CoreFolio HIPAA

Last reviewed: 2026-05-24

Terms of service

By using CoreFolio, you agree to these terms. They are written to be understood, not to obscure anything.

What CoreFolio is

CoreFolio is self-assessment software for US healthcare practices. The first product, CoreFolio HIPAA, guides you through an annual HIPAA risk analysis under 45 CFR § 164.308(a)(1)(ii)(A) and a matching risk management plan under 45 CFR § 164.308(a)(1)(ii)(B). It produces structured, dated documentation you can use internally and share with your privacy officer or counsel.

CoreFolio is not legal advice. It is not an audit, an attestation, or a certification. No use of CoreFolio constitutes a representation to HHS, OCR, or any other body that your practice is in compliance with any law or regulation. A determination of HIPAA compliance is made by HHS OCR, not by software.

Who may use CoreFolio

CoreFolio is intended for US-based covered entities and business associates as defined under HIPAA. When you sign up, you identify the practice or business associate organization you are assessing (the “named practice”). Your CoreFolio subscription is licensed to you for the named practice only. You represent that you have authority to conduct a risk analysis and maintain compliance documentation on behalf of the named practice.

Use across multiple unrelated practices — including by a HIPAA consultant, MSP, or auditor working on behalf of clients — is not permitted under a standard subscription. If you advise multiple practices, contact us before signing up; we may permit this use under a separate written partner agreement.

Your data and our software — ownership and license

What is yours. The answers you enter, the dated Risk Analysis Report, the dated Risk Management Plan, the 2026 Readiness Gap Report, and the templates you fill in are yours. You may use, share, retain, and modify them for any internal compliance purpose at the named practice. We make no claim to the content of those outputs.

What is ours. The CoreFolio software, the assessment question bank, the scoring engine, the template language and form fields, the regulatory crosswalks, the content registries, the visual design, the brand, and all related intellectual property are owned by CoreFolio. We retain all rights in them.

License. Subject to these terms, we grant you a non-exclusive, non-transferable, non-sublicensable, revocable license to use CoreFolio and its outputs for the internal compliance purposes of the named practice during your subscription. This license does not include the right to redistribute, resell, scrape, train an artificial-intelligence model on, or rebuild from CoreFolio’s question bank, templates, or content registries. The Acceptable Use section below names the specific prohibitions.

Service improvement and aggregate insights

Reaffirm ownership. Per § 3, the answers you enter, the dated reports we generate for you, and the templates you fill in are yours. Nothing in this section changes that.

License to create derivatives. You grant CoreFolio a worldwide, royalty-free, non-exclusive, perpetual, irrevocable license to: (a) process your Digital Binder content to deliver the service to you; (b) create de-identified and aggregated derivatives from that content; and (c) use those derivatives for any lawful purpose — including service improvement, training of CoreFolio’s own machine-learning models, industry benchmarks, and research. The derivatives are not your data after de-identification; they are CoreFolio’s data.

De-identification standard. De-identification meets or exceeds the HIPAA Safe Harbor standard at 45 CFR § 164.514(b)(2). CoreFolio evaluates compliance with this standard before any external use. The full methodology is documented in the Data Processing Addendum.

Identified data stays private. CoreFolio does not sell, publish, or share data that identifies you or your practice without separate written consent. Aggregated benchmark statistics carry a minimum sample-size floor (default N ≥ 20 distinct practices, raised on a per-publication basis as the DPA documents).

Layered consent and your choices. CoreFolio uses a layered consent surface for derivative uses: service operation is required; service improvement (de-identified, internal) is on by default for new accounts and off by default at re-prompt for existing accounts; external benchmarks (de-identified, published) is off by default; named case studies require separate written consent every time. You can view and change your settings at any time from your account’s data-use settings page. The free-tier carve-out below means the free assessment never participates in any of these uses.

Survival on cancellation. Raw binder content is deleted per the section “What happens to your data when you cancel.” De-identified and aggregated derivatives created from your content while your consent covered the relevant layer are no longer your data after de-identification and survive cancellation by design.

Free-tier carve-out. This section applies only to the paid Digital Binder. The free assessment’s answers are stored in your browser’s localStorage and never reach CoreFolio’s servers; they cannot be used for any purpose — including service improvement, benchmarks, training, or research — because CoreFolio never receives them.

Symmetry with the customer-side prohibition in § 3. § 3 forbids you from using CoreFolio’s outputs to train an artificial-intelligence model. This section grants CoreFolio the server-side mirror right over de-identified derivatives of your binder content. Read together, the two rules describe a coherent contract: neither party trains on the other’s identified data.

Templates are starting points

CoreFolio templates, assessment questions, and regulatory references are starting points, not finished legal documents. They reflect our current understanding of HIPAA and related guidance and are intended to give you a structured place to begin. They are not a substitute for review by your privacy officer or counsel.

You are responsible for reviewing each template with your privacy officer or counsel before relying on it for your practice. Accepting a template inside CoreFolio without review does not by itself make the template appropriate for your practice.

We may revise templates, questions, and regulatory references as guidance evolves — for example, when HHS amends 45 CFR Part 164, when OCR publishes new enforcement guidance, when settlement precedent clarifies an obligation, or when a proposed rule is finalized. Revisions are surfaced inside the Digital Binder so you can review them and choose whether to adopt the change. CoreFolio is not liable for the compliance impact of any revision you adopt or decline to adopt.

Business associate status

CoreFolio does not receive, store, transmit, or process electronic protected health information (ePHI) on behalf of customers. Assessment answers are limited to the typed contracts described in our Privacy notice; we do not accept patient identifiers, treatment information, free-text fields carrying clinical content, or any other field that would carry ePHI through our servers.

Because CoreFolio does not perform a function that creates, receives, maintains, or transmits ePHI on behalf of a covered entity or business associate, CoreFolio is not a business associate as that term is defined at 45 CFR § 160.103. A Business Associate Agreement (BAA) is neither required for, nor offered with, CoreFolio.

Subscription, payment, and auto-renewal

The Digital Binder is sold as a subscription. We currently offer two billing cadences:

  • Monthly — $99/month, billed every month.
  • Annual — $990/year, billed every year (a two-month savings versus monthly).

Subscriptions renew automatically at the end of each billing period for another period of the same length and at the same price, until you cancel. You authorize us, through our payment processor (Stripe), to charge the payment method on file at each renewal. You will receive an emailed receipt for every charge.

How to cancel. You may cancel at any time from your Digital Binder account. Cancellation stops the next renewal; your subscription continues through the end of the current paid period, and you keep access until then. Cancellation is online and self-serve; no phone call, support ticket, or written notice is required.

Notice of price changes. If we change the price of your subscription, we will notify you by email at least 30 days before the change takes effect, with instructions for cancelling if you do not wish to continue at the new price.

This auto-renewal disclosure is provided in compliance with California’s Automatic Renewal Law, Cal. Civ. Code §§ 17600–17606.

Refunds

Subscription fees are non-refundable. Cancellation stops the next renewal but does not refund the current paid period. Your service continues through the end of the paid period after cancellation.

We may, at our discretion, refund a charge in cases of clear billing error or duplicate payment.

What happens to your data when you cancel

For 30 days after your subscription ends, you may request an export of your account’s binder data (status records, filled-in templates, completed reports) by contacting support. After 30 days, your account’s binder data is permanently deleted from our systems.

Reports you have already downloaded, exported, or printed remain yours regardless of subscription status. Your email-list subscriptions (the CoreFolio Brief, transactional notifications) persist until you unsubscribe.

For our own records and to support investigations of security or billing events, we retain a minimal audit log of account events (sign-in, subscription change, cancellation) for up to seven years. The audit log carries no ePHI, no assessment answers, and no template content; it carries only the account identifier and the event type.

Acceptable use

You agree not to:

  • Paste ePHI — patient identifiers, clinical notes, treatment information, or any other electronic protected health information — into any free-text field on CoreFolio. CoreFolio is not configured to receive ePHI and doing so violates these terms.
  • Use CoreFolio output and represent it as regulatory-reviewed, attorney-reviewed, HHS-approved, or officially certified when it has not been.
  • Use CoreFolio across multiple unrelated practices without a separate written partner agreement with us.
  • Resell, sublicense, redistribute, or otherwise commercialize CoreFolio’s software, question bank, templates, or content registries.
  • Reverse-engineer, scrape, or extract the assessment question bank, the template language, or the content registries in bulk; or use the outputs to train an artificial-intelligence model.
  • Use automated tools to submit forms or interact with the assessment outside of a real browser session.
  • Circumvent rate limits, access gates, billing controls, or any security measure on the service.

Termination by CoreFolio

We may suspend or terminate your access to CoreFolio for: non-payment after the standard payment-retry window has elapsed; violation of the Acceptable Use section; fraud, abuse, or attempts to circumvent security or billing controls; a security incident that requires us to lock the account to protect you or other customers; or compulsion by court order or regulatory action.

Where reasonable, we will give you written notice and a chance to cure the issue before terminating. The data-retention rules in the previous section apply to terminations as well as voluntary cancellations: 30 days to request export, then permanent deletion of binder data.

Indemnification

You will defend and indemnify CoreFolio against any third-party claim arising from: (a) your representation of CoreFolio output to a third party in a way these terms forbid (for example, claiming an output is attorney-reviewed when it is not); (b) your violation of the Acceptable Use section; (c) content you upload or input that infringes a third party’s intellectual-property or privacy rights; or (d) your use of CoreFolio outside the license granted in section 3.

We will defend and indemnify you against any third-party claim that the CoreFolio software, as delivered by us and used unmodified, infringes a US patent, copyright, or trade secret. This obligation does not cover: claims arising from your modifications to the software, claims arising from your content, or claims arising from your combination of CoreFolio with other systems where the combination (and not CoreFolio alone) is the cause of the claim.

Each party’s total indemnification liability under this section is capped at the amount the other party paid (or, in CoreFolio’s case, received from you) in the 12 months preceding the claim, consistent with the Limitation of Liability section below.

No warranty

CoreFolio is provided “as is.” We make no warranty, express or implied, that using CoreFolio will satisfy any legal obligation, prevent an OCR investigation, or produce a specific audit outcome. The regulatory landscape changes; we work to keep our content current but cannot guarantee that every question or template reflects the most recent guidance at the moment you use it.

We recommend that any ambiguous findings be reviewed with a qualified privacy officer or healthcare attorney before you act on them.

Limitation of liability

To the maximum extent permitted by law, CoreFolio’s liability to you for any claim arising from your use of the service is limited to the amount you paid us in the 12 months preceding the claim. We are not liable for indirect, incidental, consequential, or punitive damages.

Dispute resolution

Most disputes can be handled without lawyers. Before either of us starts a formal proceeding, we agree to try in good faith to resolve the dispute by direct conversation. To start that process, send a written notice describing the dispute to the address in section 16; we have 30 days to respond.

If informal resolution fails, any dispute arising from these terms or your use of CoreFolio that is not resolved within 60 days of the written notice will be resolved by binding individual arbitration, administered by JAMS under its Streamlined Arbitration Rules, seated in California. Each party will bear its own arbitration fees except as JAMS’s consumer-claim provisions require otherwise.

Class-action waiver. You and CoreFolio each waive the right to participate in a class action, collective action, or representative proceeding. Disputes will be resolved on an individual basis only. This waiver does not apply to requests for public injunctive relief, which the California Supreme Court has held cannot be waived in arbitration (the McGill rule); claims for public injunctive relief may be brought in court.

Carve-outs. Either party may seek injunctive or other equitable relief in court to protect its intellectual property; either party may pursue claims in small-claims court; and nothing in this section limits any government agency’s ability to bring an action.

30-day opt-out. You may opt out of this arbitration agreement by sending written notice within 30 days of first signing up. Send the notice to the address in section 16, including your account email and the words “Opt out of arbitration.” Opting out does not affect any other part of these terms.

General terms

Severability. If any provision of these terms is held unenforceable, the remaining provisions remain in full effect.

Entire agreement. These terms, together with our Privacy notice and Disclaimer, are the entire agreement between you and CoreFolio regarding the service.

Assignment. You may not assign these terms without our written consent. We may assign these terms in connection with a merger, acquisition, sale of assets, or similar transaction.

Force majeure. Neither party is liable for delays or failures caused by events outside its reasonable control — for example, acts of God, war, civil unrest, government action, internet or cloud-provider outages, or pandemics — provided the affected party uses reasonable efforts to mitigate.

Attorney’s fees. In any action to enforce these terms, the prevailing party is entitled to recover its reasonable attorney’s fees and costs.

Notices

Notices to you are sent to the email address on your CoreFolio account; we may also post material notices on the service.

Notices to CoreFolio may be sent to legal@corefolio.ai. A postal address for service of process will be added to this section before paid launch.

Changes to these terms

We may update these terms. If the change is material, we will notify active subscribers by email with at least 14 days’ notice before the new terms take effect. Continued use after the effective date constitutes acceptance. The “Last reviewed” date at the top of this page is updated whenever the terms change.

Governing law

These terms are governed by the laws of the State of California, without regard to conflict of law provisions. Any dispute that this agreement permits to be brought in court — for example, IP enforcement actions and small-claims matters — will be resolved in the state or federal courts located in California.