This Data Processing Addendum (“DPA”) applies when Jane Software Inc. (“Jane”) processes personal data that is subject to the General Data Protection Regulation (GDPR) on behalf of an organization or person (“Subscriber”) who has subscribed to Jane’s clinic management platform (the “Services”).
- “GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
- “Personal Data” means any information relating to an identified natural person or which can be used (directly or indirectly) to identify a natural person, such as name, address, email address, username, credit card, billing information, health information or other like information.
- “Process” or “Processing” means the collection, use, storage, disclosure, erasure or destruction of Personal Data, or any other operation or set of operations performed on Personal Data, whether or not by automated means.
- Roles. The Subscriber will act as the “Controller”, being the party who determines the purposes and means of the Processing of Personal Data. Jane will act as the “Processor” being the service provider who Processes Personal Data on behalf of the Subscriber. Each party will comply with the provisions of the GDPR that apply to its role as Controller or Processor, respectively.
- Purpose and Duration of Processing. Each party will Process Personal Data only as necessary for the provision and use of the Services, and for as long as the Subscriber has a valid paid subscription to the Services.
- Categories of Personal Data. The categories of Personal Data to be Processed will be determined by the Subscriber, but may include: name, address, email address, telephone number, health insurance information, billing information and data concerning health. The categories of individuals whose Personal Data may be processed are: employees, contractors and patients of the Subscriber.
- Obligations. Jane will:
  - not transfer Personal Data to a country outside the European Union, the EEA or the United Kingdom, except where such third country provides appropriate safeguards by way of an adequacy decision (such as Canada) or where the recipient of the Personal Data provides appropriate safeguards through adherence to an approved certification framework (such as the EU-US Privacy Shield), Standard Contractual Clauses or binding corporate rules, or other legal mechanisms are in place to safeguard the Personal Data being transferred;
  - ensure that persons authorized to Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
  - implement and maintain appropriate technical and organizational measures to protect the security, confidentiality and integrity of the Personal Data (including, as appropriate, pseudonymization, encryption, incident management, restoration and access controls), and will regularly monitor compliance with these measures;
  - use only sub-processors who maintain at least the same level of security measures and adequate safeguards as required under this Addendum and who have entered a written agreement (which may be electronic) with Jane requiring such measures and safeguards. Jane will inform the Subscriber of any intended changes to its sub-processors. If a sub-processor fails to fulfill its data protection obligations, Jane will be liable for the performance of such obligations;
  - notify the Subscriber, without undue delay, after becoming aware of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data processed by Jane, and take all steps reasonably within Jane’s control to mitigate and remediate the breach;
  - meet its obligations under the GDPR to assist the Subscriber, insofar as this is possible and at the expense of the Subscriber, to:
    - respond to individuals’ requests to exercise their rights with respect to their Personal Data being Processed by Jane; provided however, that Jane will not respond directly to any individual; and
    - meet the Subscriber’s legal obligations with respect to breach notification, data protection impact assessments, or the cooperation or prior consultation with a supervisory authority with respect to Personal Data Processed by Jane;
  - upon request of the Subscriber, either delete or return Personal Data after completion of Services relating to the Processing, subject to any legal or regulatory obligations to maintain or store the Personal Data; and
  - provide the Subscriber with all information necessary to demonstrate Jane’s compliance with the GDPR, and contribute to audits or inspections to be conducted by or on behalf of the Subscriber no more than once in any calendar year, unless an additional audit is required by the GDPR or a regulatory authority, or is reasonably necessary due to genuine concerns regarding Jane’s compliance with this DPA. The Subscriber will provide reasonable advance notice of any audit and will abide by Jane’s reasonable security requirements. Jane may charge for any time expended for such audit or inspection at Jane’s then-current hourly rates.