Digital CBTe Partner Terms (Master Subscription and Services Agreement)

Effective Date: 2025-12-15
Version: v1.0

These Digital CBTe Partner Terms (the “Agreement”) govern Customer’s purchase and use of Digital CBTe and related services provided by Credo Therapies.

1. Parties and structure

1.1 Supplier. Credo Therapies Ltd., a company organized under the laws of England and Wales, with registered office at 8 King Edward Street, Oxford, UK, OX1 4HL (“Credo,” “Supplier,” “we,” “us”).

1.2 Customer. The organization identified in an Order Form (“Customer,” “you”).

1.3 Order Forms. Products and quantities are ordered through an Order Form, invoice, or sales order that references this Agreement (each an “Order Form”). Each Order Form incorporates this Agreement by reference.

1.4 Acceptance. Customer accepts this Agreement by (a) signing an Order Form, (b) paying an invoice that references this Agreement, (c) issuing a purchase order that references this Agreement, or (d) accessing or using the Service.

1.5 Order of precedence. If there is a conflict, the following order of precedence applies: (1) the Order Form, (2) these Partner Terms, (3) the Addenda and policies referenced in the Order Form (including the UK Data Processing Addendum), then (4) any other Supplier documentation. Any terms in Customer purchase orders or procurement portals are rejected and will not apply unless Supplier expressly agrees in a signed writing that references this Agreement.

2. Definitions

“Activation” means the right for 1 Patient User to access and use Digital CBTe for the Activation Period set out in the Order Form.

“Activation Period” means the period specified in the Order Form (for example, 12 months from Patient activation), during which the Patient User may access Digital CBTe.

“Affiliate” means any entity that controls, is controlled by, or is under common control with a party.

“Authorized Users” means Customer personnel (including clinicians, staff, contractors, and trainees) authorized by Customer to access the administrative and clinician-facing features of the Service.

“Customer Data” means data and content submitted to the Service by or on behalf of Customer or its Authorized Users, including Patient Data.

“Digital CBTe” means Supplier’s digital therapeutic software offering branded as “Digital CBTe,” including associated modules, content, clinician tools, and updates.

“Documentation” means Supplier’s standard user guides, help articles, and technical documentation for the Service.

“Patient Data” means personal data and health-related data relating to a Patient User processed through the Service.

“Patient Users” means individuals invited, registered, or provisioned by Customer (or by Customer’s clinicians) to use Digital CBTe as part of Customer’s services.

“Service” means the hosted software service made available by Supplier to Customer under this Agreement, including Digital CBTe, Documentation, and Support.

“Support” means Supplier’s standard support services described in the Service Levels and Support Policy.

3. Provision of the Service

3.1 Access. During the Term and subject to payment of Fees, Supplier grants Customer a non-exclusive, non-transferable right to access and use the Service for Customer’s internal clinical and administrative purposes and solely for providing services to Patient Users consistent with applicable law and professional standards.

3.2 Activation credits. Customer may provision Patient Users up to the number of Activations purchased in the applicable Order Form. Activations are consumed when a Patient User account is activated. Unless the Order Form states otherwise:

  • Activations are non-refundable and expire at the end of the Order Term.
  • Unused Activations do not roll over.
  • An Activation may not be reassigned to a different Patient User after activation, except to correct an administrative error within 7 days of activation.

3.3 Customer responsibility for end users. Customer is responsible for all use of the Service by Authorized Users and Patient Users under Customer’s accounts, including compliance with this Agreement.

3.4 Implementation and training. If purchased, implementation, configuration, onboarding, and training services will be provided as described in the Order Form or statement of work.

3.5 Subcontractors. Supplier may use subcontractors to deliver the Service, including hosting and support providers. Supplier remains responsible for subcontractor performance under this Agreement. Data protection obligations for subprocessors are addressed in the UK Data Processing Addendum.

4. Acceptable use and restrictions

4.1 Acceptable Use Policy. Customer must comply with the Acceptable Use Policy (AUP), which is incorporated by reference.

4.2 Restrictions. Customer will not, and will not permit others to: (a) copy, modify, or create derivative works of the Service except as expressly permitted; (b) reverse engineer, decompile, or attempt to derive source code, except to the extent this restriction is prohibited by law; (c) access the Service to build a competing product or service; (d) interfere with or disrupt the Service or circumvent security measures; (e) use the Service for unlawful, infringing, harmful, or deceptive purposes; (f) upload malware or attempt unauthorized access.

4.3 Account security. Customer must maintain reasonable administrative, physical, and technical safeguards for its credentials and access.

5. Clinical and regulatory statements

5.1 Intended use and clinical oversight. Digital CBTe is intended to support clinical care pathways and is not an emergency service. Customer is solely responsible for clinical decision-making, treatment planning, and supervision of Patient Users, including determining suitability and monitoring risk.

5.2 Not for emergencies. The Service is not designed for crisis response. Customer will ensure Patient Users receive appropriate emergency instructions and local crisis resources.

5.3 NHS digital clinical safety standards. Supplier will maintain documentation to support compliance with NHS clinical safety requirements applicable to manufacturers (including DCB0129) and will make available a clinical safety case report and hazard log upon reasonable request. Customer is responsible for completing deployment and use assurance activities applicable to the adopting organization (including DCB0160) for its specific implementation.

5.4 Medical device and regulatory compliance. Each party will comply with applicable laws and regulations, including those relating to medical devices, clinical safety, data protection, and cybersecurity. If Digital CBTe is classified as a medical device in a given jurisdiction, Supplier will use commercially reasonable efforts to maintain appropriate conformity assessment, labeling, and post-market processes for that jurisdiction.

6. Fees, invoicing, and taxes

6.1 Fees. Customer will pay the fees specified in each Order Form (“Fees”).

6.2 Invoicing. Unless otherwise stated in the Order Form, Fees are invoiced in advance and payable within 30 days of invoice date.

6.3 Late payments. Late payments may accrue interest at the lesser of (a) 1.5% per month, or (b) the maximum allowed by law.

6.4 Taxes. Fees exclude taxes. Customer is responsible for applicable sales, use, VAT, GST, and similar taxes, excluding taxes on Supplier’s income.

6.5 Overages. If Customer exceeds purchased Activations, Supplier may (a) suspend additional Patient User activations until Customer purchases additional Activations, or (b) invoice at the then-current rate set out in the Order Form or Supplier’s pricing schedule.

7. Term and termination

7.1 Term. This Agreement begins on the Effective Date and continues until terminated. Each Order Form has its own order term (“Order Term”).

7.2 Termination for cause. Either party may terminate this Agreement or an affected Order Form upon written notice if the other party materially breaches and fails to cure within 30 days (10 days for nonpayment or security-related breaches).

7.3 Suspension. Supplier may suspend access to the Service (in whole or in part) for (a) nonpayment, (b) credible security risk, or (c) unlawful use, provided Supplier uses commercially reasonable efforts to provide notice and to narrow the suspension to what is reasonably necessary.

7.4 Effect of termination. Upon expiration or termination of an Order Form, Customer’s right to access the Service under that Order Form ends. Sections intended to survive will survive, including confidentiality, IP, liability, indemnities, and data protection provisions (as applicable to post-termination processing).

8. Customer Data and data protection

8.1 Customer Data ownership. As between the parties, Customer owns Customer Data. Supplier may process Customer Data only as needed to provide the Service, Support, security, and to comply with law, and as otherwise permitted by the applicable data processing addendum.

8.2 Data processing addendum. If Customer provides or makes available personal data to Supplier, the parties will comply with the UK Data Processing Addendum (for UK processing) and any other applicable addenda specified in the Order Form.

8.3 Security measures. Supplier will maintain appropriate technical and organizational measures designed to protect Customer Data, taking into account the nature of the data and risks. Supplier will provide a security overview upon reasonable request.

8.4 NHS Data Security and Protection Toolkit. If Customer is an NHS organization or processes NHS patient data, Supplier will maintain, as applicable, the Data Security and Protection Toolkit (DSPT) assessment and provide relevant assurance materials on request.

9. Confidentiality

9.1 Confidential information. “Confidential Information” means non-public information disclosed by a party that is marked or reasonably understood as confidential, including the Service, pricing, security details, and business plans.

9.2 Obligations. The receiving party will protect Confidential Information using at least reasonable care and will use it only to perform under this Agreement.

9.3 Exclusions. Confidential Information does not include information that is (a) publicly available without breach, (b) independently developed, (c) rightfully received from a third party without duty, or (d) approved for disclosure.

9.4 Compelled disclosure. A party may disclose Confidential Information if required by law, after providing notice and cooperation where legally permitted.

10. Intellectual property

10.1 Supplier IP. Supplier retains all right, title, and interest in the Service, Documentation, and Supplier technology, including improvements and derivatives.

10.2 Customer feedback. If Customer provides feedback, Supplier may use it without restriction or obligation, provided Supplier does not publicly attribute feedback to Customer without consent.

10.3 No implied rights. No rights are granted except as expressly set out in this Agreement.

11. Warranties and disclaimers

11.1 Performance warranty. Supplier warrants that it will provide the Service in a professional and workmanlike manner and in material conformance with Documentation.

11.2 Disclaimer. Except as expressly stated, the Service is provided “as is” and Supplier disclaims all other warranties, including implied warranties of merchantability, fitness for a particular purpose, and non-infringement.

11.3 Clinical disclaimer. Supplier does not practice medicine and does not provide medical advice. The Service does not replace professional judgment.

12. Liability

12.1 Exclusion of certain damages. To the maximum extent permitted by law, neither party will be liable for indirect, incidental, special, consequential, or punitive damages, or for lost profits, revenues, or data, arising out of or related to this Agreement.

12.2 Cap. Except for Excluded Claims, each party’s total liability arising out of or related to this Agreement will not exceed the total Fees paid or payable by Customer under the affected Order Form in the 12 months preceding the event giving rise to the claim.

12.3 Excluded Claims. “Excluded Claims” means (a) Customer’s payment obligations, (b) a party’s breach of confidentiality, (c) Customer’s infringement of Supplier IP, and (d) liability that cannot be limited under applicable law (including fraud and death or personal injury caused by negligence where applicable).

13. Indemnification

13.1 Supplier IP indemnity. Supplier will defend Customer against third-party claims that the Service infringes a patent, copyright, or trademark, and will pay damages awarded or agreed in settlement, provided Customer gives prompt notice and cooperation. Supplier may modify the Service or obtain a license. If neither is commercially reasonable, Supplier may terminate the affected Order Form and refund prepaid unused Fees for the remaining Order Term.

13.2 Customer indemnity. Customer will defend Supplier against third-party claims arising from (a) Customer Data content, (b) Customer’s use of the Service in violation of this Agreement or law, or (c) Customer services provided to Patient Users, and will pay damages awarded or agreed in settlement.

14. Compliance and audits

14.1 Compliance. Each party will comply with applicable laws, including anti-bribery and anti-corruption laws.

14.2 Audit cooperation. On reasonable notice, Supplier will provide reasonable information to support Customer’s compliance obligations, including for information governance and security assurance, subject to confidentiality and security constraints.

14.3 Freedom of Information (NHS). If Customer is subject to the Freedom of Information Act 2000 or similar transparency obligations, Customer may disclose information as required by law. Customer will use reasonable efforts to consult Supplier before disclosing Supplier Confidential Information, where permitted, and to apply applicable exemptions.

15. Publicity

15.1 No publicity without consent. Neither party will use the other party’s name or logo in press releases or marketing without prior written consent, except that Supplier may identify Customer as a customer in a confidential customer list shared with investors or auditors, unless Customer opts out in writing.

16. Notices

Notices must be in writing and delivered by email and registered mail (or other tracked delivery) to the addresses in the Order Form, and are effective upon receipt (or 3 business days after mailing if earlier).

17. Assignment

Neither party may assign this Agreement without the other party’s prior written consent, except to an Affiliate or in connection with a merger, acquisition, or sale of substantially all assets, provided the assignee agrees to be bound by this Agreement.

18. Force majeure

Neither party will be liable for failure to perform due to events beyond reasonable control (for example, natural disasters, government actions, or widespread internet outages), provided it uses reasonable efforts to mitigate.

19. Governing law and venue

19.1 Governing law. The governing law is specified in the Order Form. If not specified, England and Wales law governs.

19.2 Venue. The courts specified in the Order Form have exclusive jurisdiction. If not specified, the courts of England and Wales have exclusive jurisdiction.

20. Entire agreement

This Agreement and the documents incorporated by reference constitute the entire agreement between the parties regarding the Service and supersede all prior or contemporaneous agreements on the subject.

21. Updates to posted terms

21.1 Supplier may update these posted terms from time to time. Updates will not apply retroactively to an Order Form already in effect unless (a) the change is required by law, or (b) the change is mutually agreed in writing, or (c) the change is non-material and does not reduce Customer rights or increase Customer obligations in a material way. Supplier will maintain an archive of prior versions.


Schedule references

  • UK Data Processing Addendum (UK GDPR): uk_data_processing_addendum_v1.0.md
  • Service Levels and Support: service_levels_and_support_v1.0.md
  • Acceptable Use Policy: acceptable_use_policy_v1.0.md

Change log

  • v1.0 (2025-12-15): Initial release.