Data Processing Addendum

This Data Processing Appendix (“DPA”) applies when InteroCloud Limited (“InteroCloud”) processes personal data that is subject to the General Data Protection Regulation (GDPR) on behalf of an organization or person (“Subscriber”) who has subscribed to InteroCloud’s clinic management platform (the “Services”).

This DPA is incorporated into and forms part of the Terms of Use for the Services and will apply for as long as the Subscriber has a valid paid subscription to the Services and after this time where required by the applicable law. The provisions of this DPA shall prevail over those of the Terms in respect of the manner and conditions of Processing of Personal Data, where appropriate, and shall constitute an automatic amendment of the Terms in this respect.

This DPA shall be governed by and construed in accordance with the laws governing the Terms.

The provisions of this DPA are severable. If any phrase, clause, or provision is invalid or unenforceable in whole or in part, such invalidity or unenforceability shall affect only such phrase, clause or provision, and the rest of this DPA shall remain in full force and effect.

Terminology

  • “GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
  • “Personal Data” means any information relating to an identified natural person or which can be used (directly or indirectly) to identify a natural person, such as name, address, email address, username, credit card, billing information, health information or other like information.
  • “Process” or “Processing” means the collection, use, storage, disclosure, erasure or destruction of Personal Data, or any other operation or set of operations performed on Personal Data, whether or not by automated means.

Terms

  1. The Subscriber will act as the “Controller”, being the party who determines the purposes and means of the Processing of Personal Data. InteroCloud will act as the “Processor” being the service provider who Processes Personal Data on behalf of the Subscriber. Each party will comply with the provisions of the GDPR that apply to its role as Controller or Processor, respectively.
  2. Purpose and Duration of Processing. Each party will Process Personal Data according to this DPA only as necessary for the provision and use of the Services, and for as long as the Subscriber has a valid paid subscription to the Services, or thereafter, when necessary, as per the applicable law.
  3. Categories of Personal Data. The categories of Personal Data to be Processed will be determined by the Subscriber, but may include: name, address, email address, telephone number, health insurance information, billing information and data concerning health. The categories of individuals whose Personal Data may be processed are: employees, contractors, and patients of the Subscriber.
  4. Obligations. InteroCloud will:
  • process Personal Data only on the written instructions of the Subscriber. This DPA and the InteroCloud Terms of Use are the Subscriber’s written instructions for this purpose. The Subscriber warrants that it is and will remain authorized to give these instructions, as well as any future instructions regarding the Processing of Personal Data, and that the Subscriber’s instructions will comply with the GDPR;
  • not transfer Personal Data to a country outside the European Union, the EEA or the United Kingdom, except where such third country provides appropriate safeguards by way of an adequacy decision or where the recipient of the Personal Data provides appropriate safeguards through adherence to an approved certification framework, Standard Contractual Clauses or binding corporate rules, or other legal mechanisms are in place to safeguard the Personal Data being transferred;
  • ensure that persons authorized to Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory or conventional obligation of confidentiality;
  • implement and maintain appropriate technical and organizational measures to protect the security, confidentiality, and integrity of the Personal Data (including as appropriate, pseudonymization, encryption, incident management, restoration and access controls), and will regularly monitor compliance with these measures;
  • use only sub-processors who maintain at least the same level of security measures and adequate safeguards as required under this DPA and who have entered into a written agreement (which may be electronic) with InteroCloud, requiring such measures and safeguards. InteroCloud will inform the Subscriber of any intended changes to its sub-processors, if considered necessary and appropriate. If a sub-processor fails to fulfil its data protection obligations, InteroCloud will be liable for the performance of such obligations;
  • notify the Subscriber, without undue delay, after becoming aware of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data processed by InteroCloud, and take all steps reasonably within InteroCloud’s control to mitigate and remediate the breach;

a) assist the Subscriber in responding to individuals’ requests to exercise their rights with respect to their Personal Data being Processed by InteroCloud; provided however, that InteroCloud will not respond directly to any individual; and

b) assist the Subscriber in meeting its legal obligations with respect to breach notification, data protection impact assessments, or the cooperation or prior consultation with a supervisory authority with respect to Personal Data Processed by InteroCloud;

c) upon request of the Subscriber, either delete or return Personal Data after completion of Services relating to the Processing, subject to any legal or regulatory obligations to maintain or store the Personal Data; and

d) provide the Subscriber with all information necessary to demonstrate InteroCloud’s compliance with the GDPR, and provide a compliance statement or, alternatively, contribute to audits or inspections to be conducted by or on behalf of the Subscriber no more than once in any calendar year, unless an additional audit is required via a court order. The Subscriber will provide reasonable advance notice of any such request and will abide by InteroCloud’s reasonable security requirements. InteroCloud may charge for any time expended for such statement, audit or inspection at InteroCloud’s then-current hourly rates.