This Data Processing Addendum (“DPA”) is entered into as of the Effective Date by and between Reify Health, Inc. (“Reify”) and the Customer as identified in the Underlying Services Agreement (“Customer”), each individually a “Party” and collectively, the “Parties.”
This DPA is hereby incorporated into and forms part of the Underlying Services Agreement (as defined below), and applies to the extent that Reify processes Personal Data (as defined below) on behalf of Customer in the provision of services thereunder. The purpose of this DPA is to set out the rights and obligations of the Parties with respect to Personal Data processed by Reify in its capacity as Data Processor (as defined below) and Customer as Data Controller (as defined below). The Parties are committed to complying with applicable legislation related to the protection of Personal Data (hereinafter, collectively, the “Privacy Law”).
The Parties agree as follows:
Any capitalized terms not otherwise defined herein shall have the same meaning given to them in the Underlying Services Agreement. For the purpose of this DPA, the following terms shall have the meanings set out below and cognate terms shall be construed accordingly:
1.1 “Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data;
1.2 “Data Controller” means the entity that determines the purposes and means of the processing of personal data. For purposes of this DPA, Customer is Data Controller of Personal Data.
1.3 “Data Processor” means the entity which processes personal data on behalf of the Data Controller. For purposes of this DPA, Reify is a Data Processor of Personal Data.
1.4 “Data Subject” means the individual to whom Personal Data relates.
1.5 “Effective Date” means the date on which the Underlying Services Agreement is signed by Customer.
1.6 “General Data Protection Regulation” or “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, as amended from time to time.
1.7 “Personal Data” means any information relating to an identified or identifiable person that is processed by Reify from or on behalf of the Customer pursuant to the Underlying Services Agreement. The types of Personal Data Processed and the categories of data subjects to whom the Personal Data relates under this DPA are set forth in Annex I. Personal Data does not include data that falls outside the scope of the applicable Privacy Law, an example of which includes but is not limited to anonymized data.
1.8 “Process” or “Processing” means any operation or set of operations performed on data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
1.9 “Standard Contractual Clauses” or “SCC” means Standard Contractual Clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and the Council, approved by European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, as currently set out at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj, or such alternative as may be approved by the European Commission from time to time, incorporated herein by reference and attached hereto as Annex I.
1.10 “Sub-processor” means any third party engaged by Reify to Process Personal Data in accordance with this DPA and Privacy Law.
1.11 “Swiss Data Protection Laws” means the Swiss Federal Act on Data Protection of 19 June 1992, the Swiss Ordinance to the Swiss Federal Act on Data Protection of 14 June 1993, and, when in force, the Swiss Federal Data Protection Act of 25 September 2020, and its corresponding ordinances as amended, superseded, or replaced from time to time.
1.12 “Underlying Services Agreement” means the written agreement(s) (other than this DPA) by and between the Parties, pursuant to which Reify accesses, receives, maintains, creates, or transmits Personal Data for or on behalf of Customer in connection with the provision of the services described in such agreement(s) or in performance of Reify’s obligations under such agreement(s).
1.13 “UK Addendum” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, version B1.0, in force 21 March 2022, issued by the Information Commissioner’s Office (“ICO”) under s119A(1) of the Data Protection Act 2018, as currently set out at https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-data-transfer-agreement-and-guidance/, or such alternative as may be approved by the ICO from time to time, incorporated herein by reference and attached hereto as Annex II.
1.14 “UK Data Protection Laws” means all laws relating to data protection, the Processing of Personal Data, privacy, or electronic communications in force from time to time in the United Kingdom, including the UK General Data Protection Regulation, as it forms part of the law of the United Kingdom by virtue of Section 3 of the European Union (Withdrawal) Act 2018 (“UK GDPR”) and the Data Protection Act 2018.
2.1 Reify shall Process the Personal Data only: in accordance with the Underlying Services Agreement; as instructed by Customer; or as required by the Privacy Law.
2.2 Reify shall Process Personal Data in accordance with the requirements of Privacy Law and Customer shall ensure that its instructions for the Processing of such data duly comply with the applicable Privacy Law. Reify shall notify Customer if Reify believes that Customer’s instructions may conflict with Privacy Law.
2.3 Reify agrees to use appropriate technical and organizational safeguards, based on the relative risk of the Personal Data, intended to appropriately protect the confidentiality, integrity, and availability of the Personal Data and to prevent Processing or disclosure of the Personal Data other than as provided for by the Underlying Services Agreement and this DPA.
2.4 Where, in order to perform under this DPA, it is necessary for Reify to transfer Personal Data from the country of origin, Reify shall ensure the Personal Data is protected as is required by the applicable Privacy Law in the country of origin.
2.5 Reify shall make available to the Customer all information necessary to demonstrate compliance with the applicable Privacy Law and allow for and contribute to audits, including inspections, conducted by the Customer or its delegate reasonably acceptable to Reify, provided reasonable notice and an undertaking of confidentiality is provided prior to such audit.
3.1 Should Reify become aware of any Data Breach affecting Personal Data, then it shall: (i) notify the Customer of such Data Breach without undue delay; (ii) investigate the Data Breach and provide the Customer with all relevant information then known to Reify; (iii) assist the Data Controller in notifying the data subjects and/or other applicable authorities, as required by the Privacy Law; and (iv) take all reasonable steps to mitigate the effects and to minimize any damage resulting from the Data Breach.
3.2 Notification(s) of any Data Breach shall be promptly delivered by Reify to an email address specified by the Customer.
4.1 Reify shall assist the Customer in fulfilling Customer’s obligation to respond to Data Subjects’ requests under Privacy Law. In this respect, to the extent the Customer, in its use of the Services, does not have the ability to correct, amend, restrict, block, delete or ensure the portability of the Personal Data, as required by the Privacy Law, Reify shall comply with any reasonable requests by the Customer to facilitate such actions on Customer’s behalf, to the extent Reify is reasonably able to do so from a legal and technical standpoint.
4.2 Reify shall promptly notify the Customer in the unlikely event Reify receives from a Data Subject a request to exercise one or more rights in accordance with Privacy Law. Reify shall not directly respond to any such Data Subject.
5.1 The Customer shall notify Reify of any limitation(s) or changes in its privacy practices, to the extent that such limitation or changes may affect Reify’s Processing of Personal Data under this DPA.
5.2 As between the Parties, the Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data. The Customer shall be responsible for ensuring a legal basis exists for Processing activities performed under this DPA (including but not limited to obtaining valid consent of Data Subjects and compliance with data transfer obligations for the Personal Data).
6.1 Customer acknowledges and agrees that Reify may engage third-party Sub-processors to Process Personal Data in connection with the Services. This authorization shall be considered as expressly given herein by the Customer in relation to any Sub-processor already engaged by Reify, as listed in the StudyTeam Sub-Processor List (see Section 6.2) as of the Effective Date.
6.2 Information regarding current Sub-processors can be found on the StudyTeam Sub-processor web page located at https://www.studyteamapp.com/Subprocessors.html (“StudyTeam Sub-Processor List”). This Sub-processor list may be updated from time to time by Reify in accordance with this Section 6.
6.3 Reify shall provide at least fourteen (14) days’ notice prior to the engagement of any new Sub-processor. Such notice shall be provided by sending an email to the Customer’s designated recipient, whom Customer may designate by visiting the StudyTeam Sub-Processor List web page and following the subscription prompt on that page. Authorization for such Sub-processor shall be deemed to be given if no objection is received from Customer within the notice period.
6.4 Reify agrees to enter into a written agreement with each Sub-processor, which requires the latter to ensure at least the same level of protection for the Personal Data as in this DPA. Reify shall remain fully responsible to Customer for the performance of any Sub-processor under this DPA.
7.1 This DPA shall commence upon the Effective Date and continue for the duration of Reify’s Processing of Personal Data pursuant to the Underlying Services Agreement.
7.2 Upon termination of this DPA for any reason and upon written instructions from Customer, Reify shall return or destroy all Personal Data processed on behalf of the Customer in connection with the Underlying Services Agreement(s). This provision shall also apply to the Personal Data that is in the possession of any Sub-processor. Reify shall retain no copies of the Personal Data, unless permitted to do so and for such period as required by applicable legislation, including Privacy Law, or by competent authorities.
8.1 Standard Contractual Clauses. To the extent Customer Data from the European Economic Area (“EEA”), Switzerland, or the United Kingdom is Processed by or on behalf of Reify, either directly or via onward transfer to the United States, Reify and Customer agree to comply with the terms and conditions of the SCCs (Module Two: Transfer Controller to Processor), incorporated herein by reference and attached hereto as Annex I, as the data importer and data exporter, respectively, throughout the period that Reify Processes Customer Data under the Underlying Services Agreement.
8.2 UK Addendum. To the extent Customer Data from the United Kingdom is Processed by or on behalf of Reify, either directly or via onward transfer to the United States, Reify and Customer shall comply with the terms and conditions of the UK Addendum, version B1.0, incorporated herein by reference and attached hereto as Annex II, as the data importer and data exporter, respectively, throughout the period that Reify Processes Customer Data under the Underlying Services Agreement.
8.3 Swiss Addendum. To the extent any transfers of Customer Data fall within the scope of the Swiss Data Protection Laws, the Parties agree that all such transfers shall be governed by the SCCs as supplemented and amended by the Swiss Addendum to the SCCs, attached hereto as Annex III.
9.1 Amendment. The Parties agree to amend this DPA from time to time as is necessary for compliance with the requirements of Privacy Law.
9.2 Interpretation. The provisions of this DPA shall prevail over any provisions in the Underlying Services Agreement that may conflict or appear inconsistent with specific regards to the Parties’ compliance obligations under the Privacy Law.
Name: Reify Health, Inc.
Address: 33 Arch Street, 17th Floor, Boston, MA 02110
Contact: Martha Wrangham
Title: Data Protection Officer
Email: privacyofficer@onestudyteam.com
Activities relevant to the data transferred:
Processing of personal data by Data Importer’s software application(s) to support Data Exporter’s work in the clinical trial field.
Role: Processor
Signature: Indicated with signature by Data Importer’s authorized representative of the Underlying Services Agreement
The data exporter is the Customer who executed the Underlying Services Agreement with the data importer. The data exporter’s designated point of contact and contact details are identified in the Underlying Services Agreement.
Activities relevant to the data transferred under these Clauses:
Processing of personal data by Data Importer’s software application(s) to support Data Exporter’s work in the clinical trial field.
Role: Controller
Signature: Indicated with signature by Data Exporter’s authorized representative of the Underlying Services Agreement.
CATEGORIES OF DATA SUBJECTS WHOSE PERSONAL DATA IS TRANSFERRED:
• Patients or clinical subjects of the Customer
• Customer’s authorized users of Reify’s products and services
CATEGORIES OF PERSONAL DATA TRANSFERRED MAY INCLUDE, BUT ARE NOT LIMITED TO:
• Name
• Date of birth
• Gender
• Race
• Ethnicity
• Research indications
• Appointment dates and details
• Data concerning health, including clinical data
SENSITIVE DATA TRANSFERRED MAY INCLUDE, BUT ARE NOT LIMITED TO:
• Data Concerning Health
RESTRICTIONS OR SAFEGUARDS THAT FULLY TAKE INTO CONSIDERATION THE NATURE OF THE DATA AND THE RISKS INVOLVED:
• Access only to staff following requirement to complete data protection and security training.
• Internal logging of data access.
• Restrictions on onward transfers designed to ensure such transfers are done in compliance with applicable data protection law.
• For additional security measures, please refer to the attached Section III of this Annex I.
THE FREQUENCY OF THE TRANSFER (E.G., WHETHER THE DATA IS TRANSFERRED ON A ONE-OFF OR CONTINUOUS BASIS):
Continuous basis.
NATURE OF THE PROCESSING:
To the extent personal data is processed by data importer, such processing may include: collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
PURPOSE(S) OF THE DATA TRANSFER AND FURTHER PROCESSING:
The purpose is to fulfill data importer’s obligations to data exporter in the DPA and the Underlying Services Agreement.
THE PERIOD FOR WHICH THE PERSONAL DATA WILL BE RETAINED, OR, IF THAT IS NOT POSSIBLE, THE CRITERIA USED TO DETERMINE THAT PERIOD:
Personal data shall be retained until data exporter instructs data importer otherwise.
FOR TRANSFERS TO SUB-PROCESSORS, ALSO SPECIFY SUBJECT MATTER, NATURE AND DURATION OF THE PROCESSING:
Data importer may engage sub-processors in order to fulfill data importer’s obligations to data exporter under this DPA and the Underlying Services Agreement.
In accordance with Clause 13, the competent supervisory authority shall be England and Wales.
DATA IMPORTER’S TECHNICAL AND ORGANIZATIONAL MEASURES:
The following Technical and Organizational Measures (“TOMs”) herein apply to all product and service offerings provided by Reify except where Reify’s Customer is explicitly responsible for security and/or privacy (as identified in an applicable agreement between Reify and its Customer).
1. Security Policies
Reify maintains, updates and follows its own written information technology (IT) security policies at all times. Compliance with Reify’s IT policies and procedures are mandatory for all Reify personnel, including subcontractors as relevant. IT security policies are reviewed periodically and amended as Reify deems reasonably necessary to maintain an adequate level of protection of personal data. Reify personnel complete mandatory security and privacy training at the time of onboarding and on an annual basis thereafter.
2. Corrective Action
Reify implements a problem-correction and disciplinary process for violations of company policies or procedures. Non-compliance by Reify personnel is met with appropriate disciplinary action, up to and including the possibility of termination.
3. Security Incident Management
Reify maintains internal policies and procedures addressing incident response and notification. These policies are overseen by Reify’s Compliance and Information Security teams and subject to regular review. Reify’s established procedures for notifying Reify customer(s) are at all times subject to the terms of Reify’s customer contracts and applicable law.
4. Access Control
Reify maintains appropriate security controls for requesting, approving, granting, modifying, revoking, and revalidating user access to systems, networks and applications containing personal data. Reify grants access to personal data only when there is a clear business need for such access, and access is granted in accordance with the principle of least privilege. Access authorizations and provisioning are segregated among two or more individuals. Access authorizations are reviewed on a regular basis for business need and scope, including removal within 24 hours of the conclusion of a Reify user’s employment relationship. Reify monitors and logs system access, including access for privileged accounts. When technologically feasible, privileged access is limited in duration. Reify prohibits the sharing or insecure storage of access credentials, provides tools to detect and prevent such use, and maintains written policies and procedures requiring corrective action upon any personnel violating these policies.
5. Application and Network Security
Reify employs encrypted and authenticated connectivity to all Reify-controlled network environments. Reify denies access to networks at the firewall and virtual private network layers, except where explicitly allowed. Reify implements network segmentation and utilizes security logging and monitoring designed to detect unauthorized or malicious application and network activity. Reify implements Web Application Firewalls to protect the confidentiality and integrity of applications and associated personal data. Reify implements denial of service protection mechanisms designed to ensure the availability of access to applications and personal data.
6. Business Continuity and Disaster Recovery
Reify ensures the availability of personal data through written business continuity policies and procedures, disaster recovery planning, and playbooks which include recovery time and recovery point objectives. Disaster recovery plans and playbooks are updated and tested on a regular basis, at least annually. Access to backup data requires multi-factor authentication and backups are encrypted at rest and in transit.
7. Data Transfer and Storage
Reify protects personal data through encryption in transit and at rest. Authentication is required to access personal data processed by Reify. Only systems developed by Reify or third-party systems vetted and approved under Reify’s established supplier qualification procedures are permitted to transfer Personal Data to Reify. Reify’s supplier qualification procedures include a mandatory review and approval by Reify’s Information Security team to ensure the third party offers sufficient protections and to identify security controls appropriate to the scope of data processing and the specific processing activity involved. A privacy impact assessment is also conducted as part of the vendor qualification process.
Data storage locations may vary depending on the particular services utilized by Reify’s customer; however, at all times Reify processes personal data in accordance with data protection law, including data residency requirements where applicable. All cross-border transfers of personal data are lawfully facilitated, including where applicable through the use of data transfer agreements and, in the case of data pertaining to individuals protected by the General Data Protection Regulation (GDPR), the use of Standard Contractual Clauses. Data is retained in accordance with Reify’s internal data retention schedule, customer agreements, and applicable law.
8. Vulnerability Management
Reify implements and maintains measures to identify, manage, mitigate and remediate vulnerabilities in its computing environment. These measures include (but are not limited to): patch management, anti-virus/anti-malware, mobile device management, application blocking, vulnerability scanning, and annual penetration testing. Vulnerabilities are remediated in accordance with risk and criticality.
9. Risk Management
Reify regularly assesses risks related to processing of personal data and creates action plans as required to mitigate identified risks.
10. Change Management
Reify implements a change management procedure to identify, categorize, assess, and track changes to systems impacting personal data. The procedure includes segregation among two or more individuals who propose and approve changes. Significant changes that may impact personal data undergo a risk assessment.
11. Secure Software Development
Reify adheres to secure software development practices including, but not limited to: code review, change control, developer training, security assessments, and iterative review and updates as required. Source code changes are documented and reviewed prior to production deployment. Source code is further controlled through branch protection and code ownership. Developers are trained in secure development best practices for web applications. Products impacting personal data are penetration tested at least annually. Included libraries are scanned for vulnerabilities. Identified vulnerabilities are remediated in accordance with risk and criticality.
12. Physical and Device Security
Reify-controlled systems and networks are hosted in Amazon Web Services with appropriate physical access controls designed to protect personal data. Workstations are encrypted and protected from theft or malicious user action by mobile device management software. Anti-virus/anti-malware controls are in place and continuously updated. Workstations are password-protected, utilize password management software, and have inactivity timeouts requiring reauthentication. Operating systems and related software are updated on a regular basis.
Data importer’s sub-processor list is available through the following URL: https://www.studyteamapp.com/Subprocessors.html
To the extent that Reify is the recipient of Customer Data governed by the UK Data Protection Laws in a country that is not recognized as providing an adequate level of protection for Personal Data as described in the UK GDPR, the Parties agree to abide by the Standard Contractual Clauses set forth in Annex I of this DPA together with the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (version B1.0, in force 21 March 2022) available at: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-data-transfer-agreement-and-guidance/; as may be amended, superseded, or replaced. The UK Addendum is incorporated into this DPA by reference, and each Party agrees that execution of this DPA is deemed to constitute execution of the UK Addendum. The UK Addendum is deemed completed as follows:
a. Table 1 will be populated by the information in this DPA and the Agreement. For the avoidance of doubt, Reify is the importer and Customer is the exporter.
b. Table 2: The Parties agree the UK Addendum is appended to the Standard Contractual Clauses set forth in the Annex I of this DPA.
c. Table 3 is completed as follows:
i. Annex 1A: List of Parties: As set forth in Annex I of this DPA.
ii. Annex 1B: Description of Transfer: As set forth in Annex I of this DPA.
iii. Annex II: Technical and organizational measures including technical and organizational measures to ensure the security of data: As set forth in Annex I of this DPA.
iv. Annex III: List of Sub-Processors: As set forth in Annex I of this DPA.
d. Table 4: The Parties elect that neither Party may end the UK Addendum with respect to Section 19 of the UK Addendum.
To the extent the Swiss Addendum shall apply to any processing of Customer Data subject to the Swiss Data Protection Laws, the Parties hereby agree to the following modifications to the SCCs:
1. Supervisory Authority. The Swiss Federal Data Protection and Information Commissioner (“FDPIC”) is the exclusive Supervisory Authority.
2. Applicable Law for Contractual Claims under Clause 17. The applicable law shall be Swiss law or the law of a country that allows and grants rights as a third-party beneficiary for contractual claims regarding Processing subject to this DPA.
3. Place of Jurisdiction for Actions between the Parties pursuant to Clause 18(b). The choice of forum and jurisdiction shall be the courts of Ireland.
4. “Member State” pursuant to Clause 18(c). “Member State” must not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c).
5. Adjustments or Additions regarding References to the GDPR. References to the GDPR should be understood as references to the Swiss Data Protection Laws.
6. Legal Entities. Where the Swiss Data Protection Laws protect legal entities, the SCCs will also protect the data of legal entities.