Data Processing Addendum
This Data Processing Addendum (including its Exhibits) (this “DPA”) is incorporated into and is subject to the terms and conditions of the Master Services Agreement (the “Agreement”) by and between an entity that executed the Agreement (“Controller”) and Definity Workforce Solutions, Inc., DBA Definity (“Definity”). This DPA is effective as of the Effective Date of the Agreement. All capitalized terms that are not expressly defined in this DPA will have the meanings given to them in the Agreement. If and to the extent any language in this DPA or any of its Exhibits conflicts with the Agreement, this DPA shall control.
1. Definitions
For the purposes of this DPA, the following terms and those defined within the body of this DPA apply.
1.1. “Business” and “Service Provider” shall have the meanings given to them in the CCPA.
1.2. “Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of Processing Personal Data and includes the entity for whom Definity Processes Controller Personal Data.
1.3. “Controller Personal Data” means Personal Data Processed by Definity on behalf of Controller to provide the Services.
1.4. “Data Protection Laws” means the privacy and data protection laws, rules, and regulations applicable to a party’s Processing of Controller Personal Data under the Agreement. “Data Protection Laws” may include, but are not limited to, the Australian Privacy Act 1988 (No. 119, 1988) (as amended) and the Australian Privacy Principles; the California Consumer Privacy Act of 2018 (as amended by the California Privacy Rights Act) (“CCPA”); the EU General Data Protection Regulation 2016/679 (“GDPR”) and its respective national implementing legislations; other comprehensive U.S. state privacy laws; the Swiss Federal Act on Data Protection; the United Kingdom General Data Protection Regulation; and the United Kingdom Data Protection Act 2018 (in each case, as amended, adopted, or superseded from time to time).
1.5. “Personal Data” has the meaning assigned to the term “personal data” or “personal information” under applicable Data Protection Laws.
1.6. “Process” or “Processing” means any operation or set of operations that is performed on Personal Data or sets of Personal Data, whether or not by automated means, such as collection; recording; organization; structuring; storage; adaptation or alteration; retrieval; consultation; use; disclosure by transmission, dissemination, or otherwise making available; alignment or combination; restriction; erasure; or destruction.
1.7. “Processor” means a natural or legal person, public authority, agency, or other body which Processes Personal Data on behalf of the Controller.
1.8. “Security Incident(s)” means the breach of security leading to the accidental or unlawful destruction, loss, or alteration of, or the unauthorized disclosure of or access to, Controller Personal Data attributable to Definity.
1.9. “Subprocessor” means a vendor that Definity has engaged to Process Controller Personal Data.
2. Processing Terms for Controller Personal Data
2.1. Scope and Roles. This DPA applies when Definity Processes Controller Personal Data to provide the Services under the Agreement. The parties agree that Definity is a Processor or Service Provider.
2.2. Documented Instructions. Definity shall Process Controller Personal Data to provide the Services in accordance with the Agreement, this DPA, and any instructions agreed upon by the parties. If applicable law requires Definity to Process Controller Personal Data for other purposes, Definity shall inform Controller of that legal requirement before engaging in such Processing, unless that law prohibits such information on important grounds of public interest.
2.3. Authorization to Use Subprocessors. Controller authorizes Definity to engage Subprocessors. Controller acknowledges that Subprocessors may further engage vendors.
2.4. Definity and Subprocessor Compliance. Definity shall (i) enter into a written agreement with Subprocessors imposing on such Subprocessors data protection requirements for Controller Personal Data consistent with this DPA; and (ii) remain responsible to Controller for the Subprocessors’ failure to perform their obligations with respect to the Processing of Controller Personal Data.
2.5. Right to Object to Subprocessors. Where required by applicable Data Protection Laws, Definity shall notify Controller via email listed in the Notices section of the Agreement prior to engaging any new Subprocessors and allow Controller ten (10) days to object. If Controller has legitimate objections to the appointment of a new Subprocessor, the parties shall work together in good faith to resolve the grounds for the objection.
2.6. Confidentiality. Any person authorized to Process Controller Personal Data shall: (i) be subject to a duty of confidentiality, (ii) contractually agree to maintain the confidentiality of such information, or (iii) be under an appropriate statutory obligation of confidentiality.
2.7. Personal Data Inquiries and Requests. Definity shall provide reasonable assistance to Controller as required by applicable Data Protection Laws in response to any requests from individuals exercising their rights in Controller Personal Data granted to them under applicable Data Protection Laws.
2.8. Data Protection Assessment, Data Protection Impact Assessment, and Prior Consultation. Definity shall provide reasonable assistance and information to Controller as required by applicable Data Protection Laws where, in Controller’s judgment, the type of Processing performed by Definity requires a data protection assessment, data protection impact assessment, and/or prior consultation with the relevant data protection authorities. Controller shall reimburse Definity for all non-negligible costs Definity incurs in performing its obligations under this Section 2.8.
2.9. Demonstrable Compliance. Upon Controller’s reasonable written request, Definity shall provide information reasonably necessary to demonstrate compliance with this DPA as required by applicable Data Protection Laws.
2.10. California-Specific Terms. To the extent that Definity’s Processing of Controller Personal Data is subject to the CCPA, this Section 2.10 also applies. Controller discloses or otherwise makes available Controller Personal Data to Definity for the limited and specific purpose of enabling Definity to provide the Services to Controller in accordance with the Agreement and this DPA. Definity shall (i) comply with its applicable obligations under the CCPA; (ii) provide the same level of protection as required under the CCPA; (iii) notify Controller if it can no longer meet its obligations under the CCPA; (iv) not “sell” or “share” (as such terms are defined by the CCPA) Controller Personal Data; (v) not retain, use, or disclose Controller Personal Data for any purpose (including any commercial purpose) other than to provide the Services under the Agreement or as otherwise permitted under the CCPA; (vi) not retain, use, or disclose Controller Personal Data outside of the direct business relationship between Controller and Definity; and (vii) unless otherwise permitted by the CCPA, not combine Controller Personal Data with Personal Data that Definity (a) receives from, or on behalf of, another person, or (b) collects from its own, independent consumer interaction. Definity will permit Controller, upon reasonable written request, to take reasonable and appropriate steps to ensure that Definity Processes Controller Personal Data subject to this Section 2.10 in a manner consistent with the obligations of a “Business” under the CCPA by requesting that Definity attest to its compliance with this Section 2.10. Following any such request, Definity will promptly provide such requested attestation or an explanation of why it cannot provide it. 
If Controller reasonably believes that Definity is engaged in unauthorized Processing of Controller Personal Data subject to this Section 2.10, Controller will notify Definity of such belief in writing, and the parties will work together in good faith to remediate the allegedly violative Processing activities, if necessary.
2.11. Service Optimization. Where permitted by Data Protection Laws, Definity may Process Controller Personal Data (i) for its internal uses to build or improve the quality of the Services; (ii) to prevent, detect, or investigate Security Incidents; or (iii) to protect against malicious, deceptive, fraudulent, or illegal activity.
2.12. Aggregation and De-Identification. Definity may (i) compile aggregated and/or de-identified information (“Aggregated and/or De-Identified Data”) in connection with providing the Services provided such Aggregated and/or De-Identified Data cannot reasonably be used to identify Controller or any data subject to whom Controller Personal Data relates; and (ii) use Aggregated and/or De-Identified Data for its lawful business purposes.
3. Information Security Program
Definity shall implement and maintain reasonable administrative, technical, and physical safeguards designed to protect Controller Personal Data in accordance with the Definity Information Security Standards attached hereto as Exhibit B.
4. Security Incidents
Upon becoming aware of a Security Incident, Definity shall provide written notice without undue delay and within the time frame required under applicable Data Protection Laws to Controller’s Designated POC (as defined in Section 11). Where possible, such notice will include all available details required under applicable Data Protection Laws for Controller to comply with its own notification obligations to government authorities and/or individuals affected by the Security Incident.
5. Cross-Border Transfers of Controller Personal Data
5.1. Cross-Border Transfers of Controller Personal Data. Controller authorizes Definity and its Subprocessors to transfer Controller Personal Data across international borders, including from the European Economic Area, Switzerland, and/or the United Kingdom to the United States.
5.2. EEA, Swiss, and UK Standard Contractual Clauses. If Controller Personal Data originating in the European Economic Area, Switzerland, and/or the United Kingdom is transferred by Controller to Definity in a country not found to provide an adequate level of protection under applicable Data Protection Laws, the parties agree that the transfer shall be governed by Module Two’s obligations in the Annex to the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (“Standard Contractual Clauses”) as supplemented by Exhibit A attached hereto, the terms of which are incorporated herein by reference. Each party’s execution of the Agreement shall be considered a signature to the Standard Contractual Clauses to the extent that the Standard Contractual Clauses apply hereunder.
6. Audits and Assessments
Where Data Protection Laws afford Controller an audit or assessment right, Controller (or its appointed representative) may carry out an audit or assessment of Definity’s policies, procedures, and records relevant to the Processing of Controller Personal Data. Any audit or assessment must be (i) conducted during Definity’s regular business hours; (ii) done with reasonable advance written notice to Definity; (iii) carried out in a manner preventing unnecessary disruption to Definity’s operations; and (iv) subject to reasonable confidentiality procedures. In addition, any audit or assessment shall be limited to once per year, unless an audit or assessment is carried out at the direction of a government authority with jurisdiction over the Processing of Controller Personal Data.
7. Controller Personal Data Deletion
At the expiry or termination of the Agreement, Definity shall delete all Controller Personal Data (excluding any backup or archival copies, which shall be deleted in accordance with Definity’s data retention schedule), except where Definity is required to retain copies under applicable laws, in which case Definity will isolate that Controller Personal Data and restrict any further Processing of it except to the extent required by applicable laws.
8. Controller’s Obligations
Controller represents and warrants (i) it has complied and will comply with Data Protection Laws; (ii) it has obtained and will obtain and continue to have, during the term, all necessary rights, lawful bases, authorizations, consents, and licenses for the Processing of Controller Personal Data as contemplated by the Agreement; and (iii) Definity’s Processing of Controller Personal Data in accordance with the Agreement will not violate Data Protection Laws or cause a breach of any agreement or obligations between Controller and any third party.
9. Processing Details
9.1. Subject Matter. The subject matter of the Processing is the Services pursuant to the Agreement.
9.2. Duration. The Processing will continue until the expiration or termination of the Agreement.
9.3. Categories of Data Subjects. Data subjects whose Controller Personal Data will be Processed pursuant to the Agreement.
9.4. Nature and Purpose of the Processing. The purpose of the Processing of Controller Personal Data by Definity is the performance of the Services.
9.5. Types of Controller Personal Data. Controller Personal Data that is Processed pursuant to the Agreement.
10. Account Data
Definity may Process Personal Data about Controller’s Authorized Users’ use of the Services (“Account Data”) in accordance with its Privacy Policy available at https://definitywfs.com/privacy-policy/ (as updated from time to time). Account Data is not Controller Data.
11. Contact Information
Controller and Definity agree to designate a point of contact for urgent privacy and security issues (a “Designated POC”). The Designated POC for each party is:
- Controller Designated POC: As set forth in the Notices section of the Agreement.
- Definity Designated POC: As set forth in the Notices section of the Agreement.
EXHIBIT A TO THE DATA PROCESSING ADDENDUM
This Exhibit A forms part of the DPA and supplements the Standard Contractual Clauses. Capitalized terms not defined in this Exhibit A have the meaning set forth in the DPA.
The parties agree that the following terms shall supplement the Standard Contractual Clauses:
- Supplemental Terms. The parties agree (i) a new Clause 1(e) is added to the Standard Contractual Clauses, which shall read as follows: “To the extent applicable hereunder, these Clauses also apply mutatis mutandis to the Parties’ processing of personal data that is subject to the Swiss Federal Act on Data Protection. Where applicable, references to EU Member State law or EU supervisory authorities shall be modified to include the appropriate reference under Swiss law as it relates to transfers of personal data that are subject to the Swiss Federal Act on Data Protection.”; (ii) a new Clause 1(f) is added to the Standard Contractual Clauses, which shall read as follows: “To the extent applicable hereunder, these Clauses, as supplemented by Annex III, also apply mutatis mutandis to the Parties’ processing of personal data that is subject to UK Data Protection Laws (as defined in Annex III).”; (iii) the optional text in Clause 7 is deleted; (iv) Option 1 in Clause 9 is struck and Option 2 is kept, and data importer must notify data exporter of any new subprocessors in accordance with Section 2.4 of the DPA; (v) the optional text in Clause 11 is deleted; and (vi) in Clauses 17 and 18, the governing law and the competent courts are those of Ireland (for EEA transfers), Switzerland (for Swiss transfers), or England and Wales (for UK transfers).
- Annex I. Annex I to the Standard Contractual Clauses shall read as follows:
- List of Parties:
Data exporter: Controller.
Address: As set forth in the Notices section of the Agreement.
Contact person’s name, position, and contact details: Controller’s Designated POC.
Activities relevant to the data transferred under these Clauses: The Services.
Role: Controller.
Data importer: Definity.
Address: As set forth in the Notices section of the Agreement.
Contact person’s name, position, and contact details: Definity’s Designated POC.
Activities relevant to the data transferred under these Clauses: The Services.
Role: Processor.
- Description of the Transfer:
- Categories of data subjects whose personal data is transferred: The categories of data subjects whose personal data is transferred under the Clauses include without limitation qualified healthcare professionals, including nurses, clinicians, therapists, and other healthcare providers; and Controller’s employees, consultants, contractors, and agents who are expressly authorized by Controller to access and use the Services.
- Categories of personal data transferred: The categories of personal data transferred under the Clauses include without limitation personal details, education and training details, employment details, and any relevant personal data in support of a job application, onboarding, and employment/engagement, the extent of which is determined and controlled by the data exporter in its sole discretion.
- Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures: Sensitive data transferred under the Clauses includes without limitation data relating to an individual’s health; financial account numbers, such as bank account numbers, credit card numbers, and other related information (if that information would permit access to a financial account or other financial assets); data revealing race, ethnicity, national origin, or sexual orientation; any other data designated by the data exporter, and made known to the data importer, as sensitive data, the extent of which is determined and controlled by the data exporter in its sole discretion.
- The frequency of the transfer (e.g., whether the data is transferred on a one-off or continuous basis): Personal data is transferred in accordance with the standard functionality of the Services, or as otherwise agreed upon by the parties.
- Nature of the processing: The Services.
- Purpose(s) of the data transfer and further processing: The Services.
- The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: Data importer will retain personal data in accordance with the DPA.
- For transfers to (sub-) processors, also specify subject matter, nature, and duration of the processing: The subject matter, nature, and duration are identified above.
- Competent Supervisory Authority: The supervisory authority mandated by Clause 13. If no supervisory authority is mandated by Clause 13, then the supervisory authority is the Irish Data Protection Commission, and if this is not possible, then the supervisory authority is as otherwise agreed by the parties consistent with the conditions set forth in Clause 13.
- Clarifying Terms: The parties agree that (i) the certification of deletion required by Clause 8.5 and Clause 16(d) of the Clauses will be provided upon data exporter’s written request; (ii) the measures data importer is required to take under Clause 8.6(c) of the Clauses will only cover data importer’s impacted systems; (iii) the audit described in Clause 8.9 of the Clauses shall be carried out in accordance with Section 6 of the DPA; (iv) the termination right contemplated by Clause 14(f) and Clause 16(c) of the Clauses will be limited to the termination of the Clauses; (v) unless otherwise stated by data importer, data exporter will be responsible for communicating with data subjects pursuant to Clause 15.1(a) of the Clauses; (vi) the information required under Clause 15.1(c) of the Clauses will be provided upon data exporter’s written request; and (vii) notwithstanding anything to the contrary, data exporter will reimburse data importer for all costs and expenses incurred by data importer in connection with the performance of data importer’s obligations under Clause 15.1(b) and Clause 15.2 of the Clauses without regard for any limitation of liability set forth in the Agreement.
- Annex II. Annex II of the Standard Contractual Clauses shall read as follows:
Data importer shall implement and maintain technical and organisational measures designed to protect personal data in accordance with Exhibit B. Pursuant to Clause 10(b), data importer will provide data exporter assistance with data subject requests in accordance with the DPA.
- Annex III. A new Annex III shall be added to the Standard Contractual Clauses and shall read as follows:
The UK Information Commissioner’s Office International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (“UK Addendum”) is incorporated herein by reference.
Table 1: The start date in Table 1 is the effective date of the DPA. All other information required by Table 1 is set forth in Annex I, Section A of the Clauses.
Table 2: The UK Addendum forms part of the version of the Approved EU SCCs which this UK Addendum is appended to, including the Appendix Information, effective as of the effective date of the DPA.
Table 3: The information required by Table 3 is set forth in Annex I and II to the Clauses.
Table 4: The parties agree that Importer may end the UK Addendum as set out in Section 19.
EXHIBIT B TO THE DATA PROCESSING ADDENDUM
Definity Information Security Standards
These Definity Information Security Standards (the “Information Security Standards”) form part of the DPA. All capitalized terms that are not expressly defined in the Information Security Standards will have the meanings given to them in the DPA or the Agreement.
Definity shall implement and maintain an information security program (“Information Security Program”) that includes reasonable administrative, technical, and physical safeguards designed to protect Controller Personal Data. At a minimum, the Information Security Program shall include:
- Authentication. Definity shall maintain authentication measures including, as appropriate, multi-factor authentication for key systems that Process Controller Personal Data and industry standard passwords.
- Encryption. Definity shall encrypt Controller Personal Data in transit and at rest using industry standard encryption technologies.
- Account Management and Access Controls. Definity shall maintain account management and access controls.
- Inventory and Management of Controller Personal Data and Information Systems. Definity shall maintain an inventory of Controller Personal Data and the information systems used to Process Controller Personal Data. Definity shall maintain approval processes designed to prevent the unauthorized connection of hardware and devices to Definity’s information systems that Process Controller Personal Data.
- Secure Configuration of Hardware and Software. Definity shall maintain controls designed to ensure the secure configuration of Definity hardware and software that is used to Process Controller Personal Data.
- Vulnerability Scans, Penetration Testing, and Vulnerability Disclosure and Reporting. Definity shall carry out internal and external vulnerability scans, penetration testing, and vulnerability disclosure and reporting for key information systems used to Process Controller Personal Data.
- Audit-Log Management. Definity shall maintain controls for audit-log management.
- Network Monitoring and Defenses. Definity shall maintain controls for monitoring and defending its network.
- Antivirus and Antimalware Protection. Definity shall maintain antivirus and antimalware protections on Definity personnel workstations.
- Information System Segmentation. Definity shall maintain controls designed to ensure segmentation of its information systems that Process Controller Personal Data.
- Limitation and Control of Ports, Services, and Protocols. Definity shall maintain controls designed to limit and control ports, services, and protocols used to Process Controller Personal Data.
- Cybersecurity Awareness. Definity shall maintain a cybersecurity awareness program designed to keep Definity informed of changing cybersecurity threats and countermeasures.
- Cybersecurity Education and Training. Definity shall provide cybersecurity education and training to all Definity personnel who have access to Definity’s information systems that Process Controller Personal Data.
- Secure Development. Definity shall maintain controls designed to ensure secure development.
- Vendor Management. Definity shall maintain oversight of Subprocessors.
- Data Retention and Disposal. Definity shall maintain data retention and disposal processes for Controller Personal Data.
- Security Incident Management. Definity shall maintain processes for the management of Security Incidents.
- Business Continuity and Disaster Recovery. Definity shall maintain industry standard business-continuity and disaster-recovery plans as it relates to the Processing of Controller Personal Data.