TokenEx’s commitments for the end-to-end uptime and critical security incident notifications for TokenEx’s Services. It also sets forth the respective remedies available if TokenEx fails to meet these commitments. This SLA and the credits provided below are TokenEx’s only obligation and Customer’s only remedy for TokenEx’s failure to meet these commitments. Capitalized terms not defined herein will have the same meaning as in the applicable Terms of Service between Customer and TokenEx.

1. Uptime Guarantee

A. TokenEx guarantees end-to-end uptime availability of 99.99% for our services.

B. The following are excluded from this guarantee:

• Routing anomalies, asymmetries, inconsistencies and failures of the Internet outside of TokenEx’s control;

• Maintenance events as defined in Section C below;

• Customer requested or instructed actions, whether performed by the Customer, TokenEx, or a third party, that impacts the availability of Services.

TokenEx proactively monitors infrastructure uptime. The results of these monitoring systems are the exclusive determination of the Services uptime. Not more than once a month and upon request via the Customer Portal, TokenEx will provide Customer with these results.

C. Maintenance Exceptions

Availability. “Availability” means the time in which the Customer is able to connect to and transfer data with the System on a monthly basis, excluding Scheduled Maintenance.

Scheduled Maintenance. “Scheduled Maintenance” means a period for which the Services are scheduled to be unavailable for use by Customer in order to perform preventive maintenance, install upgrades or perform similar work, and for which Customer has been given prior notice of such period. TokenEx shall notify Customer of any scheduled maintenance at least seven days prior to such period.

2. Service Availability and Discounts.

In the event that TokenEx does not meet the applicable Availability levels set forth below, upon Customer’s request through the Customer Portal, TokenEx shall provide the discount set out below to Customer’s next monthly invoice or obligation for the applicable System(s) as sole remedy for not meeting the Availability level. The discount levels do not aggregate. Customer shall not receive a discount if an interruption is (a) caused by Scheduled Maintenance (b) due to any cause beyond TokenEx’s reasonable control, or (c) caused by Customer’s inability to access the System as a result of the failure of Customer’s own systems or providers.

Length of Downtime During the Service Month | Percent Monthly Discount
> 5 minutes - 45 minutes |
> 45 minutes - 7 hours |
> 7 hours |



The payment of service credits will be based solely on the Fees for the Services for the month in which the claim arises and only for the impacted account(s) for the Services. TokenEx will only apply the Service Credits against future Services payments otherwise payable to the Customer. The payment for any single failure shall not exceed fifty percent (50.0%) of the monthly service Fees for the impacted components of the Services. The total cumulative Service Credits claimed by Customer in any given month shall not exceed the amount owed by the Customer for the Services that month.

All Service credit claims should be communicated via a ticket in the Customer Portal within seven (7) calendar days of the incident giving rise to the claim. The notification ticket must express the desire to claim a service credit and state that Customer was affected by the downtime. After notification, Customer has thirty (30) days to deliver any relevant information about the downtime that TokenEx requests. The ticket detailing the impact of the downtime may include any relevant information, including, but not limited to: the impacted server(s), the date, time, and full description of the incident and any logs (if applicable). Failure to provide notification via the portal will disqualify the Customer from receiving a Service credit.

No Service Credits will be given for service interruptions: (i) caused by the action or failure to act by Customer, Customer’s personnel, or any of Customer’s users, (ii) due to failure of any equipment or software provided by the Customer, (iii) which are the result of Scheduled Maintenance, (iv) due to a force majeure event, (v) for which Customer is entitled to a Service Credit for the same or contemporaneous service commitment failure, (vi) for downtime or other problems that may result from the Customer’s use of the Beta Services, or (vii) to the extent TokenEx offers Customer a Self-Service option and that results from the Customer’s use of a Self-Service option.

3. Problem Response and Escalation.

TokenEx’s Customer support services are available twenty-four (24) hours a day, seven (7) days a week via the Customer Portal as well as via a toll-free telephone number which will be provided. Notification to TokenEx of support issues shall be by such portal ticket or telephone number, subject to the provisions hereof. TokenEx shall answer all calls directly within fifteen (15) minutes and engage resources for resolution within thirty (30) minutes for all Severity I and II issues. Additionally, TokenEx shall escalate the level of personnel necessary, up to and including TokenEx’s CTO, to address any such Severity I or II issue as necessary to remedy any such issue as quickly as possible. TokenEx shall return all calls within six (6) hours for Non-Critical and Minor items. The Customer Portal is also available 24x7 for use by the Customer to report any issues or ask any questions.

| Severity Level Condition | Response Interval |
| --- | --- |
| Severity 1: Production System Down - causes major functionality of the program/service to be inoperative | Resources engaged within 30 minutes after notification by telephone to TokenEx. |
| Severity 2: Critical - prevents major functions, processes or specified activities of the program/service from being performed but is not a production-down situation. | Resources engaged within 30 minutes after notification by telephone to TokenEx. |
| Severity 3: Non-Critical - The program/service is usable with limited functions. Error condition is not critical to continuing operation. | Within 6 hours after notification to TokenEx by portal ticket 24/7 or telephone during business hours (7AM-7PM CT). |
| Severity 4: Minor - Program/Service problems that do not impact normal program functions and that are minor or cosmetic in nature. | Within 6 hours after notification to TokenEx by portal ticket 24/7 or telephone during business hours (7AM-7PM CT). |



TokenEx, Inc. Data Processing Addendum

This Data Processing Addendum shall serve as an Addendum to TokenEx Inc.’s Terms of Service (“ToS”) or Master Services Agreement (“MSA”), and is subject to, and controlled by, the terms of those agreements, whichever is applicable. Both shall be referred to herein as “ToS.”

WHEREAS, Customer and TokenEx are parties to a ToS pursuant to which TokenEx provides data security services as ordered by Customer from time to time under the ToS. 

WHEREAS, the parties have agreed to supplement and amend the ToS to the extent required by this Data Processing Addendum, but only to that extent.

In consideration of the mutual obligations in this Data Processing Addendum and payment to TokenEx, the receipt of which is duly acknowledged by TokenEx, the parties agree as follows:



1.1 The Effective Date will be the Effective Date of the ToS, unless otherwise specifically set forth in this Addendum.


2.1 All terms defined in the ToS shall be deemed to have the same meaning in this Data Processing Addendum, other than as specifically amended by this Data Processing Addendum.

2.2 In this Data Processing Addendum, the following terms have the following meanings:

(a) “Personal Data” shall mean all information relating to an identified or identifiable natural person (“Data Subject”) that is Processed by TokenEx as a Data Processor for Customer under this Agreement; an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his/her identity.

(b) “Data Controller” shall mean the natural or legal person or entity which alone or jointly with others determines the purposes and means of the Processing for the purposes of this Agreement.

(c) “Data Processor” shall mean any natural or legal person or entity which processes Personal Data on behalf of and under the strict instructions of the Data Controller for the purposes of this Agreement.

(d) “Data Protection Legislation” means Regulation (EU) 2016/679 (the “GDPR”), in each case along with any national implementing laws, regulations and secondary or supplementary legislation, as amended or updated from time to time, in the EU or UK and any successor legislation to the GDPR, and all other applicable laws and regulations relating to the processing of personal data and privacy applicable to a Data Controller in the Member State in which the Data Controller is established, and amendments and re-enactments of the same, including where applicable the guidance and codes of practice issued by the Data Protection Regulator, and any applicable similar or analogous laws and regulations made outside the United Kingdom;

(e) “Data Protection Authority” means the Information Commissioner’s Office in the EU or UK; and

(f) “Process,” “Processed,” or “Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction;

(g) “Third Party” means any company, other than a TokenEx affiliate, which is engaged by TokenEx for the provision of the Services.


3.1 Customer’s role and obligations. The parties expressly agree that Customer is the Data Controller for the Personal Data Processed for the purpose of the provision of the Services under this Addendum.   Customer, as Data Controller, shall ensure that any Customer Personal Data processed by TokenEx on Customer’s behalf for the purposes of this Addendum is processed in accordance with the Data Protection Regulation and complies with the principles stated in the GDPR.  Accordingly, Customer expressly guarantees:

(a) any Personal Data is processed on the basis of an adequate legal ground as permitted under the Data Protection Legislation.

(b) any Personal Data is processed for a defined, explicit and legitimate purpose.

(c) any Personal Data processed is relevant and non-excessive in consideration of the purpose of the processing.

(d) any Personal Data is and will be maintained accurate and up to date for the entire term of the provision of the Services under this Agreement.

(e) a term of retention has been defined for Personal Data, which is legitimate in consideration of the purpose of the processing and the nature of Personal Data processed.

(f) Complete, clear and accurate information is provided to the Data Subjects whose Personal Data is processed under this Addendum, including, if relevant, information about the fact that Personal Data may be transferred outside the European Economic Area;

(g) Data Subjects whose Personal Data is processed under this Addendum are granted adequate and effective means to exercise their rights with regards to the processing of their Personal Data in accordance with applicable legislation (access, rectification, update, erasure, etc. as applicable). TokenEx shall not be liable in cases where Customer fails to respond to the Data Subject’s request in total, correctly or in a timely manner.

(h) all adequate and necessary formalities, if any, or internal documentation, as per applicable Data Protection Legislation, have been completed with all competent authorities, completed or otherwise retained internally by Customer.

(i) Customer has conducted all relevant verifications and obtained all relevant information which it deems necessary regarding TokenEx and is satisfied that TokenEx provides sufficient guarantees to process Personal Data in accordance with the requirements of Data Protection Legislation.

(j) Customer shall maintain a current and up to date register of data processing activity, and shall provide that register to TokenEx at least annually during the term of this Agreement.

3.2 Nothing in this Addendum or TokenEx’s ToS shall relieve TokenEx of its own direct responsibilities and liabilities under the Data Protection Legislation.

3.3 Customer’s Processing Instructions.  Schedule 1 sets out Customer’s documented instructions related to the scope, nature and purpose of processing of Personal Data by TokenEx, the duration of the processing, the types of Contract Personal Data and categories of Data Subject.  TokenEx shall not process Personal Data other than on Customer’s documented instructions (including the ToS) unless processing is required by applicable law to which TokenEx is subject, in which case TokenEx shall, unless prohibited by applicable law, inform Customer of that legal requirement before the relevant processing of that Personal Data.   Should Customer wish to implement modifications to its instructions, Customer shall notify TokenEx at least thirty (30) days in advance in order for both parties to evaluate Customer’s proposed modification. 

The parties expressly agree that Customer’s modifications to its instructions may have a direct impact on the delivery of the Services which may require a review and modification of the terms of the ToS and this Data Processing Addendum, including the financial terms.  If TokenEx cannot provide such compliance with Customer’s written instructions for whatever reasons, TokenEx agrees to promptly advise Customer of its inability to comply, in which case the Customer is entitled to review and amend its instructions to allow TokenEx to remain in compliance with its obligation.

Customer hereby expressly acknowledges and accepts that TokenEx shall not be bound by any Customer Instructions breaching applicable law (including Data Protection Legislation).  As such, TokenEx shall be entitled to suspend performance on such Instructions until Customer conforms or modifies such Instructions.  In such cases, TokenEx shall provide a prior notice to the Customer of such intended suspension.

3.4 TokenEx’s roles and obligation.  The parties expressly agree that Customer is the Data Controller and TokenEx is the Data Processor in the event TokenEx collects or otherwise processes (including to store) Personal Data on behalf of Customer when performing the Services.  Accordingly, TokenEx will:

(a) ensure that all persons authorised by TokenEx to process the Personal Data are under an enforceable obligation to keep Personal Data strictly confidential;

(b) adopt and maintain appropriate technical and organisational measures specified in Schedule 2 to ensure the Personal Data is kept secure, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, including but not limited to any specific measures agreed between Customer and TokenEx elsewhere in the Contract;

(c) subject to Section 4.1 (Customer Processing Instructions), only transfer the Personal Data in accordance with any reasonable written instructions set forth in Schedule 1 from Customer and take all further steps necessary to ensure that the transfer is and remains in accordance with the Data Protection Legislation;

(d) without limitation and notwithstanding any other obligation under the Agreement, TokenEx shall, (and shall ensure that any sub-processor shall), on request, provide all information and assistance reasonably required by Customer to enable Customer to comply with the Data Protection Legislation in relation to Personal Data, including but not limited to the exercise of the rights of Data Subjects to the extent TokenEx can reasonably have access to Data Subject Personal Information with regard to the Processing of Personal Data performed by TokenEx. Notwithstanding the foregoing, TokenEx shall not respond to any such Data Subject request, inquiry, complaint, or claim relating to Processing of Personal Data without Customer’s prior written consent except to the extent required by the Data Protection Legislation or reasonably necessary to confirm that the request relates to Customer.  TokenEx shall not be liable in cases where Customer fails to respond to the Data Subject’s request in total, correctly or in a timely manner;

(e) ensure that TokenEx has adequate processes and systems in place to comply with its obligations under Clause 2(d) above;

(f) TokenEx shall not communicate any Personal Data or subcontract whole or part of the Processing for the purpose of the provision of the Services under this Agreement to any Third Party (excluding, however, affiliates or authorized subcontractors as stated in Schedule 3 of this Addendum), unless TokenEx has the specific prior written consent of Customer, which shall not be unreasonably withheld. Where Customer objects to TokenEx’s use of such a Third Party subcontractor, Customer shall notify TokenEx in writing within 5 business days after receipt of TokenEx’s written request to appoint a Third Party subcontractor.  In the event Customer objects to a Third Party subcontractor, Customer shall justify its material or legal reasons for such objection.

(g) not modify, amend or alter the contents of the Personal Data or disclose or permit the disclosure of any of the Personal Data to any third party unless specifically approved in advance in writing by Customer;

(h) immediately notify Customer with full details if TokenEx:

(i) becomes aware of any breach of the Data Protection Legislation in relation to the Agreement;

(ii) except as prohibited by the Data Protection Legislation, believes that instructions provided by Customer in respect to the processing of Personal Data are contrary to or would require it to act in a way contrary to the Data Protection Legislation and/or applicable law. Customer shall adapt its instructions in order to comply with such legislation. Such modifications may have a direct impact on the delivery of Services which may require a review and modification of the terms of this Agreement, including, notably, the scope of the Services and the financial terms, to the terms of the Agreement as necessary, including notably, the term of implementation of requested modifications.  In any event, Customer hereby expressly acknowledges and accepts that TokenEx shall not be bound by any Customer instructions breaching applicable law (including applicable Data Protection Legislation).  As such, TokenEx shall be entitled to suspend performance on such instructions until Customer conforms or modifies such instructions.  In such a case, TokenEx shall provide a prior notice to Customer of such intended suspension; or

(iii) subject to Section 4.3(d), receives any request (including from a Data Subject or the Data Protection Regulator) to disclose any Personal Data; provided TokenEx shall not directly respond to such requests except as duly and expressly agreed between the parties as part of the Services under the Agreement;

(i) upon no less than thirty (30) days’ written notice by Customer:

(i) make available to Customer all such information as is reasonably necessary to demonstrate TokenEx’s compliance with Data Protection Legislation;

(ii) shall allow Customer to carry out or have an independent duly appointed third party for its auditing functions, any of whom shall be bound by a strict obligation of confidentiality, to perform an audit of TokenEx’s processing facilities in order to ensure the compliance with the obligations set forth in this Addendum.  TokenEx shall be entitled to reject third party auditors which are competitors of TokenEx.  Such audit operations shall not exceed a period of twelve (12) hours per year, shall occur not more than once per year, shall not hinder or otherwise disrupt in any way TokenEx’s operations or business activities and shall only relate to that part of the relevant infrastructure which processes Customer’s Personal Data.  TokenEx’s assistance in relation to such activity shall be invoiced at TokenEx’s then applicable rates; and

(iii) provide, at Customer’s cost and during normal business hours, all reasonable co-operation, access and assistance in the carrying out of such an audit, and allow Customer the right to take copies of the records or any information relevant to its audit;

(j) notwithstanding any agreed retention periods applicable to Personal Data in the Agreement, on termination of the Agreement, at Customer’s sole election, TokenEx will provide all Personal Data to Customer and/or permanently delete such Personal Data, save where applicable law requires TokenEx to retain Personal Data, in which case TokenEx shall provide Customer with written particulars of any Personal Data so retained. This sub-clause 2(j) shall survive termination of the Agreement.

3.5 Transfers of Customer Personal Data to Third Party Countries. By entering into the Agreement, Customer hereby expressly acknowledges and accepts that Customer Personal Data may be transferred and/or processed by TokenEx, whose headquarters are located outside the European Economic Area.

TokenEx is bound by Model Clauses as approved by the European data protection authorities and as attached as Schedule 4 of this Addendum. 

For purposes of this Agreement, TokenEx commits to comply with and be bound by the terms of the Model Clauses.  Accordingly, Customer hereby expressly consents that Customer Personal Data may be transferred to TokenEx. TokenEx commits to provide adequate information to Data Subjects regarding use of TokenEx as processor which is available at

Upon written request from Customer, TokenEx shall provide Customer with a list of subcontractors used by TokenEx for the provision of the Services.

TokenEx shall ensure that Third Party subcontractors provide an adequate level of protection to Customer Personal Data.  For that purpose, TokenEx commits that any duly authorized subcontractor brought to process Personal Data outside the European Economic Area shall enter into and comply with the obligations set out in appropriate standard contractual clauses for the transfer of Personal Data as set out by the European Commission (or any competent authority) with Customer or with TokenEx, in accordance with the mandate granted above.

3.6 Parties’ compliance with Laws. TokenEx warrants to Customer and Customer warrants to TokenEx that it will fully comply with the provisions of the Data Protection Legislation in carrying out its obligations under the Contract.

4. This Data Processing Addendum has been signed on behalf of each of the parties by a duly authorised signatory.

Signed for and on behalf of  


By        ……………………………………………..

Name   ………………………………………………

Title     ………………………………………………

Date     ………………………………………………

Signed for and on behalf of  


By        ……………………………………………..

Name   ………………………………………………

Title     ………………………………………………

Date     ………………………………………………




This Schedule 1 forms part of the Data Processing Addendum and is incorporated therein.

The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Schedule.

Data Controller

For the purposes of the Data Processing Addendum, the Data Controller is


Data Controller (please specify briefly your activities relevant to the transfer), intend to transfer Personal Data of their customers and customers of their Customers to TokenEx, whose servers are located in the United States and the European Union, for data hosting and storage purposes, as well as web portal hosting services.

Data Processor

The Data Processor is TokenEx, Inc.

The Data Processor, TokenEx, is a provider of data security services (the “Platform”) which processes Personal Data in accordance with the terms of the Agreement. The core purpose of the Platform is to provide data security services in order to allow Platform users authorized by the Data Controller to manage and administer its data.

Data Subjects

The personal data transferred concern the following categories of data subjects (please specify):

  • Current and former customers and customers of clients and business partners and vendors of data controller (who are natural persons)

  • Employees, agents, advisors, freelancers of Data Controller (who are natural persons)

  • Data controller’s Users authorized by data controller to use the TokenEx Services

  • _______________________________________

  • _______________________________________

  • _______________________________________

Categories of data

The personal data transferred concern the following categories of data (please specify):

The following data categories are associated with Account Data:

  • First and last name

  • Contact details (e.g., email, phone, physical address)

  • Salutation

The following data categories are associated with Services Data: [please enumerate]

  • _______________________________________

  • _______________________________________

  • _______________________________________

  • _______________________________________

Special categories of data (if appropriate)

The personal data transferred concern the following special categories of data (please specify):

  • _______________________________________

  • _______________________________________

  • _______________________________________

Processing operations

The personal data transferred will be subject to the following basic processing activities (please specify):

  • The purpose of the data processing is to provide global data hosting and storage, as well as web application hosting services.

  • The Data Processor will, through authorized personnel, perform the following processing services:

    • provide the Services pursuant to the terms of the Agreement;

    • maintain storage of the Data Controller’s personal data that is contained within TokenEx’s Services;

    • enable the Data Controller to access, modify, enhance and/or delete its personal data maintained on or within TokenEx’s Services;

    • prevent unauthorized access to or modification of the Data Controller’s personal data by Data Processor’s employees;

    • enable the Data Controller to generate standardized reports and analysis regarding its personal data.

  • The Data Processor shall not make any copy of the personal data without informing the Data Controller, unless it is a security copy required to duly perform the data processing, or unless it is required to comply with applicable statutory retention periods.

  • As soon as the parties agree that the Data Processor shall cease the provision of the data processing services, the Data Controller may extract the transferred personal data and the Data Processor shall delete such data, or otherwise comply with the instructions of Data Controller, as provided in the Agreement.



This Schedule 2 forms part of the Data Processing Addendum and is incorporated into the Data Processing Addendum.

Description of the technical and organizational security measures implemented by the Data Processor in accordance with Section 4.2(b) of the Data Processing Addendum:

Data Processor will maintain administrative, physical, and technical safeguards for protection of the security, confidentiality and integrity of Personal Data uploaded to the TokenEx secure customer portal and stored on other TokenEx controlled systems including the secure virtual servers provided by TokenEx for Customer to store Customer Services Data.

TokenEx maintains an information security program that has been certified against the ISO/IEC 27001:2013 standard.  The program includes an information security policy, and other corporate policies and procedures that are designed to give TokenEx the capability to protect non-public personal information consistent with applicable federal, state, and international regulations.  In addition to ISO 27001 certification, TokenEx also holds unqualified SSAE 16 SOC 2 Type II reports that further validate TokenEx’s information security program.

Users of confidential and private information within TokenEx aim to keep the volume of such material to a reasonable level in proportion to the business responsibilities and services being delivered to customers, employees, and other parties.

Personnel security measures include employees undergoing a multi-component background check as part of the hiring process in accordance with applicable law. Employees are required to sign confidentiality and non-disclosure agreements as a condition of employment.

Vendor management procedures are in place to review contractors, business partners, and vendors that will have access to confidential information.

TokenEx’s secure cloud hosting environments, including all of the Services TokenEx provides to customers, have been validated against the Payment Card Industry Data Security Standard v3.2 and the HITRUST CSF.  These validations require controls designed to help protect the confidentiality and integrity of Customer Services Data.  These controls include the following:

  • IP Reputation Management

  • DoS/DDoS mitigation

  • Web Application Firewalls

  • Network Intrusion Detection (NIDS)

  • Hypervisor based network firewall resident on each Customer virtual server

  • Managed anti-malware/anti-virus protection

  • Operating system file integrity monitoring

  • Operating system patching

  • Operating system log management

TokenEx provides for only secure, encrypted remote access by Customer for administrative access to its servers and controls TokenEx support staff access to Customer servers for support purposes via secure, two factor authenticated jump servers and a privileged access management system that logs and fully records each TokenEx session. 

Data Processor will not materially decrease the overall security of the TokenEx Services during the Term.



This Schedule 3 forms part of the Data Processing Addendum and is incorporated therein.

Description of the subcontractors used by the Data Processor and the purposes for which the subcontractor’s services are utilized in accordance with Section 4.2(f) of the Data Processing Addendum:




Personal Data Processed

Applicable Services

Armor Defense, Inc.

Secure Hosting Services

Client Data


BraveSoft, Inc.

DBA Services





Business Associate Agreement

TokenEx and the entity identified in the text box below, on behalf of itself and any of its affiliates and subsidiaries providing services to TokenEx (collectively “Subcontractor”), agree to the following terms (the “Agreement”). TokenEx and Subcontractor each are referred to as a “Party” and collectively as the “Parties”. Capitalized terms contained in the text box below (“Text Box”) shall have the meaning specified in the Text Box. This Agreement shall commence on the Effective Date, as set forth in the Text Box. If no Effective Date is set forth in the Text Box, the Effective Date shall occur when this Agreement has been signed by both Parties.

Effective Date:


Legal Name:

TokenEx, Inc.




PO Box 521068

City, State, Zip:

Tulsa, OK 74152

Contact Name and Title:

Heather Foster

Phone Number:



State of Incorporation:


Authorized Signer’s Name and Title

Jeffrey Rudd, CFO

Authorized Signer’s Email:

Authorized Signer’s Phone Number:

877-316-4544 103




WHEREAS, pursuant to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and the Health Information Technology for Economic and Clinical Health Act of 2009 (“HITECH”), the U.S. Department of Health & Human Services (“HHS”) promulgated the Privacy Standards, the security standards at 45 C.F.R. Parts 160 and 164, Subparts A and C (the “Security Standards”), and the breach notification standards at 45 C.F.R. Part 164, Subpart D (the “Breach Notification Standards”) requiring certain individuals and entities subject to these standards to protect the privacy and security of certain individually identifiable health information including electronic individually identifiable health information;

WHEREAS, the Parties wish to comply with Privacy Standards, Security Standards, and Breach Notification Standards as may be revised or amended by HHS from time to time;

WHEREAS, in connection with Subcontractor’s performance under its agreement(s) and/or other documented arrangements between Subcontractor and TokenEx, whether in effect as of the Effective Date or which become effective at any time during the term of this Agreement (collectively “Business Arrangements”), Subcontractor may provide services for or on behalf of TokenEx that requires Subcontractor to use, disclose, receive, access, create, maintain and/or transmit health information that is protected by state and/or federal law; and

WHEREAS, Subcontractor and TokenEx desire that Subcontractor obtain access to PHI and EPHI in accordance with the terms specified herein;

NOW, THEREFORE, in consideration of the mutual promises set forth in this Agreement and the Business Arrangements, and other good and valuable consideration, the sufficiency and receipt of which are hereby severally acknowledged, the Parties agree as follows:

1. Business Associate Obligations.

In accordance with this Agreement and the Business Arrangements, Subcontractor may use, disclose, access, create, maintain, transmit and/or receive on behalf of  TokenEx health information that is protected under applicable state and/or federal law, including without limitation, PHI and EPHI.  Subcontractor acknowledges and agrees it meets the definition of a “business associate” at 45 C.F.R. §160.103.  All capitalized terms not otherwise defined in this Agreement or in the Text Box shall have the meanings set forth in the Privacy Standards, Security Standards, the Breach Notification Standards, HIPAA or the HITECH Act, as applicable and as may be amended from time to time (collectively referred to hereinafter as the “Confidentiality Requirements”).  PHI shall mean any and all Protected Health Information, including Electronic Protected Health Information that Subcontractor (or its Agents, as defined in Section 3.2) uses, discloses, accesses, creates, maintains, transmits and/or receives for or on behalf of TokenEx pursuant to the Business Arrangements. “EPHI” shall mean PHI transmitted or maintained in electronic media. The Parties hereby acknowledge that the definition of PHI includes “Genetic Information” as set forth at 45 C.F.R. §160.103.  To the extent the Subcontractor is to carry out an obligation of TokenEx under the Confidentiality Requirements, the Subcontractor shall comply with the provision(s) of the Confidentiality Requirements that would apply to TokenEx (as applicable) in the performance of such obligation(s).

2. Use of PHI.

Except as otherwise Required By Law, Subcontractor shall use PHI in compliance with this Agreement and 45 C.F.R. §164.504(e). Subcontractor agrees not to use (or permit the use) of PHI in a manner that would violate the Confidentiality Requirements if the PHI were used by TokenEx in the same manner. Furthermore, Subcontractor shall use PHI: (i) solely for the benefit of TokenEx and only for the purpose of performing services for or on behalf of TokenEx as such services are defined in the Business Arrangements; and (ii) as necessary for the proper management and administration of Subcontractor or to carry out its legal responsibilities; provided that such uses are permitted under federal and applicable state law. TokenEx shall retain all rights in the PHI not granted herein. Except as necessary to perform services for TokenEx under the Business Arrangements, Subcontractor may not de-identify PHI or other identifiable data without the express written authorization of TokenEx. All de-identification of PHI must be performed in accordance with the Confidentiality Requirements, specifically, 45 C.F.R. §164.514(b).

3. Disclosure of PHI.

3.1 Subject to any limitations in this Agreement, Subcontractor may disclose PHI to any third party as necessary to perform its obligations under the Business Arrangements and as permitted or required by applicable law. Subcontractor agrees not to disclose (or permit the disclosure of) PHI in a manner that would violate the Confidentiality Requirements if the PHI was disclosed by TokenEx in the same manner. Further, Subcontractor may disclose PHI for the proper management and administration of Subcontractor; provided that: (i) such disclosures are required by law; or (ii) Subcontractor: (a) obtains reasonable assurances from any third party to whom the PHI is disclosed that the PHI will be held confidential and used and disclosed only as required by law or for the purpose for which it was disclosed to the third party; and (b) requires the third party to agree to immediately notify Subcontractor of any instances of which it is aware that PHI is being used or disclosed for a purpose that is not otherwise provided for in this Agreement or for a purpose not expressly permitted by the Confidentiality Requirements.  Subcontractor shall report to TokenEx any use or disclosure of PHI not permitted by this Agreement of which it becomes aware.  Such report shall be made within five (5) business days of Subcontractor becoming aware of such use or disclosure and, if known to Subcontractor, Subcontractor shall identify in writing for TokenEx the PHI impacted by and scope of impact of such use or disclosure. 

3.2 If Subcontractor uses or contracts with any agent, including a subcontractor (collectively, “Vendor Subcontractors”) that uses, discloses, creates, accesses, receives, maintains or transmits PHI on behalf of the Subcontractor, Subcontractor shall require its Vendor Subcontractors to agree in writing to the same restrictions and conditions that apply to Subcontractor under this Agreement, including but not limited to 45 C.F.R. §§164.314, 164.410, 164.502 and 164.504(e). In addition to Subcontractor’s obligations under Section 9, Subcontractor agrees to mitigate, to the extent practical and unless otherwise requested by TokenEx in writing, any harmful effect that is known to Subcontractor and is the result of a use or disclosure of PHI by Subcontractor or any of its Vendor Subcontractors in violation of this Agreement.  Additionally, Subcontractor shall ensure that all disclosures of PHI by Subcontractor and its Vendor Subcontractors comply with the principle of “minimum necessary use and disclosure,” (i.e., in accordance with 45 C.F.R. §164.502(b), only the minimum PHI that is necessary to accomplish the intended purpose may be disclosed).

4. Individual Rights Regarding Designated Record Sets.

If Subcontractor maintains a Designated Record Set on behalf of TokenEx, Subcontractor shall:  (i) provide access to and permit inspection and copying of PHI by TokenEx, as required under 45 C.F.R. §164.524, as it may be amended from time to time; and (ii) amend PHI maintained by Subcontractor as requested by TokenEx.  Subcontractor shall respond to any request from TokenEx for access by an Individual within five (5) business days of such request and shall make any amendment requested by TokenEx within ten (10) business days of such request.  Any information requested under this Section 4 shall be provided in the form or format requested, if it is readily producible in such form or format.  Subcontractor may charge a reasonable fee based upon Subcontractor’s labor costs in responding to a request for electronic information (or a cost-based fee for the production of non-electronic media copies).  Subcontractor shall notify TokenEx within five (5) business days of receipt of any request for access or amendment by an Individual.  TokenEx, not Subcontractor, shall determine whether to grant or deny any access to or amendment of PHI requested by an Individual, provided that nothing in this Agreement shall restrict Subcontractor’s ability to provide access or a copy of PHI as provided for by Section 13405(e) of HITECH, as amended, or any regulations promulgated pursuant to such provision in compliance with the Confidentiality Requirements.  Subcontractor shall have a process in place for receiving requests for amendments and for appending such requests to the Designated Record Set when requested by TokenEx.

5. Accounting of Disclosures.

Subcontractor shall make available, within twenty (20) business days of a request by TokenEx for information required for an accounting of disclosures of PHI in accordance with 45 C.F.R. §164.528 (or such shorter time as may be required by state or federal law).  Such accounting must be provided without cost if it is the first accounting requested within any twelve (12) month period.  For subsequent accountings within the same twelve (12) month period, Subcontractor may charge a reasonable fee based upon Subcontractor’s labor costs in responding to a request for electronic information (or a cost-based fee for the production of non-electronic media copies) only after Subcontractor informs TokenEx and TokenEx informs the Individual in advance of the fee, and the Individual is afforded an opportunity to withdraw or modify the request.  Such accounting obligations shall survive the expiration or termination of this Agreement and with respect to any disclosure, whether on or before the termination of this Agreement, shall continue for a minimum of seven (7) years following the date of such disclosure.

6. Withdrawal of Authorization.

If the use or disclosure of PHI under this Agreement is based upon an Individual’s specific authorization regarding the use of his or her PHI, and: (i) the Individual revokes such authorization in writing; (ii) the effective date of such authorization has expired; or (iii) the authorization is found to be defective in any manner that renders it invalid for whatever reason, then Subcontractor agrees, if it has received notice from TokenEx regarding such revocation or invalidity, to cease the use and disclosure of any such Individual’s PHI except to the extent Subcontractor has relied on such use or disclosure, or where an exception under the Confidentiality Requirements expressly applies.

7. Records and Audit.

Subcontractor shall make available to HHS or its agents its internal practices, books, and records reasonably relating to the compliance of Subcontractor and TokenEx with the Confidentiality Requirements, such internal practices, books and records to be provided in the time and manner designated by HHS or its agents.  Except to the extent prohibited by law, Subcontractor agrees to notify TokenEx immediately upon receipt by Subcontractor of any and all requests by or on behalf of any and all federal, state, and local government authorities served upon Subcontractor requesting PHI or investigating compliance with the Confidentiality Requirements.

8. Implementation of Security Standards; Notice of Security Incidents.

Subcontractor will comply with the Security Standards and, by way of example and not limitation, use appropriate safeguards to prevent the use or disclosure of PHI other than as expressly permitted under this Agreement.  In accordance with the Security Standards, Subcontractor will implement administrative, physical, and technical safeguards that protect the confidentiality, integrity and availability of the PHI that it uses, discloses, accesses, creates, receives, maintains or transmits.  To the extent feasible, Subcontractor will use commercially reasonable efforts to ensure that the technology safeguards used by Subcontractor to secure PHI will render such PHI unusable, unreadable and indecipherable to individuals unauthorized to acquire or otherwise have access to such PHI in accordance with HHS Guidance published at 74 Federal Register 19006 (April 17, 2009) or such later regulations or guidance promulgated by HHS or issued by the National Institute for Standards and Technology (“NIST”) concerning the protection of identifiable data such as PHI.  Subcontractor will promptly report to TokenEx any Security Incident of which it becomes aware; provided, however, that TokenEx acknowledges and shall be deemed to have received notice from Subcontractor that there are routine occurrences of: (i) unsuccessful attempts to penetrate computer networks or services maintained by Subcontractor; and (ii) immaterial incidents such as “pinging” or “denial of services” attacks.  At the request of TokenEx, Subcontractor shall identify:  the date of the Security Incident, the scope of the Security Incident, Subcontractor’s response to the Security Incident, and to the extent permitted by law, the identification of the party responsible for causing the Security Incident, if known.

9. Data Breach Notification and Mitigation.

9.1 HIPAA Data Breach Notification and Mitigation. Subcontractor agrees to implement reasonable systems for the discovery and prompt reporting of any “breach” of “unsecured PHI” as those terms are defined by 45 C.F.R. §164.402 (“HIPAA Breach”).  The Parties acknowledge that 45 C.F.R. §§164.404 and 164.410, as described below in this Section 9.1, govern the determination of the date of a HIPAA Breach.  In the event of any conflict between this Section 9.1 and the Confidentiality Requirements, the more stringent requirements shall govern.  Following the discovery of a HIPAA Breach, Subcontractor will notify TokenEx immediately and in no event later than five (5) business days after Subcontractor discovers such HIPAA Breach unless Subcontractor is prevented from doing so by 45 C.F.R. §164.412 concerning law enforcement investigations.  If known to Subcontractor, Subcontractor shall identify in writing for TokenEx the data impacted by and scope of impact of a HIPAA Breach (e.g., Individuals from which the PHI that was subject to the HIPAA Breach originated and/or databases, instances, etc. impacted by the HIPAA Breach) no later than five (5) business days following a HIPAA Breach.  For purposes of reporting a HIPAA Breach to TokenEx, the discovery of a HIPAA Breach shall occur as of the first day on which such HIPAA Breach is known to Subcontractor, or, by exercising reasonable diligence would have been known to Subcontractor.  Subcontractor will be considered to have had knowledge of a HIPAA Breach if the HIPAA Breach is known, or by exercising reasonable diligence would have been known, to any person (other than the person committing the HIPAA Breach) who is an employee, officer or other agent of Subcontractor.  No later than seven (7) business days following a HIPAA Breach, Subcontractor shall provide TokenEx with sufficient information to permit TokenEx to comply with the HIPAA Breach notification requirements set forth at 45 C.F.R. §164.400 et seq.  
Additionally, if the following information is known to (or can be reasonably obtained by) Subcontractor, Subcontractor will provide TokenEx with:  (i) contact information for Individuals who were or who may have been impacted by the HIPAA Breach (e.g., first and last name, mailing address, street address, phone number, email address); (ii) a brief description of the circumstances of the HIPAA Breach, including the date of the HIPAA Breach and date of discovery; (iii) a description of the types of unsecured PHI involved in the HIPAA Breach (e.g., names, social security number, date of birth, address(es), account numbers of any type, disability codes, diagnostic and/or billing codes and similar information); (iv) a brief description of what Subcontractor has done or is doing to investigate the HIPAA Breach, mitigate harm to the Individual impacted by the HIPAA Breach, and protect against future HIPAA Breaches; and (v) appoint a liaison and provide contact information for same so that TokenEx may ask questions or learn additional information concerning the HIPAA Breach.  Following a HIPAA Breach, Subcontractor will have a continuing duty to inform TokenEx of new information learned by Subcontractor regarding the HIPAA Breach, including but not limited to the information described in items (i) through (v) above.  This Section 9.1 shall survive the expiration or termination of this Agreement and shall remain in effect for so long as Subcontractor maintains PHI.

9.2 Data Breach Notification and Mitigation Under Other Laws. In addition to the requirements of Section 9.1, Subcontractor agrees to implement reasonable systems for the discovery and prompt reporting of any breach of individually identifiable information (including but not limited to PHI and referred to hereinafter as “Individually Identifiable Information”) that, if misused, disclosed, lost or stolen, would trigger an obligation under one or more State data breach notification laws (each a “State Breach”) to notify the individuals who are the subject of the information.  Subcontractor agrees that in the event any Individually Identifiable Information is lost, stolen, used or disclosed in violation of one or more State data breach notification laws, Subcontractor shall promptly:  (i) notify TokenEx within five (5) business days of such State Breach; (ii) if known to Subcontractor, identify in writing for TokenEx the individuals impacted by and scope of impact of any State Breach (e.g., individuals from which the Individually Identifiable Information that was subject to a State Breach originated and/or databases, instances, etc. impacted by the State Breach) no later than five (5) business days following such State Breach; (iii) cooperate and assist TokenEx with any investigation into any State Breach or alleged State Breach; (iv) cooperate and assist TokenEx with any investigation into any State Breach or alleged State Breach conducted by any State Attorney General or State Consumer Affairs Department (or their respective agents); (v) cooperate with TokenEx regarding the respective obligations of TokenEx and Subcontractor to mitigate to the extent practicable any potential harm to the individuals impacted by the State Breach; and (vi) assist with the implementation of any decision by any State agency, including any State Attorney General or State Consumer Affairs Department (or their respective agents), to notify individuals impacted or potentially impacted by a State Breach.  This Section 9.2 shall survive the expiration or termination of this Agreement and shall remain in effect for so long as Subcontractor maintains PHI or Individually Identifiable Information.

9.3 Breach Indemnification. Subcontractor shall indemnify, defend and hold TokenEx and their respective officers, directors, employees, agents, successors and assigns harmless from and against any and all losses, claims, actions, demands, liabilities, damages, costs and expenses (including costs of judgments, settlements, court costs and reasonable attorneys’ fees actually incurred) (collectively “Information Disclosure Claims”) arising from or related to: (i) the use or disclosure of Individually Identifiable Information (including PHI) in violation of the terms of this Agreement or applicable law; and (ii) whether in oral, paper or electronic media, any HIPAA Breach of unsecured PHI and/or State Breach of Individually Identifiable Information.  If Subcontractor assumes the defense of an Information Disclosure Claim,  TokenEx shall  have the right, at its expense, to participate in the defense of such Information Disclosure Claim.  Subcontractor shall not take any final action with respect to any Information Disclosure Claim without the prior written consent of TokenEx.  To the extent permitted by law, Subcontractor shall be fully liable to TokenEx for any acts, failures or omissions of its Vendor Subcontractors and agents in furnishing the services as if they were Subcontractor’s own acts, failures or omissions.  For purposes of this Section 9.3, PHI and Individually Identifiable Information shall refer to PHI and Individually Identifiable Information used, disclosed, accessed, created, maintained, received or transmitted by, and/or under the direction or control of, Subcontractor and/or its Vendor Subcontractors at the time of any HIPAA Breach and/or State Breach.  This Section 9.3 shall survive the expiration or termination of this Agreement and shall remain in effect for so long as Subcontractor maintains PHI or Individually Identifiable Information.

10. Term and Termination.

10.1 Termination. This Agreement shall remain in effect until terminated in accordance with the terms of this Section 10; provided, however, that termination shall not affect the respective obligations or rights of the Parties arising under this Agreement prior to the effective date of termination, all of which shall continue in accordance with their terms.

10.2 Termination without Cause. TokenEx shall have the right to terminate this Agreement for any reason upon thirty (30) days written notice to Subcontractor.

10.3 Termination with Cause. Either Party may immediately terminate this Agreement as set forth in this Section 10.3 (the “Terminating Party”) and shall have no further obligations to the other Party (the “Terminated Party”) hereunder if either of the following events shall have occurred and are continuing:

a. The Terminated Party fails to observe or perform any material covenant or obligation contained in this Agreement for ten (10) days after written notice thereof has been given to the Terminated Party;

b. A material violation by the Terminated Party of any provision of the Confidentiality Requirements or applicable federal or state privacy law relating to the obligations of the Terminated Party under this Agreement.

10.4 TokenEx May Terminate Business Arrangements if Subcontractor is Terminated for Cause. Termination of this Agreement for either of the two reasons set forth in Section 10.3 above shall be cause for TokenEx to immediately terminate for cause any Business Arrangement pursuant to which Subcontractor uses, discloses, accesses, receives, creates, maintains or transmits PHI for or on behalf of TokenEx.

10.5 Termination Upon Conclusion of Business Arrangements. Upon the expiration or termination of all Business Arrangements, either TokenEx or Subcontractor may terminate this Agreement by providing written notice to the other Party.

10.6 Return of PHI Upon Termination. Upon termination of this Agreement for any reason, Subcontractor agrees either to return all PHI or to destroy all PHI received from  TokenEx or otherwise through the performance of services under the Business Arrangements that is in the possession or control of Subcontractor or its Subcontractors.  In the case of PHI for which it is not feasible to return or destroy, Subcontractor shall extend the protections of this Agreement to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as Subcontractor maintains such PHI.  Subcontractor shall comply with other applicable state or federal law, which may require a specific period of retention, redaction, or other treatment of such PHI.  This Section 10.6 shall survive the expiration or termination of this Agreement and shall remain in effect for so long as Subcontractor maintains PHI.

11. No Warranty.


12. Ineligible Persons.

Subcontractor represents and warrants that Subcontractor and its directors, officers, and key employees:  (i) are not currently excluded, debarred, or otherwise ineligible to participate in the federal health care programs as defined in 42 U.S.C. §1320a-7b(f) or any state healthcare program (collectively, the “Healthcare Programs”); (ii) have not been convicted of a criminal offense related to the provision of healthcare items or services but have not yet been excluded, debarred, or otherwise declared ineligible to participate in the Healthcare Programs; and (iii) are not under investigation or otherwise aware of any circumstances which may result in Subcontractor being excluded from participation in the Healthcare Programs (collectively, the “Warranty of Non-exclusion”). Subcontractor’s representations and warranties underlying the Warranty of Non-exclusion shall be ongoing during the Term, and Subcontractor shall immediately notify TokenEx of any change in the status of the representations and warranties set forth in this Section 12.  Any breach of this Section 12 shall give TokenEx the right to terminate this Agreement immediately.

13. Waiver.

No provision of this Agreement or any breach thereof shall be deemed waived unless such waiver is in writing and signed by the Party claimed to have waived such provision or breach. No waiver of a breach shall constitute a waiver of or excuse any different or subsequent breach.

14. Assignment.

Neither Party may assign (whether by operation of law or otherwise) any of its rights or delegate or subcontract any of its obligations under this Agreement without the prior written consent of the other Party.  Notwithstanding the foregoing, TokenEx shall have the right to assign its rights and obligations hereunder to any entity that is an affiliate or successor of TokenEx, whether by merger, acquisition, change in control, or other transaction involving the sale of all or substantially all of TokenEx’s assets, without the prior approval of Subcontractor.

15. Severability.

Any provision of this Agreement that is determined to be invalid or unenforceable will be ineffective to the extent of such determination without invalidating the remaining provisions of this Agreement or affecting the validity or enforceability of such remaining provisions.

16. Governing Law.

This Agreement shall be governed by and interpreted in accordance with the laws of the state of Delaware, excluding its conflicts of laws provisions. Any disputes arising out of this Agreement shall be subject to binding and final arbitration, pursuant to the Federal Arbitration Act (as amended from time to time).

17. Equitable Relief.

Subcontractor understands and acknowledges that any disclosure or misappropriation of any PHI in violation of this Agreement will cause TokenEx irreparable harm, the amount of which may be difficult to ascertain, and therefore agrees that TokenEx shall have the right to apply to a court of competent jurisdiction for specific performance and/or an order restraining and enjoining any such further disclosure or breach and for such other relief as TokenEx shall deem appropriate.  Such right of TokenEx is to be in addition to the remedies otherwise available to TokenEx at law or in equity.  Subcontractor expressly waives the defense that a remedy in damages will be adequate and further waives any requirement in an action for specific performance or injunction for the posting of a bond by TokenEx.

18. Nature of Agreement; Independent Contractor.

Nothing in this Agreement shall be construed to create: (i) a partnership, joint venture or other joint business relationship between the Parties or any of their affiliates or TokenEx’s; or (ii) a relationship of employer and employee between the Parties.  Subcontractor is an independent contractor and not an agent of TokenEx.  This Agreement does not express or imply any commitment to purchase or sell goods or services.

19. Counterparts; Execution.

This Agreement and any amendments hereto may be executed by the Parties hereto individually or in any combination, in one or more counterparts, each of which shall be an original and all of which shall together constitute one and the same agreement.  Execution and delivery of this Agreement and any amendments by the Parties shall be legally valid and effective through (i) executing and delivering the paper copy of the document, (ii) transmitting the executed paper copy of the document by facsimile transmission, or electronic mail in “portable document format” (“.pdf”) or other electronically scanned format, or (iii) creating, generating, sending, receiving or storing by electronic means this Agreement and any amendments, the execution of which is accomplished through use of an electronic process and executed or adopted by a Party with the intent to execute this Agreement (i.e., “electronic signature” through a process such as DocuSign®).

20. Entire Agreement.

This Agreement constitutes the complete agreement between Subcontractor and TokenEx relating to the matters specified in this Agreement and supersedes all prior representations or agreements, whether oral or written, with respect to such matters.  In the event of any conflict between the terms of this Agreement and the terms of the Business Arrangements or any such later agreement(s), the terms of this Agreement shall control unless the terms of such Business Arrangements are stricter with respect to PHI and comply with the Confidentiality Requirements, or the Parties specifically otherwise agree in writing.  No oral modification or waiver of any of the provisions of this Agreement shall be binding on either Party to this Agreement or on TokenEx; provided, however, that upon the enactment of any law, regulation, court decision or relevant government publication and/or interpretive guidance or policy that TokenEx believes in good faith will adversely impact the use or disclosure of PHI under this Agreement, TokenEx may amend the Agreement to comply with such law, regulation, court decision or government publication, guidance or policy by delivering a written amendment to Subcontractor which shall be effective thirty (30) calendar days after receipt and written acceptance by TokenEx, not to be unreasonably withheld.  No obligation on either Party to enter into any transaction is to be implied from the execution or delivery of this Agreement. This Agreement is for the benefit of, and shall be binding upon the Parties, their affiliates and respective successors and assigns.

21. Notice.

All notices, requests, demands and other communications required or permitted to be given or made under this Agreement shall be in writing, shall be effective upon receipt or attempted delivery, and shall be sent by:  (i) personal delivery; (ii) certified or registered United States mail, return receipt requested; (iii) overnight delivery service with proof of delivery; or (iv) facsimile with return facsimile acknowledging receipt.  Notices shall be sent to the addresses below.  No Party to this Agreement shall refuse delivery of any notice hereunder.
