GDPR Data Processing Addendum Terms & Conditions

This Data Processing Addendum (“DPA”) is an agreement between Patientory, Inc. (“Patientory,” “we,” “us,” or “our”) and you (“Customer”, “user” or “you”).

1. Data Processing

  • Scope and Roles. This DPA applies when Customer Data is processed by dApp. In this context, Patientory, Inc. will act as “processor” and “controller” to Customer who may act as “controller” with respect to Customer Data (as each term is defined in the GDPR).
  • Customer Controls. The Services provide Customer with a number of controls, including security features and functionalities, that Customer may use to retrieve, correct, delete or restrict Customer
  • Details of Data
    • The subject matter of the data processing under this DPA is Customer
    • As between Patientory, Inc. and Customer, the duration of the data processing under this DPA is determined by Customer.
    • The purpose of the data processing under this DPA is the provision of the Services initiated by Customer from time to time.
    • Nature of the processing: Compute, storage and such other Services as described in the Documentation and initiated by Customer from time to time.
    • Type of Customer Data: Customer Data uploaded to the Services under Customer’s Patientory, Inc.
  • Categories of data subjects. The data subjects may include Customer’s customers, employers, suppliers and end-user
  • Compliance with Law. Each party will comply with all laws, rules and regulations applicable to it and binding on it in the performance of this DPA, including the GDPR.

2. Customer Instructions

The parties agree that this DPA constitutes Customer’s documented instructions regarding Patientory, Inc’s processing of Customer Data (“Documented Instructions”). Patientory, Inc. will process Customer Data only in accordance with Documented Instructions. Additional instructions outside the scope of the Documented Instructions (if any) require prior written agreement between Patientory, Inc. and Customer, including agreement on any additional fees payable by Customer to Patientory, Inc. for carrying out such instructions. Customer is entitled to terminate this DPA and the Agreement if Patientory, Inc. declines to follow instructions requested by Customer that are outside the scope of, or changed from, those given or agreed to be given in this DPA.

3. Confidentiality of Customer Data.

dApp will not access or use, or disclose to any third party, any Customer Data, except, in each case, as necessary to maintain or provide the Services, or as necessary to comply with the law or a valid and binding order of a governmental body (such as a subpoena or court order). If a governmental body sends Patientory, Inc. a demand for Customer Data, Patientory, Inc. will attempt to redirect the governmental body to request that data directly from Customer. As part of this effort, Patientory, Inc. may provide Customer’s basic contact information to the government body. If compelled to disclose Customer Data to a government body, then Patientory, Inc. will give Customer reasonable notice of the demand to allow Customer to seek a protective order or other appropriate remedy unless Patientory, Inc. is legally prohibited from doing so. If the Standard Contractual Clauses apply, nothing in this Section 3 varies or modifies the Standard Contractual Clauses.

4. Confidentiality Obligations

dApp restricts its personnel from processing Customer Data without authorization by Patientory, Inc. as described in the Patientory, Inc. Security Standards. Patientory, Inc. imposes appropriate contractual obligations upon its personnel, including relevant obligations regarding confidentiality, data protection and data security.

5. Security of Data Processing

  • dApp has implemented and will maintain the technical and organizational measures for the Patientory, Inc. Network as described in the Patientory, Inc. Security Standards and this Section. In particular, Patientory, Inc. has implemented and will maintain the following technical and organizational measures:
    • security of the Patientory, Inc. Network;
    • physical security of the facilities;
    • measures to control access rights for Patientory, Inc. employees and contractors in relation to the Patientory, Inc. Network; and
    • processes for regularly testing, assessing and evaluating the effectiveness of the technical and organizational measures implemented by Patientory, Inc.

6. dApp Certifications and Audits.

Patientory, Inc. – Certification and SOC Reports. In addition to the information contained in this DPA, upon Customer’s request, and provided that the parties have an applicable NDA in place, Patientory, Inc. will make available the following documents and information: the System and Organization Controls (SOC) 1 Report, the System and Organization Controls (SOC) 2 Report and the System and Organization Controls (SOC) 3 Report (or the reports or other documentation describing the controls implemented by Patientory, Inc. that replace or are substantially equivalent to the SOC 1, SOC 2 and SOC 3).

  • dApp Audits. Patientory, Inc. uses external auditors like securitymetrics.com to verify the adequacy of its security measures, including the security of the physical data centers from which Patientory, Inc. provides the Services. This audit: (a) will be performed at least annually; (b) will be performed according to ISO 27001 standards or such other alternative standards that are substantially equivalent to ISO 27001; (c) will be performed by independent third party security professionals at Patientory, Inc’s selection and expense; and (d) will result in the generation of an audit report (“Report”), which will be Patientory, Inc’s Confidential Information.
  • Audit Reports. At Customer’s written request, and provided that the parties have an applicable NDA in place, Patientory, Inc. will provide Customer with a copy of the Report so that Customer can reasonably verify Patientory, Inc’s compliance with its obligations under this

7. Transfers of Personal Data

  • Application of Standard Contractual Clauses. The Standard Contractual Clauses will apply to Customer Data that is transferred outside the EEA, either directly or via onward transfer, to any country not recognized by the European Commission as providing an adequate level of protection for personal data (as described in the GDPR). The Standard Contractual Clauses will not apply to Customer Data that is not transferred, either directly or via onward transfer, outside the EEA. Notwithstanding the foregoing, the Standard Contractual Clauses (or obligations the same as those under the Standard Contractual Clauses) will not apply if IO has adopted Binding Corporate Rules for Processors or an alternative recognized compliance standard for the lawful transfer of personal data (as defined in the GDPR) outside the EEA.

8. Transfers of Personal Data

This DPA shall continue in force until the termination of the Agreement (the “Termination Date”).

9. Return or Deletion of Customer Data.

The Services provide Customer with controls that Customer may use to retrieve or delete Customer Data as described in the Documentation. Up to the Termination Date, Customer will continue to have the ability to retrieve or delete Customer Data in accordance with this Section. For 90 days following the Termination Date, Customer may retrieve or delete any remaining Customer Data from the Services, subject to the terms and conditions set out in the Agreement, unless prohibited by law or the order of a governmental or regulatory body or it could subject Patientory, Inc. or its Affiliates to liability. No later than the end of this 90-day period, Customer will close all Patientory, Inc. accounts. Patientory, Inc. will delete Customer Data when requested by Customer by using the Service controls provided for this purpose by Patientory, Inc.

10. Entire Agreement; Conflict.

Except as amended by this DPA, the Agreement will remain in full force and effect. If there is a conflict between any other agreement between the parties including the Agreement and this DPA, the terms of this DPA will control.

11. Definitions

Unless otherwise defined in the Agreement, all capitalized terms used in this DPA will have the meanings given to them below:

“Patientory, Inc. Network” means Patientory, Inc’s data center facilities, servers, networking equipment, and host software systems (e.g., virtual firewalls) that are within Patientory, Inc’s control and are used to provide the Services.

“Patientory, Inc. Security Standards” means the security standards attached to the Agreement, or if none are attached to the Agreement, attached to this DPA as Annex 1.

“Customer” means you or the entity you represent.

“Customer Data” means the “personal data” (as defined in the GDPR) that is uploaded to the Services under Customer’s Patientory, Inc. accounts.

“EEA” means the European Economic Area.

“GDPR” means Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

“processing” has the meaning given to it in the GDPR and “process”, “processes” and “processed” will be interpreted accordingly.

“Security Incident” means a breach of Patientory, Inc’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Data.

“Standard Contractual Clauses” means Annex 2, attached to and forming part of this DPA pursuant to the European Commission Decision of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC.