AMPRA CLIENT SERVICES AGREEMENT

This Client Services Agreement, including the attached Data Security and HIPAA Addendum, is entered into by and between Ampra AI (“Ampra”) and the client identified in the applicable proposal, statement of work, checkout page, invoice, or signed service confirmation (“Client”).

This Agreement is effective as of the date Client signs, accepts, pays for, or begins receiving services from Ampra.

1. Services

Ampra provides AI consulting, automation strategy, workflow design, implementation support, marketing funnel automation, lead management support, CRM optimization, AI-assisted process improvement, digital outreach optimization, and related advisory or technical services.

Specific services, fees, timelines, deliverables, and session packages may be described in a proposal, statement of work, order form, checkout page, or other written confirmation between the parties.

2. Engagement Model

Ampra’s services may be delivered through scheduled strategy sessions, Flex Flow sessions, implementation work, asynchronous preparation, documentation, workflow mapping, automation setup, client enablement, and support inside Client-approved tools or environments.

Unless otherwise agreed in writing, scheduled sessions occur at the agreed date and time. If Client does not attend a scheduled session, Ampra may still use the scheduled time to perform work for Client, including preparation, workflow review, documentation, automation work, or follow-up support.

3. Client Responsibilities

Client is responsible for:

  1. Providing timely access to required systems, documents, tools, accounts, personnel, data, and decision-makers.

  2. Ensuring that Client has the legal right to provide Ampra with any data, credentials, documents, or system access.

  3. Reviewing and approving workflows, automations, AI outputs, system configurations, and implementation decisions before production use.

  4. Determining whether any recommendation, workflow, automation, communication, or AI-assisted process is appropriate for Client’s business, legal, compliance, security, medical, financial, or operational requirements.

  5. Maintaining Client’s own software subscriptions, security settings, access controls, user permissions, and internal compliance obligations.

4. Client Systems and Approved Tools

Where practical, Ampra will perform services inside Client-owned or Client-controlled systems, platforms, and accounts.

Client acknowledges that Ampra’s services may involve third-party software, including AI tools, automation platforms, CRMs, communication tools, analytics tools, website tools, form tools, cloud services, and other digital systems.

Ampra does not control third-party platforms and is not responsible for their downtime, pricing changes, security incidents, data practices, model behavior, or terms of service.

Client is responsible for approving the use of any third-party tool in connection with Client’s business and data.

5. AI Tool Usage

Ampra may use AI systems to support research, drafting, workflow analysis, automation planning, documentation, summarization, code assistance, and other service-related activities.

Ampra will use reasonable care when handling Client Data in AI systems and will not knowingly submit regulated or highly sensitive Client Data into AI tools unless Client has approved the tool and the intended use.

Client acknowledges that AI-generated outputs may be inaccurate, incomplete, biased, non-compliant, or unsuitable for production use without human review. Client is responsible for reviewing and approving AI-assisted outputs before relying on them.

Unless expressly agreed in writing, Ampra will not use Client Confidential Information, Protected Health Information, or Personal Inquiry Information to train Ampra-owned AI models or to develop datasets for unrelated commercial purposes.

6. Confidentiality

Each party may receive confidential, proprietary, technical, business, operational, financial, marketing, customer, patient, or strategic information from the other party.

Each party agrees to use reasonable care to protect the other party’s confidential information and to use such information only for purposes of performing or receiving services under this Agreement.

Confidential information does not include information that is publicly available, independently developed without use of the other party’s confidential information, rightfully received from a third party without confidentiality obligations, or required to be disclosed by law.

7. Data Handling and Security

Ampra will use commercially reasonable administrative, technical, and organizational safeguards designed to protect Client Data accessed or processed in connection with the services.

Ampra will access Client Data only as reasonably necessary to perform the services, troubleshoot workflows, prepare deliverables, configure automations, or support Client-approved systems.

Client should not provide Ampra with regulated, highly sensitive, or legally restricted data unless the parties have agreed in writing to the applicable handling requirements.

8. Sensitive and Regulated Data

Client must notify Ampra before providing any of the following:

  1. Protected Health Information or electronic Protected Health Information.

  2. Financial account data.

  3. Government identification numbers.

  4. Payment card data.

  5. Social Security numbers.

  6. Special category personal data.

  7. Data subject to industry-specific legal or regulatory restrictions.

  8. Any data requiring a specific security, privacy, retention, encryption, audit, or breach notification framework.

If Protected Health Information may be involved, the parties must enter into the HIPAA Addendum below or a separate Business Associate Agreement before Ampra receives, creates, maintains, or transmits such information on Client’s behalf.

9. Contractors and Service Providers

Ampra may use employees, contractors, consultants, service providers, or subprocessors to deliver the services.

Ampra will require personnel working on Client matters to be subject to confidentiality obligations.

Where a regulatory addendum applies, including the HIPAA Addendum below, Ampra will require applicable subcontractors who access regulated data to agree to appropriate downstream obligations.

10. Ownership of Work Product

Unless otherwise agreed in writing, Client owns final deliverables specifically created for Client and paid for under the applicable engagement.

Ampra retains ownership of its pre-existing materials, templates, frameworks, prompts, internal workflows, training materials, reusable automation patterns, methodologies, know-how, software components, and generalized knowledge developed outside the engagement.

Ampra may reuse generalized skills, ideas, methods, and non-client-specific learnings, provided Ampra does not disclose Client Confidential Information.

11. No Legal, Medical, Financial, Tax, or Compliance Advice

Ampra provides AI, automation, workflow, marketing, and business process support.

Ampra does not provide legal, medical, financial, investment, accounting, tax, cybersecurity certification, HIPAA compliance certification, or regulated professional advice.

Client is responsible for obtaining review from qualified legal, compliance, medical, financial, tax, security, or other professionals where appropriate.

12. Fees and Payment

Client agrees to pay all fees described in the applicable proposal, order form, checkout page, invoice, or statement of work.

Unless otherwise agreed in writing, fees are due according to the payment schedule presented at purchase or invoicing.

Late payments may result in suspension of services.

13. Scheduling, Cancellations, and Rescheduling

Client is responsible for attending scheduled sessions and providing necessary participants.

Missed sessions, late cancellations, or late rescheduling requests may be treated as used sessions unless otherwise agreed in writing.

Ampra reserves dedicated resources for each FlexFlow session including automation architects and AI strategists, the reserved time cannot be moved. If Client does not attend a scheduled FlexFlow session, it will be treated as delivered and used, and Ampra may apply the reserved time to preparation, workflow review, documentation, automation, or follow-up work for Client.

Ampra may reschedule sessions when reasonably necessary due to team availability, technical issues, or operational needs.

14. Term and Termination

This Agreement begins when Client accepts the Agreement, signs an order form, pays an invoice, or begins receiving services.

Either party may terminate the engagement according to the terms of the applicable proposal, order form, statement of work, or written agreement.

Upon termination, Client remains responsible for fees incurred before termination.

15. Disclaimer

Ampra does not guarantee that any AI system, automation, workflow, integration, campaign, recommendation, or deliverable will be error-free, uninterrupted, compliant with all laws, or suitable for every use case.

Client is responsible for testing and approving workflows before production use.

16. Limitation of Liability

To the maximum extent permitted by law, Ampra’s total liability arising out of or related to the services will not exceed the fees paid by Client to Ampra for the specific services giving rise to the claim during the three months before the event giving rise to liability.

Ampra will not be liable for indirect, incidental, special, consequential, exemplary, or punitive damages, including lost profits, lost revenue, lost opportunities, loss of goodwill, loss of data, or business interruption.

17. Indemnification

Each party agrees to indemnify the other party from third-party claims arising from its own gross negligence, willful misconduct, or material breach of this Agreement.

Client will indemnify Ampra from claims arising from Client’s data, instructions, systems, legal obligations, marketing claims, regulated professional obligations, or unauthorized provision of data to Ampra.

If a separate HIPAA Addendum applies, breach-related responsibilities will be governed by that addendum to the extent applicable.

18. Order of Precedence

If there is a conflict between documents, the following order controls unless expressly stated otherwise:

  1. HIPAA Addendum or other regulatory addendum.

  2. Signed statement of work or order form.

  3. This Agreement.

  4. Proposal, checkout page, marketing materials, or informal communications.

DATA SECURITY AND HIPAA ADDENDUM

This Data Security and HIPAA Addendum applies when Client is a HIPAA Covered Entity or Business Associate, or when Ampra may receive, create, maintain, or transmit Protected Health Information on behalf of Client.

A. Definitions

Terms not defined in this Addendum have the meanings given to them under HIPAA, including the HIPAA Privacy Rule, HIPAA Security Rule, and HITECH Act.

“PHI” means Protected Health Information.

“ePHI” means electronic Protected Health Information.

“Personal Inquiry Information” means personally identifiable information submitted by or concerning a prospective or existing patient through a marketing channel, website form, chatbot, CRM, lead system, intake workflow, or similar system, including name, email address, telephone number, inquiry details, demographic information, health-related interest, or similar information.

“Client Data” means data provided by Client to Ampra or accessed by Ampra in connection with the services.

B. Permitted Uses and Disclosures

Ampra may use or disclose PHI, ePHI, or Personal Inquiry Information only as necessary to perform services for Client, as permitted by this Addendum, as directed in writing by Client, or as required by law.

Ampra may use such information for its own proper management and administration only where permitted by law and only with appropriate confidentiality protections.

Ampra may not use PHI, ePHI, or Personal Inquiry Information for Ampra’s own marketing purposes, to market third-party products or services, to sell or license data, or to otherwise commercially exploit such information.

C. Minimum Necessary

Ampra will make reasonable efforts to use, disclose, and request only the minimum necessary PHI, ePHI, or Personal Inquiry Information required to perform the services.

Client is responsible for limiting information provided to Ampra to the minimum necessary for the engagement.

D. Safeguards

Ampra will maintain reasonable administrative, technical, and organizational safeguards designed to protect PHI, ePHI, and Personal Inquiry Information from unauthorized use or disclosure.

Such safeguards may include, as appropriate to the services and systems involved:

  1. Access controls.

  2. Unique user access where supported by the relevant platform.

  3. Reasonable password and authentication practices.

  4. Limitation of access to personnel with a service-related need.

  5. Secure storage practices.

  6. Reasonable transmission safeguards.

  7. Confidentiality obligations for personnel.

  8. Return or deletion of information at the end of the engagement where feasible.

Specific safeguards such as encryption standards, audit logging, automatic logoff, dedicated security roles, or formal written policies apply only to the extent supported by the systems used and expressly agreed in writing by the parties.

E. Subcontractors

Ampra may use subcontractors, contractors, or service providers to perform services.

Before allowing a subcontractor to access PHI or ePHI, Ampra will require the subcontractor to agree to restrictions and safeguards that are materially consistent with the applicable requirements of this Addendum.

Client acknowledges that some third-party platforms used in the services may process Client Data under their own terms, security documentation, and business associate agreements where applicable.

F. Reporting Security Incidents and Breaches

Ampra will notify Client without unreasonable delay after discovering a confirmed unauthorized use or disclosure of PHI, a confirmed breach of unsecured PHI, or a material security incident involving ePHI in Ampra’s control.

Where legally required, Ampra’s notice will include information reasonably available to Ampra, including the nature of the incident, categories of information involved, individuals affected if known, date of discovery, mitigation steps, and corrective actions.

Client is responsible for determining whether individual, regulatory, media, or other notices are legally required, unless otherwise agreed in writing.

G. Access, Amendment, and Accounting

To the extent Ampra maintains PHI in a Designated Record Set, Ampra will reasonably cooperate with Client to support Client’s obligations relating to individual access, amendment, and accounting of disclosures.

Client remains responsible for responding to individual requests and determining whether information is part of a Designated Record Set.

H. HHS Access

Ampra will make internal practices, books, and records relating to the use and disclosure of PHI received from, or created or received by Ampra on behalf of Client, available to the Secretary of the U.S. Department of Health and Human Services to the extent required by HIPAA.

I. De-Identified Data

Ampra may use de-identified information only if the information has been de-identified in accordance with HIPAA and does not identify Client, Client’s patients, prospective patients, customers, personnel, or business operations.

Ampra may not re-identify de-identified information without Client’s prior written consent.

Ampra may not use PHI, ePHI, Personal Inquiry Information, or de-identified data to train public AI models or unrelated commercial AI systems unless Client gives prior written approval.

J. Return or Destruction

Upon termination of services, and upon Client’s written request, Ampra will return or destroy PHI, ePHI, and Personal Inquiry Information in Ampra’s possession or control, where feasible.

If return or destruction is not feasible, Ampra will retain only the minimum necessary information and continue to protect it under this Addendum.

This section does not require Ampra to delete information retained in routine backups, legal records, financial records, security logs, or systems where deletion is not commercially feasible, provided such information remains protected and is not used for unrelated purposes.

K. Client Obligations

Client will:

  1. Provide Ampra with any applicable Notice of Privacy Practices or restrictions that may affect Ampra’s work.

  2. Not request Ampra to use or disclose PHI in a way that would violate HIPAA if done by Client.

  3. Identify systems, tools, and data categories that require HIPAA-specific handling.

  4. Obtain all required patient authorizations, consents, or legal permissions for marketing, tracking, outreach, lead handling, CRM workflows, and automation activities.

  5. Maintain responsibility for Client’s HIPAA compliance program and regulated professional obligations.

L. Termination for Material Breach

Either party may terminate this Addendum if the other party materially breaches this Addendum and fails to cure the breach within thirty days after written notice.

If cure is not feasible, the non-breaching party may terminate immediately.

M. Conflict

If this Addendum conflicts with the main Agreement, this Addendum controls only with respect to PHI, ePHI, HIPAA obligations, and Personal Inquiry Information.