This Data Processing Addendum (“DPA”) is an agreement between Patientory, Inc. (“Patientory,” “we,” “us,” or “our”) and you (“Customer”, “user” or “you”).
The parties agree that this DPA constitutes Customer’s documented instructions regarding Patientory, Inc.’s processing of Customer Data (“Documented Instructions”). Patientory, Inc. will process Customer Data only in accordance with Documented Instructions. Additional instructions outside the scope of the Documented Instructions (if any) require prior written agreement between Patientory, Inc. and Customer, including agreement on any additional fees payable by Customer to Patientory, Inc. for carrying out such instructions. Customer is entitled to terminate this DPA and the Agreement if Patientory, Inc. declines to follow instructions requested by Customer that are outside the scope of, or changed from, those given or agreed to be given in this DPA.
dApp will not access or use, or disclose to any third party, any Customer Data, except, in each case, as necessary to maintain or provide the Services, or as necessary to comply with the law or a valid and binding order of a governmental body (such as a subpoena or court order). If a governmental body sends Patientory, Inc. a demand for Customer Data, Patientory, Inc. will attempt to redirect the governmental body to request that data directly from Customer. As part of this effort, Patientory, Inc. may provide Customer’s basic contact information to the government body. If compelled to disclose Customer Data to a government body, then Patientory, Inc. will give Customer reasonable notice of the demand to allow Customer to seek a protective order or other appropriate remedy unless Patientory, Inc. is legally prohibited from doing so. If the Standard Contractual Clauses apply, nothing in this Section 3 varies or modifies the Standard Contractual Clauses.
dApp restricts its personnel from processing Customer Data without authorization by Patientory, Inc. as described in the Patientory, Inc. Security Standards. Patientory, Inc. imposes appropriate contractual obligations upon its personnel, including relevant obligations regarding confidentiality, data protection and data security.
Patientory, Inc. – Certification and SOC Reports. In addition to the information contained in this DPA, upon Customer’s request, and provided that the parties have an applicable NDA in place, Patientory, Inc. will make available the following documents and information: the System and Organization Controls (SOC) 1 Report, the System and Organization Controls (SOC) 2 Report and the System and Organization Controls (SOC) 3 Report (or the reports or other documentation describing the controls implemented by Patientory, Inc. that replace or are substantially equivalent to the SOC 1, SOC 2 and SOC 3).
This DPA shall continue in force until the termination of the Agreement (the “Termination Date”).
The Services provide Customer with controls that Customer may use to retrieve or delete Customer Data as described in the Documentation. Up to the Termination Date, Customer will continue to have the ability to retrieve or delete Customer Data in accordance with this Section. For 90 days following the Termination Date, Customer may retrieve or delete any remaining Customer Data from the Services, subject to the terms and conditions set out in the Agreement, unless prohibited by law or the order of a governmental or regulatory body or it could subject Patientory, Inc. or its Affiliates to liability. No later than the end of this 90-day period, Customer will close all Patientory, Inc. accounts. Patientory, Inc. will delete Customer Data when requested by Customer by using the Service controls provided for this purpose by Patientory, Inc.
Except as amended by this DPA, the Agreement will remain in full force and effect. If there is a conflict between any other agreement between the parties including the Agreement and this DPA, the terms of this DPA will control.
Unless otherwise defined in the Agreement, all capitalized terms used in this DPA will have the meanings given to them below:
“Patientory, Inc. Network” means Patientory, Inc.’s data center facilities, servers, networking equipment, and host software systems (e.g., virtual firewalls) that are within Patientory, Inc.’s control and are used to provide the Services.
“Patientory, Inc. Security Standards” means the security standards attached to the Agreement, or if none are attached to the Agreement, attached to this DPA as Annex 1.
“Customer” means you or the entity you represent.
“Customer Data” means the “personal data” (as defined in the GDPR) that is uploaded to the Services under Customer’s Patientory, Inc. accounts.
“EEA” means the European Economic Area.
“GDPR” means Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
“processing” has the meaning given to it in the GDPR and “process”, “processes” and “processed” will be interpreted accordingly.
“Security Incident” means a breach of Patientory, Inc.’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Data.
“Standard Contractual Clauses” means Annex 2, attached to and forming part of this DPA pursuant to the European Commission Decision of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC.