These Terms and Conditions, including the Data Processing Terms set out in the Schedule hereto, are incorporated by reference into the Agreement entered into as of the Effective Date between MedVault Health Limited (the “Supplier”) and Customer.
CERTAIN DEFINITIONS: As used in this Agreement, the following terms shall have the meanings set forth below. Capitalized terms used and not defined herein have the same meanings given them in the Order Form.
“Data Processing Terms” means the terms set out in the Schedule to these terms and conditions.
“Data Protection Legislation” means the Irish Data Protection Acts 1988 to 2018 and the GDPR, as same may be amended from time to time and any regulations or statutory instruments and codes of practice governed thereby.
“Documentation” means the applicable installation information, service descriptions, technical specifications, online help files and user manual for the Services provided by Supplier, as same may be revised from time to time.
“Effective Date” means the date on which the terms of this Agreement are accepted by the Customer by its completion of the Order Form.
“GDPR” means the EU General Data Protection Regulation 2016/679.
“Initial Term” shall mean the period commencing on the Effective Date and continuing for 12 months.
“Software” means the software that will enable the Customer to use the Services and includes Supplier proprietary software and software licensed to Supplier by 3rd party licensors.
“Order Form” shall mean the form completed on the Supplier’s website itemizing the Services and the charges for the Services purchased by Customer.
“Passwords” mean any encryption keys, certificates, passwords, access codes, user IDs or other login information provided to or used by Customer for the purpose of accessing and using the Services.
“Personal Data” means, generally, information relating to an identified or identifiable natural person, as defined by Data Protection Legislation and may include ‘Sensitive Personal Data’ as defined under the Data Protection Legislation.
“Platform” means an online platform accessible by Customer with a Password through which the Customer accesses the Services.
“Services” means the services requested by the Customer via the Order Form which may include, amongst other services, the Software, data analytics services, business intelligence reports and tools.
“SLA” shall mean the form attached to this Agreement that sets forth Service level specifications.
The parties hereby agree as follows:
1. SERVICES AND CUSTOMER EQUIPMENT. Subject to the terms and conditions of this Agreement, during the term of this Agreement Supplier will provide the Services to Customer. Customer is responsible for providing all equipment necessary for it to use the Services.
2. FEES AND BILLING. Customer will pay Supplier all charges set out in the Order Form. All such charges are exclusive of taxes, charges or levies now in force or enacted in the future, all of which Customer will be responsible for and will pay in full. Unless otherwise specified in the Order Form Supplier shall issue invoices on a monthly basis in advance. All payments shall be made in Euro, are due upon receipt of the invoice and if not paid within thirty (30) days of receipt of such invoice (i) will accrue interest at a rate of 8% per annum, or the highest rate allowed by applicable law; and / or (ii) will entitle Supplier to discontinue the Services without further notice.
Promotions. The Supplier may from time to time offer the Services for free or reduced charges (a “Promotion”). A Promotion shall be on the terms set out in the Order Form. During a Promotion, the Customer will be subject to the terms and conditions of this Agreement, save that they will not be charged (/ full (as applicable)) rates and can cancel at any time. If the Customer chooses to continue enjoying the Services following the end of the promotion period specified in the Order Form, they will be automatically charged for such Services at the then prevailing standard rates and will be subject to the full terms and conditions of this Agreement.
Referrals. If a Customer refers a party using a promotional code and such party becomes a Customer, both Customers shall receive a credit for two months free Services. In respect of (i) the referring Customer, this credit shall be applied to their next invoice; and (ii) the referred Customer, this credit shall be applied to months 11 and 12 of their Initial Term.
3. CUSTOMER’S USERS. Customer agrees that it is solely responsible for all individual users including any employees or contractors who access and/or use the Services through Customer’s account.
4. CUSTOMER’S ADMINISTRATOR. As part of the registration process for the Service, Customer shall be required to designate a Customer contact (the “Customer Administrator”) who shall be the sole point of contact for Supplier in respect of this Agreement and the Services. Any change in the Customer Administrator shall be notified in writing to Supplier and shall be verified by Supplier in accordance with Supplier's security policies in place from time to time.
5. CUSTOMER CONDUCT. Supplier reserves the right to take any action with respect to the Services that Supplier deems necessary or appropriate in Supplier’s sole discretion if Supplier believes Customer or its information may create liability for Supplier, compromise or disrupt the Services for other Supplier customers or may cause Supplier to lose the services of its Internet service providers or other suppliers. Customer agrees: (a) to comply with all applicable laws including Data Protection Legislation transmitted through the Services; (b) not to use the Services for illegal purposes; (c) not to use the Services to infringe any third party’s copyright, patent, trademark, trade secret or other proprietary rights or rights of publicity or privacy; and (d) to obtain any consents required under the Data Protection Legislation from its customers or otherwise before transferring data to Supplier pursuant to the Services and to maintain any such consents during the term of this Agreement.
7. DATA PROTECTION. The parties acknowledge that the Services may be used to process Personal Data and agree (i) to comply with Data Protection Legislation in relation to such processing; and (ii) that the Data Processing Terms shall apply to the processing of such Personal Data during the Term.
8. SOFTWARE LICENCES.
a. Licences. The Software, the Services, the Platform and Documentation are licensed, not sold, to Customer by Supplier for use only under the terms of this Agreement. Supplier also hereby grants to Customer a non-exclusive, non-transferable, non-sublicensable licence during the term of this Agreement for each Customer to use the Software, Services and Platform in object code form only, and the Documentation only in connection with the Services. The Software, Services, Platform, Documentation and all parts thereof are the subject matter of various proprietary rights, including without limitation copyrights, trade secrets, patents and other similar intellectual and industrial property rights (“Proprietary Rights”).
The licences granted to Customer hereunder to use the Software, Services and Platform are, unless otherwise set out in the Order Form, limited to: (i) using the Software, Services and Platform only for Customer’s internal business needs; and (iii) using the Documentation to support the use of the Services.
At no time shall Customer sublicence, sell, rent, lease, transfer, distribute or otherwise commercially exploit or make the Software, the Platform or the Services available to any third party. Customer shall be bound by and comply with this Agreement, and Customer is solely responsible for all activities of its users and for the accuracy, integrity, legality, reliability and appropriateness of all data.
No licence, right or interest in any trademark, trade name or service mark of Supplier or any third party is granted under the licences contained in this Section 8. Customer acknowledges that this licence shall not in any way be construed to provide an express or implied licence to use, modify or improve any of the Software, Services or Platform, including without limitation any works, inventions, discoveries, technology or other items which are the subject matter of Supplier’s Proprietary Rights, or otherwise to use or exploit the Software, Services, Platform or the Proprietary Rights in any matter not expressly permitted herein.
b. Restrictions. Customer specifically agrees to limit its use of the Software, Services, Platform and the Documentation as expressly authorised by this Agreement. Notwithstanding the foregoing, Customer specifically agrees not to: (i) attempt to create or derive any of the source code or other technology or data within the Software or Services or Platform by disassembly, reverse engineering or any other method, or otherwise reduce the Software or Services or Platform to a human-perceivable form and/or from modifying or translating any part of the Software or Services or Platform; (ii) violate any law, statute, ordinance or regulation in connection with this Agreement; (iii) use the Services in violation of any applicable laws, wherever such use occurs, and not use or require Supplier or its service providers to use any Protected Data obtained via the Services for any unlawful purposes; (iv) gain or attempt to gain unpermitted access by any means to any Supplier computer system, network or database; or (v) file copyright or patent applications that include the Software, the Services, the Platform or any portion thereof. Furthermore, Customer accepts that it may be asked to account for any profits earned as a result of a breach of this Clause, and that these profits shall accrue to Supplier, or such 3rd party as Supplier directs.
c. Password Protection. Customer shall be solely responsible for protecting and safeguarding all Passwords. In the event that Customer makes such Passwords available to any third party, Customer shall be liable for all actions taken by such third party in connection with the Services. Customer shall not disclose or make available Customer’s Passwords other than to Customer’s authorised employees or contractors, shall use all commercially reasonable efforts to prevent unauthorised access to, or use of, the Passwords and the Services and will notify Supplier promptly of any such unauthorised access or use and make any disclosures related to such unauthorised access or use which may be required under any applicable laws.
d. Notification of Licence Breaches: Customer shall immediately notify Supplier of any notices received by Customer that might adversely affect Supplier, including without limitation notices of actual or potential 3rd party claims or proceedings arising from, connected with or relating to Software or Services. In addition, Customer will immediately notify Supplier of any breaches or purported breaches of this Agreement or of the Licence of which the Customer becomes aware or has a reasonable suspicion for believing may have occurred. Customer shall take all reasonable steps to protect any software or intellectual property rights acquired or otherwise used by it in the provision of the Services by Supplier, and acknowledges that these rights may include the rights of entities who have entered licence agreements with Supplier, and that such entities may accrue rights directly against the Customer in the event of a breach of this Agreement.
e. Termination of Licences and Suspension of Services. Supplier may terminate or suspend Customer’s licences and/or suspend, terminate or limit any of Customer’s use of the Services without liability, upon seven (7) days’ written notice to Customer (including via email) based on Supplier’s reasonable belief that: (i) the Services are being used by Customer in violation of any applicable law, ordinance or regulation; (ii) the Services are being used in breach of this Agreement or otherwise in a potentially harmful or unlawful manner; or (iii) Customer fails to pay undisputed charges for Services. Supplier may terminate and/or suspend Customer’s use of the Services without liability, immediately upon written notice to the Customer (including via email) whenever practicable if (i) the use of the Services by Customer adversely affects Supplier’s equipment, security network infrastructure or its service to others; (ii) a court or other governmental authority having jurisdiction issues an order prohibiting Supplier from providing the Services to Customer; or (iii) Supplier is prohibited from providing the Services due to the termination by a third party licensor of an essential licence. Fees payable by Customer under this Agreement will continue to accrue notwithstanding any such suspension. In the event that Services are suspended, Supplier will use commercially reasonable efforts to work with Customer to resolve such issues and re-instate the Services.
9. CONFIDENTIAL INFORMATION. “Confidential information” is that information which, regardless of form or method of disclosure, either party specifically designates as confidential at the time of disclosure; and any information, regardless of form or method of disclosure, customarily treated as confidential by a reasonable person. All information provided by Customer to Supplier in connection with the activation of Services is confidential information of Customer. Neither party shall use confidential information of the other party for any purpose other than for the purpose of providing or using the Services or as otherwise expressly permitted herein. Each party shall exercise reasonable care not to disclose, and to prevent its employees and agents from disclosing, any confidential information of the other party. If a party is compelled to disclose confidential information under the authority of a court or governmental agency, the compelled party shall promptly notify the other party. The other party shall have the opportunity to object to the compelled disclosure prior to production of such information.
10. REPRESENTATIONS AND WARRANTIES.
a. Warranties by Customer. Customer represents and warrants to Supplier that: (i) Customer is duly organised and validly existing and has the legal power and authority to enter into this Agreement and to perform its obligations hereunder; (ii) the person signing this Agreement on behalf of Customer is duly authorised to do so, and upon its execution by such person, this Agreement is the valid and legally binding obligation of Customer; (iii) Customer’s use of the Services does not as of the Effective Date and will not during the term of this Agreement, in any manner violate any applicable law or regulation including the Data Protection Legislation; and (iv) Customer is the owner, legal custodian or otherwise has the right to use the Services and has full authority to transmit and direct the disposition of supplied data. Customer shall reimburse Supplier for any expenses incurred by Supplier (including reasonable attorney’s fees and expenses) by reason of Supplier’s complying with the instructions of Customer or any third party concerning the ownership, custody or disposition of data. Customer hereby authorises Supplier to use supplied data to perform the Services pursuant to this Agreement. In the event that Supplier needs to access the supplied data to respond to any technical problems, queries or requests from Customer, Customer shall ensure that both Customer and Supplier are permitted to do so. In such event, all such access will be logged by Supplier and supervised by Customer and Customer shall be fully responsible for such access to the supplied data.
b. Warranties by Supplier. Supplier represents and warrants to Customer that: (i) Supplier owns or has the legal right and authority, and will continue to own or maintain the legal right and authority during the term of this Agreement, to provide the Services as contemplated by this Agreement; (ii) Supplier is duly organised and validly existing and has the legal power and authority to enter into this Agreement and to perform its obligations hereunder; (iii) the person signing this Agreement on behalf of Supplier is duly authorised to do so, and upon its execution by such person, this Agreement is the valid and legally binding obligation of Supplier; (iv) the Services as supplied to Customer in connection with this Agreement do not violate any applicable law or regulation; and (v) the Software does not infringe upon any third party’s patent, trademark or other intellectual property rights.
c. No Other Warranty. EXCEPT FOR ANY EXPRESS WARRANTY SET FORTH IN SECTION 10(b) HEREIN, OR IN THE SLA, THE SERVICES, THE SOFTWARE AND THE PLATFORM ARE PROVIDED ON AN “AS IS” AND “AS AVAILABLE” BASIS. Supplier expressly disclaims all warranties of any kind, whether express or implied, including, but not limited to the implied warranties of merchantability, fitness for a particular purpose and any warranties arising from a course of dealing, usage or trade practice. Supplier is not responsible for any defects or damages to the Customer’s equipment resulting from Customer’s or Customer’s agents’ or employees’ mishandling, abuse, misuse, accident or Force Majeure. Supplier shall bear no liability to Customer or any third party arising from Customer’s decision not to implement any reasonable change to Customer’s technical environment that supports the Software, the Platform and/or the Services, which has been advised by Supplier and Customer shall hold Supplier harmless from and against any suit or proceeding (including reasonable attorney’s fees and expenses) brought against Supplier arising directly or indirectly from a failure to provide the necessary access and/or support for Supplier to implement any such change. Customer agrees to inform Supplier of any Customer system change that may reasonably be expected to affect Supplier’s ability to provide the Services. The speed of delivery of the Services is dependent on factors outside the control of Supplier.
Except as set forth in the SLA, Supplier makes no warranty that the Services, the Software or the Platform will be uninterrupted, timely, secure or error free, or that any supplied data will be backed up or available for restoration. Supplier expressly disclaims all liability howsoever arising from any change made to the Customer’s equipment or any changes to Customer’s IT configuration. Supplier confirms and the Customer acknowledges, that no contractor of Supplier (be it by way of 3rd party service provider or software or licence provider) shall be liable for the provision of the Services. No statement, whether oral or written, obtained by Customer from Supplier shall create any warranty not expressly made herein. Some jurisdictions do not allow the exclusion of certain warranties, so to the extent not allowed by law, some of the above exclusions may not apply. The parties acknowledge and agree that the allocation of risk contained herein reflects that it is not within Supplier’s control how and for what purpose the results of the Services are used by the Customer.
11. SERVICE LEVEL AGREEMENT. Supplier’s SLA constitutes Customer’s sole and exclusive remedy for Supplier’s provision of or failure to provide Services to Customer, except that Supplier shall have no obligation to compensate Customer under any SLA while Customer is in Default (as defined below) or not current in its payment obligations under this Agreement. The SLA currently in effect on the Effective Date is available at www.medvault.ie, and Supplier may amend the SLA periodically provided that (a) Customer is informed at least thirty (30) days in advance of any such amendment or relocation; and (b) the amendment does not materially and adversely alter the provision of Services. If Customer reasonably and in good faith believes that an SLA amendment materially and adversely alters the provision of Services hereunder, Customer may provide written notice to Supplier within thirty (30) days of the effective date of the amendment, setting forth in reasonable detail Customer’s basis for such belief. Supplier shall have thirty (30) days to address the Customer’s concern and reach a mutually agreed upon resolution. If mutual resolution is not achieved, the previous version of the applicable SLA will remain in effect for the remainder of the then current term as to the Customer’s use of the applicable Services.
12. LIMITATIONS OF LIABILITY AND INDEMNIFICATION.
a. Consequential Damages Waiver; Limitation of Liability.
IN NO EVENT WILL EITHER PARTY BE LIABLE OR RESPONSIBLE TO THE OTHER FOR ANY TYPE OF INCIDENTAL, PUNITIVE, SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES ARISING FROM OR RELATING TO THIS AGREEMENT, INCLUDING BUT NOT LIMITED TO LOST REVENUE; LOST PROFITS; BUSINESS INTERRUPTION; LOSS OF USE; REPLACEMENT GOODS OR SERVICES; LOSS OF DATA TRANSMITTED THROUGH THE SERVICES; LOSS RESULTING FROM UNAUTHORISED ACCESS TO DATA OR ALTERATION OF CUSTOMER’S DATA EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES, WHETHER ARISING UNDER ANY THEORY OF CONTRACT, TORT (INCLUDING NEGLIGENCE), STRICT LIABILITY OR OTHERWISE. EACH PARTY’S LIABILITY TO THE OTHER PARTY OR ANY THIRD PARTIES IS LIMITED TO THE LESSER OF (i) THE AMOUNT PAID BY CUSTOMER TO SUPPLIER HEREUNDER DURING THE SIX (6) MONTH PERIOD IMMEDIATELY PRECEDING THE DATE THE LOSS OR DAMAGE FIRST OCCURS, OR (ii) €5,000. SOME JURISDICTIONS DO NOT ALLOW THE LIMITATION OR EXCLUSION OF LIABILITY FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES SO, TO THE EXTENT NOT ALLOWED BY LAW, SOME OF THE ABOVE LIMITATIONS MAY NOT APPLY TO THE PARTIES.
b. Indemnification. Subject to the limitations set forth elsewhere in this Agreement, each party (the “Indemnifying Party”) will indemnify, defend and hold the other party and its subsidiaries, affiliates, officers and employees (the “Indemnified Party”) harmless from and against any and all costs, liabilities, losses, and expenses (including but not limited to reasonable attorneys’ fees) resulting from any claim, suit, action, demand, or proceeding (each, an “Action”) brought by any third party against the Indemnified Party arising from: (i) a Default by the Indemnifying Party, (ii) the gross negligence or willful misconduct of the Indemnifying Party or its employees, agents, contractors, or invitees, or (iii) any failure by the Indemnifying Party or its employees, agents, contractors, or invitees, to comply with the law.
c. Procedures. The Indemnifying Party’s obligations under Section 12(b) herein are conditioned upon: (i) the Indemnified Party promptly notifying the Indemnifying Party upon receipt of written notice of the Action for which the Indemnified Party seeks indemnity; (ii) the Indemnified Party tendering control of the defence of such Action and any related settlement discussions to the Indemnifying Party (provided, however, that the Indemnified Party may participate in such defence, at its own expense, with counsel of its own choosing); and (iii) the Indemnified Party, at the Indemnifying Party’s request and expense, reasonably cooperating with and assisting the Indemnifying Party in its efforts to defend the Action. The Indemnifying Party shall obtain the Indemnified Party’s prior written consent, which consent shall not be unreasonably withheld or delayed, for any settlement or compromise of any such Action that does not include an unconditional release of the Indemnified Party from the indemnified liability hereunder.
d. Content. All content found or provided (or not) via the Services is for informational purposes only. Neither the Services nor the content found or provided (or not) are intended to be a substitute for professional medical advice, diagnosis, research or treatment.
13. DEFAULT AND REMEDIES.
a. Default. The occurrence of any of the following will be a “Default” by Customer: (i) Customer fails to pay, when due, any amounts owing to Supplier hereunder; or (ii) the material breach of any representation or warranty made by Customer in this Agreement, except to the extent such breach is susceptible to cure, in which case there shall be no Default unless such breach is not cured by Customer within thirty (30) days after receiving written notice from Supplier of such breach; or (iii) Customer fails to perform or observe any of its other obligations under this Agreement after a period of thirty (30) days after receiving written notice from Supplier of such failure; or (iv) Customer’s insolvency or liquidation as a result of which Customer ceases to do business.
b. Customer’s Remedies for Default by Supplier. Remedies for failure to deliver the Services in accordance with the SLA are addressed entirely in the SLA.
c. Supplier’s Remedies for Default by Customer. If Customer commits a Default, Supplier will be entitled, at its election, to exercise any one or more of the following remedies, then or at any time thereafter: (i) to pursue any remedy available at law or in equity; (ii) to terminate this Agreement; and (iii) to suspend Services.
14. TERM. The term of this Agreement will commence on the Effective Date and continue for the Initial Term, and thereafter shall automatically renew for successive terms equal to the length of the Initial Term (each a “Renewal Term”), unless notice of non-renewal is given by either party no less than ninety (90) days before expiration of the Initial Term or any Renewal Term then in effect. Customer will be deemed to have accepted Supplier’s then current charges for each Renewal Term unless Customer gives notice to Supplier of its rejection of any increase in charges no later than fourteen (14) days after Customer receives notice thereof. If Customer rejects any increase in charges, this Agreement shall terminate on the date that is thirty (30) days after Customer gives notice to Supplier of its rejection of such increase and during such period prior to termination the previous charges will apply. Upon expiration or termination of the Services or this Agreement, Customer’s right to use the Services immediately ceases, Customer shall have no right and Supplier will have no obligation thereafter to forward any unopened or unsent messages to Customer or any third party.
15. INTELLECTUAL PROPERTY
a. Supplier or its suppliers or licensors are the sole and exclusive owner(s) of all right, title and interest in the Software, Platform, Services, Documentation and all copies thereof including all derivations, modifications and enhancements thereto (including but not limited to ownership of all intellectual property rights). This Agreement does not grant Customer title to or any ownership rights or interest in the Software, the Platform, the Services or the Documentation, but only a right of limited use as expressly set forth in this Agreement. Customer agrees to inform Supplier immediately of any infringement or other improper action with respect to Supplier intellectual property as defined herein, or the intellectual property rights of Supplier’s suppliers that come to Customer’s attention.
b. Customer is the sole and exclusive owner of all rights, title and interest in and to all supplied data or materials otherwise managed by the Software (collectively “Customer Materials”). In performing its obligations under this Agreement, Supplier agrees that it shall acquire no rights whatsoever in any Customer Materials. Supplier agrees to inform Customer immediately of any infringement, loss, compromise or other improper action or use with respect to Customer Materials, in each case immediately upon becoming aware of such infringement or improper action.
16. OTHER PROVISIONS.
a. Non-Assignment; No Third-Party Rights. Customer may not assign or transfer this Agreement or any rights hereunder and any attempt to do so is void. Subject to the foregoing, this Agreement will be binding upon, and inure to the benefit of, the parties and their respective successors and permitted assigns. This Agreement is for the sole benefit of the parties, and nothing herein will be construed as giving any rights to any person not a party hereto.
b. Governing Law & Jurisdiction. This Agreement will be governed by and construed in accordance with the substantive laws of Ireland, and the parties further agree that any cause of action relating to this Agreement shall be brought exclusively in a court in Ireland.
c. Notices. Except where other means of communication are expressly provided for in this Agreement, all notices provided for hereunder will be in writing (email being sufficient).
Data Processing Terms
Note: At MedVault Health we endeavour to be as transparent as possible when it comes to how we process your data. So if you have any problems understanding the legal and technical language used below please feel free to contact our team and we will be happy to answer any related questions.
This Schedule sets out the Data Processing Terms applicable to the Services during the Term and form part of and are subject to the Agreement, including the general terms and conditions.
Terms not defined in these Data Processing Terms shall have the meaning set out in the Agreement.
In these Data Processing Terms:
“Affiliate” means an entity that directly or indirectly controls, is controlled by, or is under common control with, a party;
“Customer Personal Data” means personal data contained in the Protected Data;
“Customer Representative” means the person designated by Customer from time to time who will act as its primary contact regarding the performance of the Agreement;
“Sub-Processors” means third parties authorised under these Data Processing Terms to process Customer Personal Data in order to provide parts of the Services and any related technical support.
The terms “controller”, “data subject”, “personal data”, “processing”, “processor” and “supervisory authority” as used in these Data Processing Terms have the meanings given in the GDPR.
2. NATURE AND PURPOSE OF PROCESSING
2.1 The Customer expressly acknowledges and agrees that Supplier has no control or influence over the content of the Customer Personal Data, which may include, among other things, personal data and sensitive personal data (as defined under the GDPR) relating to the Customer’s or its customer’s own clients, customers, suppliers, employees, other personnel or other data subjects within the meaning of the GDPR. Should Customer wish to further categorise the data subjects or types of personal data to incorporate into these terms, it may provide such information to Supplier.
2.2 The provision of the Services will include the collecting, recording, organising, structuring, storing in encrypted form, retrieving, erasing and destroying of Customer Personal Data for the purpose of providing the Services and any related technical support to Customer.
2.3 MedVault software generates deidentified and statistical data and metadata through its processing of the raw data. Unless notified to the Supplier via the Platform or in writing, the Customer agrees that the Supplier may aggregate, use, disclose, process, exchange and analyse this data that has been masked in a manner such that it no longer specifically identifies the Customer or subjects of the Customer Personal Data. This deidentified and statistical data and metadata forms the basis of the models and design of the tools and services MedVault delivers.
2.4 In relation to the provision of the Services by Supplier, the Customer or its customer is and shall be a Data Controller and Supplier is and shall be a Data Processor. In the event that the Customer qualifies as a Data Processor, Supplier will act as its sub Data Processor and Customer warrants to Supplier that Customer’s instructions and actions with respect to Customer Personal Data, including the appointment of Supplier as another processor, have been authorised by the relevant Controller.
2.5 Customer instructs Supplier to process, and Supplier shall only process, the Customer Personal Data in accordance with the Agreement and otherwise on the instructions of the contact persons designated by the Customer or such third party as the Customer has confirmed in writing (including email) is authorised to provide such instructions (an “Authorised Agent”), taking into account the nature of the Services, including any related technical support, and for the duration of the Agreement. The Customer remains at all times fully liable for any instructions given by its contact person(s) or an Authorised Agent.
2.6 The parties acknowledge and agree that any instructions may be given by email or orally where the Customer or Authorised Agent is using Supplier’s technical support team, provided that Supplier shall keep a record of such oral instructions.
2.7 The Customer further acknowledges and agrees that it (and/or its customer if its customer (also) qualifies as the Controller) is responsible for determining the purposes for and manner in which the Customer Personal Data is processed and hereby undertakes that it and, where applicable, its customer has taken, and shall, throughout the duration of the Agreement, take all measures concerning the Customer Personal Data to ensure compliance with its obligations under the Data Protection Legislation, including the processing activities carried out by the Services and any authorisations required in respect of the provision of such Services by Supplier under these Data Processing Terms.
3. SUPPLIER PERSONNEL
3.1 Supplier will impose and maintain appropriate contractual obligations regarding confidentiality on any personnel authorised by Supplier to access the Customer Personal Data.
3.2 Supplier will implement and maintain access controls and policies in order to restrict Supplier personnel processing Customer Personal Data to those Supplier personnel who need to process Customer Personal Data to provide the Services to the Customer.
4. SECURITY MEASURES
4.1 Supplier has implemented and will maintain appropriate technical and organisational security measures to prevent unauthorised access to the Customer Personal Data, unauthorised or unlawful alteration, disclosure, destruction or unlawful processing of the Customer Personal Data or accidental loss or destruction of, or damage to, the Customer Personal Data, in each case taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing pursuant to the Services.
4.2 Customer is solely responsible for its use of the Services, including securing the account authentication credentials, systems and devices Customer uses to access the Services.
5. STORAGE AND TRANSFERS OF PERSONAL DATA
5.1 Supplier shall store Customer Personal Data in data centres located in the EEA, or, if applicable, following the exit of the United Kingdom from the European Union, the United Kingdom, provided it qualifies as a third country covered by Article 45, subsection 1 of the GDPR (an Adequate Jurisdiction).
5.2 Technical support services outside of normal business hours may be provided by a Supplier Affiliate located outside of the EEA. Where such services involve the processing of personal data in a jurisdiction which is not an Adequate Jurisdiction, such processing shall be done under another valid transfer mechanism under the GDPR including, for example, entering into the EU Controller-to-Processor Standard Contractual Clauses with Customer at its request.
6.1 The Customer hereby specifically authorises the engagement of any Supplier Affiliate as a sub-Processor.
6.2 Customer also generally authorises the use of third-party sub-Processors by Supplier, provided that:
(a) Supplier shall restrict the sub-Processor's processing of the Customer Personal Data to processing that is necessary to provide or maintain the Services;
(b) Supplier shall enter into contractual arrangements with such sub-Processors requiring them to guarantee a similar level of data protection compliance and information security to that provided for herein to the extent applicable to the processing activities being provided by such sub-Processor; and
(c) if a sub-Processor fails to comply with its data protection obligations, Supplier shall remain fully liable to the Customer for the performance (or failure of performance) of the sub-Processor’s data protection obligations.
6.3 Supplier shall maintain an up to date list of its sub-Processors relating to any Services it provides to the Customer. Supplier shall provide the list to the Customer upon written request.
6.4 Supplier will notify the Customer if any new sub-Processor is appointed during the Term and Customer shall have the opportunity to object to the use of such sub-Processor. If the Customer:
(a) does not respond (in writing) within 30 days from the date of the notification, it will be deemed to have given its authorisation to the use of such sub-Processor;
(b) responds by refusing (in writing) its authorisation and a mutually acceptable resolution to such refusal cannot be agreed, it may terminate the Agreement for convenience or terminate the service or that part of the service which is provided by Supplier using the relevant sub-Processor. This termination right is Customer’s sole and exclusive remedy if Customer objects to any new third-party sub-Processor.
6.5 Notwithstanding sub-sections 6.1 to 6.4 above, and subject to applicable law, Supplier may freely use sub-contractors or suppliers that do not qualify as processors under the Data Protection Legislation (including but not limited to energy suppliers, equipment suppliers, transport suppliers, technical service providers, hardware vendors etc.) without having to inform or seek prior authorisation from the Customer.
6.6 Supplier will impose and maintain appropriate contractual obligations regarding confidentiality on any sub-Processors authorised by Supplier to access the Customer Personal Data.
7. ASSISTANCE WITH DATA SUBJECT REQUESTS
7.1 The Customer acknowledges and agrees that it shall be responsible for compliance with any requests from data subjects under Data Protection Legislation.
7.2 Supplier agrees to provide reasonable assistance to the Customer without undue delay, taking into account the nature and functionality of the Services, in respect of the Customer’s or its customers’ obligations regarding:
(a) requests from data subjects in respect of access to or the rectification, erasure, restriction, blocking or deletion of Customer Personal Data, provided that the Customer acknowledges that Supplier only holds the Customer Personal Data in encrypted form and cannot access the data without the Password, and any such actions shall therefore be performed by the Customer or an Authorised Agent on its behalf and not by Supplier;
(b) the investigation of any incident which gives rise to a risk of unauthorised disclosure, loss, destruction or alteration of Customer Personal Data and the notification to the supervisory authority and data subjects in respect of such incidents;
(c) at the expense and cost of the Customer, the preparation of data protection impact assessments and, where applicable, carrying out consultations with the supervisory authority.
8. DEMONSTRATING COMPLIANCE
8.1 Supplier may use independent third-party auditors to periodically verify the adequacy of the security controls that apply to the Services.
8.2 The Customer shall have the right to audit Supplier’s compliance with these Data Processing Terms once per annum.
8.3 Supplier shall not be required to disclose any business confidential or commercially sensitive information, other customers’ information or information that it reasonably considers could be used to compromise the security or integrity of its systems.
9. DATA BREACH
9.1 If Supplier becomes aware of a security breach in relation to any Customer Personal Data which results in accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Customer Personal Data, Supplier will notify the Customer without undue delay, providing sufficient information to enable the Customer to assess the breach and its obligations regarding notifying supervisory authorities or data subjects under the Data Protection Legislation. Such notification shall be provided to the Customer Representative. For the avoidance of doubt, Supplier shall not be required to notify Customer of any unsuccessful attempts or activities that do not compromise the security of Customer Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.
9.2 Customer is solely responsible for complying with incident notification laws applicable to Customer under the Data Protection Legislation. Notwithstanding the foregoing, the parties will cooperate and provide all reasonable assistance with respect to complying with third party notification obligations under the Data Protection Legislation.
9.3 Supplier’s notification of or response to a data breach incident under this Clause 9 will not be construed as an acknowledgement by Supplier or any of its Affiliates of any fault or liability with respect to the data breach.
10. DELETION OF CUSTOMER DATA
Customer hereby instructs Supplier and any sub-processors to, within three months of the date of termination of the Agreement, delete all Customer Personal Data and upon request provide written confirmation (including by email) to the Customer that it has taken such measures.