TERMS OF USE OF THE FLUXMED PLATFORM
1. INITIAL CONSIDERATIONS
1.1. This document contains the terms and conditions of use of the Fluxmed Platform, which belongs to CORE CONSULTORIA E SERVIÇOS LTDA., CNPJ/MF under no. 05.490.544/0001-00, located at SIG QUADRA 1, 385, room 404, Industrial Zone, CEP: 70.610-410, Brasília/DF (Core Consulting). This document is adhered to by the Contractor identified through the Fluxmed Platform at the time of creating his/her registration (Contractor).
1.2. The Contractor and Core Consulting, whenever referred to together, for the purposes of this adhesion document, shall be designated as “Parties” or, individually, as “Party”, and agree, in good faith and freely and voluntarily, as follows.
1.3. Preliminarily, considering that:
1.3.1. The Contracting Party is a healthcare organization that provides human healthcare services. The Contracting Party's CNPJ and CNAE will be verified with the Federal Revenue Service when registering on the platform.
1.3.2. Core Consulting is a technology company that carries out information technology activities focused on the development of custom computer programs. It is the holder of the brand “Fluxmed”, according to the trademark registration certificate issued by the National Institute of Industrial Property (“INPI”), no. 922355134, as well as all material and immaterial rights related thereto.
1.3.3. Core Consulting is the developer and holder of all material and immaterial property rights related to the software that comprises the Interoperable Platform for the Development of Digital Services for Health (“Platform”) called “Fluxmed Platform”.
1.3.4. The Platform consists of 03 (three) functionalities, developed in accordance with the General Personal Data Protection Law (Law No. 13,709/2018 – “LGPD”):
1.3.4.1. Fluxmed Siis: ideal for, for example, individual practices, small clinics, accredited or not by health plans. It allows clinical records, scheduling for patients and health professionals, telecare, and electronic prescriptions CFM/ICP Brasil. It consists of an Electronic Health Record (SRES) of the patient, meeting the representation, terminology and interoperability standards in an integrated manner in HL7 FHIR standard.
1.3.4.2. Fluxmed APIs: HL7 FHIR interoperability platform whose target audience is those interested in using the Platform's resources in third-party or proprietary products or systems, allowing standardized HL7 FHIR access to a modern development platform for digital health services, which delivers added value, scheduling, clinical records, MPI, terminology management and clinical information data lake, as well as scalable interoperability. This is an accessory service that will be subject to the conditions of a specific term of use with a specific price.
1.3.4.3. Fluxmed Analytics: allows the processing of data already ingested and processed in the Platform and, consequently, the management of population health, administrative and care from the database with standardized clinical and administrative information. It is possible to create anonymized analytical panels, aligned with the needs of population health management and much more, with security and confidentiality. This is an accessory service that will be subject to the conditions of a specific term of use with a specific price.
1.3.5. In summary, the Platform consists of software that performs health data communication and archiving functions (electronic medical records, scheduling, data transmission, and communication). Therefore, the Platform does not offer functionalities related to prevention, diagnosis, treatment, rehabilitation, or contraception and, therefore, it does not comply with the rules described in the Collegiate Board Resolution (RDC) No. 185 of October 22, 2001, and in RDC No. 657/2022, both from the National Health Surveillance Agency (Anvisa). Therefore, the Platform is not considered software as a medical device (Software as a Medical Device – SaMD) and does not need to be regularized with the Equipment Technology Management (GQUIP/GGTPS/ANVISA).
1.3.6. The Contracting Party is interested in contracting and using the Fluxmed Platform, hosted and accessible centrally via the internet/cloud located in Brazil, in the Software as a Service (SaaS) modality, accompanied by services provided by Core Consulting. The Contracting Party will be exclusively responsible for the management of clinical information and all actions and activities related to the provision of health services and the performance of its health professionals, who must be linked to it.
1.3.7. The Parties are holders of confidential and exclusive commercial and technical information related to their field of activity, and the confidential nature of such information and documentation is of substantial and invaluable value to them. The Parties declare and guarantee that all material and immaterial rights related to the Platform and the services related thereto are the exclusive property of Core Consulting.
1.3.8. All information and/or materials that relate, directly or indirectly, to the purpose of this document, due to its strategic nature, must be treated with the utmost secrecy and the strictest confidentiality, in order to avoid, by any means or form, its knowledge and/or use by third parties, whether during its validity or even after it, under penalty of the infringing Party bearing the losses and damages resulting from the non-compliance of this obligation, without prejudice to the applicable judicial and administrative measures;
1.3.9. The duty of privacy and confidentiality of sensitive personal data relating to health is protected by the Constitution, since Article 5, X, of the Federal Constitution classifies the inviolability of privacy, private life, honor and image of individuals as a fundamental right, ensuring the right to compensation for material or moral damages resulting from their violation. In the constitutional terms, Article 21 of the Civil Code establishes that “the private life of a natural person is inviolable, and the judge, at the request of the interested party, shall adopt the necessary measures to prevent or cease any act contrary to this rule”.
1.3.10. The Parties shall protect the confidentiality of personal data and sensitive data entrusted to them by the data subjects. To this end, they have been implementing technical and administrative security measures capable of protecting personal data and sensitive data against unauthorized access and accidental situations, or any form of inappropriate processing, necessary to comply with the General Data Protection Law (Law No. 13,709/2018). Good practice and governance rules ensure that the processing of personal and sensitive data is lawful, fair, transparent and limited to the authorized purposes for which it is intended. The collection of personal data and sensitive data for processing is carried out by the Parties based on measures necessary to ensure accuracy, integrity, confidentiality and anonymization, as well as to guarantee respect for freedom, privacy, inviolability of privacy, image, in short, all rights of the data subjects, including the exercise of the right to request access, correction and deletion of personal and sensitive data stored in databases and digital systems.
1.3.11. Each Party shall observe and undertake to respect all intellectual, industrial and know-how property rights of the other Party, and neither Party may use in any way the brand, logo, trade name, internet domain, or any other distinctive sign belonging to the other Party without its prior and express written authorization signed by its due legal representatives.
1.3.12. The Parties comply with Brazilian legislation that deals with privacy and protection of personal data, including the Federal Constitution, the Consumer Defense Code, the Civil Code, the General Data Protection Law “LGPD” (Federal Law No. 13,709/2018), the Internet Civil Framework (Federal Law No. 12,965/2014), its regulatory decree (Decree No. 8,771/2016) and, in relation to the Contracting Party, Law No. 12,842/2013 (Medical Act Law), Law No. 8,078/90 (Consumer Protection Code) and, where applicable, the provisions of Law No. 13,787/18 (Electronic Medical Record Law), other sectoral or general standards on the protection of personal data provided for in Resolutions of the Federal Council of Medicine, such as the Code of Medical Ethics, and other professional councils in the health sector.
1.3.13. The Contractor acknowledges and agrees that the Platform does not record teleconsultations.
1.3.14. For the purposes of this Document, the Contracting Party acts as a “data controller”, responsible for decisions regarding the processing of its patient’s personal data, with the Contracting Party being responsible for the obligations assigned by the LGPD. It is before the data controller that the patient data subject exercises his/her rights set forth in art. 18 of the LGPD. It must also prove that consent to share health data with Fluxmed was obtained from the patient data subject. The Contracting Party is obliged to timely notify the National Data Protection Authority (“ANPD”) and the patient data subject of the occurrence of a security incident that may result in risk or relevant damage to the patient data subject.
1.3.15. Core Consulting acts as a “data operator” before the Contracting Party and must process personal data shared by the Contracting Party on behalf of the Contracting Party and related to the purposes of the Fluxmed Platform contracted by the Contracting Party. Core Consulting may only process the data for the purpose previously established by the Contracting Party, which is the controller.
1.3.16. The processing of personal data and sensitive personal data of the Contracting Party's patient is subject to the collection, by the Contracting Party, of the free, informed and unequivocal consent of the patient-holder, by which he/she agrees to the processing of his/her personal data and sensitive personal data (art. 11, I of the LGPD) by the Contracting Party, for specific purposes related to the assistance and management of his/her health. The Fluxmed Platform itself offers mechanisms for compliance with consent, according to the “Terms and Conditions of Use” and Privacy Policy, both available in the logged-in and non-logged-in environment of the Application/web, which may be revoked at any time by the patient.
1.3.17. The Parties declare that they recognize that sensitive personal data such as health data belong to a special category, and the conditions for processing are more rigorous. The Parties declare and guarantee that the LGPD prohibits the processing of personal data that may result in unlawful or abusive discrimination, such as the practice of risk selection.
1.3.18. The term “patient-data subject (or “patient-data subject”)” shall mean the natural person assisted by the Contracting Party within the scope of the provision of health services offered by the Contracting Party. The patient is the natural person to whom the personal data that are subject to processing in the context of the purpose of this Document refer.
1.3.19. The “authorized user” is considered to be the healthcare professional linked to the Contracting Party who will receive the login to access the Fluxmed Platform. The Contracting Party shall be fully responsible for the acts of the authorized user that imply irregular and insecure processing of health data and security incidents involving the personal data of the patient-holder.
1.4. The Parties declare that they agree and accept, in good faith and freely, the Terms and Conditions of Use of the Fluxmed Platform, as per this document, which they mutually grant and accept.
2. OBJECT
2.1. This document is intended to determine the conditions and terms of use of the Fluxmed Platform and the obligations of the Parties, the purpose of which includes:
2.1.1. The Contractor’s acceptance of the use of the software called Fluxmed by Core Consulting.
2.2. Included in the subscription price, the services linked to the subject of the Document and provided by Core Consulting will be the following:
2.2.1. Technical Support and Maintenance: Assistance to resolve technical issues so that the software operates optimally. This includes regular updates to fix bugs and improve security and availability. By default, software updates related to bug fixes, security improvements and availability will be performed by actively monitoring the platform. A digital channel will be made available for opening technical support calls. The criticality of the call will be triaged and the customer will be responded to within 24 hours. Depending on the criticality, high, medium or low, the adjustment period will be informed, which can be up to 5 business days.
2.2.2. Installation and Configuration: Assistance with software installation and initial configuration to ensure that the software is ready for use according to the specific needs of the Contractor's user. User manuals will be made available on the Platform itself and will be an integral part of this document.
2.2.3. Customization: if desired by the Contractor, services that adapt the software to the Contractor's specific needs, including the development of customized features or integrations with other systems, are not included in the price of this subscription. For customizations, please contact Core Consulting through the website.
2.2.4. Data Backup and Recovery: The Platform is hosted centrally via the internet/cloud. The Platform backup will be automated with cloud resources. The Platform offers mechanisms for the Contractor to perform backups of its records and is responsible for this.
2.2.5. Updates and Upgrades: Provision of new versions of the software to ensure continued access to the latest features, performance improvements and security fixes. New features may result in price adjustments.
2.3. The Parties declare and acknowledge that the patient is the protagonist of his/her own health and the holder of his/her personal data and sensitive personal data, and may or may not revoke consent to access his/her information.
3. RESPONSIBILITIES
3.1. Core Consulting is responsible for:
3.1.1. Comply with the terms and uses of this document, maintain the availability and quality of the Platform.
3.1.2. Keep User Manuals up to date.
3.1.3. Invest in constant technological developments in favor of digital health.
3.1.4. In the event of cancellation or termination of the Document, for any reason, Core Consulting undertakes to keep the Platform available to the Contracting Party, with read-only access to data, for a period of 30 (thirty) days so that the Contracting Party can proceed with compliance with Law No. 13,787/2018, which deals with the digitalization and use of computerized systems for the storage, safekeeping and handling of patient records.
3.1.5. Notify the Contracting Party in the event of a security incident within 48 (forty-eight) hours of becoming aware of the incident and provide the Contracting Party with any necessary clarifications related to the incident.
3.1.6. Maintain the timely issuance of electronic Invoices, relating to the Contractor's subscription for use.
3.1.7. Inform the Contractor by email about payment problems, maintaining use of the Fluxmed Platform for 10 days after informing the payment problem.
3.2. In addition to the obligations set forth in this instrument and in applicable legislation, the Contracting Party also undertakes to:
3.2.1. Make all subscription payments on time.
3.2.2. Ensure and maintain an internet connection with sufficient speed and stability to support the effective performance of the Platform.
3.2.3. Follow the instructions for using the Platform and User Manuals
3.2.4. Do not make modifications, updates or changes to the software (Platform) without prior written approval from Core Consulting. Any unauthorized modification may lead to compatibility or operational problems and result in a violation of the software's terms of use, exempting Core Consulting from any liability.
3.2.5. The Contractor is prohibited from sublicensing, renting or lending the use of the software (Platform) to third parties.
3.2.6. In the event of instability, failures or any other technical problem with the software (Platform), the Contractor undertakes to open technical support calls immediately upon becoming aware of the problem.
4. LIMITATION OF LIABILITY AND FORCE MAJEURE
4.1. Limitation of Liability and Force Majeure. The Parties represent and agree that Core Consulting’s total liability, under any circumstances arising from or related to the subject matter of this document, if proven, will be limited to the nature of Core Consulting’s economic performance and its responsibilities. For the avoidance of doubt, in no event shall Core Consulting be held liable for damages suffered by the Contracting Party’s patient related to the provision of health services by the Contracting Party.
4.1.1. Force Majeure: Neither party shall be liable for any failure or delay in the performance of its obligations hereunder due to force majeure events, which include, but are not limited to, natural disasters, wars, acts of terrorism, strikes, Internet failures or delays, power outages, and governmental interventions. In such circumstances, the deadlines for performance shall be extended by a reasonable period of time, taking into account the duration of the force majeure event. The following are examples that exempt Core Consulting from any liability to the Contractor:
4.1.1.1. Failures in the internet contracted by the contractor: the technology company cannot be held responsible for connectivity problems that occur due to failures in the internet contracted by the Contractor;
4.1.1.2. Scheduled maintenance: scheduled interruptions for maintenance or system updates, about which the Contractor has been previously notified;
4.1.1.3. Natural disasters: events beyond the company's control, such as earthquakes, hurricanes, floods or other natural disasters that affect the infrastructure necessary for the service;
4.1.1.4. Third-party cyber attacks: attacks by hackers or other malicious entities that are not the result of negligence on the part of Core Consulting;
4.1.1.5. Contractor's equipment failures: problems caused by obsolete or poorly maintained hardware by the Contractor, which affect the operation of the SaaS;
4.1.1.6. Changes not authorized by Core Consulting: modifications made by the Contractor to the configuration or use of the platform without the consent or approval of Core Consulting;
4.1.1.7. Software conflicts caused by third parties: interference or incompatibilities caused by third-party software or hardware not provided by Core Consulting;
4.1.1.8. Known technological limitations: technological restrictions or limitations of the platform that are known and documented and about which the Contractor has been informed;
4.1.1.9. Improper use of the platform: use of the software in a manner contrary to the instructions provided or the best practices established by Core Consulting;
4.1.1.10. Force majeure: any other event beyond Core Consulting's reasonable control, such as strikes, riots, war, pandemics, or government interventions that prevent the continuity of services;
4.2. When it is proven that the technical problem resides in the cloud, Core Consulting will not be responsible for events such as instability or even unavailability of the Platform.
5. TERM AND PRICE OF SERVICES
5.1. The term of the subscription and the price will be made available online through the Fluxmed Platform resources and may be adjusted as the functionalities evolve. Payments will be made in advance. In the event of early termination of the subscription, the contracted price will prevail and no refund will be made by Core Consulting.
6. TERMINATION
6.1. The subscription may be cancelled by the Contractor at any time through the mechanisms offered by the Fluxmed Platform.
6.2. Core Consulting may cancel the subscription for just cause, and must notify the Contracting Party 10 (ten) days in advance. If improper use of the Fluxmed Platform by the Contracting Party is detected, Core Consulting will notify the Contracting Party and immediately suspend the subscription until it is corrected.
7. CONFIDENTIALITY
7.1. The Parties undertake to maintain the strictest confidentiality of the information provided by the other party for the purpose of this Document, which is considered to be of inestimable value to both parties, and undertake to use it only for the specific purposes referred to in this contract. The party that fails to comply with this obligation shall be liable for any damages caused that may be determined in due course.
7.2. The Parties hereby undertake, on their own behalf, their representatives, agents, employees and/or subcontractors, to treat with absolute secrecy and confidentiality any and all information, economic or technical data, drawings, projects, procedures, manuals, made available by both parties during the term of this document, and may not, under any circumstances, reveal them to third parties and/or disclose them in any form or under any pretext, or use them for their own benefit or that of third parties for purposes other than those of this document, except with express written authorization from the other interested parties.
7.3. The parties shall adopt strict measures to protect the confidential information of the other Party to prevent it from being in any way disclosed, revealed, published, sold, assigned or in any other way transferred by the Receiving Party, its representatives, agents, employees and/or subcontractors.
7.4. The Contracting Party is solely responsible for the origin of the information provided by it to Core Consulting for the performance of the Services contracted herein and hereby expressly declares that the content of the life database and the information contained therein and which will be provided to Core Consulting does not violate any law or any third party right, including, without limitation, intellectual property rights and copyright, exempting and indemnifying Core Consulting, at any time, even after the expiration or termination of this document for any reason, from any liability arising from erroneous or false information in the data provided to Core Consulting.
7.4.1. Core Consulting is exempt from liability for the content of any and all information, personal, economic or technical data related to the beneficiary, made available by the Contracting Party, which is responsible for the origin and accuracy of the information that it will make available to Core Consulting for the performance of the services covered by this instrument.
7.5. Core Consulting expressly undertakes to adopt the necessary technical and organizational measures to guarantee the security of the personal data of the Contractor's members and prevent their alteration, loss and unauthorized access, given the personal nature of the stored data and the risks to which they are exposed, whether from human action or the physical or electronic environment in which they are stored.
7.6. The Contracting Party is also aware that the medical records, guides and information sent by Core Consulting to beneficiaries are non-shareable documents, the property of which belongs exclusively to the beneficiary, and that Core Consulting reserves the right not to provide a copy to the Contracting Party, under any circumstances, under penalty of violating the confidentiality and privacy of the beneficiary, except with unequivocal consent, in accordance with the Law.
7.7. Obligations regarding the confidentiality of technical and business information exchanged between the Parties for the execution of this Document will last for a period of 02 (two) years after the termination of this Document, except in the case of commercial and industrial secrets and the personal rights of individuals, such as sensitive personal data.
8. PRIVACY AND PROTECTION OF PERSONAL DATA
8.1. Regarding the General Personal Data Protection Law (Law 13,709/2018 – LGPD), without prejudice to the other provisions set forth in this instrument, the Parties declare the following:
8.1.1. The Parties protect the confidentiality of personal data and sensitive data entrusted to them by the holders of such data by virtue of this document. They declare, including on behalf of their employees, partners, agents and subcontractors, that they comply with Brazilian legislation on privacy, as set forth in the Federal Constitution, the Consumer Defense Code, the Civil Code, the General Data Protection Law “LGPD” (Federal Law No. 13,709/2018), the Internet Civil Framework (Federal Law No. 12,965/2014), its regulatory decree (Decree No. 8,771/2016) and other sectoral or general standards on the protection of personal data. To this end, they have been implementing technical and administrative security measures capable of protecting personal data and sensitive data against unauthorized access and accidental situations, or any form of inappropriate processing, necessary to comply with the General Data Protection Law (Law No. 13,709/2018).
8.1.2. Good practice and governance rules ensure that the processing of personal and sensitive data is lawful, fair, limited to the authorized purposes for which it is intended, and respects the principles of transparency, necessity, proportionality, and non-discrimination. The collection of personal data and sensitive data for processing is carried out by the Parties based on measures necessary to ensure accuracy, integrity, confidentiality, and anonymization, as well as to guarantee respect for freedom, privacy, inviolability of privacy, image, and, ultimately, all rights and freedoms of the data subjects, including the exercise of the right to request access, correction, and deletion of personal and sensitive data stored in databases and digital systems, except when storage is permitted by law or regulatory obligation (art. 16. I of the LGPD).
8.1.3. The Parties must have a privacy policy, information security guidelines and risk mitigation mechanisms, with a view to ensuring the security of the processing of personal data and sensitive personal data, for example, a report on the impact on the protection of personal data (art. 5, XVII of the LGPD), in order to avoid security incidents such as information leaks, including those caused internally, with accessible evidence that such content is communicated and disseminated to all its adherents.
8.1.4. For the purposes of this Document, Core Consulting acts as “Data Operator”, under the terms of the LGPD and the Contractor acts as “Data Controller”, under the terms of the LGPD.
8.1.4.1. Core Consulting shall be jointly and severally liable with the Contracting Party for damages caused by the processing when it is proven that it has failed to comply with the obligations of data protection legislation or when it has not followed the Contracting Party's lawful instructions, except in cases of exclusion provided for in art. 43 of the LGPD.
8.1.4.2. The Contractor shall be jointly liable with Core Consulting for any damages caused to the data subject by the processing in which they are directly involved, except in cases of exclusion provided for in art. 43 of the LGPD.
9. GENERAL AND FINAL PROVISIONS
9.1. This document is signed by entirely different people and cannot be characterized as any form of partnership or association, and it is understood that the Parties will not have any other type of relationship other than that arising from the relationship governed by this Document.
9.2. Each Party shall be fully responsible for its labor, tax or civil obligations, and there shall be no form of labor relationship between the Parties and other legal entities in any way related to this Document;
9.3. The Parties undertake to:
9.3.1. Act within the applicable laws and regulations and obey the strictest and most rigorous concepts and principles of ethics, morality and good faith in conducting joint business, including, but not limited to, avoiding relationships, contacts and/or commercial partnerships with any agents who by any means knowingly participate or have participated in illicit activities of any kind;
9.3.2. Have all authorizations and licenses to operate your business as it is currently operated and maintain, during the term of this Document, all governmental or non-governmental approvals, permissions, registrations and authorizations. TERMS OF USE OF THE FLUXMED PLATFORM.
