DATA PROCESSING AGREEMENT
Effective as of October 1, 2024 (Version Number: 45566)
This Canadian data processing agreement (“DPA”) is governed by and is incorporated by reference into and shall apply to the DAS Standard Incorporated Terms and Conditions, any Program Agreement, Client Order Form (“COF”), Statement of Work (“SOW”), all agreements assigned, transferred, or conveyed to DAS Health Ventures (Canada), Inc., including its affiliates (“DAS”) and other agreements, addendums, appendices or referenced documents (together with these Terms, the “Agreement”) executed between DAS and the client identified in the Agreement (“Client”). DAS and Client may be referred to individually as a “Party” and collectively as the “Parties.”
1. | Application and Scope |
1.1 | Scope. This DPA applies to Personal Data processed by DAS in delivering PM/EHR, revenue cycle management, consulting, managed services, and other related services (the “Services”), including without limitation that which is required for DAS to perform its obligations under the Agreement. |
1.2 | Purpose. The purpose of this DPA is to set forth the terms under which DAS and Client Process Personal Data and related obligations. The guiding principles of this DPA are those set out in applicable Data Protection Laws. |
2. | Definitions |
2.1 | Anonymized Data means information from which Personal Data has been removed, such that it is defined or recognized as “anonymized”, or equivalent term, within the meaning of and in accordance with Data Protection Laws. |
2.2 | Data Protection Laws means all laws and regulations related to data protection, data security, marketing, or privacy, applicable to any of the collection, use, disclosure or other Processing of Personal Data under the Agreement (including this DPA), as amended or replaced from time to time. Depending on the Processing at issue, such laws may include (but are not limited to) the Personal Information Protection and Electronic Documents Act, substantially similar provincial laws, and provincial health information laws. |
2.3 | Patient Data means any Personal Data that relates to the health of any individual, including any information defined as Personal Health Information under the applicable Data Protection Laws. Patient Data is sensitive Personal Data. |
2.4 | Personal Data means any information relating to an identified or identifiable natural person (“Data Subject”); an identifiable natural person is one who can foreseeably be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Personal Data includes Patient Data, and any other information defined or recognized as constituting “personal information,” “personal health information,” “personal data,” “personally identifiable information,” “non-public personal data,” or similar terms as defined by Data Protection Laws, but excludes Anonymized Data. |
2.5 | Process(ing) means any treatment of Personal Data, including, without limitation, collecting, using, disclosing, accessing, storing, archiving, modifying, or destroying Personal Data. |
2.6 | DAS Personnel means any employees, officers, directors, contractors, subcontractors, associates, representatives or other persons engaged by DAS, whose responsibilities include fulfilling DAS’s obligations under the Agreement. |
2.7 | Record includes documents, images, maps, drawings, photographs, letters, papers and any other media on which Personal Data is recorded or stored by graphic, electronic, mechanical or other means. |
2.8 | Security Incident means (i) the actual or suspected loss, theft, unavailability or misuse, or unauthorized and/or unlawful access to, or handling, alteration, compromise or other processing of Personal Data, or (ii) any other breach of the protection or safeguarding of Personal Data. |
2.9 | Other Terms. All other terms referred to in this DPA shall have the meaning ascribed to them in the Agreement or Data Protection Laws, where applicable. In the event of a conflict between applicable definitions for the same term, the parties will give effect to the strictest definition. |
3. | Roles and Responsibilities |
3.1 | Roles. Client is the controller and DAS (including DAS Personnel) the processor of the Personal Data. |
3.2 | Client |
3.2.1 | Control. All right, title, interest and control in and to the Personal Data that DAS Processes in the course of providing the Services shall remain with Client. |
3.2.2 | Legal Authorization. Client is responsible for ensuring that DAS’s access, use and storage of the Personal Data under the Agreement is authorized under Data Protection Laws. Client shall ensure that all Personal Data provided to DAS in relation to the performance of the Services has been collected in compliance with Data Protection Laws, and secure any required rights (including consent, as applicable) for DAS and DAS Personnel to Process the Personal Data as outlined in the Agreement. |
3.3 | DAS |
3.3.1 | Authorized Processing of Personal Data. DAS will Process Personal Data only in accordance with the Agreement. Except as otherwise permitted or required by Data Protection Laws, DAS will Process Personal Data, including Patient Data, for the sole purpose of performing the Services. The nature and permitted purposes for Processing of Personal Data by DAS for Client as part of the Services are precisely defined in the Agreement. |
3.3.2 | Anonymization. In addition to any other permitted Processing for purposes specified in the Agreement, and to the extent permitted by Data Protection Laws, Client instructs and authorizes DAS (including DAS Personnel) to produce Anonymized Data from Personal Data, and use or disclose the resulting Anonymized Data for the Intended Use (as defined in Section 5.3 below). |
4. | Legal Requirements |
4.1 | Compliance with Data Protection Laws. DAS agrees to comply with all Data Protection Laws when Processing Personal Data. If, as a result of the Services provided to the Client under the Agreement, DAS is a “service provider”, “information manager”, “information management service provider” or “agent” to Client, as defined in Data Protection Laws applicable to Client, DAS will comply with all resulting obligations including, where made known in advance to DAS by Client, the requirements applicable to Client, and the standards, policies and procedures established by Client, concerning the protection, retention and secure destruction of Personal Data. |
4.2 | Authorized Personnel. DAS shall be solely responsible for ensuring full compliance by all DAS Personnel with the terms and conditions of the Agreement (including this DPA). DAS will ensure that, (i) except as otherwise required or permitted by Data Protection Laws, DAS Personnel will have access to Personal Data only where such access is necessary to enable DAS to deliver the Services, and (ii) all DAS Personnel are aware of, and agree in writing to comply with, the obligations of DAS under the Agreement and Data Protection Laws. |
4.3 | Security Incident. After becoming aware of a confirmed Security Incident, DAS will promptly notify Client, in writing, of such Security Incident, and shall take all reasonable steps to prevent any further Security Incident. DAS will cooperate fully in the investigation by Client of any Security Incident, including by providing Client with sufficient access to Personal Data as is necessary for Client to undertake an assessment of the Security Incident. |
4.4 | Assistance. DAS will, (1) on request, allow Client to access or otherwise obtain copies of the Personal Data at any time, subject only to necessary operational constraints; (2) on request, provide Client with any information Client deems reasonably relevant to demonstrate DAS’s compliance with the Agreement and Data Protection Laws; and (3) assist Client with performing its obligations under Data Protection Laws with respect to any Personal Data, including assisting Client in responding to and addressing individual rights requests. If DAS receives an individual rights request or complaint directly from an individual concerning any Personal Data, DAS shall immediately forward the request to Client. |
4.5 | Compliance. DAS will promptly notify Client if it makes a determination that it has not complied with or can no longer meet its obligations under Data Protection Laws or the Agreement. Upon receipt of such notice, Client may, upon providing written notice to DAS, take reasonable steps to stop and remediate unauthorized processing of Personal Data. |
5. | Measures |
5.1 | Security. DAS will adopt and implement appropriate measures to protect Personal Data from risks such as unauthorized access, use, disclosure, disposition, destruction, loss, modification or alteration, including technical, physical, and organizational safeguards appropriate to the risk represented by the nature and sensitivity of the Personal Data and the Processing performed under the Agreement. DAS will ensure all safeguards are in accordance with industry standard practices and consistent with Data Protection Laws, including those relating to data security. |
5.2 | Confidentiality. DAS will (1) treat Personal Data as strictly confidential and inform DAS Personnel engaged in the Processing of Personal Data of the confidential nature of Personal Data; and (2) ensure that persons authorized to Process the Personal Data have committed themselves in writing to confidentiality or are under an appropriate statutory obligation of confidentiality. |
5.3 | Anonymization, Aggregation and Data Linkage. Client instructs and authorizes DAS to use and disclose Anonymized Data in any manner and for any purpose, including, but not limited to, optimization of the DAS services, the provision and improvement of DAS digital & technical services, general customer service (including internal processes that support customers, such as supply forecasting), the improvement of existing & future DAS products, and research and development (“Intended Use”). Notwithstanding the foregoing, DAS will not attempt to re-identify Anonymized Data, or combine Personal Data Processed under this agreement with Personal Data or Anonymized Data that DAS receives from, or on behalf of, other persons, or collects from its own interactions with an individual, except as permitted under Data Protection Laws. |
5.4 | International Data Transfers. DAS will not transfer any Personal Data to a region other than the one in which it was collected, unless the transfer complies with any applicable restrictions on data transfers set forth in Data Protection Laws, including ensuring an adequate legal mechanism for such transfers. Such measures may include (without limitation) a transfer pursuant to (i) a written agreement with terms and conditions that are substantially similar to those in this DPA, as it pertains to the safeguarding of Personal Data, and/or (ii) a data transfer assessment as required by Data Protection Laws. |
6. | Term and Termination |
6.1 | Termination. In the event of a breach of any provision of this DPA, in any material respect, by either party, that is not cured within thirty (30) days after receipt of written notice thereof from the other party, the non-breaching party may, upon written notice to the breaching party, (i) terminate the Agreement, (ii) terminate or suspend the performance of any Services, and/or (iii) pursue other legal and equitable rights and remedies to which it may be entitled. |
6.2 | Effect of Termination. Upon termination of the Agreement, DAS shall immediately terminate or suspend the performance of any Services, and return any and all Personal Data or Records thereof in its possession to Client, in an electronic format that Client can readily use. DAS will cooperate fully with Client to enable it to meet its obligations under Data Protection Laws during the transfer. Following completion of the transfer, DAS will securely destroy all Records of the Personal Data that remain in its custody. |
6.3 | Term. The duration of this DPA shall be as necessary to perform the Services. Notwithstanding anything to the contrary in the Agreement, DAS’s rights and obligations regarding Personal Data will survive any termination or expiration of the Agreement to the extent DAS continues to retain or otherwise process Personal Data (as such retention or other Processing may be permitted under the Agreement or applicable laws). |
7. | Miscellaneous |
7.1 | Order of Precedence. In the event of a conflict between the Agreement, this DPA and Data Protection Laws, then the conflict will be resolved by giving effect to such in the following order of precedence: (a) Data Protection Laws; (b) this DPA; and (c) the Agreement. |
7.2 | Changes in Law. The parties agree to work in good faith to amend this DPA as necessary to incorporate any changes necessitated by changes in Data Protection Laws or any other applicable laws. |
7.3 | Headings. The headings in this DPA are for reference purposes only and do not affect in any way the meaning or interpretation of the DPA. |
7.4 | Governing Law and Jurisdiction. The parties submit to the choice of law and jurisdiction stipulated in the Agreement with respect to any disputes or claims arising under this DPA, including disputes regarding its existence, validity, or termination or the consequences of its nullity. |
7.5 | Entire DPA. This DPA supersedes all prior and contemporaneous communications, whether written or oral, regarding the subject matter covered in this DPA. |
7.6 | No Further Amendment. Except as modified by this DPA, the terms and conditions of the Agreement remain unmodified and in full force and effect. |