Confidentiality & Intellectual Property Agreement
Effective Date: February 2026
Document Version: 1.0
1. Purpose & Parties
This Confidentiality & Intellectual Property Agreement ("Agreement") is entered into by and between Rymeda, Inc. ("Rymeda," "Disclosing Party") and the party accessing, receiving, or otherwise exposed to Rymeda's Confidential Information ("Receiving Party," "you"). The Receiving Party may include, but is not limited to, customers, contractors, consultants, partners, vendors, employees, prospective investors, and any other individual or entity granted access to Confidential Information.
The purpose of this Agreement is to protect the confidentiality and proprietary nature of Rymeda's Confidential Information and Intellectual Property, establish the ownership rights in Work Product and Rymeda IP, and define the obligations of the Receiving Party with respect to the handling, use, and return of Confidential Information.
This Agreement supplements and is in addition to any obligations of confidentiality arising under the Terms of Service, Business Associate Agreement, Data Processing Agreement, or any other agreement between the parties.
2. Definitions
"Confidential Information"
Any and all non-public information, in any form or medium (written, oral, electronic, visual, or otherwise), that is disclosed by Rymeda to the Receiving Party, or to which the Receiving Party obtains access in connection with the Receiving Party's relationship with Rymeda, that is designated as confidential or proprietary, or that a reasonable person would understand to be confidential given the nature of the information and the circumstances of disclosure. Confidential Information includes, without limitation, the categories described in Section 3.
"Intellectual Property"
All patents, patent applications, trademarks, service marks, trade names, domain names, copyrights, trade secrets, know-how, inventions, algorithms, software, source code, object code, designs, specifications, documentation, databases, and all other intellectual property rights, whether registered or unregistered, and all applications and rights to apply for any of the foregoing.
"Trade Secrets"
Information that derives independent economic value from not being generally known to, and not being readily ascertainable through proper means by, other persons who can obtain economic value from its disclosure or use, and that is the subject of efforts that are reasonable under the circumstances to maintain its secrecy, as defined under the Defend Trade Secrets Act (18 U.S.C. §1836) and the California Uniform Trade Secrets Act (Cal. Civ. Code §3426).
"Work Product"
All inventions, discoveries, improvements, works of authorship, designs, software, documentation, data, analyses, reports, and other materials created, conceived, developed, or reduced to practice by the Receiving Party, alone or jointly with others, during the term of the Receiving Party's engagement with Rymeda and in connection with, related to, or arising from such engagement.
"Rymeda IP"
All Intellectual Property owned by or licensed to Rymeda, Inc., including but not limited to: the Rymeda platform (frontend and backend), the ORIS Clinical AI system, all source code, algorithms, data models, system architecture, API designs, user interface designs, documentation, training materials, the Rymeda name, logo, and all associated trademarks and service marks.
3. Scope of Confidential Information
Confidential Information includes, without limitation, the following categories:
3.1 Technical Information
- Source code, object code, and compiled binaries of the Rymeda platform and all related applications.
- Software architecture, system designs, data models, database schemas, and API specifications.
- Algorithms, machine learning models, training methodologies, and model weights used in ORIS Clinical AI and AI-assisted documentation.
- Infrastructure configurations, deployment pipelines, DevOps tooling, and cloud architecture diagrams.
- Technical roadmaps, product specifications, feature designs, and unreleased functionality.
- Performance benchmarks, testing methodologies, and quality assurance processes.
3.2 Business Information
- Business strategies, plans, forecasts, and projections.
- Financial information, including revenue, costs, margins, pricing models, and investor materials.
- Customer lists, customer data, customer contracts, and customer relationship information.
- Vendor and supplier agreements, pricing, and terms.
- Marketing strategies, sales pipelines, and partnership discussions.
- Employee compensation, organizational structure, and human resources data.
3.3 Clinical Information
- Protected Health Information (PHI) and electronic Protected Health Information (ePHI) as defined under HIPAA.
- Patient data, clinical records, medical reports, and care plans processed by the platform.
- Clinical AI models, clinical validation data, and clinical decision support algorithms.
- Voice recordings, transcriptions, and AI-generated clinical documentation.
- De-identified and aggregated clinical data sets and analytics.
3.4 Operational Information
- Security configurations, access controls, firewall rules, and intrusion detection/prevention systems.
- Infrastructure details, server configurations, network topologies, and disaster recovery procedures.
- Encryption keys, API keys, authentication tokens, credentials, and secrets.
- Audit logs, monitoring data, incident reports, and vulnerability assessments.
- Compliance documentation, audit findings, and regulatory correspondence.
HIPAA-Protected Information: Any PHI or ePHI to which the Receiving Party gains access is subject to the additional protections of the Business Associate Agreement and all applicable HIPAA regulations (45 CFR Parts 160 and 164). HIPAA obligations are in addition to, and not in lieu of, the obligations under this Agreement.
4. Obligations of Receiving Party
The Receiving Party agrees to the following obligations with respect to Confidential Information:
4.1 Non-Disclosure
The Receiving Party shall not disclose, publish, or disseminate Confidential Information to any third party without the prior written consent of Rymeda. The Receiving Party shall use Confidential Information solely for the purpose for which it was disclosed and in connection with the Receiving Party's authorized relationship with Rymeda.
4.2 Need-to-Know Restriction
The Receiving Party shall limit access to Confidential Information to those of its employees, agents, contractors, and advisors who (a) have a legitimate need to know such information for the permitted purpose; (b) have been informed of the confidential nature of the information; and (c) are bound by confidentiality obligations no less restrictive than those in this Agreement.
4.3 Reasonable Care
The Receiving Party shall protect Confidential Information using at least the same degree of care it uses to protect its own confidential information of a similar nature, but in no event less than reasonable care. This includes implementing appropriate physical, administrative, and technical safeguards to prevent unauthorized access, use, disclosure, or loss.
4.4 No Reverse Engineering
The Receiving Party shall not reverse engineer, decompile, disassemble, or otherwise attempt to derive the source code, algorithms, data structures, or underlying ideas of any Rymeda software, product, or service, except to the extent expressly permitted by applicable law notwithstanding this restriction.
4.5 Return or Destruction on Termination
Upon termination of the Receiving Party's relationship with Rymeda, or upon Rymeda's written request, the Receiving Party shall promptly return or destroy all Confidential Information in its possession or control, in accordance with the procedures described in Section 11.
4.6 No Unauthorized Copying
The Receiving Party shall not copy, reproduce, or duplicate Confidential Information except as reasonably necessary for the permitted purpose. All copies shall bear the same confidentiality notices as the original material.
4.7 Notification of Breach
The Receiving Party shall immediately notify Rymeda in writing upon discovery of any unauthorized access, use, disclosure, or loss of Confidential Information, and shall cooperate with Rymeda in investigating and remediating any such breach. Notification shall be sent to security@rymeda.com and legal@rymeda.com.
5. Permitted Disclosures
The confidentiality obligations of this Agreement do not apply to Confidential Information that the Receiving Party is compelled to disclose under the following limited circumstances:
- Legal Requirement: Disclosure required by applicable law, regulation, court order, or governmental order, provided that the Receiving Party (a) provides Rymeda with prompt prior written notice of such requirement (to the extent legally permitted); (b) cooperates with Rymeda in seeking a protective order or other appropriate remedy; and (c) discloses only the minimum amount of Confidential Information necessary to comply with the requirement.
- Regulatory Disclosure: Disclosure required by a regulatory authority with jurisdiction over the Receiving Party, including without limitation healthcare regulators (HHS/OCR), financial regulators, or securities regulators, subject to the same notice and minimization requirements.
- Prior Written Notice: The Receiving Party shall provide Rymeda with written notice at least ten (10) business days prior to any compelled disclosure (or as soon as practicable if the disclosure is required sooner), to allow Rymeda to seek a protective order or other appropriate relief.
- Minimum Necessary: Any compelled disclosure shall be limited to the minimum amount of Confidential Information strictly necessary to satisfy the legal or regulatory requirement.
6. Intellectual Property Ownership
6.1 Rymeda Platform IP
Rymeda, Inc. retains all right, title, and interest in and to the Rymeda platform, ORIS Clinical AI, and all associated Intellectual Property, including all modifications, enhancements, derivative works, and improvements thereto, regardless of who conceives, develops, or creates them. Nothing in any agreement with the Receiving Party transfers or assigns ownership of Rymeda IP.
6.2 Customer Data Ownership
The Customer retains all right, title, and interest in and to the data the Customer uploads, creates, or inputs into the Rymeda platform ("Customer Data"), including clinical records, patient data, and business data. Rymeda's use of Customer Data is governed by the Terms of Service, Privacy Policy, and Data Processing Agreement.
6.3 Work Product Ownership
All Work Product created by the Receiving Party during the term of engagement with Rymeda, and in connection with or arising from such engagement, shall be the sole and exclusive property of Rymeda, Inc. The Receiving Party hereby irrevocably assigns to Rymeda all right, title, and interest in and to all Work Product, including all Intellectual Property rights therein, and agrees to execute any documents reasonably necessary to evidence or perfect such assignment.
6.4 No License to Rymeda Marks
No right, license, or authorization is granted to the Receiving Party to use the Rymeda name, logo, trademarks, service marks, or any other proprietary designations of Rymeda, Inc. without the prior written permission of Rymeda. Any authorized use must comply with Rymeda's brand guidelines and is subject to revocation at any time.
7. Non-Solicitation
During the term of the Receiving Party's engagement with Rymeda and for a period of twelve (12) months following the termination of such engagement, the Receiving Party shall not, directly or indirectly:
- Solicit, recruit, hire, or attempt to solicit, recruit, or hire any employee, contractor, or consultant of Rymeda with whom the Receiving Party had contact or about whom the Receiving Party obtained Confidential Information during the engagement.
- Encourage or induce any employee, contractor, or consultant of Rymeda to terminate or reduce their relationship with Rymeda.
- Solicit or divert any customer, client, or business relationship of Rymeda with whom the Receiving Party had contact or about whom the Receiving Party obtained Confidential Information during the engagement, for the purpose of providing products or services that are competitive with the Rymeda platform.
This non-solicitation provision does not restrict the Receiving Party from making general public advertisements for employment that are not specifically directed at Rymeda personnel, or from hiring individuals who independently approach the Receiving Party without solicitation.
8. Remedies
The Receiving Party acknowledges that any breach or threatened breach of this Agreement may cause Rymeda irreparable harm for which monetary damages may be inadequate. Accordingly:
8.1 Injunctive Relief
Rymeda shall be entitled to seek injunctive relief, including temporary restraining orders, preliminary injunctions, and permanent injunctions, to prevent or restrain any breach or threatened breach of this Agreement, without the necessity of proving actual damages or posting a bond (to the extent permitted by law).
8.2 Specific Performance
Rymeda shall be entitled to specific performance of the terms of this Agreement, in addition to any other remedies available at law or in equity.
8.3 Damages
Rymeda shall be entitled to recover all damages arising from the Receiving Party's breach of this Agreement, including direct damages, consequential damages, lost profits, and all reasonable costs and attorney's fees incurred in enforcing this Agreement.
8.4 Cumulative Remedies
The remedies provided in this Section are cumulative and in addition to any other remedies available to Rymeda at law or in equity. No exercise of any remedy shall preclude the exercise of any other remedy.
9. Term
The confidentiality obligations under this Agreement shall remain in effect as follows:
- General Confidential Information: For a period of five (5) years from the date of disclosure of the applicable Confidential Information, regardless of whether the Receiving Party's engagement with Rymeda has terminated.
- Trade Secrets: Confidential Information that constitutes a Trade Secret under applicable law shall remain subject to the confidentiality obligations of this Agreement indefinitely, for so long as the information retains its trade secret status (i.e., until such information becomes publicly known through no fault of the Receiving Party).
- PHI: Obligations with respect to PHI shall survive in accordance with the terms of the Business Associate Agreement and HIPAA requirements, which may extend beyond the five-year period.
10. Exclusions
The confidentiality obligations of this Agreement do not apply to information that the Receiving Party can demonstrate, by clear and convincing evidence:
10.1 Publicly Known
Was or becomes generally available to the public through no act, omission, or fault of the Receiving Party or any person or entity acting on the Receiving Party's behalf.
10.2 Independently Developed
Was independently developed by the Receiving Party without reference to, reliance on, or use of Rymeda's Confidential Information, as evidenced by contemporaneous written records.
10.3 Received from Third Party
Was received by the Receiving Party from a third party who had the legal right to disclose such information without restriction and without breach of any obligation of confidentiality.
10.4 Prior Possession
Was already in the lawful possession of the Receiving Party prior to the date of disclosure by Rymeda, as evidenced by contemporaneous written records, and was not obtained directly or indirectly from Rymeda.
PHI Exclusion Limitation: The exclusions in this Section 10 do not apply to Protected Health Information (PHI). PHI is subject to the protections of HIPAA regardless of how it was obtained. Even if PHI would otherwise qualify for an exclusion above, HIPAA obligations apply.
11. Return of Materials
Upon termination of the Receiving Party's engagement with Rymeda, or upon Rymeda's written request, the Receiving Party shall, within thirty (30) calendar days:
- Return to Rymeda all originals and copies of Confidential Information in the Receiving Party's possession or control, in whatever form or medium (paper, electronic, digital, or otherwise).
- Permanently delete and destroy all electronic copies of Confidential Information from all systems, devices, storage media, and backup systems under the Receiving Party's control.
- Destroy all notes, analyses, compilations, studies, summaries, or other materials prepared by the Receiving Party that contain, reflect, or are derived from Confidential Information.
- Provide Rymeda with a written certification, signed by an authorized representative of the Receiving Party, confirming that all Confidential Information has been returned or destroyed in accordance with this Section.
Notwithstanding the foregoing, the Receiving Party may retain copies of Confidential Information to the extent required by applicable law or regulation, or as part of automatic backup systems, provided that such retained copies remain subject to the confidentiality obligations of this Agreement for the duration specified in Section 9.
12. Governing Law
This Agreement shall be governed by and construed in accordance with the laws of the State of California, without regard to conflict of laws principles. Any dispute arising out of or in connection with this Agreement shall be subject to the exclusive jurisdiction of the state and federal courts located in the State of California. The Receiving Party consents to the personal jurisdiction of such courts and waives any objection to venue.
If any provision of this Agreement is found to be invalid or unenforceable, the remaining provisions shall remain in full force and effect, and the invalid or unenforceable provision shall be modified to the minimum extent necessary to make it valid and enforceable while preserving the original intent of the parties.
13. Entire Agreement
This Agreement constitutes the entire agreement between the parties with respect to the subject matter hereof and supersedes all prior and contemporaneous agreements, understandings, and representations, whether oral or written, relating to the confidentiality and intellectual property matters addressed herein. This Agreement may only be modified by a written instrument signed by authorized representatives of both parties.
This Agreement does not supersede or replace the Business Associate Agreement, Data Processing Agreement, or other agreements between the parties that impose additional or more specific obligations with respect to particular categories of information.
Contact
For questions about this Confidentiality & Intellectual Property Agreement: