1. Services and Deliverables

• Scope: We provide the professional services, deliverables, timelines, acceptance criteria, and fees described in the applicable engagement document. Deliverables may include advisory reports, regulatory strategies, intelligence products, templates, training, dashboards, and other outputs.
• Change Requests: Scope, schedule, and fee changes must be agreed in writing. We will provide reasonable estimates for change requests and will not commence out‑of‑scope work until the parties have agreed terms.
• Standards: Services will be performed with reasonable skill, care, and diligence consistent with professional standards for regulatory consulting in the life sciences sector.

2. Engagement Terms and Fees

• Fees: Fees are specified in the engagement document or proposal. Fees are exclusive of applicable taxes unless otherwise stated.
• Expenses: Client will reimburse reasonable, preapproved expenses incurred in performance of services.
• Invoicing and Payment: We invoice per the engagement document. Unless otherwise agreed, payment is due within 30 days of invoice date. Past due payments accrue interest at the lesser of 1.5% per month or the maximum permitted by law.
• Taxes: Client is responsible for any taxes arising from the engagement, except for taxes based on our net income.
  Suspension for Nonpayment: We may suspend services for overdue payments after providing written notice and a 10‑day cure period.

3. Confidentiality and Data Protection

• Confidential Information: Each party will keep confidential nonpublic information disclosed by the other and will not use or disclose it except as necessary to perform the engagement. Confidential information includes commercial, technical, financial, regulatory, and business information and excludes information that is public, independently developed, or rightfully received from a third party without restriction.
• Permitted Disclosures: Disclosure is permitted to employees, contractors, advisors, and permitted subcontractors who have a need to know and are bound by confidentiality obligations. Disclosure required by law or court order is permitted if prior notice is given when legally available.
• Data Security: We implement administrative, physical, and technical safeguards appropriate to the nature of the data processed to protect confidentiality, integrity, and availability. Controls include role‑based access, encryption where feasible, logging, and contractually binding security obligations for subprocessors.
• HIPAA Compliance: When Novo Compliance will manage Protected Health Information PHI, the parties will execute a Business Associate Agreement that governs permitted uses, disclosures, safeguards, breach notification, and return or destruction of PHI. We process PHI only on the instructions of the covered entity and in compliance with HIPAA and applicable state laws.
• GDPR Compliance: Where Novo Compliance processes personal data of data subjects in the EEA or UK, the parties will execute a Data Processing Agreement describing processing activities, security measures, subcontractor handling, international transfer mechanisms, and liabilities. We will assist Clients acting as controllers to respond to data subject requests and will only process data according to documented instructions.
• CCPA Compliance: For engagements involving California personal information, we will function as a service provider where required and process such information only by the Client’s instructions and the service provider obligations under CCPA/CPRA. We will not sell personal information. We will assist Clients in complying with consumer requests under CCPA/CPRA where feasible and as required by contract.
• Retention: Personal data and confidential client records are retained only for the period necessary to fulfill contractual, legal, and regulatory obligations and then securely deleted or returned, subject to retention schedules agreed in the engagement.

4. Intellectual Property

• Client Materials: Client retains ownership of materials and data it provides to Novo Compliance. Client grants Novo Compliance a nonexclusive, worldwide, royalty‑free license to use Client materials solely to perform the engagement.
• Novo Compliance Deliverables: Subject to Client’s payment of all amounts due, Novo Compliance grants the Client a nonexclusive, nontransferable, fee-based licensing of specific deliverables for the Client’s internal business purposes only in the fields and territories set out in the engagement.
• Preexisting IP and Tools: Novo Compliance retains all rights, title, and interest in and to its preexisting intellectual property, methodologies, models, templates, software, libraries, and know‑how used in delivering services. Unless expressly licensed in writing, nothing in the engagement transfers ownership of Novo Compliance’s preexisting IP to Client.
• Residuals: We may retain and use general knowledge, skills, and non‑identifying lessons learned from the engagement provided no Confidential Information or Client‑identifiable data is disclosed or used.

5. Warranties and Disclaimers

• Mutual Warranties: Each party represents that it has authority to enter the engagement and that performance will not violate applicable laws.
• Service Warranty: Novo Compliance warrants that services will be performed in a professional manner consistent with prevailing industry standards.
• No Further Warranties: Except as expressly provided, services and deliverables are provided “as is” and Novo Compliance disclaims all other warranties, express or implied, including warranties of merchantability, fitness for a particular purpose, and non‑infringement.

6. Limitation of Liability

• Exclusion of Consequential Damages: Neither party will be liable to the other for lost profits, lost revenue, loss of business, loss of data, or any indirect, special, incidental, or consequential damages, even if advised of the possibility of such damages.
• Cap on Liability: Novo Compliance’s aggregate liability for claims arising out of or related to the engagement will not exceed the total fees paid by Client to Novo Compliance under the applicable engagement in the 12 months preceding the claim.
• Exceptions: The foregoing limitations do not apply to liability arising from willful misconduct, gross negligence, breach of confidentiality obligations, violations of data protection laws where statutory caps are not permitted, or indemnification obligations for third‑party claims.

7. Indemnification

• Client Indemnity: Client will indemnify and hold Novo Compliance harmless from third‑party claims arising from Client materials, Client’s breach of representations or unlawful instructions, or Client’s misuse of deliverables.
• Novo Compliance Indemnity: Novo Compliance will indemnify and hold Client harmless from third‑party claims that deliverables provided by Novo Compliance infringe third‑party intellectual property rights, provided Client gives prompt notice, allows us to control defense, and cooperates in defense. Remedies are limited to procuring rights, modifying deliverables to avoid infringement, or refunding fees for the infringing deliverable.
• Indemnity Procedure: The indemnified party will promptly notify the indemnifying party of any claim, provide reasonable cooperation, and permit the indemnifying party to control defense and settlement.

8. Term, Termination, and Consequences

• Term: The engagement commences on the effective date in the engagement document and continues until completion or earlier termination as provided herein.
• Termination for Convenience: Either party may terminate for convenience on 30 days’ written notice if agreed in the engagement or as specified in the engagement document.
• Termination for Cause: Either party may terminate for material breach if the breach remains uncured after 30 days’ written notice, or immediately for insolvency, bankruptcy, or unlawful conduct.
  Effects of Termination: Upon termination Client pays for services performed, reasonable non‑cancelable commitments, and expenses incurred through termination date. We will return or securely delete Client Confidential Information and personal data as instructed, subject to retention obligations and regulatory requirements. Provisions intended to survive termination will survive.

9. Subcontracting and Subprocessors

• Use of Subcontractors: We may engage subcontractors and service providers to perform parts of the services. We remain responsible for their acts defined in the engagement document.
• Subprocessor Controls: For personal data subject to GDPR or similar laws, we will provide a list of subprocessors upon request and will require subprocessors to implement appropriate safeguards and confidentiality obligations.

10. Compliance with Laws and Professional Standards

• Regulatory Compliance: Each party will comply with applicable laws, regulations, and professional rules relevant to the engagement, including export controls, anti‑corruption, and applicable industry standards.
• Sanctions and Restricted Parties: We will not be required to provide services that would cause us to violate applicable sanctions, export control, or restricted party laws.

11. Dispute Resolution and Governing Law

• Governing Law: These Terms and any engagement will be governed by the law identified in the engagement document or, if none is specified, by the laws of the State of California without regard to conflict of law principles.
• Dispute Resolution: Parties will attempt in good faith to resolve disputes through escalation to senior executives. If unresolved within 30 days, disputes will be resolved by binding arbitration under the rules chosen in the engagement document or, if none specified, under the rules of the American Arbitration Association in San Francisco County, California. Arbitration award will be final and binding and may be entered in any court of competent jurisdiction. Injunctive relief to protect Confidential Information may be sought in any competent court.

12. Notices

• Method: Notices under these Terms must be in writing and delivered to the addresses in the engagement document or to the other party’s registered business address or official email. Notices are effective on receipt.
• Privacy and Data Requests: Privacy rights requests, BAA requests, DPA requests, or data subject inquiries should be directed to the Privacy Officer contact information in the engagement document.

13. Miscellaneous Provisions

• Entire Agreement: These Terms together with the applicable engagement document, SOW, DPA, BAA, and any executed appendices constitute the entire agreement between the parties and supersede prior discussions.
• Amendments: Amendments require written agreement signed by authorized representatives. We may update standard terms for future engagements with notice; existing engagements are governed by the terms in effect at their execution unless otherwise agreed.
• Assignment: Client may not assign the engagement documents without Novo Compliance’s prior written consent, except to a successor in connection with a merger or sale of substantially all assets. Novo Compliance may assign to an affiliate or in connection with a business transfer.
• Severability: If any provision is held invalid or unenforceable, the remainder will remain in effect.
  No Waiver: Failure to enforce a provision is not a waiver of rights.
• Publicity: Neither party will issue public statements or press releases concerning the relationship without prior written consent except as required by law; Novo Compliance may include a non‑confidential description of the engagement in marketing materials after Client approval.

14. Execution

• Acceptance: These Terms are accepted by Client upon execution of the engagement document or by Client’s continued use of Novo Compliance services after receipt of these Terms.
• Contact: For contractual, privacy, or legal inquiries contact Novo Compliance at the address and email provided in the engagement document.