Nurse-1-1 Data Processing Agreement
Last Updated: November 13, 2023
This Data Processing Agreement (“DPA”) governs the Processing of Personal Data by VideWell, Inc. doing business as Nurse-1-1 on behalf of our client (“Customer”) in relation to the Nurse-1-1 Services as outlined in the Nurse-1-1 Customer Terms of Service found at https://legal.nurse-1-1.com/legal/customer-terms-of-service. This DPA serves as a supplementary and integral part of the Agreement between you and us, also referred to as the “Agreement.” Upon its inclusion into the Nurse-1-1 Customer Terms of Service, whether specified in the Agreement itself, an Order Form, or an executed amendment to the Agreement, this DPA becomes effective. In the event of any conflict or inconsistency with the terms of the Agreement, this DPA will prevail to the extent of such conflict or inconsistency.
From time to time, Additional Terms may conflict with these Terms. In the event of such a conflict, the Additional Terms will control. Any reference to the “Terms” in this agreement includes all Additional Terms.
1. Definitions
“Controller” refers to the natural or legal person, public authority, agency, or any other entity that, either alone or in conjunction with others, determines the purposes and methods of Processing Personal Data.
“Data Protection Laws” encompass all relevant legislation worldwide pertaining to data protection and privacy, which is applicable to the respective party responsible for Processing the specific Personal Data under the Agreement. This includes, but is not limited to, European Data Protection Laws, and other applicable U.S. federal and state privacy laws. It also encompasses the data protection and privacy laws of Australia, Singapore, and Japan, as they may be amended, repealed, consolidated, or replaced from time to time. However, for Nurse-1-1, Data Protection Laws do not include regulations governing Sensitive Information, as defined in the Agreement.
“Data Subject” denotes an identified or identifiable natural person to whom the Personal Data relates.
“Europe” encompasses the European Union, the European Economic Area, and their respective member states, as well as Switzerland and the United Kingdom.
“European Data” refers to Personal Data that is protected under European Data Protection Laws.
“European Data Protection Laws” encompass the data protection laws applicable in Europe, which include: (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data, commonly known as the General Data Protection Regulation (“GDPR”); (ii) Directive 2002/58/EC concerning the Processing of Personal Data and the protection of privacy in the electronic communications sector; and (iii) the relevant national implementations of (i) and (ii). Alternatively, it may refer to the UK GDPR, which incorporates the GDPR into the domestic law of the United Kingdom by virtue of Section 3 of the European Union (Withdrawal) Act 2018. Furthermore, it includes the Swiss Federal Data Protection Act of 19 June 1992 and its associated Ordinance (“Swiss DPA”). These laws may be amended, superseded, or replaced over time.
“Instructions” refer to written and documented directives issued by a Controller to a Processor, specifying a particular or general action to be taken concerning Personal Data. These actions may include, but are not limited to, depersonalization, blocking, deletion, or making the data available.
“Permitted Affiliates” pertain to any of your Affiliates that meet the following criteria: (i) they are authorized to use the Services as per the Agreement, but have not entered into a separate agreement with us and do not qualify as a “Customer” as defined in the Agreement; (ii) they fulfill the role of a Controller regarding the Personal Data Processed by us; and (iii) they are subject to European Data Protection Laws.
“Personal Data” encompasses any information related to an identified or identifiable individual. This information is considered Personal Data when (i) it is included within Customer Data and (ii) it receives similar protection as Personal Data, personal information, or personally identifiable information under the applicable Data Protection Laws.
“Personal Data Breach” refers to a security incident that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access to Personal Data transmitted, stored, or otherwise Processed by us and/or our Sub-Processors during the provision of the Services. However, it does not include unsuccessful attempts or activities that do not compromise the security of Personal Data, such as failed login attempts, pings, port scans, denial of service attacks, and other network attacks targeting firewalls or networked systems.
“Processing” encompasses any operation or series of operations performed on Personal Data, including but not limited to collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, transmission by disclosure, dissemination, or making available, alignment or combination, restriction, or erasure of Personal Data. The terms “Process,” “Processes,” and “Processed” are interpreted accordingly.
“Processor” refers to a natural or legal person, public authority, agency, or any other entity that Processes Personal Data on behalf of the Controller.
“Standard Contractual Clauses” denote the standard contractual clauses that are annexed to the European Commission’s Decision (EU) 2021/914 of 4 June 2021. These clauses can currently be found at https://eur-lex.europa.eu/eli/dec_impl/2021/914. They may be subject to amendments, replacements, or updates in the future.
“Sub-Processor” represents any Processor engaged by us to assist in fulfilling our obligations concerning the provision of Services under the Agreement. Sub-Processors may include third parties, excluding Nurse-1-1 employees or consultants.
“Targeted Advertising” means advertising to a Data Subject based on the Data Subject’s Personal Data obtained from the Data Subject’s activity across businesses, distinctly branded websites, applications, or services, other than the business’s distinctly branded website, application, or service with which the Data Subject intentionally interacts.
“UK Addendum” signifies the International Data Transfer Addendum issued by the UK Information Commissioner under section 119A(1) of the Data Protection Act 2018. The current version of the UK Addendum can be found at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf. It may be subject to amendments, replacements, or updates.
2. Roles of the Parties
The Parties acknowledge and agree that where Customer’s use of the Services includes Processing which is subject to Data Protection Law requirements with regard to the Processing of Personal Data, Customer is the Controller, Nurse 1-1 is the Processor, and that Nurse 1-1 may engage Sub-Processors pursuant to the requirements set forth below.
3. Customer Responsibilities
a. Compliance with Laws. Under the Agreement and in your utilization of the services, it is your responsibility to adhere to all requirements imposed on you by this DPA and applicable Data Protection Laws regarding the Processing of Personal Data and your Instructions issued to us.
Specifically, without limiting the general applicability of the above, you acknowledge and agree that you bear sole responsibility for: (i) the accuracy, quality, and legality of Customer Data, as well as the methods employed to obtain Personal Data; (ii) compliance with transparency and lawfulness requirements stipulated by applicable Data Protection Laws for the collection and use of Personal Data, including the acquisition of necessary consents and authorizations (especially for Customer’s marketing purposes); (iii) ensuring your entitlement to transfer or provide us access to Personal Data for Processing in accordance with the terms outlined in the Agreement (including this DPA); (iv) ensuring that your Instructions concerning the Processing of Personal Data comply with relevant laws, including Data Protection Laws; and (v) adhering to all laws (including Data Protection Laws) applicable to any emails or other content generated, sent, or managed through the Services, including requirements related to obtaining consents (where necessary) for email communications, the content of such emails, and email deployment practices. If you find it impossible to fulfill your responsibilities under this ‘Compliance with Laws’ section, this DPA, or any applicable Data Protection Laws, you shall promptly notify us.
b. Controller Instructions. The parties acknowledge that the Agreement (including this DPA) and your utilization of the Service in accordance with the Agreement constitute your comprehensive Instructions to us regarding the Processing of Personal Data. However, you retain the option to provide additional instructions during your usage of the Service, as long as these instructions align with the Agreement and the nature and lawful utilization of the Service.
c. Security. It is your responsibility to independently assess whether the data security measures provided by the Service adequately meet your obligations under applicable Data Protection Laws. You are also accountable for securely using the Service, which includes safeguarding the security of Personal Data during its transit to and from the Service (including securely backing up or encrypting such Personal Data).
4. Nurse-1-1 Obligations and Restrictions
a. Compliance with Instructions. We will only handle Personal Data as described in this DPA or as otherwise agreed within the scope of your authorized instructions, except where required by applicable law. We are not responsible for ensuring compliance with any Data Protection Laws that are specific to your industry and do not generally apply to us. When requested in writing by Customer or where required under Data Protection Laws, Nurse 1-1 shall not: (i) sell, or share for Targeted Advertising purposes, Personal Data it receives from or on behalf of Customer, as required by Data Protection Law; (ii) retain, use, or disclose the Personal Data it receives under the Agreement and this DPA outside of the direct business relationship between Nurse 1-1 and Customer unless expressly permitted under Data Protection Laws; and (iii) combine the Personal Data it receives from or on behalf of the Customer with Personal Data it receives from or on behalf of another person or persons, or collects from its own interactions with the Data Subject, provided that Nurse 1-1 may combine Personal Data to perform any business purpose permitted under Data Protection Laws. Customer has the right, upon notice, to take reasonable and appropriate steps to stop and remediate unauthorized use of Personal Data, as required under Data Protection Laws.
b. Conflict of Laws. If we become aware that we cannot Process Personal Data in accordance with your instructions due to a legal requirement under any applicable law, we will (i) promptly notify you of that legal requirement to the extent permitted by law, and (ii) if necessary, temporarily suspend all Processing activities (except for storage and maintaining the security of the affected Personal Data) until you provide new instructions that we can comply with. If this provision is invoked, we will not be held liable under the Agreement for any failure to perform the relevant services until you provide new lawful instructions regarding the Processing.
c. Security. We will establish and maintain appropriate technical and organizational measures for protection of the security (including protection against unauthorized or unlawful Processing and against accidental or unlawful destruction, loss or alteration or damage, unauthorized disclosure of, or access to, Customer Data), confidentiality, and integrity of Customer Data as required by Data Protection Law, as outlined in Annex 2 of this Data Processing Agreement (“Security Measures”). While we reserve the right to modify or update the Security Measures at our discretion, any such changes will not significantly reduce the level of protection provided by the Security Measures.
d. Confidentiality. We will ensure that any authorized personnel involved in the Processing of Personal Data on our behalf are bound by appropriate confidentiality obligations, whether through contractual agreements or statutory requirements, to uphold the confidentiality of such data.
e. Personal Data Breaches. Upon becoming aware of any Personal Data Breach, we will promptly notify you and provide timely information as it becomes available or upon your reasonable request. If required by Data Protection Laws, we will offer reasonable, necessary assistance to enable you to notify competent authorities and/or affected Data Subjects about relevant Personal Data Breaches, as per your request. Nurse 1-1 agrees that it will not communicate with any third party, including, but not limited to the media, vendors, consumers and affected Data Subjects regarding Customer in connection to any Personal Data Breach without the express written consent and direction of Customer, unless required under Data Protection Law. Customer acknowledges and agrees that this Section 5 does not restrict or limit in any way Nurse 1-1’s right to communicate with its other affected customers and, without disclosing Customer’s identity, issue public statements or communicate with law enforcement regarding such security breach. The obligations herein shall not apply to incidents that are caused by Customer or Customer’s end users.
f. Deletion or Return of Personal Data. Upon termination of your Service, we will either delete or return all Customer Data, including Personal Data and any copies Processed under this Data Processing Agreement (DPA). This provision applies unless applicable law requires us to retain certain Customer Data or if we have stored Customer Data on backup systems. In such cases, we will securely isolate and protect the data from further Processing, and delete it in accordance with our deletion practices. If you wish to delete your Nurse-1-1 account after terminating your use of the Service, please submit a request through our privacy request form at privacy@nurse-1-1.com. We strongly recommend retrieving your Customer Data before ending your usage of the Service. If you require assistance in retrieving your Customer Data while using the Service, we will offer reasonable support at your expense, subject to the provisions of the ‘Confidentiality’ section of the Agreement.
5. Data Subject Requests
The Service offers various controls to enable you to retrieve, correct, delete, or restrict Personal Data. These controls are designed to assist you in fulfilling your obligations under Data Protection Laws, including your responsibilities concerning Data Subject requests to exercise their rights under applicable Data Protection Laws.
If you encounter a Data Subject request that cannot be resolved independently through the Service, you may request our reasonable assistance in responding to such requests or inquiries from data protection authorities regarding the Processing of Personal Data under the Agreement. You will be responsible for reimbursing us for commercially reasonable costs incurred in providing this assistance.
In the event that we receive a Data Subject Request or any other communication directly related to the Processing of Personal Data under the Agreement, we will promptly notify you and advise the Data Subject to redirect their request to you. It will be your sole responsibility to provide substantive responses to such Data Subject Requests or communications involving Personal Data.
6. Sub-Processors
You acknowledge and agree that we may enlist the services of Sub-Processors to carry out the Processing of Personal Data on your behalf. These Sub-Processors may be engaged to assist us with hosting and infrastructure, as well as to support product features and integrations.
At present, we have designated certain third parties as Sub-Processors, and you can find their details listed on our Sub-Processor Page at https://legal.nurse-1-1.com/legal/sub-processors.
Both parties agree that, by adhering to the provisions outlined in this subsection, Nurse-1-1 fulfills its obligations as stipulated in Section 9 of the Standard Contractual Clauses.
When we engage Sub-Processors, we will impose data protection terms on them that ensure, to the extent applicable to the nature of the services they provide, a level of protection for Personal Data equivalent to that outlined in this Data Processing Agreement (DPA). These terms may include the implementation of the Standard Contractual Clauses where appropriate. We will maintain responsibility for ensuring that each Sub-Processor complies with the obligations set forth in this DPA, and we will be liable for any acts or omissions by such Sub-Processors that result in our breach of obligations under this DPA.
7. Data Transfers
You understand and consent that we have the right to access and handle Personal Data worldwide as required to deliver the Service as stated in the Agreement. Specifically, Personal Data may be transferred to and Processed by Nurse-1-1 in the United States and in other locations where our subcontractors operate. Whenever Personal Data is transferred outside its country of origin, both parties will ensure that such transfers comply with the regulations set forth by Data Protection Laws.
8. Additional Provisions for European Data
a. Scope: The provisions in this section titled “Additional Provisions for European Data” shall solely apply to European Data.
b. Roles of the Parties: When Processing European Data in accordance with your Instructions, both parties acknowledge and agree that you act as the Controller of European Data, and we act as the Processor.
c. Instructions: If we believe that your Instructions violate European Data Protection Laws (where applicable), we will promptly notify you.
d. Sub-Processor Agreements: In accordance with Clause 9(c) of the Standard Contractual Clauses, we acknowledge that we may have restrictions on disclosing Sub-Processor agreements. However, we will make reasonable efforts to require any Sub-Processor we engage to allow us to disclose the Sub-Processor agreement to you. Additionally, we will provide you with all information we reasonably can on a confidential basis.
e. Data Protection Impact Assessments and Consultation with Supervisory Authorities. We will offer reasonable assistance to you, as per European Data Protection Laws, in conducting data protection impact assessments and engaging in prior consultations with supervisory authorities or other competent data privacy authorities, to the extent that the necessary information is reasonably accessible to us and you do not have access to such information through other means.
f. Transfer Mechanisms for Data Transfers.
(A) Nurse-1-1 will not transfer European Data to any country or recipient that does not provide an adequate level of protection for Personal Data, as defined by applicable European Data Protection Laws, unless it has taken all necessary measures to ensure compliance with such laws. These measures may include (but are not limited to) transferring the data to a recipient covered by a suitable international data transfer framework or other legally recognized transfer mechanism that provides adequate protection for Personal Data, transferring to a recipient with binding corporate rules authorization in accordance with European Data Protection Laws, or transferring to a recipient that has executed appropriate standard contractual clauses, as adopted or approved in accordance with applicable European Data Protection Laws.
(B) You acknowledge that Nurse-1-1 in the United States receives European Data in connection with the provision of Services. Subject to subsections (C) and (D), both parties agree to incorporate the Standard Contractual Clauses by reference, which will become a part of the Agreement in the following manner:
- (a) EEA Transfers:Regarding European Data that falls under the scope of the GDPR, the following provisions apply:
(i) The Customer is designated as the “data exporter,” and Nurse-1-1 is designated as the “data importer.”
(ii) Module Two terms apply when the Customer acts as a Controller of European Data, and Module Three terms apply when the Customer acts as a Processor of European Data.
(iii) The optional docking clause in Clause 7 applies.
(iv) Option 2 in Clause 9 applies, and any changes to Sub-Processors will be notified in accordance with the ‘Sub-Processors’ section of this DPA.
(v) The optional language in Clause 11 is removed.
(vi) For Clauses 17 and 18, the governing law and forum for disputes under the Standard Contractual Clauses will be determined as specified in the ‘Contracting Entity; Applicable Law; Notice’ section of the Jurisdiction Specific Terms. If no EU Member State is specified in that section, the governing law and forum for disputes will be the Republic of Ireland (without considering conflicts of law principles).
(vii) The Annexes of the Standard Contractual Clauses will be deemed completed with the information provided in the Annexes of this DPA.
(viii) If there is a conflict between any provision of this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses will prevail to the extent of such conflict.
- (b) UK Transfers:
- Regarding European Data subject to the UK GDPR, the Standard Contractual Clauses will apply as described in subsection (a) with the following modifications:
(i) The Standard Contractual Clauses will be adjusted and interpreted according to the UK Addendum, which will be incorporated by reference and become an integral part of the Agreement.
(ii) Tables 1, 2, and 3 of the UK Addendum will be considered complete with the information provided in the Annexes of this DPA. Table 4 will be completed by selecting “neither party.”
(iii) In the event of any conflict between the terms of the Standard Contractual Clauses and the UK Addendum, the resolution will be determined in accordance with Section 10 and Section 11 of the UK Addendum.
- (c) Swiss Transfers:Regarding European Data subject to the Swiss DPA, the Standard Contractual Clauses will apply as outlined in subsection (a) with the following modifications:
(i) References to “Regulation (EU) 2016/679” will be interpreted as references to the Swiss DPA.
(ii) References to “EU,” “Union,” and “Member State law” will be understood as references to Swiss law.
(iii) References to the “competent supervisory authority” and “competent courts” will be replaced with “the Swiss Federal Data Protection and Information Commissioner” and the “relevant courts in Switzerland.”
(C) In cases where the contracting entity under the Agreement is not Nurse-1-1, that specific contracting entity (and not Nurse-1-1) will assume full and sole responsibility and liability towards you regarding the execution of the Standard Contractual Clauses by Nurse-1-1. You should direct any instructions, claims, or inquiries concerning the Standard Contractual Clauses to that contracting entity.
If Nurse-1-1 is unable to fulfill its obligations under the Standard Contractual Clauses or breaches any warranties stated in the Standard Contractual Clauses or UK Addendum (where applicable), and you intend to suspend the transfer of European Data to Nurse-1-1 or terminate the Standard Contractual Clauses or UK Addendum, you agree to provide us with reasonable notice to allow us to rectify such non-compliance. We will cooperate reasonably with you to identify any additional safeguards that could be implemented to address the non-compliance. If we are unable to rectify the non-compliance, you may suspend or terminate the relevant part of the Service in accordance with the Agreement, without any liability to either party (subject to any fees you have incurred prior to such suspension or termination).
9. General Provisions
a. Amendments: Notwithstanding any contrary provisions in the Agreement and without prejudice to the ‘Compliance with Instructions’ or ‘Security’ sections of this DPA, we retain the right to make updates and modifications to this DPA. The terms stated in the ‘Amendment; No Waiver’ section of the Agreement will govern such changes.
b. Severability: If any individual provisions of this DPA are deemed invalid or unenforceable, it will not affect the validity and enforceability of the remaining provisions of this DPA.
c. Limitation of Liability: The liability of each party and its Affiliates, collectively, arising from or related to this DPA (including any other DPAs between the parties) and the Standard Contractual Clauses (where applicable), whether in contract, tort, or under any other theory of liability, will be subject to the limitations and exclusions of liability outlined in the ‘Limitation of Liability’ section of the Agreement. Any references in that section to a party’s liability include the aggregate liability of that party and all its Affiliates under the Agreement (including this DPA). If Nurse-1-1 is not a party to the Agreement, the ‘Limitation of Liability’ section of the Agreement will apply between you and Nurse-1-1, and any references to ‘Nurse-1-1,’ ‘we,’ ‘us,’ or ‘our’ will encompass both Nurse-1-1 and the Nurse-1-1 entity that is a party to the Agreement. Notwithstanding the above, neither party’s liability will be limited concerning an individual’s data protection rights under this DPA (including the Standard Contractual Clauses) or otherwise.
d. Governing Law: The provisions of this DPA will be governed by and interpreted in accordance with the ‘Contracting Entity,’ ‘Applicable Law,’ and ‘Notice’ sections of the Jurisdiction Specific Terms, unless Data Protection Laws require a different approach.
e. Audit: No more than once annually, Nurse-1-1 will comply with all reasonable requests or directions by Customer, or its designee, to enable Customer to verify that Nurse-1-1 is in full compliance with its obligations under this DPA by responding to a questionnaire provided by the Customer. Should Customer require a third-party auditor, Customer shall bear all related costs, including costs associated with personnel time and related expenses and all audits shall be conducted during regular business hours.
10. Parties to this DPA
a. Approved Associates. By signing the Agreement, you are entering into this Data Processing Agreement (including, where applicable, the Standard Contractual Clauses) on your behalf and on behalf of your approved associates. For the purposes of this Data Processing Agreement only, unless stated otherwise, the terms “Customer,” “you,” and “your” will encompass both you and your approved associates.
b. Authorization. The legal entity accepting this Data Processing Agreement as the Customer represents that it has the authority to accept and enter into this agreement on behalf of itself and, when applicable, each of its approved associates.
c. Remedies. The parties agree that (i) only the Customer entity that is a party to the Agreement will exercise any rights or seek any remedies that any approved associate may have under this Data Processing Agreement, (ii) the Customer entity that is a party to the Agreement will exercise such rights collectively for itself and all its approved associates, rather than separately for each approved associate, and (iii) the Customer entity that is a contracting party is responsible for coordinating all instructions, authorizations, and communications with us under this Data Processing Agreement, and has the authority to communicate on behalf of its approved associates in relation to this agreement.
d. Additional Rights. The parties mutually agree that, during the review of our compliance with this Data Processing Agreement, you shall make reasonable efforts to minimize any potential impact on us. This will be achieved by consolidating multiple audit requests conducted on behalf of the Customer entity bound by the Agreement and its authorized affiliates into a single comprehensive audit.
Annex 1 – Details of Processing
A. List of Parties
Data exporter:
Name: Customer, as defined in the Nurse-1-1 Customer Terms of Service (on behalf of itself and Permitted Affiliates)
Address: The Customer’s address, as set out in the Order Form
Contact person’s name, position and contact details: The Customer’s contact details, as set out in the Order Form and/or as set out in the Customer’s Nurse-1-1 Account
Activities relevant to the data transferred under these Clauses: Processing of Personal Data in connection with Customer’s use of the Nurse-1-1 Services under the Nurse-1-1 Customer Terms of Service
Role (Controller/Processor): Controller
Data importer:
Name: VideWell, Inc. doing business as Nurse-1-1
Address:
Nurse-1-1 c/o VideWell Inc.
101 Middlesex Tpke, Ste 6 PMB 369
Burlington, MA 01803-4914
Activities relevant to the data transferred under these Clauses: Processing of Personal Data in connection with Customer’s use of the Nurse-1-1 Services under the Nurse-1-1 Customer Terms of Service
Role (Controller/Processor): Processor
B. Description of Transfer
Categories of Data Subjects whose Personal Data is Transferred
You have the option to provide Personal Data while using the Service, and the amount of data you share is solely determined and managed by you. This may encompass, but is not restricted to, Personal Data pertaining to various categories of individuals, such as:
- Your contacts and other end users, including your employees, contractors, collaborators, customers, prospects, suppliers, and subcontractors.
- Data Subjects who may include individuals trying to communicate with or transfer Personal Data to your end users.
Categories of Personal Data Transferred
You have the authority to provide Personal Data to the Services, and the scope of such data is determined and managed solely by you. The Personal Data transferred concern the following categories of data in an electronic or physical form:
1. Contact Information, as defined in the Agreement.
2. Any other Personal Data that you or your end users submit, send, or receive through the Service.
3. Personal identifiers, including any information that identifies the Data Subject and their personal characteristics, including: name, address, contact details, age, date of birth, gender, and physical description.
4. Internet or electronic network activity information, such as IP address, device identifiers, browsing history, search history, and diagnostic information (log files and crash reports).
5. Audio, electronic, thermal, olfactory, or similar information, such as call recordings, photographs, or videos.
6. Inferences based on Personal Data, such as user profiles reflecting preferences, characteristics, psychological trends, behavior, habits, or abilities.
7. Content of communications, such as content of phone calls, emails, or text messages.
8. Demographic information, such as family, lifestyle and social circumstances, including any information relating to the family of the Data Subject and the Data Subject’s lifestyle and social circumstances, including current marriage and partnerships, marital history, details of family and other household members, housing, travel details, leisure activities, and membership of charitable or voluntary organizations.
9. Education and training details, including information which relates to the education and any professional training of the Data Subject, including academic records, qualifications, skills, training records, professional expertise, student and pupil records.
10. Employment details, including information relating to the employment of the Data Subject, including employment and career history, recruitment and termination details, attendance records, health and safety records, performance appraisals, training records, and security records.
11. Financial details, including information relating to the financial affairs of the Data Subject, including income, salary, assets and investments, payments, creditworthiness, loans, benefits, grants, insurance details, and pension information.
12. Commercial data, such as goods or services provided and related information, including details of the goods or services supplied, licenses issued, and contracts.
13. Personal Data relating to criminal convictions and offenses.
Sensitive Data transferred and applied restrictions or safeguards
The Parties will not intentionally collect or Process any Sensitive Personal Data, as defined under applicable Data Privacy Legislation. Vendor will immediately report any unintentional receipt of Sensitive Personal Data.
Nature of the Processing
The Personal Data transferred or Processed will be subject to the following Processing activities:
- Receiving Personal Data, including collection, accessing, retrieval, recording, and data entry.
- Holding Personal Data, including storage, organization, and structuring.
- Using Personal Data, including analyzing, consultation, testing, automated decision making, and profiling.
- Updating Personal Data, including correcting, adaptation, alteration, alignment, and combination.
- Protecting Personal Data, including restricting, encrypting, and security testing.
- Sharing Personal Data, including disclosure, dissemination, allowing access or otherwise making available.
- Returning Personal Data to Customer or Data Subject.
- Erasing data, including destruction and deletion.
Purpose of the transfer and further Processing
We will undertake the necessary Processing of Personal Data to fulfill our obligations in providing the Services as outlined in the Agreement. The specific details regarding the Processing activities will be further specified in the Order Form and guided by your instructions in the use of the Services.
Frequency of the transfer
The Personal Data is transferred on a continuous basis.
Period for which Personal Data will be retained
Except as stated in the “Deletion or Return of Personal Data” section of this Data Processing Agreement, we will Process Personal Data throughout the duration of the Agreement, unless otherwise explicitly agreed upon in writing. We store Personal Data for as long as the information is required to fulfill our legitimate business needs or the purposes for which the information was collected. Additionally, we store your personal information for as long as is required to resolve disputes or as long as required by applicable law.
B. Competent Supervisory Authority
In accordance with the General Data Protection Regulation (GDPR), the supervisory authority designated as the competent authority for the purposes of the Standard Contractual Clauses will be determined.
Annex 2 – Security Measures
We are currently adhering to the Security Measures outlined in Annex 2. Any capitalized terms not explicitly defined in this document will carry the meanings as defined in the Agreement.
a) Access Control
i) Preventing Unauthorized Product Access
Outsourced Processing: Our Service is hosted on cloud infrastructure providers external to our organization. Additionally, we have established contractual relationships with vendors to ensure the provision of the Service in alignment with our Data Processing Agreement (DPA). We rely on contractual agreements, privacy policies, and vendor compliance programs to safeguard the data Processed or stored by these vendors.
Physical and Environmental Security: Our product infrastructure is hosted by outsourced infrastructure providers, which operate multi-tenant environments. We do not possess or maintain the hardware located within the data centers of these outsourced infrastructure providers. Our production servers and client-facing applications are subject to both logical and physical security measures to separate them from our internal corporate information systems.
Authentication: To ensure the security of our customer products, we implement a uniform password policy. Customers interacting with our products through the user interface must authenticate themselves before accessing non-public customer data.
Authorization: Customer data is stored within multi-tenant storage systems, accessible to customers solely through application user interfaces and application programming interfaces (APIs). Direct access to the underlying application infrastructure is not granted to customers. Each of our products incorporates an authorization model designed to restrict access to relevant features, views, and customization options based on the assigned user’s permissions. Authorization to specific data sets is granted by validating the user’s permissions against the attributes associated with each data set.
ii) Preventing Unauthorized Product Use
We employ industry-standard access control measures and detection capabilities within our internal networks that support our products.
Access Controls: Network access controls are designed to prevent unauthorized network traffic from accessing our product infrastructure. The specific technical measures employed may vary depending on the infrastructure providers, including the implementation of Virtual Private Cloud (VPC), assignment of security groups, and utilization of traditional firewall rules.
Intrusion Detection and Prevention: To safeguard hosted customer websites and other internet-accessible applications, we utilize a Web Application Firewall (WAF) solution. The WAF is specifically designed to identify and prevent attacks against publicly available network services.
Static Code Analysis: The code stored in our source code repositories undergoes regular automated checks using tools that evaluate best practices and identify any detectable software flaws.
iii) Limitations of Privilege & Authorization Requirements
Product Access: Only a designated group of employees are granted access to our products and customer data through controlled interfaces. This access is intended to facilitate efficient customer support, sales, our medical/audit team, and product development. It also serves the purpose of troubleshooting potential issues, promptly detecting and responding to security incidents, and implementing data security measures. Access is granted through “just in time” (JITA) requests, which are meticulously logged. Employee access is assigned based on their roles, and regular reviews are conducted to evaluate high-risk privilege grants, with daily initiations. Administrative or high-risk access permissions undergo review at least once every six months.
Background Checks: In accordance with applicable laws, Nurse-1-1 Health Experts may undergo third-party background or reference checks. In the United States, the results of a third-party background check are required before employment offers can be finalized. All Nurse-1-1 employees are expected to adhere to company guidelines, maintain confidentiality, and uphold ethical standards.
b) Transmission Control
In-transit: To ensure secure communication, we enforce HTTPS encryption (also known as SSL or TLS) for all login interfaces and provide it for free on every customer site hosted on Nurse-1-1 products. Our HTTPS implementation utilizes industry-standard algorithms and certificates.
At-rest: We follow industry-standard security practices when storing user passwords. We have implemented technologies that encrypt stored data to maintain its security while at rest.
c) Input Control
Detection: Our infrastructure is designed to generate comprehensive logs that capture system behavior, incoming traffic, system authentication, and other application requests. These logs are aggregated within our internal systems, allowing us to identify and promptly alert the relevant personnel about any malicious, unintended, or abnormal activities. Our dedicated security, operations, and support teams are responsive to known incidents, ensuring a swift response.
Response and Tracking: We maintain a detailed record of known security incidents, including descriptions, relevant activity dates and times, and incident resolutions. Security, operations, or support personnel investigate suspected and confirmed security incidents, identifying appropriate steps for resolution and documenting them accordingly. In the case of confirmed incidents, we take necessary measures to minimize any potential harm, such as product damage or unauthorized disclosure, both for our products and our customers. Notification regarding such incidents will be made in accordance with the terms specified in the Agreement.
d) Availability Control
Infrastructure Availability: Our infrastructure providers make commercially reasonable efforts to maintain a minimum uptime of 99.95%. They ensure redundancy by maintaining back-up power equipment, the HVAC system, and fire suppression equipment as all part of their Infrastructure Layer.
Fault Tolerance: We have implemented backup and replication strategies to ensure redundancy and fail-over protection in the event of a significant Processing failure. Customer data is backed up in multiple durable data stores and replicated across multiple availability zones.
Online Replicas and Backups: Whenever feasible, production databases are designed to replicate data between at least one primary and one secondary database. All databases undergo regular backups and are managed using industry-standard methods.
Disaster Recovery Plans: We maintain and regularly test disaster recovery plans to ensure the availability of information in the event of an interruption or failure of critical business processes.
Redundancy and Failover: Our products are designed with redundancy and seamless failover capabilities. The server instances supporting our products are architected to prevent single points of failure. This design facilitates smooth operations, allowing us to maintain and update product applications and backend systems while minimizing downtime.
Annex 3 – Sub-Processors
In order to support the delivery of the Service by Nurse-1-1, we may collaborate with Sub-Processors who assist us in our data processing operations. You can find a comprehensive list of our Sub-Processors, along with the purposes for which we engage them, on our Nurse-1-1 Sub-Processors Page accessible at https://legal.nurse-1-1.com/legal/sub-processors. This Sub-Processors Page is an integral part of this DPA and is incorporated herein.