Data Processing Addendum

This Data Processing Addendum (“DPA”) applies when GrayCyan LLC (“GrayCyan”) processes personal data that is subject to the General Data Protection Regulation (GDPR) on behalf of an organization or person (“Subscriber”) who has subscribed to GrayCyan’s clinic management platform (the “Services”).
This DPA is incorporated into and forms part of the Terms of Use for the Services and will apply for as long as the Subscriber has a valid paid subscription to the Services.
Terminology
• “GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
• “Personal Data” means any information relating to an identified natural person or which can be used (directly or indirectly) to identify a natural person, such as name, address, email address, username, credit card, billing information, health information or other like information.
• “Process” or “Processing” means the collection, use, storage, disclosure, erasure or destruction of Personal Data, or any other operation or set of operations performed on Personal Data, whether or not by automated means.
Terms
1. Roles. The Subscriber will act as the “Controller”, being the party who determines the purposes and means of the Processing of Personal Data. GrayCyan will act as the “Processor” being the service provider who Processes Personal Data on behalf of the Subscriber. Each party will comply with the provisions of the GDPR that apply to its role as Controller or Processor, respectively.
2. Purpose and Duration of Processing. Each party will Process Personal Data only as necessary for the provision and use of the Services, and for as long as the Subscriber has a valid paid subscription to the Services.
3. Categories of Personal Data. The categories of Personal Data to be Processed will be determined by the Subscriber, but may include: name, address, email address, telephone number, health insurance information, billing information and data concerning health. The categories of individuals whose Personal Data may be processed are: employees, contractors and patients of the Subscriber.
4. Obligations. GrayCyan will:
• process Personal Data only on the written instructions of the Subscriber. This DPA and the GrayCyan Terms of Use are the Subscriber’s written instructions for this purpose. The Subscriber warrants that it is and will remain authorized to give these instructions, as well as any future instructions regarding the Processing of Personal Data, and that the Subscriber’s instructions will comply with the GDPR;
• not transfer Personal Data to a country outside the European Union, the EEA or the United Kingdom, except where such third country provides appropriate safeguards by way of an adequacy decision (such as Canada) or where the recipient of the Personal Data provides appropriate safeguards through adherence to an approved certification framework (such as the EU-US Privacy Shield), Standard Contractual Clauses or binding corporate rules, or other legal mechanisms are in place to safeguard the Personal Data being transferred;
• ensure that persons authorized to Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
• implement and maintain appropriate technical and organizational measures to protect the security, confidentiality and integrity of the Personal Data (including, as appropriate, pseudonymization, encryption, incident management, restoration and access controls), and will regularly monitor compliance with these measures;
• use only sub-processors who maintain at least the same level of security measures and adequate safeguards as required under this Addendum and who have entered a written agreement (which may be electronic) with GrayCyan requiring such measures and safeguards. GrayCyan will inform the Subscriber of any intended changes to its sub-processors. If a sub-processor fails to fulfill its data protection obligations, GrayCyan will be liable for the performance of such obligations;
• notify the Subscriber, without undue delay, after becoming aware of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data processed by GrayCyan, and take all steps reasonably within GrayCyan’s control to mitigate and remediate the breach;
• meet its obligations under the GDPR to assist the Subscriber, insofar as this is possible and at the expense of the Subscriber, to:
o respond to individuals’ requests to exercise their rights with respect to their Personal Data being Processed by GrayCyan; provided, however, that GrayCyan will not respond directly to any individual; and
o meet the Subscriber’s legal obligations with respect to breach notification, data protection impact assessments, or the cooperation or prior consultation with a supervisory authority with respect to Personal Data Processed by GrayCyan;
• upon request of the Subscriber, either delete or return Personal Data after completion of Services relating to the Processing, subject to any legal or regulatory obligations to maintain or store the Personal Data; and
• provide the Subscriber with all information necessary to demonstrate GrayCyan’s compliance with the GDPR, and contribute to audits or inspections to be conducted by or on behalf of the Subscriber no more than once in any calendar year, unless an additional audit is required by the GDPR or a regulatory authority, or is reasonably necessary due to genuine concerns regarding GrayCyan’s compliance with this DPA. The Subscriber will provide reasonable advance notice of any audit and will abide by GrayCyan’s reasonable security requirements. GrayCyan may charge for any time expended for such audit or inspection at GrayCyan’s then-current hourly rates.