Iron Mountain Online Terms and Conditions of Service

These Terms and Conditions of Service (including any exhibits or addenda attached hereto), along with our Services overview, Plans & Pricing, Policies, and other information on our website (collectively referred to herein as the “Agreement”) outline the terms and conditions regarding your use of our products and services. This Agreement is a legally binding contract between you and Iron Mountain so please read carefully. We agree to make the services available to you only upon your acceptance of this Agreement. If you do not accept this Agreement, then do not purchase, register for, or use any of the services. By purchasing, registering for, and/or using our services you expressly acknowledge that you understand and have accepted this Agreement. 

As used herein and as the context requires, the term “we”, “us”, “our”, and “Iron Mountain” shall mean Iron Mountain Information Management, LLC, and its affiliates and subsidiaries that may perform any services. The term “you”, “your”, and “Customer” shall mean the person or entity who accesses or uses the services and any person or entity who purchases services or creates an account for the services. The term “services” shall mean all products and services offered by Iron Mountain which are further described on the Iron Mountain website, including but not limited to the Customer Account Dashboard, www.express.ironmountain.com (the "Site"), product offerings such as service plans and all other services. The term “Deposits” and “items” means any of your records, media, materials, images and electronically stored information, computer hardware and electronic equipment, and other items stored with or processed by Iron Mountain as part of the services.  


  1. Changes To The Agreement. We reserve the right to modify this Agreement in any manner and at any time as we may determine in our sole and absolute discretion. We will post the most current version of the Agreement on the Site at www.express.ironmountain.com/terms, which shall be effective thirty (30) days after posting. If we make material modifications to the services, we will notify you and such changes shall take effect thirty (30) days following notice to you. If you do not accept the changes, you must stop using the services and cancel your account within thirty (30) days of the notice of such material changes. Your continued use of the services more than thirty (30) days after we publish or send a notice about our changes to this Agreement means that you have consented to the updated terms. We may terminate your account or the services at any time, with or without cause, to be effective upon notice to you. If we terminate without cause, we will refund any pre-paid fees and arrange for the return of your Deposits back to you at our expense. 
  2. Your Account.
    1. One-Time Services. You may purchase certain services without establishing an account by completing the checkout process offered for the applicable service. You represent and warrant that all information entered during checkout is true, accurate, and complete. 
    2. Recurring Plans. Access to our services requires you to obtain a log-in by completing a registration form and designating a user ID and password. When registering with Iron Mountain you must: (a) provide true, current, and complete information about your business on the registration form and (b) maintain the accuracy of such information so it continues to be true, current, and complete. You are entirely responsible for all materials and information that you upload, post, or otherwise transmit via the services. Only you may use your Iron Mountain log-in and you are responsible for all aspects of your log-in, including any order placed, instruction submitted, or file accessed using your login. Each authorized user must have a separate log-in. You may not share, loan, or transfer your ID or password. If you become aware of any unauthorized use of the services or your log-in, or have any questions about your account please contact Iron Mountain Support via support@express.ironmountain.com or (888) 703-8127.
  3. Term.
    1. One-Time Services. This Agreement shall commence upon order placement and continue until the service has been completed. Orders for one-time services may only be canceled if you contact us before the day of your service. If you would like to cancel an order for one-time services, please immediately contact Iron Mountain Support via support@express.ironmountain.com or (888) 703-8127.
    2. Recurring Plans. Your plan shall continue and automatically renew for the same duration (for example, monthly plans automatically renew monthly and annual plans automatically renew annually) until you cancel (see “Cancellation” and “Trial Period” below). You must provide notice of cancellation before your plan renews to avoid automatic renewal. Notwithstanding anything to the contrary, in the event that Iron Mountain continues to hold Deposits after the expiration or termination of this Agreement for any reason, the terms of this Agreement shall continue to apply until all Deposits have been removed from Iron Mountain’s facility. 
    3. Cancellation. You may notify us of your intent to cancel your plan at any time, however cancellation will not be effective until your plan renewal date and you will continue to have access to the services and be billed for the services until such time. Deposits will be returned to you and shred bins will be permanently removed from your locations after your cancellation effective date and receipt of payment for all fees, including account closure fees and the Early Termination Fee, as applicable. You shall permit us to retrieve all shred bins and other of our property kept at your location and, if we cannot retrieve such items, you will be charged to replace the same.
      1. Account Closure. Iron Mountain charges fees to close your account and terminate the services, which are the charges incurred (in addition to your plan price) to return your Deposits to you and to pick up any shred bins from your location. Account closure fees apply and will be assessed to close your account and terminate your services for any reason, except for cancellation during the Trial Period. 
      2. Early Termination Fee. If you have more than one month remaining in your plan term you may elect to cancel your plan and terminate your services prior to your plan renewal date by paying an early termination fee equal to your monthly plan price multiplied by the number of months remaining in the then-current term (“Early Termination Fee”). The Early Termination Fee is in addition to the applicable account closure fees. 
  4. Charges. Rates, charges, and definitions of Iron Mountain’s offered service plans, along with available add-ons or incremental services, are specified on the Site. Rates and charges for services may be changed at any time by Iron Mountain upon written notice to you, provided that recurring plan rates will remain the same for your stated plan term, with changes going into effect upon renewal. Add-ons and one-time services (purchased on top of plan price), will be charged at the then-published price. Published prices are exclusive of taxes and required fees, which will be charged as applicable. 
  5. Promotional Offers. We may make certain promotional offers available from time to time, which may be subject to differing conditions or limitations which shall be disclosed at the time of registration or purchase. If you qualify for a promotional offer, the terms of the offer shall control over any conflicting terms and conditions in this Agreement. 
  6. Payment Terms. You are required to enroll in electronic auto-pay, and provide Iron Mountain with current, complete, accurate, and authorized payment method information (e.g. ACH or credit card information). Iron Mountain is authorized to charge the provided payment method in advance on a recurring basis for the services selected. Payment will be due and charged on the date of your enrollment, and thereafter monthly on each anniversary (unless you registered on a day not contained in a given month, in which case you will be charged on the closest available date) for that month’s service plan and will continue until you cancel. Iron Mountain’s fees are fully earned upon payment and there are no refunds or credits for canceled, unused, or partially used services, except as otherwise set forth herein. You shall be liable for late charges totaling one percent (1%) per month of the outstanding balance, beginning the day after payment was due.     
  7. Customer Default. If you fail to pay Iron Mountain’s charges within fourteen (14) days after the billing date, as established in the “Payment Terms” section above, Iron Mountain will suspend service until you become current, including applicable late fees. Suspended accounts will not be allowed to place orders for services, or view or access Deposits. If you fail to pay Iron Mountain’s charges for two (2) consecutive billing dates Iron Mountain will send written notice informing you that Deposits may be securely destroyed in ninety (90) days. A final notice will be sent to you ten (10) days prior to secure destruction of the Deposits. Iron Mountain shall have all other rights and remedies as may be provided by law. In the event Iron Mountain takes any actions pursuant to this Section, it shall have no liability to you or anyone claiming by or through you. You shall pay Iron Mountain’s standard price for secure destruction and shall otherwise remain responsible for any uncollected amounts and collection costs.
  8. Updates To The Service. Iron Mountain can make necessary deployments of changes, updates or enhancements to the services at any time, including adding new services. Iron Mountain may also add or remove functionalities or features, or suspend or stop the services altogether.
  9. Customer Instructions. You warrant that you are the owner or legal custodian of the Deposits and have full authority to direct Iron Mountain to store, shred, image, destroy, remarket or otherwise dispose of the Deposits and data contained therein in accordance with this Agreement, free from liens, security interests, or other claims of third parties. Title to Deposits consisting of electronic storage media, computer hardware or other electronic equipment (“IT Assets”) sent to Iron Mountain for disposition services shall transfer to Iron Mountain upon receipt of such IT Assets, which will be recycled or remarketed by Iron Mountain in its sole discretion, provided that all data must be permanently deleted from any data bearing IT Assets remarketed by Iron Mountain. Iron Mountain will perform services pursuant to the direction of your agent(s) identified pursuant to Iron Mountain’s standards, including processing orders placed through your Account Dashboard. For the avoidance of doubt, any order placed using your log-in credentials or the log-in credentials of any authorized user shall constitute your representation that the identified persons have full authority to order any service, including disposal or removal of Deposits. You release Iron Mountain from all liability by reason of the destruction of Deposits ordered using your or any authorized user’s account log-in.  
  10. Operational Procedures. You will comply with Iron Mountain’s reasonable operational requirements, as modified from time to time, regarding cartons, carton integrity, delivery/pickup/account closing volumes, preparation for pickup, security, secure shredding protocols, access, and similar matters. Without limiting the generality of the foregoing, you will comply with all instructions, controls, and restrictions Iron Mountain may impose from time to time regarding access to the services and electronically stored information, including but not limited to requirements relating to VPN devices, FTP connections, password standards, encryption, network requirements, and secure access protocols.
  11. Force Majeure. Neither party shall be liable for any failure, loss (including loss of or damage to Deposits), claim, damage, delay or inability to perform caused by acts of God, governmental actions, labor unrest, acts of terrorism, riots, unusual traffic delays or other causes beyond its reasonable control. You are responsible for obtaining and maintaining all equipment, technology, and communication systems (including, without limitation, internet access) that are necessary or appropriate for you to access the services. Iron Mountain shall have no responsibility or liability for your failure to access or use the services caused by or related in any manner to your failure to obtain and maintain all such equipment, technology, and communication systems.     
  12. Governmental Orders. Iron Mountain is authorized to comply with any subpoena or similar order related to the Deposits, at your expense, provided that Iron Mountain notifies you promptly upon receipt thereof, unless such notice is prohibited by law. Iron Mountain will cooperate with your efforts to quash or limit any subpoena, at your expense. 
  13. Confidentiality. "Confidential Information" means any information (i) contained in the Deposits, (ii) concerning or relating to the property, business and affairs of the party disclosing such information that is furnished to the receiving party, and (iii) regarding this Agreement, the services, and Iron Mountain’s processes and procedures; except for information that was previously known to the receiving party free of any obligation to keep it confidential, is subsequently made public by the disclosing party or is disclosed by a third party having a legal right to make such disclosure. Confidential Information shall be used only in the manner contemplated by this Agreement and shall not be intentionally disclosed to third parties without the disclosing party’s written consent. Iron Mountain shall not obtain any rights of any sort in or to your Confidential Information contained in Deposits. Iron Mountain shall implement and maintain reasonable safeguards designed to protect your Confidential Information.  
  14. LIMITATION OF LIABILITY.
    1. DECLARED VALUE OF DEPOSITS. YOU DECLARE, FOR THE PURPOSES OF THIS AGREEMENT, THAT (A) WITH RESPECT TO HARD-COPY (PAPER) RECORDS, MICROFILM, AND MICROFICHE STORED OR PROCESSED PURSUANT TO THIS AGREEMENT, THE VALUE OF SUCH ITEMS IS $1.00 PER CARTON, LINEAR FOOT OF OPEN-SHELF FILES, CONTAINER, OR OTHER STORAGE UNIT, AND (B) WITH RESPECT TO ROUND REEL TAPE, AUDIO TAPE, VIDEO TAPE, FILM, DATA TAPE, CARTRIDGES OR CASSETTES OR OTHER NON-PAPER MEDIA STORED OR PROCESSED PURSUANT TO THIS AGREEMENT, THE VALUE OF SUCH ITEMS IS EQUAL TO THE COST OF REPLACING THE PHYSICAL MEDIA. YOU ACKNOWLEDGE THAT YOU HAVE DECLINED TO DECLARE AN EXCESS VALUATION, FOR WHICH AN EXCESS VALUATION FEE WOULD HAVE BEEN CHARGED. DEPOSITS ARE NOT INSURED BY IRON MOUNTAIN AGAINST LOSS OR DAMAGE, HOWEVER CAUSED. YOU MAY INSURE DEPOSITS THROUGH THIRD-PARTY INSURERS FOR ANY AMOUNT, INCLUDING AMOUNTS IN EXCESS OF THE LIMITATION OF LIABILITY SET FORTH IN THIS AGREEMENT. YOU SHALL CAUSE YOUR INSURERS OF DEPOSITS TO WAIVE ANY RIGHT OF SUBROGATION AGAINST IRON MOUNTAIN.  
    2. MAXIMUM LIABILITY. IRON MOUNTAIN SHALL NOT BE LIABLE FOR ANY LOSSES, COSTS, DAMAGES, OR EXPENSES (INCLUDING BUT NOT LIMITED TO THE LOSS OR DESTRUCTION OF, OR DAMAGE TO, DEPOSITS, AND THE COSTS RESULTING FROM A LOSS OF A DEPOSIT CONSTITUTING A BREACH OF DATA SECURITY OR CONFIDENTIALITY), UNLESS AND TO THE EXTENT THE SAME WAS CAUSED BY IRON MOUNTAIN’S NEGLIGENCE. TO THE FULLEST EXTENT PERMITTED BY APPLICABLE LAW, IRON MOUNTAIN’S LIABILITY, IF ANY, FOR LOSS OR DESTRUCTION OF, OR DAMAGE TO, DEPOSITS IS LIMITED TO THE DECLARED VALUE OF EACH DEPOSIT AS DESCRIBED ABOVE. TO THE FULLEST EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT SHALL IRON MOUNTAIN’S TOTAL, AGGREGATE, AND CUMULATIVE LIABILITY UNDER THIS AGREEMENT (WHETHER ARISING IN CONTRACT, TORT, WARRANTY, INDEMNIFICATION, OR ANY OTHER LEGAL THEORY) EXCEED (I) THE AMOUNT ACTUALLY PAID BY THE CUSTOMER FOR THE SERVICES OR, (II) WITH RESPECT TO RECURRING SERVICES, THE AMOUNT ACTUALLY PAID BY THE CUSTOMER IN THE PRIOR TWELVE (12) MONTHS FOR THE SERVICES. IRON MOUNTAIN SHALL NOT BE LIABLE FOR THE DEPOSITS OR THE LOSS OF CONTENTS OF SHREDDING BINS OR OTHER CONTAINERS UNLESS AND UNTIL THE SAME ARE IN THE PHYSICAL CUSTODY AND CONTROL OF IRON MOUNTAIN.         
    3. NO CONSEQUENTIAL DAMAGES. IN NO EVENT SHALL EITHER PARTY BE LIABLE FOR ANY CONSEQUENTIAL, INCIDENTAL, SPECIAL OR PUNITIVE DAMAGES, OR FOR LOSS OF PROFITS OR LOSS OF DATA, REGARDLESS OF WHETHER AN ACTION IS BROUGHT IN TORT, CONTRACT OR UNDER ANY OTHER THEORY.         
  15. ITAR/EAR Compliance. You represent that none of the Deposits require protection from access by foreign persons because they contain technical information regarding defense articles or defense services within the meaning of the International Traffic in Arms Regulations (22 CFR 120) or technical data within the meaning of the Export Administration Regulations (15 CFR 730-774). If any of your Deposits do contain any such information, you shall notify Iron Mountain of the specific Deposits that contain such information and acknowledge that special storage and service rates may apply thereto.  
  16. Non-Custodial Status. Iron Mountain’s performance of services shall not cause Iron Mountain to be deemed a “custodian” of the records or “designee” of Customer under state or federal law with respect to such records.     
  17. Notice of Claims. You must present all claims in writing within a reasonable time, in no event longer than ninety (90) days after delivery or return of the Deposits to you, or ninety (90) days after you are notified of loss, damage or destruction to part or all of the Deposits. Unless otherwise expressly provided by law, you may not bring any action against Iron Mountain with respect to any matter arising out of this Agreement or the services unless such action is commenced within one (1) year after the date of the act, omission, or event giving rise to the claim.     
  18. Notice of Loss. When Deposits have been lost, damaged or destroyed, Iron Mountain shall, upon confirmation of the event, report the matter in writing to you.     
  19. Safe Materials and Premises. You shall not store with Iron Mountain, place in any shred bin, or otherwise tender to Iron Mountain any material that is highly flammable, may attract vermin or insects, or is otherwise dangerous or unsafe to store or handle, or any material that is regulated by federal or state law or regulation relating to the environment or hazardous materials. You shall not store or transmit (i) negotiable instruments, jewelry, check stock or other items that have intrinsic value, (ii) defamatory, trade libelous, or otherwise unlawful information, or (iii) obscene, pornographic or indecent information in violation of applicable law. You warrant that you shall only place paper-based materials in the shredding bins and shall only tender items to Iron Mountain that are listed as accepted on the Site. You warrant and covenant that your locations where Iron Mountain employees perform services (including pickups and deliveries) are and shall be free of hazardous substances or dangerous conditions. You shall reimburse Iron Mountain for damage to equipment or injury to personnel resulting from your breach of this warranty. Violation of this clause shall be grounds for termination of service.     
  20. Personal Information.
    1. EU Personal Data. You represent and warrant that you shall not provide Iron Mountain with any ‘Personal Data’ (as defined in GDPR), whether contained within the Deposits or otherwise, that is the subject of the General Data Protection Regulation (2016/679/EU) (“GDPR”). You must immediately contact Iron Mountain in the event you become aware that your Deposits contain any Personal Data.
    2. California Consumer Privacy Act. If you are a ‘Business’ and provide ‘Personal Information’ to Iron Mountain (each as defined in the California Consumer Privacy Act of 2018 (“CCPA”)), whether contained within the Deposits or otherwise, you agree to Iron Mountain’s Personal Information Privacy Addendum, which is attached as Exhibit 1 and hereby incorporated into this Agreement.
    3. Protected Health Information. If you provide ‘Protected Health Information’ to Iron Mountain where Iron Mountain is your ‘Business Associate’ (each as defined in the Health Insurance Portability and Accountability Act of 1996), whether contained in the Deposits or otherwise, you agree to Iron Mountain’s Business Associate Agreement, which is attached as Exhibit 2 and hereby incorporated into this Agreement.
  21. Separate Agreement. Customer understands that (i) the services offered by Iron Mountain hereunder are separate and unique from any other services that may be offered by Iron Mountain and that this Agreement with Iron Mountain is separate from any other contracts or accounts you may have with Iron Mountain; (ii) if Customer, its parent, affiliates, subsidiaries, or any other entity which acquires, merges, or consolidates with Customer has any other agreement with Iron Mountain, this Agreement with Iron Mountain supersedes any such other agreements with respect to the services offered hereunder and shall continue pursuant to its terms; and (iii) your accounts created on the Site cannot be combined or merged with other Iron Mountain accounts/inventory.     
  22. Miscellaneous. Iron Mountain may subcontract any or all of its obligations under this Agreement to third party vendors or subcontractors, provided that Iron Mountain shall remain directly liable to you for the performance of such subcontracted obligations. You may not assign this Agreement in whole or in part, except to an affiliate, without the prior written consent of Iron Mountain. An affiliate means any entity controlling, controlled by, under common control with, or having a common parent with Iron Mountain or Customer. Iron Mountain may exercise all rights granted to warehousemen by the Uniform Commercial Code as adopted in the state where the Deposits are stored. Customer represents and covenants that upon the commencement of this Agreement and throughout the term of this Agreement, that: (i) it is not identified on any restricted party lists; or located in countries identified on any restricted country lists; or using the goods or services for any restricted end uses; including those promulgated by the U.S. Departments of State, Commerce and Treasury; and (ii) it is and shall remain compliant with all laws and regulations applicable to its performance under this Agreement, including but not limited to export control and economic sanctions, will not take any action that will cause Iron Mountain to be in violation of such laws and regulations, and will not require Iron Mountain to directly or indirectly take any action that might cause it to be in violation of such laws and regulations. Customer will not provide Iron Mountain any goods, software, services and/or technical data subject to export controls and controlled at a level other than EAR99/AT. This Agreement shall be governed by the laws of the state in which Customer’s office identified in this Agreement is located except for conflicts of laws principles.
  23. Electronic Contract. We will send notices to you in electronic form only, for example via emails to your email address provided during registration or posted to your Customer Account Dashboard. You agree that any notices, agreements, disclosures or other communications that we send to you electronically will satisfy any legal communication requirements, including that such communications be in writing, and you agree to maintain a valid email address and check your email address and Customer Account Dashboard regularly.
  24. Entire Agreement. This Agreement constitutes the entire understanding of the parties and supersedes all previous communications, representations, agreements and understandings relating to the services provided by Iron Mountain to Customer with respect to the subject matter hereof.

Exhibit 1: Iron Mountain Personal Information Privacy Addendum

This Personal Information Privacy Addendum (“Addendum”) is an addendum to your Agreement with Iron Mountain and is incorporated therein by reference. It is intended to supplement the Agreement, including the Privacy Policy. Pursuant to the Agreement, Iron Mountain may Process Personal Information on behalf of Customer in connection with the services. To the extent that Iron Mountain Processes Personal Information on behalf of Customer, this Addendum sets forth the rights and obligations of the parties with respect to the CCPA, under which Customer is a “Business” and Iron Mountain is a “Service Provider” of Customer. 

  1. Definitions. For the purposes of this Addendum, capitalized terms shall have the following meanings, provided that capitalized terms not defined herein shall have the meanings ascribed to them in the Agreement:

    “CCPA” means the California Consumer Privacy Act of 2018.

    “Personal Information” means any data or information that is received by Iron Mountain from Customer, subject to the services under the Agreement, that relates to, describes, is capable of being associated with, or could be linked, directly or indirectly, with a particular natural person who is a California resident or household. Personal Information does not include publicly available information.

    “Process” means any operation or set of operations that are performed on personal data or on sets of personal data, whether or not by automated means.

  2. Restrictions on Use. Iron Mountain shall not retain, use, or disclose Personal Information for any purpose other than for the specific purpose of performing the services specified in the Agreement, as required under this Addendum, or as otherwise permitted under the CCPA.
  3. Permitted Use and Disclosure. Notwithstanding anything herein to the contrary, Iron Mountain may use or disclose Personal Information to carry out its legal responsibilities, including, but not limited to compliance with civil, criminal, or regulatory inquiries, investigations, subpoena, or summons by federal, state or local authorities.
  4. Individual Requests. Iron Mountain shall promptly notify Customer if Iron Mountain receives a request from any individual with respect to Personal Information that is Processed by Iron Mountain on behalf of Customer. If Iron Mountain is in possession of the requested Personal Information, upon Customer’s request, Iron Mountain shall promptly provide Customer with the Personal Information, so that Customer may respond to individual requests for access to or disclosure of Personal Information as required by the CCPA. Iron Mountain’s retrieval of the requested Personal Information will be subject to the applicable charges or fees as set out in the Agreement.
  5. Deletion. At Customer’s request, but subject to the CCPA, Iron Mountain shall promptly and securely delete or destroy the Personal Information identified by the Customer. Iron Mountain’s deletion of any Personal Information will be subject to the applicable charges or fees as set out in the Agreement. Notwithstanding anything herein to the contrary, if a request for destruction or deletion involves Personal Information in the form of a hard-copy record contained in the Customer’s Deposit(s), at Customer’s direction Iron Mountain shall either return the Deposit(s) to Customer or securely destroy the Deposit(s). For the avoidance of doubt, Iron Mountain shall not remove records from Deposits.
  6. Privacy Safeguards. Iron Mountain shall implement and maintain reasonable security procedures and practices that are appropriate for the protection of Personal Information from unauthorized access, destruction, use, modification or disclosure. This Addendum supplements, and does not replace, any existing obligations related to the privacy and security of Personal Information or other personal data as set forth in the Agreement.
  7. Order of Precedence. This Addendum is supplemental to the Agreement. The terms and conditions of the Agreement apply to, and govern, the rights and obligations of the parties under this Addendum. If any terms and conditions contained in this Addendum are in conflict with the terms and conditions set forth in the Agreement, the terms and conditions set forth in this Addendum shall be the controlling terms and conditions with respect to Personal Information.
  8. Miscellaneous. This Addendum is incorporated by reference into and made a part of the Agreement, and as such may be amended from time to time by Iron Mountain as described therein, subject to applicable law. Continued use of the services following amendment of this Addendum shall indicate your acceptance of such amendment.

Exhibit 2: Iron Mountain Business Associate Agreement

This Business Associate Agreement (“BAA”) is an addendum to your Agreement with Iron Mountain and is incorporated therein by reference. It is intended to supplement and amend the Agreement only in the event and to the extent Iron Mountain meets, with respect to you, the definition of a Business Associate set forth at 45 C.F.R. §160.103 and may Use and/or Disclose PHI on your behalf, as a Covered Entity. Except to the extent modified in this BAA, all terms and conditions set forth in the Agreement shall remain in full force and effect and govern the services.

Iron Mountain and Customer are entering into this BAA in order for both parties to meet their respective obligations as they become effective and binding upon the parties under the HIPAA Privacy, Security, and Breach Notification Rules along with any implementing regulations including those implemented as part of the Omnibus Rule (collectively referred to as the “HIPAA Rules”), under which Customer is a “Covered Entity” or “Business Associate” and Iron Mountain is a “Business Associate” of Customer. For purposes of this Agreement, any references hereinafter to Business Associate shall be deemed references to Iron Mountain.

  1. Definitions.

    Capitalized terms used but not otherwise defined in this BAA shall have the same meanings ascribed to those terms in the HIPAA Rules or in the Agreement, as applicable.
    1. “Breach Notification Rule” shall mean the rule for Breach Notification for Unsecured Protected Health Information at 45 CFR §164 Subpart D.
    2. “Business Associate” shall mean Iron Mountain to the extent it receives, maintains, or transmits Protected Health Information in delivering services to Customer.
    3. “HIPAA” shall mean the Health Insurance Portability and Accountability Act of 1996.
    4. “HITECH Act” shall mean the applicable provisions of the Health Information Technology for Economic and Clinical Health Act, as incorporated in the American Recovery and Reinvestment Act of 2009, and including any implementing regulations.
    5. “Privacy Rule” shall mean the Standards for Privacy of Individually Identifiable Health Information at 45 CFR §160 and §164, Subparts A and E.
    6. “Protected Health Information” or “PHI” shall have the same meaning as the term ‘protected health information’ in 45 CFR §160.103 and shall be limited to the PHI created by Business Associate on behalf of Customer or received from or on behalf of Customer pursuant to the Agreement.
    7. “Security Rule” shall mean the Security Standards for the Protection of Electronic Protected Health Information at 45 CFR §160 and §164, Subparts A and C.
  2. Obligations and Activities of Business Associate.
    1. Business Associate agrees to not Use or further Disclose PHI other than as permitted or required by this BAA or as required by law.
    2. Business Associate agrees to use appropriate safeguards, and comply, as applicable, with Subpart C of 45 CFR §164 with respect to electronic PHI, to prevent Uses or Disclosures of the PHI other than as provided for by this BAA or the Agreement; however, the parties acknowledge and agree it shall be the responsibility of Customer and not Business Associate to comply with requirements under 45 CFR §164.312 to implement encryption or decryption mechanisms for electronic PHI maintained on physical media (e.g. tapes) stored by Customer with Business Associate.
    3. Business Associate agrees to promptly report to Customer any Security Incident, Breach, or other Use or Disclosure of PHI of which it becomes aware that is not permitted or required by this BAA or the Agreement. In the event of a Breach, such notification shall be made in accordance with and as required of a business associate by the HIPAA Rules, including without limitation pursuant to 45 CFR 164.410, but in no event more than three (3) business days after Business Associate has completed its internal investigation and confirmed a Breach has occurred. Business Associate will provide reasonable assistance and cooperation in the investigation of any such Breach and shall document the specific Deposits which have been compromised, the identity of any unauthorized third party who may have accessed or received the PHI, if known, and any actions that have been taken by Business Associate to mitigate the effects of such Breach.
    4. Business Associate shall, in accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), as applicable, ensure that any business associate that is a subcontractor that creates, receives, maintains, or transmits PHI on behalf of Business Associate for the purpose of assisting in providing services pursuant to the Agreement, agrees to the same restrictions, conditions, and requirements that apply to Business Associate with respect to such PHI through this BAA.
    5. If Business Associate has custody of PHI in a Designated Record Set with respect to Individuals, and if Customer so requests, Business Associate agrees to provide access to such PHI to Customer by retrieving and delivering such PHI in accordance with the terms and conditions of the Agreement, so that Customer may respond to an Individual in order to meet the requirements of 45 CFR §164.524.
    6. Business Associate agrees that if an amendment to PHI in a Designated Record Set in the custody of Business Associate is required, and if Customer instructs Business Associate to retrieve such PHI in accordance with the Agreement, Business Associate shall perform such service so that Customer may make any amendment to such PHI as may be required by either Customer or an Individual pursuant to 45 CFR §164.526.
    7. Business Associate agrees to document and make available to Customer the information required to provide an accounting of Disclosures of PHI, provided that Customer has provided Business Associate with information sufficient to enable Business Associate to determine which records or data received from or on behalf of Customer by Business Associate contain PHI. The documentation of Disclosures shall contain such information as would be required for Customer to respond to a request by an Individual for an accounting of Disclosures of PHI in accordance with 45 CFR §164.528 or other provisions of the HIPAA Rules.
    8. Business Associate shall promptly notify Customer of any requests by Individuals for access to or knowledge or correction of PHI, without responding to such requests, and Customer shall be responsible for receiving and responding to any such Individual requests.
    9. To the extent the Business Associate is to carry out one or more of Customer's obligation(s) under Subpart E of 45 CFR §164, Business Associate shall comply with the requirements of Subpart E that apply to Customer in the performance of such obligation(s).
    10. Business Associate agrees to make its internal practices, books, and records available to the Secretary for purposes of determining compliance with the HIPAA Rules.
  3. Permitted Uses and Disclosures by Business Associate.
    1. Business Associate may Use or Disclose PHI as necessary to perform the services set forth in the Agreement.
    2. Business Associate may Use or Disclose PHI as required by law.
    3. Business Associate agrees to make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the Use, Disclosure, or request.
    4. Business Associate may not Use or Disclose PHI in a manner that would violate Subpart E of 45 CFR §164 if done by Customer.
    5. Business Associate may Disclose PHI for the proper management and administration of Business Associate or to carry out the legal responsibilities of the Business Associate, provided the Disclosures are required by law, or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that the information will remain confidential and used or further disclosed only as required by law or for the purposes for which it was disclosed to the person, and the person notifies Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.
  4. Obligations of Customer.
    1. Customer shall not direct Business Associate to act in a manner that would not be compliant with the HIPAA Rules.
    2. Customer shall notify Business Associate of any limitation(s) in its notice of privacy practices of Customer in accordance with 45 CFR §164.520, to the extent that such limitation may affect Business Associate’s Use or Disclosure of PHI.
    3. Customer shall notify Business Associate of any changes in, or revocation of, the permission by an Individual to Use or Disclose their PHI, to the extent that such changes may affect Business Associate’s Use or Disclosure of PHI.
    4. Customer shall notify Business Associate in writing of any restriction to the Use or Disclosure of PHI that Customer has agreed to in accordance with 45 CFR §164.522, to the extent that such restriction may affect Business Associate’s Use or Disclosure of PHI.
  5. Term and Termination.
    1. Term. The term of this BAA shall continue for the term of the Agreement and shall terminate automatically upon the later to occur of (i) the expiration or termination of the Agreement, or (ii) when all PHI provided by Customer to Business Associate is destroyed or returned to Customer.
    2. Termination for Cause. Upon a party’s knowledge of a material breach of the BAA by the other party, the non-breaching party shall provide an opportunity for the breaching party to cure the breach. If the breaching party does not cure the breach within thirty (30) days, following the breaching party’s receipt of a written notice from the non-breaching party setting forth the details of such material breach, then the non-breaching party shall have the right to terminate this BAA and the Agreement according to the terms of the Agreement, or, if termination is not feasible, shall report the problem to the Secretary or any other competent authority.
    3. Effect of Termination.
      1. Except as provided in Section 5.c.ii. below, upon termination of this BAA for any reason, Business Associate shall return or destroy all PHI received from Customer in accordance with the Agreement. This provision shall apply to PHI that is in the possession of subcontractors or agents of Business Associate. Business Associate shall retain no copies of the PHI.
      2. In the event that Business Associate determines that returning or destroying the PHI is infeasible, Business Associate shall provide to Customer notification of the conditions that make return or destruction infeasible. Upon notice to Customer, Business Associate shall extend the protections of this BAA to such PHI and limit further Uses and Disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such PHI pursuant to the terms of the Agreement.
  6. Miscellaneous.
    1. Injunctive Relief. Business Associate acknowledges that any unauthorized Use or Disclosure of PHI by Business Associate may cause irreparable harm to Customer for which Customer shall be entitled, if it so elects, to seek injunctive or other equitable relief.
    2. Regulatory References. A reference in this BAA to a section of the HIPAA Rules shall mean that section of HIPAA, the Privacy Rule, the Security Rule, the HITECH Act, or the final Omnibus Rules as amended and in effect, and for which compliance is required.
    3. Amendment. This BAA is incorporated by reference into and made a part of the Agreement, and as such may be amended from time to time by Iron Mountain as described therein, subject to applicable law. Continued use of the services following amendment of this BAA shall indicate your acceptance of such amendment.
    4. Survival. The respective rights and obligations of Business Associate under Section 5(c) above shall survive the termination of this BAA.
    5. No Third Party Beneficiaries. Nothing express or implied in this BAA is intended to confer, nor shall anything herein confer, upon any person other than Customer, Business Associate and their respective successors or assigns, any rights, remedies, obligations or liabilities whatsoever.
    6. Independent Contractor. Business Associate, including its directors, officers, employees and agents, is an independent contractor and not an agent (as defined under Federal common law of agency) of Customer or a member of its workforce. Without limiting the generality of the foregoing, Customer shall have no right to control, direct, or otherwise influence Business Associate’s conduct in the course of performing the services, other than through the enforcement of this BAA or the Agreement.
    7. Precedence; Entire Agreement. Any ambiguity in this BAA shall be resolved to permit the parties to comply with the HIPAA Rules. This BAA constitutes the entire agreement between the parties with respect to the subject matter hereof, and shall supersede all previous communications, representations, agreements and understandings relating to the HIPAA Rules, including any and all prior business associate agreements between the parties.

Exhibit 3: Addendum for Policy Center Essential

This Addendum for Policy Center Essential (“Addendum”) is an addendum to your Agreement with Iron Mountain and is incorporated therein by reference. It is intended to supplement the Agreement to include additional terms and conditions applicable to Policy Center Essential.  With respect to Policy Center Essential only, these additional terms and conditions supersede any conflicting terms in the Agreement.  For the avoidance of doubt, Policy Center Essential shall be considered “services” for purposes of the Agreement.

1. Iron Mountain grants you the non-exclusive and non-transferable right and permission to access and use the information and material provided as part of the services for your internal business use only.  You shall not: (i) modify, port, translate, localize, or create derivative works of the services; or (ii) transfer, sell or use commercially any of the information and material obtained through the services.

2. Iron Mountain shall bear no liability whatsoever arising out of or in connection with the services, regardless of the cause of action and whether arising in contract, tort, indemnity, warranty or any other legal theory.

3. Iron Mountain and its suppliers are the sole and exclusive owner of all right, title, and interest in and to the services (excluding any open source third-party software), and all copies thereof including all derivations and modifications thereto including, but not limited to, ownership of all intellectual property rights (collectively, “Intellectual Property”). Use of the services does not provide you with title or ownership of the Intellectual Property, but only a right of limited use.

4. You understand and acknowledge that your access to and use of the information contained in the services does not constitute legal advice and is not provided as part of the practice of law. The legal data and information contained in the services is intended to provide you with information to inform decisions regarding your record keeping requirements. Iron Mountain does not warrant the accuracy or completeness of the information provided as part of the services and that information is, among other things, subject to change.  Further, the record retention periods do not take into account your particular circumstances and there may be exceptions or additional record keeping requirements that apply.  Accordingly, you should make your own inquiries or seek advice from an appropriate professional advisor regarding the record keeping requirements that may apply in your particular circumstances.

5. Notwithstanding anything to the contrary in the Agreement, either party may terminate GRCS at any time without penalty, by providing notice of cancellation in accordance with the Agreement.