Data Processing Addendum

This Data Processing Addendum (“DPA”) forms a part of the Agreement between Heads Up and Customer. This DPA is incorporated into the Agreement by reference and describes the Parties’ obligations regarding the Processing of Personal Information. Customer enters into this DPA on behalf of itself and, to the extent required under Applicable Data Protection Laws, in the name of and on behalf of its Authorized Affiliates, if and to the extent that Heads Up Processes Personal Information for such Authorized Affiliates that qualify as a Controller. Heads Up is acting as a Service Provider and Processor. All capitalized terms not defined shall have the meanings provided in the Agreement. In the event of a conflict between the terms of the Agreement and the DPA, this DPA shall prevail.

1. Definitions.

“Affiliates” means any legal entity controlling, controlled by or under common control with a party to this DPA, for so long as such Control relationship exists. 

“Authorized Affiliates” means those certain Customer Affiliates that, if agreed upon by Heads Up, are authorized to utilize the Heads Up Services as Users pursuant to the Agreement. 

“Applicable Data Protection Law(s)” means any applicable law, ordinance, statute, regulation, or other binding restriction to which the Personal Information is subject, including but not limited to CCPA, GDPR, UK GDPR, Data Protection Act 2018 and Non-EU Data Protection Laws, and all amendments thereof. For the avoidance of doubt, only the Applicable Data Protection Laws governing the use of the Software and the relationship between the Parties shall apply.

“Control” means the ownership of more than 50% of the applicable entity or the ability in fact to direct the management decisions of such entity.

“Customer Personal Information” means Personal Information belonging to Customer that is processed by Heads Up in the course of providing the Heads Up Services under the Agreement.

“Data Controller” means a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Information.

“Data Subject” has the meaning assigned to the term “data subject” or “consumer” under Applicable Data Protection Laws and shall include identified or identifiable natural persons to whom the Personal Information relates.

“GDPR” means the EU General Data Protection Regulation 2016/679.

“Non-EU Data Protection Laws” means all other applicable data protection laws, including but not limited to US state comprehensive privacy laws, including but not limited to the California Consumer Privacy Act of 2018, as amended (Cal. Civ. Code §§ 1798.100 to 1798.199), and any implementing regulations or guidance provided by the California Attorney General (“CCPA”), Canada’s Personal Information Protection and Electronic Documents Act, S.C., 2000, ch. 5 (“PIPEDA”) and any provincial legislation deemed substantially similar to PIPEDA pursuant to the procedures set forth within PIPEDA, the Dubai International Financial Centre’s Data Protection Law No. 5 of 2020 (“DIFC DPL”), Thailand Personal Data Protection Act, B.E. 2562 (2019) (“PDPA”) and Australia’s Privacy Act of 1988 (“Privacy Act of 1988”), and all amendments to the CCPA, PIPEDA, DIFC DPL, Privacy Act of 1988, and similar legislation, as they may be enacted, from time to time.

“Personal Information” means any data provided by Customer or its Authorized Affiliates to Heads Up that identifies or, alone or in combination with any other data, could reasonably be used to identify, locate, or contact a natural person or household, or any other information that is considered “personal information,” “personal data,” or other similar terms under Applicable Data Protection Laws, but does not include data or information that is publicly available within the meaning of such section or that has been de-identified within the meaning of Applicable Data Protection Laws.

“Process” or “Processing” means any operation or set of operations that is performed upon Personal Information, whether or not by automatic means, such as collection, accessing, processing, use, recording, organization, storage, adaptation or alteration, retrieval, consultation, disclosure, dissemination, transmittal, alignment or combination, blocking, erasure, destruction, or any other use set out in the Applicable Data Protection Laws.

“Security Incident” means any situation in which Heads Up confirms that Personal Information under its direct control has been accessed, acquired, disclosed, altered, lost, destroyed, or used by unauthorized persons in an unauthorized manner having a material impact on Customer or its Affiliates or on Data Subject rights.

“Sell”, “selling”, “sale”, or “sold” means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a Data Subject’s Personal Information to a third party for monetary or other valuable consideration.

“Share”, “sharing”, or “shared” means the provision of Personal Information to support targeted advertising across unaffiliated websites based on online behavioral profiling.

“Service Provider” means an entity that processes information on behalf of Customer and to which Customer discloses a Data Subject’s Personal Information for a business purpose pursuant to a written contract.

“Sub-Processor(s)” means any third-party service provider of Heads Up and to whom Heads Up provides or makes available Personal Information for Processing to be carried out on behalf of Customer or its Authorized Affiliates. For clarity, Sub-processors do not include Third-Party Services with whom Customer or its Authorized Affiliates directs Heads Up to interact with or disclose Personal Information. Heads Up may disclose Personal Information to such Third-Party Services, and Heads Up shall have no responsibility for the use of any Personal Information by any such third parties.

2. Service Provider Relationship; Restrictions and Use of Personal Information.

Customer appoints Heads Up as a Service Provider (Processor) of Personal Information and is disclosing Personal Information to Heads Up in that capacity exclusively for the execution of Heads Up Services detailed in the Agreement. Customer and its Authorized Affiliates agree that Heads Up may use Personal Information for purposes of performing its obligations under the Agreement and as otherwise contemplated in the Agreement. Heads Up agrees: (i) each Heads Up employee handling Personal Information will be subject to a duty of confidentiality; (ii) it will promptly notify Customer upon determining Heads Up can no longer meet its obligations under relevant Applicable Data Protection Laws or this DPA; (iii) it will not retain, use, or disclose Personal Information for any purpose not permitted by the Agreement or Applicable Data Protection Laws; (iv) it will not Sell or Share Personal Information; (v) it will not combine or update Personal Information received in connection with performing Heads Up Services under the Agreement and this DPA with Personal Information Heads Up receives from another source; and (vi) it will not attempt to or actually re-identify any aggregated, de-identified, or anonymized Customer Data. 

3. Documented Instructions.

Heads Up and its Sub-Processors will Process Customer Personal Information only in accordance with the documented instructions of Customer. The Agreement, including this DPA, constitutes Customer’s complete and final instructions to Heads Up regarding the Processing of Customer Personal Information, including for purposes of the Standard Contractual Clauses. Heads Up will, unless legally prohibited from doing so, inform Customer in writing if it reasonably believes that there is a conflict between Customer’s instructions and Applicable Data Protection Law or otherwise seeks to Process Customer Personal Information in a manner that is inconsistent with Customer’s instructions.

4. Customer Obligations.

Customer and its Authorized Affiliates warrant that they: (i) will comply with obligations under Applicable Data Protection Laws, including applicable obligations as a Data Controller; (ii) have provided all notices and obtained all consents and rights necessary under Applicable Data Protection Laws for Heads Up to Process Personal Information and provide the Heads Up Services; (iii) will ensure that there is at all times a sufficient legal basis for Heads Up’s Processing as permitted under this DPA; and (iv) will limit the provisioning of Personal Information to Heads Up only to the amount and kinds of data adequate, relevant, and necessary for performing the Heads Up Services. Customer is responsible for law-abiding Processing that it decides to undertake on behalf of itself and Customer Affiliates once it has access to its Personal Information. Without limiting any payment obligations under the Agreement, Customer shall immediately notify Heads Up and cease use of the Heads Up Services in the event any required authorization or legal basis for Processing is revoked or terminated, or, for notification purposes only, promptly notify Heads Up if it discovers any unauthorized access to its Environment or Customer Data.

5. Privacy Inquiries and Requests.

Customer is responsible for handling any Privacy Inquiry and Privacy Request (as defined below) from Data Subjects with respect to their Personal Information Processed by Heads Up. Heads Up agrees to assist Customer and provide Customer the information and assistance required under Applicable Data Protection Laws to enable Customer to respond to: (i) questions or complaints received from Data Subjects regarding Personal Information (“Privacy Inquiry”); and (ii) requests from Data Subjects exercising their rights in Personal Information granted to them under Applicable Data Protection Laws (“Privacy Request”). Heads Up will respond within a reasonable time which permits Customer to respond to the Privacy Inquiry or Privacy Request in accordance with the timelines set forth in Applicable Data Protection Laws. If Heads Up is directly contacted with a Privacy Inquiry or Privacy Request, Heads Up will promptly forward such inquiry to Customer. Customer shall inform Heads Up of any Data Subject request made pursuant to Applicable Data Protection Laws with which Heads Up is required to comply and will provide all reasonable information necessary for Heads Up to comply with the request. Privacy-related requests may be submitted to support@headsuphealth.com.

6. Government Access Requests.

Unless prohibited by applicable law or a legally-binding request of law enforcement, Heads Up will promptly notify Customer of any request by government agency or law enforcement authority for access to or seizure of Customer Personal Information, and will render reasonable assistance to Customer, at Customer’s expense, if Customer wishes to contest such activity.

7. Data Protection Impact Assessment.

Taking into account the Heads Up Services provided and the information available to Heads Up, Heads Up shall cooperate with Customer, at Customer’s expense, to enable Customer to conduct data protection impact assessment(s) required for Customer to comply with Applicable Data Protection Laws.

8. Security.

Heads Up has implemented and shall maintain reasonable and appropriate technical and organizational measures designed to protect Personal Information from a Security Incident and to protect the rights of the relevant Data Subjects as defined in Applicable Data Protection Laws. Such security measures are further detailed in the attached Annex II.

9. Security Incident.

Upon becoming aware of a Security Incident, Heads Up will inform Customer without undue delay and provide timely information to enable Customer to timely fulfill its reporting obligations required under Applicable Data Protection Laws. If the Security Incident was caused by Heads Up, Heads Up shall further take reasonable measures to remedy or mitigate the effects of the Security Incident and will keep Customer reasonably informed of such measures. Heads Up will provide Customer with reasonable information relating to the Security Incident as required by Applicable Data Protection Law.

10. Audits.

Upon Customer’s prior written request (with at least 30 days’ notice, except where a Security Incident requires otherwise under Applicable Data Protection Law), and subject to the confidentiality obligations set forth in the Agreement, Heads Up shall make available to Customer or, subject to Heads Up’s approval, Customer’s independent, third-party auditor (provided Customer remains responsible for an approved auditor’s compliance with the confidentiality obligations in the Agreement) information regarding Heads Up’s compliance with the obligations set forth in this DPA in the form of, at Heads Up’s option, (i) answering a security questionnaire, or, as available, (ii) providing third-party certifications and audits to the extent (i) does not fulfill requirements under Applicable Data Protection Law. Heads Up shall respond during its normal business hours and within a reasonable timeframe to Customer requests for documentation that verifies that it no longer retains or uses Personal Information that has been subject to a valid deletion request to Customer. Before the commencement of any audit under (ii), the Parties will mutually agree upon the timing, scope, and duration of the audit. Customer may request a summary audit report(s) or audit Heads Up no more than once annually.

11. Deletion or Return of Data.

Upon termination or expiry of the Agreement, Heads Up may delete Customer Data pursuant to the Agreement, or, subject to Customer paying applicable fees, return Customer Data to Customer, unless retention is required by law. Customer acknowledges that Heads Up is not a system of record and, accordingly, Customer will maintain its own copies of its essential business records. 

12. Sub-processor(s).

Customer hereby provides general authorization to Heads Up to engage third party Sub-processors to Process any Personal Information, with the current list of Sub-processors shown here (“Sub-Processor Table”). Heads Up will impose data protection terms on any Sub-processor it appoints designed to protect the Personal Information with substantially the same standard provided for by this DPA. Heads Up may make changes to its Sub-Processors in its sole discretion, provided: (i) it shall inform Customer of any intended changes concerning its Sub-Processors by updating the Sub-Processor Table; and (ii) Customer may object in writing to Heads Up’s appointment of a new Sub-Processor within thirty (30) days of such appointment so long as the objection is based on reasonable data privacy or security concerns. Heads Up will not use a new Sub-Processor until such thirty (30) days have passed (except in the event of an emergency). If Customer submits an objection to a new Sub-Processor, the Parties will work together to find an agreed upon solution. If no solution is agreed upon within the thirty (30) day period, Customer may terminate the Agreement.

13. International Transfers.

If Heads Up Processes, accesses, or stores Personal Information in a third country (as defined in Applicable Data Protection Law) or otherwise transfers Customer Data internationally to perform the Heads Up Services, then the Parties agree the applicable Standard Contractual Clauses or the accepted transfer mechanism for the transfer of Personal Information under Applicable Data Privacy Laws, as may be shown below, applies and is incorporated herein by reference, as such may be amended from time to time. To the extent applicable, the below shall apply to this DPA with Heads Up acting as the “data importer” and Customer as the “data exporter” or the functional equivalents as defined under Applicable Data Protection Law.

13.1. GDPR. The 2021 Standard Contractual Clauses (“SCCs”). For purposes of this DPA, the SCCs will apply as follows: “Module Two: Transfer Licensee to processor” will apply and all other module options will not apply. For the purposes of Annex 2 of the SCCs, the technical and organizational measures implemented by the data importer are those listed in Annex 2 of this DPA. Clause 7 will not apply. For clause 9, the Parties choose Option 2 and the Parties agree that the time period for prior notice of Sub-Processor changes will be as set forth in Section 12 of this DPA. For clause 11, the optional language will not apply. For clause 17, the Parties choose Option 1 and the Parties agree that the governing law will be the Republic of Ireland. For clause 18, the Parties agree that the courts of the Republic of Ireland will apply for subsection (b).

13.2. United Kingdom. For transfers of Customer Personal Information out of the United Kingdom, the UK Standard Contractual Clauses (“UK SCCs”) will apply. For Table 1 of the UK SCCs, (i) the Parties’ details will be the Parties to the extent any of them is involved in such transfer, including those set forth in Annex 1 of the SCCs and (ii) the Key Contacts will be the contacts set forth in Annex 1 of the SCCs, which shall be the contact information listed on an Order Form, in the Agreement, or otherwise provided by the Parties. The Approved EU SCCs referenced in Table 2 will be the SCCs pursuant to this DPA. For Table 3, Annex 1A, 1B, and II will be set forth in Annex 1 of the SCCs. For Table 4, either party may end the UK SCCs as set out in Section 19 of the UK SCCs.

13.3. Switzerland Transfers. For transfers of Customer Personal Information out of Switzerland, the SCCs will apply and will be deemed to have the differences set forth in this Section 13.3 to the extent required by the Swiss Federal Act on Data Protection (“FADP”). References to the GDPR in the SCCs are to be understood as references to the FADP insofar as the data transfers are subject exclusively to the FADP and not to the GDPR. The term “member state” in the SCCs will not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the SCCs. References to personal data in the SCCs also refer to data about identifiable legal entities until the entry into force of revisions to the FADP that eliminate this broader scope. Under Annex I(C) of the SCCs (Competent Supervisory Authority): where the transfer is subject exclusively to the FADP and not the GDPR, the supervisory authority is the Swiss Federal Data Protection and Information Commissioner, and where the transfer is subject to both the FADP and the GDPR, the supervisory authority is the Swiss Federal Data Protection and Information Commissioner insofar as the transfer is governed by the FADP, and the supervisory authority is as set forth in the SCCs insofar as the transfer is governed by the GDPR.

13.4. Dubai. For transfers of Customer Personal Information out of Dubai, the Dubai Standard Contractual Clauses will apply and are incorporated into this DPA.

13.5. If one or both of the foregoing are not applicable or Applicable Data Protection Laws require a different approach, the Parties agree that they will work together in good faith to ensure that the protection of the Personal Information being transferred meets applicable requirements. To the extent that Heads Up and Customer are relying on a specific statutory mechanism to normalize international data transfers and that mechanism is subsequently revoked or held in a court of competent jurisdiction to be invalid, Heads Up will, in good faith, pursue a suitable alternate mechanism that can lawfully support the transfer.

14. Data Localization Restrictions.

Notwithstanding anything to the contrary in the Agreement (including this DPA), Customer shall not use or access the Heads Up Services in a manner that would require Customer Data, Personal Information, or its Environment to be hosted in or localized to a specific country pursuant to such country’s Applicable Data Protection Laws.

15. Artificial Intelligence; Governance.

If Customer elects to use Third-Party Services with the Software or uses AI Services, Customer consents to the transmission and exchange of Customer Data with the Third-Party Services and acknowledges that it is responsible for ensuring its use of Third-Party Services, including its use of their AI Components, is in compliance with Applicable Data Protection Laws and avoidant of any prohibited uses. The Parties acknowledge laws and regulations relating to artificial intelligence use and provisioning are often being proposed, implemented, and changed (“AI Regulations”). If AI Regulations cause this DPA to be invalid, the Parties agree to work together in good faith to amend this DPA so that it is compliant with AI Regulations. If AI Regulations cause Heads Up to be unable to provide the Heads Up Services, either Party may terminate the Agreement provided such a termination will not relieve either Party’s obligations and liabilities incurred up to the date of the termination.

16. Liability.

The limitations and exclusions of liability in the Agreement apply to this DPA.

17. Miscellaneous.

Customer may request Heads Up to accept additional data privacy terms necessary to address Applicable Data Protection Laws. If Heads Up does not agree to such additional data privacy terms, Heads Up may terminate the DPA without penalty on thirty (30) days’ written notice. Except as amended by this DPA, all terms and conditions of the Agreement shall remain in full force and effect. Nothing in this DPA or the Agreement relieves Customer of its own direct responsibilities and liabilities under Applicable Data Protection Laws. Where there is a conflict, the most protective Applicable Data Protection Law relating to the rights and freedoms of natural persons whose Personal Information is subject to Processing under this DPA shall apply.


Annex I: Description of Transfers

Categories of data subjects whose personal data is transferred

Data exporter may submit Personal Information into the Heads Up Service, the extent of which is determined and controlled solely by the data exporter, and which may include, but is not limited to Personal Information relating to the following categories of data subjects:

Data exporter’s employees, contractors, patients, representatives, agents, and other individuals whom data exporter allows and is permitted to use the Heads Up Service, as well as Personal Information relating to the data exporter’s customers, partners, patients, users, vendors, and other categories as otherwise contemplated by the Agreement.

Categories of personal data transferred

Data exporter may submit Personal Information to the Heads Up Services, the extent of which is determined and controlled solely by data exporter, and which may include, but is not limited to the following Personal Information:

First and last name, contact information such as address, telephone number, and email address, IP address, user identifier, and other categories as otherwise contemplated by the Agreement.

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.

Any special categories of personal data or sensitive Personal Information, in the sole discretion of data exporter, which may be included in an Input or otherwise Customer Data submitted into the Heads Up Services or contained in an Output generated by the Heads Up Services. Notwithstanding the foregoing, no PCI-DSS-related data (except to enter in its payment information for the Heads Up Services), or other sensitive data types shall be submitted to Heads Up or into the Heads Up Services (protected health information may be submitted). If Customer ignores the foregoing restrictions, Customer is fully responsible for such data and Heads Up disclaims all liability relating to any claims involving such data.

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).

Continuous basis until termination or expiration of the Agreement.

Nature of the processing

The performance of the Heads Up Services pursuant to the Agreement.

Purpose(s) of the data transfer and further processing

The performance of the Heads Up Services pursuant to the Agreement.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

For the duration of the Agreement until it is deleted in accordance with the Agreement.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

As stated above, and as may be further detailed in the Sub-Processor Table made available and updated by Heads Up from time to time.

ANNEX II: Security Measures

TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

Description of the technical and organisational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.

Heads Up’s information security program, as established through its Information Security Policy’s internal controls and procedures, is designed to ensure: (i) Customer Data Heads Up processes is protected against accidental, unlawful, or unauthorized loss, access, or disclosure; (ii) reasonably foreseeable risks relating to security and unauthorized access are identified and protected against; and (iii) security risks are minimized by implementing, maintaining, and regularly assessing such controls.

Access Controls

Heads Up has instituted access control management policies: (i) governing the security of Heads Up’s information, networks, applications, and systems aimed to prevent unauthorized access to such items; and (ii) relating to Heads Up’s networks, applications, and systems to ensure only authorized users access appropriate information based on their role and to prevent unauthorized access to the same.

Encryption and Key Management

All encryption of data, and all related key management, shall be end-to-end and performed in accordance with industry standards. The below represents Heads Up’s encryption methods for at-rest and in-transit data.

  • At-Rest: AES 256 bit symmetric encryption
  • In-Transit: TLS 1.2 (minimum)

Asset Management

Heads Up has instituted policies that appropriately identify and classify its assets to ensure their security and integrity. Protection levels are established pursuant to the corresponding asset’s importance and exposure to sensitive information, and are designed to prohibit unauthorized disclosures, loss, damage, or destruction of information in relation to the asset.

Contingency Planning

Heads Up has instituted redundancy controls to eliminate single points of failure and minimize the impact of possible physical and environmental risks. It has also established a Business Continuity and Disaster Recovery Plan, which it tests regularly, to help ensure the Heads Up Services’ continuity.

Security Incident Response

Heads Up has instituted policies to minimize a security incident’s impact, including as it relates to the availability and confidentiality of the Heads Up Services. These policies help Heads Up to efficiently respond, mitigate, handle, and communicate issues relating to a security incident.

Risk Management

  • Internal – Heads Up has instituted policies relating to managing potential risks, including conducting risk assessments and corresponding mitigation efforts regarding loss, unavailability, damage, or unauthorized access to Heads Up’s information, networks, or controls.
  • External (Including System Governance) – Heads Up has instituted policies and controls for Heads Up to vet its vendors to establish appropriate security measures, including contract reviews to ensure appropriate controls and systems are in place and conducting due diligence to effectively on-board and off-board Heads Up vendors. Once a vendor is on-boarded, Heads Up has instituted policies relating to the monitoring, developing, and supporting of the on-boarded systems and solutions.

Security Controls

  • Network – Heads Up has instituted policies to protect Heads Up’s network generally, including protecting the transferring of information, network security, segregated networks, and network services as information is processed and transferred.
  • Operational – Heads Up has instituted policies ensuring the secure management of its information technology systems relating to system integrity, protecting against the exploitation of technical vulnerabilities, malware, and data loss, and standardizing backups, logging, installations, and change management.
  • Physical – Heads Up has instituted policies relating to physical and environmental threats by identifying security and access controls regarding personnel, visitors, equipment, secure/controlled areas, threat detection, destruction of data, and office documentation and organization management to prohibit unauthorized access and the loss or damage to Heads Up’s systems, data, and operations.
  • Personnel – Heads Up has instituted policies relating to hiring standards and procedures, including appropriate vetting of prospective personnel, background check requirements, and utilizing appropriate confidentiality and employment-related agreements. The policies also institute on-going security and data privacy training for personnel to protect Heads Up’s systems, networks, and controls during the entire employment lifecycle.