This Data Processing Addendum supplements and is incorporated into the Agreement between RadiusXR and Customer. The DPA is binding on both parties without further action or signature. By executing or otherwise entering into the Agreement, Customer agrees to the terms of this DPA.
Capitalized terms used and not defined in this DPA shall have the respective meanings set forth in the Agreement and/or applicable Data Protection Law.
1.1 This DPA serves as a written data processing agreement between RadiusXR and Customer (on its behalf and on behalf of each Controller referenced in this DPA) and shall apply to any Processing of Personal Data by RadiusXR or any of its Sub-processors in connection with services provided under the terms of the Agreement. This DPA shall be effective for the period RadiusXR provides services to Customer under the Agreement to which this DPA applies and for any period after during which RadiusXR retains Personal Data.
1.2 The Parties agree that this DPA shall replace any existing data processing agreement or similar document that the parties may have previously entered into in connection with the RadiusXR Services. In the event of any conflict between the terms of the Agreement, including any previously or concurrently executed addendums, and the terms of this DPA, the relevant terms of this DPA shall take precedence. If any provision of this DPA is found by any court of competent jurisdiction to be invalid or unenforceable, the invalidity of such provision shall not affect the other provisions hereof, and all provisions not affected by such invalidity shall remain in full force and effect.
2.1 “Customer Data” means all data provided or otherwise made available by Customer to RadiusXR in the course of RadiusXR providing services pursuant to the Agreement.
2.6 “Data Protection Law” means laws and regulations applicable to the Processing of Personal Data under the Agreement, including (i) the General Data Protection Regulation, Regulation (EU) 2016/679 (“GDPR”) and the UK GDPR, (ii) the Swiss Federal Act on Data Protection; and (iii) the UK Data Protection Act 2018; in each case, as updated, amended or replaced from time to time. The terms “Controller,” “Data Subject,” “Processing,” “Processor,” and “supervisory authority” shall have the definitions set forth in the GDPR.
2.3 “EEA” means, for purposes of this DPA, the European Economic Area, Switzerland, and the United Kingdom.
2.4 “Personal Data” shall have the meaning set forth in the GDPR, to the extent such data is Customer Data.
2.5 “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed by RadiusXR.
2.6 “Standard Contractual Clauses” means:
2.7 “Sub-processor” means any Processor engaged by RadiusXR, including affiliates of RadiusXR acting as Processors.
3.1 It is acknowledged and agreed that regarding the processing of Personal Data under this DPA, Customer is the Controller and RadiusXR is the Processor (whether acting itself or through Sub-processors pursuant to Section 8 (Sub-processors) below).
3.2 Both Parties shall, in their respective roles, comply with all Data Protection Laws regarding Personal Data Processed under this DPA.
3.3 The nature and purpose of the Processing, the types of Personal Data and categories of Data Subject Processed under this DPA are specified in Schedule 1 – Part 1 hereto, as may be updated by the Parties as applicable from time to time.
3.4 Customer shall, in its use and receipt of the services provided or made available by RadiusXR pursuant to the Agreement (“RadiusXR Services”), Process Personal Data in accordance with the requirements of Data Protection Laws.
4.1 Customer acts as, and as between Customer and RadiusXR, will at all times remain, the Controller:
4.2 Customer shall, in its use of the RadiusXR Services, process Personal Data in accordance with Data Protection Law, including any applicable requirements to provide notice to Data Subjects of the use of RadiusXR as a Processor.
4.3 Except as may be otherwise required under the applicable Data Protection Law, Customer shall serve as a single point of contact for RadiusXR in all matters under this DPA and shall be responsible for the internal coordination, review and submission of instructions or requests to RadiusXR as well as the onward distribution of any information, notifications and reports provided by RadiusXR hereunder.
4.4 In its capacity as Controller, Customer represents and warrants that it is entitled to provide access to Personal Data to RadiusXR for purposes hereof and, consequently, that it has a lawful basis and any necessary approvals from any relevant Data Subjects for RadiusXR’s performance of the RadiusXR Services.
4.5 Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Customer acquired Personal Data.
5.1 Purposes for Processing: Except as otherwise legally permitted in its capacity as a Processor under this DPA, RadiusXR shall Process Personal Data hereunder solely in accordance with the documented instructions of the Customer and for the following limited purposes:
5.2 Unauthorized Processing: RadiusXR will promptly, but in no event later than five (5) days from the date of such determination, inform Customer if, in its determination, any instruction or request by Customer violates Data Protection Law.
5.3 Legal Requests: RadiusXR will report to Customer without undue delay any request, demand, or order received by RadiusXR from a competent supervisory authority or Data Subject relating to the Processing of Personal Data.
5.4 Assistance and Cooperation: Taking into account the nature of the Processing, RadiusXR will assist Customer in complying with its obligation to respond to requests of Data Subjects under Data Protection Law by appropriate technical and organizational measures, insofar as this is possible, provided that RadiusXR will provide such assistance to the extent:
5.5 Retention and Destruction of Personal Data. Subject to applicable legal retention obligations, upon termination of the Agreement, RadiusXR will return to Customer or delete any Personal Data in its control, in accordance with the procedures and timeframes applied by RadiusXR from time to time, and, if requested, confirm such deletion to Customer in writing.
5.6 Confidentiality. RadiusXR will only rely on personnel in the Processing of Personal Data who are contractually or by statutory obligation bound to maintain confidentiality, ensure that access to Personal Data Processed is limited to those personnel who require such access to perform the applicable RadiusXR Services, and take commercially reasonable steps to ensure the reliability of personnel engaged in the Processing of Personal Data hereunder.
5.7 Non-Delegation. RadiusXR will not delegate the processing of Personal Data to a Sub-processor other than pursuant to section 8 (Sub-processors) below.
6.1 Security Obligations. In connection with its Processing of Personal Data hereunder RadiusXR will provide for and maintain appropriate administrative, physical, technical and organizational security measures for such Processing, which measures are intended to protect Personal Data against accidental, illegal, or unauthorized loss, use, destruction, alteration, modification, disclosure or access, and to ensure a level of security appropriate to the particular risks involved in the Processing. In this connection:
6.2 Data Breach. RadiusXR will inform Customer without undue delay after it becomes aware of any Personal Data Breach in connection with the Processing of Personal Data under this DPA, observing the following process:
6.3 To the extent that a Personal Data Breach is caused by Customer, Customer affiliate or anyone acting for Customer, RadiusXR will inform the Customer of the Personal Data Breach and provide information it discovers up to the stage it identifies the breach is caused by the Customer, Customer affiliate or anyone acting for the Customer. Further assistance to investigate such a Personal Data Breach is subject to additional agreement of the Parties.
7.1 If required under applicable Data Protection Law or reasonable grounds exist to suspect non-compliance of this DPA or applicable Data Protection Law on RadiusXR’s part, RadiusXR shall, upon Customer’s written request, make all necessary information available to demonstrate compliance hereof. This may include a summary audit report or certification produced by a reputable third party which demonstrates RadiusXR’s compliance in line with a generally accepted privacy and security framework. If required by applicable Data Protection Law or if, in the Customer’s reasonable opinion, the scope of the audit is insufficient to demonstrate compliance with this DPA, then RadiusXR shall allow for audits, including inspections, to be performed by Customer (or an independent third party auditor mandated by Customer that is reasonably acceptable to RadiusXR and subject to signature of a confidentiality agreement with RadiusXR) of RadiusXR relevant to the Personal Data Processed under this DPA. It is agreed that:
8.1 RadiusXR may delegate the Processing of Personal Data to a Sub-processor which is bound to comply with provisions relating to confidentiality and data protection no less stringent than the terms of this DPA. RadiusXR shall remain fully liable for the conduct of any of its Sub-processors as for its own conduct.
8.2 Subject to Section 8.1, Customer hereby gives its general written consent and authorization to RadiusXR to use Sub-processors identified in Schedule 1 – Part 3 for Processing of Personal Data for the purposes set forth in this DPA. RadiusXR shall provide Customer with notification of new Sub-processor(s) at least thirty (30) days before authorizing such new Sub-processor(s) to Process Personal Data in connection with the provision of the applicable services.
8.3 Customer may object to RadiusXR’s use of a new Sub-processor on reasonable grounds by notifying RadiusXR in writing within ten (10) business days after receipt of notification pursuant to Section 8.2. In the event Customer objects to a new Sub-processor, as permitted in the preceding sentence, RadiusXR will use commercially reasonable efforts to make available to Customer a change in the services or recommend a commercially reasonable change to Customer’s configuration or use of the services to avoid Processing of Personal Data by the objected-to new Sub-processor without unreasonably burdening the Customer. If RadiusXR is unable to make available such change, the Customer may as its sole remedy terminate the portion of the RadiusXR Service(s) which cannot be provided by RadiusXR without the use of the objected-to Sub-processor, provided that the Parties shall always first use their mutual reasonable endeavors to resolve the issue at hand and Customer acknowledges that any termination shall be used as a last resort only.
RadiusXR’s and all of its affiliates’ liability, taken together in the aggregate, arising out of or related to this DPA, whether in contract, tort, or under any other theory of liability, is subject to the “Limitation of Liability” section in the Agreement, and any reference in such section to the liability of RadiusXR means the aggregate liability of RadiusXR and all of its affiliates under the Agreement and this DPA taken together.
It is acknowledged that RadiusXR, either itself or using permitted Sub-processors, as part of its regular business performs services from locations in countries and territories outside the EEA. This Section 10 sets forth the provisions on how Personal Data Processed under this DPA may be transferred from a country or territory within the EEA to, or accessed from, a country or territory outside the EEA, either directly or via onward transfer (each a “Transfer”) by RadiusXR, acting itself and/or through permitted Sub-processors, and Customer hereby gives its specific written mandate, authorization and instruction to RadiusXR for the purposes of conducting such Transfers when providing the services from locations outside the EEA, as set forth below.
For the purposes of Transfers of Personal Data under this DPA, Customer and RadiusXR incorporate the relevant Standard Contractual Clauses as if they were set out in full in this DPA (the “Data Transfer Agreement”) and under which Customer acts as the “data exporter” and RadiusXR, itself and/or through any permitted Sub-processor outside of the EEA, acts as the “data importer” (as those terms are defined in the Standard Contractual Clauses). The Parties’ signature and dating of this DPA shall be deemed to be the signature and dating of the Data Transfer Agreement (with the Customer signing as the data exporter and RadiusXR signing as the data importer). The terms of the relevant Data Transfer Agreements, if applicable, will prevail over conflicting or inconsistent terms in this DPA to the extent of the conflict or inconsistency.
Transfers of Personal Data shall only be permitted if:
Without prejudice to section 10.3 of this DPA, the following provisions will be used to assist in the interpretation of the Standard Contractual Clauses incorporated as part of this DPA:
This DPA shall be governed by and construed in accordance with the governing law and jurisdiction provisions in the Agreement, unless required otherwise by applicable Data Protection Law.
Schedule 1
Part 1: Details of Processing
Nature and Purpose of Processing | RadiusXR will Process Personal Data as necessary to perform the RadiusXR Services pursuant to the Agreement, and as further instructed by Customer in its use of the RadiusXR Services and this DPA. These processing services include storing and maintaining personal data for use by the relevant clinician in providing treatment to patients, as well as maintaining account information for use by Customer in connection with clinician training and recordkeeping. |
Duration of Processing | Subject to section 5.5 of the DPA, RadiusXR will Process Personal Data for the duration of the Agreement, unless otherwise agreed upon in writing. |
Categories of Data Subjects | The categories of Data Subjects whose Personal Data are Processed on behalf of the Customer consist of the following: |
Categories of Personal Data Processed | The categories of Personal Data consist of the following (check all that apply). The following special categories of Personal Data are Processed: |
Purposes for which Personal Data is Processed on Behalf of Customer | Personal Data is processed for the following purposes on behalf of the Customer: |
Part 2: Technical And Organizational Measures Including Technical And Organizational Measures To Ensure The Security Of The Data
RadiusXR shall maintain reasonable administrative, organizational, technical and physical controls designed to ensure the privacy, security, and confidentiality of the Personal Data (“Safeguards”), that comply with this DPA and Data Protection Law, including:
☐ All facilities used to store and process Customer Data will implement and maintain administrative compliance with the current versions of the following applicable security framework(s), and RadiusXR will provide certificate(s) of compliance with such framework(s) on an annual basis upon Customer’s request:
☐ ISO/IEC 27001 and 27002 standards
☐ The NIST Cybersecurity Framework
☐ The Payment Card Industry-Data Security Standards (required if RadiusXR stores, processes, or transmits payment card primary account numbers or cardholder data).
☐ Other:
☐ In absence of the foregoing, RadiusXR agrees to the following:
☐ | Physical Access. RadiusXR will maintain physical access controls designed to secure relevant facilities, infrastructure, data centers, hard copy files, servers, backup systems, and equipment (including mobile devices) used to access Personal Data, including controls to prevent, detect, and respond to attacks, intrusions, or other system failures; |
☐ | User Authentication. RadiusXR will maintain user authentication and access controls within operating systems, applications, equipment, and media; |
☐ | Personnel Security. RadiusXR will maintain personnel security policies and practices restricting access to Personal Data, including written confidentiality agreements and background checks consistent with Data Protection Law for all personnel with access to Personal Data or who maintain, implement, or administer RadiusXR’s information security program and Safeguards; |
☐ | Logging and Monitoring. RadiusXR will log and monitor the details of all access to Personal Data on networks, systems, and devices operated by RadiusXR. RadiusXR’s logging and monitoring systems shall meet generally accepted standards and RadiusXR shall maintain all access logs for at least 90 days; |
☐ | Malware Controls. RadiusXR will maintain reasonable and up-to-date controls to protect all networks, systems, and devices that access Personal Data from malware and unauthorized software; |
☐ | Security Patches. RadiusXR will maintain controls and processes designed to ensure that networks, systems, and devices (including operating systems and applications) that access Personal Data are up-to-date, including prompt implementation of all security patches when issued; |
☐ | User Account Management. RadiusXR must implement reasonable user account management procedures to securely create, amend, and delete user accounts on RadiusXR’s networks, systems, and devices, including monitoring redundant accounts and ensuring that information owners properly authorize all user account requests; |
☐ | Infrastructure and network security. RadiusXR must implement and maintain confidentiality by implementing endpoint security, network security protocols, network identification services, data encryption services, integrity by firewall services, communications security management, intrusion detection services and intrusion prevention systems, data availability safeguards (back-ups, redundant disk systems), reliable and interoperable security processes and network security mechanisms; |
☐ | Security architecture and design. RadiusXR must enforce appropriate security policies that can be applied to all aspects of RadiusXR’s IT infrastructure (e.g. workstations, servers, storage area networks, switches, firewalls, routers, virtualization, or cloud computing). |
☐ | Business continuity and disaster recovery planning. RadiusXR must put in place appropriate technical and organizational systems to preserve and continue business in the wake of a disaster. |
☐ | Encryption Requirements. Using a reasonable encryption standard, RadiusXR will encrypt all Personal Data that is (a) stored on portable devices or portable electronic media; (b) stored or maintained outside of Customer’s or RadiusXR’s facilities, excluding hard copy documents; or (c) transferred across any network other than an internal RadiusXR network owned and managed by RadiusXR. |
☐ | Access Controls. RadiusXR will: (a) maintain reasonable controls to ensure that only individuals who have a legitimate need to access Personal Data under the Agreement will have such access; (b) promptly terminate an individual’s access to Personal Data when such access is no longer required for performance under the Agreement; (c) log the appropriate details of access to Personal Data on RadiusXR’s systems and equipment, and retain such records for no less than 90 days; and (d) be responsible for any unauthorized access to Personal Data under RadiusXR’s custody or control or Sub-processor’s custody or control. |
☐ | Training and Supervision. RadiusXR will provide reasonable ongoing privacy and information protection training and supervision for all RadiusXR’s personnel who access Personal Data. |
☐ | Other: |
Part 3: List of Sub-Processors
Subprocessor | Type of Service | Location | More information |
Amazon Web Services (AWS) – Security & Monitoring Tools (includes CloudTrail, GuardDuty, Security Hub, Config, Inspector, and CloudWatch) | Cloud-based security monitoring, compliance auditing, configuration tracking, vulnerability detection (cloud/IaaS) | US | AWS Trust Center: https://aws.amazon.com/trust-center/ |
MongoDB | Cloud database (cloud/SaaS) | US | MongoDB Trust Center: |
AWS SES (Pinpoint) | Email delivery (cloud/SaaS) | US | See AWS above |
MailChimp (Intuit) | Email service provider (SaaS) | US | MailChimp DPA: https://mailchimp.com/legal/privacy- |
Google Workspace | Productivity / email (SaaS) | US | Google Cloud Trust Center: |
Twilio | Communications APIs (SaaS) | US | Twilio Trust Center: |
Power BI (Microsoft) | Analytics / BI Cloud (SaaS) | US | Microsoft Trust Center: |
Mixpanel | User analytics, event tracking (SaaS) | US | Mixpanel DPA: |
Zendesk | Customer Support tools (SaaS) | US | Zendesk Trust Center: |
Salesforce | Customer Support tools (SaaS) | US | Salesforce Trust Center: |
Knox | Customer Support tools | US | https://www.samsungknox.com/en/knox-platform |
Intuit Quickbooks | Financial Services | US | |
Pangea | User analytics, event tracking (SaaS) | US | |
ANNEX I
Data exporter(s): Customer
Role: Controller
Data importer(s):
Name: RadiusXR, Inc.
EU Contact name and contact details: MedEnvoy Global BV, Prinses Margrietplantsoen 33, Suite 123, 2595 AM Hague, The Netherlands.
Contact email: vigilance@medenvoyglobal.com.
Activities relevant to the data transferred under these Clauses: Provision of the RadiusXR Services as described in the Agreement.
Role: Processor
Categories of data subjects whose personal data is transferred
The categories described in Schedule 1 of the DPA between the parties.
Categories of personal data transferred
The categories described in Schedule 1 of the DPA between the parties.
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
The categories described in Schedule 1 of the DPA between the parties.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
Continuous for the duration of the Processing under the DPA.
Nature of the processing/Purpose(s) of the data transfer and further processing
The nature and purpose of processing is described in Schedule 1 of the DPA.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
Personal Data to be retained during the performance of the Agreement and for a reasonable period of time following termination in order to effectuate the appropriate return and/or destruction of Personal Data in accordance with the Agreement and/or applicable law.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
The subject matter and nature described in Schedule 1 of the DPA between the parties.
Identify the competent supervisory authority/ies in accordance with Clause 13
The data protection authority of the country of the Netherlands.