DriveBoss Acceptable Use Policy

DriveBoss LLC · Effective Date: April 21, 2026 · Last Updated: April 21, 2026

This Acceptable Use Policy ("AUP") applies to all use of the DriveBoss software-as-a-service platform, applications, APIs, websites, communications tools, integrations, support channels, and related services ("Services"). By using the Services or accepting the DriveBoss Master Services Agreement, Customer agrees to this AUP. Capitalized terms not defined in this AUP have the meanings given in the DriveBoss Master Services Agreement ("MSA") or Business Associate Agreement ("BAA"), as applicable.

This AUP is incorporated into the MSA. If this AUP conflicts with the BAA, the BAA controls for PHI and HIPAA-regulated obligations. If this AUP conflicts with the MSA, the MSA controls except where this AUP imposes more specific use restrictions.

1. Authorized Use

Customer may use the Services only for lawful non-emergency medical transportation ("NEMT") and related operations authorized by Customer's agreements with DriveBoss, brokers, payers, facilities, transportation providers, and applicable regulators.

Authorized uses include dispatch, routing, scheduling, broker-feed processing, trip execution, billing and reconciliation workflows, driver GPS and trip-status tools, patient SMS and IVR communications, facility visibility, customer support, reporting, and related operational workflows.

2. PHI and Sensitive Data

Customer may submit PHI and other sensitive data only through authorized DriveBoss workflows and only to the extent reasonably necessary for permitted NEMT, billing, reporting, broker, payer, facility, SMS, IVR, support, and related operations.

Customer must not:

• upload, transmit, export, or disclose PHI outside approved DriveBoss workflows;
• disclose PHI to unauthorized recipients;
• use the Services to collect unnecessary PHI;
• use PHI for marketing, advertising, or unrelated business purposes;
• copy PHI into free-text fields where structured fields or approved workflows should be used;
• transmit PHI to personal email, personal devices, or unauthorized third-party services; or
• bypass privacy, role-based access, audit, or security controls.

PHI is governed by the BAA.

3. Trip, Broker, Payer, and Billing Integrity

Customer must not falsify, manipulate, misrepresent, backdate, delete, conceal, or improperly alter trip, broker, payer, facility, billing, GPS, or operational records.

Prohibited conduct includes:

• falsifying pickup, drop-off, arrival, completion, no-show, cancellation, mileage, wait-time, driver, vehicle, patient, escort, or eligibility data;
• submitting, approving, or facilitating claims or invoices for trips that were not performed as represented;
• changing broker-assigned trip data outside authorized broker, payer, or DriveBoss workflows;
• using DriveBoss to evade broker, payer, Medicaid, Medicare, insurance, CMS, audit, or transportation program requirements;
• sharing or misusing broker credentials, payer credentials, facility credentials, or customer credentials;
• spoofing GPS location, device identity, driver identity, vehicle identity, timestamps, or service status;
• bypassing audit trails, signature requirements, trip-verification requirements, or required documentation;
• using another user's account or permitting unauthorized users to submit or approve trip or billing data.

4. Patient, Rider, Driver, and Facility Communications

Customer is responsible for ensuring that SMS, IVR, telephone, email, and in-platform communications sent through or triggered by the Services are authorized and comply with applicable healthcare, communications, consent, opt-out, carrier, broker, payer, facility, and transportation requirements.

Customer must not:

• send unsolicited marketing, telemarketing, spam, or unrelated promotional messages;
• send deceptive, harassing, threatening, discriminatory, abusive, or misleading messages;
• contact patients, riders, drivers, facilities, or brokers for purposes unrelated to authorized transportation or related operations;
• bypass STOP, opt-out, quiet-hour, consent, carrier, 10DLC, or compliance controls;
• use IVR or call features in jurisdictions or situations requiring consent unless Customer has obtained the required consent;
• use DriveBoss for emergency medical, emergency dispatch, 911, or emergency-response communications.

5. Account and Access Security

Customer must maintain appropriate account, credential, device, and user-management controls.

Customer must not:

• share passwords, API keys, access tokens, or credentials;
• allow unauthorized users to access the Services;
• use shared accounts where named-user access is required;
• access another customer's account, data, or systems;
• circumvent authentication, authorization, role-based access, logging, or rate limits;
• scrape, harvest, crawl, or bulk-export data without authorization;
• conduct vulnerability testing, penetration testing, scanning, probing, or load testing without DriveBoss's prior written authorization;
• introduce malware, malicious code, unauthorized automation, or harmful files;
• interfere with service operation, data integrity, network integrity, or security controls.

6. APIs, Integrations, and Third-Party Systems

Customer must use broker, payer, facility, communications, payment, and other third-party integrations only as authorized.

Customer must not:

• use integrations to access data Customer is not authorized to access;
• overload, abuse, reverse engineer, or bypass third-party APIs or DriveBoss APIs;
• alter integration payloads to misrepresent trip, patient, billing, eligibility, GPS, or status data;
• use DriveBoss to violate third-party terms, broker rules, payer rules, carrier rules, or applicable law.

7. Prohibited Content and Conduct

Customer must not use the Services for content or conduct that is unlawful, fraudulent, deceptive, defamatory, infringing, obscene, exploitative, threatening, harassing, discriminatory, harmful, or otherwise inconsistent with lawful NEMT operations.

Customer must not use the Services to:

• infringe copyrights, trademarks, trade secrets, privacy rights, publicity rights, or other rights;
• impersonate any person or entity;
• facilitate fraud, identity theft, credential theft, phishing, or payment abuse;
• harm, exploit, or target minors unlawfully;
• violate export controls, sanctions, anti-corruption laws, healthcare program requirements, consumer-protection laws, communications laws, or privacy laws;
• create material legal, security, operational, reputational, broker, payer, patient, driver, or facility risk for DriveBoss or others.

8. Data Collection and Consent

Customer is responsible for obtaining and maintaining all consents, authorizations, notices, permissions, rights, and legal bases needed to collect, submit, process, communicate, and disclose data through the Services.

Customer must not use the Services to collect patient, rider, driver, employee, facility, broker, or third-party information without authorization or outside an existing lawful business, healthcare, transportation, or service relationship.

9. Enforcement

DriveBoss may investigate suspected violations of this AUP. DriveBoss may remove content, block messages, block exports, suspend integrations, suspend users, suspend accounts, terminate access, notify affected customers or third parties, or take other reasonable action if DriveBoss reasonably believes use of the Services:

• violates this AUP, the MSA, the BAA, an order form, or applicable law;
• creates security, privacy, PHI, or operational risk;
• may expose PHI or sensitive data without authorization;
• may violate broker, payer, facility, carrier, or third-party requirements;
• may cause service disruption or data-integrity issues;
• may harm DriveBoss, customers, patients, riders, drivers, brokers, payers, facilities, or third parties.

Where practical, DriveBoss will provide notice and an opportunity to cure. DriveBoss may act immediately if needed to prevent harm, protect PHI, preserve security, comply with law, comply with broker or payer requirements, prevent fraud, or protect service availability.

10. Reporting

Questions, security reports, abuse reports, and compliance concerns should be sent to [email protected].

Customer must promptly notify DriveBoss if Customer becomes aware of unauthorized access, credential compromise, unauthorized PHI disclosure, fraudulent billing activity, broker credential misuse, GPS spoofing, trip-data manipulation, or other material misuse of the Services.

11. Changes

DriveBoss may update this AUP from time to time. Material changes will be posted with an updated effective date or otherwise communicated as required by the MSA.