Data Processing Agreement

This processing order agreement (the “Ordering Agreement“) forms part of:

  • Amelia Virtual Care‘ terms and conditions; or, as the case may be,
  • Any other agreement entered into between you and Amelia Virtual Care to govern the engagement and use of the Platform (collectively, the “Agreement“).

This Entrustment Agreement and the other provisions of the Agreement are complementary, however, in the event of a conflict, this Entrustment Agreement shall prevail.

I. ENTRY INTO FORCE

This Agreement shall become effective upon completion and signature by both parties (the “Effective Date”).

II. EFFECTIVENESS

This Entrustment Agreement shall apply to personal data processed on your behalf and for your account as Customer in the course of providing the Platform (“Customer Personal Data“).

  • The person signing the Entrustment Agreement on behalf of the Client declares to Amelia Virtual Care that he/she has the legal authority to bind the Client and that he/she is legally capable of entering into contracts.
  • The term of this Entrustment Agreement shall be the same as the term of the Agreement. This means that this Entrustment Agreement shall automatically terminate upon termination of the Agreement or upon earlier termination in accordance with the terms of this Entrustment Agreement.

III. TERMS OF THE ORDER CONTRACT

1. Definitions:

The following terms shall have the following meanings:

“Amelia Virtual Care”, “we”, “us”, “our” refers to PSICO SMART APP, S.L. a Spanish company located in Pabellón de Sant Manel, Hospital de Sant Pau, Carrer de Sant Antoni Maria Claret, 167, 08025 Barcelona, author, creator, and developer of the Platform.

“Platform” means our software developed and run on a platform intended to be used by professionals in the field of psychology and/or psychiatry on people with specificphobias, maladaptive fears, anxiety or other mental health related disorder, as an
adjunct to their patients’ therapeutic or psychotherapeutic actions. The Platform is the
product provided to you under the Agreement and includes any product we provide to
you as part of the Platform.

“Controller”, “processor”, “data subject”, “personal data”, “processing” and “appropriatetechnical and organizational measures” “Standard Contractual Clauses” as used inthis Entrustment Agreement shall have the meanings ascribed to them in the European Data Protection Act.

“Client”, “you”, “your” refers to the entity contracting the Amelia Virtual CarePlatform.

“End Users” means your patients’ personal data. For the avoidance of doubt, “End Usersincludes the individuals behind accounts managed by you (in particular, your patients).

“European Data Protection Law” means: (i) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“GDPR”); (ii) Directive 2002/58/EC concerning the processing of personal data and theprotection of privacy in the electronic communications sector; (iii) any applicable national implementation.

2. Scope of data protection law.

The parties acknowledge that European Data Protection Law will only applyto Customer Personal Data that is covered by the definitions contained in such laws.

3. Identification of the parties

For the purposes of this Contract of Engagement:

  • Amelia Virtual Carewill be considered the Data Processor.
  • The Client shall be considered the Data Controller.

4. Description of treatment and safety standards

A detailed description of the processing to be carried out can be foundattached as Appendix 1 to this Ordering Agreement. A list of the applicable securitystandards can be found in Appendix 2. A list of all sub-processors involved in the treatment is given in Appendix 3.

5. Customer Responsibility.

The Client, in its capacity as Controller of the Client’s PersonalData is responsible for ensuring that its use of the Platform complies with the European Data Protection Law and for ensuring and supervising, throughout the processing, AmeliaVirtual Care’compliance with the European Data Protection Law.

In this regard and prior to contracting the Platform or requesting the activation of additional functionalities, the Client undertakes to determine at its own expense the need to (i) carry out a data protection impact assessment, (ii) carry out the corresponding prior consultations; (iii) as well as any other analyses or assessments in the field of data protection. To the extent required under European Data Protection Law, Amelia Virtual Care will provide Customer with all reasonable assistance in this processor others of a similar nature and purpose.

IV. GENERAL STIPULATIONS FOR THE PROCESSING OF PERSONAL DATA

In the treatment of the Client’s Personal Data, Amelia Virtual Care is committed to comply with the European Data Protection Law. Also, Amelia Virtual Care has the implementation of HIPAA regulations in the processing of sensitive data, with security measures to ensure the processing of personal data, if you need more information, please contact us

The purpose of the data processing will be exclusively to provide the Platform service on the terms dictated by the Customer. This Assignment Agreement sets out the nature and purpose of the processing, the types of Customer Personal Data that Amelia Virtual Care will process, and the data subjects whose Customer Personal Data will be processed.

In this sense, the treatment will be carried out:

  • By complying with our obligations under Article 28 of the GDPR, that is:

a. process Customer Personal Data only in accordance with your documented instructions (as set out in this Engagement Agreement or the Agreement, or as directed by you through the Platform) for the performance of the service.

b. by taking the necessary measures in accordance with Article 32 GDPR, on the terms set out in Clause VII of this Engagement Agreement and as set out in Appendix 2

c.notifying you without delay if, in our opinion, an instruction to process Customer Personal Data given by you is in breach of European Data Protection Law;

d. making available to you all information that you reasonably request in order to demonstrate that your obligations regarding the appointment of sub-processors have been fulfilled, without prejudice to the provisions of Clause VI;

e. assisting you in fulfilling your obligations under Articles 35 and 36 of the GDPR.

f. assisting you in fulfilling your obligations under Articles 15 to 18 of the GDPR by providing you with documentation or assisting you in retrieving, correcting, deleting or blocking Customer Personal Data;

g. ensuring that Amelia Virtual Care personnel who are required to access Customer Personal Data are subject to a binding duty of confidentiality with respect to such Customer Personal Data;

h. securely deleting Customer Personal Data in our possession following your written request upon termination or early termination of the Agreement, unless retention of the Customer Personal Data is required under Union or Member State law;

  • In addition, and on the condition that you have previously signed a confidentiality and non-disclosure agreement with Amelia Virtual Care

a. We will permit you and your authorized representatives to access and review documents to ensure compliance with the terms of this Assignment Agreement.

b. During the term of the Agreement and as required by European Data Protection Law, we will permit you and your authorised representatives to conduct audits to ensure compliance with the terms of this Engagement Agreement. Without limiting the foregoing, any such audit shall be conducted during our normal business hours with reasonable notice to us and subject to reasonable confidentiality protocols.

The scope of any audit shall not obligate us to disclose to you or your authorized representatives or allow you or your authorized representatives access to: (i) to any data or information of any other Amelia Virtual Care customer;(ii)anyAmelia Virtual Care internal accounting or financial information; (iii) anyAmelia Virtual Care trade secrets; (iv) any information that, in our reasonable opinion, could compromise the security of our systems or facilities; or cause us
to breach our obligations under the European Data Protection Act or our security, confidentiality or privacy obligations to any other Amelia Virtual Care customer or any third party; or (v) any information that you or your authorized representatives seek to access for any reason other than in good faith compliance with your obligations under the European Data Protection Act and our compliance with the terms of this Entrustment Agreement.

In addition, audits will be limited to once a year, unless we have experienced a security breach in the previous twelve (12) months that has affected Customer Personal Data; or an audit reveals a material breach.

V. RIGHTS OF THE INTERESTED PARTIES

If Amelia Virtual Care, as a processor, receives notice of any claim,complaint,request, direction, inquiry, investigation, proceeding or other action from any data subject,court, regulatory or supervisory authority, or any body, organization, or association, whichrelates in any way to personal data processed by us on behalf of Customer, AmeliaVirtualCare undertakes to:

  • notify the Customer of such circumstance so that the Customer may comply with therequest to the extent that such notification is legally permitted
  • provide the Client with reasonable cooperation and assistance; and
  • not respond by its own means, unless the Customer instructs it otherwise in writing islegally bound.

VI. ASSISTANT PROCESSORS

The Client authorizes the use by Amelia Virtual Care of the sub-processors if itis necessary for any service carried out. Likewise, the Client authorizes Amelia Virtual Care to hire additional external sub-processors to process the Client’s Personal Data, provided that:

  • Amelia Virtual Care notifies Customer of the updated list of new sub-processors at least twenty (20) days in advance before allowing them to process Customer Personal Data, thus giving Customer the opportunity to object to such changes.

If the Customer objects to the substitution or hiring of a new subcontractor, the parties shall negotiate in good faith alternative solutions that are commercially reasonable

  • Amelia Virtual Care requires the new subcontractor to protect Customer PersonalData to a level no less stringent than that required by this Assignment Agreement and the European Data Protection Act

Customer understands that, by virtue of confidentiality restrictions that may apply to subcontractors, Amelia Virtual Care may be limited in its ability to disclose subcontractor agreements to Customer. In this regard, Amelia Virtual Care agrees to use reasonable efforts to require any sub-subcontractor it designates to permit it to disclose the sub-subcontractor agreement to Customer. Where, despite its best efforts, Amelia Virtual Care is unable to disclose a sub-supplier agreement to Customer, the parties agree that, upon Customer’s request, Amelia Virtual Care will provide, on a confidential basis, such information as it reasonably can in connection with such sub-supplier agreement to Customer

VII. TREATMENT SAFETY

Amelia Virtual Care shall implement and maintain appropriate technical and organizational measures to protect Customer Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, damage, theft, alteration, or disclosure, in accordance with the Entrustment Agreement. Such measures will be appropriate to the harm that could result from any unauthorized or unlawful processing, accidental loss, destruction, damage, or theft of Customer Personal Data and appropriate to the nature of the Customer Personal Data to be protected. In this regard, Amelia Virtual Care may update the technical and organizational measures, provided that suchmodifications do not diminish the overall level of security

If Amelia Virtual Care becomes aware of and confirms any accidental, unauthorized, or unlawful destruction, loss, alteration, disclosure, or access to your Customer Personal Data (“SecurityBreach”) that we process in the course of providing the Platform we will notify you without undue delay and in any event no later than 48 hours

VIII. DATA TRANSFERS.

It is part of Amelia Virtual Care’ policy to give preference in the contracting of suppliers to those companies located in the European Economic Area that comply with the highest standards of privacy and data protection.

Notwithstanding the foregoing, in the event that AmeliaVirtualCare processesthe Customer’s Personal Data in a country that does not have an adequacy decision (within the meaning of Article 45 GDPR), Amelia Virtual Care will adopt an appropriate transfer mechanism in accordance with the GDPR

If Amelia Virtual Care makes any international transfer for which the transfer mechanism employed is no longer valid under the GDPR (e.g. as a result of an invalid court judgment, etc.), Customer will allow Amelia Virtual Care a reasonable period of time to cure the breach (“CurePeriod”) in order to identify what additional safeguards or other measures can be taken to ensure its compliance with the GDPR

IX. VARIOUS.

  • Customer acknowledges and agrees that, as part of the provision of the Platform, Amelia Virtual Care is entitled to use data related to or obtained in connection with the operation, support or use of the Platform for its legitimate internal business purposes,such as supporting billing processes, administering the Platform, improving,benchmarking and developing our products and services, complying with applicable laws (including law enforcement requests), ensuring the security of our Platform and preventing fraud or mitigating risk.

With respect to Customer Personal Data, Amelia Virtual Care warrants that it will be used for its own purposes unless it has aggregated and anonymized the data so that it does notidentify Customer or any other person or entity, in particular End Users.

  • This Entrustment Agreement is subject to applicable law and the terms of jurisdiction of the Agreement.
  • Without limiting the foregoing, to the extent permitted by applicable law, all liability arising under this Assignment Agreement shall be governed by the limitations of liability (including caps on liability) in the Agreement.
  • In the event that any of the provisions of this Ordering Agreement shall be held to be invalid, illegal or unenforceable; the validity, legality and enforceability of the remaining provisions shall not be affected or impaired thereby and such provision shall only be ineffective to the extent of such invalidity, illegality or unenforceability.