API Terms of Use

Last updated: October 2023

Thank you for developing with Cumulus!

By accessing or using Cumulus APIs, including within a software application, website, tool, service, or product you create or offer to Customers (your "Application"), you are agreeing to these terms and to comply with any accompanying documentation that applies to your use of the Cumulus APIs ("API Terms") with Cumulus Care Inc. ("Cumulus", "we", "us", or "our"). You represent and warrant to us that you have the authority to accept these API Terms on behalf of yourself, a company, and/or other entity, as applicable. We may change, amend or terminate these API Terms at any time. Your use of the Cumulus APIs after any change or amendment means you agree to the new API Terms. If you do not agree to the new API Terms or if we terminate these API Terms, you must stop using the Cumulus APIs.

a) "Customer(s)" means the licensee of a Cumulus online service ("Cumulus Offering") and if the licensee is an organization, includes their administrators and end users.

b) "Cumulus APIs" means (i) any form of machine accessible application programming interface that Cumulus makes available which provides access to a Cumulus Offering, including all associated tools, elements, components and executables therein, (ii) any Cumulus sample code that enables interactions with a Cumulus Offering, and (iii) documentation that Cumulus makes available to help enable your access to the Cumulus APIs.

c) The Cumulus APIs include:

1. the Cumulus FHIR API (documented, for example, at https://cumulus.care/docs/building-apps);
2. any other Cumulus APIs that enables access to data in Cumulus;

a) These API Terms govern your use of Cumulus APIs except if you have entered into another agreement with Cumulus that expressly supersedes these API Terms and governs your use of specific Cumulus APIs.

b) Registration for your Application may be required pursuant to documentation. If registration is required, you must register your Application with Cumulus. Your registration must be accurate and kept up-to-date by you at all times. Once you have successfully registered an Application, you will be given access credentials for your Application. "Access Credentials" means the necessary security keys, secrets, tokens, and other credentials to access the Cumulus APIs. The Access Credentials enable us to associate your Application with your use of the Cumulus APIs. All activities that occur using your Access Credentials are your responsibility. Access Credentials are non-transferable and non-assignable. Keep them secret. Do not try to circumvent them.

a) Cumulus APIs License Subject to your compliance with all of the API Terms, Cumulus grants you a limited, non-exclusive, non-assignable, non-transferable, revocable license to use the Cumulus APIs to develop, test, and support your Application, and allow Customers to use your integration of the Cumulus APIs within your Application. You may use the Cumulus APIs only as expressly permitted in these API Terms. Violation of these API Terms may result in the suspension or termination of your use of the Cumulus APIs.

b) Cumulus APIs Guidelines

You may NOT:

1. Use the Cumulus APIs in a way that could impair, harm or damage Cumulus, the Cumulus APIs, any Cumulus Offering, or anyone's use of the Cumulus APIs or any Cumulus Offerings;
2. Use the Cumulus APIs to disrupt, interfere with, or attempt to gain unauthorized access to services, servers, devices, or networks connected to or which can be accessed via the Cumulus APIs;
3. Use the Cumulus APIs, or any information accessed or obtained using the Cumulus APIs, for the purpose of migrating Customers away from a Cumulus Offering, except in connection with use of the Cumulus APIs by your Application or unless expressly permitted by Cumulus pursuant to a duly executed written agreement;
4. Scrape, build databases or otherwise create copies of any data accessed or obtained using the Cumulus APIs, except as necessary to enable an intended usage scenario for your Application;
5. Request from the Cumulus APIs more than the minimum amount of data, or more than the minimum permissions to the types of data, that your Application needs for Customers to use the intended functionality of your Application;
6. Use an unreasonable amount of bandwidth, or adversely impact the stability of the Cumulus APIs or the behavior of other apps using the Cumulus APIs;
7. Attempt to circumvent the limitations Cumulus sets on your use of the Cumulus APIs. Cumulus sets and enforces limits on your use of the Cumulus APIs (e.g., limiting the number of API requests that you may make or the number of users you may serve), in its sole discretion;
8. Use Cumulus APIs in any manner that works around any technical limitations of the Cumulus APIs or of the accessed Cumulus Offering, or reverse engineer, decompile or disassemble the Cumulus APIs, except and only to the extent that applicable law expressly permits, despite this limitation;
9. Use the Cumulus APIs, or any data obtained using the Cumulus APIs, to conduct performance testing of a Cumulus Offering unless expressly permitted by Cumulus pursuant to a duly executed written agreement;
10. Use the Cumulus APIs, or any data obtained using the Cumulus APIs, to identify, exploit or publicly disclose any potential security vulnerabilities;
11. Request, use or make available any data obtained using the Cumulus APIs outside any permissions expressly granted by Customers in connection with using your Application;
12. Use or transfer any data accessed or obtained using the Cumulus APIs, including any data aggregated, anonymized or derived from that data (collectively the "Cumulus APIs Data") for advertising or marketing purposes including (i) targeting ads, or (ii) serving ads. For purposes of clarity, this prohibition on using Cumulus APIs Data for advertising or marketing purposes does not extend to using other data, such as (i) the number of users of your Application, (ii) a user identifier you independently receive from a user (e.g., an email address you receive when a user enrolls to use your Application, a device identifier, or an advertising identifier), or (iii) a product or service identifier that identifies a Cumulus Offering;
13. Make your Application available for use in a manner that circumvents the need for users to obtain a valid license to the Cumulus application or service that is accessed through the Cumulus APIs;
14. Redistribute or resell, or sublicense access to, the Cumulus APIs, any data obtained using the Cumulus APIs, or any other Cumulus Offering accessed through the Cumulus APIs; or
15. Misrepresent expressly, by omission, or implication, the need for users to obtain a valid license to the Cumulus application or service that is accessed through the Cumulus APIs;
16. Falsify or alter any unique referral identifier in, or assigned to an Application, or otherwise obscure or alter the source of queries coming from an Application to hide a violation of this agreement; or
17. Use the Cumulus APIs or allow any user to use the Application in a way that violates applicable law, including:
    1. Illegal activities, such as child pornography, gambling, piracy, violating copyright, trademark or other intellectual property laws.
    2. Intending to exploit minors in any way.
    3. Accessing or authorizing anyone to access the Cumulus APIs from an embargoed country as prohibited by the U.S. government.
    4. Threatening, stalking, defaming, defrauding, degrading, victimizing or intimidating anyone for any reason.
    5. Violating applicable privacy laws and regulations.
18. Use the Cumulus APIs in a way that could create, in Cumulus' sole discretion and judgment, an unreasonable risk to Customers from a security or privacy perspective.

You warrant that your Application has been developed to operate with Cumulus API content in a secure manner. Your network, operating system and the software of your servers, databases, and computer systems (collectively, "Systems") must be properly configured to securely operate your Application and store content collected through your Application (including the Cumulus API content). Your Application must use reasonable security measures to protect the private data of your users.

We may use technology to detect, prevent or limit the impact of any issues caused by your Application (before, after, or instead of suspension of your access). This may include, for example, (i) filtering to stop spam, (ii) performing security or privacy monitoring regarding scraping, denial of service attacks, user impersonation, application impersonation, or illicit consent grant(s), or (iii) limiting or terminating your access to the Cumulus APIs.

You will permit Cumulus reasonable access to your Application for purposes of monitoring compliance with these API Terms. You will respond to any questions by Cumulus about your compliance with these API Terms.

Without limiting the foregoing, upon request by Cumulus, you will provide us (or an independent auditor acting on our behalf) with up to two full-feature client account-level instances to access your Application (and/or other materials relating to your use of the API) as reasonably requested by us to verify your compliance with these API Terms (including, in particular, your security and privacy obligations under these API Terms).

We may restrict or terminate access to the APIs or perform an audit (including by hiring an independent auditor acting on our behalf) of your Application if you fail to provide adequate information and materials (including up to two full-featured instances of your Application) to verify your compliance with these Terms.

You must have a process to respond to any vulnerabilities in your Application, and in the case of any vulnerabilities related to your Application's connection to the Cumulus APIs discovered by you or reported to you by a third party, you agree that you will provide vulnerability details to the Cumulus Security Response Center (secure@cumulus.care) as described in the Cumulus Vulnerability Disclosure Policy.

In the event of a data breach by you resulting from any aspect of the Cumulus APIs involving your Application or any data collected through your Application, you will promptly contact the Cumulus Security Response Center (secure@cumulus.care) and provide details of the data breach. You agree to refrain from making public statements (e.g., press, blogs, social media, bulletin boards, etc.) without prior written and express permission from Cumulus in each instance as it relates to the Cumulus APIs. For more information, see the Cumulus Vulnerability Disclosure Policy.

The rights and requirements of this section -- 4. Security -- will survive for five (5) years following any termination of these API Terms.

You must comply with all laws and regulations applicable to your use of the data accessed through the Cumulus APIs, including without limitation laws related to privacy, biometric data, data protection and confidentiality of communications. Your use of the Cumulus APIs is conditioned upon implementing and maintaining appropriate protections and measures for your service and Application, and that includes your responsibility to the data obtained through the use of the Cumulus APIs. For the data you obtained through the Cumulus APIs, you must:

a) obtain all necessary consents before processing data and obtain additional consent if the processing changes ("Data Access Consents"),

b) in the event you're storing data locally, ensure that data is kept up to date and implement corrections, restrictions to data, or the deletion of data as reflected in the data obtained through your use of the Cumulus APIs,

c) implement proper retention and deletion policies, including deleting all data when your user abandons your Application, uninstalls your Application, closes its account with you, or abandons the account,

d) maintain and comply with a written statement available to Customers and users that describes your privacy practices regarding data and information you collect and use ("Your Privacy Statement"), and that statement must be as protective as the Cumulus Privacy Statement, and

Nothing in the Agreement shall be construed as creating a joint controller or processor-subprocessor relationship between you and Cumulus.

WE MAY CHANGE OR DISCONTINUE THE AVAILABILITY OF SOME OR ALL OF THE Cumulus APIs AT ANY TIME FOR ANY REASON WITH OR WITHOUT NOTICE. Such changes may include, without limitation, removing or limiting access to specific API(s), requiring fees or setting and enforcing limits on your use of additions to the Cumulus APIs. We may also impose limits on certain features and services or restrict your access to some or all of the Cumulus APIs. We may release subsequent versions of the Cumulus APIs and require that you use those subsequent versions, at your sole cost and expense.

Any version of the Cumulus APIs designated as "preview", "pre-release" or "beta" ("Preview API"), may not work in the same way as a final version. We may change or not release a final or commercial version of a Preview API in our sole discretion.

WE MAY MODIFY THESE API TERMS AT ANY TIME, WITH OR WITHOUT PRIOR NOTICE TO YOU. YOUR CONTINUED USE OF THE Cumulus APIs FOLLOWING THE RELEASE OF A SUBSEQUENT VERSION OF THESE API TERMS WILL BE DEEMED YOUR ACCEPTANCE OF ANY MODIFICATIONS TO THESE API TERMS.

If you give feedback about the Cumulus APIs to Cumulus, you give to Cumulus, without charge, the right to use, share and commercialize your feedback in any way and for any purpose. You will not give feedback that is subject to a license that requires Cumulus to license its software or documentation to third parties because Cumulus includes your feedback in them. These rights survive these API Terms.

You may be given access to certain non-public information, software, and specifications relating to the Cumulus APIs ("Confidential Information"), which is confidential and proprietary to Cumulus. You may use Confidential Information only as necessary in exercising your rights granted under these API Terms. You may not disclose any Confidential Information to any third party without Cumulus' prior written consent. You agree that you will protect any Confidential Information from unauthorized use, access, or disclosure in the same manner that you would use to protect your own confidential and proprietary information.

a) Disclaimer of Warranties

WE MAKE NO WARRANTIES, EXPRESS OR IMPLIED, GUARANTEES OR CONDITIONS WITH RESPECT TO YOUR USE OF THE Cumulus APIs. YOU UNDERSTAND THAT USE OF THE Cumulus APIs IS AT YOUR OWN RISK AND THAT WE PROVIDE THE Cumulus APIs ON AN "AS IS" BASIS "WITH ALL FAULTS" AND "AS AVAILABLE" TO THE EXTENT PERMITTED UNDER YOUR LOCAL LAW, WE EXCLUDE ANY IMPLIED WARRANTIES, INCLUDING FOR MERCHANTABILITY, SATISFACTORY QUALITY, FITNESS FOR A PARTICULAR PURPOSE, WORKMANLIKE EFFORT, AND NON-INFRINGEMENT. YOU MAY HAVE CERTAIN RIGHTS UNDER YOUR LOCAL LAW. NOTHING IN THESE API TERMS ARE INTENDED TO AFFECT THOSE RIGHTS, IF THEY ARE APPLICABLE. WE DO NOT GUARANTEE THE Cumulus APIs WILL FUNCTION WITHOUT INTERRUPTION OR ERRORS IN FUNCTIONING. IN PARTICULAR, THE OPERATION OF THE Cumulus APIs MAY BE INTERRUPTED DUE TO MAINTENANCE, UPDATES, OR SYSTEM OR NETWORK FAILURES. WE DISCLAIM ALL LIABILITY FOR DAMAGES CAUSED BY ANY SUCH INTERRUPTION, ERRORS IN FUNCTIONING, OR THAT DATA LOSS WILL NOT OCCUR.

b) Limitation of Liability

IF YOU HAVE ANY BASIS FOR RECOVERING DAMAGES (INCLUDING BREACH OF THESE API TERMS), YOU AGREE THAT YOUR EXCLUSIVE REMEDY IS TO RECOVER, FROM Cumulus OR ANY AFFILIATES, RESELLERS, DISTRIBUTORS, SUPPLIERS (AND RESPECTIVE EMPLOYEES, SHAREHOLDERS, OR DIRECTORS) AND VENDORS, ONLY DIRECT DAMAGES UP TO USD $5.00 COLLECTIVELY. YOU CAN'T RECOVER ANY OTHER DAMAGES OR LOSSES, INCLUDING, WITHOUT LIMITATION, DIRECT, CONSEQUENTIAL, LOST PROFITS, SPECIAL, INDIRECT, INCIDENTAL, OR PUNITIVE. These limitations and exclusions apply even if this remedy doesn't fully compensate you for any losses or fails of its essential purpose or if we knew or should have known about the possibility of the damages. To the maximum extent permitted by law, these limitations and exclusions apply to any claims related to these API Terms or your use of the Cumulus APIs.

c) Indemnification

You will defend, hold harmless, and indemnify Cumulus from any claim or action brought by a third party, including all damages, liabilities, costs and expenses, and reasonable attorney fees, to the extent resulting from, alleged to have resulted from, or in connection with your breach of the obligations herein or infringement of Cumulus' or third party's intellectual property.

d) No Injunctive Relief

In no event shall you seek or be entitled to rescission, injunctive or other equitable relief, or to enjoin or restrain the operation of the Cumulus APIs, content or other material used or displayed through the current Cumulus website or successor site.

e) No Third-Party Beneficiaries

There are no third-party beneficiaries to this Agreement.

a) We may suspend or immediately terminate these API Terms, any rights granted herein, and/or your license to the Cumulus APIs, in our sole discretion at any time, for any reason. You may terminate these API Terms at any time by ceasing your access to the Cumulus APIs.

b) Upon termination, all licenses granted herein immediately expire and you must cease use of the Cumulus APIs. You must also comply with Customer's instruction to return or delete any data accessed or obtained through the Cumulus APIs, unless expressly permitted by Cumulus or prohibited by law. Neither party will be liable to the other for any damages resulting solely from termination of these API Terms.

a) Applicable Law

1. United States. If you reside in the United States, Vermont state law governs the interpretation of these API Terms and applies to claims for breach of it, regardless of conflict of laws principles. The laws of the state where you live govern all other claims, including claims under state consumer protection laws, unfair competition laws, and in tort.
2. Outside the United States. If you reside in any other country, the laws of that country apply.

b) Support. Because the Cumulus APIs are provided "as is," we may not provide support services for them. You are solely responsible for the quality of your Application and providing support for your Application.

c) Assignment and Delegation. You may not assign or delegate any rights or obligations under these API Terms, including in connection with a change of control. Any purported assignment and delegation shall be ineffective. We may freely assign or delegate all rights and obligations under these API Terms, fully or partially without notice to you.

d) Reservation of Rights. All rights not expressly granted herein are reserved by Cumulus. You acknowledge that all intellectual property rights within the Cumulus APIs remain the property of Cumulus and nothing within these API Terms will act to transfer any of these intellectual property rights to you.

e) Cumulus and you are independent contractors. Nothing in this Agreement shall be construed as creating an employer-employee relationship, processor-subprocessor relationship, a partnership, or a joint venture between the parties.

f) No Waiver. Either party's failure to act with respect to a breach of these API Terms does not waive either party's right to act with respect to that breach or subsequent similar or other breaches.

g) Survival. Sections of these API Terms that, by their terms, require performance after the termination or expiration of these API Terms will survive, such as, for example, the rights and requirements of section 4. Security.

h) Modifications. We may modify these API Terms at any time with or without individual notice to you. Any modifications will be effective upon your continued use of the Cumulus APIs.

i) Entire Agreement. These API Terms and any documents incorporated into these API Terms by reference, constitute the entire agreement between you and us regarding the Cumulus APIs and supersede all prior agreements and understandings, whether written or oral, or whether established by custom, practice, policy or precedent, with respect to the subject matter of these API Terms. If any provision of these API Terms is found to be illegal, void, or unenforceable, the unenforceable provision will be modified so as to render it enforceable to the maximum extent possible.