Company has identified that, as part of the services or products provided by Service Provider in the Service Agreement between the parties, Company may Process the Personal Data of Company. Accordingly, this DPA applies to the extent Service Provider Processes Company Personal Information. However, Company and Service Provider acknowledge that this DPA does not apply to Service Provider’s Processing of Protected Health Information (“PHI”), as defined by the Health Insurance Portability and Accountability Act and its implementing regulations (“HIPAA”). To the extent Service Provider Processes PHI for or on behalf of Company, the parties shall separately enter into a Business Associate Agreement (“BAA”). In the event of conflict between the provisions of this DPA and any BAA, the BAA shall control with regard to PHI.

Accordingly, Company and Service Provider agree to the following terms and conditions, which are intended to comply with the Privacy Laws:

  1. General Definitions. These terms shall have the following meanings when used in this DPA:
    • a) “Company Personal Information” means Personal Information Service Provider collects or receives from, or otherwise Processes on behalf of, Company.
    • b) “Contracted Business Purposes” shall mean the analysis, benchmarking and research permitted by the tracking and comparing of Patient progress, monitoring of clinical outcomes and operations of the Center, which allows for Healogics to prepare reports for the Hospital, as contemplated by the Services Agreement.
    • c) “Personal Information” means any information that identifies or, alone or in combination with any other information, could reasonably be used to identify, locate, or contact a person, including name, street address, telephone number, email address, identification number issued by a governmental authority, credit card number, bank information, customer or account number, online identifier, device identifier, IP address, browsing history, search history, or other website, application, or online activity or usage data, location data, biometric data, medical or health information, or any other information that is considered “personally identifiable information,” “personal information,” or “personal data” under the Privacy Laws. This may include, without limitation, information regarding employees and business-to-business contact information.
    • d) “Privacy Laws” shall mean all laws concerning the privacy, security, or Processing of Personal Information applicable to Company, including without limitation, the California Consumer Privacy Act, as amended by the California Privacy Rights Act, Cal. Civ. Code § 1798.100 et seq., and all implementing regulations.
    • e) “Process” or “Processing” means any operation performed on Personal Information, including the collection, creation, receipt, access, use, handling, compilation, analysis, monitoring, maintenance, retention, storage, transmission, transfer, protection, disclosure, distribution, destruction, or disposal of Personal Information.
    • f) “Sell,” “Selling,” “Sale,” or “Sold,” means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s Personal Information to a Third Party for monetary or other valuable consideration.
    • g) “Service Agreement” shall mean the separate agreement(s) between the parties in which Service Provider performs functions or activities on behalf of Company.
    • h) “Share,” “Shared,” or “Sharing” means sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s Personal Information to a Third Party for “cross-context behavioral advertising,” whether or not for monetary or other valuable consideration, including transactions between a business and a Third Party for cross-context behavioral advertising for the benefit of a business in which no money is exchanged. “Cross-context behavioral advertising” means the targeting of advertising to a consumer based on the consumer’s Personal Information obtained from the consumer’s activity across businesses, distinctly-branded websites, applications, or services, other than the business, distinctly-branded website, application, or service with which the consumer intentionally interacts.
    • i) “Third Party” shall mean an entity that is not the Company and that is not the Service Provider.
  2. Service Provider’s Privacy Laws Obligations
    • a) Service Provider will not retain, use, disclose, or otherwise Process Company Personal Information except for the Contracted Business Purposes specified in the Service Agreement or as otherwise expressly permitted by the Privacy Laws, solely to the extent any such Processing is not inconsistent with the terms in the Service Agreement. Service Provider will not retain, use, disclose, or otherwise Process Company Personal Information for any commercial purpose other than the Contracted Business Purposes, nor for any purposes outside of its direct business relationship with Company.
    • b) Service Provider will not Sell or Share Company Personal Information.
    • c) Service Provider acknowledges that Company has disclosed that the Company Personal Information may be collected from consumers residing in multiple states and Company will not disaggregate Company Personal Information on a state-by-state basis to allow for Processing of data by Service Provider which may be permitted in one state but prohibited in another.
    • d) Service Provider will not combine or update Company Personal Information with Personal Information that it receives from or on behalf of another person or that Service Provider collects from its own interactions with a consumer, unless expressly permitted under Services Agreement.
    • e) In the event Service Provider is legally required to disclose Company Personal Information, Service Provider will, unless legally prohibited, inform Company within two (2) business days of Service Provider’s receipt of the legal request, and cooperate with Company’s objection or challenge to the disclosure.
    • f) Service Provider shall comply with all Privacy Laws with respect to Company Personal Information and shall provide the same level of privacy protection to Company Personal Information as is required of Company under the Privacy Laws. Such compliance includes, without limitation: (a) reasonably cooperating with Company in responding to and complying with consumer requests made pursuant to the Privacy Laws; and (b) implementing reasonable security procedures and practices, appropriate to the nature of the Company Personal Information and in line with a recognized security framework, to protect the Company Personal Information from unauthorized or illegal access, destruction, use, modification, or disclosure.
    • g) Service Provider will immediately notify Company if it determines that it can no longer meet its obligations under applicable provisions of any of the Privacy Laws.
    • h) Company shall have the right to take reasonable and appropriate steps to ensure that Service Provider Processes Company Personal Information in a manner consistent with Company’s obligations under the Privacy Laws. These steps may include, without limitation, manual reviews and automated scans of Service Provider’s information systems, and regular internal or third-party assessments, audits, or other technical and operational testing at periodic intervals not to exceed once every twelve (12) months unless earlier testing identified unacceptable defects or vulnerabilities.
    • i) Company shall have the right, upon notice, to take reasonable and appropriate steps to stop and remediate Processing of Company Personal Information that is not authorized under the Privacy Laws and/or this DPA, including, without limitation, requiring Service Provider to provide documentation verifying that it no longer retains or uses Company Personal Information of consumers that submitted to Company a valid request to delete.
    • j) If the Contracted Business Purposes require the collection of Personal Information directly from consumers on Company’s behalf, Company will provide Service Provider a notice to distribute at collection and/or privacy policy. Service Provider shall make this notice and/or privacy policy available to such consumers at or before collection of such information in accordance with the Privacy Laws. Service Provider will not modify or alter the notice without Company’s written consent.
  3. Assistance with Company’s State Privacy Law Obligations
    • a) Service Provider shall reasonably cooperate with Company to comply with consumer requests made pursuant to any Privacy Laws. In the event Service Provider receives requests directly from consumers, Service Provider will promptly, within two (2) business days, forward such requests to Company and reasonably cooperate with Company in responding to such requests.
    • b) Upon notice that Company has agreed to a consumer’s request to delete Personal Information, Service Provider will (i) delete the Personal Information in accordance with the Privacy Laws; and (ii) notify its service providers, contractors, or third parties that may have accessed Personal Information from or through Service Provider of the obligation to delete the Personal Information.
    • c) Service Provider shall comply with Company’s instructions with regard to responding to consumers’ rights, including without limitation (i) responding to a consumer’s request to access Personal Information; and (ii) correcting Personal Information or enabling Company to make the corrections.
  4. Subcontracting. If Service Provider subcontracts with another individual or entity in connection with the Contracted Business Purposes, Service Provider shall (a) notify Company of the engagement no later than ten (10) days prior to the subcontractor Processing any Company Personal Data; and (b) have a written contract with such person binding that subcontractor to comply with requirements at least as stringent as those as set forth under this DPA and all Privacy Laws. Company reserves the right to object to subcontractor.
  5. Unauthorized Processing. Service Provider shall notify Company promptly and in no case later than three (3) days after discovery of any Processing of Company Personal Information in violation of this DPA or the Privacy Laws (“Unauthorized Processing”). Service Provider shall provide Company with any reasonably requested information regarding the Unauthorized Processing. Service Provider shall cooperate with Company in meeting Company’s obligations with respect to such Unauthorized Processing. Company shall have sole control over the timing and method of providing notification of such Unauthorized Processing to the affected consumers, regulators, and any other third parties. Without regard to any limitation of liability in the Service Agreement, Service Provider shall reimburse Company for its reasonable costs and expenses in providing the notification, including, but not limited to, any administrative costs associated with providing notice, printing and mailing costs, and costs of mitigating the harm (which may include the costs of obtaining credit monitoring services and identity theft insurance) for affected consumers whose Personal Information has or may have been compromised as a result of the Unauthorized Processing.
  6. Interpretation and Restatement of this DPA. Any ambiguity or inconsistency in this DPA shall be interpreted to permit compliance with the Privacy Laws. This DPA supersedes any and all prior representations, understandings, or agreements, written or oral, concerning the subject matter herein, including conflicting provisions in the Service Agreement. In the event of a conflict between this DPA and the Service Agreement, this DPA shall control. If Company determines it is necessary to restate this DPA from time to time to comply with the requirements of the Privacy Laws or to become compliant with newly adopted or amended privacy laws which were not in place as of the Effective Date, Company shall provide Service Provider with written notice of the restated DPA via email at the email address provided by Service Provider in Section 8 (Notices) of this DPA. Such email shall advise Service Provider of a restated DPA, any related grounds for the restatement, and direct Service Provider to the following site on Company’s webpages at which Company’s then effective general DPA shall be continually published: Healogics.com. If Service Provider is unable to comply with any such restated DPA published by Company, it shall so notify Company in writing no later than fifteen (15) days after receipt of Company’s email notice or the restated DPA will be deemed to be effective as to any Service Agreement in place between the parties. If Service Provider is unable to comply with a restated general DPA and the parties are unable to agree on terms of an individualized DPA for Service Provider, Company may, at its option, terminate the DPA in effect between the parties as well as the underlying Service Agreement. Service Provider stipulates that if it fails to maintain a valid email address for delivery of notices of a restated DPA, Company’s publication of its then effective general DPA at the web address identified in this section establishes sufficient notice.
  7. Survival, Term, and Termination
    • a) Term. Except as otherwise provided herein, the term of this DPA shall coincide with the Service Agreement and shall be terminable in accordance with the termination provisions of the Service Agreement, the date Company terminates for cause as authorized in paragraph (b) of this Section, or as set forth in Section 6 (Interpretation and Restatement of this DPA), whichever is sooner.
    • b) Termination for Cause. Service Provider authorizes termination of this DPA and the Service Agreement by Company, if Company determines Service Provider has violated a material term of this DPA. Company may, but is not required to, provide Service Provider with an opportunity to cure any violation.
    • c) Effect of Termination. Upon termination of this DPA, for any reason, Consultant shall return to Company or Company’s designee or, upon Company’s written request, destroy, all Company Personal Information that Service Provider still maintains in any form. This provision shall apply to Company Personal Information that is in the possession of Service Provider or agents or subcontractors of Service Provider. Service Provider shall retain no copies of the Company Personal Information. When requested to destroy Company Personal Information, Service Provider shall provide written confirmation to Company within ten (10) days of destroying Company Personal Information.
    • d) Survival. Service Provider’s obligations under this DPA shall survive the termination or expiration of this DPA for any reason.
  8. Notices. Any notice required or permitted by this DPA to be given or delivered – but for the notice of restated DPA as set forth in Section 6 (Interpretation and Restatement of this DPA) – shall be in writing and shall be deemed given or delivered if delivered in person, or delivered by courier or expedited delivery service, or delivered by registered or certified mail, postage prepaid, return receipt requested, to the points of contact identified in the Service Agreement. As to the email notice requirements as set forth in Section 6 (Interpretation and Restatement of this DPA), Service Provider identifies the following email(s) as those to receive said notices: Service Provider may update this email notice designation in the same mechanism authorized for updating the notice provision of the underlying Service Agreement.
  9. Severability. Whenever possible, each provision of this DPA shall be interpreted so as to be effective and valid under applicable law. If any provision of this DPA should be prohibited or found invalid under applicable law, such provision shall be ineffective to the extent of such prohibition or invalidity without invalidating the other of such provision or the remaining provisions of this DPA; provided, however, that if any such invalid provision is material to an extent that a party would not have entered into the DPA absent such provision, then that party may terminate the DPA upon ninety (90) calendar days’ prior written notice to the other party.
  10. Indemnification. Notwithstanding anything to the contrary which may be contained in the Service Agreement, including but not limited to any limitations on liability contained therein, Service Provider hereby agrees to indemnify and hold harmless Company, its subsidiaries and affiliates, and their respective officers, directors, managers, members, shareholders, employees and agents from and against any and all fines, penalties, damages, claims or causes of action and expenses (including, without limitation, court costs and attorney’s fees) arising from or related to (i) any acts or omissions in violation of the Privacy Laws or this DPA by Service Provider or its employees, agents, contractors, or subcontractors; or (ii) any Unauthorized Processing. Company shall be entitled to enjoin and restrain Service Provider from any continued violation of this DPA.
  11. No Third-Party Beneficiaries. Nothing in this DPA, whether expressed or implied, is intended to confer any rights or remedies to any person, including any consumer, other than to Company, Service Provider, and their respective successors and permitted assigns. All rights afforded to consumers are set forth in the Privacy Laws alone and are enforceable only as set forth therein without resort to any claim for breach of contract related to this DPA. No provision within this DPA shall give any third party any right of subrogation or action against any party to the Service Agreement or this DPA.
  12. Counterparts; Electronic Signatures. This DPA may be executed in one or more counterparts, all of which together shall constitute only one agreement. If any signature is delivered by facsimile or email or is signed in any electronic format, such signature shall create a valid and binding obligation with the same force and effect as if such signature were handwritten.