Skip to content

Search the site

    Unanet FedRAMP Moderate Equivalent
    Supplemental Terms 

     

    why-unanet-logo-mask

    Last Updated: November 12, 2025

    These Unanet FedRAMP Moderate Equivalent Supplemental Terms (the “FedRAMP Supplemental Terms”) amends and supplements the Unanet Cloud Terms and Conditions (collectively, with the Order Form and these FedRAMP Supplemental Terms, the “Agreement”) solely with respect to the Customer’s use of and Unanet’s provision of the Unanet FedRAMP Moderate Equivalent product(s) (“FedRAMP Products”) provided to Customers executing an Order Form for FedRAMP Products. By executing an Order Form that incorporates these FedRAMP Supplemental Terms, Customer agrees to be bound by the terms and conditions herein with respect to the FedRAMP Products. If a conflict occurs between these FedRAMP Supplemental Terms and the Unanet Cloud Terms and Conditions with respect to the FedRAMP Products, these FedRAMP Supplemental Terms will govern.

    1. FedRAMP Product.
      1. Authorization Boundary. The FedRAMP Products operate within a FedRAMP Moderate Equivalent boundary that hosts the FedRAMP Product(s) specifically identified in the applicable Order Form and Unanet's supporting infrastructure. The authorization boundary explicitly excludes: (i) any third-party integrations, including external applications, or tools not operated by Unanet; (ii) any other Unanet products, solutions, or services not specifically designated as the FedRAMP Product(s) in the Order Form; (iii) any Customer-implemented systems, tools, applications, or IT infrastructure; (iv) any data processing, storage, or transmission that occurs outside the FedRAMP Products environment; and (v) any systems or services provided by entities other than Unanet. Customer acknowledges that Unanet's FedRAMP Moderate Equivalent authorization and associated security controls apply exclusively to the FedRAMP Products within this defined boundary and do not extend to any excluded systems, integrations, or services.
      2. Customer Data Management Responsibilities. In addition to Customer's responsibilities set forth in the Agreement, Customer is solely responsible for all actions, decisions, and practices it takes regarding its Customer Data within the FedRAMP Products boundary, including but not limited to: (i) all data input, upload, and entry into the FedRAMP Products boundary by or directed by Customer; (ii) proper classification, marking, and labeling of all Customer Data in accordance with all applicable law, and all applicable U.S. federal government agency requirements; (iii) all user access control decisions, authorization management, and privilege assignments for Authorized Users by or directed by Customer; (iv) any data export, sharing, transmission, or distribution of Customer Data outside the FedRAMP Products boundary by or directed by Customer; and (v) all decisions regarding integration of the FedRAMP Products with non-FedRAMP systems or services by or directed by Customer. Customer alone is responsible for ensuring that all of its data handling practices and procedures comply with applicable federal agency-specific security requirements as well as any of Customer's specific federal government agency or other customer contract obligations.
      3. Data Location and Residency. Customer Data stored, processed, or transmitted within the FedRAMP Products will be maintained solely within the United States. All Unanet personnel with access to the FedRAMP Products are United States Persons (i.e., a citizen of the United States, a permanent resident alien of the United States, or a protected individual as defined by 8 U.S.C. 1324b(a)(3)). Such personnel access the FedRAMP Products solely from within the United States.
      4. Limitations. AS BETWEEN THE PARTIES, UNANET DISCLAIMS ALL LIABILITY FOR CUSTOMER'S DATA MANAGEMENT ACTIONS, DECISIONS, AND PRACTICES WITHIN THE FEDRAMP PRODUCTS. UNANET SHALL NOT BE RESPONSIBLE OR LIABLE FOR ANY SECURITY INCIDENTS, DATA BREACHES, COMPLIANCE FAILURES, OR OTHER ADVERSE EVENTS RESULTING FROM OR RELATED TO: (I) CUSTOMER'S IMPROPER DATA CLASSIFICATION, MARKING, HANDLING, OR MANAGEMENT BY CUSTOMER OR ITS AUTHORIZED USERS; (II) UNAUTHORIZED ACCESS RESULTING FROM CUSTOMER'S USER AUTHORIZATION DECISIONS OR CREDENTIAL MANAGEMENT; (III) CUSTOMER'S INTEGRATION OF THE FEDRAMP PRODUCTS WITH UNANET OR THIRD PARTY SYSTEMS OR SERVICES OUTSIDE THE FEDRAMP PRODUCTS BOUNDARY; (IV) CUSTOMER'S FAILURE TO COMPLY WITH APPLICABLE LAW, SECURITY REQUIREMENTS, REGULATIONS, OR CONTRACT OBLIGATIONS; (V) CUSTOMER'S EXPORT, TRANSMISSION, OR SHARING OF DATA OUTSIDE THE FEDRAMP PRODUCT BOUNDARY. Customer acknowledges and agrees that it bears all risk associated with its user management decisions and data handling practices within the FedRAMP Product.
      5. Data Retention and Destruction. Upon termination or expiration of the Agreement, Customer may retrieve its Customer Data from the FedRAMP Products for a period of sixty (60) days following such termination or expiration. Following the expiration of such sixty (60) day retrieval period, Unanet will securely delete and destroy all Customer Data in accordance with FedRAMP requirements and applicable NIST standards for media sanitization (including NIST SP 800-88). Data destruction will be performed consistent with the shared responsibility model with Unanet’s cloud hosting provider, whereby the underlying infrastructure sanitization is performed by the cloud provider in accordance with FedRAMP requirements. Notwithstanding the foregoing, backup data will be destroyed in accordance with Unanet’s standard backup retention and destruction policies.
      6. Incident Response and Breach Notification. In addition to the incident response and breach notification provisions set forth in the Unanet Cloud Terms and Conditions, Unanet will comply with applicable FedRAMP incident response and breach notification requirements specifically with respect to the FedRAMP Products, including notification to Customer in accordance with the timelines specified in the Unanet Cloud Terms and Conditions, or as required by applicable FedRAMP requirements. Unanet maintains an incident response policy for the FedRAMP Products that aligns with NIST 800-53 controls and other applicable FedRAMP requirements.
      7. Data Usage Limitations. Notwithstanding any provision to the contrary in the Agreement, including without limitation Section 4(g) of the Unanet Cloud Terms and Conditions, UNANET MAY NOT USE CUSTOMER DATA HOSTED IN THE FEDRAMP PRODUCTS FOR ANY PURPOSE OTHER THAN PROVIDING THE FEDRAMP PRODUCTS TO CUSTOMER AS SET FORTH IN SECTION 4(d) OF THE UNANET CLOUD TERMS AND CONDITIONS. This limitation applies exclusively to Customer Data hosted within the FedRAMP Products and does not restrict Unanet’s data usage rights under any other Subscription Services.
    2. Controlled Unclassified Information (CUI).
      1. CUI Authorization and Scope. Notwithstanding anything to the contrary in the Terms, Customer may elect to store, process, and generate Federal Contract Information (“FCI”) (as defined in 48 C.F.R. 52.204-21) and Controlled Unclassified Information (“CUI”) (as defined by 32 CFR Part 2002) within the FedRAMP Products. This FCI and CUI authorization applies solely to the FedRAMP Products and does not extend to any other Subscription Services or products or services provided by Unanet. Customer is solely responsible for properly marking and identifying CUI in accordance with 32 CFR Part 2002 and applicable agency-specific requirements.
      2. Disclaimers. UNANET MAKES NO REPRESENTATIONS OR WARRANTIES THAT THE FEDRAMP PRODUCTS MEETS CUSTOMER’S SPECIFIC LEGAL, REGULATORY OR CONTRACTUAL OBLIGATIONS TO THE FEDERAL GOVERNMENT, ANY PRIME CONTRACTOR, OR ANY OTHER CUSTOMER. Customer is solely responsible for determining whether the FedRAMP Products are suitable for Customer’s intended use and compliance obligations. Customer is responsible for implementing any additional controls or procedures as may be required by applicable law or Customer’s specific regulatory or contractual. UNANET DOES NOT ASSUME ANY OF CUSTOMER’S OBLIGATIONS UNDER CUSTOMER’S CONTRACTS, INCLUDING BUT NOT LIMITED TO CUSTOMER’S CONTRACTS WITH U.S. FEDERAL GOVERNMENT ENTITIES OR PRIME CONTRACTORS. Customer acknowledges that Unanet is not acting as a subcontractor under Customer’s U.S. federal government contracts but is an external service provider to the Customer.
    3. Assessments and Audits. In an effort to maintain its FedRAMP Moderate Equivalency status, Unanet will engage an accredited third-party assessment organization (“3PAO”) to conduct an annual independent assessment of targeted security controls of the FedRAMP Products. These assessments, along with Unanet’s continuous monitoring activities, ensure ongoing compliance with FedRAMP Moderate requirements and the continued effectiveness of implemented security controls. Customer acknowledges that certain specific system security plans, detailed vulnerability assessments, and other sensitive security details may not be made available to Customer due to security and operational concerns. To access any Unanet FedRAMP Product-related compliance documentation, Customer must execute Unanet’s FedRAMP Products form of confidentiality agreement and agree to use such information solely for Customer’s compliance and audit purposes. Unanet may, in its sole discretion, impose additional access controls and security measures on such documentation, which may include providing view-only access through Unanet’s secure systems, requiring storage on FedRAMP-compliant systems only, limiting disclosure to Customer’s authorized auditors or compliance personnel, or imposing time-limited access.
    4. Integration and Scope. These FedRAMP Supplemental Terms are incorporated by reference into the Agreement. The Agreement, these FedRAMP Supplemental Terms, the applicable Scope of Work(s) (if any), and the applicable Order Form(s) together constitute the entire understanding between Unanet and Customer with respect to the FedRAMP Products. All terms and conditions of the Agreement remain in full force and effect except as expressly modified herein. In the event of a conflict between or among the documents comprising the Agreement with respect to the FedRAMP Products, the following order of precedence shall apply: (i) the Order Form; (ii) these FedRAMP Supplemental Terms; and (iii) the Unanet Cloud Terms and Conditions. These FedRAMP Supplemental Terms apply solely to the FedRAMP Products and do not modify or supersede any terms applicable to other Subscription Services provided by Unanet. For clarity, the terms of the Agreement shall continue to govern all other Subscription Services provided by Unanet. Capitalized terms used but not otherwise defined in these FedRAMP Supplemental Terms shall have the meaning ascribed to them in the Agreement.