Data Processing Agreement
1. Data processing agreement preamble
The customer agreeing to these terms (“Customer”), and Healthware Inc. (“Healthware”), have entered into an agreement under which Healthware has agreed to provide certain Services, which may be amended from time to time (the "Agreement").
This Data Processing Agreement and its appendices (the “DPA”), which is between Healthware and Customer (each, a “Party”, and together, “the Parties”), forms part of the Agreement and is the Parties’ agreement related to Healthware’s processing of Customer Personal Data. This DPA might be updated from time to time and will be effective and replace any previously applicable data processing agreement as from the Terms Effective Date (as defined below). To the extent of any conflict or inconsistency between the terms of this DPA and the remainder of the Agreement, the terms of this DPA will govern. Definitions are provided in Section 2.
The Parties acknowledge and agree that (a) under the Data Protection Legislation, Healthware is a Data Processor of Customer Personal Data listed in Appendix 1, (b) Customer subscribing to Healthware 's services may be a Data Controller or Data Processor, as applicable, of Customer Personal Data and (c) each Party will comply with the obligations applicable to it under the Data Protection Legislation with respect to the Processing of that Customer Personal Data.
Details on categories of data processed and data subjects concerned, Processing operations, location of Processing, and purpose and duration of Processing are provided in Appendix 1.
2. Definitions
Capitalized terms used but not defined in this DPA have the meanings given in the Agreement. In this DPA, unless stated otherwise:
“Affiliate” means any entity controlling, controlled by, or under common control with a Party, where “control” is defined as: (a) the ownership of at least fifty percent (50%) of the equity or beneficial interests of the entity; (b) the right to vote for or appoint a majority of the board of directors or other governing body of the entity; or (c) the power to exercise a controlling influence over the management or policies of the entity.
“Agreement” means the Services Agreement entered into between Healthware and the Customer for the provision of Services by Healthware to Customer.
“Customer Data” means data submitted, stored, sent or received via the Services by Customer, its Affiliates or End Users. Customer Data may also include Personal Data sent or otherwise made available by Customer to Healthware and/or Healthware’s Affiliates where Customer uses Healthware Affiliates Solutions.
“Customer Personal Data” means Personal Data contained within the Customer Data, as described in Appendix 1.
“Data Incident” means a breach of Healthware’s security measures leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data on systems managed by or otherwise controlled by Healthware. “Data Incidents” will not include unsuccessful attempts or activities that do not compromise the security of Customer Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.
“Effective Date” means the date on which Customer and Healthware agreed to this DPA and is the Agreement Effective Date.
“EEA” means the European Economic Area.
“End User” means natural persons authorized by Customer to access or use the Services, including Customer and Customer’s Affiliate personnel, employee, agent, or contractor.
“Data Protection Legislation” means, as applicable: (a) the GDPR; and/or (b) the Federal Data Protection Act of 19 June 1992 (Switzerland) ; and/or (c) the Data Protection Act 2018 (United Kingdom) ; (d) and/or as well as any data protection laws substantially amending, replacing or superseding the GDPR, the Federal Data Protection Act of Switzerland; and/or (e) other applicable European Union Member state domestic data protection or national/federal or state/provincial privacy legislation in force, including where applicable, statutes, decisions, guidelines, guidance notes, codes of practice, codes of conduct and data protection certification mechanisms issued from time to time by competent court or Supervisory Authority, relating to the Processing of personal data and privacy.
“GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the Processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
“Standard Contract Clauses” or “SCCs” means the standard data protection clauses for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection, as approved by the European Commission in Decision 2010/87/EU, as amended, replaced or superseded by any set of clauses approved by the European Commission. The Standard Contract Clauses are enclosed as Appendix 4 and are part of this agreement when applicable.
“Non-European Data Protection Legislation” means any national/federal or state/provincial/emirate data protection or privacy legislation, other than the Data Protection Legislation.
“Notification Email Address(es)” means the email address(es) designated by Customer to receive certain notifications from Healthware.
“Healthware’s Systems” means the computing and storage infrastructure contracted by Healthware to run the Services and to store the Customer Data. For the avoidance of doubt, Healthware’s Systems do not include Third-Party Service Provider Solution used by Customer and contracted by Customer, nor any of the Third-Party Offerings.
“Restricted Transfer” means (a) a transfer of Customer Personal Data from Customer to Healthware or Sub-Processor, or (b) an onward transfer of Customer Personal Data from Healthware or Sub-Processor to (or between two establishments of) Healthware or Sub-Processor, in each case, being a transfer to a country outside the EEA, where such transfer would be prohibited by European Data Protection Legislation in the absence of Standard Contract Clauses or other legal instruments required by European Data Protection Legislation.
“Sub-Processor(s)” mean third parties authorized by Processor under this DPA to have logical access to and process Customer Data on behalf of Customer in order to provide parts of the Services and related technical support, including Healthware’s Affiliates.
“Security Measures” has the meaning given in Section 11 (Healthware Security Measures).
“Services” means the services that have been purchased by the Customer pursuant to the Agreement and any applicable Order Form, which may include PrecisePK dosing software and any update or replacement thereof and technical support provided by Healthware to Customer according to the terms of the Agreement. The Services do not include (i) Healthware Affiliates Solution that may have been separately licensed by Customer, (ii) any Third Party Offerings that may have been separately licensed by Customer, nor (iii) the Third-Party Service Provider Solution used by Customer.
“Healthware Affiliates Solution” means any solution of software provided by one or more Healthware’s Affiliates, which supplements and/or are necessary to provide the Services performed by Healthware, that have either been (i) licensed by Customer from a Healthware’s Affiliate or (ii) licensed by Customer from Healthware.
The terms “Personal Data”, “Data Subject”, “Processing”, “Data Controller”, “Data Processor” and “Supervisory Authority” as used in this DPA have the meanings given to them in the GDPR, and the terms “Data Importer” and “Data Exporter” have the meanings given to them in the Standard Contract Clauses, in each case irrespective of whether the European Data Protection Legislation or Non-European Data Protection Legislation applies.
“Term” means the period from the Agreement Effective Date until the end of Healthware’s provision of the Services to Customer under the Agreement, including, if applicable, any period during which provision of the Services may be suspended and any post-termination period during which Healthware may continue providing the Services to Customer for transitional purposes.
“Third-Party Service Provider Solution” means any solution or software on which all or part of the Services are performed by Healthware, that have been separately licensed by Customer, as the case may be, from an unaffiliated Third-Party Service Provider. Third Party Service Providers Solutions may notably include Amazon, Google and Microsoft solutions or software.
“Terms Effective Date” means the date on which Customer accepted, or the parties otherwise agreed to, these Terms.
3. Duration
This DPA will take effect on the Agreement Effective Date and, notwithstanding expiry of the Term, remains in effect until, and automatically expire upon, deletion of all Customer Personal Data by Healthware as described in this DPA.
4. Scope
The Parties acknowledge and agree that the Data Protection Legislation will apply to the Processing of Customer Personal Data if:
- the Processing is carried out in the context of the activities of an establishment of Customer in the territory of the EEA/Switzerland; and/or
- the Customer Personal Data relates to Data Subjects who are in the EEA/ Switzerland and the Processing relates to the offering of goods or services in the EEA or the monitoring of their behaviour in the EEA.
5. Non-European data protection legislation
The Parties acknowledge and agree that Non-European Data Protection Legislation may also apply to the Processing of Customer Personal Data. Except to the extent this DPA states otherwise, the terms of this DPA will apply irrespective of whether the Data Protection Legislation or Non-European Data Protection Legislation applies to the Processing of Customer Personal Data by Healthware.
If Non-European Data Protection Legislation applies to either Party’s Processing of Customer Personal Data, the Parties acknowledge and agree that the relevant Party will comply with any obligations applicable to it under that legislation with respect to the Processing of that Customer Personal Data.
6. Third-party data controller
If the Data Protection Legislation applies to the Processing of Customer Personal Data and Customer is a Data Processor acting under the instructions of a third-party Data Controller, Customer warrants to Healthware that Customer’s instructions and actions with respect to that Customer Personal Data, including its appointment as Data Processor have been authorized by the Third-Party Data Controller and shall provide evidence thereof, at Healthware’s request.
7. customer's Instructions
By entering into this DPA, Customer instructs Healthware to Process Customer Personal Data only in accordance with the Data Protection Legislation and/or Non-European Data Protection Legislation, as applicable:
- to provide the Services and related technical support
- as further specified by Customer or required by Customer’s use of the Services and related technical support;
- as documented in the form of the Agreement, including this DPA; and
- as further documented in any other legitimate and written instructions given by Customer and acknowledged by Healthware as constituting instructions for purposes of this DPA.
As from the Effective Date, Healthware will comply with the Customer’s instructions provided in this Section, including with regard to Personal Data transfers, in accordance with Section 19.
Healthware shall not process, transfer, modify, amend or alter Customer Personal Data or disclose or permit the disclosure of the Customer Personal Data to any third-party other than in accordance with the Customer’s instructions (whether in the Agreement or otherwise) unless EU law or EU Member State law to which Processor is subject requires other Processing of Customer Personal Data by Healthware, in which case Healthware will inform Customer prior to implement the Processing (unless that law prohibits Processor from doing so on important grounds of public interest) via the Notification Email Address.
Healthware agrees to immediately inform the Customer if, in its opinion, an instruction infringes the applicable Data Protection Legislation.
8. Deletion During Term
Healthware will enable Customer to delete Customer Personal Data during the Term in a manner consistent with the functionality of the Services.
If Customer or an End-User uses the Services to delete any Customer Personal Data during the Term and the Customer Personal Data cannot be recovered by Customer or an End User, this use will constitute a Customer’s Instruction to Healthware to delete the relevant Customer Personal Data from Healthware’s Systems in accordance with applicable Data Protection Legislation. Healthware will comply with this instruction as soon as reasonably practicable and within a maximum period of 90 days, unless EU or EU Member State law requires or justifies that such Customer Personal Data be retained by Healthware for a longer period of time.
9. Deletion on Term Expiry
Subject to Section 10 (Deferred Deletion Instructions), upon expiry of the Term, Customer shall instruct Healthware to delete all Customer Personal Data (including existing copies) from Healthware’s Systems in accordance with applicable Data Protection Law. Processor will comply with this Instruction as soon as reasonably practicable and within a maximum period of 90 days, unless EU or EU Member State law requires or justifies that such Customer Personal Data be retained by Processor for a longer period of time.
Without prejudice to Section 18 (Data Subjects Rights and Requests) Customer acknowledges and agrees that Customer will be responsible for exporting, before the Term expires, any Customer Data it wishes to retain afterwards.
10. Deferred Deletion Instruction
To the extent any Customer Personal Data covered by the deletion instruction described in Section 9 (Deletion on Term Expiry) is also processed, when the Term under Section 9 expires, in relation to an agreement between Customer and Healthware having a continuing Term, such deletion instruction will only take effect with respect to such Customer Personal Data when the continuing Term expires. For clarity, in the event of a Deferred Deletion Instruction, this DPA will continue to apply to such Customer Personal Data until its deletion by Healthware.
11. Healthware Security Measure
Healthware will implement and maintain technical and organizational measures to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access as described in Appendix 2 (the “Security Measures”). As described in Appendix 2, the Security Measures include measures to help ensure ongoing confidentiality, integrity, availability and resilience of Healthware’s Systems, restore timely access to Customer Personal Data following a Data Incident and regular testing of effectiveness.
Healthware may update or modify the Security Measures in Appendix 2 from time to time provided that such updates and modifications do not result in the degradation of the overall security of the Services or Healthware’s Systems.
We will get your express opt-in consent before we share your personal data with any third party for marketing purposes.
Customer acknowledges that Customer Data will be hosted in a Third-Party Service Provider data centers, by Third-Party Service Provider and/or one or more of its affiliated entities (collectively, “Third-Party Service Providers”) (and not by Healthware) and, as a consequence, that most of the technical and organisational security measures relating to the Customer Personal Data (as notably referred to in Appendix 2) will be provided by the applicable Third-Party Service Provider under its own liability.
Accordingly, and notwithstanding any other provision in the Agreement, Healthware disclaims any and all responsibility in relation to any acts and/or omission of Third-Party Service Provider, including notably (without limitation) for such Third-Party Service Provider’s technical and organisational security measures as listed for information purposes only and without any representation in Appendix 2.
Customer agrees to disclaim Healthware’s liability, in the event of any non-compliance of the Third-Party Service Provider under the applicable agreement.
12. Security Compliance by Processor
Healthware will take appropriate steps to ensure compliance with the Security Measures by its employees, contractors, agents and Sub-Processors to the extent applicable to their scope of performance, including ensuring that all persons authorized to process Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality, and that such personnel has undertaken appropriate training in accordance with the Data Protection Legislation.
13. Processor Security Assistance
Customer agrees that Healthware will (taking into account the nature of the Processing of Customer Personal Data and the information available to Healthware) assist Customer in ensuring compliance with Customer’s obligations in respect of security of Customer Personal Data and Customer Personal Data breaches, in particular in the event of a Data Incident, including if applicable Customer’s obligations pursuant to Articles 32 to 34 (inclusive) of the GDPR, by:
- implementing and maintaining the Security Measures in accordance with Section 11 (Healthware’s Security Measures);
- complying with the terms of Section 14 (Data Incidents).
14. Data Incidents
If Healthware becomes aware of a Data Incident, Healthware will:
- notify Customer of the Data Incident promptly and without undue delay; and
- promptly take reasonable steps to minimize harm and secure Customer Personal Data. Notifications will describe, to the extent possible, details of the Data Incident, including steps taken to mitigate the potential risks and steps Healthware recommends Customer to take to address the Data Incident.
Notification(s) of any Data Incident(s) will be delivered to the Notification Email Address or, at Healthware’s discretion, by direct communication (for example, by phone call or an in-person meeting). Customer is solely responsible for ensuring that the Notification Email Address is current and valid at any time.
Healthware will not assess the contents of Customer Data in order to identify information subject to any specific legal requirements.
Customer is solely responsible for complying with notification obligations provided by Data Protection Legislation or Non-European Data Protection Legislation, as applicable to Customer, and fulfilling any third party notification obligations related to any Data Incident(s).
Healthware’s notification of or response to a Data Incident under this Section 14 (Data Incidents) will not be construed as an acknowledgement by Healthware of any fault or liability with respect to the Data Incident.
15. Customer's Security Responsibilities and Assessment
Customer agrees that, without prejudice to Healthware’s obligations under Sections 11-13 (Healthware’s Security Measures, Controls and Assistance) and Section 14 (Data Incidents):
- Customer is solely responsible for its use of the Services, including: (i) making appropriate use of the Services to ensure a level of security appropriate to the risk in respect of the Customer Data; (ii) securing the account authentication credentials, systems and devices Customer uses to access the Services; and (iii) backing up Customer Data; and
- Healthware has no obligation to protect Customer Data that Customer elects to store or transfer outside of Processor’s and its Sub-Processors’ systems (for example, offline or on-premise storage, or Customer’s Third-Party Service Provider).
Customer is solely responsible for evaluating whether the Services, the Security Measures and Healthware’s commitments under Sections 11-15 meet Customer’s needs, including with respect to any security obligations of Customer under the Data Protection Legislation and/or Non-European Data Protection Legislation, as applicable.
Customer acknowledges and agrees that (taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the Processing of Customer Personal Data as well as the risks to individuals) the Security Measures implemented and maintained by Healthware as set out in Section 8 (Healthware’s Security Measures) and Appendix 2 provide a level of security appropriate to the risk in respect of the Customer Data.
16. Audits of compliance
Subject to Section 16.3., upon Customer’s written request, Healthware will provide Customer with the most recent summary audit report(s) concerning the compliance and undertakings in this Agreement. Healthware’s policy is to share methodology, and executive summary information, not raw data or private information. Healthware will reasonably cooperate with Customer by providing available additional information to help Customer better understand such compliance and undertakings. To the extent it is not possible to otherwise satisfy an audit obligation mandated by applicable Data Protection Laws and Regulations and subject to Section 16.3, only the legally mandated entity (such as a governmental regulatory agency having oversight of Customer’s operations) may conduct an onsite visit of the facilities used to provide the Services. Unless mandated by Data Protection Laws and Regulations, no audits are allowed within a data center for security and compliance reasons. After conducting an audit under this Section 16 or after receiving an Healthware report under this Section 16, Customer must notify Healthware of the specific manner, if any, in which Healthware does not comply with any of the security, confidentiality, or data protection obligations in this DPA, if applicable. Any such information will be deemed Confidential Information of Healthware.
Customer may not audit Healthware’s sub-processors without Healthware’s and Healthware’s sub-processor’s prior agreement. Customer agrees its requests to audit sub-processors may be satisfied by Healthware or Healthware’s sub-processors presenting up-to-date attestations, reports or extracts from independent bodies, including without limitation external or internal auditors, Healthware’s data protection officer, the IT department, or other mutually agreed third parties by way of an IT security or data protection audit. Onsite audits at sub-processors premises may be performed by Healthware acting on behalf of Controller.
Unless required by Data Protection Laws and Regulations, Customer may request a summary audit report(s) or audit Healthware no more than once annually. Customer must provide at least four (4) weeks’ prior written notice to Healthware of a request for summary audit report(s) or request to audit. The scope of any audit will be limited to Healthware’s policies, procedures and controls relevant to the protection of Customer’s Personal Data and defined in Schedule 1. Subject to Section 16.2., all audits will be conducted during normal business hours, at Healthware’s principal place of business or other Healthware location(s) where Personal Data is accessed, processed or administered, and will not unreasonably interfere with Healthware’s day-to-day operations. An audit will be conducted at Customer‘s sole cost and by a mutually agreed upon third party who is engaged and paid by Customer, and is under a non-disclosure agreement containing confidentiality provisions substantially similar to those set forth in the Agreement, obligating it to maintain the confidentiality of all Healthware Confidential Information and all audit findings. Further, Customer agrees to pay the costs of any support provided by Healthware (including internal resources) based on Healthware’s then-current rates. Before the commencement of any such on-site audit, Healthware and Customer shall mutually agree upon the timing, and duration of the audit. Healthware will reasonably cooperate with the audit, including providing auditor the right to review but not to copy Healthware security information or materials during normal business hours. Customer shall, at no charge, provide to Healthware a full copy of all findings of the audit. The results of the audit will be considered “Confidential Information” of Healthware.
17. Impact Assessments and consultations
Customer agrees that Healthware will (taking into account the nature of the Processing and the information available to Processor) provide Customer with reasonable assistance in ensuring compliance with any obligations of Customer relating to Customer Personal Data in respect of data protection impact assessments and prior consultation, including if applicable Customer’s obligations pursuant to Articles 35 and 36 of the GDPR, to the extent necessary information is available to Healthware.
18. Data Subject Rights and Request
During the Term, Healthware will, in a manner consistent with the functionality of the Services, enable Customer to access, rectify and restrict Processing of Customer Personal Data, or erase Customer Personal Data, as applicable, including via the deletion functionality provided by Healthware as described in Section 8 (Deletion During Term), and to export Customer Personal Data, as required by Data Protection Legislation and/or Non-European Data Protection Legislation, as applicable.
During the Term, if Healthware receives any request from a Data Subject in relation to Customer Personal Data, Healthware will advise the Data Subject to submit his/her request to Customer or directly report such request to Customer using the Notification Email Address or any other communication channel, and Customer will be responsible for responding to any such request including, where necessary, by using the functionality of the Services.
Customer agrees that (taking into account the nature of the Processing of Customer Personal Data) Healthware will provide Customer with reasonable assistance in fulfilling any obligation to respond to requests by Data Subjects, including if applicable Customer’s obligation to respond to requests for exercising the Data Subject’s rights laid down in Chapter III of the GDPR, by complying with the commitments set out in this Section 18, to the extent Healthware is able to respond to such requests.
18. Personal data transfer
Customer acknowledges and agrees that Healthware may, subject to this Section 19 (Personal Data Transfer), store and process Customer Data in the United States and any other country outside the EEA in which Healthware or Sub-Processors maintain facilities.
If the storage and/or Processing of Customer Personal Data involves a Restricted Transfer, Healthware and Customer hereby agree to enter into the Standard Contract Clauses enclosed in Appendix 4 and such terms are hereby incorporated by reference into this DPA. To the extent there is any conflict between any term of the Standard Contract Clauses and any other part of this DPA or the TOS Agreement, the term of the Standard Contract Clauses shall prevail. Any Restricted Transfers shall be made in accordance with such Standard Contract Clauses. Healthware will impose under a written agreement the same obligations on the Sub-Processors, if any, as are imposed on the Processor under this DPA and the Standard Contract Clauses. Where the Sub-Processor fails to fulfil its data protection obligations under such written agreement, Healthware shall remain fully liable to the Customer for the performance of the Sub-Processor's obligations under such agreement.
In addition, where provision of the Services involves a Restricted Transfer from Healthware to a Sub-Processor located outside EU, Customer (on behalf of itself and its relevant Affiliates) mandates Healthware, which mandate Healthware hereby accepts, to promptly enter, on Customer's own name and behalf as Data Exporter (Sub-Processor being the Data Importer), into a Data processing agreement with any Sub-Processor engaged by Healthware in such Restricted Transfer, before such Sub-Processor first Processes Customer Personal Data, so as to ensure that any such Restricted Transfer complies with the Data Protection Legislation. Such Personal Data processing agreement shall (a) meet the conditions set out in Article 28 of the GDPR and offer at least the same level of protection for Customer Personal Data as those set out in this DPA and (b) incorporate Standard Contract Clauses. When Healthware uses Third Party Service Provider Cloud Platform to host and/or provide the Services, information about the locations of Healthware’s Third Party Service Providers’ data centers is available at the Third Party Service Providers’ pages specifying servers locations and may be updated by the Third Party Service Provider from time to time. If Customer has entered into Standard Contract Clauses as described in this Section 19 (Personal Data Transfer), Healthware will, notwithstanding any term to the contrary in the Agreement, ensure that any disclosure of Customer Personal Data, and any notifications relating to any such disclosures, will be made in accordance with such Standard Contract Clauses. If any supervisory authority adopts revised standard contractual clauses for the matters addressed in this DPA and Customer notifies Healthware that it wishes to incorporate any element of those standard contractual clauses into this DPA, Healthware and Customer may agree to amend this DPA to incorporate any proposed changes as reasonably required by the newly adopted standard contractual clauses. In the event that the Standard Contract Clauses enclosed in Appendix 4 are deemed to no longer be a valid transfer mechanism to legitimise Restricted Transfers, Healthware and Customer may agree to amend this DPA in order to establish a legitimate transfer of Customer Personal Data outside the EEA.
19. Sub-processors
Customer hereby specifically authorizes the engagement of Healthware’s Affiliates as Sub-Processors pursuant to the Agreement and for the Term. In addition, Customer hereby generally authorizes the engagement of any other third parties as Sub-Processors (“Third Party Service Provider Sub-Processors”), subject to Healthware’s compliance with this Section 20. Customer hereby authorizes all “Sub-Processors” listed in Appendix 3.
If Customer has entered into Standard Contract Clauses as described in Section 19 (Personal Data Transfer), the above authorizations will constitute Customer’s prior written consent to the subcontracting by Healthware of the Processing of Customer Personal Data if such consent is required under the Standard Contract Clauses and Data Protection Legislation and/or Non-European Data Protection Legislation, as applicable. Information about Sub-Processors is available in Appendix 3 and may be updated by Healthware from time to time in accordance with this DPA.
When engaging any Sub-Processor, Healthware will:
(a) ensure via a written legal instrument or contract that:
- the Sub-Processor only accesses and processes Customer Personal Data to the extent required to perform the obligations subcontracted to it, and does so in accordance with the Agreement (including this DPA) and any Standard Contract Clauses entered into as described in Section 8 (Transfers of Data Out of the EEA), as applicable; and
- if the GDPR applies to the Processing of Customer Personal Data, the data protection obligations set out in Article 28(3) of the GDPR, as described in this DPA, are mandated by said legal instrument or contract on the Sub-Processor; and
(b) remain fully liable for all obligations subcontracted to, and all acts and omissions of, the Sub-Processor.
When any Third-Party Sub-Processor not listed in Appendix 3 at the Agreement Effective Date is engaged during the Term, Healthware will, at least 30 days before the new Third-Party Sub-Processor processes any Customer Personal Data, inform Customer of the engagement (including the name and location of the relevant Third-Party Sub-Processor and the activities it will perform) by sending an email to the Notification Email Address.
Customer may object to any new Third-Party Sub-Processor by terminating the Agreement immediately upon written notice to Healthware, provided that Customer sends such notice within 90 days of being informed of the engagement of the Third-Party Sub-Processor. This termination right is Customer’s sole and exclusive remedy if Customer objects to any new Third-Party Sub-Processor.
20. processing records
Customer acknowledges that Healthware is required under the GDPR to: (a) collect and maintain records of certain information, including the name and contact details of any Data Processor and/or Data Controller on behalf of which Processor is acting and, where applicable, of such Data Processor’s or Data Controller's local representative and data protection officer, as well as the categories of Processing carried out on behalf of each Data Controller, where possible a general description of the technical and organisational security measures; and (b) make such information available to the Supervisory Authorities.
21. Miscellaneous
Neither the rights nor the obligations of any Party may be assigned in whole or in part without the prior written consent of the other Party, provided, however, that this DPA may be transferred or assigned in the event of a restructuring or change of control affecting a Party hereto.
Should any provision of this DPA be deemed invalid or unenforceable by a competent court, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the Parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.
Any amendments to this DPA shall be made in writing, otherwise being null and void.
22. Limitation of liability
Each party’s and all of its affiliates’ liability, taken together in the aggregate, arising out of or related to this DPA whether in contract, tort or under any other theory of liability, is subject to the “Limitation of Liability” section of the TOS, and any reference in such section to the liability of a party means the aggregate liability of that party and all of its affiliates under the TOS and this Data Protection Agreement. For the avoidance of doubt, Healthware’s and its affiliates’ total liability for all claims from the Customer arising out of or related to the TOS and the present Agreement shall apply in the aggregate for all claims under both the TOS and this Data Protection Agreement.
Governing Law. The parties agree that (1) governing law of this DPA, and (2) the forum for all disputes in respect of this DPA, shall be the same as set out in the Agreement, unless otherwise required by applicable Data Protection Laws and Regulations.
23. Governing Law
In the event of any dispute arising between the Parties in connection with this DPA, the Parties shall negotiate in good faith to resolve their dispute. If the dispute cannot be resolved by good faith negotiations by the Parties, both parties hereby irrevocably submit any disputes under this DPA to the jurisdiction of the State and Federal courts located in San Francisco, CA.
This DPA is governed by the laws of California, without reference to its rules governing conflicts of laws.
Appendix 1 - Customer personal data processing details
Subject Matter
Healthware’s provision of the Services and related technical support to Customer.
Categories of Data Subjects
Categories of Data Subjects whose Personal Data will be Processed by Service Provider
Data Subjects whose Personal Data is provided to Healthware via the Services, by (or at the direction of) Customer or by End Users, including (a) End Users (including Customer’s employees and contractors); (b) Customer’s own customers, Healthware's and subcontractors; (and each of their personnel); (c) persons whose Personal Data is collected (including government officials, contractors, external experts, healthcare professionals, collaborators and research subjects); and (d) any other person who transmits data via the Services, including individuals collaborating and communicating with End Users.
Categories of data
Personal Data that will be Processed by Healthware
Personal Data that will be Processed by Healthware and it includes data submitted, stored, sent or received by Customer, its Affiliates or End Users via the Services such as user IDs, first and last names, transactional and financial data, health data, contact details, location data, gender, title, age, date of birth, event attendance, email, textual information used in documents and document titles, description and other metadata, text and images to be displayed by the Service, audit log information, system log information and other data.
Location of Processing Operations
Locations where the personal data will be Processed by Healthware
Personal Data submitted, stored, sent or received by Customer, its Affiliates or End Users via the Services may be processed at Healthware’s location situated at 9191 Towne Centre Drive, Suite 540, San Diego, CA, 92122, United States.
Purposes
Purposes for which the Personal Data will be Processed by Healthware
Healthware will process Customer Personal Data submitted, stored, sent or received by Customer, its Affiliates or End Users via the Services for the purposes of providing the Services and related technical support to Customer in accordance with this DPA.
Duration of processing
The length of time for which Processing activities will be carried out Healthware
The applicable Term plus the period from expiry of such Term until deletion of all Customer Personal Data by Healthware in accordance with this DPA.
Appendix 2 - Security Measures
As from the Effective Date, Healthware will implement and maintain the Security Measures set out in this Appendix 2 to this DPA. Healthware may update or modify such Security Measures from time to time provided that such updates and modifications do not result in the degradation of the overall security of Healthware’s System and of the Services.
Infrastructure security. Healthware uses Amazon Web Services to host Healthware’s Systems. All of Healthware’s Systems are fully managed by Amazon, who is responsible for the networking security of Healthware’s Systems and the physical resilience of our data centers. Amazon’s security measures regarding the AWS Suite and infrastructures are described on this page https://aws.amazon.com/security/.
Personnel Security: Healthware personnel accessing Healthware’s Systems are authenticated via the AWS account, protected by the same physical, networking and organizational measures as described above. Healthware personnel are required to conduct themselves in a manner consistent with the company’s guidelines regarding confidentiality, business ethics, appropriate usage, and professional standards. Healthware conducts reasonably appropriate background checks to the extent legally permissible and in accordance with applicable local labour law and statutory regulations. Personnel are required to execute a confidentiality agreement and must acknowledge receipt of, and compliance with, Healthware’s confidentiality and privacy policies. Personnel are also required to undertake appropriate training on privacy and data protection principles in compliance with the Data Protection Legislation.
Sub-Processor Security. Before onboarding Sub-Processors, Healthware conducts an audit of the security and privacy practices of Sub-Processors to ensure Sub-Processors provide a level of security and privacy appropriate to their access to Customer Personal Data and the scope of the services they are engaged to provide. Once Healthware has assessed the risks presented by the Sub-Processor, then subject always to the requirements set out in Section 20 (Requirements for Sub-Processor Engagement) of this DPA, the Sub-Processor is required to enter into appropriate security, confidentiality and privacy contract terms.
Appendix 3 - Sub-Processors
Healthware uses the following Sub-Processors for the performance of the Services:
Sub-Processor Name
Sub-Processing Acitvity
Amazon Web Services Inc.
Data Center and Diagnostics
Google LLC
Email and Cloud Storage of Documents, Video Conferencing, Mobility, and Web Meetings
Slack Technologies, Inc.
Internal Team Communication tool
Dropbox, Inc.
File hosting service
Zoom Video Communications Inc.
Video Conferencing, Mobility, and Web Meetings
Microsoft, Inc.
Video Conferencing, Mobility, and Web Meetings
HubSpot, Inc.
Marketing, Sales, Customer Service and CRM
Atlassian Pty Ltd.
Healthware Inc. utilizes JIRA for certain bug and ticket handling. Accordingly, some information that you submit into a support ticket may be processed by Atlassian.
TeamViewer GmbH
Remote access and control tool
Intuit Inc. (Quickbooks)
Accounting Software and Payment integration
PayPal Holdings, Inc.
Payment services
Loom
Screen Recording Services for Tutorial Videos
Cloud Raxak
Consulting services for PPK AWS Configurations
Github
IT Service management, coding collaboration and repository
Datadog
Monitoring service for cloud-scale applications, providing monitoring of servers, databases, tools, and services, through a SaaS-based data analytics platform
Mixpanel
Tracks user interactions with web and mobile applications and provides tools for targeted communication with them
Docker
Central application containerizer
Gusto
Timecard and Payment Services
LastPass
Password Management
Vetty
Employee Background Check
Jira
Task Management
Figma
User Interface design tool and media creation
Adobe
Document Production Tool with Adobe Illustrator, Adobe Acrobat Pro DC
Microsoft Intune
Cloud-based service focusing on both Mobile Device Management (MDM) alongside mobile application management (MAM)
Notion
Host for User Manual
Office 365
Microsoft Word, Microsoft Excel, Microsoft Powerpoint
Calendly
Meeting Booking and Scheduling Tool
Webflow
PrecisePK.com Website Hosting
Olark
Instant Online Messaging Box
RingCentral
Company Phone Line, Customer Communication
ValueLabs
Optimizing AWS Architecture and security posture
Appendix 4 - Standard Contract Clauses
Model Contractual Clauses (processor) for the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection
Healthware (the “Data Importer”) and Customer (the “Data Exporter”), each a “party”, together “the parties”, agree on the following Model Contractual Clauses (the Clauses) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the Data Exporter to the Data Importer of the personal data specified in the Clauses Schedule 1. The Clauses (including Schedules 1 and 2) are incorporated by reference into the Data Processing Agreement and are effective from the DPA Effective Date.
Clause 1 - Definitions
For the purposes of the Clauses:
- Personal data, special categories of data, process/processing, controller, processor, Data Subject and Supervisory Authority shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;
- Data Exporter means the controller who transfers the personal data;
- Data Importer means the processor who agrees to receive from the Data Exporter personal data intended for processing on his behalf after the transfer in accordance with his instructions and the terms of the Clauses and who is not subject to a third country’s system ensuring adequate protection within the meaning of Article 25 (1) of Directive 95/46/EC;
- Applicable data protection law means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the Member State in which the Data Exporter is established;
- Technical and organisational security measures means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.
Clause 2 - Details of the transfer.
The details of the transfer and in particular the special categories of personal data where applicable are specified in Schedule 1 which forms an integral part of the Clauses.
Clause 3 - Third-party beneficiary clause
The Data Subject can enforce against the Data Exporter this Clause, Clause 4(b) to (i), Clause 5(a) to (e), and (g) to (j), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as third-party beneficiary.
The Data Subject can enforce against the Data Importer this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where the Data Exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the Data Exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the Data Exporter, in which case the Data Subject can enforce them against such entity.
The Data Subject can enforce against the Sub-Processor this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where both the Data Exporter and the Data Importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the Data Exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the Data Subject can enforce them against such entity. Such third-party liability of the Sub-Processor shall be limited to its own processing operations under the Clauses.
The parties do not object to a Data Subject being represented by an association or other body if the Data Subject so expressly wishes and if permitted by national law.
Clause 4 - Obligations of the Data Exporter
The Data Exporter agrees and warrants:
- That the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the Data Exporter is established) and does not violate the relevant provisions of that State;
- That it has instructed and throughout the duration of the personal data processing services will instruct the Data Importer to process the personal data transferred only on the Data Exporter’s behalf and in accordance with the applicable data protection law and the Clauses;
- That the Data Importer will provide sufficient guarantees in respect of the technical and organisational security measures specified in Schedule 2 to the Clauses;
- That after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;
- That it will ensure compliance with the security measures;
- That, if the transfer involves special categories of data, the Data Subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of Directive 95/46/EC;
- To forward any notification received from the Data Importer or any Sub-Processor pursuant to Clause 5(b) and Clause 8(3) to the data protection supervisory authority if the Data Exporter decides to continue the transfer or to lift the suspension;
- To make available to the Data Subjects upon request a copy of the Clauses, with the exception of Schedule 2, and a summary description of the security measures, as well as a copy of any contract for sub-processing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information;
- That, in the event of sub-processing, the processing activity is carried out in accordance with Clause 11 by a Sub-Processor providing at least the same level of protection for the personal data and the rights of Data Subject as the Data Importer under the Clauses; and
- That it will ensure compliance with Clause 4(a) to (i).
The Data Exporter acknowledges that its data will be hosted in the Amazon Web Services Inc.'s data centers of Amazon. and/or one or more of its affiliated entities (collectively, “Amazon”) (and not by the Data Importer) and, as a consequence, that most of the technical and organisational security measures relating to the Data Importer's data (as notably referred to in paragraphs 4c., 4d., 4e. and 4h. above) will be provided by the applicable Amazon entity under its own liability. Accordingly, and notwithstanding any other provision in these Clauses, the Data Importer disclaims any and all responsibility in relation to any acts and/or omission of Amazon, including notably (without limitation) for such Amazon technical and organisational security measures as listed for information purposes only and without any representation in Schedules 1 and 2.
Clause 5 - Obligations of the Data Importer
The Data Importer agrees and warrants:
- To process the personal data only on behalf of the Data Exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the Data Exporter of its inability to comply, in which case the Data Exporter is entitled to suspend the transfer of data and/or terminate the contract;
- That it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the Data Exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the Data Exporter as soon as it is aware, in which case the Data Exporter is entitled to suspend the transfer of data and/or terminate the contract;
- That it has implemented the technical and organisational security measures specified in Schedule 2 before processing the personal data transferred;
- That it will promptly notify the Data Exporter about:
- Any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation;
- Any accidental or unauthorised access; and
- Any request received directly from the Data Subjects without responding to that request, unless it has been otherwise authorised to do so;
- To deal promptly and properly with all inquiries from the Data Exporter relating to its processing of the personal Data Subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred;
- At the request of the Data Exporter to submit its data-processing facilities for audit of the processing activities covered by the Clauses which shall be carried out by the Data Exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the Data Exporter, where applicable, in agreement with the supervisory authority;
- To make available to the Data Subject upon request a copy of the Clauses, or any existing contract for sub-processing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, with the exception of Schedule 2 which shall be replaced by a summary description of the security measures in those cases where the Data Subject is unable to obtain a copy from the Data Exporter;
- That, in the event of sub-processing, it has previously informed the Data Exporter and obtained its prior written consent;
- That the processing services by the Sub-Processor will be carried out in accordance with Clause 11;
- To send promptly a copy of any Sub-Processor agreement it concludes under the Clauses to the Data Exporter.
Clause 6 - Liability
The parties agree that any Data Subject, who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any party or Sub-Processor is entitled to receive compensation from the Data Exporter for the damage suffered.
If a Data Subject is not able to bring a claim for compensation in accordance with paragraph 1 against the Data Exporter, arising out of a breach by the Data Importer or his Sub-Processor of any of their obligations referred to in Clause 3 or in Clause 11, because the Data Exporter has factually disappeared or ceased to exist in law or has become insolvent, the Data Importer agrees that the Data Subject may issue a claim against the Data Importer as if it were the Data Exporter, unless any successor entity has assumed the entire legal obligations of the Data Exporter by contract or by operation of law, in which case the Data Subject can enforce its rights against such entity. The Data Importer may not rely on a breach by a Sub-Processor of its obligations in order to avoid its own liabilities.
If a Data Subject is not able to bring a claim against the Data Exporter or the Data Importer referred to in paragraphs 1 and 2, arising out of a breach by the Sub-Processor of any of their obligations referred to in Clause 3 or in Clause 11 because both the Data Exporter and the Data Importer have factually disappeared or ceased to exist in law or have become insolvent, the Sub-Processor agrees that the Data Subject may issue a claim against the data Sub-Processor with regard to its own processing operations under the Clauses as if it were the Data Exporter or the Data Importer, unless any successor entity has assumed the entire legal obligations of the Data Exporter or Data Importer by contract or by operation of law, in which case the Data Subject can enforce its rights against such entity. The liability of the Sub-Processor shall be limited to its own processing operations under the Clauses.
Without prejudice to paragraphs 1, 2 and 3 of Clause 6, each party’s aggregate liability to the other under or in connection with these Clauses (whether in contract, tort or otherwise) is limited to the amount paid for the services by Customer which is party to the Agreement in the 12 months immediately preceding the event (or first in a series of connected events) giving rise to the liability.
Clause 7 - Mediation and jurisdiction
The Data Importer agrees that if the Data Subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the Data Importer will accept the decision of the Data Subject;
- to refer the dispute to mediation, by an independent person or, where applicable, by the supervisory authority;
- to refer the dispute to the courts in the Member State in which the Data Exporter is established.
The parties agree that the choice made by the Data Subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.
Clause 8 - Cooperation with supervisory authorities
The Data Exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the applicable data protection law.
The parties agree that the supervisory authority has the right to conduct an audit of the Data Importer, and of the Sub-Processor, which has the same scope and is subject to the same conditions as would apply to an audit of the Data Exporter under the applicable data protection law.
The Data Importer shall promptly inform the Data Exporter about the existence of legislation applicable to it or any Sub-Processor preventing the conduct of an audit of the Data Importer, or any Sub-Processor, pursuant to paragraph 2. In such a case the Data Exporter shall be entitled to take the measures foreseen in Clause 5(b).
Clause 9 - Governing Law
The Clauses shall be governed by the law of the Member State in which the Data Exporter is established.
Clause 10 - Variation of the contract
The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clause.
Clause 11 - Sub-Processing
The Data Importer shall not subcontract any of its processing operations performed on behalf of the Data Exporter under the Clauses without the prior written consent of the Data Exporter. Where the Data Importer subcontracts its obligations under the Clauses, with the consent of the Data Exporter, it shall do so only by way of a written agreement with the Sub-Processor which imposes the same obligations on the Sub-Processor as are imposed on the Data Importer under the Clauses. Where the Sub-Processor fails to fulfil its data protection obligations under such written agreement the Data Importer shall remain fully liable to the Data Exporter for the performance of the Sub-Processor’s obligations under such agreement.
The prior written contract between the Data Importer and the Sub-Processor shall also provide for a third-party beneficiary clause as laid down in Clause 3 for cases where the Data Subject is not able to bring the claim for compensation referred to in paragraph 1 of Clause 6 against the Data Exporter or the Data Importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the Data Exporter or Data Importer by contract or by operation of law. Such third-party liability of the Sub-Processor shall be limited to its own processing operations under the Clauses.
The provisions relating to data protection aspects for sub-processing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the Data Exporter is established.
The Data Exporter shall keep a list of sub-processing agreements concluded under the Clauses and notified by the Data Importer pursuant to Clause 5(j), which shall be updated at least once a year. The list shall be available to the Data Exporter’s data protection supervisory authority.
Clause 12 - Obligation after the termination of personal data processing services
The parties agree that on the termination of the provision of data processing services, the Data Importer and the Sub-Processor shall, at the choice of the Data Exporter, return all the personal data transferred and the copies thereof to the Data Exporter or shall destroy all the personal data and certify to the Data Exporter that it has done so, unless legislation imposed upon the Data Importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the Data Importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.
The Data Importer and the Sub-Processor warrant that upon request of the Data Exporter and/or of the supervisory authority, it will submit its data processing facilities for an audit of the measures referred to in paragraph 1.
Schedule 1 to the Model Contractual Clauses
Data Exporter
The Data Exporter is the Customer legal entity that is a party to the Clauses.
Data Importer
The Data Importer is Healthware, a global provider of a variety of technology services for businesses.
Categories of Data Subjects
The personal data transferred concern personal data submitted, stored, sent or received by Customer, its Affiliates or End Users via the Services and concerning the categories of Data Subjects listed in the DPA Appendix 1.
Categories of Data
The personal data transferred is personal data that will be Processed by Healthware including data submitted, stored, sent or received by Customer, its Affiliates or End Users via the Services as listed in the DPA Appendix 1
Processing operations
The personal data transferred will be subject to the following basic processing activities:
- Scope of Processing:
- Clauses reflect the parties’ agreement with respect to the processing and transfer of personal data specified in this Schedule pursuant to the provision of the “Service” as defined under the Agreement.
- Personal data may be processed for the following purposes: (a) to provide the Service, (which may include the detection, prevention and resolution of security and technical issues); (b) to respond to customer support requests; and (c) otherwise to fulfil the obligations under the Agreement.
- The Data Exporter instructs the Data Importer to process personal data in countries in which the Data Importer or its Sub-Processors maintain facilities as necessary for it to provide the Service
- Term of Data Processing:
- Data processing will be for the term specified in the Agreement. For the term of the Agreement, and for a reasonable period of time after the expiry or termination of the Agreement, the Data Importer will provide the Data Exporter with access to, and the ability to export, the Data Exporter’s personal data processed pursuant to the Agreement and this DPA.
- Personal data may be processed for the following purposes: (a) to provide the Service, (which may include the detection, prevention and resolution of security and technical issues); (b) to respond to customer support requests; and (c) otherwise to fulfil the obligations under the Agreement.
- The Data Exporter instructs the Data Importer to process personal data in countries in which the Data Importer or its Sub-Processors maintain facilities as necessary for it to provide the Service
- Data Deletion: For the term of the Agreement, the Data Importer will provide the Data Exporter with the ability to delete the Data Exporter’s personal data from the Service. After termination or expiry of the Agreement, the Data Importer will delete the Data Exporter’s personal data in accordance with the Agreement and this DPA.
- Access to Data: For the term of the Agreement, the Data Importer will provide the Data Exporter with the ability to correct, block, export and delete the Data Exporter’s personal data from the Service in accordance with the Agreement and this DPA.
- Sub-Processors: The Data Importer may engage Sub-Processors to provide parts of the Service, in accordance with the Agreement and this DPA. The Data Importer will ensure Sub-Processors only access and use the Data Exporter’s personal data to provide the Service