Data Processing Agreement
Version: July 4th, 2024
1. Introduction
This Exhibit 1 to the Cloud Subscription Agreement describes specific terms in respect of the Processing of Client Personal Data by Extra Horizon (the “Processor”) in connection with use of the Licensed Products and the provision of Services under the Agreement (collectively the “Services”) as may be provided to the Client (the “Controller”) by Extra Horizon in connection with the Agreement, the terms of which are incorporated herein by reference. In the event of a conflict between the Agreement and any provision of this Exhibit, the latter shall govern. Capitalized terms not otherwise defined herein, shall have the meaning specified in the Agreement.
By making use of the Services, the Client acknowledges and agrees to be bound by this Exhibit. This Exhibit supersedes all previous understandings, agreements, and communications, whether oral or written, regarding the subject matter herein. Extra Horizon may amend this Exhibit at any time and is expressly committed to ensuring that any amendment complies with applicable ethical principles and legislation; provided, however, that Extra Horizon will provide the Client with thirty (30) days’ written notice prior to the proposed effective date of the amendment(s). The Client shall have the right during this 30-day notice period to object to the amendment(s) in writing, in which case the Parties shall negotiate the objected to amendment(s) in good faith, failing which the Client shall have the right to terminate the Agreement with immediate effect. If the Client does not make an objection during the 30-day notice period, the Client will be considered to have tacitly accepted the changes following the conclusion of the 30-day period.
2. Definitions
2.1. For the purpose of this Data Processing Agreement, the following definitions apply:
“Client Personal Data” shall mean all Personal Data that is transferred to, accessed by, or otherwise Processed by the Processor in connection with the provision of the Services;
“Confidential Information” shall mean all information that is disclosed to the other Party in writing or in any material form under this Data Processing Agreement and that is identified as confidential or can be identified as confidential given the nature of the data or the nature of the circumstances that require the disclosure, such as, but not limited to product information, customer lists, sensitive personal data (including health and biometric data), price lists and financial information. For the avoidance of doubt, all Client Personal Data amounts to Confidential Information of the Controller;
“Controller” shall mean the natural or legal person, public authority, agency or any other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data;
“Data Protection Legislation” shall refer to all relevant and applicable laws and regulations relating to privacy and data protection, including, but not limited to the following (in each case as currently in effect or as they become effective, and as amended, updated, re-enacted or replaced from time to time):
(i) Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (‘GDPR’);
(ii) the Personal Information Protection and Electronic Documents Act (‘PIPEDA’) of Canada;
(iii) the Health Insurance Portability and Accountability Act (‘HIPAA’) of the United States;
(iv) relevant and applicable state-specific and federal privacy and data protection laws and regulations in the United States;
(v) relevant and applicable provincial privacy and data protection laws and regulations in Canada, including all public and private sector and health sector laws and regulations, such as Quebec’s Act respecting the protection of personal information in the private sector, CQLR c P-39.1, British Columbia’s Personal Information Protection Act, SBC 2003, c 63, Alberta’s Personal Information Protection Act, SA 2003, c P-6.5, Ontario’s Personal Health Information Protection Act, 2004, SO 2004, c 3, Sch A and Alberta’s Health Information Act, RSA 2000, c H-5;
(vi) any other relevant and applicable laws and regulations relating to privacy and data protection in the EU, Canada, and the United States.
“Data Subject” shall mean an identified or identifiable natural person;
“Personal Data” shall mean all information, including personal information (PI) and personally identifiable information (PII), that can be used directly or indirectly, alone or in conjunction with other data, to identify, relate to, or be attributed to an individual Data Subject, as defined or recognized under applicable Data Protection Legislation;
“Personal Data Breach” shall mean a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Client Personal Data transmitted, stored or otherwise processed;
“Processor” shall mean a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the Controller;
“Process” or “Processing” shall mean any operation or set of operations which is performed on (Client) Personal Data or on sets of (Client) Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
“Subprocessor” shall mean any processor engaged as a subcontractor by the Processor and who agrees to process (Client) Personal Data for and on behalf of the Controller in accordance with this Data Processing Agreement;
“Supervisory Authority” shall mean an independent public authority or regulatory authority, including an authority that is established by a member state pursuant to Article 51 of the GDPR, or any equivalent authority or body established or designated under any other Data Protection Legislation, responsible for overseeing and/or enforcing any Data Protection Legislation.
3. Subject-matter of the Data Processing Agreement
3.1. As between the Parties, the Controller shall be the Party that determines the purposes and means of the Processing of Client Personal Data.
3.2. The Controller wishes to entrust the Processor with the Processing of Client Personal Data for the purpose of providing the Services. The Processor shall Process the Client Personal Data solely on behalf of the Controller and for the sole purpose of providing the Services.
3.3. The Processor shall perform the Services in accordance with the provisions of this Data Processing Agreement.
3.4. Both Parties explicitly commit to comply with the provisions of the relevant applicable Data Protection Legislation and shall not do or omit anything that may cause the other Party to infringe the relevant and applicable Data Protection Legislation. To this end, both Parties recognize and affirm that this Data Processing Agreement encapsulates the fundamental principles and obligations related to the Client Personal Data Processing activities conducted under the Agreement, including the requirements established by Data Protection Legislation.
Furthermore, acknowledging the specificity and uniqueness of each client's needs and regulatory environments, a unique Annex 2 may be provided prior to entering into an agreement between the Parties, containing provisions specifically tailored to individual client requirements and applicable Data Protection Legislation.
Nonetheless, the Controller acknowledges and agrees that it retains the primary responsibility for familiarizing itself with the specific and relevant Data Protection Legislation that applies to it directly as such legislation pertains to the Processing activities carried out on its behalf under the Agreement. Should the Controller determine that any specific provisions or stipulations are required to ensure compliance with such legislation, the Controller commits to promptly notify the Processor. Both Parties agree to negotiate in good faith any necessary amendments or addendums to this Agreement to address and incorporate those requirements.
3.5. Processing Activities. The Processor shall only Process Client Personal Data on behalf of the Controller and only as strictly necessary for the purpose of providing the Services to the Controller or as otherwise expressly instructed by the Controller in writing, and the Controller shall not Process any Client Personal Data for any other purpose.
3.6. Categories of Personal Data. The Client Personal Data that are Processed are:
(i) Personal identification data (such as first name, last name, e-mail address)
(ii) Electronic identification data (such as IP-address, etc.)
(iii) Usage logs
(iv) Any other Client Personal Data stored by the Controller through the Services, including any special or sensitive categories of Client Personal Data (such as health information)
3.7. Data Subjects. The Data Subjects may include Controller’s customers, employees, suppliers and end-users, as well as any other Data Subjects, of whom the Controller elects to store Client Personal Data using the medical back-end solution during the term of the Agreement.
3.8. Purposes. The purposes of the Processing are to provide the Services as stipulated in the Agreement. The Processing will be performed in accordance with the provisions of this Data Processing Agreement.
3.9. Without limiting any other obligations set out in this Data Processing Agreement, both Parties shall undertake to adopt appropriate measures to ensure that the Client Personal Data are not used improperly or acquired by an unauthorized third party.
4. Duration of the Processing.
4.1. This Data Processing Agreement shall continue to be in force for as long as the Processor Processes Client Personal Data.
5. Controller’s instructions.
5.1. The Parties agree that this Data Processing Agreement, the Agreement and any written instructions set forth by Controller in execution and/or in connection with this Data Processing Agreement or Agreement constitute Controller’s documented instructions regarding Processor’s Processing of Client Personal Data (“Documented Instructions”). Processor will Process Client Personal Data only in accordance with Documented Instructions. Additional instructions outside the scope of the Documented Instructions (if any) require prior written agreement between Processor and Controller, including agreement on any additional fees payable by Controller to Processor for carrying out such instructions, except to the extent such instructions are required for Controller to comply with its obligations under Data Protection Legislation.
6. Assistance to the Controller.
6.1. Compliance with legislation. The Processor shall comply with Data Protection Legislation, and shall assist the Controller in ensuring compliance with its obligations pursuant to Data Protection Legislation, taking into account the nature of Processing and the information available to the Processor.
6.2. Personal Data Breach. In the case of a Personal Data Breach or reasonably suspected Personal Data Breach, the Processor shall promptly notify the Controller, and in any event within 48 hours after becoming aware of a Personal Data Breach. This notification shall, to the extent known, at least include the following information:
(i) A description of the circumstances, cause and nature of the Personal Data Breach;
(ii) The date and/or time period during which the Personal Data Breach is believed to have occurred and when the Processor became aware of it;
(iii) A description of the Client Personal Data (expected to be) involved in the Personal Data Breach;
(iv) An estimate of the number of Data Subjects affected by the Personal Data Breach (including a breakdown by jurisdiction);
(v) The likely consequences of the Personal Data Breach;
(vi) Measures taken or proposed to be taken to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects or reduce the risk of harm to affected Data Subjects.
The Processor shall provide regular updates to the Controller as additional information becomes available.
6.3. In case the Processor makes use of a Subprocessor, the Processor shall require the Subprocessor to provide it with the same information when a Personal Data Breach takes place at the Subprocessor. The Processor shall promptly relay the information received from the Subprocessor to the Controller.
6.4. The Controller shall exclusively decide, at its own discretion and in compliance with the relevant and applicable Data Protection Legislation, whether or not Data Subjects whose Client Personal Data have been impacted by a Personal Data Breach shall be notified of the Personal Data Breach. It is the responsibility of the Controller to notify the Supervisory Authority of a Personal Data Breach.
6.5. In the case of a Personal Data Breach, the Processor shall promptly take all reasonably necessary and advisable corrective actions, cooperate fully with the Controller in all reasonable efforts to investigate, mitigate, rectify, remediate and prevent such Personal Data Breach, and provide such assistance as required to assist the Controller in satisfying the Controller’s obligations under Data Protection Legislation. Without limiting the foregoing, the Processor shall assist the Controller in the Controller’s efforts to investigate and respond to the Personal Data Breach, notify affected Data Subjects, regulatory authorities and other parties in accordance with applicable law, and seek injunctive or other equitable relief against any person or persons who have violated or attempted to violate the security of Client Personal Data. Insofar as such assistance would require extraordinary efforts on the part of the Processor and the Personal Data Breach is not attributable to a (de)fault of the Processor, the Processor shall be entitled to charge additional costs for any such assistance.
6.6. The Processor shall, insofar as the measures taken by the Processor pursuant to article 6.5 have proven to be ineffective (as determined by either party, acting reasonably), retain a reputable forensics expert to recommend to the Processor all steps necessary to (A) stop any ongoing Personal Data Breach, (B) preserve all records and information related to the Personal Data Breach, and (C) investigate the nature and scope of the Personal Data Breach. The cost(s) of engaging a reputable forensics expert shall be borne exclusively by the Controller, unless the Personal Data Breach is attributable to a (de)fault of the Processor, in which case the Processor shall bear such cost(s).
6.7. Without limiting the foregoing, the Parties, and if applicable the Subprocessor(s) shall ensure to work together in good faith to limit possible adverse effects of a Personal Data Breach.
6.8. Data Protection Impact Assessment. The Processor shall assist the Controller as it carries out privacy, security, data protection and/or transfer impact assessments, including in accordance with article 35 of the GDPR.
7. Information obligations.
7.1. The Processor shall provide the Controller with all information the Controller requires in relation to the Processing of Client Personal Data and which is reasonably in line with the requirements under the Data Protection Legislation. At all times, the Processor shall respond to such a request as soon as possible.
8. Processor’s obligations.
8.1. The Processor shall handle all reasonable requests of the Controller concerning the Processing of Client Personal Data related to this Data Processing Agreement, immediately or within a reasonable time (depending on the legal obligations defined in the Data Protection Legislation) and in a proper manner.
8.2. The Processor undertakes to not Process Client Personal Data for another purpose than in accordance with the Agreement and the compliance with the responsibilities of this Data Processing Agreement in accordance with the Documented Instructions of the Controller; if the Processor, for any reason, cannot comply with this requirement, it shall notify the Controller without unreasonable delay thereabout and, unless legally required, shall not proceed unless and until it receives written instruction to do so from the Controller.
8.3. The Processor shall notify the Controller without delay if it is of the opinion that an instruction from the Controller violates the applicable Data Protection Legislation.
8.4. The Processor shall ensure that the access to, the inspection, the Processing and the disclosure of Client Personal Data, as permitted by this Data Processing Agreement, shall only take place in accordance with the principle of proportionality and the ‘need-to-know’ principle (i.e., data are only accessed by the persons (such as Processor’s personnel, independent contractors, agents, Subprocessors) that require Client Personal Data for the performance of the Services).
8.5. Except as permitted under article 10, the Processor shall not transfer, disclose or otherwise communicate any Client Personal Data to, or otherwise permit access to any Client Personal Data by, any other persons than the staff of the Processor who need the Client Personal Data to comply with the obligations of this Data Processing Agreement.
8.6. The Processor shall ensure or cause each of its personnel that may have access to or otherwise Process Client Personal Data to:
(i) commit themselves, in writing, to protect the confidentiality and security of the Client Personal Data, or are otherwise under a statutory obligation of confidentiality to do so, substantially in accordance with the terms of this Data Processing Agreement and Data Protection Legislation;
(ii) be appropriately trained on compliance with Data Protection Legislation applicable to the Services; and
(iii) undergo (or to have undergone) appropriate background verifications, the results of which are sufficient to provide the Processor with comfort as to the suitability of the performance of their duties in connection with the Processing of Client Personal Data.
9. Controller’s obligations.
9.1. The Controller shall not issue any instructions, directions or requests to the Processor that do not comply with the provisions of the Data Protection Legislation.
9.2. Without prejudice to article 15.2 of this Data Processing Agreement, the Controller shall render the assistance needed for the Processor and/or its Subprocessor(s) to comply with a request, order, inquiry or subpoena directed at the Processor or its Subprocessor(s) by a competent national governmental or judicial authority.
9.3. The Controller shall not issue instructions, directions or requests to the Processor that it knows would require the Processor and/or its Subprocessor(s) to violate any obligations imposed by applicable mandatory national law to which the Processor and/or its Subprocessor(s) are subject.
10. The use of Subprocessors.
10.1. The Controller gives by means of this Data Processing Agreement its general permission to the Processor to work with Subprocessors in accordance with this article 10 and any additional obligations set out under Annex 2.
10.2. The Subprocessors that may be used under the Agreement are as follows (hereinafter: the “Subprocessors”):
(i) Database as a service providers: Mongo DB, Inc., 1633 Broadway, 38th Floor, New York, New York 10019, United States;
(ii) Cloud providers: Amazon Web Services, Inc., 410 Terry Ave. North, Seattle, WA 98109-5210, United States.
10.3. If the Processor wishes to replace one of the Subprocessors listed under article 10.2 or introduce a new Subprocessor, it shall notify the Controller in writing thereof.
10.4. In the event that one of the Subprocessors is replaced or a new Subprocessor is engaged, the Controller will have fourteen (14) days from the date of notification to express in writing its reasonable objections to such replacement. If no such objections are made during this period, the Controller is deemed to have accepted the replacement of the Subprocessor. The Processor will not proceed with its Processing activities if the Controller has objected, on the basis of reasonable arguments, to the replacement of the Subprocessor.
10.5. The Processor shall ensure that its Subprocessors will be bound to the same or equivalent obligations with respect to Personal Data as to which the Processor is bound by this Agreement.
10.6. The Processor shall only retain Subprocessors that the Processor can reasonably expect to appropriately protect the privacy, confidentiality and security of Client Personal Data, and the Processor shall remain fully liable for any breach by a Subprocessor of any of the Processor’s obligations under this Data Processing Agreement.
10.7. The Processor shall relay the purposes determined and instructions issued by the Controller in an accurate and prompt manner to the Subprocessor(s) when and where these purposes and instructions pertain to the part of the Processing in which the Subprocessor(s) is(are) involved.
11. Rights of the Data Subjects.
11.1. Taking into account the nature of the Processing, the Processor shall assist the Controller by making available appropriate technical and organizational measures for the fulfillment of the Controller’s obligation to respond to complaints or requests for exercising the Data Subject’s rights under the Data Protection Legislation.
11.2. With respect to any request from Data Subjects regarding their rights concerning the Processing of Client Personal Data pertaining to them by the Processor and/or its Subprocessor(s), the following conditions apply:
(i) The Processor shall without unreasonable delay inform the Controller of any complaint or request made by a Data Subject with regard to the Client Personal Data, without itself responding to or giving any other consequence to such request unless explicitly authorized by the Controller to do so;
(ii) The Processor shall without unreasonable delay comply and shall require its Subprocessor(s) to promptly comply with any request made by the Controller in order for the Controller to comply with a request made by the Data Subject who wishes to exercise one of his rights;
(iii) The Processor shall ensure that both it and its Subprocessor(s) have the technical and organizational capabilities required to access Client Personal Data, block access to Client Personal Data and to physically destroy Client Personal Data with no means of recovery if and when such request is made by the Controller. The Controller shall be given the ability to exercise all these requests itself without the need of the Processor.
12. Security Measures.
12.1. Throughout the term of this Data Processing Agreement the Processor shall have in place, maintain and adhere to appropriate physical, technical and organizational measures in such a manner that Processing will meet the requirements of the Data Protection Legislation and ensure the protection of the rights of the Data Subject.
12.2. The Processor shall amongst others have in place, maintain and adhere to physical, technical and organizational measures against unauthorized and unlawful Processing, and shall on a regular basis evaluate and adjust the security measures as required to ensure the appropriateness of the security measures.
12.3. In particular, the Processor shall implement, maintain and adhere to appropriate physical, technical and organizational measures to ensure a level of security appropriate to the risk, in accordance with article 32 of the GDPR.
12.4. In assessing the appropriate level of security, the Processor will take into account in particular the risks that are presented by Processing, in particular from loss, theft, unauthorized, accidental or unlawful destruction, alteration, use or disclosure of, access to or other Processing of Client Personal Data.
12.5. The Controller reserves the right to suspend and/or terminate the Agreement, where the Processor can no longer provide for physical, technical and organizational measures appropriate to the risk of processing.
12.6. The Processor has implemented, amongst others, but not limited to, the general physical, logical, technical and organizational security measures as described in Annex 1 hereto.
13. Audit.
13.1. The Processor acknowledges that the Controller is under the supervision of one or more Supervisory Authorities. The Processor acknowledges that any involved Supervisory Authority will have the right to perform an audit at any time, and in any case during the normal office hours of the Processor, during the term of this Data Processing Agreement to assess whether the Processor is compliant with Data Protection Legislation and the provisions of this Data Processing Agreement. The Processor shall provide the necessary cooperation.
13.2. The Processor shall appoint an independent auditor every two (2) years to perform such an audit. The final results of such an audit report (without any confidential information) shall be communicated to the Controller. The Processor shall bear the costs of all audits described under this article 13.2.
13.3. Without limiting article 13.2, the Controller shall have a right to audit the Processor upon the Controller having reasonable grounds to request such an audit and if such grounds are communicated and demonstrated in writing to the Processor. Reasonable grounds shall mean a reasonable presumption of a Personal Data Breach (including in the case of an actual or known Personal Data Breach), destruction of Client Personal Data, or a material breach of any of the Processor’s obligations under this Data Processing Agreement. In such event and upon written request of the Controller, the Processor will provide an independent third party, certified auditor, appointed by the Controller or the involved Supervisory Authority access to the relevant parts of the administration of the Processor and all locations and information of interest of the Processor (and those of its agents, subsidiaries and Subprocessors) to determine if the Processor is compliant with the Data Protection Legislation and the provisions of this Data Processing Agreement. On request of the Processor, the concerned parties shall agree to a confidentiality agreement.
13.4. The Controller shall take all appropriate measures to minimize any obstruction caused by the audit on the daily functioning of the Processor or the Services performed by the Processor.
13.5. If there is agreement between the Processor (acting reasonably) and the Controller on a material shortcoming in the compliance with the Data Protection Legislation and/or the Agreement, as revealed in the audit, the Processor shall remedy this failure as soon as possible at its own cost. Without limiting the foregoing, the Parties will agree to have a plan in place, including a timescale to implement this plan, to respond to the shortcomings revealed in the audit.
13.6. The Controller will bear the costs of any performed audit in the meaning of article 13.3, unless the audit has revealed that the Processor is manifestly not compliant with the Data Protection Legislation and/or the provisions of this Data Processing Agreement, in which case the Processor shall bear the costs of such an audit.
14. Transfer to Third Parties.
14.1. The transfer of Client Personal Data to (which, for the avoidance of doubt, includes any permitting of access to or other Processing by) third parties in any manner possible is prohibited, unless it is legally required or in case the Processor has obtained the prior and explicit consent of the Controller to do so. In case a legal obligation applies to transfer Client Personal Data to a third party, the Processor shall fully comply with article 16.
15. International transfer.
15.1. The Parties agree that Client Personal Data Processed within the European Economic Area (‘EEA’) can only be transferred to and/or kept with the recipient outside the EEA in a country that falls under an adequacy decision issued by the European Commission, unless by exception and only if necessary to comply with the obligations of this Data Processing Agreement or with a non-EU entity for which binding corporate rules or standard contractual clauses have been entered into. Such transfer shall be governed by the terms of a data transfer agreement containing standard contractual clauses as published in the Decision of the European Commission of June 4, 2021 (Decision 2021/914/EC), or by other mechanisms foreseen by the applicable data protection law or in any law or legal binding text amending these standard contractual clauses.
15.2. The Processor shall prior to the international transfer inform the Controller about the particular measures taken to guarantee the protection of the Client Personal Data of the Data Subject in accordance with the GDPR.
16. Conduct in relation to national governmental and judicial authorities.
16.1. The Processor shall notify the Controller promptly of any request, order, demand, warrant, inquiry, subpoena or other communication by a competent national governmental or judicial authority directed at the Processor or its Subprocessor which entails the communication of Client Personal Data Processed by the Processor or a Subprocessor for and on behalf of the Controller or any data and/or information associated with such Processing, unless and only to the extent such notification is prohibited by law applicable to the Processor.
16.2. The Processor reserves the right to take prompt and necessary steps to ascertain the legality and validity of such request, order, demand, warrant, inquiry, subpoena or other communication before issuing such notification to the Controller.
16.3. In the event the Processor is prohibited from notifying the Controller:
(i) the Processor shall employ all reasonable and lawful efforts to obtain the right to waive the prohibition on communication, with the aim of conveying as much information to the Controller as possible and permissible under the applicable law; and
(ii) the Processor shall employ all reasonable and lawful efforts to challenge the order, demand, warrant, inquiry or subpoena; and
(iii) if, after the steps detailed above, the Processor remains legally compelled to comply with the order, demand, warrant, inquiry or subpoena, the Processor commits to disclosing only the minimal necessary amount of Client Personal Data essential to comply with the order, demand, warrant, inquiry or subpoena.
16.4. The Processor represents, to the best of its knowledge as of the Effective Date, that no obligations of applicable statutory law exist that would preclude its ability to adhere to the obligations stipulated in this Data Processing Agreement, including Article 16.1.
17. Confidentiality.
17.1. The Processor commits itself to handle the Client Personal Data and its Processing with the utmost confidentiality. The Processor shall guarantee confidentiality with measures that are not less restrictive than the measures it uses to protect its own confidential material, including Personal Data.
18. Intellectual Property rights
18.1. Nothing in this Agreement shall constitute a transfer of any Intellectual Property Rights from the Controller to the Processor, or vice versa, unless otherwise contractually agreed upon between the Parties.
19. Liability.
19.1. The Controller involved in processing shall be liable for the damage caused by Processing which infringes the Data Protection Legislation. The Processor shall be liable for the damage caused by Processing only where it has not complied with obligations of the Data Protection Legislation specifically directed to the Processor or where it has acted outside or contrary to lawful instructions of the Controller, including by failing to comply with any of its obligations under this Data Processing Agreement.
19.2. The Controller or the Processor shall be exempt from liability under article 19.1 of this Data Processing Agreement if it proves that it is not in any way responsible for the event giving rise to the damage.
19.3. Where both the Controller and the Processor are involved in the same processing and where they are, under articles 19.1 and 19.2 of this Data Processing Agreement, responsible for any damage caused by processing, each of the Controller and the Processor shall be held liable for the entire damage in order to ensure effective compensation of the data subject.
19.4. Where the Controller or the Processor has, in accordance with article 19.3 of this Data Processing Agreement, paid full compensation for the damage suffered, the Controller or the Processor shall be entitled to claim back from the other that part of the compensation corresponding to their part of responsibility for the damage, in accordance with the conditions set out in article 19.1 of this Data Processing Agreement and/or in accordance with the limitation of liabilities set forth in this article 19.
19.5. This article 19 is without prejudice to article 11.2 of the Agreement but in case of conflict, the liability regime of this article 19 shall prevail.
20. Contact Details.
20.1. For all questions or support related to the Data Processing Agreement, please contact support@extrahorizon.com.
21. Mediation and jurisdiction.
21.1. The relevant and applicable Data Protection Legislation shall be fully applicable to this Data Processing Agreement.
21.2. The Processor agrees that if the Data Subject invokes against it claims for damages under this Data Processing Agreement, the Processor will accept the decision of the Data Subject:
(i) To refer the dispute to mediation by an independent person;
(ii) To refer the dispute to the courts in Belgium.
21.3. The Parties agree that the choice made by the Data Subject will not prejudice the Data Subject’s substantive or procedural rights to seek remedies in accordance with other provisions of applicable national or international law.
21.4. Any dispute between the Parties regarding the terms of this Data Processing Agreement shall be brought before the competent courts as determined in the Agreement.
22. Termination of this Data Processing Agreement.
22.1. This Data Processing Agreement shall apply as long as the Processor Processes Client Personal Data.
22.2. In the event of breach of this Data Processing Agreement or the Data Protection Legislation, the Controller can instruct the Processor to stop Processing the Client Personal Data with immediate effect.
22.3. Without limiting the foregoing, promptly upon the expiration or earlier termination of the Agreement, or at such earlier time as the Controller instructs in writing, the Processor shall cease any and all use of Client Personal Data and return (or, at the Controller’s written request, securely dispose of) each and every original and copy in every media of all Client Personal Data in the possession or under the control of the Processor (including all Subprocessors) and certify to the Controller in writing upon completion of such delivery or disposal. In the event, and only to the extent and for the duration, applicable law does not permit the Processor to comply with the delivery or destruction of the Client Personal Data in accordance with this article, the Processor warrants that it will continue to ensure the confidentiality of the Client Personal Data in accordance with this Data Processing Agreement and that it will not Process (with the exception of storage) any Client Personal Data for any reason.
22.4. In the event the Controller transfers or deletes all data (including the Client Personal Data) (or requires the Processor to support it in this), the Controller acknowledges that, as of such moment of transfer or deletion, the Processor’s compliance with the law or its contractual obligations in relation to the deleted or transferred data (including Client Personal Data) and the operation of the Processor’s systems pertaining thereto will be evidenced by the Processor’s policies and log of actions taken.
ANNEX 1 - Technical and Organizational Measures
The IT security standards at the Processor contain a set of fundamental provisions for ensuring minimum standards in terms of confidentiality and availability of data processed within the Processor. The responsibility for the systems lies with the system and application owners. In addition, each employee of the Processor is personally responsible for the appropriate protection of the systems, applications and data to which they have access. The prevention of the following occurrences has top priority:
(i) Unauthorized or accidental destruction;
(ii) Loss;
(iii) Technical faults;
(iv) Forgery, theft or unlawful use;
(v) Unauthorized alteration, copying, access or other unauthorized processing.
Therefore the following technical and organizational measures have been taken:
1. Admission Control.
By applying the following measures, the Processor prevents non-authorized persons from entering the data-processing installations in which Data are processed or used:
Data is collected and processed by Processor on two locations:
For development and testing purposes in Processor’s headquarters in Hasselt at Kempische Steenweg 303/27, as well as secured offshore development hubs. All facilities are duly secured by key locks and alarm systems.
For testing, staging and production purposes on the Amazon Web Services (AWS) cloud computing platform, standard in the Frankfurt region (eu-central-1) and Ireland region (eu-west-1) though the Controller can request another AWS region as preferred: “Physical access is controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, intrusion detection systems and other electronic means. All entrances to AWS data centers, including the main entrance, the loading dock, and any roof doors/hatches, are secured with intrusion detection devices that sound alarms and create an alarm in AWS centralized physical security monitoring too if a door is forced open or held open. In addition to electronic mechanisms, AWS data centers utilize trained security guards 24×7, who are stationed in and around the building. All alarms are investigated by a security guard with root cause documented for all incidents. All alarms are set to auto-escalate if response does not occur within SLA time. Physical access points to server locations are recorded by closed circuit television cameras (CCTV) as defined in the AWS Data Center Physical Security Policy. Images are retained for 90 days, unless limited to 30 days by legal or contractual obligations. AWS Physical Security Mechanisms are reviewed by independent external auditors during audits for our SOC, PCI DSS, ISO 27001 and FedRAMPsm compliance.” For the most updated information, please consult: https://aws.amazon.com/compliance/data-center/controls/ at all times.
2. System Access Control.
By applying the following measures, Processor prevents the access of data processing systems by non-authorized persons:
Processor employs three types of data-processing systems:
Laptops as local workstations: Every software developer has a laptop assigned to him/her which is used to develop data processing systems. Every laptop is fitted with a personal password-protected user account for the software developer. Password policies are in place. In addition, a cybersecurity risk management plan is in place to assess possible risks and the appropriate controls to mitigate all risks in this respect.
Cloud Computing Platform operated by Amazon:
Access to the AWS console is managed by personal password-protected user accounts managed through the AWS Identity and Access Management (IAM) service. Tokens for programmatic access (access key, secret key) to data processing systems are attached to the personal IAM user accounts and can be revoked at any time. All actions against the AWS system are logged on a user level and kept for 90 days;
Direct access to computing resources is protected by secure connections. Access to the keys for these connections is strictly regulated;
Hosted database as a service MongoDB Atlas: Access to database management is restricted by MongoDB’s role-based access controls, which at least match the technical and organizational measures (TOM) of the Processor.
3. Data access control.
By applying the following measures, Processor ensures that persons authorized to use a data-processing system will only have access to those data that they have been authorized for and that, neither during the processing nor after storage, Data can be read, copied, altered or removed without a respective authorization:
All data at rest is encrypted using AES-256 encryption;
Processor software employees, i.e. software developers, who are authorized to use data processing systems are provided with a personal AWS user account and tokens. Specific accounts are in place to restrict certain access to Data depending on the job content and contribution to the Processor Platform;
Staff policies in respect of each staff member’s access rights to personal data (if any) are in place, informing staff about their obligations and the consequences of any violations of such obligations, to ensure that staff will only access the personal data and resources required to perform their job duties, together with training of staff on applicable privacy duties and liabilities;
All initiated clusters on behalf of the Controller have a role-based-access-control (RBAC) system that allows for fine grained permissions. All actions performed against the Processor platform are logged and are available for one month;
Multiple attempts to gain access to the clusters initiated on behalf of the Controller with incorrect credentials will result in a period of inaccessibility. Automatic lockout of the account is in place when several erroneous passwords are entered, requiring a manual intervention to unlock.
4. Transmission control.
By applying the following measures, Processor ensures that personal data cannot be read, copied, altered or removed during electronic data transmission without authorization and that it is possible to check and determine at which points a transmission of personal data by means of data transmission installations is intended:
The Processor employs an encrypted connection for all data transmission in and out of the cluster initiated on behalf of the Client. The AWS recommended security policy is used. The connection supports the following protocols: TLSv1.2, TLSv1.1 and TLSv1, with the following TLS cipher suites: ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-RSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES128-SHA256, ECDHE-RSA-AES128-SHA256, ECDHE-ECDSA-AES128-SHA, ECDHE-RSA-AES128-SHA, ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-RSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES256-SHA384, ECDHE-RSA-AES256-SHA384, ECDHE-RSA-AES256-SHA, ECDHE-ECDSA-AES256-SHA, AES128-GCM-SHA256, AES128-SHA256, AES128-SHA, AES256-GCM-SHA384, AES256-SHA256, AES256-SHA, DES-CBC3-SHA;
All actions performed against the clusters initiated on the Controller’s behalf need to be authorized by the OAuth 1.0 or OAuth 2.0 protocol. In this way each instance/person requesting the data is identified;
All actions performed against the clusters initiated on the Controller’s behalf are logged.
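The protocol and cipher-suite list stated under Transmission control is the kind of policy a Controller will want to review during due diligence. The following is an added example, not part of the agreement or of the Processor’s tooling: it copies the annex’s lists into a small audit routine that flags the protocol versions deprecated by RFC 8996 (TLS 1.0 and 1.1), suites without an (EC)DHE key exchange (no forward secrecy), non-AEAD CBC suites, and the 64-bit block cipher 3DES, and derives the subset that raises no finding.

```python
"""Audit a TLS listener policy of the kind quoted in Annex 1, section 4.

Added example (not part of the agreement). The protocol and cipher lists
below are copied from the annex text; the evaluation rules are general
TLS hygiene, not rules stated in the agreement.
"""
from __future__ import annotations

# Lists as stated in the annex ("The connection supports the following protocols ...").
ANNEX_PROTOCOLS = ["TLSv1.2", "TLSv1.1", "TLSv1"]
ANNEX_CIPHERS = [
    "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES128-SHA256", "ECDHE-RSA-AES128-SHA256",
    "ECDHE-ECDSA-AES128-SHA", "ECDHE-RSA-AES128-SHA",
    "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-AES256-SHA384", "ECDHE-RSA-AES256-SHA384",
    "ECDHE-RSA-AES256-SHA", "ECDHE-ECDSA-AES256-SHA",
    "AES128-GCM-SHA256", "AES128-SHA256", "AES128-SHA",
    "AES256-GCM-SHA384", "AES256-SHA256", "AES256-SHA", "DES-CBC3-SHA",
]

# TLS 1.0 and 1.1 are deprecated by RFC 8996.
DEPRECATED_PROTOCOLS = {"TLSv1", "TLSv1.1"}


def cipher_issues(name: str) -> list[str]:
    """Return the hygiene problems with one OpenSSL-style cipher suite name."""
    issues: list[str] = []
    # Suites without an ephemeral (EC)DHE key exchange use static RSA: no forward secrecy.
    if not name.startswith(("ECDHE-", "DHE-")):
        issues.append("no forward secrecy (static RSA key exchange)")
    # Anything that is neither GCM nor ChaCha20-Poly1305 is a CBC-mode (non-AEAD) suite.
    if "GCM" not in name and "CHACHA20" not in name:
        issues.append("non-AEAD CBC mode suite")
    # 3DES has a 64-bit block size.
    if "DES-CBC3" in name or "3DES" in name:
        issues.append("64-bit block cipher (3DES)")
    return issues


def audit_policy(protocols: list[str], ciphers: list[str]) -> dict[str, list[str]]:
    """Map each offending protocol or suite to its list of reasons; clean items are omitted."""
    report: dict[str, list[str]] = {}
    for proto in protocols:
        if proto in DEPRECATED_PROTOCOLS:
            report[proto] = ["deprecated by RFC 8996"]
    for suite in ciphers:
        problems = cipher_issues(suite)
        if problems:
            report[suite] = problems
    return report


def harden_policy(protocols: list[str], ciphers: list[str]) -> tuple[list[str], list[str]]:
    """Keep only the protocols and suites that raise no finding, preserving the stated order."""
    keep_protos = [p for p in protocols if p not in DEPRECATED_PROTOCOLS]
    keep_ciphers = [c for c in ciphers if not cipher_issues(c)]
    return keep_protos, keep_ciphers


if __name__ == "__main__":
    for item, reasons in audit_policy(ANNEX_PROTOCOLS, ANNEX_CIPHERS).items():
        print(f"{item}: {'; '.join(reasons)}")
    print("hardened policy:", harden_policy(ANNEX_PROTOCOLS, ANNEX_CIPHERS))
```

Run against the annex’s list, the routine leaves TLSv1.2 and the four ECDHE GCM suites; a Controller can compare that residue with the policy actually deployed on its cluster.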
5. Input control.
By applying the following measures, Processor ensures that it is possible to subsequently check and establish whether and by whom personal data have been input into, modified in, or removed from, data processing systems:
All actions performed against the clusters initiated on the Controller’s behalf are logged and are identifiable on a user basis.
6. Job control.
By applying the following measures, the Processor ensures that personal data are processed strictly in accordance with the instructions of the Controller.
Personnel performing work affecting product quality are competent on the basis of appropriate education, training, skills and experience. Processor has documented process(es) for establishing competence, providing needed training, and ensuring awareness of personnel.
Furthermore we have:
determined the necessary competence for personnel performing work affecting product quality;
provided training or taken other actions to achieve or maintain the necessary competence;
evaluated the effectiveness of the actions taken;
ensured that our personnel are aware of the relevance and importance of their activities and how they contribute to the achievement of the quality objectives;
maintained appropriate records of education, training, skills and experience. Employees also sign a confidentiality statement when joining the Processor.
7. Availability control.
By applying the following measures, Processor ensures that Data are protected against accidental destruction or loss:
Use of state-of-the-art anti-virus and firewall technologies;
On the Controller’s behalf, initiated clusters are provided with two backup options: Continuous backups and snapshots. Continuous backups ensure backups are typically just a few seconds behind the operational system and can be restored in case of failure. Snapshot backups can be taken on an hourly, daily, weekly and monthly basis;
Automatic restart of microservices in case microservices in the cluster initiated on the Controller’s behalf go offline;
Each microservice cluster is monitored using AWS CloudWatch alerting the required personnel in case services become unavailable.
8. Separation control.
By applying the following measures, Processor ensures that data collected for different purposes are processed separately:
The Processor platform consists of a microservice architecture, meaning the application itself is separated based on function and purpose. Each service manages and processes its own data. For example, Personally Identifiable Data and Personal Health Data are strictly separated from each other;
Each client has its own dedicated microservice cluster, meaning that both data processing systems and databases are completely separated from one another.
ANNEX 2 - Specific Data Protection Provisions
1. Introduction
This Annex 2 forms an integral part of the Data Processing Agreement and has been created to address the specific data protection and privacy principles and requirements associated with the specific Data Protection Legislation applicable in the present context of this Agreement. In cases where there is any inconsistency between this Annex 2 and the main Data Processing Agreement, the provisions of this Annex 2 shall prevail.
2. Overview of Specific Data Protection Legislation
This Annex 2 has been created to incorporate specific requirements pursuant to the following regional-specific Data Protection Legislation:
Canada:
Personal Information Protection and Electronic Documents Act (PIPEDA) and Provincial privacy and data protection laws and regulations, including all public and private sector and health sector laws and regulations, such as Quebec’s Act respecting the protection of personal information in the private sector, CQLR c P-39.1, British Columbia’s Personal Information Protection Act, SBC 2003, c 63, Alberta’s Personal Information Protection Act, SA 2003, c P-6.5, Ontario’s Personal Health Information Protection Act, 2004, SO 2004, c 3, Sch A and Alberta’s Health Information Act, RSA 2000, c H-5 (hereinafter “Canadian Data Protection Legislation”);
France:
Article L.1111-8 of the French Public Health Code, Décret n° 2018-137 du 26 février 2018 relatif à l'hébergement de données de santé à caractère personnel (hereinafter “French Data Protection Legislation”).
3. Specific Definitions
For the purpose of this Annex 2, the following specific terms shall have the following meaning:
“Canadian Client Personal Data” means the Client Personal Data of Data Subjects whose Personal Data is collected in Canada or in connection with a service received in Canada.
“Client Personal Health Data” means Client Personal Data which constitutes health-related Personal Data, as set out in Article 9.1 of the GDPR.
4. Specific Provisions
4.1 Canadian Data Protection Legislation
4.1.1 Except as set out under clause 4.2 below or as otherwise agreed to in writing by the Controller, the Processor shall only transfer, access, store or otherwise Process Canadian Client Personal Data in Canada.
4.1.2 The Processor will process the following information on behalf of the Controller:
i. Personally identifiable information, including the name, gender, birthdate, email, phone number, demographic information, location and government-issued ID numbers of users.
ii. Protected health information, including medical records, user health insurance information and protected communication between patients and healthcare professionals.
iii. User-generated content, including text, photos and videos
iv. Authentication information
v. Access logs
4.1.3 The Subprocessors that may be used under the Agreement to Process Canadian Client Personal Data and the jurisdictions in which such Subprocessors are permitted to Process Canadian Client Personal Data are listed here:
i. Database as a service providers – MongoDB, Inc., 1633 Broadway, 38th Floor, New York, New York 10019, United States;
ii. Cloud Providers: Amazon Web Services, Inc., 410 Terry Ave. North, Seattle, WA 98109-5210.
4.1.4 If the Processor wishes to replace or modify one of the above-listed Subprocessors (including, without limitation, changing the jurisdiction where an existing Subprocessor Processes Canadian Client Personal Data) or introduce a new Subprocessor, it shall first notify the Controller in writing thereof and not proceed with any such replacement, modification or addition until the notice period set out in article 10.4 to the Data Processing Agreement has passed (assuming no objection has been made).
4.1.5 The Processor shall keep and make available to the Controller an electronic record of:
i. all accesses to Client Personal Data, which must identify the person who accessed the Client Personal Data, the Data Subject whose Client Personal Data was accessed, the Client Personal Data that was accessed, whether Client Personal Data was added, modified, deleted, transferred or otherwise Processed by the person who accessed it, and the date and time of the access, and
ii. all transfers of (which, for the avoidance of doubt, includes all provision of access to) Client Personal Data, which must identify the person who transferred the Client Personal Data and the person or address to whom it was transferred, and the date and time it was transferred.
4.1.6 The Processor shall ensure that all Client Personal Data is securely and logically segregated from any other information owned or managed by the Processor or other third parties, including implementing any necessary access barriers, password authorization procedures and other access controls and monitoring in connection therewith.
4.1.7 The Processor shall not (i) use Personal Data Processing technologies that enable the identification, location or profiling of individuals, (ii) Process any biometric data, or (iii) use Client Personal Data to render a decision based exclusively on an automated Processing of such Client Personal Data.
4.1.8 The Processor shall not (i) send or cause or permit to be sent any commercial electronic messages (“CEMs”), as such term is defined under Canada’s Anti-Spam Legislation (Statutes of Canada 2010, c 23) and its associated regulations (collectively, “CASL”), or (ii) install or cause to be installed a computer program, as defined under CASL, on another person’s computer system (including any updates or upgrades to computer programs), on behalf of the Controller or otherwise in connection with this Data Processing Agreement without the prior written consent of the Controller. The Controller will only provide such consent after the Processor and the Controller mutually agree on written protocols governing the sending of CEMs. If the Controller provides such consent, the Processor will fully comply, and will cause its Subprocessors to fully comply, with all applicable consent, notice, unsubscribe and other requirements under CASL.
4.2 French Data Protection Legislation
4.2.1 The Controller shall provide the Processor with the contact details of a single point of contact within the Controller's organization, upon the Processor's initial request. This contact information shall, at least, include the following details:
i. The Controller’s corporate name;
ii. The contact’s first and last name;
iii. The contact’s e-mail address;
iv. The contact’s telephone number.
This single point of contact must be able to designate to the Processor a healthcare professional authorised to access Client Personal Health Data whenever necessary.