Inbound Services Agreement, dated August 18, 2017, by and between the Registrant and Google Inc

Exhibit 10.25

Certain information contained in this document, identified by [***], has been redacted because it is both (i) not material and (ii) would likely cause competitive harm to the Registrant if publicly disclosed.

GOOGLE INBOUND SERVICES AGREEMENT

This Inbound Services Agreement (“ISA”) is effective as of the Effective Date and is entered into by and among Google, 1Life, and One Medical Group.

Page 1 of 46

1. Definitions.

1.1 “Affiliate” means: (a) any corporation which is a member of a controlled group of corporations (as defined under Section 414(b) of the Internal Revenue Code of 1986, as amended (the “Code”)) which includes Google Inc. and Alphabet Inc., or (b) any trade or business (whether or not incorporated) which is under common control (as defined under Code Section 414(c)) with Google.

1.2 “Agreement” means, collectively, this ISA (including all Attachments) and all SOWs issued under this ISA.

1.3 “Deliverable” means the work product developed specifically for and unique to Google that is identified in writing and agreed to by the parties and/or labeled as a Deliverable when delivered and/or specified in the applicable SOW, including, but not limited to documents, reports, floor plans and communication plans and delivered by 1Life or One Medical Group to Google under this Agreement. For purposes of clarity, 1Life/One Medical Group will share the calculations used to produce a Deliverable, as applicable and appropriate; provided, however, for purposes of clarity, this Agreement does not convey any rights of ownership to Google in such calculations.

1.4 “Eligible Employees” means those employees of Google and its Affiliates as specified in the applicable SOW who are eligible to receive the Services.

1.5 “Eligible Dependents” means dependents of Eligible Employees as specified in the applicable SOW who are eligible to participate in the Membership Services.

1.6 “Membership Services” means access to all One Medical Group Near-Site Clinics, the patient portal and mobile application, and other value added standard services that are offered to all One Medical Group members as part of the current membership offering.

1.7 “Eligibility Report” means a report identifying Eligible Employees and Eligible Dependents, as updated by Google in accordance with this Agreement.

1.8 “Google Data” means:

(a) data provided by Google to 1Life or One Medical Group under this Agreement;

(b) data provided by Google’s third party providers to 1Life or One Medical Group (provided that such providers enter into a data sharing agreement with Google, 1Life and One Medical Group). For purposes of clarity, the data set in this Section 1.8(b) shall be referred to as “Third Party Data”; or

(c) aggregated and de-identified data (including but not limited to experience, effectiveness, and efficiency data) generated or derived from Patient Data, specifically excluding Patient Data (defined below), data of 1Life/One Medical Group, and data involving One Medical Group patient populations other than Eligible Employees and Eligible Dependents. (Google will not receive Patient Data containing PHI but some of its third party providers (e.g. [***], [***], etc.) may; provided that such third party providers enter into a data sharing agreement with Google, 1Life and One Medical Group.) For purposes of clarity, the data set in this Section 1.8(c) shall be referred to as “Derived Googler Patient Data”.

Page 2 of 46

1.9 “Intellectual Property” or “IP” means anything protectable by an Intellectual Property Right.

1.10 “Intellectual Property Right(s)” means all patent rights, copyrights, trademark rights, rights in trade secrets (if any), design rights, database rights, domain name rights, moral rights, and any other intellectual property rights (registered or unregistered) throughout the world.

1.11 “Medical Personnel” means employees and contractors of One Medical Group.

1.12 “Medical Services” means the medical services that will be provided at the On-Site Clinics, at the Near-Site Clinics, and virtually via phone, the patient portal and mobile application, unless the reference is only to medical services provided at the On-Site Clinic, in which case the term “On-Site Clinic Medical Services” will be used.

1.13 “Near-Site Clinic” means the medical clinics owned and operated by One Medical Group nationwide. For clarity, Near-Site Clinics do not include On-Site Clinics.

1.14 “On-Site Clinic” means the on-site clinic(s) at Google’s office locations specified in the SOW(s).

1.15 “On-Site Clinic Medical Personnel” means the Medical Personnel who will provide the On-Site Clinic Medical Services.

1.16 “On-Site Clinic Medical Services” refers solely to the Medical Services provided by the On-Site Clinic Medical Personnel at the On-Site Clinic.

1.17 “Patient Data” means data provided by the Eligible Employees and Eligible Dependents to 1Life / One Medical Group under this Agreement, data collected about or from Eligible Employees and Eligible Dependents in the course of providing Medical Services, and Protected Health Information as defined under HIPAA.

1.18 “Personnel” means the employees and contractors of 1Life and One Medical Group unless used in connection with the provision of Medical Services, in which case the term “Medical Personnel” will be used.

1.19 “Prior NY Agreement” means the Master Services Agreement by and among Google Inc., 1Life Healthcare, Inc. and One Medical of NY, P.C., dated July 9, 2015.

1.20 “Reasonable Efforts” means commercially reasonable efforts of at least a level and quality generally accepted in the industry under the circumstances.

1.21 “Services” means the services that 1Life and One Medical Group are required to provide under this Agreement. For the avoidance of doubt, Services include Hosted Services, Membership Services and the Medical Services.

1.22 “SOW” means a fully-signed statement of work, specifying the Services and Deliverables under this Agreement, in the form attached as Attachment A.

1.23 “Successor Supplier” means any designated person or company engaged to provide services to replace any of the On-Site Clinic Medical Services provided by One Medical Group and related services provided by 1Life in connection with such replacement of the On-Site Clinic Medical Services such as medical records transfer.

Page 3 of 46

1.24 “Tax(es)” means all government-imposed taxes, except for taxes based on 1Life’s or One Medical Group’s or Personnel’s net income, net worth, asset value, property value, or employment.

1.25 In this Agreement, (A) “include” or “including” means “including but not limited to,” and (B) examples are illustrative and not the sole examples of a particular concept.

2. Services and Deliverables.

2.1 Services; Requirements.

(A) Services. 1Life and One Medical Group will provide Services and Deliverables as specified in applicable SOWs.

(B) Affiliates. So long as an Affiliate is participating in the Google group health plan, it may not independently enter into SOWs under this ISA.

2.2 [Intentionally Omitted]

2.3 Notice of Delays. 1Life or One Medical Group will promptly notify Google in writing of anything that is likely to cause a delay in the delivery of any Deliverable.

3. Payment.

3.1 Invoices.

(A) Submitting Invoices. 1Life or One Medical Group must submit invoices to Google’s online portal at [***] according to the portal’s instructions. Unless otherwise specified in the invoicing section of the applicable SOW, 1Life or One Medical will invoice Google monthly in arrears.

(B) Disputing Invoices. Google will only initiate invoice disputes in good faith, and will provide a written description of the disputed amounts. Upon Google’s request, 1Life or One Medical Group will issue separate invoices for undisputed and disputed amounts. Payment of any undisputed amounts will not compromise Google’s right to object to the disputed amounts. Disputed amounts will not be due until the dispute is finally resolved, and will then be payable according to Subsection (C) (Paying Invoices).

(C) Paying Invoices. Google will pay 1Life or One Medical Group within [***] days after Google receives a correct invoice in accordance with this Section 3.1 (Invoices).

3.2 Expenses.

(A) Expenses Eligible for Reimbursement. Google will reimburse expenses up to the amounts specified in the applicable purchase order or SOW, unless the parties mutually agree otherwise in writing (e-mail is acceptable), and only if they are:

(1) actual, reasonable, and necessary (without mark-ups or commissions);

(2) approved in advance and in writing by Google; and

Page 4 of 46

(3) accompanied by receipts or other documentation that Google may reasonably request establishing the type, date, amount, payment, and purpose for such expenses.

(B) 1Life and One Medical Responsible for Personnel’s Expenses. 1Life and One Medical Group are solely responsible for reimbursing their respective Personnel’s expenses and will do so in accordance with all applicable laws and regulations.

3.3 Right to Offset Payment. In addition to other rights and remedies Google may have, Google may offset any payment obligations to 1Life or One Medical that Google may incur under this Agreement against any fees owed to Google and not yet paid by 1Life or One Medical under this Agreement or any other agreement between 1Life or One Medical and Google. Google may also withhold and offset against its payment obligations under this Agreement any amounts Google may have overpaid to 1Life or One Medical in prior periods. Prior to exercising the right to offset payment set forth in this Section 3.3, Google will provide at least [***] day’s prior written notice of its intent to offset, which notice shall include the justification for any amounts to be offset, and a point of contact at Google so that the parties may discuss the circumstances concerning such potential offsets.

3.4 Taxes.

(A) Invoicing and Payment. Taxes are not included in the fees. Google will pay itemized, correctly-stated Taxes for the purchased Services and Deliverables unless Google provides a valid Tax exemption certificate.

(B) Withholding Taxes. If legally required, Google will withhold Taxes from its payments to 1Life or One Medical Group and provide a withholding Tax certificate.

3.5 Bank Charges. The party receiving payment will be responsible for bank and credit card charges assessed by its bank or the credit card issuer.

4. Intellectual Property and Deliverables.

4.1 Ownership. Notwithstanding anything else in this Agreement, each party will retain all Intellectual Property Rights in its Intellectual Property that it owned or developed prior to the date hereof, or acquired or developed after the date hereof, without reference to or use of the Intellectual Property of the other party.

4.2 Improvements and Modifications. Notwithstanding anything else in this Agreement, 1Life will have ownership of any improvements or modifications to its Intellectual Property [***], and Google will have ownership of any improvements or modifications to its Intellectual Property [***].

4.3 Third Party Materials. 1Life will acquire any licenses or permissions required to utilize any third party’s Intellectual Property incorporated into the Services and Deliverables, including any open source materials, and will remain liable for the same. Further, Google’s use of such third party’s Intellectual Property in connection with the Services and Deliverables in accordance with the terms of the Agreement and any SOW will not constitute an infringement thereof. This Section 4.3 will survive termination or expiration of this Agreement.

Page 5 of 46

4.4 Customized Software and Intellectual Property Development.

(A) The parties agree and acknowledge that no Intellectual Property development or customized software is contemplated under this Agreement.

(B) If the parties desire to jointly develop Intellectual Property or customized software in the future, then they will memorialize the terms of such agreement in a SOW. The SOW must state which party owns the newly developed IP (“New IP”) or customized software and the details of any licenses which may be granted to the other parties.

4.5 Independent Development. Google and 1Life acknowledge that the other party is in the software development business. Notwithstanding anything to the contrary in this Agreement, nothing in this Agreement shall be construed to preclude either party from developing, using, marketing, licensing and/or selling any independently developed software which has the same or similar functionality as the Hosted Services, Google programs, or any other products, so long as such activities do not breach the terms of this Agreement. This Section 4.5 will survive termination or expiration of this Agreement.

4.6 Deliverables. The parties agree that the Deliverables delivered to Google under the applicable SOWs are owned by Google. For purposes of clarity, the underlying methodologies, business processes and work flows used in creating the Deliverables are owned by 1Life.

4.7 Work Flows. Each party will retain all rights to the clinical and medical workflows that it owned prior to the date hereof, or acquired or developed after the date hereof outside of performance under this Agreement. The parties expressly agree that each may freely use any workflows that the parties jointly develop under this Agreement, and that any such workflows that may rise to the level of Intellectual Property shall be memorialized in a separate SOW as provided for in Section 4.4.

4.8 Google Data. As among the parties, Google will retain ownership of the Google Data.

5. Licenses.

5.1 License to Derived Googler Patient Data. Google hereby grants to 1Life and One Medical Group a [***] license (with the right to sublicense to [***] who are acting on 1Life/One Medical Group’s behalf to carry out the purpose of this license) to [***] the Derived Googler Patient Data for purposes of [***]. For clarity, Derived Googler Patient Data can be combined with other [***] but cannot be externally attributable to Google.

Page 6 of 46

5.2 License to Use Google Materials; Anonymized Video/Photo Data.

(A) Google hereby grants 1Life and One Medical Group a limited, [***] license to copy, display, perform and otherwise use the Google Materials (“Google Materials”), which means any Google-provided audio files, logo images, digital photographs and other graphic files, text, branding guidelines, style guides, message templates, and materials) during the Term of the Agreement, solely as may be necessary to deliver the Services. If Google Materials include trademarks, trade names, or logos of Google (“Google Marks”), during the Term, Google grants to 1Life and One Medical Group a [***] license to [***] the Google Marks as part of the Services, as applicable. 1Life has no rights to modify the Google Marks in any way without obtaining the prior written consent of Google. 1Life’s and One Medical Group’s use of the Google Marks will be subject to Google’s prior review and written approval (which may be via e-mail), and Google will provide all necessary branding and trademark guidelines to 1Life. Google and its licensors retain all right, title and interest, including all related intellectual property rights, in and to Google Materials. This Agreement does not convey to 1Life or One Medical Group any rights of ownership in or related to the Google Materials. 1Life and One Medical Group acknowledge that their use of the Google Marks pursuant to this Agreement will not create any right, title or interest in such Google Marks in 1Life or One Medical Group. Google will have the sole right and discretion to bring, prosecute and settle infringement, unfair competition and similar proceedings based on the Google Marks.

(B) 1Life and One Medical Group may not use any anonymized or aggregated photo or video data derived from the Medical Services for any purpose other than providing individual patient care without written consent from the individual patient.

6. Confidentiality; Publicity; Privacy and Security.

6.1 Definition.

(A) “Confidential Information” means information that one party or an affiliate (“Discloser”) discloses to the other party (“Recipient”) under this Agreement, and that is marked as confidential or would normally be considered confidential information under the circumstances. It does not include information that is independently developed by the Recipient, is rightfully given to the Recipient by a third party without confidentiality obligations, becomes public through no fault of the Recipient or except as required by law to be disclosed.

(B) Each party’s Intellectual Property is its Confidential Information. Subject to Section 4, the Deliverables are Google’s Confidential Information. A Recipient may use Residuals for any purpose, including use in the acquisition, development, manufacture, promotion, sale, or maintenance of products and services; provided that this right to Residuals does not represent a license under any intellectual property and/or proprietary rights of a Discloser. The term “Residuals” means information that is retained in the unaided memories of Recipient’s employees or contractors as permitted herein who have had access to Discloser’s Confidential Information. Memory is unaided if the employee or contractor has not intentionally memorized the Confidential Information for the purpose of retaining and subsequently using or disclosing it.

Page 7 of 46

6.2 Confidentiality Obligations. The Recipient will not disclose the Discloser’s Confidential Information, except to employees, affiliates, agents, or professional advisors (“Delegates”) who need to know it and who have a legal obligation to keep it confidential. The Recipient will use the Confidential Information only to exercise rights and fulfill obligations under this Agreement. The Recipient may disclose Confidential Information when legally compelled by a court or other government authority. To the extent permitted by law, Recipient will promptly provide the Discloser with sufficient notice of all available details of the legal requirement and reasonably cooperate with the Discloser’s efforts, at the Discloser’s expense, to challenge the disclosure, seek an appropriate protective order, or pursue such other legal action, as the Discloser may deem appropriate. The Recipient will ensure that its Delegates are also subject to the same non-disclosure and use obligations.

6.3 No Rights. Except for the limited rights under this Agreement, no party acquires any right, title, or interest in another party’s Confidential Information.

6.4 No Publicity. Except as may be required by law, no party may make any public announcement regarding this Agreement without the written approval (email is acceptable) of the other parties.

6.5 Privacy and Security. If 1Life and One Medical Group have access to Protected Information (as defined in Attachment D (Information Protection Addendum)) in connection with this Agreement, then they will comply with Attachment D in addition to this Section 6.

7. Insurance.

7.1 1Life and One Medical Group will maintain insurance policies in accordance with Attachment B (Insurance).

8. Independent Contractor; Personnel.

8.1 Not Employees. 1Life and One Medical Group are independent contractors and their Personnel are not Google employees. For their respective Personnel, 1Life and One Medical Group are responsible for, as applicable:

(A) Personnel’s acts and omissions;

(B) recruiting, staffing, instructing, training, and managing Personnel performing Services;

(C) performance evaluations, promotions, and terminations; and

(D) determining Personnel’s compensation (i.e., any stated rates for Services provided are not wage rates).

The right and duty to issue work assignments, to correct deficient performance, and to effectuate all other aspects of its supervisory responsibility hereunder shall at all times remain with 1Life and One Medical Group, as applicable.

8.2 No Employee Compensation or Benefits. 1Life and One Medical Group’s Personnel will not be entitled to any compensation, stock, options, or other rights or benefits provided to Google employees in connection with their performance under this Agreement.

Page 8 of 46

8.3 Income Tax Withholding for Personnel. 1Life and One Medical Group are responsible for any income tax withholding applicable to their respective Personnel.

8.4 Personnel. Other than the Medical Personnel who are employed or contracted by One Medical Group (for whom One Medical Group assumes legal responsibility as the employer or contractor), 1Life hereby assumes all legal responsibility as the employer or contractor of all 1Life personnel.

8.5 Neither 1Life nor Google will engage in the practice of medicine nor in any way direct or control the practice of medicine or direct the provision of health services required to be provided by a licensed provider.

8.6 Termination of Personnel. 1Life or One Medical Group is responsible for all costs associated with terminating their respective Personnel, including:

(A) costs arising under applicable law; and

(B) costs arising under an agreement between 1Life or One Medical Group and their respective Personnel.

8.7 Dispute Resolution Agreements with Personnel. 1Life or One Medical Group will enter into dispute resolution agreements with [***] whose work for 1Life or One Medical Group consists primarily of providing Services to Google, requiring:

(A) arbitration of any claims arising out of Personnel’s relationship with 1Life or One Medical Group; and

(B) a waiver of all rights to bring a [***].

9. HIPAA.

9.1 Definitions. In this Section 9, all capitalized terms will have the definitions given to them by the Health Insurance Portability and Accountability Act of 1996, as amended, and any regulations promulgated thereunder (“HIPAA”), including the following:

(A) “Breach” has the same meaning as the term “breach” at 45 C.F.R. § 164.402.

(B) “PHI” has the same meaning as the term “protected health information” at 45 C.F.R. § 160.103.

(C) “Security Incident” has the same meaning as the term “Security Incident” at 45 C.F.R. § 164.304.

9.2. Acknowledgements.

(A) 1Life and One Medical Group acknowledge and agree that HIPAA governs the use and/or disclosure of certain Personal Information (as defined in the Information Protection Addendum) that may be obtained or created through the provision of services under this Agreement.

(B) 1Life and One Medical Group acknowledge and agree that they (and One Medical Group’s affiliated Professional Corporations) are considered “Affiliated Covered Entities” under HIPAA, and as such will only use and disclose PHI for treatment, payment and operations purposes or as otherwise required or permitted by law.

Page 9 of 46

(C) 1Life and One Medical Group will maintain any books, records, patient charts, patient files or any other document containing PHI in accordance with HIPAA, the Information Protection Addendum and applicable medical and privacy laws, as amended from time to time.

9.3 Patient records.

(A) 1Life will arrange for the provision of all record keeping services related to the maintenance and storage of medical records; however all patient records will be prepared by One Medical Group/the Medical Personnel and will remain the property of One Medical Group and/or the patient per applicable law.

(B) Google understands and agrees that all of the medical records and other PHI will be held in strict confidence and that Google will not be entitled to have access to medical records, in the absence of an appropriate written authorization from the patient/employee.

(C) 1Life’s and One Medical Group’s medical records systems will be configured to ensure that only those Personnel authorized under HIPAA and other applicable privacy and patient records laws have access to such medical records. Without limiting the generality of the foregoing, and to the extent Google seeks information from 1Life or its other Affiliated Covered Entities that may include PHI, Google represents and warrants that it is authorized to receive such information, and that either: (i) Google has all necessary consents and approvals, including those from its employees, their spouses or dependents, as applicable, to permit requested disclosures of PHI, or (ii) all Google representatives seeking such information are properly authorized representatives of the Google group health plan (as such term is defined in 45 C.F.R. § 160.103).

(D) One Medical Group will supply patients with access to their medical records in prompt and reasonable manner and in a HIPAA standards-compliant format as required by 45 C.F.R § 164.524 and 45 C.F.R §162 (e.g. consolidated CDA or FHIR interface), or as otherwise reasonably requested by the patient or their legally authorized representative (e.g. PDF).

9.4 Safeguards. 1Life and One Medical Group will:

(A) use reasonable administrative, technical, and physical safeguards, and comply with the Security Rule with respect to electronic PHI, to prevent use or disclosure of PHI other than as provided by the Agreement;

(B) maintain a data security program that complies with HIPAA, the Information Protection Addendum, and applicable law;

(C) in accordance with the Agreement and applicable law, report to Google any use or disclosure of PHI not provided for by the Agreement or any Breach, or Security Incident involving the Google Data and Protected Information of which they become aware;

Page 10 of 46

(D) ensure that any contractor or subcontractors that access PHI on behalf of Google contractually agree to the same terms that apply to 1Life and One Medical Group with respect to such PHI;

(E) provide access to PHI maintained in a Designated Record Set in accordance with 45 C.F.R. § 164.524 and Google’s specified timeframes;

(F) at the individual’s request, where required, amend the PHI maintained in a Designated Record Set in accordance with 45 C.F.R. § 164.526;

(G) respond to an Individual’s request for an accounting of PHI disclosures in accordance with 45 C.F.R. § 164.528 and Google’s specified timeframes;

(H) make their internal practices and records available to the Secretary of the Department of Health and Human Services to determine HIPAA compliance; and

(I) in accordance with applicable law and 1Life/One Medical Group’s internal policies (provided such are no less protective than applicable law), return or destroy (and retain no copies of) all PHI received from Google once such PHI is not needed to perform Services.

10. Representations and Warranties.

10.1 Mutual. Each party represents and warrants that it has full power and authority to enter into and fulfill its obligations under this Agreement.

10.2 1Life and One Medical Group. Unless otherwise indicated, 1Life and One Medical Group represent and warrant that:

(A) Quality. Performance of their respective services under this Agreement will be of professional quality and performed with reasonable skill and care consistent with generally-accepted industry standards and One Medical Group represents and warrants that any On-Site Clinic Medical Personnel’s performance will satisfy the applicable standard of care for One Medical Group medical professionals in the community.

(B) Specifications and Requirements. Except as otherwise stated in sub-section A above, the Services and Deliverables will meet this Agreement’s specifications and requirements.

(C) Hosted Services. The Hosted Services (i) are not subject to any open source license or other terms that require software or documentation be disclosed or distributed in source code form, be licensed for the purpose of making derivative works, or be redistributable at no charge, and (ii) do not contain any copy protection, automatic shut-down, lockout, “time bomb” or similar mechanisms that could interfere with Google’s exercise of its business or its rights under this Agreement. In addition to the indemnity obligations set forth in Section 11 (Defense and Indemnity), in the event of a third party

Page 11 of 46

claim that the use of the Hosted Services infringes or misappropriates any third party Intellectual Property Rights, 1Life or One Medical Group will do the following at its sole option and expense: (i) procure the right for Eligible Employees and Eligible Dependents to continue using the Hosted Services in compliance with this Agreement; or (ii) modify the Hosted Services to make them non-infringing without materially reducing functionality; or (iii) replace the Hosted Services with a non-infringing, substantially functionally-equivalent alternative.

(D) Viruses and Malicious Code. 1Life represents and warrants that it will not intentionally introduce any viruses or other malicious code into the Deliverables or Hosted Services; provided, however, that no virus or malicious code will be attributable to the Deliverables or Hosted Services to the extent that it is demonstrated by 1Life to have been provided to 1Life by or on behalf of Google.

(E) Non-Infringement. 1Life represents and warrants that the Services and the Deliverables (excluding any Google Confidential Information or data provided by or on behalf of Google to 1Life included in the Deliverables) will not infringe upon any and all (i) United States or foreign patent rights or any application therefore and any and all reissues, divisions, continuations, renewals, extensions and continuations-in-part thereof (“United States and Foreign Patent Rights”); (ii) trade secrets; (iii) copyrights, copyright registrations and applications therefore in the United States or any foreign country, and all other rights corresponding thereto throughout the world; and (iv) any other proprietary rights anywhere in the world (“Intellectual Property Rights of any third party”).

(F) No Conflicts. There are no actual or potential conflicts of interest regarding 1Life’s or One Medical Group’s performance under this Agreement.

(G) Legal Proceedings. No legal proceedings have been threatened or brought against 1Life or One Medical Group that threaten the provision of the Services, and 1Life or One Medical Group will promptly notify Google in writing if such legal proceedings are brought against 1Life or One Medical Group during the term of the Agreement.

(H) License Rights. 1Life has and will retain all necessary rights to grant the licenses in this Agreement and perform under this Agreement.

(I) No Breach of Third-Party Obligations. Fulfillment of their obligations under this Agreement will not breach any obligations they have to any third party.

(J) No Use of Third-Party Confidential Information. In performing the Services, neither will use or bring to Google any third party’s confidential or proprietary information unless 1Life or One Medical Group obtains the third party’s prior written consent or has the licensed right to use such information.

(K) Compliance with Google’s Procedures, Policies, and Code of Conduct. 1Life and One Medical Group, as applicable, will ensure that Personnel and Medical Personnel will comply with:

(1) Google’s environmental, health, safety and physical security procedures that are commercially reasonable and provided in advance to 1Life/One Medical Group when performing Services at Google’s facilities; and

(2) Google’s Supplier Code of Conduct at

http://www.google.com/about/company/responsible-manufacturing.html.

Page 12 of 46

(J) Compliance with Laws. Each will comply with all applicable laws and regulations, including the following:

(1) Import and Export. Each will comply with all applicable import and export laws and trade sanction regulations.

(2) Anti-Bribery. Each will comply with all applicable commercial and public anti-bribery laws, including the U.S. Foreign Corrupt Practices Act of 1977 and the UK Bribery Act of 2010, which prohibit corrupt offers of anything of value, either directly or indirectly to anyone, including government officials, to obtain or keep business or to secure any other improper commercial advantage. “Government officials” include any government employee; candidate for public office; and employee of government-owned or government-controlled companies, public international organizations, and political parties. Furthermore, neither will make any facilitation payments, which are payments to induce officials to perform routine functions they are otherwise obligated to perform. Each will use commercially reasonable and good faith efforts to comply with Google’s due diligence process, including providing requested information.

(3) Employment; Occupational Health and Safety. 1Life and One Medical Group will comply with all applicable employment and occupational health and safety laws and regulations, including those related to employment practices, wages, and worker classification.

(4) HIPAA. Each will ensure that the Services under this Agreement shall be conducted in a manner that is compliant with HIPAA and each shall promptly notify Google if the scope of Services shall require changes to the Parties’ procedures or protocols to ensure continued compliance with HIPAA. Each will ensure that all Personnel or Medical Personnel, as applicable, are trained with respect to their duties and responsibilities under HIPAA and applicable state and federal privacy and security laws.

(5) Licensing. Each will cause the Medical Personnel to comply with all applicable laws and regulations with respect to licensing and certification, and each will cause the Medical Personnel to maintain during the term of this Agreement appropriate credentials, including, as applicable to the specific role of the Medical Personnel: (i) a duly issued and active license to practice medicine in the state where they are providing the Medical Services; (ii) good standing with his/her profession and state professional association; (iii) the absence of any license restriction, revocation or suspension; (iv) the absence of any involuntary restriction placed on his/her federal DEA registration; and (v) the absence of any felony conviction.

(6) Tax. Each will comply with all applicable tax laws as to its Personnel and/or Medical Personnel, as applicable, and the Services.

Page 13 of 46

10.3 Google. Google represents and warrants that:

(A) Viruses and Malicious Code. Neither Google nor any party working on its behalf will intentionally introduce any viruses or other malicious code into the Deliverables or the Hosted Services.

(B) License Rights. Google has and will retain all necessary rights to grant the licenses in this Agreement and perform under this Agreement.

(C) No Breach of Third-Party Obligations. Google and its personnel’s fulfillment of their obligations under this Agreement will not breach any obligations it has to any third party.

(D) No Use of Third-Party Confidential Information. In performing under this Agreement, Google will not use or bring to 1Life or One Medical Group any third party’s confidential or proprietary information unless Google obtains the third party’s and 1Life’s prior written consent.

(E) Compliance with Laws. Under this Agreement, Google will comply with applicable laws and regulations.

11. Defense and Indemnity.

11.1 Obligations.

(A) 1Life and One Medical Group, jointly and severally, will defend and indemnify Google and its Affiliates, directors, officers, and employees against all settlement amounts approved by 1Life and/or One Medical Group, as applicable, and any liabilities, damages, losses, costs, fees (including reasonable legal fees), and expenses in connection with any third-party legal proceeding to the extent arising from:

(1) 1Life’s or One Medical Group’s breach of warranty, gross negligence, willful misconduct, fraud, misrepresentation or violation of applicable laws;

(2) any property damage, personal injury, or death related to 1Life’s or One Medical Group’s performance of the Services (except for claims subject to indemnity in Section 11.1(B) which shall be handled in accordance with that section);

(3) a claim by 1Life’s or One Medical Group’s Personnel for any compensation, stock, options, or other rights or benefits provided to Google employees, in connection with performance under this Agreement;

(4) any breach of Section 6 (Confidentiality; Publicity; Privacy and Security) or applicable data protection laws; or

(5) an allegation that use of the Services or Deliverables (excluding any Google Confidential Information or data provided by or on behalf of Google to 1Life or One Medical Group included in the Deliverables) infringe or misappropriate any third party’s right including Intellectual Property Rights.

Page 14 of 46

(B) Notwithstanding Section 11.1(A) above, One Medical Group, alone, will defend and indemnify Google and its Affiliates, directors, officers, and employees against all settlement amounts approved by One Medical Group (such approval not to be unreasonably withheld, conditioned or delayed) and any liabilities, damages, losses, costs, fees (including reasonable legal fees), and expenses in connection with any third-party legal proceeding to the extent arising from a medical malpractice claim resulting from the Medical Services provided by Medical Personnel to Eligible Employees and Eligible Dependents hereunder. In the event One Medical Group and/or its insurer, as applicable, is unable to fully satisfy the obligation described in this Paragraph 11.1(B), then 1Life shall assume such remaining obligation.

(C) Google will defend and indemnify 1Life and One Medical Group and their respective directors, officers, and employees against all liabilities, damages, losses, costs, fees (including reasonable legal fees), and expenses in connection with any third-party legal proceeding to the extent arising from:

(1) Google’s [***] willful misconduct, fraud, misrepresentation or violation of applicable laws;

(2) any property damage, personal injury, or death related to [***] under the Agreement;

(3) a claim by [***] for any compensation, stock, options, or other rights or benefits provided to 1Life or One Medical Group employees, in connection with performance under this Agreement;

(4) any breach of [***] or applicable [***] laws; or

(5) an allegation that any [***] to 1Life or One Medical Group infringes or misappropriate any third party’s right including Intellectual Property Rights.

11.2 Exclusions. This Section 11 (Defense and Indemnity) will not apply to the extent that the indemnified party fails to notify the indemnifying party in writing promptly upon learning of any claim or suit for which indemnification may be sought resulting in the indemnifying party being prejudiced thereby, or the underlying allegation arises from:

(A) modifications to or use of the Services or Deliverables, or the indemnifying party’s Confidential Information or data, as applicable, not authorized or made by the applicable party;

(B) compliance with designs or instructions provided by the applicable party in writing.

11.3 Control of Defense. The indemnified party will tender sole control of the indemnified portion of the legal proceeding to the indemnifying party, but

Page 15 of 46

(A) the indemnified party has the right to reject controlling counsel chosen by the indemnifying party if the indemnified party reasonably believes there is a conflict of interest, has reasonably attempted to obtain a conflict waiver and/or it is not feasible to do so;

(B) the indemnified party may appoint its own non-controlling counsel at its own expense; and

(C) any settlement requiring the indemnified party to admit liability, pay money, or take (or refrain from taking) any action, will require the indemnified party’s prior written consent, such consent not to be unreasonably withheld, conditioned or delayed.

12. Limitations of Liability.

12.1 Liability. IN SECTION 12 (LIMITATIONS OF LIABILITY), “LIABILITY” MEANS ANY LIABILITY, WHETHER UNDER CONTRACT, TORT, OR OTHERWISE, INCLUDING FOR NEGLIGENCE.

12.2 Limitations.

(A) NO PARTY WILL HAVE ANY LIABILITY ARISING OUT OF OR RELATING TO THIS AGREEMENT FOR:

(1) ANOTHER PARTY’S LOST REVENUES;

(2) INDIRECT, SPECIAL, INCIDENTAL OR CONSEQUENTIAL LOSSES (WHETHER OR NOT FORESEEABLE OR CONTEMPLATED BY THE PARTIES AT THE EFFECTIVE DATE); OR

(3) EXEMPLARY OR PUNITIVE DAMAGES; AND

(B) SUBJECT TO SECTION 12.3 (EXCEPTIONS TO LIMITATIONS), EACH PARTY’S AGGREGATE LIABILITY ARISING OUT OF OR RELATING TO THIS AGREEMENT WILL NOT EXCEED THE GREATER OF: (1) [***], OR (2) THE AMOUNT GOOGLE PAID TO 1LIFE AND ONE MEDICAL GROUP UNDER THIS AGREEMENT FOR THE 12 MONTHS PRECEDING THE SUBJECT CLAIM.

12.3 Exceptions to Limitations. NOTHING IN SECTION 12.2(B) OF THIS AGREEMENT EXCLUDES OR LIMITS A PARTY’S LIABILITY FOR:

(A) DEATH OR PERSONAL INJURY RESULTING FROM ITS NEGLIGENCE OR THE NEGLIGENCE OF ITS PERSONNEL; PROVIDED, HOWEVER, THAT A PARTY’S AGGREGATE LIABILITY ARISING OUT OF OR RELATING TO:

1. A SETTLEMENT AMOUNT THAT IS APPROVED BY GOOGLE PURSUANT TO SECTION 11.3(C) AND DESCRIBED IN SECTION 11.1(B) IS LIMITED BY THE MAXIMUM LIMITS OF THE APPLICABLE ONE MEDICAL GROUP INSURANCE POLICY(IES); AND

2. ANY OTHER LIABILITY FOR WHICH INDEMNIFICATION MAY BE OFFERED BY, OR REQUIRED OF, A PARTY, PURSUANT TO SECTION 11.1(B), IS LIMITED TO AN AMOUNT THAT IS EQUAL TO THE AMOUNT DESCRIBED IN SECTION 12.2(B).

Page 16 of 46

(B) FRAUD OR FRAUDULENT MISREPRESENTATION;

(C) BREACH OF SECTION 6 (CONFIDENTIALITY; PUBLICITY; PRIVACY AND SECURITY) UP TO THE GREATER OF [***] OR THE AMOUNT GOOGLE PAID TO 1LIFE AND ONE MEDICAL GROUP FOR THE 12 MONTHS PRECEDING THE SUBJECT CLAIM;

(D) ITS OBLIGATIONS UNDER SECTION 3 (PAYMENT);

(E) DEFENSE AND INDEMNITY (SECTION 11) UP TO [***] (“CAP”), EXCEPT FOR OBLIGATIONS RELATED TO SECTION 11.1(A)(3) OR SECTION 11.1(C)(3) WHICH ARE NOT SUBJECT TO THE FOREGOING CAP; OR

(F) MATTERS FOR WHICH LIABILITY CANNOT BE EXCLUDED OR LIMITED UNDER APPLICABLE LAW.

12.4 1LIFE AND GOOGLE DO NOT RENDER MEDICAL SERVICES OR TREATMENTS. ACCORDINGLY, EXCEPT AS OTHERWISE EXPRESSLY SET FORTH HEREIN, NEITHER GOOGLE NOR 1LIFE IS RESPONSIBLE FOR THE MEDICAL SERVICES DELIVERED BY ONE MEDICAL GROUP UNDER THIS AGREEMENT. EXCEPT AS EXPRESSLY STATED HEREIN, 1LIFE AND ONE MEDICAL GROUP EXPRESSLY DISCLAIM ALL OTHER EXPRESS WARRANTIES OR CONDITIONS, AND ALL OTHER WARRANTIES, CONDITIONS, AND OBLIGATIONS IMPLIED IN LAW, INCLUDING WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.

13. Term and Termination.

13.1 Termination for Breach. Either party may terminate this ISA or any SOW if:

(A) the other party materially breaches Section 6 (Confidentiality; Publicity; Privacy and Security), Section 7.1 (Insurance) or Section 10 (Representations and Warranties) , and such breach is not capable of cure, or such party fails to cure any breach capable of cure within [***] days after receiving written notice of such breach. The termination will be effective the later of [***] days following receipt of written notice of breach or upon completion of the Exit Period (as defined herein); or

(B) the other party is in material breach of any other provision and fails to cure that breach within [***] days following receipt of written notice of breach. In such case, termination will be effective [***] days from the date of receipt of written notice.

13.2 Termination for Legal Cause. A party may [***] suspend performance of, or terminate a SOW upon [***] days’ (or shorter as agreed by the parties in the event that such [***] day notice period is not feasible under the circumstances) written notice to the other parties, if an applicable law or an applicable government or court order prohibits such performance.

13.3 Effects of Termination. Upon the effective date of termination, 1Life and One Medical Group will stop work on all applicable SOWs. Termination of this ISA terminates all outstanding SOWs. Google will pay for Services and Deliverables properly invoiced prior to the effective date of termination.

Page 17 of 46

14. Exit Procedures.

14.1 Exit Plan. 1Life and One Medical Group will develop and include an Exit Plan as specified in each SOW, as applicable, which will include appropriate transition measures for On-Site Clinic Medical Services and Deliverables (as applicable), and specifics for the return and destruction of Google Data.

14.2 Exit Period. The “Exit Period” will be as defined in the applicable On-Site SOW.

14.3 Cooperation. In the event of termination or expiration of this Agreement, 1Life and One Medical Group will provide assistance to Google and/or the Successor Supplier as is reasonable and sufficient to ensure the orderly and smooth transfer the On-Site Clinic Medical Services without disruption to Google’s business as specified in the applicable SOW (the “Exit Services”). Exit Services will be provided at a mutually agreeable cost.

15. General.

15.1 Notices. All notices of termination or breach must be in English, in writing and addressed to the other party’s legal department. All other notices must be in English, in writing and addressed to the other party’s primary contact. Notice can be by email and will be treated as given on receipt, as verified by written or automated receipt or by electronic log (as applicable).

15.2 Property Damaged or Not Returned. Unless specified otherwise in the applicable SOW, 1Life or One Medical Group will, at Google’s option, promptly, repair, replace, or compensate Google for the reasonable value of any Google property that is: (A) damaged by Personnel or On-Site Clinic Medical Personnel (normal wear and tear excepted); or (B) not returned on completion of the applicable On-Site Clinic Medical Services.

15.3 Background Checks. To the extent applicable, 1Life and One Medical will comply with the background check policies in Attachment C (Background Checks).

15.4 Equal Employment Opportunities. It is not the intent of the parties that either 1Life or One Medical Group will be serving as a federal subcontractor to Google under this Agreement. Nevertheless, because Google is an equal opportunity employer and federal contractor or subcontractor, each will comply, to the extent applicable, with the requirements of 41 CFR 60-1.4(a), 41 CFR 60-300.5(a), and 41 CFR 60- 741.5(a). These regulations prohibit discrimination against qualified individuals based on their status as protected veterans or individuals with disabilities, and prohibit discrimination against all individuals based on their race, color, religion, sex, sexual orientation, gender identity or national origin. These regulations require that covered prime contractors and subcontractors take affirmative action to employ and advance in employment individuals without regard to race, color, religion, sex, sexual orientation, gender identity, national origin, disability, or veteran status. To the extent applicable, the parties will abide by the requirements of Executive Order 13496 (29 CFR Part 471, Appendix A to Subpart A), relating to the notice of employee rights under federal labor laws.

Page 18 of 46

15.5 Records and Audit Rights.

(A) Maintaining Records. 1Life and/or One Medical Group, as applicable, will maintain complete and accurate records relating to this Agreement.

(B) Right to Audit Records. During the Agreement term, and for [***] after this Agreement terminates, Google’s third party auditor under obligations of confidentiality and with [***] days’ prior written notice, may audit 1Life and One Medical Group’s relevant records to confirm its compliance with this Agreement. Google’s auditor will only have access to those records reasonably necessary to confirm such compliance, specifically excluding access to any Patient Data. 1Life and/or One Medical Group will repay Google any overcharged amounts by, at Google’s option, either: (1) promptly issuing a credit to Google; or (2) issuing a refund to Google within [***] days of Google’s invoice date. 1Life and/or One Medical Group will reimburse Google for all reasonable audit costs if the price discrepancy for any particular invoice exceeds [***] percent. Google will promptly pay any price discrepancy determined owed by Google.

(C) Notice of Government Audits. If a government authority audits any portion of 1Life’s or One Medical Group’s business related to the Services or Deliverables, 1Life or One Medical Group will, to the extent legally permissible and under obligations of confidentiality, promptly notify Google and provide Google with reasonably-requested information about the audit.

15.6 Assignment. No party may assign or transfer its rights or obligations under this Agreement without the prior written approval of the other parties, and any attempt to do so is void; provided, however, that a party may assign this Agreement to a successor supplier in connection with a merger or sale of all or substantially all of its assets.

15.7 Change of Control. A “Change of Control” means the sale of all or substantially all the assets of a party; any merger, consolidation or acquisition of a party with, by or into another corporation, entity or person; or any change in the ownership of more than fifty percent (50%) of the voting capital stock of a party.

(A) If 1Life experiences a Change of Control, then 1Life will give written notice to Google within [***] days after the change of control; and if in such case Google does not wish to be contracting with another entity as a result of such change in control, then Google may, at its option, terminate the Agreement upon [***] days’ written notice.

15.8 Subcontracting.

(A) 1Life or One Medical Group, as applicable, will notify Google via email of any subcontracted obligations for the On-Site Clinic staffing outlined in the applicable On-Site SOW, and the parties agree to discuss in good faith any concerns which Google has regarding such subcontracted obligations.

(B) Services provided at the Near Site Clinics. 1Life or One Medical Group may subcontract any of its respective obligations under this Agreement without Google’s written consent.

(C) 1Life or One Medical Group, as applicable will remain liable for all subcontracted obligations and all acts or omissions of its subcontractors.

Page 19 of 46

15.9 Force Majeure. No party will be liable for failure or delay in performance to the extent caused by circumstances beyond its reasonable control.

15.10 No Waiver. No party will be treated as having waived any rights by not exercising (or delaying the exercise of) any rights under this Agreement.

15.11 No Agency. This Agreement does not create any agency, partnership, or joint venture among the parties.

15.12 No Third-Party Beneficiaries. This Agreement does not confer any benefits on any third party unless it expressly states that it does.

15.13 Execution. The parties may execute this Agreement using electronic signatures, electronic copies, and counterparts.

15.14 Entire Agreement. This Agreement, including the Attachments hereto, sets out all the terms agreed among the parties and supersedes all other agreements between the parties as of the Effective Date relating to its subject matter. In entering into this Agreement no party has relied on, and neither party will have any right or remedy based on, any statement, representation, or warranty (whether made negligently or innocently), except those expressly stated in this Agreement. Any terms or conditions on a quote, invoice, or other similar document from 1Life or One Medical Group related to this Agreement or the Services, including any online terms between Google and the parties hereto, or from Google on any purchase order related to this Agreement, are void.

15.15 Amendments. Any amendment must be in writing, signed by all parties, and expressly state that it is amending this Agreement.

15.16 Severability. If any term (or part of a term) of this Agreement is invalid, illegal or unenforceable, the rest of this Agreement will remain in effect.

15.17 Order of Precedence. If there is a conflict between any term of this ISA and a SOW, the terms of the applicable SOW will control with respect to such conflict provided this is expressly stated and agreed to in the Special Terms section of the applicable SOW.

15.18 Governing Law. ALL CLAIMS ARISING OUT OF OR RELATED TO THIS AGREEMENT WILL BE GOVERNED BY CALIFORNIA LAW, EXCLUDING CALIFORNIA’S CONFLICT OF LAWS RULES, AND WILL BE LITIGATED EXCLUSIVELY IN THE FEDERAL OR STATE COURTS OF SANTA CLARA COUNTY, CALIFORNIA, USA; THE PARTIES CONSENT TO PERSONAL JURISDICTION IN THOSE COURTS.

15.19 Survival Sections. The following Sections will survive expiration or termination of this Agreement: Sections 1 (Definitions), 3 (Payment, to the extent there are any due but unpaid amounts), 4 (Intellectual Property and Deliverables), 5 (Licenses), 6 (Confidentiality; Publicity; Privacy and Security), 8 (Independent Contractor; Personnel), Section 10.2(E)(Non-Infringement), as it pertains to Deliverables delivered after the termination of the Agreement, if applicable, 11 (Defense and Indemnity), 12 (Limitations of Liability), 13.3 (Effects of Termination), and 15 (General); provided, however, sub-sections 15.2 (Property Damaged or Not Returned), 15.3 (Background Checks) and 15.4 (Equal Employment Opportunities), will not survive. Sub-sections 15.5 A (Maintaining Records) and C (Notice of Government Audits) will survive, but Sub-section 15.5 B (Right to Audit Records) will only survive for a period of one (1) year following the expiration or termination of this Agreement.

Page 20 of 46

15.20 Termination of Prior NY Agreement. The parties hereby agree that effective as of January 2, 2018, the Prior NY Agreement will be terminated and replaced in its entirety by this Agreement (including applicable SOWs), and as of such date the Prior NY Agreement will be of no further force and effect.

SIGNATURES FOLLOW ON THE NEXT PAGES

Page 21 of 46

Signed by the parties’ authorized representatives on the dates below.

Page 22 of 46

Page 23 of 46

ATTACHMENT A

SOW TEMPLATE

[This is an example SOW and should not be completed in this Attachment.

Make a copy of this template for each new SOW.]

Statement of Work No. ___

[Insert project name here]

This Statement of Work (“SOW”) is issued under the Inbound Services Agreement between Google Inc. (“Google”) and the contractor listed below (“Contractor”) dated [insert Effective Date of the Inbound Services Agreement] (the “ISA”).

A. All defined terms in this SOW have the same meaning as in the ISA unless this SOW expressly states otherwise.

B. All references to Services and Deliverables below are restricted to the Services and Deliverables under this SOW, and not those under the parties’ other SOWs, if any.

C. If there is any conflict between this SOW and the ISA, the terms of the SOW will control with respect to such conflict provided such is expressly stated and agreed to by the parties in Section 13, Special Terms, of the SOW.

D. Contractor (and its Project Manager) will work with the Google Project Manager listed below.

E. NO SERVICES MAY BE PERFORMED UNTIL GOOGLE AND CONTRACTOR SIGN THIS STATEMENT OF WORK.

Page 24 of 46

Page 25 of 46

Page 26 of 46

If you are signing on behalf of your company, you represent and warrant that you:

If you do not have the legal authority to bind your company, do not sign the signature box below.

Signed by the parties’ authorized representatives on the dates below.

[Signature Block]

Page 27 of 46

ATTACHMENT B

INSURANCE

One Medical Group

During the Agreement term, One Medical Group will ensure that the Medical Personnel, as applicable, maintain professional liability (medical malpractice) insurance covering the acts and omissions in connection with the Medical Services with limits of not less than [***] per occurrence and [***], in aggregate. One Medical will maintain Healthcare Providers Professional Liability insurance providing excess coverage above the applicable insurance held by Medical Personnel covering the acts and omissions of the Medical Personnel, as applicable, in the minimum annual coverage amounts of [***] per occurrence and [***] in the aggregate. One Medical Group will provide Google with notice of cancellation of any policy required above in accordance with policy provisions.

1Life and/or One Medical Group

During the Agreement term and at its own expense, 1Life and/or One Medical Group will maintain the following insurance coverage in connection with the applicable Services and Deliverables, with insurance carriers rated A- or better by A.M. Best Company:

1. Standard Coverages. Any combination of the following insurance may be used to meet the total limit requirements of this Section.

1.1 Commercial General Liability insurance, including contractual liability coverage, on an occurrence basis for bodily injury, death, “broad form” property damage, products and completed operations, and personal and advertising injury, with coverage limits of not less than US[***] per occurrence.

1.2 Workers’ Compensation insurance as required by law in the state where the Services will be provided, including employer’s liability coverage for injury, disease and death, with coverage limits of not less than US[***] per accident and employee.

1.3 Umbrella (Excess) Liability insurance on an occurrence form, with coverage limits of not less than US[***] per occurrence.

2. Specific Coverages.

2.1 Auto Liability. If the Services include Personnel driving, then 1Life or One Medical will additionally maintain auto liability insurance coverage for all owned, non-owned and hired vehicles with coverage limits of not less than US[***] per occurrence for bodily injury and property damage.

2.2 [Intentionally Omitted]

Page 28 of 46

2.3 Commercial Crime. If the Services include access to financial information, funds, payments, or other financial records, then 1Life or One Medical Group will additionally maintain commercial crime insurance on an occurrence form with coverage limits of not less than US[***] annual aggregate.

2.4 Network Security and Privacy Liability. If 1Life or One Medical Group will collect, store, process or otherwise access any data related to Google, its customers, or its employees, then 1Life or One Medical Group will additionally maintain network security and privacy liability insurance with coverage limits of not less than US[***] per claim, that includes coverage for: (A) 1Life or One Medical Group unauthorized disclosure of, or failure to properly handle, personal or other confidential data; and (B) financial loss, including any related defense expense, resulting from 1Life or One Medical Group’s wrongful acts in rendering Services. If 1Life or One Medical Group’s professional liability policy includes coverage for network security and privacy liability, then any combined single limit for the policy must be the sum of the limits required for each (i.e., US[***]).

3. Coverage Requirements.

3.1 Primary Coverage. 1Life and One Medical Group’s policies will be considered primary without right of contribution from Google’s insurance policies.

3.2 Policy Limits. 1Life and One Medical’s policies will apply to the full extent provided by the policies. The coverage requirements in Sections 1 (Standard Coverages) and 2 (Specific Coverages) above will not lower the coverage limits of 1Life and One Medical’s policies, and will not limit their obligations or liability under this Agreement (including indemnities).

3.3 Additional Insured. 1Life and One Medical Group will name Google and its Affiliates and their officers, directors, shareholders, employees, agents and assignees as additional insureds in each of the policies required above except for:

(A) workers’ compensation,

(B) professional liability, and

(C) network security and privacy liability policies.

3.4 Waiver of Subrogation. 1Life and One Medical Group will include a severability of interests and waiver of subrogation clause in favor of Google in each of the policies required above except for:

(A) professional liability, and

(B) network security and privacy liability policies.

3.5 Cancellation Notice. 1Life and One Medical Group will provide Google with notice of cancellation of any policy required above in accordance with policy provisions.

Page 29 of 46

4. Responsible for Own Insurance Coverage.

4.1 1Life and One Medical Group’s Activities at Own Risk. All of 1Life and One Medical Group’s activities under this Agreement will be at their own risk.

4.2 No Benefit of Google Insurance Policies. Personnel will not be entitled to any benefits under Google’s insurance policies.

4.3 1Life and One Medical Group Responsible for Subcontractor’s Insurance Coverage. 1Life or One Medical Group, as applicable, are solely responsible for ensuring that their subcontractors maintain insurance coverage that is usual, reasonable and customary for the services provided by such subcontractors to ensure that 1Life and One Medical Group’s can meet their requirements and obligations under this Agreement.

5. Certificates of Insurance.

5.1 Evidence of Insurance Coverage. Upon Google’s request, 1Life and One Medical Group will provide evidence of required insurance coverage to Google or Google’s third-party vendor.

5.2 Google Not Obligated to Review Insurance Coverage. Google’s failure to request, review, or object to the terms of 1Life or One Medical Group’s certificates of insurance will not:

(A) waive any of 1Life and One Medical Group’s obligations under this Agreement;

(B) waive any of Google’s rights under this Agreement; or

(C) limit or diminish 1Life and One Medical Group’s liability under this Agreement.

Page 30 of 46

ATTACHMENT C

BACKGROUND CHECKS

1. Applicable Categories. To the extent permitted under applicable law, 1Life or One Medical Group will complete the background checks required below prior to Personnel performing Services.

1.1 Restricted Individuals. For Personnel performing Services at the On-Site Clinic, 1Life or One Medical Group will perform a background check to ensure that such Personnel are not restricted from performing Services by an applicable government authority, including the:

(A) U.S. Department of Treasury – Office of Foreign Assets Control;

(B) U.S. Department of Commerce – Bureau of Industry and Security; and

(C) U.S. Department of State – Directorate of Defense Trade Controls.

1.2 Criminal Court / Social Security Number. If the Services involve unescorted access to Google’s facilities, remote access to internal Google systems, or access to an individual’s personal property or Personal Information (as defined in Attachment D (Information Security)), 1Life or One Medical Group will additionally perform the following checks on Personnel performing such Services:

(A) Criminal court checks for all counties of residence for the prior 7 years (or such period permitted by law) and, in addition, for Personnel performing Services at the On-Site Clinic, criminal court checks for all counties of work for the prior 7 years; and

(B) Social Security number traces.

1.3 Fingerprint. If the Medical Services involve access to children, 1Life or One Medical Group will additionally perform fingerprint checks on the Medical Personnel performing such Medical Services.

1.4 FACIS. For Medical Personnel performing Medical Services, 1Life or One Medical Group will also perform a FACIS (Fraud and Abuse Control Information System) Level 3 Search to identify wrongful actions of individuals and entities in the healthcare field.

2. Proper Notices; Consents. 1Life or One Medical Group will provide all required background check notices to, and obtain signed consent from, Personnel.

3. Personnel Eligibility Guidelines.

3.1 Ineligible to Perform Services. For Personnel performing Services at the On-Site Clinic, such Personnel may not perform any Services at the On-Site Clinic if a background check reveals any such Personnel is restricted from performing the Services under Section 1.1 (Restricted Individuals) of this Attachment and the Personnel is not able to prove error.

Page 31 of 46

3.2 May be Eligible to Perform Services, but Requires Additional Review.

(A) Issues Requiring Additional Review. 1Life or One Medical Group must perform additional review to determine if Personnel is eligible to perform Services if a background check reveals any of the following:

(1) Criminal Conviction. Personnel has any felony or misdemeanor criminal conviction within the last 7 years (or such period permitted by law).

(2) Misrepresentation. Personnel misrepresents:

(a) identification numbers (e.g., Social Security number); or

(b) any educational or technical qualifications even if not required to perform the Services, including:

(i) an educational degree not earned;

(ii) an educational degree for which there is no record of it being earned; or

(iii) a different major of study than recorded.

(B) 1Life or One Medical Group to Perform Additional Review. 1Life or One Medical Group is responsible for performing any additional review to decide whether Personnel is eligible to perform the Services.

3.3 Verification of Background Checks. Upon request, 1Life or One Medical Group will provide to Google or its third-party vendor verification that it conducted background checks.

Page 32 of 46

ATTACHMENT D

INFORMATION PROTECTION ADDENDUM

Part A: General Information Security Terms

1. Introduction.

1.1 Order of Precedence. The terms of this Information Protection Addendum (“IPA”) will prevail over any conflicting terms in the Agreement’s other sections.

1.2 Supplemental Terms. In addition to Part A (General Information Security Terms), the following additional terms are part of the Agreement to the extent applicable: None

1.3 Representations and Warranties.

(a) You hereby represent and warrant that Services provided under the Agreement will never include any outsourced call center operations.

(b) You hereby represent and warrant that Services provided under the Agreement will never include reverse logistics.

(c) You hereby represent and warrant that Services provided under the Agreement will never include writing code specifically for Google.

(d) You hereby represent and warrant that Services provided under the Agreement will never include designing web applications for Google.

(e) You hereby represent and warrant that You will not begin performing the Services until You are in full compliance with this Addendum and You will continue to remain in compliance with this Addendum through the term of the Agreement.

2. Definitions; Interpretation.

2.1 In this IPA:

(a) “Access” or “Accessing” means to create, collect, receive, acquire, record, consult, alter, use, process, store, retrieve, maintain, disclose, or dispose of.

(b) “Applicable Laws” means all privacy, data security, and data protection laws, directives, regulations, and rules in any jurisdiction applicable to You and Your Services under the Agreement.

(c) “Applicable Standards” means government standards industry standards, and best practices applicable to You and Your Services under the Agreement.

(d) “The Directive” means Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data

Page 33 of 46

(e) “includes “ or “ including” means, “including but not limited to”.

(f) “Personal Information” means (i) any information about an identifiable individual accessed in performing Services under the Agreement; or (ii) information that is not specifically about an identifiable individual accessed in performing Services under the Agreement but, when combined with other information, may identify an Eligible Employee or Eligible Dependent. Personal Information includes names, email addresses, postal addresses, telephone numbers, government identification numbers, financial account numbers, payment card information, credit report information, biometric information, IP addresses, network and hardware identifiers, and geolocation information.

(g) “Protected Information” means Personal Information and Google Confidential Information that You or a Third-Party Provider may Access in performing Services. Protected Information does not include the parties’ business contact information (specifically, business addresses, phone numbers, and email addresses) including the party’s contact persons’ names used solely to facilitate the parties’ communications for administration of the Agreement.

(h) “reasonable“ means reasonable and appropriate to (i) the size, scope, and complexity of Your business; (ii) the nature of the Personal Information being Accessed; and (iii) the need for privacy, confidentiality, and security of the Protected Information.

(i) “Safeguards” has the meaning set forth in Section 5 (Safeguards).

(j) “Security Incident” means an actual or reasonably likely loss of or unauthorized disclosure, Access, or use of Protected Information in Your custody or control.

(k) “Services” means any goods or services that You provide to Google under the Agreement.

(l) “Third Party Provider” means any contractor or other third party that You authorize to act on Your behalf in connection with performing Services.

(m) “You” or “Your” means the party (including any employee, contractor, or agent) that performs Services under the Agreement.

2.2 Interpretation. All capitalized terms that are not expressly defined in the IPA will have the meanings given to them in the Agreement. If a word listed in Section 2.1 (Definitions) is used in this IPA but is not capitalized, that word will be deemed to have the meaning in Section 2.1 unless the parties expressly state otherwise (for example, if the word “access” is used in this IPA, it will be interpreted to mean “Access”. Any examples in this Agreement are illustrative and not the sole examples of a particular concept.

3. Compliance with Laws; Use Limitation; Privacy Notice.

3.1 Compliance with Applicable Laws and Applicable Standards. You represent and warrant that when You Access Protected Information under the Agreement, You will at all times comply with all Applicable Laws and Applicable Standards, including any requirements that apply to cross--border transfers of Personal Information.

Page 34 of 46

3.2 Use Limitation. You will Access Protected Information solely to exercise Your rights and to fulfill Your obligations under the Agreement. You are expressly prohibited from Accessing the Protected Information for any other purpose.

3.3 Privacy Notice. If You collect Personal Information directly from individuals, You will provide a clear and conspicuous privacy notice to such individuals that accurately describes how You Access and protect that information and that complies with Applicable Laws and Applicable Standards.

4. Third-Party Providers. You are responsible, and liable to Google, for Your Third-Party Providers’ acts and omissions. You must contractually require each Third-Party Provider that has Access to Protected Information to protect the privacy, confidentiality, and security of Protected Information using at least the same level of protection and confidentiality obligations that apply to You under this IPA. You will regularly assess Your Third-Party Providers’ compliance with those contractual requirements. You will provide Google with information about Your Third Party Providers, including a summary or copy of Your contractual terms, if required by Applicable Law.

5. Safeguards. At all times that You have Access to Protected Information, You will maintain reasonable administrative, technical and physical controls designed to ensure the privacy, security, and confidentiality of the Protected Information (“Safeguards”) that comply with this IPA, Applicable Standards, and Applicable Law, including:

5.1 Physical Access. You will maintain physical Access controls designed to secure relevant facilities, infrastructure, data centers, hard copy files, servers, backup systems, and equipment (including mobile devices) used to Access Protected Information, including controls to prevent, detect, and respond to attacks, intrusions, or other system failures;

5.2 User Authentication. You will maintain user authentication and Access controls within operating systems, applications, equipment, and media;

5.3 Personnel Security. You will maintain personnel security policies and practices restricting Access to Protected Information, including background checks consistent with Applicable Law on all personnel with Access to Protected Information or who maintain, implement, or administer Your information security program and Safeguards;

5.4 Logging and Monitoring. You will log and monitor the details of all Access to Protected Information on networks, systems, and devices operated by You. Your logging and monitoring systems must meet Applicable Standards and You must maintain all Access logs for at least [***] days;

5.5 Malware Controls. You will maintain reasonable and up-to-date controls to protect all networks, systems, and devices that Access Protected Information from malware and unauthorized software;

Page 35 of 46

5.6 Security Patches. You will maintain controls and processes designed to ensure that networks, systems, and devices (including operating systems and applications) that Access Protected Information are up-to-date, including prompt implementation of all security patches when issued; and

5.7 User Account Management. You must implement reasonable user account management procedures to securely create, amend, and delete user accounts on Your networks, systems, and devices, including monitoring redundant accounts and ensuring that information owners properly authorize all user account requests.

6. Encryption Requirements. Using a reasonable encryption standard, You will encrypt all Personal Information that is (a) stored on portable devices or portable electronic media; (b) stored or maintained outside of Google’s or Your physically -secured facilities, excluding hard copy documents; or (c) transferred across any network other than an internal company network owned and managed by You.

7. Access Controls. You will:

7.1 maintain reasonable controls to ensure that only individuals who have a legitimate need to Access Protected Information under the Agreement will have such Access;

7.2 promptly terminate an individual’s Access to Protected Information when such Access is no longer required for performance under the Agreement;

7.3 log the appropriate details of Access to Protected Information on Your systems and equipment, and retain such records for no less than [***] days; and

7.4 be responsible for any unauthorized Access to Protected Information under Your custody or control (or Your Third-Party Provider(s) custody or control).

8. Training and Supervision. To ensure Your compliance with this IPA, You will provide reasonable ongoing privacy and information protection training and supervision for all Your personnel (including Third-Party Providers) who Access Protected Information. Google may require You to provide any additional training it deems reasonably necessary for You to perform Services under the Agreement.

9. Use of Google APIs, Property, and Equipment. To the extent that You Access Google -owned or -managed networks, systems, or devices (including Google APIs, corporate email accounts, equipment, or facilities) to Access Protected Information, You must comply with Google’s written instructions, system requirements, and policies made available to You.

10. Assessments; Corrections.

10.1 Google’s Assessment. Upon Google’s written request, to confirm compliance with this IPA, as well as any Applicable Laws and Applicable Standards, You will promptly and accurately complete Google’s written information privacy and security questionnaire regarding Your information privacy and security practices in relation to all Protected Information You Access

Page 36 of 46

and/or Services You provide to Google under the Agreement. You will provide reasonable assistance and cooperation during these assessments by providing Access to knowledgeable personnel, documentation, infrastructure and application software that Accesses, processes, stores or transports Protected Information under the Agreement. Google will treat the information that You provide in the assessments as confidential under Your existing, applicable confidentiality agreement(s) with Google.

10.2 Your Self-Assessment. You will continuously monitor risk to the Protected Information to ensure that the Safeguards are properly designed and maintained to prevent unauthorized Access to the Protected Information and will periodically (but no less than once per year) assess and document the effectiveness of Your Safeguards across Your networks, systems, and devices (including infrastructure, applications, and services) used to Access Protected Information. You will update your Safeguards as needed.

10.3 Correcting Vulnerabilities. If either party discovers that Your Safeguards contain a vulnerability, You will promptly correct at Your own cost (a) any vulnerability within a reasonable period, and (b) any material vulnerability within [***] days or less. If Google identifies any vulnerability, You will provide Google with reasonable assurances that Your corrections meet this IPA’s requirements. If You are unable to correct the vulnerabilities within this time period, You must promptly notify Google and propose reasonable remedies. Compliance with this Section 10.3 will not reduce Your obligations under Section 11 (Security Incident Response).

11. Security Incident Response.

11.1 Security Incident Response Program. You will maintain a reasonable incident response program to respond to Security Incidents.

11.2 Notice. If You have reason to believe that a Security Incident has occurred, You will promptly (and in no event longer than [***] after discovery of the Security Incident) send an email to ***@*** and provide, to the extent allowed by applicable law, a complete description of the details known about the Security Incident, with the exception that any such details which violate Your confidentiality obligations to Your customers or employees may be omitted.

11.3 Investigation; Remediation. If You have reason to believe that a Security Incident has occurred, You will promptly (a) investigate and remedy the Security Incident; (b) remediate the root cause of the Security Incident and provide written assurances that the remediation meet this IPA’s requirements; and (c) identify relevant contact people who will be reasonably available until the parties mutually agree that the Security Incident has been resolved. For Security Incidents involving Personal Information or systems that Access such information, “reasonably available” will mean 24 hours per day, 7 days per week.

11.4 No Unauthorized Statements. Except as required by law, You will not make (or permit any third party under Your control to make) any statement concerning the Security Incident that references Google either directly or indirectly unless Google provides its explicit written authorization.

Page 37 of 46

12. Legal Process. If You or anyone to whom You provide Access to Protected Information becomes legally compelled by a court or other government authority to disclose Protected Information, other than in the ordinary course of business (which shall include, without limitation, subpoenas or court orders for individual patient records), then to the extent permitted by law You will provide Google with sufficient reasonable notice of details of the legal requirement and reasonably cooperate with Google’s efforts to challenge the disclosure, seek an appropriate protective order, or pursue such other legal action, as Google may deem appropriate, at Google’s expense.

13. Additional Security Specifications.

13.1 Google’s Vulnerability Testing. If You Access Personal Information from Your systems or Your systems connect to Google’s systems, then upon reasonable notice and in coordination with You, Google may periodically perform vulnerability testing (including penetration testing) on Your systems used to Access Protected Information, to confirm Your compliance with this IPA; provided, however, that such vulnerability testing shall be designed not to access PHI. Google will not perform vulnerability testing more than once per year unless You materially change the Services You provide to Google under this Agreement.

13.2 Your Vulnerability Testing.

(a) If You Access Personal Information from Your systems; or Your systems connect to Google’s systems, then periodically (but at least [***]), You will have an accredited third party perform manual and automated vulnerability testing (including penetration testing based on recognized industry best practices) on all Your networks, systems, software and devices used to Access Protected Information.

(b) Upon request by Google, You will provide Google with a report summarizing the results of the vulnerability testing performed under Section 13.2. At a minimum the report summary must include:

(b)(i). Google will treat these results as confidential under Your existing, applicable confidentiality agreement(s) with Google

13.3 Security Audits; Reports. In addition to Google’s right to assess under Section 10.1, and 13.1, You will:

(a) conduct an annual security audit of Your Safeguards covering all relevant networks, systems, devices, and media used to Access Protected Information using a recognized third party audit firm and a reasonable audit standard; and

Page 38 of 46

(b) upon reasonable notice and coordination with You, permit Google to perform annual privacy and security audits to confirm Your compliance with the Agreement.

14. Special Categories of Data.

14.1 PCI Compliance. To the extent You process payment card information, including primary account numbers (“PANs”) subject to the Payment Card Industry Data Security Standards (“PCI DSS”) for the provision of Services, You will ensure that You are currently and demonstrably PCI DSS certified or compliant, and will maintain Your compliance status as long as You Access or process PANs in connection with the Agreement. Should Your payment processing exceed the applicable threshold or You process payments without use of a third party, then You will ensure that You are currently and demonstrably PCI DSS certified or compliant.

14.2 HIPAA Compliance. To the extent You Access protected health information (“PHI”) subject to Health Insurance Portability and Accountability Act of 1996 (HIPAA), You will act in accordance with HIPAA.

14.3 EU Data Protection Compliance. If You Access Personal Information that originated in the EU, all of the following will apply:

(a) Access to EU-Originated Personal Information from Non-Adequate Countries or Industry Sectors. To the extent You will Access Personal Information that originated in the EU from a country or industry sector that is not the subject of a formal adequacy finding of the European Commission, You will ensure the lawfulness of cross--border Personal Information transfers by doing one of the following, at Google’s discretion: (i) entering into an agreement with Google based on the European Commission’s standard contractual clauses; (ii) implementing fully approved binding corporate rules (BCRs) and taking such steps as are required to ensure that the Personal Information is protected by those BCRs; or (iii) where applicable, certifying Your compliance to the EU – US Privacy Shield and complying with its relevant principles. In this Agreement, “Personal Information” has the same meaning as “personal data” under The Directive.

(b) Transfers Under the EU—US Privacy Shield. To the extent that Google is certified to the EU-US Privacy Shield, You will: (i) provide at least the same level of protection for Personal Information as is required by the relevant principles of the EU—US Privacy Shield; (ii) comply with Parts A and B of the IPA for as long as You have Access to Personal Information that originated in the EU; and (iii) where You permit a Third Party Provider to Access Personal Information that originated in the EU, require the Third Party Provider to provide at least the same level of protection as is required by the IPA and the relevant principles of the EU-US Privacy Shield.

(c) All Data Processors. To the extent You are a “data processor” (as defined in The Directive) that will Access Personal Information that originated in the EU, You will only Access Personal Information in accordance with Google’s instructions.

Page 39 of 46

15. Suspension; Termination.

15.1 Suspension. Google may immediately suspend Your access to Protected Information if You are not complying with this Addendum.

15.2 Termination. Google may terminate the Agreement if Google reasonably determines that (a) You have failed to cure material noncompliance with this IPA within a reasonable time; or (b) Google needs to do so to comply with Applicable Laws or Applicable Standards.

16. Retention and Destruction of Protected Information.

16.1 Retention. Subject to Section 5.1 of the Agreement, You will not store or retain any Protected Information except as necessary to perform Services under the Agreement and for compliance with applicable law, Your internal policies and professional liability risk management practices. If requested by Google before the time period specified in Section 16.2 (Destruction), You will promptly return to Google a copy of Protected Information (other than Patient Data and Third Party Data).

16.2 Destruction. Subject to Section 5.1 of the Agreement, within [***] days of the Agreement’s expiration or termination, or sooner if reasonably requested by Google, You will destroy all copies of Protected Information (other than Patient Data and Third Party Data), including any automatically -created archival copies. If required by Applicable Law, You may retain a copy of such Protected Information for so long as required, but only if You: (a) notify Google in advance and in writing that such copy is required and the reason for such retention; (b) ensure that such copy is encrypted and protected in accordance with this IPA; and (c) do not Access the Protected Information for any other purpose that is not otherwise in accordance with the Agreement.

16.3 Media Sanitization. You will use a media sanitization process that deletes and destroys data in accordance with the US Department of Commerce’s National Institute of Standards and Technology’s guidelines in NIST Special Publication 800-88 or equivalent standard.

17. Survival. Your obligations under this IPA will survive expiration or termination of the Agreement and completion of the Services as long as You continue to have Access to Protected Information.

Page 40 of 46

ATTACHMENT E

HOSTED SERVICES

To the extent that 1Life and One Medical provides any Hosted Services (defined below), this Attachment E will apply in addition to any other terms of the Agreement. If there is a conflict between any term of this Attachment E and the body of the ISA, the terms of this Attachment E will apply.

1. Definitions.

1.1 “1Life and One Medical Group Materials” means any content, information, reports, documents, or other materials provided or made accessible by 1Life and One Medical to Google for download or export from the Hosted Services, excluding any Deliverables, Google Data, any content, information, reports, documents, or other materials provided or made accessible by Google, and 1Life / One Medical Group Confidential Information.

1.2 “Front-End Hosted Services” means any Hosted Services that impact patient-care directly and are necessary for Eligible Employees and Eligible Dependents, as applicable, to access and use the Medical Services including:

1.3 “Back-End Hosted Services” means the hosted services provided by 1Life under this Agreement and any SOW, excluding the Front-End Hosted Services, and includes all of 1Life’s software, APIs, and other systems necessary for 1Life and One Medical Group to deliver the Services including:

The Front-End Hosted Services and the Back-End Hosted Services are collectively referred to herein as the “Hosted Services”.

Page 41 of 46

2. Services.

2.1 1Life will provide Hosted Services according to the applicable SOW. 1Life will provide support and maintenance for the Front End Hosted Services and Back End Hosted Services according to Section 5 of this Attachment E (Maintenance and Support) and will meet the performance standards for the Front End Hosted Services in Section 6 of this Attachment E (Performance Standards) and the applicable SOW.

2.2 Minimum Functionality. Functionality of the patient portal and mobile application will be on par with that offered to all One Medical commercial members as part of the standard membership offering in the same geographic region; functionality will include, but is not limited to: appointment scheduling, pre-visit communications (ability to complete intake forms online and ability for members to enter reasons for the visit), post-visit communications (including unfilled lab orders and vaccine orders), patient health record (insurance, vaccine history, medications and allergies), online bill pay, prescription refills, and secure messaging. Additionally, the mobile application will offer video visits and question-and-answer care for common conditions and guided image upload for dermatology issues.

2.3 Future Functionality. 1Life and One Medical Group will agree on priorities for the technology roadmap, and will articulate for Google estimated time lines for the features of lab results, next steps functionality in the personal health record and drug-to-drug interaction in the electronic medical record, and inform Google of any material updates to the foregoing.

3. Intellectual Property; Usage Rights; Licenses.

3.1 Front End Hosted Services Usage Rights. Eligible Employees and Eligible Dependents shall have access to the patient portal and mobile application under 1Life’s standard Member Terms of Service.

3.2 1Life and One Medical Group Materials Usage Rights. 1Life and One Medical Group hereby grant to Google and its Affiliates during the term of the applicable SOW a non-exclusive, worldwide, royalty-free, enterprise-wide license to use the 1Life and One Medical Group Materials.

3.3 Reservation of Rights.

(A) Google Data and IP. Google owns and reserves all right, title and interest to the Google Data and all Intellectual Property Rights therein. Except as may expressly be set forth in this Agreement, no right, title, or interest to any of the Google IP is transferred or licensed to 1Life or One Medical Group.

(B) Hosted Services. As among Google, 1Life and One Medical Group, 1Life or its licensors, as applicable, own and reserve all right, title and interest in and to the Hosted Services, any modifications to, upgrades, or enhancements of the Hosted Services, and all Intellectual Property Rights therein.

4. Google Data Security. 1Life and One Medical may collect, use, store and retain Google Data and Patient Data in accordance with Attachment D (Information Protection Addendum) and the applicable SOW.

Page 42 of 46

5. Maintenance and Support. 1Life will maintain and support the Front End Hosted Services to ensure connectivity and access by Eligible Employees and Eligible Dependents to the patient portal and mobile application. 1Life will promptly repair or replace, without any additional charge, the Front End Hosted Services, to fix any bugs, defects or errors (collectively, “Errors”). 1Life will provide the support services on a 24x7 basis, 365 days per year. 1Life will provide the maintenance and support services set forth below:

5.1 Updates and Upgrades. As 1Life updates, enhances, upgrades or creates new features for the Front End Hosted Services, 1Life will make available to Eligible Employees and Eligible Dependents any and all patches, enhancements, updates, upgrades, and new versions of the Front End Hosted Services that 1Life makes available to commercial consumers in the same region (“Updates”) and any such Updates will be deemed part of the Front End Hosted Services. 1Life will use Reasonable Efforts to ensure that no Update (a) will impair the operation or disable or inhibit any functions or features of the Front End Hosted Services or cause performance of the Front End Hosted Services to be degraded; or (b) adversely affect form, fit, function, reliability, safety or serviceability of the Front End Hosted Services.

5.2 Availability and Contacts. 1Life will make technical support available for the patient portal and mobile application by toll-free telephone number and e-mail 24 hours per day, 7 days per week. 1Life’s support personnel will provide remote assistance to Eligible Employees and Eligible Dependents for help in using the patient portal and mobile application and to accept reports of Errors in the patient portal and mobile application. 1Life will ensure that its personnel performing any maintenance and support services are experienced, knowledgeable and qualified in the use, maintenance and support of the Front End Hosted Services. Contact information for technical support will be provided to Google prior to the commencement of Services.

5.3 Error Correction. In the event that Google, Eligible Employees, or Eligible Dependents report to 1Life or One Medical Group any Error in the Front End Hosted Services (the Severity Level to be reasonably determined by Google), 1Life will respond to such reports as set forth in Section 9.4 (Response Times) below:

(A) “Severity Level 1” is an emergency condition which makes the use or continued use of any one or more functions of the Front End Hosted Services impossible or materially impaired and for which there is no reasonable workaround.

(B) “Severity Level 2” is, other than any Severity Level 1 Problem, any condition which seriously disrupts the use or continued use of any one or more functions of the Front End Hosted Services and which cannot reasonably circumvented or avoided on a temporary basis without the expenditure of significant time or effort.

(C) “Severity Level 3” is, other than any Severity Level 1 Problem or Severity Level 2 Problem, any limited problem condition which is not critical to the essential functions of the Front End Hosted Services and which can reasonably circumvented or avoided on a temporary basis without the expenditure of significant time or effort.

Page 43 of 46

(D) “Severity Level 4” is, other than any Severity Level 1 Problem, Severity Level 2 Problem or Severity Level 3 Problem, a minor problem condition or significant document error which can be easily circumvented or avoided.

5.4 Response Times. 1Life will respond to an Error, depending on the Severity Level, within the timeframes set forth in the chart below, starting from the time Google notifies 1Life of the Error.

5.5 No Additional Charges. Except as may otherwise be set forth in a SOW, 1Life will provide maintenance and support services at no additional charge.

6. Performance Standards.

6.1 Definitions. The following definitions will apply with respect to this Section 6 for the Front End Hosted Services, unless specified otherwise:

(A) “Actual Availability” means Total Scheduled Availability minus Downtime.

(B) “Downtime” means the time that Eligible Employees and Eligible Dependents, as applicable, using the Front End Hosted Services are not able to (a) access the Front End Hosted Services, (b) perform ordinary functions to use or receive Front End Hosted Services in accordance with specifications, or (c) utilize the Front End Hosted Services for normal business operations due to failure malfunction or delay. Downtime does not include any unavailability of the Front End Hosted Services due to System Maintenance or a failure or defect arising out of a Force Majeure Event.

(C) “Force Majeure Event” means any failure or delay caused by or the result of causes beyond the reasonable control of a party and could not have been avoided or corrected through the exercise of reasonable diligence, including, but not limited to, acts of God, fire, flood, hurricane or other natural catastrophe, terrorist actions, laws, orders, regulations, directions or actions of governmental authorities.

Page 44 of 46

(D) “System Availability” will be calculated on a quarterly basis using the following formula: [(Actual Availability divided by Total Scheduled Availability) multiplied by 100%].

(E) “System Maintenance” means time that the patient portal and mobile application are not accessible to Eligible Employees and Eligible Dependents due to maintenance, including for maintenance and upgrading of the software and hardware used by 1Life to provide the patient portal and mobile application. System Maintenance includes scheduled maintenance and unscheduled, emergency maintenance.

(F) “Total Scheduled Availability” means 7 days per week, 24 hours per day, excluding (i) System Maintenance and (ii) unavailability resulting from: (a) factors outside of 1Life’s reasonable control including any force majeure event; or (b) Google’s failure to perform its obligations as described in the Agreement or SOW(s), including, without limitation, failure of any ISP providing service to the On-Site Clinic to meet [***] uptime.

6.2 Service Level Standards. 1Life will at all times during the Term of this Agreement maintain the following service levels for the Front End Hosted Services (collectively, the “Service Levels”): 1Life will provide [***] System Availability over quarterly periods, excluding any System Maintenance or Force Majeure Events that result in the Front End Hosted Services not being available to any Eligible Employee or Eligible Dependent.

6.3 Accessibility. 1Life agrees to support and maintain WCAG 2.0 Type AA accessibility standards for the patient portal and mobile application.

6.4 System Maintenance Notice.

(A) Planned maintenance. System Maintenance in any given month will not exceed [***] per month, and is expected to take place in one of two windows: (1) is expected to begin no sooner than [***] and is expected to be completed by [***]; or (2) is expected to begin no sooner than [***] and is expected to be completed by [***]. In addition, the parties agree that such planned maintenance windows may be changed to substantially similar times as needed and in such case(s), 1Life will provide notice (e-mail is acceptable) to Google.

(B) Unplanned Maintenance. Any time during which the Front End Hosted Services are unavailable to Eligible Employees and Eligible Dependents due to maintenance or other activity by 1Life, which exceeds the permitted time allotment, or which occurs outside of the foregoing permitted planned maintenance windows listed above in 6.4 (A)hours (“Unplanned Maintenance”), then 1Life will provide commercially reasonable notice (e-mail or other options such as posting to an availability website are acceptable) to Google. Unplanned Maintenance will be included in the calculation of Downtime.

6.5 Backups. 1Life will back up all Google Data and Patient Data entered into the Hosted Services since the last backup daily to 1Life’s backup location. 1Life will create a full backup (complete data copy) at least once per week at such backup location. 1Life will maintain all backup files for at least [***]. 1Life will restore Google Data or Patient Data from backup files if it

Page 45 of 46

reasonably believes Google Data or Patient has been corrupted or lost. 1Life will ensure that backups do not cause system downtime. 1Life will ensure that daily incremental backups in combination with weekly full backups are complete so that no more than [***]-worth of data will be lost in the event of a disaster.

6.6 Reporting. During the term of this Agreement, 1Life and One Medical Group will, upon Google’s request (which made be made by telephone or email), provide quarterly reports to Google that include 1Life and One Medical Group’s performance with respect to the Service Levels and such other metrics as reasonably requested by Google and mutually agreed to by 1Life and One Medical Group from time to time.

6.7 SLA Discount. Google and 1Life will review Service Level Guarantees on a quarterly basis, will partner to address and resolve instances in which the Service Levels are unsatisfactory, and 1Life will develop and implement action plans for remediation. If the System Availability as measured on a quarterly basis falls below [***], 1Life will provide Google with a discount to the On-Site fees for the following quarter as set forth in the chart below. If there is no further invoice for a SOW in which to apply a discount that is due, then 1Life/One Medical Group will pay Google an amount equal to the value of the discount due within [***] days after the end of the month in which such discount accrued.

6.8 Chronic SLA Failure. If 1Life and/or One Medical Group fails to meet average Service Level of [***] in any [***] in a rolling [***] period during the term of this Agreement, Google will have the right in its sole discretion to terminate the Agreement with [***] prior written notice to 1Life and One Medical Group, which will run concurrently with the Exit Period.

Page 46 of 46