ANNEX 2

V7 Data Processing Addendum (DPA)

Last modified April 10, 2024

Previous version:
August 21, 2023
October 13, 2022

NTERPRETATION 

  1. In this DPA, the following additional terms shall have the meanings set out in this Paragraph 1, unless expressly stated otherwise:
    1. “CCPA” means the California Consumer Privacy Act of 2018.
    2. “Cessation Date” has the meaning given in Paragraph 10.1.
    3. “Controller” means the party that determines the purposes and means of the Processing of Personal Data, and includes a “business” as defined in the CCPA.
    4. “Data Protection Laws” means, collectively: (i) the GDPR;  (ii) the CCPA; and (iii) all other applicable laws relating to the collection, Processing and protection of Personal Data and privacy that may exist in any relevant jurisdiction.
    5. “Data Subject Request” means the exercise by a Data Subject of their rights under, and in accordance with, the GDPR in respect of Personal Data.
    6. “EEA” means the European Economic Area.
    7. “GDPR” means, as appropriate and as amended from time to time: (i) the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) (“EU GDPR”);  and/or (ii) the EU GDPR as it forms part of UK law by virtue of section 3 of the European Union (Withdrawal) Act 2018 (“UK GDPR”); and/or (iii) any legislation, and/or regulation implementing or made pursuant to them or which amends, replaces, re-enacts or consolidates any of them.
    8. “Processor” means the party which Processes Personal Data on behalf of the Controller, and includes a “service provider” as defined in the CCPA.
    9. “Relevant Body” means:
      1. in the context of the UK GDPR, the UK Information Commissioner’s Office; and/or
      2. in the context of the EU GDPR, the European Commission.
    10. “Restricted Country” means:
      1. in the context of the UK, a country or territory outside the UK; and
      2. in the context of the EEA, a country or territory outside the EEA,
      3. that the Relevant Body has not deemed to provide an ‘adequate’ level of protection for Personal Data pursuant to a decision made in accordance with Article 45(1) of the GDPR.
    11. “Restricted Transfer” means the disclosure, grant of access or other transfer of Personal Data to any person located in:
      1. in the context of the EEA, a Restricted Country outside the EEA (an “EEA Restricted Transfer”); and/or
      2. in the context of the UK, a Restricted Country outside the UK (a “UK Restricted Transfer”).
    12. “Security Statement” means the V7 Security Statement found at https://www.v7labs.com/terms/security.
    13. “Services” means any services provided by V7 to Customer pursuant to an Order.
    14. “Standard Contractual Clauses” or “SCCs” means the standard contractual clauses approved by the European Commission pursuant to implementing Decision (EU) 2021/914).
    15. “Subprocessors” means additional Processors appointed by V7 to Process Personal Data on its behalf, including the sub-processors listed at https://www.v7labs.com/terms/security.
    16. “Supervisory Authority” means: (i) in the context of the EU GDPR, any authority within the meaning of Article 4(21) of the EU GDPR;  and (ii) in the context of the UK GDPR, the UK Information Commissioner’s Office.
    17. “UK” means the United Kingdom.
    18. “UK Transfer Addendum” means the template Addendum B.1.0 issued by the UK Information Commissioner’s Office (ICO) and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section ‎‎18 of the Mandatory Clauses included in Part 2 thereof (the “Mandatory Clauses”).
  2. In this DPA:
    1. the terms “Data Subject”, “Personal Data Breach” and “Processing / Process / Processed” shall have the meaning ascribed to the corresponding terms in the Data Protection Laws.
    2. unless otherwise defined in this DPA, all capitalised terms in this DPA shall have the meaning given to them in the Terms and Conditions; and
    3. any reference to any statute, regulation or other legislation in this DPA shall be construed as meaning such statute, regulation or other legislation, together with any applicable judicial or administrative interpretation thereof (including any binding guidance, guidelines, codes of practice, approved codes of conduct or approved certification mechanisms issued by any relevant Supervisory Authority).

2. ROLES OF THE PARTIES

  1. In the course of V7 providing the Services pursuant to an Order, Customer may from time-to-time provide or make available Personal Data to V7 for Processing on the Platform in connection with the Services. The Parties acknowledge and agree that, in relation to any such Personal Data, Customer will be the Controller and V7 will be a Processor for the purposes of the Data Protection Laws.

3. DETAILS OF PROCESSING

  1. The Order determines the subject-matter and duration of V7’s Processing of Personal Data, and the obligations and rights of Customer in relation to such Processing. The types of Personal Data, categories of Data Subjects and nature of V7’s Processing of Personal Data are set out in Attachment 1 (Personal Data Attachment).

4. INSTRUCTIONS

  1. V7 shall Process Personal Data:
    1. on behalf of Customer and only in accordance with the instructions given by Customer from time to time as documented in, and in accordance with, the terms of the Order and the Terms and Conditions; or
    2. as required by applicable laws, in which case V7 shall (to the extent not prohibited by such laws) inform Customer of that legal requirement before the relevant Processing of that Personal Data.
  2. V7 shall promptly inform Customer if, in its opinion, an instruction infringes against applicable laws.

5. LAWFUL PROCESSING

  1. Customer shall ensure that it is entitled to give access to the relevant Personal Data to V7 so that V7 may lawfully Process Personal Data in accordance with the Order on Customer’s behalf, which may include V7 Processing the relevant Personal Data outside the country where Customer and/or the Data Subjects are located in order for V7 to provide the Services and perform its other obligations under the Order.
  2. Customer shall:
    1. comply with its obligations under the Data Protection Laws which arise in relation to this DPA, the Order and the receipt of the Services; and
    2. not do or omit to do anything which causes V7 (or any Subprocessor) to breach any of its obligations under the Data Protection Laws.

6. PERSONNEL

  1. V7 shall ensure that all persons it authorizes to access Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
  2. Each Party shall take reasonable steps to ensure that any natural person acting under its authority who has access to Personal Data does not Process it except on instructions from it.

7. SECURITY MEASURES

  1. V7 shall implement appropriate technical and organizational measures to protect Personal Data and ensure a level of security appropriate to the risk. V7’s measures comprise those documented in its Security Statement.

8. RESTRICTED TRANSFERS

  1. any improper use, misuse or unauthorized alteration of the Platform by Customer;
  2. any use of the Platform by Customer in a manner inconsistent with the then-current Documentation;
  3. any use of the Platform in combination with other products, hardware, equipment, software or data not expressly authorized by V7 to be used with the Platform;
  4. any failure of Customer to: (i) maintain Internet connectivity to the extent necessary to prevent network performance degradation; or (ii) maintain an Internet connection with adequate bandwidth to access and use the Platform;
  5. any factors outside of V7’s reasonable control (including any Force Majeure Event); or
  6. any failure of Customer to ensure that all Authorized Users have installed, and access the Platform via, a supported version of both an internet browser and operating system that is listed in the Documentation as supported by V7 from time to time.

9. SUBPROCESSORS

  1. Customer hereby authorizes V7 to appoint the Subprocessors as additional Processors of Personal Data under the Order, provided that V7 shall:
    1. impose upon such Subprocessors data protection obligations that ensure at least the same level of data protection as set out in this DPA;  and
    2. be responsible for the acts and omissions of such Subprocessors under the Order.
  2. V7 shall inform Customer of any intended changes concerning the addition or replacement of a Subprocessor by making such information available to Customer at https://www.v7labs.com/terms/security (and Customer may subscribe to receive electronic notifications of any addition or replacement of Subprocessors). Customer may object to such changes in writing setting out its reasonable concerns in detail within fifteen (15) days from such notice. If Customer does not respond to such changes, V7 shall have the right to continue to Process the Personal Data in accordance with the terms of this DPA, including using the relevant Subprocessors. If Customer objects, V7 shall consult with Customer, consider Customer’s concerns in good faith and inform Customer of any measures taken to address Customer’s concerns. If Customer upholds its objection and/or demands significant accommodation measures which would result in a material increase in cost to provide the Services, V7 shall be entitled to increase the Fees for the Services or, at its option, terminate the Order.
  3. Where necessary to legalize the use of any Subprocessors, Customer hereby authorizes V7 to enter into SCCs in accordance with Paragraph 8 with such Processors as agent on behalf of Customer and (if required) Customer’s Affiliates. Each such conclusion of SCCs shall be considered a supplement to the Order and shall be subject to the terms and conditions set out therein.
  4. Notwithstanding anything to the contrary in this Section 9, in the event Customer elects to add a Foundation Model to the Platform, the third party owning such Foundation Model shall automatically be deemed a Subprocessor to whom Customer has not objected.

10. DELETION

  1. Upon the date of termination or expiry of Services involving the Processing of Personal Data (the “Cessation Date”), V7 shall cease all Processing of Personal Data related to such Services except as set out in this Paragraph.
  2. Customer hereby acknowledges and agrees that, due to the nature of Personal Data Processed by V7, return (as opposed to deletion) of Personal Data may require exceptional effort by V7 in some circumstances. At any time, whether prior to, or following, the Cessation Date, Customer may request that V7 delete all relevant Personal Data Processed on behalf of Customer, and V7 shall so delete such Personal Data then in its possession within thirty (30) days of request, subject to V7 retaining any copies required by applicable laws (and in that case, for such period as may be required by such applicable laws).

11. ASSISTANCE AND COOPERATION

  1. V7 shall, upon Customer’s reasonable written request, provide reasonable assistance to Customer with its legal obligations under Data Protection Laws, including any data protection impact assessments and prior consultations with Supervisory Authorities which Customer reasonably considers to be required of it by Data Protection Laws, in each case solely in relation to Processing of Personal Data by, and taking into account the nature of the Processing by, and information available to, V7.

12. DATA SUBJECT REQUESTS

  1. V7 shall, upon Customer’s reasonable written request, provide Customer with such assistance as may be reasonably necessary and technically possible in the circumstances to assist Customer in fulfilling its obligation to respond to Data Subject Requests.
  2. Upon receipt of any Data Subject Request that relates to Personal Data that V7 Processes for Customer, V7 shall promptly notify Customer and not respond to such Data Subject Request except on the written instructions of Customer.
  3. Customer is solely responsible for responding to Data Subject Requests. V7’s notification of or response to a Data Subject Request under this Paragraph is not an acknowledgement by V7 of any fault or liability with respect to the Data Subject Requests.

13. PERSONAL DATA BREACHES

  1. If V7 becomes aware of any actual Personal Data Breach affecting Personal Data that V7 Processes for Customer, V7 shall: (i) notify Customer of such Personal Data Breach without undue delay;  and (ii) take reasonable steps to mitigate the effects of the Personal Data Breach. The notification shall at least:
    1. describe the nature of the Personal Data Breach including, where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned;
    2. communicate the name and contact details of the data protection officer or other contact point at V7 where more information can be obtained;
    3. describe the likely consequences of the Personal Data Breach;  and
    4. describe the measures taken or proposed to be taken by V7 to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.
  2. Customer is solely responsible for complying with data breach notification laws applicable to Customer and fulfilling any third-party notification obligations related to any Personal Data Breach. V7’s notification of, or response to, a Personal Data Breach under this Paragraph is not an acknowledgement by V7 of any fault or liability with respect to the Personal Data Breach.

14. DEMONSTRATION OF COMPLIANCE

  1. If Customer (acting reasonably and in good faith) considers that the information provided in accordance with Paragraph 14.2 is not sufficient to demonstrate V7’s compliance with the obligations set out in this DPA, or where otherwise required by Data Protection Laws, Customer may (at its cost) perform on-site audits at the V7 processing facility (or facilities) that provides the Services to Customer, subject to the following:
  2. V7 shall, upon Customer’s reasonable written request, make available to Customer all information reasonably necessary to demonstrate V7’s compliance with the obligations set out in this DPA in relation to Personal Data that V7 Processes for Customer. V7 and Customer will use current certifications or other existing audit reports to minimize repetitive audits.
    1. on-site audits may only be carried out once per calendar year, unless a Supervisory Authority having jurisdiction over Customer expressly requires more frequent audits (in which case the request for audit shall detail the applicable requirements under which the Supervisory Authority requires the audit and/or information from Customer, including details of the relevant regulation or regulatory obligation which necessitates such request);
    2. requests for on-site audit visits shall be made in writing by Customer at least sixty (60) days in advance (unless shorter notice is given by the Supervisory Authority or specifically required by the relevant regulatory obligation, in which case Customer will give as much advance notice as is possible in the circumstances and provide the reasoning for the shorter notice), and shall specify the scope of the information sought and the specific purpose of the audit;
    3. on-site audits will be limited to a review of V7’s compliance with this DPA;
    4. on-site audits shall be conducted during normal business hours for the facility and shall be coordinated with V7 so as to cause minimal disruption to V7’s business operations;
    5. on-site audits must be reasonable in scope and duration, shall not last more than two (2) Business Days;
    6. on-site audits shall be performed by Customer’s employees and/or a reputable third-party auditor agreed to by both Parties, it being understood that Customer (and its representatives) shall at all times be bound by the confidentiality provisions of the Terms and Conditions and shall be accompanied by a representative of V7;
    7. V7 may require on-site audits to be conducted remotely if necessary for health and safety reasons;
    8. except as prohibited by applicable laws or the relevant Supervisory Authority, V7 shall receive and be entitled to comment on any report prepared by or on behalf of Customer prior to that report being published or disseminated (such report to be V7 Confidential Information except to the extent it relates to the business or affairs of Customer, which information will be Customer Confidential Information), which publication or dissemination shall be done only pursuant to the confidentiality provisions of the Terms and Conditions;
    9. when performing audits in multi-customer environments, care should be taken to ensure that risks to another customer’s environment (e.g.  impact on service levels, availability of data, confidentiality aspects) are avoided or mitigated;
    10. V7 does not allow any form of direct security testing initiated by Customer or on behalf of Customer, including but not limited to, vulnerability scanning, penetration testing, application code scanning, dynamic testing, installation of audit software, direct access to systems, or ethical hacking of V7 systems, applications, databases, or networks, except as may otherwise be agreed by V7’s Chief Information Security Officer and/or designee in writing and signed by both Parties; and
    11. V7 will not acknowledge any results from any form of security testing that is not performed by V7. V7 will provide Customer and any Supervisory Authority with access to a summary of its annual vulnerability assessment findings in accordance with the section ‘Patch and Vulnerability Management’ in the Security Statement.

15. REIMBURSEMENT

  1. Customer shall reimburse V7 for any costs reasonably incurred by V7 in performing its obligations under Paragraphs 11 to 14, in each case except to the extent that such costs were incurred as a result of any breach by V7 of its obligations under this DPA.

Attachment 1

Personal Data Attachment

V7’s activities

V7 offers a web-based software-as-a-service data management and machine learning analytics platform.

Subject matter and duration of the Processing of Personal Data

The subject matter and duration of the Processing of the Personal Data are set out in the Order and the DPA.

The nature and purpose of the Processing of Personal Data

V7 will process the Personal Data to deliver the Services pursuant to the Order.

The types of Personal Data to be Processed

V7 may process Personal Data of the following categories:

  • Identification data (e.g. name, date of birth)
  • Identification documents (e.g. passport, identity card)
  • Contact data (e.g. email address, postal address)
  • Anonymised/pseudonymised medical imagery / scans and written medical records
  • Imagery of faces or personally identifiable traits such as tattoos or name tags
  • Imagery captured from within private properties, or of the premises of a private property

The categories of Data Subjects to whom the Personal Data relates

V7 may process Personal Data from Data Subjects of the following categories:

  • Customer’s and Customer Affiliates’ customers / users
  • Customer’s and Customer Affiliates’ prospective customers / users
  • Customer and Customer Affiliates’ patients
  • Participants in clinical trials sponsored or conducted by Customer or Customer Affiliates

Authorized Subprocessors

Customer authorizes V7 to appoint the Subprocessors listed at https://www.v7labs.com/terms/dps.

Data retention

V7 will delete the Personal Data from its systems on expiry or termination of the Services in accordance with Paragraph 10 of the DPA.

Attachment 2

Population of SCCs

Notes:

  • In the context of any EEA Restricted Transfer, the SCCs populated in accordance with Part 1 of this Attachment 2 are incorporated by reference into and form an effective part of the DPA.
  • In the context of any UK Restricted Transfer, the SCCs as varied by the UK Transfer Addendum and populated in accordance with Part 2 of this Attachment 2 are incorporated by reference into and form an effective part of the DPA.

PART 1: EEA RESTRICTED TRANSFERS

  1. SIGNATURE OF THE SCCs‍

Where the SCCs apply in accordance with Paragraph 8 of this DPA, each of the Parties is hereby deemed to have signed the SCCs at the relevant signature block in Annex I to the Appendix to the SCCs.

  1. MODULE

Module Two of the SCCs shall apply to any EEA Restricted Transfer.

  1. POPULATION OF THE BODY OF THE SCCs
    1. The SCCs shall be populated as follows:
      1. The optional ‘Docking Clause’ in Clause 7 is not used and the body of that Clause 7 is left intentionally blank.
      2. In Clause 9, OPTION 2: GENERAL WRITTEN AUTHORISATION applies, and the minimum time period for advance notice of the addition or replacement of Subprocessors shall be the advance notice period set out in Paragraph 9 of this DPA.
      3. In Clause 11, the optional language is not used and is deleted.
      4. In Clause 13, all square brackets are removed and all text therein is retained.
      5. In Clause 17, OPTION 1 applies, and the Parties agree that the SCCs shall be governed by the law of Ireland in relation to any EEA Restricted Transfer.
      6. For the purposes of Clause 18, the Parties agree that any dispute arising from the SCCs in relation to any EEA Restricted Transfer shall be resolved by the courts of Ireland, and Clause 18(b) is populated accordingly.    ‍
  2. POPULATION OF ANNEXES TO THE SCCs
    1. Annex I to the Appendix to the SCCs is populated with the corresponding information detailed in Attachment 1 (Personal Data Attachment) to this DPA, with Customer being ‘data exporter’ and V7 being ‘data importer’.
    2. Part C of Annex I to the Appendix to the SCCs is populated as below:

The competent Supervisory Authority shall be determined as follows:

  • Where Customer is established in an EU Member State: the competent Supervisory Authority shall be the Supervisory Authority of that EU Member State in which Customer is established.
  • Where Customer is not established in an EU Member State, Article 3(2) of the GDPR applies and Customer has appointed an EU representative under Article 27 of the GDPR: the competent Supervisory Authority shall be the Supervisory Authority of the EU Member State in which Customer’s EU representative relevant to the processing hereunder is based (from time-to-time).
  • Where Customer is not established in an EU Member State, Article 3(2) of the GDPR applies, but Customer has not appointed an EU representative under Article 27 of the GDPR: the competent Supervisory Authority shall be the Supervisory Authority of the EU Member State notified in writing to V7’s contact point, which must be an EU Member State in which the Data Subjects whose Personal Data is transferred under these Clauses in relation to the offering of goods or services to them, or whose behaviour is monitored, are located
  • Annex II to the Appendix to the SCCs is populated by reference to the Security Statement.


PART 2: UK RESTRICTED TRANSFERS

Where relevant in accordance with Paragraph 8 of this DPA, the SCCs also apply in the context of UK Restricted Transfers as varied by the UK Transfer Addendum in the manner described below:

  1. Part 1 of the UK Transfer Addendum. As permitted by Section 17 of the UK Transfer Addendum, the Parties agree that:
    1. Tables 1, 2 and 3 of Part 1 of the UK Transfer Addendum are deemed populated with the corresponding details set out in Attachment 1 (Personal Data Attachment) to this DPA and the foregoing provisions of Part 1 of this Attachment 2 (subject to the variations affected by the Mandatory Clauses described in (b) below); and
    2. Table 4 of Part 1 of the UK Transfer Addendum is completed by the box labelled ‘Data Importer’ being deemed to have been ticked. ‍
  2. Part 2 of the UK Transfer Addendum. The Parties agree to be bound by the Mandatory Clauses of the UK Transfer Addendum.
  3. In relation to any UK Restricted Transfer to which they apply, where the context permits and requires, any reference in the DPA to the SCCs shall be read as a reference to those SCCs as varied in the manner set out in this Part 2.‍

Next up: V7 Acceptable Use Policy