Cora

CORA TERMS OF SERVICE

Document Version: TOS-v5.0-2026-05-28 Last Updated: 2026-05-28

IMPORTANT: PLEASE READ THESE TERMS CAREFULLY BEFORE USING CORA. BY CHECKING THE ACCEPTANCE BOX AND CLICKING "ACCEPT," YOU AGREE TO BE BOUND BY THESE TERMS. IF YOU DO NOT AGREE, DO NOT USE THE SERVICE.

This Terms of Service agreement ("Agreement") is entered into between Max Output LLC, a North Carolina limited liability company ("Provider," "we," "us," or "our"), and the entity or individual accessing or using the Cora platform ("Customer," "you," or "your"). This Agreement is informed by industry-standard cloud service agreement frameworks with additional terms specific to AI-powered services and clinical research workflows.

1. DEFINITIONS

"Acceptable Use Policy" or "AUP" means Section 5 of this Agreement, which governs permitted and prohibited uses of the Service.

"AI Output" means any text, data, analysis, citation, or other content generated by the Service in response to a User's query or interaction.

"Authorized Users" means individuals who are employees, contractors, or agents of Customer who have been authorized by Customer to access and use the Service under this Agreement.

"Confidential Information" means any non-public information disclosed by either party to the other in connection with this Agreement that is designated as confidential or that a reasonable person would understand to be confidential given the nature of the information and circumstances of disclosure. For clarity, Confidential Information includes, but is not limited to, uploaded Protocol Documents, AI Outputs, system prompts, RAG architecture, and business terms.

"Customer Data" means all data, content, and information submitted to the Service by or on behalf of Customer, including Protocol Documents, User queries, and account information.

"Effective Date" means the date on which Customer first accepts this Agreement by clicking the acceptance mechanism in the Service.

"Money-Back Guarantee Period" means the initial thirty (30) day period commencing on the Effective Date during which Customer may request a full refund for any reason.

"Protocol Documents" means clinical trial protocols, study documents, and related materials uploaded to the Service by Customer. Protocol Documents may include confidential and proprietary information owned by third parties, including pharmaceutical sponsors.

"Service" means the Cora platform, accessible at https://cora.getmaxoutput.com, including all features, functionality, and AI-powered capabilities provided thereunder.

"Third-Party Confidential Information" means Confidential Information owned by a third party (including pharmaceutical sponsors) that is disclosed to Provider through Customer's use of the Service, including but not limited to Protocol Documents subject to Confidential Disclosure Agreements between Customer and third parties.

2. DESCRIPTION OF SERVICE

2.1 What Cora Is

Cora is an AI-powered study document reference tool. It is a web-based application that allows clinical research site staff to upload clinical trial study documents in PDF format (including protocols, informed consent forms, lab and pharmacy manuals, manuals of procedures, investigator's brochures, safety reporting plans, site SOPs, clarification memos, and related reference materials) and ask natural-language questions about those documents, receiving citation-backed answers generated through Retrieval-Augmented Generation (RAG) technology.

2.2 What Cora Is NOT

THE SERVICE IS NOT A MEDICAL DEVICE. It does not diagnose, treat, cure, prevent, or mitigate any disease or condition. It does not acquire, process, or analyze signals from the human body.

THE SERVICE IS NOT A CLINICAL DECISION SUPPORT (CDS) SYSTEM. It does not recommend treatments, predict patient outcomes, or provide clinical guidance. It is an administrative reference tool that retrieves and presents information already contained in documents uploaded by the Customer.

THE SERVICE IS NOT A SOURCE OF MEDICAL ADVICE. Every response generated by the Service includes a disclaimer stating this explicitly.

THE SERVICE IS NOT DESIGNED TO PROCESS PROTECTED HEALTH INFORMATION (PHI). The Service processes study design documents (procedures, eligibility criteria, dosing schedules), not patient data. See Section 5.3 for PHI restrictions.

THE SERVICE IS NOT GUARANTEED TO BE 100% ACCURATE. AI-generated outputs may contain errors. See Section 4 for complete AI disclaimers.

3. ACCOUNT REGISTRATION AND ACCESS

3.1 Account Creation

To access the Service, Customer must create an account by providing a valid email address and completing email verification via one-time password (OTP). Customer is responsible for maintaining the accuracy of account information.

3.2 Account Security

Customer is responsible for all activity that occurs under its account. Customer must immediately notify Provider at founders@maxoutput.ai if Customer becomes aware of any unauthorized access to or use of the Service.

3.3 Authorized Users

Customer may permit Authorized Users to access the Service under Customer's account. Customer is responsible for the acts and omissions of all Authorized Users and must ensure that all Authorized Users comply with this Agreement, including the Acceptable Use Policy.

3.4 Access Suspension

Provider may immediately suspend Customer's access to the Service if Provider reasonably determines that Customer or any Authorized User has violated the Acceptable Use Policy (Section 5), particularly regarding the upload of Protected Health Information or unauthorized third-party documents. Provider will use commercially reasonable efforts to provide notice before or promptly after any suspension.

4. AI-SPECIFIC TERMS

4.1 Nature of AI Outputs

The Service utilizes artificial intelligence and machine learning technologies, including Large Language Models (LLMs) and Retrieval-Augmented Generation (RAG), to generate responses to Customer queries. Due to the inherent probabilistic nature of these technologies, AI Outputs may be inaccurate, incomplete, misleading, or contain errors (commonly referred to as "hallucinations"). Provider makes no representations or warranties, express or implied, regarding the accuracy, reliability, completeness, or factual correctness of AI Outputs.

AI OUTPUTS ARE PROVIDED "AS IS" AND MUST NOT BE RELIED UPON AS ABSOLUTE STATEMENTS OF FACT.

4.2 Output Verification Responsibility (Human-in-the-Loop)

THE SERVICE IS AN ADMINISTRATIVE REFERENCE TOOL AND IS NOT A SUBSTITUTE FOR PROFESSIONAL HUMAN OVERSIGHT, CLINICAL JUDGMENT, OR ADHERENCE TO REGULATORY COMPLIANCE PROTOCOLS.

Customer and its Authorized Users maintain absolute responsibility for independently reviewing, verifying, and validating all AI Outputs against the original, approved source documents (including sponsor-provided clinical trial protocols) before utilizing or relying upon such AI Outputs for any operational, administrative, or clinical purpose.

Any reliance on unverified AI Outputs for clinical trial operations constitutes a material breach of this Agreement. Customer acknowledges that Provider bears no liability for outcomes resulting from reliance on unverified AI Outputs.

4.3 Confidence Scoring and Warnings

The Service assigns confidence levels (HIGH, MEDIUM, or LOW) to AI Outputs. When confidence is LOW, the Service displays a visible warning and recommends verification with the Principal Investigator. The presence of a HIGH or MEDIUM confidence score does not constitute a guarantee of accuracy. All AI Outputs, regardless of confidence level, must be verified against source documents.

4.4 No Model Training on Customer Data

Provider expressly agrees that it shall not use Customer Data — including uploaded Protocol Documents, User queries, chat histories, or AI Outputs — to train, fine-tune, or iteratively improve any foundational large language models, neural networks, or machine learning algorithms.

Customer Data processed through the Service's AI infrastructure (AWS Bedrock) is not used by the infrastructure provider (Amazon Web Services) to train or improve AI models. Protocol text transmitted for AI processing is not retained by the AI infrastructure provider after the response is generated.

4.5 Third-Party AI Infrastructure

The Service utilizes AWS Bedrock (provided by Amazon Web Services) as its AI infrastructure provider for language model inference and embedding generation. Customer acknowledges that Customer Data is transmitted to AWS Bedrock for processing and that such processing is subject to AWS's service terms. Customer's use of the Service must also comply with the acceptable use policies of underlying infrastructure providers; violations of such policies constitute a breach of this Agreement. Provider has selected AWS Bedrock specifically because it does not use customer content for model training under its standard terms of service.

4.6 Accuracy Disclaimer

An accuracy disclaimer is displayed in the Service at all times: "Cora is an AI assistant. All responses should be verified against source documents before making clinical decisions." This disclaimer is a material term of this Agreement and reflects the operational reality of AI-generated content.

4.7 Document Type Categorization

The Service requires Customer to select a document type classification (e.g., "Protocol," "Informed Consent Form," "Investigator's Brochure") at the time of upload. Customer is solely responsible for selecting the correct document type for each uploaded document. The Service's retrieval accuracy, citation quality, and AI Output reliability are contingent upon correct document categorization, as the document type informs how the Service indexes, chunks, and retrieves content.

PROVIDER IS NOT LIABLE FOR INACCURATE, INCOMPLETE, OR MISLEADING AI OUTPUTS THAT RESULT, IN WHOLE OR IN PART, FROM DOCUMENTS UPLOADED UNDER AN INCORRECT DOCUMENT TYPE CLASSIFICATION. Customer acknowledges that incorrect categorization may cause the Service to apply inappropriate parsing logic, retrieval weighting, or contextual assumptions, any of which may degrade the accuracy of AI Outputs.

Customer's obligation under Section 4.2 (Output Verification Responsibility) applies regardless of whether a document was correctly categorized. Correct categorization does not guarantee the accuracy of AI Outputs.

5. ACCEPTABLE USE POLICY

5.1 Permitted Uses

Customer may use the Service solely for the following purposes:

  • Uploading clinical trial protocol documents in PDF format
  • Querying uploaded protocols using the Service's natural-language interface
  • Reviewing, exporting, and sharing AI Outputs with Customer's site personnel and Principal Investigators
  • Providing feedback on AI Output quality
  • Other internal, administrative reference purposes related to clinical trial operations

5.2 Prohibited Uses

Customer and its Authorized Users shall NOT:

(a) Use the Service to make clinical decisions regarding patient care, treatment, diagnosis, or trial eligibility without independently verifying AI Outputs against source documents;

(b) Upload, transmit, or enter Protected Health Information (PHI) into the Service (see Section 5.3);

(c) Upload documents for which Customer does not possess the necessary rights, licenses, permissions, or authorizations, including documents that would violate any existing Confidential Disclosure Agreement, non-disclosure agreement, or sponsor mandate;

(d) Use the Service to build a competitive product, perform competitive benchmarking, or reverse-engineer, decompile, or disassemble any aspect of the Service, including its AI architecture, system prompts, or RAG pipeline;

(e) Attempt to extract, reconstruct, or reverse-engineer the Service's system prompts, proprietary algorithms, or prompt engineering techniques;

(f) Circumvent, disable, or interfere with the Service's security features, including PII/PHI detection filters;

(g) Use the Service in any manner that violates applicable federal, state, or local laws or regulations;

(h) Share login credentials or permit unauthorized individuals to access the Service;

(i) Use the Service to generate content that is defamatory, fraudulent, or in violation of third-party intellectual property rights;

(j) Misrepresent AI Outputs as having been independently verified when they have not been;

(k) Use automated scripts, robots, scrapers, headless browsers, or other automated means to access the Service, mirror its content, harvest its outputs in bulk, or generate load patterns inconsistent with ordinary human use, except for (i) Customer's own internal monitoring of its account usage and (ii) good-faith security research conducted with Provider's prior written authorization;

(l) Exceed reasonable rate limits applied by the Service. The Service applies per-account and per-organization rate limits to API endpoints, document uploads, and query volume. Current rate limits are enforced via runtime controls (HTTP 429 responses) and may be adjusted by Provider in response to changing operational conditions. Sustained exceedance of rate limits after a written or in-product warning constitutes a material breach of this Section.

5.3 Absolute Prohibition on Protected Health Information

THE SERVICE IS NOT DESIGNED, INTENDED, OR AUTHORIZED FOR THE STORAGE, PROCESSING, OR TRANSMISSION OF PROTECTED HEALTH INFORMATION (PHI) AS DEFINED BY THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA). CUSTOMER AND ITS AUTHORIZED USERS ARE STRICTLY PROHIBITED FROM ENTERING, UPLOADING, OR TRANSMITTING ANY PHI, PERSONALLY IDENTIFIABLE PATIENT INFORMATION, OR PATIENT-SPECIFIC HEALTH DATA INTO THE SERVICE.

The Service implements automated detection filters designed to identify and block queries containing patient identifiers (including names, Social Security numbers, medical record numbers, dates of birth, addresses, phone numbers, and email addresses). These filters are provided on a "best-efforts" basis and are not guaranteed to be error-free, comprehensive, or infallible. The existence of these preventative measures does not relieve Customer of its absolute and primary obligation to refrain from inputting PHI into the Service.

Business Associate Agreement (BAA) — Not Required. Because the Service is architected so that PHI is not introduced into Customer Data under normal use, Provider does not, as a matter of standard policy, enter into Business Associate Agreements with Customer under 45 CFR 164.504(e). Customers requesting a BAA as a condition of subscription should understand that the Service's architecture, Acceptable Use Policy, and PHI detection controls are designed to make a BAA unnecessary. If after reviewing the architecture Customer's compliance team still requires a signed BAA as a procurement gate, Customer should contact founders@maxoutput.ai to discuss whether a limited-scope BAA is feasible given Provider's then-current subprocessor coverage; Provider makes no representation that such a BAA will be available, and providing one may require Provider to first execute back-to-back BAAs with one or more sub-processors at additional cost.

5.4 User Warranty Regarding Upload Rights

By uploading any document to the Service, Customer represents and warrants that:

(a) Customer possesses all necessary licenses, permissions, and authorizations required to upload such document into the Service and to have it processed by the Service's AI infrastructure, including transmission to third-party sub-processors;

(b) Such upload does not violate any existing Confidential Disclosure Agreement (CDA), non-disclosure agreement, sponsor mandate, or other contractual obligation binding Customer;

(c) Customer has determined, in its sole judgment, that the use of the Service is consistent with Customer's obligations to the owners of the uploaded documents (including pharmaceutical sponsors);

(d) Customer acknowledges that it is solely responsible for ensuring that the use of the Service complies with all applicable institutional confidentiality policies and sponsor requirements.

5.5 Waiver of Privilege Warning

Customer acknowledges that uploading privileged or confidential information into any cloud-based AI service may, under certain circumstances, constitute a waiver of confidentiality privilege under applicable law. Customer is solely responsible for evaluating and accepting this risk with respect to any documents uploaded to the Service.

6. INTELLECTUAL PROPERTY

6.1 Customer Data

Customer retains all right, title, and interest in and to Customer Data, including uploaded Protocol Documents. Provider acquires no ownership rights in Customer Data by virtue of this Agreement.

6.2 AI Outputs

To the extent permitted by applicable law, Provider assigns to Customer all available right, title, and interest in AI Outputs generated specifically in response to Customer's queries. Customer acknowledges that: (a) AI Outputs are generated using third-party AI models and may not be eligible for copyright protection under current United States law; (b) AI Outputs may be similar or identical to outputs generated for other customers using different source documents; and (c) Provider makes no warranty against third-party infringement claims based on AI-generated text.

6.3 Provider Intellectual Property

Customer acknowledges that the Service, including its software, algorithms, RAG pipeline architecture, system prompts, user interface, and documentation, is the proprietary intellectual property of Provider. Nothing in this Agreement grants Customer any right, title, or interest in the Service beyond the limited access rights expressly set forth herein.

7. FEES AND PAYMENT

7.1 Money-Back Guarantee Period

During the Money-Back Guarantee Period (the first thirty (30) days from the Effective Date), Customer may request a full refund for any reason. No justification is required. If Customer requests a refund during the Money-Back Guarantee Period, Provider will process the refund and terminate this Agreement.

7.2 Extended Guarantee (90-Day Conditional)

If, within ninety (90) days of the Effective Date, Customer has (a) uploaded at least one (1) protocol PDF to the Service and (b) run at least ten (10) substantive queries, and the Service has not saved Customer's coordinators meaningful time, Customer may request a refund of the first year's fees. This guarantee is anchored to coordinator time savings and does not constitute a guarantee of clinical accuracy, regulatory compliance, or audit outcomes.

7.3 Pricing

The Service is billed annually at $300 per active study bundle per year. Payment is collected at the time of account creation. There is no free trial period.

7.4 Protocol Definitions (for Billing Purposes)

For purposes of billing:

(a) Protocol. A "Protocol" means one active clinical study. A single Protocol slot includes the original protocol document and up to five (5) amendments to that same study. Amendments to the same study do not constitute separate Protocols.

(b) Active Protocol. A Protocol is considered "active" for billing purposes if it has been uploaded to or queried within the current billing period.

(c) Fair Usage. The Service enforces included Protocol limits via soft notification, not hard lockout. If Customer exceeds the included number of Protocols in a billing period, Provider will notify Customer and apply per-Protocol overage fees as set forth in the applicable pricing terms. The Service will not restrict access to Protocols during active clinical operations.

7.5 Taxes

All fees are exclusive of applicable taxes. Customer is responsible for all taxes, duties, and governmental assessments arising from this Agreement, excluding taxes based on Provider's net income.

7.6 Beta, Preview, and Experimental Features

Provider may, from time to time, make available features identified as "beta," "preview," "experimental," "labs," or similar designations ("Beta Features"). Beta Features are provided AS-IS for evaluation purposes only and are excluded from the availability targets in Section 8.5, the security incident notification timelines in Section 8.6, the Service Level Agreement obligations elsewhere in this Agreement, and any pricing commitments. Provider may modify, suspend, or discontinue any Beta Feature at any time without notice and without liability to Customer. Customer's use of any Beta Feature is voluntary. Customer acknowledges that Beta Features may have unresolved defects, may produce inaccurate or incomplete outputs, and should not be relied upon for production clinical research operations.

8. DATA HANDLING AND SECURITY

8.1 Data Security

Provider implements and maintains commercially reasonable administrative, technical, and physical safeguards to protect Customer Data, including:

(a) Encryption of data in transit using Transport Layer Security (TLS);

(b) Encryption of data at rest using AES-256 encryption;

(c) Multi-tenant data isolation using PostgreSQL row-level security (RLS) policies, ensuring that Customer's data is logically isolated from and inaccessible to other customers;

(d) Audit logging of all queries, responses, confidence scores, and response times;

(e) Rate limiting on API endpoints to prevent abuse;

(f) Security headers (X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Cache-Control: no-store).

8.2 Data Location

All Customer Data is stored and processed on infrastructure located within the United States.

8.3 Privacy Policy

Provider's collection, use, and disclosure of personal information is governed by the Privacy Policy available at https://cora.getmaxoutput.com/privacy. The Privacy Policy is incorporated into this Agreement by reference.

8.4 Data Deletion

Upon termination of this Agreement or upon Customer's written request, Provider will permanently delete Customer's Protocol Documents, associated text chunks, vector embeddings, chat session history, and account information within thirty (30) days. Audit logs may be retained in anonymized form (with user identifiers removed) as described in the Privacy Policy. Upon Customer's request, Provider will issue a written Certificate of Destruction confirming that all primary records have been purged from production systems.

8.5 Service Availability

Provider targets a monthly Service availability of ninety-nine and five-tenths percent (99.5%), measured as the percentage of minutes in a calendar month during which the Service's primary HTTP endpoints respond to authenticated requests with a non-error status. Excluded from availability calculations are: (a) scheduled maintenance windows announced at least seventy-two (72) hours in advance; (b) emergency security patches applied to mitigate active threats; (c) unavailability caused by Customer's misuse of the Service or by Customer-side network conditions; (d) unavailability caused by force majeure events under Section 15.7; and (e) outages attributable to underlying infrastructure providers (AWS, Supabase, Railway, Vercel) where Provider is using such providers in accordance with their published service terms. Provider does not offer monetary service credits for availability shortfalls during the Money-Back Guarantee Period. Sustained availability shortfalls (defined as actual monthly availability below 99.0% in any given calendar month) entitle Customer to a pro-rated credit against the affected month's fees, calculated as one (1) day of fees per full hour of shortfall below the 99.5% target, capped at thirty percent (30%) of the affected month's fees. Service credits are Customer's sole and exclusive remedy for availability shortfalls.

8.6 Security Incident Notification

Provider will notify Customer's designated administrators by email within seventy-two (72) hours of Provider's confirmation of a Security Incident affecting Customer Data. A "Security Incident" means any confirmed unauthorized access to, disclosure of, alteration of, or destruction of Customer Data stored or processed by the Service. Notification will include: (a) a description of the nature of the Security Incident; (b) the categories and approximate volume of Customer Data affected; (c) the steps Provider has taken or is taking to contain and remediate the Security Incident; and (d) contact information for further inquiries. Provider will continue to provide updates as material new information becomes available and will cooperate in good faith with Customer's reasonable requests for additional information. Provider's notification obligations under this Section are independent of, and do not waive, Customer's own notification obligations under applicable law.

8.7 Insurance

Provider acknowledges that as an early-stage company Provider does not currently maintain dedicated cyber liability or technology errors and omissions insurance. Provider commits to obtaining commercially reasonable cyber liability and technology errors and omissions insurance policies appropriate for Provider's scale and risk profile prior to onboarding any Customer that contractually requires such coverage as a condition of service. Customers requiring evidence of insurance prior to or as a condition of subscription should contact founders@maxoutput.ai before completing onboarding so Provider can scope appropriate coverage. Provider will provide a certificate of insurance upon written request once coverage is in place.

8.8 Audit Cooperation and Certifications

Provider does not currently hold a SOC 2 Type II, ISO 27001, or HITRUST certification under its own name. Provider's sub-processors (as identified in the Privacy Policy and the Subprocessors page) hold their own current certifications, including AWS (SOC 2 Type II, ISO 27001, HIPAA eligible), Supabase (SOC 2 Type II, HIPAA ready), Vercel (SOC 2 Type II), and Stripe (PCI DSS Level 1, SOC 2 Type II, ISO 27001). Upon written request and under a mutual non-disclosure agreement, Provider will share: (a) summaries or third-party certification letters of the sub-processors named above; (b) Provider's most recent self-attested security questionnaire response (Standardized Information Gathering / SIG Lite or equivalent); and (c) reasonable written responses to Customer's risk-assessment questions. Provider does not consent to on-site audits by Customer or its agents during the early-stage period, but will participate in good-faith documentary audit cooperation as described above.

8.9 Sub-Processor Changes

Provider will notify Customer's designated administrators by email at least fourteen (14) days prior to any material change to the sub-processors that handle Customer Data, including: (a) addition of a new sub-processor that will receive Customer Data; (b) replacement of an existing sub-processor with a different vendor performing the same function; (c) material expansion of an existing sub-processor's data access scope. The current sub-processor list is maintained at the Subprocessors page. Customer's continued use of the Service after the effective date of any sub-processor change constitutes acceptance of the change. Customer's exclusive remedy in the event of an unacceptable sub-processor change is to terminate the Agreement under Section 13 with no further fees owed for unused service. The Privacy Policy Section 16 (Changes to This Policy) governs the broader notification process for material privacy changes; this Section 8.9 is the more specific commitment for sub-processor changes affecting Customer Data.

8.10 Sub-Processor Contractual Obligations

Provider commits that each sub-processor receiving Customer Data is bound by written agreements (including the sub-processor's standard terms of service accepted by Provider) imposing confidentiality and security obligations no less protective than those in this Agreement. Provider remains responsible for the acts and omissions of its sub-processors with respect to the processing of Customer Data, except where the sub-processor is acting outside the scope of Provider's instructions and the sub-processor is independently liable to Customer.

9. CONFIDENTIALITY

9.1 Mutual Obligations

Each party agrees to hold the other party's Confidential Information in strict confidence using no less than a reasonable degree of care, and in no event less than the degree of care used to protect its own confidential information of a similar nature. Neither party shall disclose the other party's Confidential Information to any third party except as expressly permitted by this Agreement.

9.2 Third-Party Confidential Information

Provider acknowledges that Protocol Documents may contain confidential and proprietary information owned by third parties, including pharmaceutical sponsors, and subject to Confidential Disclosure Agreements between Customer and such third parties ("Sponsor CDAs"). Provider agrees to protect such Third-Party Confidential Information with the same degree of care as Customer's own Confidential Information. Provider's sub-processors (as identified in the Privacy Policy) are bound by written agreements imposing equivalent confidentiality obligations.

9.3 Permitted Disclosures

A party may disclose the other party's Confidential Information: (a) to its employees, contractors, and agents who have a need to know and are bound by confidentiality obligations at least as restrictive as those in this Agreement; (b) as required by applicable law, regulation, or valid legal process, provided that the disclosing party gives reasonable prior notice to the other party (to the extent permitted by law).

9.4 Exclusions

Confidential Information does not include information that: (a) is or becomes publicly available through no fault of the receiving party; (b) was rightfully known by the receiving party prior to disclosure; (c) is independently developed by the receiving party without use of or reference to the disclosing party's Confidential Information; or (d) is rightfully received from a third party without restriction.

9.5 Survival of Confidentiality Obligations

Confidentiality obligations under this Section shall survive for a period of five (5) years from the date of disclosure of the applicable Confidential Information, except that obligations relating to trade secrets (including Protocol Documents designated as trade secrets by their owners) shall survive for as long as the information remains a trade secret under applicable law.

10. MEDICAL AND REGULATORY DISCLAIMER

10.1 Not a Medical Device

THE SERVICE IS NOT A MEDICAL DEVICE AS DEFINED UNDER THE FEDERAL FOOD, DRUG, AND COSMETIC ACT OR FDA REGULATIONS. THE SERVICE DOES NOT DIAGNOSE, TREAT, CURE, PREVENT, OR MITIGATE ANY DISEASE OR CONDITION. THE SERVICE DOES NOT ACQUIRE, PROCESS, OR ANALYZE SIGNALS FROM THE HUMAN BODY.

10.2 Not Clinical Decision Support

THE SERVICE IS NOT A CLINICAL DECISION SUPPORT (CDS) SYSTEM AS DEFINED UNDER SECTION 520(o)(1)(E) OF THE FEDERAL FOOD, DRUG, AND COSMETIC ACT (AS ADDED BY SECTION 3060(a) OF THE 21ST CENTURY CURES ACT). THE SERVICE IS AN ADMINISTRATIVE REFERENCE TOOL THAT RETRIEVES AND PRESENTS INFORMATION ALREADY CONTAINED IN DOCUMENTS UPLOADED BY THE CUSTOMER. THE SERVICE DOES NOT RECOMMEND TREATMENTS, PREDICT PATIENT OUTCOMES, ALTER CLINICAL WORKFLOWS, OR REPLACE THE INDEPENDENT PROFESSIONAL JUDGMENT OF HEALTHCARE PROVIDERS OR CLINICAL RESEARCH PROFESSIONALS.

10.3 Not a Substitute for Professional Judgment

THE SERVICE SUPPLEMENTS, BUT DOES NOT REPLACE, THE CUSTOMER'S OBLIGATION TO READ, UNDERSTAND, AND COMPLY WITH CLINICAL TRIAL PROTOCOLS, APPLICABLE REGULATIONS, AND INSTITUTIONAL POLICIES. ALL AI OUTPUTS MUST BE INDEPENDENTLY VERIFIED AGAINST ORIGINAL SOURCE DOCUMENTS BEFORE BEING USED IN ANY CLINICAL TRIAL CONTEXT.

10.4 Regulatory Compliance

Customer is solely responsible for ensuring that its use of the Service complies with all applicable laws, regulations, and institutional policies, including but not limited to FDA regulations, Good Clinical Practice (GCP) guidelines, and sponsor requirements.

11. LIMITATION OF LIABILITY

11.1 Cap on Liability

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, PROVIDER'S TOTAL AGGREGATE LIABILITY ARISING OUT OF OR RELATED TO THIS AGREEMENT SHALL NOT EXCEED THE TOTAL AMOUNT OF FEES ACTUALLY PAID BY CUSTOMER TO PROVIDER DURING THE TWELVE (12) MONTH PERIOD IMMEDIATELY PRECEDING THE CLAIM.

Carve-Outs. Notwithstanding the foregoing, the liability cap set forth above does not apply to:

(a) Provider's gross negligence or willful misconduct;

(b) Provider's material breach of Section 8 (Data Handling and Security) or Section 9 (Confidentiality);

(c) Provider's indemnification obligations, if any, for third-party intellectual property infringement claims arising from Provider's proprietary Service technology (excluding AI Outputs, which are governed by Section 6.2);

(d) Any amounts owed under any Data Processing Agreement, Business Associate Agreement, or similar instrument executed between the parties that expressly provides for separate liability terms.

The carve-outs in (a)-(d) are not intended to create new obligations beyond those otherwise set forth in this Agreement; they remove only the Section 11.1 cap with respect to those obligations.

11.2 Exclusion of Damages

IN NO EVENT SHALL PROVIDER BE LIABLE FOR ANY INDIRECT, INCIDENTAL, CONSEQUENTIAL, SPECIAL, EXEMPLARY, OR PUNITIVE DAMAGES, INCLUDING BUT NOT LIMITED TO: LOSS OF PROFITS OR REVENUE; BUSINESS INTERRUPTION; LOSS OF DATA OR CORRUPTION OF DATA; REGULATORY FINES OR PENALTIES; CLINICAL TRIAL DATA LOSS, CORRUPTION, OR INVALIDATION; PROTOCOL DEVIATIONS ARISING FROM RELIANCE ON AI OUTPUTS; OR COST OF PROCUREMENT OF SUBSTITUTE SERVICES, REGARDLESS OF THE THEORY OF LIABILITY (CONTRACT, TORT, STRICT LIABILITY, OR OTHERWISE) AND EVEN IF PROVIDER HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

11.3 Basis of the Bargain

Customer acknowledges that Provider has set its fees and entered into this Agreement in reliance upon the limitations of liability and disclaimers set forth herein, and that the same form an essential basis of the bargain between the parties.

12. INDEMNIFICATION

12.1 Customer Indemnification

Customer shall indemnify, defend, and hold harmless Provider and its officers, directors, employees, and agents from and against any and all claims, damages, losses, liabilities, costs, and expenses (including reasonable attorneys' fees) arising from or related to:

(a) Customer's or any Authorized User's violation of the Acceptable Use Policy, including but not limited to the entry of Protected Health Information into the Service;

(b) Customer's or any Authorized User's upload of documents in violation of any Confidential Disclosure Agreement, non-disclosure agreement, or other contractual obligation with third parties, including pharmaceutical sponsors;

(c) Customer's or any Authorized User's reliance on AI Outputs without independent verification against original source documents;

(d) Any claim by a third party (including pharmaceutical sponsors) arising from Customer's use of the Service in connection with such third party's confidential or proprietary information;

(e) Customer's violation of any applicable law or regulation in connection with its use of the Service.

12.2 Indemnification Cap and Carve-Outs

Cap. Customer's indemnification obligations under Section 12.1 are subject to a cap equal to three (3) times the total annual fees paid by Customer to Provider during the twelve (12) months immediately preceding the claim. For purposes of this Section 12.2, "annual fees" means the aggregate fees due under the then-current order form or pricing schedule for one (1) full year, regardless of billing cadence.

Uncapped Carve-Outs. The cap set forth above does not apply, and Customer's indemnification obligations are unlimited, with respect to:

(a) Customer's willful misconduct;

(b) Customer's repeated or systematic violations of the Acceptable Use Policy following written notice from Provider;

(c) Customer's fraudulent misrepresentation in connection with this Agreement;

(d) Customer's deliberate or repeated upload of Protected Health Information into the Service after Provider has notified Customer of one or more prior PHI-upload events.

Relationship to Section 11. This Section 12.2 supersedes the limitation of liability in Section 11.1 with respect to Customer's indemnification obligations under Section 12.1; Customer's indemnification obligations are capped only as set forth in this Section 12.2.

13. TERM AND TERMINATION

13.1 Term

This Agreement commences on the Effective Date and continues on an annual basis under the then-current pricing terms until terminated by either party. During the Money-Back Guarantee Period (the first thirty (30) days), Customer may terminate by requesting a full refund under Section 7.1.

13.2 Termination for Convenience

Either party may terminate this Agreement at the end of any annual period by providing written notice at least fifteen (15) days prior to the end of the then-current period.

13.3 Termination for Breach

Either party may terminate this Agreement immediately upon written notice if the other party materially breaches this Agreement and fails to cure such breach within fifteen (15) days after receiving written notice of the breach. Notwithstanding the foregoing, Provider may terminate this Agreement immediately, without a cure period, upon any violation of the Acceptable Use Policy (Section 5).

13.4 Effect of Termination

Upon termination: (a) Customer's access to the Service will cease; (b) Provider will delete Customer Data in accordance with Section 8.4; (c) Sections 4 (AI-Specific Terms), 5.3 (PHI Prohibition), 6 (Intellectual Property), 9 (Confidentiality), 10 (Medical and Regulatory Disclaimer), 11 (Limitation of Liability), 12 (Indemnification), and 14 (Governing Law) shall survive termination.

14. GOVERNING LAW AND DISPUTE RESOLUTION

14.1 Governing Law

This Agreement is governed by and construed in accordance with the laws of the State of North Carolina, without regard to its conflict of laws principles.

14.2 Venue

Any legal action or proceeding arising under this Agreement shall be brought exclusively in the state or federal courts located in Mecklenburg County, North Carolina, and the parties consent to the personal jurisdiction and venue of such courts.

15. GENERAL PROVISIONS

15.1 Entire Agreement

This Agreement, together with the Privacy Policy and any order forms or invoices, constitutes the entire agreement between the parties with respect to the subject matter hereof and supersedes all prior and contemporaneous agreements, proposals, and communications, whether oral or written.

15.2 Amendments

Provider may update these Terms by posting a revised version on the Service. Material changes will be communicated to Customer via the email address associated with Customer's account at least thirty (30) days prior to the effective date of the change. Customer's continued use of the Service after the effective date of any change constitutes acceptance of the updated Terms. If Customer does not agree to the updated Terms, Customer must stop using the Service and may terminate this Agreement.

15.3 Severability

If any provision of this Agreement is held to be invalid, illegal, or unenforceable, the remaining provisions shall continue in full force and effect.

15.4 Waiver

The failure of either party to enforce any right or provision of this Agreement shall not be deemed a waiver of such right or provision.

15.5 Assignment and Change of Control

Customer may not assign this Agreement without Provider's prior written consent, except that Customer may assign this Agreement, upon prior written notice to Provider, to a successor entity in connection with a merger, acquisition, reorganization, or sale of all or substantially all of Customer's assets, provided the successor entity expressly agrees in writing to be bound by all of the obligations herein. Provider may assign this Agreement in connection with a merger, acquisition, reorganization, or sale of all or substantially all of its assets, in which case Provider will notify Customer's designated administrators by email within thirty (30) days of the change of control and the successor entity will be bound by all of the obligations herein, including those pertaining to Customer Data handling and PHI prohibition. In the event of a Provider change of control that materially diminishes the protections in Section 8 (Data Handling and Security) or that transfers Customer Data to a successor entity outside the United States without Customer's consent, Customer may terminate this Agreement under Section 13 with a pro-rated refund of any prepaid fees for unused service.

15.6 Notices

All notices under this Agreement shall be in writing and sent to the email addresses associated with each party's account. Notices to Provider shall be sent to: founders@maxoutput.ai. Notices are deemed received on the business day following transmission.

15.7 Force Majeure

Neither party shall be liable for any failure or delay in performing its obligations under this Agreement due to circumstances beyond its reasonable control, including but not limited to acts of God, natural disasters, pandemic, government actions, internet or telecommunications failures, or third-party service provider outages.

15.8 AI Disclosure

Customer acknowledges that the Service is powered by generative artificial intelligence technology. All responses generated by the Service are machine-generated and should be treated as AI-assisted outputs requiring human verification.