Master Subscription Agreement

UPStandards LLC Healthcare SaaS Platform

Effective Date: May 6, 2026 · Version v2

This Master Subscription Agreement (the "Agreement") is entered into as of May 6, 2026 by and between UPStandards LLC, a California limited liability company ("UPStandards"), and the customer identified in the applicable Order Form ("Customer"). UPStandards and Customer may each be referred to as a "Party" and together as the "Parties."

This Agreement is intended for covered-entity customers using UPStandards for accreditation readiness, facility compliance rounds, clinical chart audit workflows, policy and procedure management, and survey-readiness reporting. It is drafted as the commercial umbrella agreement for the UPStandards platform. The HIPAA Business Associate Agreement, any Part 2 Addendum, any Data Processing Addendum, and any executed Order Form are incorporated as provided below.

1. Definitions

"Affiliate" means an entity that directly or indirectly controls, is controlled by, or is under common control with a Party.

"Authorized User" means an employee, contractor, workforce member, consultant, or other individual authorized by Customer to access the Services under Customer account credentials.

"BAA" means the HIPAA Business Associate Agreement between the Parties governing Protected Health Information handled by UPStandards as Business Associate.

"Customer Data" means data, records, files, text, audit results, facility round information, policy content, reports, and other information submitted to, stored in, generated through, or otherwise processed by the Services on behalf of Customer, including PHI to the extent present.

"Documentation" means user guides, help materials, policies, technical specifications, feature descriptions, and similar materials made available by UPStandards for use of the Services.

"Order Form" means an ordering document, online checkout flow, written quote, purchase schedule, or other ordering instrument accepted by UPStandards that identifies the subscription tier, sites, billing cycle, fees, and other commercial terms.

"Part 2 Records" means patient identifying information subject to 42 CFR Part 2, to the extent such information is submitted to or processed by the Services.

"Services" means the UPStandards software-as-a-service platform, hosted services, features, modules, support, Documentation, and related services purchased by Customer under an Order Form.

"Site" means a separately licensed customer location, facility, program, clinic, or operating unit using the Services.

"Subscription Term" means the monthly, annual, trial, renewal, or other period identified in an Order Form.

2. Platform Scope and Limited Data Model

2.1 UPStandards is an accreditation and compliance workflow tool. It is designed to help behavioral health programs prepare for and maintain accreditation with The Joint Commission, CARF, or similar accreditation bodies by organizing compliance rounds, clinical chart audits, policy library materials, audit scoring, reviewer notes, and survey-readiness reporting.

2.2 UPStandards is not an electronic health record, clinical documentation system, billing platform, patient portal, utilization-management platform, treatment-planning system, or substitute for Customer clinical judgment. Customer remains solely responsible for clinical care, patient communications, patient consents, diagnosis, treatment planning, progress notes, prescription decisions, billing, and the content and legal sufficiency of Customer medical records.

2.3 The Parties acknowledge that UPStandards is intended to process only a narrow subset of information needed for accreditation audit workflows. Customer shall not upload or enter diagnosis details, treatment plan content, progress notes, full medical records, lab results, imaging, prescriptions, billing PHI, financial PHI, or other information not reasonably necessary for Customer use of the Services unless UPStandards expressly agrees in writing to support that data category.

3. Access Rights; Account Administration

3.1 Subject to this Agreement and the applicable Order Form, UPStandards grants Customer a limited, non-exclusive, non-transferable, non-sublicensable right during the Subscription Term to access and use the Services for Customer internal accreditation, quality, compliance, policy-management, and survey-readiness operations.

3.2 Customer is responsible for designating account administrators, managing Authorized User access, assigning role-based permissions, disabling access promptly when no longer needed, and maintaining the confidentiality of account credentials. Customer is responsible for all activity occurring under Customer accounts except to the extent caused by UPStandards' breach of this Agreement.

3.3 Customer shall ensure that all Authorized Users comply with this Agreement, the Documentation, Customer policies, applicable law, and applicable patient confidentiality requirements. Customer shall not share credentials or permit use by persons other than Authorized Users.

4. Ordering, Sites, Tiers, Trials, and Billing

4.1 Customer may purchase subscriptions by Site, tier, billing cycle, or other metric stated in an Order Form. Unless otherwise stated in an Order Form, subscriptions are purchased per Site and may not be shared across unaffiliated facilities or programs.

4.2 The Services may be offered in multiple subscription tiers currently expected to range from approximately $179 to $249 per Site per month. Actual fees, included features, usage limits, renewal terms, and billing cycle will be as stated in the applicable Order Form or online checkout record.

4.3 If UPStandards offers a 30-day free trial, the trial begins when Customer first receives access or accepts the trial terms. Unless the Order Form states otherwise, at the end of the trial Customer access may expire, downgrade, or convert to a paid subscription only if Customer has provided a valid payment method and accepted the paid subscription terms.

4.4 Upgrades may take effect immediately or at the beginning of the next billing cycle as specified by UPStandards. If an upgrade takes effect mid-term, UPStandards may charge a prorated fee for the remainder of the then-current term. Downgrades generally take effect at the next renewal unless UPStandards expressly agrees otherwise. Downgrades may reduce features, capacity, storage, reporting, or support levels.

4.5 Customer shall pay all fees when due. Fees are non-refundable except as expressly stated in an Order Form or required by law. Customer is responsible for taxes other than taxes based on UPStandards' net income. If payment is overdue, UPStandards may suspend access after reasonable notice unless the overdue amount is disputed in good faith.

5. Customer Responsibilities

Customer is responsible for:

determining whether and how the Services are appropriate for Customer operations, accreditation workflows, and internal compliance programs;

ensuring that Customer Data is accurate, lawful, appropriately limited, and authorized for submission to the Services;

maintaining the underlying EHR and clinical record as the official source of clinical documentation;

configuring user roles, access controls, permissions, and site structure in a manner consistent with Customer policies and legal obligations;

obtaining and maintaining all patient consents, authorizations, notices, or internal approvals required for Customer use of the Services;

identifying any Part 2 Records or other specially protected data submitted to the Services and applying appropriate internal restrictions;

reviewing all reports, AI-assisted drafts, audit findings, risk scores, and other outputs before relying on them;

not using the Services to make emergency, diagnostic, treatment, or patient-care decisions.

6. Prohibited Uses

Customer shall not and shall not permit any Authorized User or third party to: reverse engineer, decompile, scrape, copy, resell, sublicense, or create competing services from the Services; interfere with security or availability; introduce malware; bypass usage limits; use the Services to violate law or patient confidentiality obligations; upload data not reasonably necessary for the intended workflow; use the Services for consumer-facing medical advice; or transmit PHI to external AI providers through fields, integrations, or workflows not approved by UPStandards for PHI.

7. HIPAA; Business Associate Agreement

7.1 Customer represents that it is a covered entity or otherwise legally authorized healthcare organization and that UPStandards acts as a business associate only to the extent UPStandards creates, receives, maintains, or transmits PHI on behalf of Customer through the Services.

7.2 The BAA governs all PHI processed by UPStandards as business associate. If there is a conflict between this Agreement and the BAA regarding PHI, HIPAA, breach notification, or business associate obligations, the BAA controls solely for that subject matter.

7.3 Customer shall not request or require UPStandards to use or disclose PHI in a manner that would not be permitted if done by Customer, unless expressly permitted by the BAA and applicable law.

8. 42 CFR Part 2; Substance Use Disorder Program Customers

8.1 Customer acknowledges that if Customer is a Part 2 program or if Customer submits patient identifying information from a substance use disorder treatment program, some Customer Data may be Part 2 Records. Customer is responsible for determining whether its data is subject to 42 CFR Part 2 and for obtaining, documenting, and managing patient consents or other legal permissions required for use and disclosure of Part 2 Records.

8.2 UPStandards will process Part 2 Records only to provide the Services, as permitted by the BAA, the Part 2 Addendum if applicable, Customer instructions, and applicable law. UPStandards is not Customer's Part 2 consent-management system and does not verify whether Customer has obtained legally sufficient patient consent.

8.3 Customer shall not use the Services to store SUD counseling notes unless an Order Form or written addendum expressly authorizes that use case. Customer shall identify any heightened restrictions that materially affect UPStandards' processing of Customer Data.

9. California CMIA and Other State Medical Privacy Laws

For California customers and California medical information, the Parties intend the Services to operate consistently with HIPAA and the California Confidentiality of Medical Information Act, to the extent applicable. Customer is responsible for its own provider, clinic, facility, professional licensing, and patient-notice obligations. UPStandards will not sell, intentionally share for marketing, or use medical information for purposes unrelated to providing and improving the Services except as permitted by applicable law and this Agreement.

10. Artificial Intelligence Features

10.1 The Services may include AI-assisted features for policy drafting, report refinement, summarization, template generation, and similar compliance-administration use cases. UPStandards' current design is that PHI is not transmitted to Anthropic or any other external AI provider; only aggregate, de-identified, or non-PHI inputs should be sent to AI services unless UPStandards expressly changes the product architecture and provides appropriate contractual terms.

10.2 Customer is responsible for reviewing AI-assisted outputs. AI outputs may be incomplete, inaccurate, outdated, or unsuitable for a particular accreditation body, facility, patient population, legal requirement, or operational context. AI outputs are not legal advice, medical advice, clinical judgment, accreditation guarantees, or final policies unless reviewed and adopted by Customer.

10.3 Customer shall not intentionally enter PHI into any field designated as non-PHI, AI prompt, free-text drafting field, or other workflow not approved by UPStandards for PHI processing.

11. Integrations and Third-Party Services

11.1 The Services may interoperate in the future with EHR vendors, accreditation body APIs, identity providers, analytics tools, communications providers, or other third-party systems. Unless an Order Form or SOW expressly provides otherwise, UPStandards is not responsible for third-party systems, changes to third-party APIs, third-party outages, or data errors originating outside the Services.

11.2 If an integration requires access to PHI, UPStandards may require additional configuration terms, security review, customer authorization, or a vendor/subcontractor BAA before enabling the integration. Customer authorizes UPStandards to engage subprocessors and subcontractors listed in UPStandards documentation or applicable schedules, provided they are bound by appropriate confidentiality, security, and data-protection obligations.

12. Security; Availability; Support

12.1 UPStandards will maintain administrative, technical, and physical safeguards designed to protect Customer Data against unauthorized access, use, disclosure, alteration, and destruction. Safeguards may include access controls, encryption in transit, encryption at rest where supported, logging, role-based access, backups, workforce confidentiality, vendor review, and incident-response procedures.

12.2 Unless a separate SLA is included in an Order Form, the Services are provided without a formal uptime service credit. UPStandards will use commercially reasonable efforts to maintain availability, but Customer acknowledges that pre-launch and early-stage services may be subject to maintenance, improvements, vendor outages, emergency fixes, or feature changes.

12.3 Support will be provided through the support channels stated in the Order Form, Documentation, or UPStandards website. UPStandards may prioritize support requests based on severity, customer tier, regulatory urgency, and operational impact.

13. Customer Data; Export; Deletion; Retention

13.1 As between the Parties, Customer owns Customer Data. UPStandards may process Customer Data to provide, secure, maintain, support, improve, and document the Services; comply with law; enforce this Agreement; and exercise rights expressly permitted under the BAA or applicable data protection addendum.

13.2 During the Subscription Term, Customer may export available Customer Data through standard platform features. After termination, UPStandards will use commercially reasonable efforts to make exportable Customer Data available for 30 days for standard self-serve accounts unless the account is terminated for serious security abuse, unlawful activity, nonpayment after notice, or legal restriction. An executed enterprise Order Form may extend the export window to 60-90 days where appropriate for longer accreditation cycles or survey-transition needs. After that period, UPStandards may delete or de-identify Customer Data according to its retention practices, subject to the BAA and legal retention requirements.

13.3 UPStandards may create and use aggregated, statistical, or de-identified information derived from use of the Services to operate, analyze, improve, benchmark, and market the Services, provided such information does not identify Customer, Authorized Users, patients, or individuals and is not PHI unless de-identified in accordance with HIPAA.

14. Confidentiality

Each Party may receive non-public business, technical, financial, operational, security, or other confidential information of the other Party. The receiving Party shall use reasonable care to protect confidential information, use it only for purposes of this Agreement, and disclose it only to personnel, advisors, contractors, and representatives with a need to know and confidentiality obligations. These obligations do not apply to information that is public without breach, already known without restriction, independently developed without use of the disclosing Party's confidential information, or lawfully received from a third party without restriction.

15. Intellectual Property

UPStandards and its licensors own the Services, Documentation, software, workflows, templates, platform architecture, user interface, know-how, improvements, analytics, and related intellectual property. Customer receives only the limited access rights expressly granted in this Agreement. Customer owns Customer Data and Customer-specific policy content submitted by Customer. Customer grants UPStandards a limited right to use Customer Data to provide and support the Services, subject to this Agreement and the BAA.

Customer may provide suggestions, ideas, requests, or feedback. UPStandards may use feedback without restriction or compensation, provided UPStandards does not disclose Customer confidential information or PHI in doing so.

UPStandards provides tools that support Customer compliance operations. UPStandards does not guarantee accreditation, survey results, acceptance by TJC, CARF, regulators, payers, auditors, or accreditation bodies, absence of deficiencies, clinical quality, legal compliance, or any particular operational outcome. Customer is responsible for final decisions, documentation, policy adoption, staff training, implementation, patient care, regulatory submissions, and accreditation interactions.

17. Warranties and Disclaimers

Each Party represents that it has authority to enter into this Agreement. UPStandards warrants that it will provide the Services in a professional and workmanlike manner consistent with commercially reasonable SaaS practices. Except as expressly stated, the Services are provided "as is" and "as available." UPStandards disclaims all implied warranties, including merchantability, fitness for a particular purpose, non-infringement, uninterrupted operation, error-free operation, and results.

18. Indemnification

18.1 UPStandards will defend Customer against third-party claims alleging that the Services, as provided by UPStandards and used according to this Agreement, infringe a U.S. patent, copyright, or trademark, and will pay damages finally awarded or amounts paid in settlement approved by UPStandards. UPStandards has no obligation for claims arising from Customer Data, Customer modifications, third-party systems, unauthorized use, or combination with items not provided by UPStandards.

18.2 Customer will defend UPStandards against third-party claims arising from Customer Data, Customer clinical operations, Customer accreditation activities, Customer misuse of the Services, Customer violation of law, Customer failure to obtain required consents or authorizations, or Customer submission of Part 2 Records or other restricted data in violation of this Agreement, and will pay damages finally awarded or amounts paid in settlement approved by Customer.

18.3 The indemnified Party must promptly notify the indemnifying Party, provide reasonable cooperation, and allow the indemnifying Party to control the defense and settlement, provided any settlement requiring admission of fault, non-monetary obligations, or payment by the indemnified Party requires prior written consent.

19. Limitation of Liability

19.1 Except for Excluded Claims, each Party's total aggregate liability arising out of or relating to this Agreement will not exceed the fees paid or payable by Customer to UPStandards under the applicable Order Form during the 12 months before the event giving rise to liability.

19.2 Neither Party will be liable for indirect, incidental, special, consequential, exemplary, punitive, or enhanced damages, or for lost profits, lost revenue, lost goodwill, business interruption, loss of data, substitute services, or loss of accreditation opportunity, even if advised of the possibility.

19.3 "Excluded Claims" means payment obligations, confidentiality obligations, Customer misuse of the Services, Customer Data claims, Customer regulatory or patient-care obligations, willful misconduct, fraud, and liabilities that cannot be limited by law. For clarity, PHI-related liability allocation should be read together with the BAA. If Customer requires higher caps, cyber insurance thresholds, SLA credits, or enterprise-risk allocation, those terms should be stated in an Order Form or enterprise addendum.

20. Term; Suspension; Termination

20.1 This Agreement begins on the Effective Date and continues until all Order Forms expire or are terminated. Unless otherwise stated in an Order Form, subscriptions renew for successive periods equal to the initial term unless either Party gives non-renewal notice at least 30 days before the renewal date.

20.1A If Customer signs up through an online subscription, free-trial, automatic-renewal, or continuous-service flow, UPStandards should configure the checkout and renewal process to provide required automatic-renewal disclosures, obtain affirmative consent to renewal terms, send renewal/trial reminders where legally required, and provide a reasonably accessible cancellation mechanism. The Agreement is drafted to support auto-renewal, but the enforceability of renewal terms also depends on the signup-flow disclosures and records of consent.

20.2 Either Party may terminate this Agreement or an affected Order Form for material breach if the breach is not cured within 30 days after written notice. UPStandards may suspend access immediately if necessary to prevent security risk, unlawful activity, harm to the Services, violation of patient confidentiality obligations, or continued nonpayment after notice.

20.3 Upon termination, Customer shall stop using the Services and pay all fees accrued through the effective termination date. Sections that by their nature should survive will survive, including confidentiality, IP, payment, disclaimers, limitations, indemnities, data export/deletion provisions, and the BAA survival provisions.

21. Governing Law; Dispute Resolution

This Agreement is governed by the laws of the State of California, without regard to conflict-of-law rules. The Parties consent to exclusive jurisdiction and venue in the state and federal courts serving Lake County, California, except that either Party may seek injunctive relief in any court of competent jurisdiction for misuse of confidential information, IP infringement, data-security threats, or unauthorized access.

22. Order of Precedence

If documents conflict, the following order controls: (1) BAA for PHI, HIPAA, Part 2, and business associate obligations; (2) any signed enterprise addendum or Part 2 Addendum; (3) applicable DPA for non-PHI personal data subject to the DPA; (4) Order Form for commercial terms; (5) this Agreement; (6) Documentation and online terms. A later-signed document controls over an earlier-signed document only if it expressly states that it modifies the earlier document.

23. General Terms

Neither Party may assign this Agreement without the other Party's prior written consent, except to an Affiliate or in connection with a merger, reorganization, sale of substantially all assets, or change of control, provided the assignee assumes the obligations. Notices must be sent to the addresses in the Order Form or this Agreement. This Agreement may be executed electronically and in counterparts. No waiver is effective unless in writing. If any provision is unenforceable, the remainder remains effective. This Agreement, together with incorporated documents, is the entire agreement regarding the Services.

Execution

UPSTANDARDS LLC CUSTOMER
By: ______________________________ By: ______________________________
Name: ____________________________ Name: ____________________________
Title: _____________________________ Title: _____________________________
Date: _____________________________ Date: _____________________________

Schedule 1 - Template Order Form

Field | Commercial Term
Customer legal name | [Customer Legal Name]
Customer address | [Customer Address]
Customer contact | [Customer Contact Name / Email]
Subscription tier | [Tier Name]
Sites licensed | [Number and name of sites]
Billing cycle | [Monthly / Annual]
Fees | [$___ per Site per month / year]
Free trial | 30 days unless otherwise stated
Subscription term | [Initial Term]
Auto-renewal | [Yes / No; renewal period]
Payment method | Stripe or other method accepted by UPStandards
Support channel | support@upstandards.net
BAA required | Yes, if Customer is a covered entity or otherwise submits PHI
Part 2 Addendum required | Yes, if Customer is a Part 2 program or submits Part 2 Records
Special terms | [Insert any negotiated deviations]

Order Form Acceptance

UPSTANDARDS LLC CUSTOMER
By: ______________________________ By: ______________________________
Name: ____________________________ Name: ____________________________
Title: _____________________________ Title: _____________________________
Date: _____________________________ Date: _____________________________

Schedule 2 - Optional Service Level Addendum

This schedule is optional and should be included only for enterprise customers who require formal uptime and support commitments. If not included in an executed Order Form, no service credit or uptime commitment applies beyond the commercially reasonable support obligations in the Agreement.

Target availability: [99.5% / 99.9%] monthly uptime, excluding scheduled maintenance, emergency maintenance, third-party outages, customer-caused issues, force majeure, beta features, and non-production environments.

Scheduled maintenance: UPStandards will use commercially reasonable efforts to provide advance notice for planned maintenance likely to materially affect availability.

Support response targets: Severity 1 - [4 business hours]; Severity 2 - [1 business day]; Severity 3 - [2 business days]. Response targets are not resolution guarantees.

Service credits: If included, Customer's sole remedy for a verified failure to meet the uptime target is [credit formula], capped at [percentage] of monthly fees for the affected Site.

No accreditation remedy: downtime credits do not create reimbursement for lost accreditation, regulatory, patient-care, revenue, or consequential damages.