Last Updated: January 15, 2026

BUTTERFLY MASTER TERMS AND CONDITIONS

PLEASE READ THIS CAREFULLY. THIS MASTER TERMS AND CONDITIONS ("AGREEMENT") CONTAINS ALL OF YOUR RIGHTS AND OBLIGATIONS AS A PURCHASER OF THE SUBSCRIPTION SERVICES AND DEVICES AS DESCRIBED HEREIN. BY CLICKING "ACCEPT," YOU ARE AGREEING TO BE LEGALLY BOUND AND TO BECOME A PARTY TO THIS AGREEMENT.

These Master Terms and Conditions (“Agreement”) are effective as of the date that you click “accept” (the “Effective Date”), by and between BFLY Operations, Inc. (“Butterfly”), having its principal place of business at 1600 District Avenue, Burlington, MA 01803, and you, or the entity on whose behalf you are acting (referred to as “Client”) (each a “Party” and collectively “Parties”).

WHEREAS, Butterfly is a healthcare company that has developed and commercialized (i) its proprietary Ultrasound-on-Chip™ semiconductor technology and related ultrasound software solutions; (ii) artificial intelligence (AI) tools that enhance imaging and diagnostic decision making; (iii) AI-compatible tools in collaboration with strategic partners; and (iv) semiconductor technologies in collaboration with medical and non-medical device sectors; and

WHEREAS, Client is, as applicable, a physician or other licensed health care provider, medical practice, medical school, veterinary professional, licensed veterinary care provider, veterinary practice, veterinary school, global health partner or other authorized user, as may be further set forth on Exhibit E; and

WHEREAS, Butterfly desires to sell ultrasound imaging probes and provide the associated services to Client and Client desires to purchase or lease such ultrasound imaging probes and receive the associated services from Butterfly.

NOW, THEREFORE, in consideration of the mutual promises contained herein, and other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the Parties hereby agree as follows:

This Agreement is comprised of the following, and is entered into by the Parties as of the Effective Date:

Terms and Conditions
Exhibits:

TERMS AND CONDITIONS

1. Definitions

1.1 Affiliates means, in relation to either Party, any entity controlling, controlled by, or under common control with such Party, for only so long as such control exists. For these purposes, “control” shall refer to: (i) the possession, directly or indirectly, of the power to direct the management or policies of the entity, whether through the ownership of voting securities, by contract, or otherwise, or (ii) the ownership of more than fifty percent (50%) of the voting securities or other ownership interest of an entity.

1.2 Client Data means the data, images, imaging studies and content that Client or an End User inputs, transmits, uploads, transfers, submits, discloses or otherwise provides to the Subscription Service; provided, however, that Client Data does not include Usage Data or De-identified Data / Anonymized Data, as applicable.

1.3 De-identified or Anonymized Data means the images, imaging studies and content that have been de-identified or anonymized in accordance with 45 CFR 164.514.

1.4 Device means the portable ultrasound imaging probes, which are used by Client and End Users to conduct ultrasound imaging, and which are connected to Client’s or an End User’s compatible mobile device in order to enable the use of the Subscription Service in accordance with the Documentation. Only Client and its End Users may access and use the Devices, as set forth in this Agreement.

1.5 Documentation means Butterfly’s user manual and indications for use, as set forth on Butterfly’s website, describing the design, features, use of and functionality of the Subscription Service and Devices, and which Butterfly may update from time to time in its own discretion.

1.6 End User means Client’s designated employees and agents authorized to use Client’s login credentials to access the Subscription Services. Client may also be an End User.

1.7 Intellectual Property Rights means patents, inventions, utility models, trademarks, service marks, trade and service names, copyrights, database rights and design rights (whether or not any of them are registered, and including applications for registration of any of them), rights in know-how, moral rights, trade secrets and rights of confidence and all rights or forms of protection of a similar nature or having similar or equivalent effect to any of them which may exist anywhere in the world.

1.9 Law means: (a) any federal, national, state, local or other law or statute in any applicable jurisdiction; (b) any rule or regulation issued by a relevant regulatory agency; and (c) any written or authoritative interpretation by such relevant regulatory agency of any such law, statute, rule or regulation.

1.9 Products shall collectively mean the Device, Subscription Services, Professional Services and any applicable Product terms set forth on Butterfly’s website. Butterfly may amend such product terms in its own discretion and without notice.

1.10 Professional Services means training and implementation of the Subscription Services.

1.11 Services means the applicable Subscription Services and/or Professional Services ordered by Client.

1.12 Subscription Service means the hosted, on demand web-based provision of applications, application programming interfaces, and platform services provided by Butterfly, which is accessed from Client owned and/or controlled computer systems via the internet, (“Butterfly Cloud”) and the associated mobile application, which is installed on Client or End User owned and/or controlled mobile devices (“Butterfly iQ App”).

1.13 Usage Data means any data and content generated through Client or End User’s use or execution of the Subscription Service, to the extent such data or content does not include Protected Health Information (“PHI”), as that term is defined in HIPAA.

2. Fees, Payment and Shipping Terms

2.1 Fees. Client shall pay the amounts set forth in the Confidential Quotation or purchase order for the Devices and Subscription Service. Client is solely responsible for payment of any such fees and costs. In the event of a conflict between the Confidential Quotation and the terms of this Agreement, the Confidential Quotation shall govern. For purposes of this Agreement, Confidential Quotation means the order form or quotation provided by Butterfly and accepted by Client, outlining the Devices and Services being purchased or leased by Client. The Confidential Quotation is incorporated herein by reference.

2.2 Invoices and Payment. All invoices will be issued with the frequency and terms as specified in the Confidential Quotation. All payments shall be made in U.S. Dollars by bank wire or other form of transfer. Overdue amounts will be subject to a late payment charge at the lesser of one and one half percent (1.5%) per month or the highest rate permissible under applicable Law for the actual number of days elapsed from the date due. Any payment not received from Client by the due date may result in suspension of Client’s ability to access the Services until payment is made. Client shall pay any applicable state, federal, or other sales and use taxes that may be associated with the purchase of the Devices and Services under this Agreement, and Butterfly may collect all applicable sales taxes. If Client claims tax-exempt status, Client will provide Butterfly with documentation of such status. Client shall be invoiced for the Subscription Services once the cloud domain has been created and Client has access to such cloud domain. If applicable, all reasonable and customary travel related expenses, such as airfare, hotel, transportation, and meals will be billed to Client for any on-site work performed under this Agreement. If travel expenses are incurred, Butterfly will make reasonable efforts to keep travel costs to a minimum.

2.3 Shipping Terms. Butterfly shall prepay and bill to Client all freight charges associated with all deliveries. Delivery dates are approximate. Client shall observe and abide by Butterfly’s then current return policy, posted on Butterfly’s website.

2.4 Disputes. If Client has a good faith dispute regarding payment for a particular Device or Subscription Service, such dispute shall not entitle Client to withhold payment for any other purchase of Devices or portion of the Subscription Service.

2.5 Discount Disclosure. The dollar value of the discounts or other reductions in price pursuant to this Agreement, if any, and any other items and services not paid for by Client and received by Client under this Agreement are “discounts and other reductions in price” under Section 1128B(b)(3)(A) of the Social Security Act (42 U.S.C.§ 1320-a-7b(b)(3)(A)), as amended. It is the intent of the parties to comply with the Anti-kickback Law Discount Safe Harbor (42 C.F.R.§ 1001.952(h) as amended). The Discount Safe Harbor requires that certain discounts be reported and or passed on to Federal and State health care programs, such as Medicare and Medicaid. Client understands and agrees it must properly disclose the discounts or reductions in price, and reflect such discounts or reductions in price in the costs claimed or charges made, under any Federal or State health care program which provides cost or charge- based reimbursement to Client for the items and services covered by this Agreement. Client shall be solely responsible for determining whether the savings or discounts it receives must be reported or passed on to payors.

3. Ownership

3.1 Butterfly Property. Butterfly owns all right, title and interest in and to: (a) the Subscription Service and the technology, software, hardware, products, processes, algorithms, user interfaces, Documentation and know-how related to the Subscription Service; (b) any Usage Data; (c) any and all Butterfly Confidential Information (see Section 7); (d) De-identified or Anonymized Data, as applicable; (e) the Devices, subject to Section 3.2 (Client Property), and the technology, software, hardware, products, processes, algorithms, user interfaces, documentation, user manuals and know-how related to the Devices; and (f) and any and all Intellectual Property Rights embodied in (a)-(e) (collectively the “Butterfly Property”). Butterfly shall own any and all developments, inventions and work product created under any Professional Services, including but not limited to training materials, implementation guides and customizations of the Subscription Service. Butterfly shall have a royalty-free, worldwide, transferable, sublicenseable, irrevocable, perpetual license to use or incorporate into the Subscription Services and Devices any suggestions, enhancement requests, recommendations or other feedback provided by Client and End Users relating to the Subscription Services and Devices. All rights not expressly granted to Client herein are expressly reserved by Butterfly. Butterfly hereby grants to Client a non-exclusive, non-sublicensable, non-transferable license to use the Documentation during the term of this Agreement solely for Client's internal business purposes in connection with its use of the Services.

3.2 Client Property. Following receipt of the Devices and payment of the applicable fees set forth in the Confidential Quotation, Client owns all right, title and interest in and to the Devices. Subject to the aforementioned sentence, Client Data and Devices are, collectively, “Client Property.”

4. Data Privacy, Security & System Monitoring

4.1 Obligations. Client acknowledges and agrees that Butterfly does not require any specific data from Client or End User, that Client and End User controls the content of any Client Data that is inputted, transmitted, uploaded, transferred, submitted, disclosed, processed, collected, stored, replicated or in any other way accessed or used through the use of the Subscription Service, and that Butterfly has no obligation to monitor the content of any Client Data. Client shall be responsible for procuring any necessary consents and making any notifications under applicable Law with respect to the provision of the Client Data to Butterfly through the Subscription Service and the processing of such Client Data by Butterfly through the Subscription Services. Upon request of Butterfly, Client will provide Butterfly with documentation to support such consent.

4.2 Security Requirements. Client agrees and acknowledges that it will: (a) establish and maintain industry standard information, physical and administrative security protocols, including virus protection, for all Client Equipment; (b) establish and maintain backup and disaster recovery plans for any Client Data not uploaded to the Subscription Service; and (c) prevent unauthorized access to the Subscription Service and Devices and interception of transmission of Client Data from the Device to the compatible smart device.

5. Representations and Warranties; Disclaimer of Warranties

5.1 Mutual Representations and Warranties. Each Party represents and warrants to the other Party as of the Effective Date that: (a) it has the full right, power and authority to enter into this Agreement, to perform its obligations hereunder and (b) this Agreement has been duly executed by it and is legally binding upon it, enforceable in accordance with its terms, and does not conflict with any agreement, instrument or understanding, oral or written, to which it is a Party or by which it may be bound, nor violate any material Law having jurisdiction over it.

5.2 Butterfly Representations and Warranties.

(a) Subscription Service Warranty. Butterfly warrants that the Subscription Service, when properly used for the purpose and in the manner specifically authorized by this Agreement and in accordance with the Documentation, will perform materially in accordance with the Documentation. The foregoing warranty shall be effective for so long as Client is a subscriber in good standing to the Subscription Service. The warranty in this Section 5.2(a) shall not apply to the Subscription Service to the extent that the Subscription Service has been modified by any party, other than Butterfly. Butterfly shall have no obligation to Client under the warranty, or otherwise, if the failure of the Subscription Service to meet the warranty or conform materially to the Documentation can be attributable to Client Equipment, third party software or hardware, Client Data or to causes that are not the responsibility of Butterfly.

(b) Device Warranty. Unless otherwise specified in the Confidential Quotation, Butterfly warrants that for twelve (12) months from receipt of the Device that: (i) the Device will be free from defects in title, material and workmanship under normal use and service and (ii) the Device will perform substantially in accordance with the Documentation. Butterfly shall not have any obligation to Client hereunder if the warranty claim results from or arises out of: (1) the use of the Device in combination with any software, tools, hardware, equipment, supplies, accessories or any other materials or services not furnished by Butterfly or recommended in writing by Butterfly or using or combining the Device with any item or data that does not properly and unambiguously exchange data with the Device in accordance with the Documentation; (2) the use of the Device in a manner or environment, or for any purpose, for which Butterfly did not design or license it, or in violation of Butterfly’s recommendations or instructions on use; (iii) any alteration, modification or enhancement of the Device by Client or any third party not authorized or approved in writing by Butterfly; (iv) any defect or deficiency (including failure to conform to Documentation) that results, in whole or in part, from any improper storage or handling, failure to maintain the Device in the manner described in the Documentation, inadequate back-up or virus protection or any cause external to the Device or beyond Butterfly’s reasonable control, including, but not limited to, power failure and failure to keep the Device clean and free of dust, sand and other particles or debris; or (v) any use or maintenance, or any extraordinary use, repair or service of the Device, by anyone other than Butterfly or its authorized representatives. In addition, this warranty does not cover the Device to the extent it is used in any country other than the country to which Butterfly ships the Device.

(c) Warranty Claims. Client will promptly notify Butterfly of any Device defect subject to the warranty in (b) above and return the Device as set forth herein at Butterfly’s expense. Client will follow the cleaning and disinfection procedures set forth in the Documentation and any other instructions from Butterfly regarding Device return, and will package the Device in order to protect it from damage during return shipping. Butterfly shall promptly ship a replacement Device within forty-eight (48) hours of a Device warranty claim. Upon receipt, Butterfly shall have the right to promptly evaluate the Device to confirm that the Device is defective and subject the warranty in (b). If Butterfly determines that the damage resulted from any of the causes set forth in 7.2(b)(i)-(v), Butterfly will so notify Client and Client will be responsible for purchasing the replacement Device.

5.3 Exclusive Remedy. Butterfly’s sole obligation and Client’s sole remedy for breaches of the warranty in Section 5.2(a) and 5.2(b) is for Butterfly to use commercially reasonable efforts to provide services to correct the failure of the Subscription Service or Devices to operate in accordance with the Documentation. THE FOREGOING REMEDY IS EXCLUSIVE, IS SUBJECT TO THE LIMITATIONS SET FORTH HEREIN AND SHALL BE CLIENT’S SOLE REMEDY WITH RESPECT TO ANY CLAIM OF BREACH OF WARRANTY ARISING OUT OF OR RELATING TO THIS AGREEMENT.

5.4 Client Representations and Warranties. Client represents and warrants that it will, and will ensure that its End Users, use the Subscription Services and Devices only in accordance with all applicable Laws (including but not limited to HIPAA).

5.5 Disclaimer of Warranties. EXCEPT AS EXPRESSLY SET FORTH IN THIS SECTION 5, BUTTERFLY MAKES NO REPRESENTATIONS OR WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, INCLUDING WITHOUT LIMITATION, ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, ACCURACY OR COMPLETENESS, OR NON-INFRINGEMENT. BUTTERFLY DOES NOT WARRANT, REPRESENT, OR GUARANTEE THAT THE SUBSCRIPTION SERVICES SHALL BE UNINTERRUPTED, ERROR-FREE, OR THAT THE SUBSCRIPTION SERVICES OR DEVICES WILL PROVIDE ANY SPECIFIC RESULTS FOR CLIENT, OR PROVIDE ANY RESULTS AT ALL. FURTHER, CLIENT ACKNOWLEDGES AND UNDERSTANDS THAT THE SUBSCRIPTION SERVICES MAY BE CONTINGENT ON THIRD PARTY PERFORMANCE AND BUTTERFLY CANNOT GUARANTEE AND IS NOT LIABLE FOR THE SAME. THE SUBSCRIPTION SERVICES AND DEVICES, AND DELIVERABLES, IF APPLICABLE, PROVIDED HEREUNDER ARE NOT INTENDED TO SUBSTITUTE FOR, OR TO REPLACE THE SKILL, KNOWLEDGE, AND EXPERIENCE OF CLIENT, END USER OR OTHER LICENSED PHYSICIANS OR OTHER CARE PROVIDERS. BUTTERFLY ASSUMES NO RESPONSIBILITY FOR PATIENT CARE AND IS NOT PROVIDING THE DEVICES OR ANY SERVICE HEREUNDER TO THE CLIENT AS A SUBSTITUTE OR REPLACEMENT FOR THE MEDICAL JUDGMENT OF THE CLIENT’S PHYSICIANS, END USERS OR OTHER CARE PROVIDERS. BUTTERFLY HAS NO, AND DISCLAIMS ANY RESPONSIBILITY WHATSOEVER FOR, AND CLIENT RELEASES BUTTERFLY FROM, ANY CLAIMS ARISING FROM OR RELATED TO THE CONDUCT OF THE CLIENT’S BUSINESS OR FOR ACTS OR OMISSIONS OF CLIENT AND END USERS IN THE PROVISION OF PATIENT CARE, AND THAT ANY RELIANCE UPON THE BUTTERFLY PROPERTY OR SERVICES HEREUNDER SHALL NOT DIMINISH THE CLIENT’S RESPONSIBILITY FOR PATIENT CARE.

Further, Butterfly does not and cannot control the performance of Internet or cellular services provided or controlled by third parties. At times, actions or inactions of such third parties can impair or disrupt Client’s connections to the Internet or cellular service (or portions thereof). Although Butterfly will use commercially reasonable efforts to take all actions it deems appropriate to remedy and avoid such events, Butterfly cannot guarantee that such events will not occur. BUTTERFLY DISCLAIMS ANY AND ALL LIABILITY RESULTING FROM OR RELATED TO THE PERFORMANCE OR NON- PERFORMANCE OF INTERNET SERVICES PROVIDED OR CONTROLLED BY THIRD PARTIES WHICH ARE NOT BUTTERFLY’S SUBCONTRACTORS.

5.6 Warranties to Client Only. The warranties stated in this Section are made only to Client and Butterfly shall have no liability to any third party, including any End User, with respect to the Subscription Services or Devices as a result of the warranties contained herein.

6. Indemnification and Limitation of Liability

6.1 Butterfly’s Indemnification Obligations.

(a) Butterfly shall defend, indemnify, and hold harmless Client and its Affiliates, and their respective directors, officers, and employees against any and all actions, claims or assertions brought against them by a third party (“Claims”), that the Subscription Service or Devices, when used within the scope of and in accordance with this Agreement and the Documentation, infringes a United States patent or copyright and will pay resulting costs, damages, and attorney fees finally awarded.

(b) In the event that the Subscription Service and/or Device in the opinion of Butterfly, is likely to or does become the subject of a claim of infringement, Butterfly shall have the right at its sole option and expense to: (a) modify the Subscription Service and/or Device to be non-infringing provided that such modification does not fundamentally change the functionality of the Subscription Service and/or Device; (b) obtain for Client a license to continue using the Subscription Service and/or Device at no additional charge to Client; or (c) if neither (a) nor (b) are reasonably practicable, terminate the Agreement and refund to Client the pro rata portion of fees paid to Butterfly for such portion of the Subscription Service and/or Device thereof that cannot be utilized due to such infringement.

(c) Butterfly shall have no liability under this Section 6 for any such claim based upon: (a) any component of software provided by Client or any third party; (b) any modification by a party other than Butterfly, unless such modification was at the direction of Butterfly; (c) the combination, operation or use of the Subscription Service and/or Device with a software program(s) or data not part of Subscription Service and/or Device if the claim would have been avoided had such combination, operation or use not occurred; (d) the Subscription Service and/or Device being used in a manner not authorized by this Agreement; and (e) continued use of the Subscription Service and/or Device from the date of written notice wherein Butterfly informs Client that such continued use may lead to a claim. This Section 6.1 sets forth Butterfly’s sole and exclusive obligation and liability, and Client’s sole and exclusive remedy, for any infringement or misappropriation of intellectual property rights of any kind.

6.2 Client’s Indemnification Obligations. Client shall indemnify and defend Butterfly and its Affiliates, licensors, and suppliers, and their respective directors, officers, shareholders, employees, contractors and agents from and against any and all Claims and all liabilities, awards, damages, settlements, fees, penalties, costs and expenses (including reasonable attorney’s fees) owing to third parties (including for avoidance of doubt, government and regulatory agencies) in connection therewith (collectively, “Losses”), arising from: (a) any gross negligence or willful misconduct by Client; (b) any failure by Client to procure appropriate consents or authorizations, including from patients; (c) any failure to comply with the End User License Agreement attached hereto; (d) Client’s and its End Users’ use or misuse of the Subscription Services and/or Devices; (e) Client Data (whether properly or improperly obtained and/or transmitted); (f) Client Equipment, including, without limitation, any failure or malfunction caused by the compatible smart device connected to the Device; (g) Client’s and/or its End Users’ failure to comply with any applicable Law to which it may be subject in the use of the Subscription Services; (h) the consequences of Client’s or End Users’ utilization of the Subscription Services and/or Devices in respect of any third party; and (i) any allegation that the Client Property infringes the Intellectual Property Rights of a third party.

6.3 Indemnification Procedure. The Party having the benefit of the indemnification obligation under this Section 8 (the “Indemnitee”) shall: (a) give the Party having the indemnification obligation (the “Indemnitor”) prompt notice of any claim; (b) allow the Indemnitor to have sole control over the defense and settlement of the claim, provided, however, that the Indemnitee shall have the option, at its sole discretion, to participate in the defense of any such claim using attorneys selected by it, the costs and expenses of which shall be the responsibility of Indemnitee; and (c) provide all assistance reasonably requested by Indemnitor, at Indemnitor’s expense, in the defense and settlement of the claim. The Indemnitor will not consent to the entry of any judgment or enter into any settlement with respect to a Claim without the Indemnitee’s prior written consent (not to be unreasonably withheld or delayed) unless: (i) the judgment or proposed settlement involves only the payment of monetary damages by the Indemnitor, and does not impose injunctive or other equitable relief upon or otherwise adversely affect the Indemnitee; (ii) there are no additional Claims pending against the Indemnitee, and no adverse impact on existing Claims, as a result of the judgment or proposed settlement; and (iii) the Indemnitee will have no liability with respect to such judgment or proposed settlement and will not otherwise be materially and adversely affected by the terms of such settlement.

6.4 Limitation on Damages. IN NO EVENT SHALL EITHER PARTY OR BUTTERFLY’S THIRD PARTY SUPPLIERS HAVE LIABILITY ARISING OUT OF OR PERTAINING TO THIS AGREEMENT TO THE OTHER PARTY OR ANY OTHER THIRD PARTY FOR ANY SPECIAL, INCIDENTAL, EXEMPLARY, CONSEQUENTIAL, PUNITIVE, OR INDIRECT DAMAGES OF ANY KIND BASED ON ANY CLAIM OR LEGAL THEORY, INCLUDING BUT NOT LIMITED TO, DAMAGES FOR LOSS OF DATA, LOST OPPORTUNITY, LOST SAVINGS, LOST PROFITS, LOSS OF USE, BUSINESS INTERRUPTION OR COST OF SUBSTITUTE SERVICES OR TECHNOLOGY, EVEN IF INFORMED OF THE POSSIBILITY OF ANY SUCH DAMAGES IN ADVANCE. ADDITIONALLY, EXCEPT FOR CLAIMS ARISING FROM GROSS NEGLIGENCE OR WILLFUL MISCONDUCT, OR EITHER PARTY’S INDEMNIFICATION OBLIGATIONS AS SET FORTH IN SECTION 6.1 AND 6.2, NEITHER PARTY’S NOR BUTTERFLY’S SUPPLIERS’ OR LICENSORS’ AGGREGATE LIABILITY TO THE OTHER PARTY AND ANY AFFILIATES AND THEIR RESPECTIVE OFFICERS, DIRECTORS, EMPLOYEES, AND END USERS FOR ANY CLAIMS ARISING UNDER THIS AGREEMENT OR OTHERWISE ARISING FROM THE TRANSACTIONS CONTEMPLATED HEREIN AND THEREIN REGARDLESS OF THE FORM OF ACTION (INCLUDING, BUT NOT LIMITED TO, ACTIONS FOR BREACH OF CONTRACT, NEGLIGENCE, STRICT LIABILITY, RESCISSION AND BREACH OF WARRANTY) SHALL EXCEED THE FEES CLIENT PAID IN THE TWELVE (12) MONTHS PRECEDING THE EVENT GIVING RISE TO THE CLAIM. CLIENT HEREBY RELEASES BUTTERFLY FROM ALL OBLIGATIONS, LIABILITY, CLAIMS OR DEMANDS IN EXCESS OF THIS LIMITATION. THIS LIMITATION OF LIABILITY SHALL APPLY TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAWS AND NOTWITHSTANDING THE FAILURE OF ANY LIMITED REMEDY.

7. Confidentiality

“Confidential Information” means any confidential and proprietary information related to a Party’s business belonging to one Party (“Discloser”), and disclosed to the other Party (“Recipient”), whether orally or in writing, that is designated as confidential or that reasonably should be understood to be confidential given the nature of the information and the circumstances of disclosure, including information concerning research, development, design details and specifications (including beta versions of functionality), financial information, procurement requirements, engineering and manufacturing information, Client lists, business forecasts, sales information and marketing plans, internal business processes, product designs, the terms and conditions of this Agreement (including pricing and other terms reflected in Exhibits hereto or other order forms), and any additional information that any End User or other third party has disclosed to Discloser in confidence and that Discloser is permitted to disclose to Recipient under the terms and conditions of this Agreement. Any information related to the Subscription Services, Devices or other Butterfly Property shall be deemed to be the Confidential Information of Butterfly, and any Client Data shall be deemed to be the Confidential Information of Client. Recipient shall only use Confidential Information of the Discloser for the purposes of this Agreement and shall keep such information in strict confidence. Recipient shall restrict disclosure of Confidential Information solely to its employees, attorneys, accountants, contractors and other representatives with a need to know, not disclose it to any third parties, except End Users as permitted hereunder, and use no less than reasonable care in its obligations. Except as expressly set forth elsewhere in this Agreement, all Confidential Information shall remain the property of the respective Discloser. Information will not be deemed “Confidential Information” if such information: (a) is generally available to the public (other than through breach of this Agreement); (b) is received form a third party lawfully empowered to disclose such information without being subject to an obligation of confidentiality; or (c) was rightfully in the Recipient’s possession free of any obligation of confidence at the time it was communicated to the Recipient. Notwithstanding the above, the Recipient will not be in violation of this Section 7 with regard to a disclosure that was in response to a valid order by a court or other governmental body, provided that the Recipient provides the Discloser with prompt written notice of such disclosure where reasonably possible in order to permit the Discloser to seek confidential treatment of such information.

8. Term and Termination

8.1 Term. The Agreement shall commence on the Effective Date and shall continue in effect for the longer of the term specified in the Confidential Quotation or twelve (12) months (the “Initial Term”). Following the Initial Term, the Agreement will automatically renew for subsequent terms of the same length as the Initial Term, and in any event, at least twelve (12) months, (each, a “Renewal Term”). Either Party may terminate this Agreement by giving written notice of non-renewal within sixty (60) days prior to the end of the Initial Term or Renewal Term as applicable.

8.2 Termination for Breach. This Agreement may be terminated by either Party for material breach if such breach has not been cured by the other Party within thirty (30) days’ receipt of written notice of such breach by such other Party. If the Agreement is terminated by Butterfly as a result of a material breach by Client, Client shall remain liable for the payment for the entire Subscription Service Fee, as applicable, for the then current Term, as the case may be, and any unpaid amounts still due and owing for Devices.

8.3 Suspension. Butterfly may suspend the provision of the Subscription Service to Client under this Agreement effective immediately upon notice if: (a) Client fails to pay any portion of the fees due under the Confidential Quotation within thirty (30) days after receiving written notice from Butterfly that payment is past due; or (b) if Client’s or an End User’s use of the Subscription Service: (i) poses a security risk to the Subscription Services or any other third party or (ii) may adversely impact Butterfly’s systems, networks, any Butterfly Property or the data of any other Butterfly client. During any such suspension, or in the event that the Subscription Service is unavailable for any reason, Client is solely responsible for continuity of patient care, including, identifying alternate means of accessing diagnostic images, imaging studies and Client Data.

8.4 Effects of Termination. All subscriptions are paid in advance and in accordance with the Confidential Quotation and run for a minimum period of one (1) year. Users choosing to discontinue after any subscription year will maintain the ability to scan with the Device and access their existing studies in the Butterfly Cloud but will no longer be able to archive new studies. Upon expiration or termination of this Agreement under this Section 8, Butterfly shall immediately terminate Client and any End Users’ access to all subscription features including the ability to archive new studies. In accordance with the Business Associate Agreement executed between the parties. Client shall immediately pay to Butterfly all amounts due and payable prior to the date of such expiration or termination and, except in the event of termination by Client due to breach by Butterfly, all unpaid Subscription Fees that would become due under the then-current Subscription period if such termination did not occur.

8.5 Survival. Sections 2 (Fees, Payment and Shipping Terms), 3 (Ownership), 4 (Data Privacy, Security & System Monitoring), 5.3 (Exclusive Remedy), 5.5 (Disclaimer of Warranties), 5.6 (Warranties to Client Only), 6 (Indemnification and Limitation of Liability), 7 (Confidentiality), 8 (Term and Termination), 9.1 (Jurisdiction and Compliance with Law), 9.2 (No Class Actions), 9.6 (Entire Agreement and Modification) 9.7 (Notices), 9.10 (Severability), 9.11 (Counterparts), Exhibit A and Exhibit B.

9. General

9.1 Jurisdiction and Compliance with Laws. This Agreement shall be governed by Delaware law. The Parties hereby waive any objections to the exclusive jurisdiction and venue of the state and federal courts of Delaware. Each Party shall comply with all applicable Laws, including by limited to HIPAA, in the performance of each Party’s obligations under this Agreement.

9.2 No Class Actions. Each party may bring Disputes against the other only on its own behalf, and not on behalf of any other person or entity, or any class of people. The parties each agree not to participate in a class action, a class-wide arbitration, Disputes brought in a private attorney general or representative capacity, or consolidated Disputes involving any other person or entity in connection with any Dispute. If there is a final judicial determination that any particular Dispute (or a request for particular relief) cannot be arbitrated in accordance with this provision’s limitations, then only that Dispute (or only that request for relief) may be brought in court. All other Disputes (or requests for relief) remain subject to this provision.

9.3 Independent Contractors. The Parties are independent contractors. Nothing in this Agreement shall be construed to create a joint venture, partnership, franchise, or an agency relationship between the Parties.

9.4 Insurance. The Parties, at their own expense, shall procure and maintain policies of insurance required by Law and at such levels as are appropriate and customary for each industry, and the scope of activities and operations and a Party’s obligations hereunder. Upon reasonable request, each Party shall furnish to the other a Certificate of Insurance evidencing such coverage.

9.5 Assignment. This Agreement may not be assigned without the prior written consent of the other Party, which shall not be unreasonably withheld; provided however, Butterfly may freely assign this Agreement without the consent of the other Party, in whole or in part, in connection with a merger, consolidation, reorganization or transfer of all or substantially all of Butterfly’s assets or stock to a successor. Any attempted assignment in violation of this Section 9.5 shall be void. This Agreement shall bind and inure to the benefit of the Parties, their respective successors and permitted assigns.

9.6 Entire Agreement and Modification. This Agreement, with its Exhibits and any other attachments, constitutes the entire agreement between the Parties with respect to the subject matter hereof and shall supersede, as of the Effective Date, any prior agreement or understanding, written or oral, between the Parties. None of the provisions of this Agreement can be waived or modified except in a writing signed by both Parties; except, however, Butterfly may, at any time and upon written notice to Client, alter or amend the Agreement, including all Exhibits attached hereto, in order to comply with applicable Law, rules and regulations. If any term of this Agreement is held by a court to be unenforceable or inoperative, the other terms not subject to such holding shall remain enforceable.

9.7 Notices. Notices must be in writing; delivered: (a) personally; (b) by certified mail return receipt requested; (c) by facsimile transmission with a confirming copy sent the same day by first class mail; (d) by a nationally recognized overnight courier service; or (e) email; and addressed to the addresses set forth in the Client’s order. Each notice shall be deemed given upon receipt of such notice by the other Party.

9.8 Force Majeure. Neither Party will be in default or otherwise liable for any delay in or failure of its performance under this Agreement if such delay or failure arises by any reason beyond its reasonable control, including any act of God, or any acts of the common enemy, the elements, earthquakes, floods, fires, epidemics, riots, failures or delays in transportation or communications, internet or telecommunications failures, cyberattacks or any act or failure to act by the other Party, its employees, agents or contractors. The Parties will promptly inform and consult with each other as to any of the above causes, which in their judgment may or could be the cause of a substantial delay in the performance of this Agreement.

9.9 Publicity. Butterfly may issue one (1) press release within thirty (30) days of the Effective Date of this Agreement announcing the existence of this Agreement and generally describing the terms hereof or as otherwise mutually agreed by the Parties. During the Term of this Agreement, Butterfly may use Client’s name and logo on the Butterfly web site and in Butterfly’s collateral marketing materials.

9.10 Severability. If one or more provisions of this Agreement are held to be unenforceable under applicable Laws, the Parties agree to renegotiate such provision in good faith, in order to maintain the economic position enjoyed by each Party as closely as possible to that under the provision rendered unenforceable. In the event that the Parties cannot reach a mutually agreeable and enforceable replacement for such provision, then: (a) such provision shall be excluded from this Agreement; (b) the balance of the Agreement shall be interpreted as if such provision were so excluded; and (c) the balance of the Agreement shall be enforceable in accordance with its terms.

9.11 Counterparts. This Agreement may be executed in counterparts. Signatures of the Parties hereto transmitted by facsimile or electronic means shall be deemed to be their original signatures for all purposes.

9.12 Non-Solicitation. During the Term and for one year after, Client shall not, and shall not assist any other person to, directly or indirectly, recruit or solicit for employment or engagement as an independent contractor any person then or within the prior three (3) months employed or engaged by Butterfly and involved in any respect with the Subscription Services. In the event of a violation of this Section, Butterfly will be entitled to liquidated damages equal to the compensation paid by Butterfly to the applicable employee during the prior three (3) months.

EXHIBIT A

Devices

Passage of Title. Title to the Devices shall remain with Butterfly and shall not pass to the Client until Butterfly has received full and final payment of the purchase price for the Devices in cleared funds. Upon receipt of such payment, title to the Devices shall automatically pass to the Client. Until the title passes to Client, Client hereby grants to Butterfly a purchase money security interest (PMSI) in the Devices and any proceeds thereof, to secure payment of the purchase price. Client agrees that Butterfly may file financing statements or take any other actions necessary to perfect and maintain the PMSI under the applicable Uniform Commercial Code or similar laws. Client shall not grant or permit any lien or encumbrance on the Devices prior to full payment. When feasible, Butterfly reserves the right to make delivery in installments. All such installments shall be separately invoiced and paid for when due, without regard to subsequent deliveries.
Client Equipment. Client is responsible for obtaining and properly maintaining any Client Equipment, defined as: (a) Client’s computer hardware, software and network infrastructure used to access the Subscription Service; (b) the compatible smart devices used to connect to the Device; (c) other data storage and viewing platforms and networks including but not limited to Client’s internal systems (e.g., EMR and DICOM) for viewing and accessing ultrasound images and imaging studies; and (d) any ancillary services needed to connect to, access or otherwise use the Devices and Subscription Service. Client shall be responsible, and under no circumstances will Butterfly or its Affiliates or any of their licensors or suppliers be responsible, for any loss, damage or liability arising out of any Client Equipment, including any delays, inaccuracies, errors, malfunctions, security failures or other incident attributable to Client Equipment. Client shall not contract with or otherwise allow a third party to provide assistance or maintenance for the Devices without the prior written consent of Butterfly.
Restrictions on Use. Client shall not, and shall not allow or assist any End User or other entity to: (a) use the Device in a manner inconsistent with its labeling; (b) rent, lease, sublicense, assign, distribute, transfer, copy, reproduce, download, display, modify or timeshare or otherwise make the Butterfly Property or any portion thereof available to any third party other than End Users as contemplated by this Agreement; (c) use the Devices or Services to send or store infringing or unlawful material or material containing software viruses, worms, Trojan horses or other harmful computer code, files, scripts, agents or programs; (d) modify, copy or create derivative works based on the Butterfly Property, provided that Client may print, annotate or export, Client Data contained in certain reporting/reviewing/viewing functions but only to the extent expressly permitted in the Documentation and only for purposes of providing medical care to the individual patient associated with such Client Data; (e) translate, reverse engineer, decompile, disassemble, or otherwise attempt to discover any source code or underlying ideas of any Butterfly Property, or modify any Butterfly Property, except to the extent (but only to such extent) that applicable Law prohibits such restrictions; (f) access or use the Butterfly Property to develop or create competing products or services or copy any features or user interface of the Butterfly Property or otherwise use such Butterfly Property as a component of or a base for products or services prepared for commercial sale, sublicense, lease, access or distribution; (g) attempt to repair the Butterfly Property; (h) disable any security devices or codes on the Butterfly Property; (i) alter, remove, or obscure any proprietary rights notices on the Butterfly Property or related Documentation; (j) create Internet “links” to or from the Subscription Service, or “frame” or “mirror” any content forming part of the Subscription Service except that Client may create links for sharing images and imaging studies consistent with the Documentation; and (k) use the Subscription Service, for purposes of benchmarking or other comparative analysis intended for publication without Butterfly’s prior written consent.

EXHIBIT B

Subscription Services

1. Subscription Services. Subject to and conditioned on compliance with the terms of this Agreement and payment of the amounts set forth in the Confidential Quotation, Butterfly will provide Client with access to a specified number of End Users, to use the Butterfly Subscription Service. Only a Client that is fully paid up and its End Users may access and use the Subscription Service. Client is permitted to terminate and re-designate individual employees and agents as authorized End Users, provided that the total number of End Users does not exceed the number specified in the Confidential Quotation. Client and End Users are expressly prohibited from authorizing the sharing of login credentials, sharing login credentials with unauthorized individuals, or otherwise making the Subscription Service available to more than the number of End Users specified in the Confidential Quotation. All use of the Subscription Service by End Users is subject to the restrictions set forth in the End User License Agreement. Client acknowledges that each End Users shall accept the End User License Agreement prior to such End User receiving access to the Subscription Service and any Devices.

2. Subscription Term. The term of the Subscription Services shall commence on the later of the Effective Date of this Agreement or the Subscription Services Start Date, and shall remain in effect for an initial term of twelve (12) months (“Initial Subscription Term”), unless otherwise noted on the Confidential Quotation. Upon expiration of the Initial Subscription Term, the Subscription Services shall automatically renew for successive renewal terms of twelve (12) months each (each a “Renewal Subscription Term”), unless either Party provides written notice of non-renewal in accordance with the terms of the Agreement. For clarity, the Subscription start date is the date the cloud domain is created and Client has access to such cloud domain (“Subscription Services Start Date”).

Each Subscription Term is non-cancelable and non-refundable, except as expressly provided in this Agreement. Client is responsible for all fees for the full duration of the Subscription Term, regardless of actual usage.

In the event Client orders an additional Subscription Service through a Confidential Quotation and this Agreement terminates, the Subscription Service shall remain active for twelve (12) months, unless otherwise noted on the Confidential Quotation and the terms of this Agreement shall apply until Client provides written notice of non-renewal.

3. Security of Account. Client agrees to maintain all security regarding its and its End Users’ account ID, password, and connectivity, including its computer networks. If Client’s or its End Users’ account ID or password are stolen, or otherwise compromised, Client is obligated to immediately change the password and inform Butterfly of the compromise. Client shall be responsible, and under no circumstances will Butterfly or its Affiliates or any of their licensors or suppliers be responsible, for any loss, damage or liability arising out of any compromise of Client’s and its End Users’ access credentials, Client Equipment and/or computer networks

4. Changes. Butterfly reserves the right, in its sole discretion, to make any changes to the Subscription Services that it deems necessary or useful to: (a) maintain or enhance: (i) the quality or delivery of the services to its clients; (ii) the competitive strength of or market for Butterfly's services; or (iii) the Subscription Services cost, efficiency or performance; or (b) to comply with applicable Law. Without limiting the foregoing, either party may, at any time during the Term, request in writing changes to the Subscription Services.

5. Subscription Support Services. Butterfly will provide to Client reasonable technical support, maintenance, and generally available updates. Client shall not contract with or otherwise allow a third party to provide assistance or support for the Subscription Services without the prior written consent of Butterfly.

6. Use Restrictions. Client shall not, and shall not permit any other person to, access or use the Services except as expressly permitted by this Agreement. For the purposes of clarity and without limiting the generality of the foregoing, Client shall not, except as this Agreement expressly permits:

(a) bypass or breach any security device or protection used by the Subscription Services or access or use the Subscription Services other than by an End User through the use of his or her own then valid access credentials;

(b) input, upload, transmit, or otherwise provide to or through the Subscription Services, any information or materials that are unlawful or injurious, or contain, transmit, or activate any harmful code;

(c) damage, destroy, disrupt, disable, impair, interfere with, or otherwise impede or harm in any manner the Subscription Services;

(d) remove, delete, alter, or obscure any trademarks, specifications, Documentation, EULA, warranties, or disclaimers, or any copyright, trademark, patent, or other intellectual property or proprietary rights notices from any Subscription Services, including any copy thereof;

(e) access or use the Subscription Services in any manner or for any purpose that infringes, misappropriates, or otherwise violates any Intellectual Property Right or other right of any third party (including by any unauthorized access to, misappropriation, use, alteration, destruction, or disclosure of the data of any other Provider Client), or that violates any applicable Law;

(f) access or use the Subscription Services for purposes of competitive analysis of the Subscription Services the development, provision, or use of a competing software service or product or any other purpose that is to the Provider's detriment or commercial disadvantage; or

(g) otherwise access or use the Subscription Services beyond the scope of the authorization granted under this under this Agreement.

7. Client Systems and Cooperation. Client shall at all times during the Term: (a) set up, maintain, and operate in good all client systems on or through which the Subscription Services are accessed or used; (b); and (b) provide all cooperation and assistance as Butterfly may reasonably request to enable Butterfly its rights and perform its obligations under and in connection with this Agreement.

8. Effect of Client Failure or Delay. Butterfly is not responsible or Butterfly is delay or failure of performance caused in whole or in part by Client's delay in performing, or failure to perform, any of its obligations under this Agreement (each, a "Client Failure").

9. Client Control and Responsibility. Client has and will retain sole responsibility for: (a) all Client Data, including its content and use; (b) all information, instructions, and materials provided by or on behalf of Client or any End User in connection with the Services; (c) Client's information technology infrastructure, including computers, software, databases, electronic systems (including database management systems), and networks, whether operated directly by Client or through the use of third-party services ("Client Systems"); (d) the security and use of Client's and its End Users' access credentials; and (e) all access to and use of the Services and Provider Materials directly or indirectly by or through the Client Systems or its or its End Users' access credentials, with or without Client's knowledge or consent, including all results obtained from, and all conclusions, decisions, and actions based on, such access or use.

10. Access and Security. Client shall employ all physical, administrative, and technical controls, screening, and security procedures and other safeguards necessary to: (a) securely administer the distribution and use of all access credentials and protect against any unauthorized access to or use of the Subscription Services; and (b) control the content and use of Client Data, including the uploading or other provision of Client Data for processing by the Subscription Services.

EXHIBIT C

End User License Agreement (“EULA”)

The Butterfly platform (“Butterfly iQ”) is a cloud-based ultrasound image acquisition and sharing platform for patient care, research, education or other authorized use. The examination and associated patient information that you will store, send, and/or receive through Butterfly iQ will be transferred and stored in accordance with HIPAA standards.

You have the authority and the right to use the login credentials that you are using, and to access, use, transmit, and share the ultrasound images and personally identifiable information and/or patient health information.
You will not share your login credentials or otherwise permit unauthorized individuals to access Butterfly iQ.
You are a licensed physician, healthcare provider, veterinary professional, or medical school in good standing or otherwise authorized to use Butterfly iQ.
You have obtained any required consents, authorizations, or other permissions necessary to share the ultrasound images and associated patient or End User information and have otherwise taken steps to ensure that the transmission complies with applicable law.
You are not purporting to be anyone other than yourself (or a person for whom you have legal authority to act).
You are adhering to all international, national and/or state laws/regulations that govern the exam and associated personally identifiable information and/or patient health information.
You will only use Butterfly iQ in accordance with this Agreement and the Documentation.
You are sharing this ultrasound images and associated personally identifiable information and/or patient health information for purposes of research, education or continuity of care and not for any illegal or malicious purpose.
You will only transfer personally identifiable information and/or patient health information from the Butterfly Cloud using an encrypted connection.
Butterfly is not the intended recipient of any ultrasound images, rather, Butterfly, provides a platform for the storage and transfer of ultrasound images from one End User to another.
Butterfly is not a healthcare provider and is not responsible for the medical care or treatment of any patient.
Butterfly, will not be responsible for the content, results, diagnoses (or lack thereof) in the data provided and/or transmitted and will not review, verify, or provide any opinion or consultation regarding same.
You agree to hold Butterfly harmless from any costs or damages arising from your use, misuse or reliance on this system, except to the extent that such costs or damages are caused by Butterfly’s gross negligence or intentional misconduct.

EXHIBIT D

Professional Services

Professional Services. From time to time, Client may engage Butterfly to provide certain Professional Services, such as for training, implementation or customization of the Subscription Service. Fees for Professional Services will be based on Butterfly’s then applicable Professional Services rates. Each such engagement of Professional Services will be described in a Statement of Work that must be accepted in writing by an authorized representative of each Party. In the event of a conflict between the terms provided in this Agreement and the terms of any Statement of Work, the terms of this Agreement will prevail, except that the terms of the Statement of Work shall prevail over conflicting terms of this Agreement (but only with respect to such applicable Statement of Work) where the Statement of Work explicitly identifies such conflicting terms and confirms the intent of the Parties to supersede or modify the conflicting term of this Agreement.

EXHIBIT E

Custom Client Terms

The Parties agree that the additional terms set forth in this Exhibit shall apply to Client’s use of the Devices and Subscription Services, as may be applicable to the specific Client. In the event of a conflict between the terms of this Exhibit and the Terms and Conditions, the Custom Client Terms set forth in this Exhibit shall apply:

Clinical Treatment and Medical Diagnosis

Medical Diagnosis and Treatment. Client acknowledges and agrees that all clinical and medical treatment and diagnostic decisions are the responsibility of Client and its professional healthcare providers.

Use for Clinical Diagnostic Purposes. Client acknowledges and agrees that it and its End Users will use the Devices and Subscription Services consistent with the Device labeling, this Agreement and only for clinical diagnostic purposes in the diagnosis or treatment of a disease or condition or other authorized purposes and not for any entertainment or amusement purposes.

Compliance with Law. Butterfly acknowledges that in the performance of the Subscription Service, Butterfly may have access to Client Data. Butterfly shall only use and disclose Client Data in accordance with applicable Law, including without limitation HIPAA as amended by the HITECH Act, and the terms of the Business Associate Agreement (“BAA”) attached hereto.

Medical Education

Use for Medical Educational Purposes. Client acknowledges and agrees that it and its End Users will use the Devices and Subscription Services consistent with the Device labeling, this Agreement and only for educational purposes, teaching and internal research, and not for use in the diagnosis or treatment of any patient disease or condition, entertainment or amusement purposes, or any other purposes not authorized hereunder.

Compliance with Law. Client agrees that the transmission of protected health information (“PHI”) is not contemplated by this Agreement. Accordingly, Client shall not transmit any PHI to Butterfly, will be solely responsible for any error in transmission, and shall hold Butterfly harmless from any and all liability for its transmission of PHI in violation of this Agreement.

Global Health Partner

“Global Health Partner” means a vetted clinical provider or health related organization seeking to procure Butterfly’s ultrasound imagine probes for use in resource limited settings and humanitarian response efforts

Use for Clinical Diagnostic Purposes. Client acknowledges and agrees that it and its End Users will use the Devices and Subscription Services consistent with the Device labeling, this Agreement and only for clinical diagnostic purposes in the diagnosis or treatment of a disease or condition, for teaching, research or other authorized purposes and not for any entertainment or amusement purposes.

Location of Use. Client agrees and acknowledges that all use of the Subscription Service and Devices by it and its End Users will (i) occur in the region in which the End User is located; and (ii) be in compliance with applicable Law. Moreover, if Client chooses to use the Subscription Service and Device in a region or country where Butterfly does not have regulatory approval, Client agrees to take full responsibility for such use.

Compliance with Data Protection Laws and Regulations. Butterfly acknowledges that in the performance of the Services, Butterfly may have access to and process certain Client Data. Butterfly shall only process Client Data in accordance with applicable Data Protection Laws and the DPA (where applicable). Each Party shall comply with all its obligations under applicable Data Protection Laws when processing personal data under this Agreement, and the terms of the Data Protection Agreement (“DPA”) attached hereto.

Veterinary Care

Medical Diagnosis and Treatment. Client acknowledges and agrees that all clinical and medical treatment and diagnostic decisions are the responsibility of Client and its veterinary professional or licensed veterinary care providers.

Use for Clinical Diagnostic Purposes. Client acknowledges and agrees that it and its End Users will use the Devices and Subscription Services consistent with the Device labeling, this Agreement and only for clinical diagnostic purposes in the diagnosis or treatment of a disease or condition, for teaching, research or other authorized purposes and not for any entertainment or amusement purposes.

Data Privacy Obligations. Client acknowledges and agrees that Butterfly does not require any specific data from Client or End User, that Client and End User controls the content of any Client Data (as defined below) that is inputted, transmitted, uploaded, transferred, submitted, disclosed, processed, collected, stored, replicated or in any other way accessed or used through the use of the Subscription Service, and that Butterfly has no obligation to monitor the content of any Client Data. Client shall be responsible for procuring any necessary consents and making any notifications under Applicable Law with respect to the provision of the Client Data to Butterfly through the Subscription Service and the processing of such Client Data by Butterfly through the Subscription Services. Upon request of Butterfly, Client will provide Butterfly with documentation to support such consent.

Compliance with Law. While performing its obligations under this Agreement, Butterfly may have access to Personally Identifiable Information (“PII”), as that term is defined under Applicable Law (“Privacy Laws”). Butterfly agrees it shall not do or omit to do anything which would cause Client to be in breach of any Privacy Laws. Butterfly shall, and shall cause its employees, agents and representatives to: (i) keep PII confidential and may use and disclose PII only as necessary to carry out those specific aspects of the purpose for which the PII was disclosed to Client and in accordance with this Agreement and Privacy Laws; and (ii) implement and maintain appropriate technical and organizational measures regarding information security to: (A) ensure the security and confidentiality of PII; (B) protect against any threats or hazards to the security or integrity of PII; and (C) prevent unauthorized access to or use of PII. Butterfly shall promptly notify Client: (1) of any disclosure or use of any PII by Butterfly, any of its employees, agents and representatives in breach of this Agreement; and (2) of any disclosure of any PII to Butterfly or its employees, agents and representatives where the purpose of such disclosure is not known to Butterfly or its employees, agents and representatives. Applicable Law means: (a) any national, state, local or other law or statute in any applicable jurisdiction; (b) any rule or regulation issued by a relevant regulatory agency; and (c) any written or authoritative interpretation by such relevant regulatory agency of any such law, statute, rule or regulation.

EXHIBIT F

BUSINESS ASSOCIATE AGREEMENT

This BUSINESS ASSOCIATE AGREEMENT (“BA Agreement”) supplements and is made a part of the Master Terms and Conditions (where may applicable) (the “Underlying Services Agreement”) by and between Client (hereinafter referred to as “Company”) and BFLY Operations, Inc. (hereinafter referred to as “Business Associate”) and is effective as of the effective date of the Underlying Services Agreement (the “Effective Date”).

RECITALS

WHEREAS, Company and Business Associate are parties to an agreement setting forth services that require Business Associate to have access to Protected Health Information (the “Underlying Services Agreement”); and

WHEREAS, it is the intent of Company and Business Associate to amend the Services Agreement, as described in this BA Agreement, for the parties to comply with HIPAA.

NOW THEREFORE, in consideration of the mutual premises and covenants contained herein and other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, Company and Business Associate agree as follows:

I. GENERAL PROVISIONS

Effect. The provisions of this BA Agreement shall control with respect to Protected Health Information that Business Associate receives from or on behalf of Company, and the terms and provisions of this BA Agreement shall supersede any conflicting or inconsistent terms and provisions of the Services Agreement, including all exhibits or other attachments thereto and all documents incorporated therein by reference, to the extent of such conflict or inconsistency. This BA Agreement shall not modify or supersede any other provision of the Underlying Services Agreement.
No Third Party Beneficiaries. The parties have not created and do not intend to create by this BA Agreement any third party rights, including, but not limited to, third party rights for Company’s patients.
Independent Contractor. Company and Business Associate acknowledge and agree that Business Associate is at all times acting as independent contractor of Company and is not an agent or employee of Company under this BA Agreement.
HIPAA Amendments. Any future amendments to HIPAA affecting business associate agreements are hereby incorporated by reference into this BA Agreement as if set forth in this BA Agreement in their entirety, effective on the later of the effective date of this BA Agreement or such subsequent date as may be specified by HIPAA.
Regulatory References. A reference in this BA Agreement to a section in HIPAA means the section as it may be amended from time to time.

II. DEFINITIONS

Definitions. Capitalized terms used in this BA Agreement without definition shall have the respective meanings assigned to such terms by the Administrative Simplification section of the Health Insurance Portability and Accountability Act of 1996, the Health Information Technology for Economic and Clinical Health Act and their implementing regulations as amended from time to time (collectively, “HIPAA”).
Security Incident. The successful unauthorized access, use, disclosure, modification, or destruction of information in an information system.
Underlying Services. Shall mean, to the extent and only to the extent they involve the creation, maintenance, use, disclosure or transmission of protected health information (“PHI”), the services performed by Business Associate for Company pursuant to the applicable Underlying Services Agreement.
Underlying Services Agreement(s). Shall mean the written agreement(s) (other than this BA Agreement) by and between the parties pursuant to which Business Associate receives, maintains, creates, or transmits PHI for or on behalf of Company in connection with the provision of the services described in the applicable agreement by Business Associate to Company or in performance of Business Associate’s obligations under such agreement(s).

III. OBLIGATIONS OF BUSINESS ASSOCIATE

Use and Disclosure of Protected Health Information. Business Associate may use and disclose PHI as permitted or required under the applicable Underlying Services Agreement, this BA Agreement or as Required by Law, but shall not otherwise use or disclose any PHI. Business Associate shall not and shall ensure that its employees, other agents and contractors do not use or disclose PHI received from Company in any manner that would constitute a violation of HIPAA if so used or disclosed by Company. To the extent Business Associate carries out any of Company’s obligations under HIPAA, Business Associate shall comply with the requirements of HIPAA that apply to Company in the performance of such obligations. Without limiting the generality of the foregoing, Business Associate is permitted to use or disclose Protected Health Information as set forth below:
1. Business Associate may use PHI internally for Business Associate’s proper management and administrative services or to carry out its legal responsibilities, including any necessary customer support activities;
2. Business Associate may disclose PHI to a third party for Business Associate’s proper management and administration, provided that (1) the disclosure is Required by Law, (2) Business Associate makes the disclosure pursuant to an agreement consistent with this BA Agreement or (3) Business Associate makes the disclosure pursuant to a written confidentiality agreement under which the third party is required to (A) protect the confidentiality of the Protected Health Information, (B) only use or further disclose the Protected Health Information as Required by Law or for the purpose for which it was disclosed to the third party and (C) notify Company of any acquisition, access, use, or disclosure of PHI in a manner not permitted by the confidentiality agreement;
3. Business Associate may use PHI to provide Data Aggregation services relating to the Health Care Operations of Company if required or permitted under the applicable Underlying Services Agreement or this BA Agreement; and
4. Business Associate may use PHI to create de-identified health information in accordance with the HIPAA de-identification requirements. Business Associate may disclose health information that has been de-identified in accordance with HIPAA.
Safeguards. Business Associate shall use appropriate safeguards to prevent the use or disclosure of PHI other than as permitted or required by this BA Agreement. In addition, Business Associate shall implement Administrative Safeguards, Physical Safeguards and Technical Safeguards that reasonably and appropriately protect the Confidentiality, Integrity and Availability of Electronic PHI that it creates, receives, maintains or transmits on behalf of Company. Business Associate shall comply with the HIPAA Security Rule with respect to Electronic PHI.
Minimum Necessary Standard. To the extent required by the “minimum necessary” requirements of HIPAA, Business Associate shall only request, use and disclose the minimum amount of PHI necessary to accomplish the purpose of the request, use or disclosure. Business Associate shall comply with the minimum necessary guidance to be issued by the Secretary pursuant to HIPAA and, to the extent practicable, shall not request, use or disclose any Direct Identifiers (as defined in the limited data set standard of HIPAA).
Mitigation. Business Associate shall take reasonable steps to mitigate, to the extent practicable, any harmful effect (that is known to Business Associate) of a use or disclosure of PHI by Business Associate in violation of this BA Agreement or HIPAA.
Subcontractors. Business Associate shall enter into a written agreement meeting the requirements of 45 C.F.R. §§ 164.504(e) and 164.314(a)(2) with each Subcontractor (including, without limitation, a Subcontractor that is an agent under applicable law) that creates, receives, maintains or transmits PHI on behalf of Business Associate. Business Associate shall ensure that the written agreement with each Subcontractor obligates the Subcontractor to comply with restrictions and conditions that are at least as restrictive as the restrictions and conditions that apply to Business Associate under this BA Agreement.
Reporting Requirements.
1. Business Associate shall, without unreasonable delay, but in no event later than ten (10) business days after becoming aware of any acquisition, access, use, or disclosure of PHI in violation of this BA Agreement by Business Associate, its employees, other agents or contractors or by a third party to which Business Associate disclosed PHI (each, an “Unauthorized Use or Disclosure”), report such Unauthorized Use or Disclosure to Company.
2. Business Associate shall, without unreasonable delay, but in no event later than ten (10) business days after becoming aware of any Security Incident, report it to Company.
3. Business Associate shall, without unreasonable delay, but in no event later than ten (10) business days after discovery of a Breach of PHI (whether secured or unsecured), report such Breach to Company in accordance with 45 C.F.R. § 164.410.
Access to PHI. Within ten (10) business days of a request by Company for access to PHI about an Individual contained in any Designated Record Set of Company maintained by Business Associate, Business Associate shall make available to Company such PHI for so long as Business Associate maintains such information in the Designated Record Set. If Business Associate receives a request for access to PHI directly from an Individual, Business Associate shall forward such request to Company within five (5) business days.
Availability of PHI for Amendment. Within ten (10) business days of receipt of a request from Company for the amendment of an Individual’s PHI contained in any Designated Record Set of Company maintained by Business Associate, Business Associate shall provide such PHI to Company for amendment and incorporate any such amendments in the PHI (for so long as Business Associate maintains such information in the Designated Record Set) as required by 45 C.F.R. § 164.526. If Business Associate receives a request for amendment to PHI directly from an Individual, Business Associate shall forward such request to Company within five (5) business days.
Accounting of Disclosures. Within ten (10) business days of notice by Company to Business Associate that it has received a request for an accounting of disclosures of PHI (other than disclosures to which an exception to the accounting requirement applies), Business Associate shall make available to Company such information as is in Business Associate’s possession and is required for Company to make the accounting required by 45 C.F.R. § 164.528. If Business Associate receives a request for an accounting directly from an Individual, Business Associate shall forward such request to Company within five (5) business days.
Availability of Books and Records. Business Associate shall make its internal practices, books and records relating to the use and disclosure of PHI received from, or created or received by Business Associate on behalf of, Company available to the Secretary for purposes of determining Company’s or Business Associate’s compliance with HIPAA.
Restrictions; Limitations in Notice of Privacy Practices. Business Associate shall comply with any reasonable limitation in Company’s notice of privacy practices to the extent that such limitation may affect Business Associate’s use or disclosure of PHI and such notice of privacy practices have been provided to Business Associate by Company. Business Associate shall comply with any reasonable restriction on the use or disclosure of PHI that Company has agreed to or is required to abide by under 45 C.F.R. § 164.522, to the extent that such restriction may affect Business Associate’s use or disclosure of PHI.
Insurance. The parties, at their own expense, shall procure and maintain policies of insurance required by Law and at such levels as are appropriate and customary for each industry, and the scope of activities and operations and a Party’s obligations hereunder. Upon reasonable request, each Party shall furnish to the other a Certificate of Insurance evidencing such coverage policy. To the extent the Services Agreement provides more strict insurance requirements, the relevant provisions of the Services Agreement shall control.
Business Associate shall comply with any applicable state privacy laws.

IV. OBLIGATIONS OF COMPANY

Permissible Requests. Company shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under HIPAA if done directly by Company.
Minimum Necessary PHI. When Company discloses PHI to Business Associate, Company shall provide the minimum amount of PHI necessary for the accomplishment of Business Associate’s purpose.
Permissions; Restrictions. Company represents and warrants that it has obtained and will obtain any consents, authorizations and/or other legal permissions required under HIPAA and other applicable law for the disclosure of PHI to Business Associate. Company shall notify Business Associate of any changes in, or revocation of, the permission by an Individual to use or disclose his or her PHI, to the extent that such changes may affect Business Associate’s use or disclosure of PHI. Company shall not agree to any restriction on the use or disclosure of PHI under 45 C.F.R. § 164.522 that restricts Business Associate’s use or disclosure of PHI under this Agreement unless such restriction is Required By Law or Company grants its written consent, which consent shall not be unreasonably withheld.
Notice of Privacy Practices. Except as Required By Law, with Company’s consent or as set forth in this Agreement, Company shall not include any limitation in the Company’s notice of privacy practices that limits Business Associate’s use or disclosure of PHI under this Agreement.

V. TERM AND TERMINATION OF THIS BA AGREEMENT

Term. This Agreement shall become effective on the Effective Date and shall expire when all of the PHI provided by Company to Business Associate is destroyed or returned to Company.
Termination Upon Breach of Provisions Applicable to PHI. Any other provision of the Underlying Services Agreement notwithstanding, the Underlying Services Agreement and this BA Agreement may be terminated by either party (the “Non-Breaching Party”) upon 30 days advance written notice to the other party (the “Breaching Party”) in the event that the Breaching Party breaches any provision contained in this BA Agreement in any material respect and such breach is not cured within such 30-day period.
Return or Destruction of PHI upon Termination. Upon expiration or earlier termination of this BA Agreement, Business Associate shall either return or destroy all PHI received from Company or created or received by Business Associate on behalf of Company and which Business Associate still maintains in any form. Notwithstanding the foregoing, to the extent that Business Associate reasonably determines that it is not feasible to return or destroy such PHI, the terms and provisions of this BA Agreement shall survive termination of the Services Agreement and such PHI shall be used or disclosed solely for such purpose or purposes which prevented the return or destruction of such PHI.

VI. MISCELLANEOUS

Assignment. This BA Agreement and the rights and obligations hereunder shall not be assigned, delegated, or otherwise transferred by Business Associate without the prior written consent of Company, and any assignment or transfer without proper consent shall be null and void.
Amendment or Modification. This BA Agreement may only be amended or modified by mutual written agreement of the parties. The parties agree to take such action as is necessary to amend this BA Agreement from time-to-time as is necessary for the parties to comply with the requirements of the Privacy, Security, or Breach Notification Rules, as well as HIPAA and the HITECH Act.
Waiver. The failure of either party at any time to enforce any right or remedy available hereunder with respect to any breach or failure shall not be construed to be a waiver of such right or remedy with respect to any other breach or failure by the other party.
Regulatory References. A reference in this BA Agreement to a section in the Privacy, Security, or Breach Notification Rules means the section as in effect or as amended, and for which compliance is required.
Compliance with State/other Federal Law. In addition to the obligations herein, the parties agree to comply with any applicable state or federal privacy and security laws and regulations.
Notices. All notices required or permitted under this BA Agreement shall be in writing and sent to the other party as directed by the Underlying Services Agreement.
Severability. In the event any provision of this BA Agreement is held to be unenforceable for any reason, the unenforceability thereof shall not affect the remainder of this BA Agreement, which shall remain in full force and effect and enforceable in accordance with its terms.
Entire Agreement. This BA Agreement constitutes the entire agreement between the parties with respect to the matters contemplated herein and supersedes all previous and contemporaneous oral and written negotiations, commitments, and understandings relating thereto and the Services Agreement shall govern with respect to all issues not contemplated herein, including but not limited to limitation of liability and indemnification.

VII. COUNTERPARTS

This BA Agreement may be executed in two counterparts, each of which shall be deemed an original but both of which together shall constitute one and the same instrument. Copies of signatures sent by facsimile transmission or scanned and sent by email are deemed to be originals for purposes of execution and proof of this Agreement.

EXHIBIT G

EEA Data Processing Addendum ("DPA")

This Data Processing Addendum ("DPA") supplements and is made a part of the Master Terms and Conditions (where may applicable) ("Agreement") between Client and BFLY Operations, Inc. ("Butterfly") (each a "Party" and collectively "Parties") and is effective as of the effective date of the Agreement (“Effective Date”). All capitalized terms not defined in this DPA shall have the meaning set forth in the Agreement. By signing this DPA you agree to be notified of any changes to this document, including but not limited to any updates by change of law, through electronic notification or otherwise.

The Parties agree as follows:

Definitions

"Affiliate" means an entity that directly or indirectly Controls, is Controlled by or is under common Control with an entity. Control" means an ownership, voting or similar interest representing fifty percent (50%) or more of the total interests then outstanding of the entity in question. The term

"Controlled" will be construed accordingly.

"Client Personal Data" means any Client Data that is personal data that Butterfly's processes on behalf of Client in the course of providing the Services.

"Data Protection Laws" means all data protection and privacy laws, regulations and secondary legislation applicable to the respective Party in its role in the processing of personal data under the Agreement, including, to the extent applicable, European Data Protection Laws. ", as may be amended, superseded or replaced.

"European Data Protection Laws" means (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) ("GDPR"); (ii) Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector; (iii) applicable national implementations of (i) and (ii); (iv) in respect of the United Kingdom, the GDPR as saved into United Kingdom law by virtue of section 3 of the United Kingdom's European Union (Withdrawal) Act 2018 (the "UK GDPR") and the Data Protection Act 2018 (together the "UK Privacy Laws"); (vi) the Swiss Federal Data Protection Act ("Swiss DPA");

"Europe" means, for the purposes of this DPA, the European Economic Area and/or its member states, the United Kingdom and/or Switzerland.

"Purposes" shall mean the data processing purposes described in Annex A of this DPA.

"Restricted Transfer" means: (i) where the GDPR applies, a transfer of personal data from the European Economic Area to a country outside of the European Economic Area which is not subject to an adequacy determination by the European Commission; (ii) where the UK GDPR applies, a transfer of personal data from the United Kingdom to any other country which is not based on adequacy regulations pursuant to Section 17A of the United Kingdom Data Protection Act 2018; and (iii) where the Swiss DPA applies, a transfer of personal data to a country outside of Switzerland which is not included on the list of adequate jurisdictions published by the Swiss Federal Data Protection and Information Commissioner.

"Security Incident" means any actual unauthorized or unlawful breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Client Personal Data on systems managed by or otherwise controlled by Butterfly but does not include any Unsuccessful Security Incident.

"Standard Contractual Clauses" means: (i) where the GDPR applies, the standard contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council ("EU SCCs"); (ii) where the UK GDPR applies, the applicable standard data protection clauses adopted pursuant to Article 46(2)(c) or (d) of the UK GDPR ("UK SCCs"); and (iii) where the Swiss DPA applies, the applicable standard data protection clauses issued, approved or recognised by the Swiss Federal Data Protection and Information Commissioner (the "Swiss SCCs").

"Sub-processor" means any third party (including any Butterfly Affiliates) engaged by Butterfly to process any Client Personal Data (but shall not include Butterfly employees or consultants).

“Unsuccessful Security Incident” means an unsuccessful attempt or activity that does not compromise the security of Client Personal Data, including (without limitation) pings and other broadcast attacks of firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks, packet sniffing (or other unauthorized access to traffic data that does not result in access beyond headers) or similar incidents.

The terms "personal data", "controller", "processor" and "processing" shall have the meaning given to them in applicable Data Protection Laws, or if not defined therein, the GDPR, and "process", "processes" and "processed" shall be interpreted accordingly.

Scope and Applicability of this DPA
2.1 This DPA applies where and only to the extent that Butterfly processes Client Personal Data that is protected by Data Protection Laws applicable to the EEA as a processor or sub-processor on behalf of the Client in the course of providing Services pursuant to the Agreement.

2.2 Notwithstanding Section 2.1 above, Client acknowledges that Butterfly may process certain Butterfly Data as a controller in accordance with the terms of the Agreement. Where such processing of Butterfly Data involves the transfer of personal data from Client to Butterfly and such transfer is a Restricted Transfer, Section 10.2(b) of this DPA shall apply. The terms of this DPA shall not otherwise apply in connection with the processing of Butterfly Data by Butterfly.

2.3 Notwithstanding expiry or termination of the Agreement, this DPA and any Standard Contractual Clauses (if applicable) will remain in effect until, and will automatically expire upon, deletion of all Client Personal Data by Butterfly as described in this DPA.
Roles and Scope of Processing
3.1 Role of the Parties. As between Butterfly and Client, Client is the controller or processor of Client Personal Data and Butterfly shall process Client Personal Data only as a processor or sub-processor acting on behalf of Client (including as described in Annex A of this DPA). Each party shall comply with its obligations under applicable Data Protection Laws in respect of any personal data it processes under the Agreement. With respect to Client Personal Data, Butterfly is not responsible for compliance with any Data Protection Laws applicable to Client or Client's industry that are not generally applicable to Butterfly as a service provider.

3.2 Client Instructions. Butterfly will process Client Personal Data in accordance with the Client's documented lawful instructions, except where otherwise required by applicable law. For these purposes, Client instructs Butterfly to process Client Personal Data for the Purposes. If Client is itself processor acting on behalf of or jointly with a third-party controller, Client represents and warrants to Butterfly that Client's instructions and actions with respect to that Client Personal Data, including its appointment of Butterfly as a processor or sub-processor, have been authorized by the relevant controller or joint controllers.

3.3 Notification Obligations Regarding Client Instructions. Butterfly shall promptly notify Client in writing, unless prohibited from doing so under Data Protection Law, if: (a) it becomes aware or believes that any data processing instruction from Client violates Data Protection Law; or (b) it is unable to comply with Client’s data processing instructions.
Subprocessing
4.1 Authorized Sub-processors. Client provides a general authorization for Butterfly to engage Sub-processors to process Client Personal Data. Butterfly will provide a list of Sub-processors that it engages to process Personal Data upon written request by Client or as otherwise made available by Butterfly on its website located here https://www.butterflynetwork.com (or such successor URL as may be designated by Butterfly).

4.2 Sub-processor Obligations. Butterfly shall: (i) enter into a written agreement with each Sub-processor containing data protection obligations that provide at least the same level of protection for Client Personal Data as those in this DPA, to the extent applicable to the nature of the services provided by such Sub-processor; and (ii) remain responsible for its compliance with the obligations of this DPA and for any acts or omissions of the Sub-processor that cause Butterfly to breach any of its obligations under this DPA.

4.3 Changes to Sub-processors. Butterfly shall notify Client if it adds a new Sub-processors at least ten (10) days prior to any such changes if Client opts-in to receive such notifications. Client may object in writing to Butterfly's appointment of a new Sub-processor within five (5) calendar days of such notice, provided that such objection is based on reasonable grounds relating to data protection. In such event, the Parties will discuss such concerns in good faith with a view to achieving resolution. If Butterfly cannot provide an alternative Sub-processor, or the Parties are not otherwise able to achieve resolution as provided in the preceding sentence, Client as its sole and exclusive remedy, may terminate the relevant part of the Agreement (including this DPA) regarding those Services which cannot be provided by Butterfly without the use of the Sub-processor concerned without liability to either Party (but without prejudice to any fees incurred by Client prior to suspension or termination).
Security
5.1 Security Measures. Butterfly shall implement and maintain appropriate technical and organizational security measures to protect Client Personal Data from Security Incidents and to preserve the security, integrity and confidentiality of the Client Personal Data. These measures shall at a minimum comply with Data Protection Laws and include the measures described in Butterfly's Security Policy found at https://www.butterflynetwork.com/security-overview (or such successor URL as may be designated by Butterfly) Annex B ("Security Measures"). Butterfly shall ensure that any person who is authorized by Butterfly to process Client Personal Data (including its staff, agents and subcontractors) shall be under an appropriate obligation of confidentiality (whether a contractual or statutory duty).

5.2 Updates to Security Measures. Client is responsible for reviewing the information made available by Butterfly relating to data security and making an independent determination as to whether the Services meet Client’s requirements and legal obligations under Data Protection Laws. Client acknowledges that the Security Measures are subject to technical progress and development and that Butterfly may update or modify the Security Measures from time to time provided that such updates and modifications do not result in a material degradation of the overall security of the Services subscribed to by Client.

5.3 Security Incident Response. In the event of a Security Incident, Butterfly shall: (i) notify Client without undue delay and in any event such notification shall, where feasible, occur no later than 48 hours from Butterfly becoming aware of the Security Incident; (ii) provide timely information relating to the Security Incident as it becomes known or as is reasonably requested by Client; and (iii) Butterfly shall promptly take all reasonable steps to contain, investigate, and mitigate any Security Incident. Butterfly's notification of or response to a Security Incident under this Section 5.3 (Security Incident Response) will not be construed as an acknowledgment by Butterfly of any fault or liability with respect to the Security Incident.
Security Reports and Audits
6.1 Audit Rights. Butterfly audits its compliance against data protection and information security standards on a regular basis. Upon Client's written request, and subject to obligations of confidentiality, Butterfly will make available to Client a summary of its most recent relevant audit report and/or other documentation reasonably required by Client which Butterfly makes generally available to its customers, so that Client can verify Butterfly’s compliance with this DPA.
Client Responsibilities
7.1 Security. Client agrees that, without prejudice to Butterfly's obligations under Section 5.1 (Security Measures) and Section 5.3 (Security Incident Response):
1. Client is responsible for its use of the Services, including making appropriate use of the Services to ensure a level of security appropriate to the risk in respect of the Client Personal Data, securing its account authentication credentials, managing its data back-up strategies, and protecting the security of Client Personal Data when in transit to and from the Services and taking any appropriate steps to securely encrypt or backup any Client Personal Data;
2. Client shall be solely responsible for ensuring Client Personal Data accessed, maintained or stored by Butterfly's personnel while on the Client's facilities and/or otherwise accessed or processed by Butterfly's personnel on computer systems or other electronic equipment controlled by Client during the provision of the Services is processed in compliance with Client's data protection and security obligations under applicable Data Protection Laws and any associated policies, codes of practices and/or procedures relating to any End User, worker, customer, client, or supplier of the Client; and
3. Butterfly has no obligation to protect Client Personal Data that Client elects to store or transfer outside of Butterfly's and its Sub-processors’ systems (for example, offline or on premise storage).
7.2 Client's Responsibilities. Client is solely responsible for the accuracy, quality, and legality of Client Personal Data and the means by which Client acquired Client Personal Data. Client represents and warrants that: (i) it has provided, and will continue to provide, all notice and obtained, and will continue to obtain, all consents, permissions and rights necessary under Data Protection Laws for Butterfly to lawfully process Client Personal Data on Client's behalf and in accordance with its instructions; (ii) it has complied with all applicable Data Protection Laws in the collection and provision to Butterfly and its Sub-processors of such Client Personal Data; and (iii) it shall ensure its processing instructions comply with applicable laws (including Data Protection Laws) and that the processing of Client Personal Data by Butterfly in accordance with the Client's instructions will not cause Butterfly to be in breach of applicable Data Protection Laws.
Co-operation and Data Protection Impact Assessments
8.1 Data Subject Requests. To the extent Client is unable to independently retrieve, access or delete the relevant Client Personal Data within the Services, Butterfly shall (at Client's request and expense and taking into account the nature of the processing) provide reasonable cooperation to assist Client to respond to any requests from individuals or applicable data protection authorities relating to the processing of Client Personal Data under the Agreement. In the event that any request from individuals or applicable data protection authorities is made directly to Butterfly where such request identifies Client, Butterfly shall not respond to such communication directly without Client's prior authorization, unless legally compelled to do so, and instead, after being notified by Butterfly, Client shall respond. If Butterfly is required to respond to such a request, Butterfly will promptly notify Client and provide it with a copy of the request unless legally prohibited from doing so.

8.2 Record Keeping. Client acknowledges that Butterfly is required under the GDPR to: (a) collect and maintain records of certain information, including the name and contact details of each processor and/or controller on behalf of which Butterfly is acting and, where applicable, of such processor's or controller's local representative and data protection officer; and (b) make such information available to the supervisory authorities. Accordingly, Client will, where requested, provide such information to Butterfly via means provided by Butterfly, and will ensure that all information provided is kept accurate and up-to-date.

8.3 DPIAs. To the extent Butterfly is required under applicable Data Protection Laws, Butterfly shall (at Client's request and expense) provide reasonably requested information regarding the Services to enable the Client to carry out data protection impact assessments or prior consultations with data protection authorities as required by law.
Return or Deletion of Data
9.1 Upon Client's request, or upon termination or expiry of the Agreement, Butterfly shall destroy or return to Client Personal Data in its possession or control within a reasonable period. This requirement shall not apply to the extent that Butterfly is required by any applicable law to retain some or all of the Client Personal Data, or to Client Personal Data it has archived on back-up systems, which Client Personal Data Butterfly shall securely isolate and protect from any further processing and eventually delete in accordance with Butterfly's deletion policies, except to the extent required by such law.
Data Transfers
10.1 Location of Processing. Personal data that Butterfly processes under the Agreement may be processed in any country in which Butterfly, its Affiliates and authorized Sub-processors maintain facilities to perform the Services. Butterfly shall not process or transfer Client Personal Data (nor permit such data to be processed or transferred) outside of Europe, unless it first takes such measures as are necessary to ensure the transfer is in compliance with this DPA.

10.2 Transfer Mechanism. The Parties agree that when the transfer of personal data from Client (as "data exporter") to Butterfly (as "data importer") is a Restricted Transfer and European Data Protection Laws require that appropriate safeguards are put in place, such transfer shall be subject to the appropriate Standard Contractual Clauses, which shall be deemed incorporated into and form a part of this DPA as set out in Annex C. It is not the intention of either party to contradict or restrict any of the provisions set forth in the Standard Contractual Clauses and, accordingly, if and to the extent the Standard Contractual Clauses conflict with any provision of the Agreement (including this DPA) the Standard Contractual Clauses shall prevail to the extent of such conflict.

10.3 Alternative Transfer Mechanism. If Butterfly adopts an alternative data export mechanism (including any new version of or successor to the Standard Contractual Clauses or Privacy Shield adopted pursuant to European Data Protection Laws) for the transfer of personal data not described in this DPA ("Alternative Transfer Mechanism"), the Alternative Transfer Mechanism shall apply instead of any applicable transfer mechanism described in this DPA (but only to the extent such Alternative Transfer Mechanism complies with European Data Protection Law and extends to the territories to which the relevant personal data is transferred).
Limitation of Liability
11.1 Each Party’s and all of its Affiliates’ liability taken together in the aggregate arising out of or related to this DPA (including, where applicable, the Standard Contractual Clauses) shall be subject to the exclusions and limitations of liability set forth in the main body of the Agreement.

11.2 Any claims against Butterfly or its Affiliates under or in connection with this DPA (including, where applicable, the Standard Contractual Clauses) shall be brought solely against the Client entity that is a Party to the Agreement.

11.3 Notwithstanding any other provision of the Agreement or this DPA, in no event shall any Party limit its liability with respect to any individual's data protection rights under this DPA, the Standard Contractual Clauses or otherwise.
Relationship with the Agreement
12.1 The Parties agree that this DPA shall replace any existing data processing agreement or similar document that the parties may have previously entered into in connection with the Services.

12.2 Except for the changes made by this DPA, the Agreement remains unchanged and in full force and effect. If there is any conflict or inconsistency between this DPA and the Agreement, the provisions of the following documents (in order of precedence) shall prevail: (a) Standard Contractual Clauses (where applicable); then (b) this DPA; and then (c) the main body of the Agreement.

12.3 This DPA will be governed by and construed in accordance with governing law and jurisdiction provisions in the Agreement, unless required otherwise by applicable Data Protection Laws.

Annex A - Description of Data Processing / Transfer

Annex 1(A): List of parties
Data exporter	Name of the data exporter: Party identified as the Client in the Agreement Contact person’s name, position and contact details: The details provided in the relevant Order Form Activities relevant to the data transferred: Personal data transferred will be processed in accordance with the Agreement (including this DPA) and may be subject to the following processing activities: (i) storage and other processing necessary to provide, maintain and improve the Service pursuant to and as contemplated the Agreement; and/or (ii) disclosures in accordance with the Agreement and/or as compelled by applicable laws. Role (Controller/Processor): Controller or Processor
Data importer	Name of the data importer: BFLY Operations, Inc. Contact person’s name, position and contact details: Kate Driscoll, VP of Compliance, kdriscoll@butterflynetinc.com Activities relevant to the data transferred: Personal data transferred will be processed in accordance with the Agreement (including this DPA) and may be subject to the following processing activities: (i) storage and other processing necessary to provide, maintain and improve the Service pursuant to and as contemplated the Agreement; and/or (ii) disclosures in accordance with the Agreement and/or as compelled by applicable laws. Role (Controller/Processor): Controller (for Module 1) or Processor / Sub-processor (for Module 2 or Module 3)
Annex 1(B): Description of the processing / transfer
Categories of Data Subjects whose Personal Data is transferred	Data subjects include individuals about whom data is provided to Butterfly via the Services (by or at the direction of) the Client or by End Users, which shall include End Users and patients.
Categories of Personal Data transferred:	Module 1	End Users: business contact information, account log-in credentials, and data relating to the operation, support and/or use of the Services (such as data related to billing, account management, technical support and troubleshooting, the performance and usage data, product development and sales and marketing), as more particularly described in the Butterfly Privacy Notice available here: https://www.butterflynetwork.com/privacy-notice. We refer to this data as "Service Data" in the Agreement. Patients: where deep learning is authorized the Client, Butterfly will process certain de-identified and/or anonymized patient personal data to support the continued improvement and development of the Butterfly products and services, as more particularly described in the Butterfly Patient Notice available here: https://www.butterflynetwork.com/patient-privacy. We refer to this data as "Learning Data" in the Agreement.
	Modules 2 and 3	Client may submit personal data to the Services, the extent of which is determined and controlled by Client in its sole discretion, and which may include data relating to patients provided to Butterfly via the Services by (or at the direction of) Client or by End Users, which typically includes: patient identification and contact data (name, title, DOB, sex, accession number, medical record number (MRN)/patient identification number) and any other category of personal data uploaded by (or on behalf of) the Client to the Services.
Sensitive Data Transferred (if appropriate) and applied Restrictions or Safeguards:	Client may submit sensitive personal data (or PHI) about patients to the Services, the extent of which is determined and controlled by the Client in its sole discretion and which may include the following types of sensitive personal data: Patient health information ("PHI"), such as MRN data, study description and related metadata (such as comment data from physicians about an ultrasound study). Any other category of sensitive personal data uploaded by (or on behalf of) the Client or agreed upon between the Parties in the Agreement.
Frequency of the Transfer (e.g. whether the data is transferred on a one-off or continuous basis):	Continuous
Subject Matter and Nature of the Processing (Module 2 and 3 only):	Butterfly provides a cloud-based ultrasound image acquisition and sharing platform and related services for patient care, research, education and other authorised uses, as further described in the Agreement.
Duration of the Processing (Module 2 and 3 only):	The Initial Term plus the period from expiry of any Renewal Term (if applicable) until deletion of the personal data by Butterfly in accordance with the Agreement.
Purpose of the Data Transfer/Processing Operations:	Module 1	Personal data shall be processed by Butterfly for the purposes contemplated by Agreement and described (in relation to Service Data) in the Butterfly Privacy Notice and (in relation to Learning Data) the Butterfly Patient Notice.
	Modules 2 and 3	Client Personal Data may only be processed by Butterfly on behalf of Client for the following purposes: (i) as necessary for the performance of the Services and Butterfly's obligations under and pursuant to the Agreement (including the DPA); (ii) processing initiated by End Users in their use of the Services; and (iii) any other purposes of processing of Client Personal Data agreed upon between the Parties in writing (the "Purposes").
Period for which the Personal Data will be retained, or if that is not possible the criteria used to determinate that period, if applicable:	Module 1: Butterfly will retain Butterfly Data for no longer than the period during which Butterfly has a legitimate need to retain such data for purposes it was collected or transferred Module 2 and 3: Butterfly will retain Client Personal Data for the term of the Agreement and any period after the termination of expiry of the Agreement during which Butterfly processes Client Personal Data
Annex 1(C): Competent supervisory authority
Competent supervisory authority	The competent supervisory authority, in accordance with Clause 13 of the Standard Contractual Clauses, shall be (i) the supervisory authority applicable to the data exporter in its EEA country of establishment or, (ii) where the data exporter is not established in the EEA, the supervisory authority applicable in the EEA country where the data exporter's EU representative has been appointed pursuant to Article 27(1) of the GDPR, or (iii) where the data exporter is not obliged to appoint a representative, the supervisory authority applicable to the EEA country where the data subjects relevant to the transfer are located. With respect to personal data to which UK Data Protection Laws apply, the competent supervisory authority is the Information Commissioners Office.

Annex B - Technical and Organisational
Security Measures

Description of the technical and organisational measures implemented by the processor(s) / data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.

Encryption:

The Butterfly mobile application requires that hardware device encryption is enabled before login and scanning is allowed. All data is encrypted at rest and in transit.
Data is encrypted at rest at the database level using AES 256-bit encryption.
Data transmissions over the internet are encrypted utilizing HTTPS over TLS 1.2 or higher using SHA-256.
Teleguidance: Data streams are encrypted using Datagram Transport Layer Security (DTLS) and media streams are encrypted using Secure Real-time Transport Protocol (SRTP). WebRTC is a real-time communication protocol supported by the major browser makers: Apple, Google, Microsoft, Mozilla, and Opera among others. WebRTC uses DTLS-SRTP to protect this media. The calls are either peer-to-peer or DTLS over a TURN server, and in both cases are end-to-encrypted.

Confidentiality, Integrity, Availability and Resilience:

Butterfly Cloud is a SaaS with continuous delivery. Updates are deployed using zero downtime techniques with limited impact to the end user.
The Butterfly Cloud is hosted in AWS. We leverage AWS Shield for Distributed Denial of Service (DDoS) protection service that safeguards web applications running on AWS. AWS Shield provides always-on detection and automatic inline mitigations that minimize application downtime and latency. A program of techniques, technologies, and methods to guard against, detect, and report the presence of malicious software is in place. A central antivirus server is configured with antivirus software to protected servers and workstations. Butterfly Cloud servers are protected by source code review and isolation from executables. In addition, Managed Host-based Intrusion Detection (HIDS) is installed on each host that runs the application stack and will detect potential intrusions and other anomalous activities including malware.
Butterfly mobile application and Butterfly device firmware upgrades and security patches are provided automatically using Over the Air (OTA) updates. Updates are not generally required, however, major updates, such as those affecting safety or data security, could be mandatory.
All client integrations are developed and regression tested in a test environment. Updates are only released to production after sufficient regression testing, as per the Butterfly Quality Management System. Changes are validated to not affect client integrations.

Back Ups and Disaster Recovery:

Application files and production data are backed up in accordance with established backup policies.
A Disaster Recovery Plan exists to ensure the required level of continuity for business operations during an adverse situation.
Disaster recovery restoration tests are completed annually in accordance with the entity's system policies. Testing results and change recommendations are reported to management.
Application files and production data are backed up in accordance with established backup policies.

User Identification and Authorisation:

User access reviews for in-scope systems and infrastructure are performed to determine whether all end user accounts, and system accounts are limited to the authorized personnel.
Administrator access to in-scope applications and tools are reviewed to validate access access is restricted to authorized personnel based on job function.
Requests to grant or modify user access to in-scope systems and infrastructure are authorized via the access request form/ticket.
Terminated user access is removed in a timely manner following termination and removal is documented.
Employees with access to the in-scope applications and infrastructure are assigned a unique ID.
Dual-factor authentication is required to access the production environment. In addition, users must be authenticated to the corporate network to access production.
Access to VPN into IaaS resources within AWS is appropriately restricted to only authorized individuals.

Physical Security of Personal Data Processing:

Physical security is managed by Amazon at AWS data centers. Controls include but are not limited to perimeter controls such as fencing, walls, security staff, video surveillance, intrusion detection systems and other electronic means. AWS has been validated and certified by an independent auditor to confirm alignment with ISO 27001 certification standard.

Logging:

A SIEM is in place which generates, correlates, and analyzes security event logs to identify risks that impact the security of applications, infrastructure, and operations.
Security event logs are securely stored to prevent modification.
Privileged access to the SIEM and loggings tools is restricted to authorized personnel that require access based on job function.

System Configurations:

All workstations and servers are required to run centrally managed anti-virus systems and are configured for daily definition updates and active scans.
Access to the source code repository is restricted to only authorized personnel. All code commits require peer code review enforcing dual control, which extends to GitHub administrators
Butterfly continuously monitors and reports the compliance of our infrastructure against our information security baselines via AWS Security Hub.

Internal Technology Governance:

An architecture diagram is maintained for Butterfly which includes data flows, system components, and network boundaries.
A hardware and software asset inventory is in place to identify assets associated with information systems to determine accountability and ownership of assets.
Laptops have full-disk encryption in place.
Firewall rules are reviewed on a quarterly basis. Any discrepancies are researched and addressed.

Certifications and Assurances of Products and Processes:

All products are developed under the Butterfly Quality Management System (QMS).
Butterfly conducts Post Market Surveillance Meetings regularly with leadership and key stakeholders from all relevant teams. Post Market Surveillance is used to monitor the safety and performance of the Butterfly Devices. These activities are designed to generate information regarding the use of the device to expediently identify device design and/or usage problems and accurately categorize the real – world device behaviour in the market. Any falsified devices would be identified through the Return Material Authorization process and escalated. If a device is returned for investigation, a failure analysis is performed, and a fraudulent device would be identified.
Medical certifications:
- EN ISO 14971:2012 Medical Devices – Application of risk management to medical devices
- FDA 510K, Class II Medical Device (K163510, K200980, K202406)
- CE Mark, Class IIa (CE 686786)
- Health Canada, Class III (104476)
- TGA, Class IIa (318962)
- HSA (Singapore), Class B (DE050439)
- Kenya, Class B (MD/2020/1382)
- South Africa, Class II (1153/29672)
- IEC 62304 / ISO 13485
Butterfly is also HIPAA compliant and undergoes an AICPA SOC 2 audit

Data Quality:

The Butterfly Cloud is hosted by Amazon Web Services and uses a multi-tenant cloud architecture that ensures data separation through organization-specific metadata tags, and per normal VPC hosting the underlying physical hardware is virtualized.

Data Portability and Erasure:

Data uploaded to the Butterfly Cloud is owned and managed by the customer. Data is kept in the Butterfly Cloud indefinitely, or until the customer deletes it. If services were to be terminated, Butterfly will continue to allow Customer to view and download their data from the Butterfly Cloud. If feasible, and upon the request of Customer, Butterfly shall return data to Customer or destroy any patient identifiable data (PID) in accordance with HIPAA regulations.

Annex C – Standard Contractual Clauses

In relation to transfers of Client Personal Data that is protected by the EU GDPR, the EU SCCs shall apply, completed as follows:
1. Module Two (Controller to Processor) or Module Three (Processor to Processor) will apply (as applicable);
2. in Clause 7, the optional docking clause will apply;
3. in Clause 9, Option 2 will apply, and the time period for prior notice of Sub-processor changes shall be as set out in Section 4.3 of this DPA;
4. in Clause 11, the optional language will not apply;
5. in Clause 17, Option 1 will apply, and the EU SCCs will be governed by Irish law;
6. in Clause 18(b), disputes shall be resolved before the courts of Ireland;
7. Annex I of the EU SCCs shall be deemed completed with the information set out in Annex A to this DPA; and
8. Subject to Section 5.2 of this DPA, Annex II of the EU SCCs shall be deemed completed with the information set out in Annex B to this DPA;
In relation to transfers of Butterfly Data protected by the EU GDPR, the EU SCCs shall apply, completed as follows:
1. Module One (Controller to Controller) will apply;
2. in Clause 7, the optional docking clause will apply;
3. in Clause 11, the optional language will not apply;
4. in Clause 17, Option 1 will apply, and the EU SCCs will be governed by Irish law;
5. in Clause 18(b), disputes shall be resolved before the courts of Ireland;
6. Annex I of the EU SCCs shall be deemed completed with the information set out in Annex A to this DPA; and
7. Subject to section 5.2 of this DPA, Annex II of the EU SCCs shall be deemed completed with the information set out in Annex B to this DPA;
In relation to transfers of personal data protected by the UK Privacy Laws or the Swiss DPA, the EU SCCs will also apply in accordance with paragraphs (a) and (b) above, with the following modifications:
1. references to "Regulation (EU) 2016/679" shall be interpreted as references to UK Privacy Laws or the Swiss DPA (as applicable);
2. references to specific Articles of "Regulation (EU) 2016/679" shall be replaced with the equivalent article or section of UK Privacy Laws or the Swiss DPA (as applicable);
3. references to "EU", "Union", "Member State" and "Member State law" shall be replaced with references to the "UK" or "Switzerland", or "UK law" or "Swiss law" (as applicable);
4. the term "member state" shall not be interpreted in such a way as to exclude data subjects in the UK or Switzerland from the possibility of suing for their rights in their place of habitual residence (i.e., the UK or Switzerland);
5. Clause 13(a) and Part C of Annex I are not used and the "competent supervisory authority" is the United Kingdom Information Commissioner or Swiss Federal Data Protection Information Commissioner (as applicable);
6. references to the "competent supervisory authority" and "competent courts" shall be replaced with references to the "Information Commissioner" and the "courts of England and Wales" or the "Swiss Federal Data Protection Information Commissioner" and "applicable courts of Switzerland" (as applicable);
7. in Clause 17, the Standard Contractual Clauses shall be governed by the laws of England and Wales or Switzerland (as applicable); and
8. with respect to transfers to which UK Privacy Laws apply, Clause 18 shall be amended to state "Any dispute arising from these Clauses shall be resolved by the courts of England and Wales. A data subject may bring legal proceeding against the data exporter and/or data importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts", and with respect to transfers to which the Swiss DPA applies, Clause 18(b) shall state that disputes shall be resolved before the applicable courts of Switzerland,
If the EU SCCs, implemented as described above, cannot be used to lawfully transfer such personal data in compliance with the UK Data Privacy Laws or Swiss DPA, the parties agree that the UK SCCs or the Swiss SCCs (as applicable) shall instead be incorporated by reference and form an integral part of this DPA and shall apply to such transfers. Where this is the case, the relevant Annexes or Appendices of the UK SCCs or the Swiss SCCs shall be populated using the information contained in Annex A and B this DPA (as applicable).