Processor agreement

Parties:

1. The private company with limited liability Skully Care BV, with its registered office in Driebergen (3971 PA) and with offices at Diederichslaan 17, hereby duly represented by Mr FR Noz, director, hereinafter referred to as “Processor”;

and

2. The Pediatric Physiotherapist, hereinafter referred to as “Customer” or “Controller”.

hereinafter jointly referred to as: “Parties”,

Whereas:

a. Processor will perform services on behalf of Controller, consisting of, among other things, making the Skully Care app available, as described in the General Terms and Conditions.

b. This results in the Processor processing personal data on behalf of the Controller (hereinafter: “Personal Data” or the “Processing” or “Processing of (the) Personal Data”), within the meaning of the applicable privacy laws and regulations, including the General Data Protection Regulation (“GDPR”).

c. The parties wish, partly in view of the provisions of the applicable privacy laws and regulations such as Article 28 GDPR, to record their mutual rights and obligations for the Processing of Personal Data in this Processor Agreement.

Have agreed as follows:

Article 1: Subject and assignment Processor Agreement

  1. This Processor Agreement applies to the Processing of Personal Data in the context of the performance of the Product and Services Agreement.

  2. The Controller gives the Processor the order to Process Personal Data for the performance of the services.

  3. Processor will process the Personal Data in a proper and careful manner and in accordance with the applicable laws and regulations regarding the processing of personal data, including the GDPR.

Article 2: Division of roles

  1. With regard to the Processing of Personal Data to be carried out on his behalf, the Controller is the controller within the meaning of the applicable privacy laws and regulations, such as the GDPR. Processor is processor within the meaning of the applicable privacy laws and regulations, such as the GDPR. Unlike the Processor, the Controller has and retains independent control over the purpose and means of the Processing of the Personal Data. The Processor will follow all instructions of the Controller in this regard (barring deviating legal obligations) and will not make any decisions regarding the Processing of Personal Data.

  2. Processor ensures that, prior to entering into this Processor Agreement, the Controller is adequately informed about the service(s) that the Processor provides and the Processing to be carried out. The information provided must enable the Controller to make an informed choice with regard to the services offered.

  3. The services referred to in paragraph 2 must be described in understandable language in Appendix 1 to this Processor Agreement, after which the Controller can give informed consent to the purchase of these service(s). Controller and Processor mutually provide each other with all necessary information in order to enable proper compliance with the relevant privacy laws and regulations.

Article 3: Use of Personal Data

  1. The Processor undertakes not to use the Personal Data obtained from the Controller for any other purpose or in any other way than for the purpose and the manner for which the data was provided or became known to it. The Processor is therefore not permitted to carry out data processing other than that assigned to the Processor (orally, in writing or electronically) by the Controller. This obligation applies both during the term of the Processor Agreement and/or Product and Services Agreement and after its expiry.

  2. An overview of the Personal Data to which the Processing of Personal Data relates is included in Appendix 2 to this Processor Agreement.

  3. Processor will refrain from providing Personal Data to a third party, unless this exchange takes place on behalf of the Controller or when this is necessary to comply with a legal obligation resting on the Processor. In case of a legal obligation, the Processor verifies the basis of the request and the identity of the requesting party prior to the provision. In addition, the Processor informs the Controller - if permitted by law - immediately, if possible prior to the disclosure.

Article 4: Confidentiality

  1. Processor ensures that everyone, including its employees, representatives and/or sub-processors, who is involved in the Processing of the Personal Data treats this data as confidential. A sub-processor is understood to mean the party engaged by the Processor as a processor for the Processing of Personal Data in the context of this Processor Agreement (“Sub-processor”). Processor ensures that a confidentiality agreement or clause has been concluded with anyone involved in the Processing of the Personal Data.

  2. The duty of confidentiality referred to in this article does not apply insofar as the Controller has expressly given permission to provide the Personal Data to a third party, if the provision of the Personal Data to a third party is necessary in view of the nature of the services to be provided by the Processor to the Controller, or if there is a legal obligation to provide the Personal Data to a third party.

Article 5: Security and control

  1. Processor will take appropriate technical and organizational measures to protect the Personal Data against loss or any form of unlawful Processing. Taking into account the state of the art and the costs involved in the implementation and execution of the measures, these measures will ensure an adequate level of protection, taking into account the risks involved in the processing of Personal Data, and the nature thereof.

  2. The measures as referred to in Article 5 paragraph 1 include in any case:

    1. measures to ensure that only authorized personnel has access to the Personal Data processed under the Processor Agreement;

    2. measures to protect the Personal Data against in particular accidental or unlawful destruction, loss, accidental alteration, unauthorized or unlawful storage, access or disclosure;

    3. measures to identify vulnerabilities with regard to the Processing of Personal Data in the systems used to provide services to the Controller; and

    4. an appropriate information security policy for the Processing of Personal Data.

  3. Processor will evaluate the information security measures it has taken and tighten, supplement or improve it insofar as the requirements or (technological) developments give cause to do so.

  4. Appendix 3 describes the technical and organizational security measures.

  5. The Processor enables the Controller to comply with its legal obligation to monitor compliance by the Processor with the technical and organizational security measures as well as compliance with the obligations referred to in Article 6 with regard to data leaks (i.e. a breach in connection with personal data as referred to in the applicable privacy laws and regulations such as Article 33 paragraph 1 GDPR (“Data Breach”)). The Processor can demonstrate this on the basis of a valid certification or an equivalent means of verification or evidence.

  6. In addition to Article 5 paragraph 5, the Controller has the right at all times, in consultation with the Processor and with due observance of a reasonable term, at his own expense, to have the technical and organizational security measures taken by the Processor tested by an independent Register EDP auditor. The Parties can agree in mutual consultation that the audit will be carried out by a certified and independent auditor to be engaged by the Processor, who will issue a third party statement (TPM). The Controller is informed about the results of the audit.

Article 6: Data leaks

  1. The Processor has an appropriate policy for dealing with Data Leaks.

  2. If the Processor establishes a Data Breach or other incident with regard to the security of Personal Data, it will immediately inform the Controller of this. The Processor provides all relevant information to the Controller with regard to the Data Breach, including information about any developments surrounding the Data Breach or other incident, and the measures that the Processor takes to limit the consequences of the Data Breach as much as possible and to prevent repetition. In addition, the Processor will immediately inform the Controller if it appears that the breach in connection with personal data probably poses a high risk to the rights and freedoms of the Data Subject(s), as referred to in the applicable privacy laws and regulations such as Article 34 paragraph 1 GDPR.

  3. In the event of a Data Breach or other incident related to the security of Personal Data, Processor will take all reasonably necessary measures to terminate, prevent and limit these and further Data Leaks or other incidents related to the security of Personal Data. The Processor also enables the Controller to take appropriate follow-up steps himself or have it taken with regard to the Data Breach or other security incident.

  4. The Processor will fully cooperate with the Controller in complying with the notification obligation of the applicable privacy laws and regulations, including Articles 33 and 34 GDPR, to the Dutch Data Protection Authority and the Data Subject(s).

  5. Any costs involved in Article 6, paragraphs 1 to 3, will be borne by the Controller. The costs involved in Article 6, paragraph 4, will be borne by the Processor, insofar as the Data Breach or other security incident is the result of a failure by the Processor to fulfill its obligation(s) under this Processor Agreement.

Article 7: Procedure for rights of Data Subjects

  1. A complaint or request from a data subject (i.e. the person to whom Personal Data relates (“Data Subject”)) with regard to the Processing of the Personal Data will be immediately forwarded by the Processor to the Controller, who is responsible for handling the request.

  2. Processor will - insofar as reasonably possible - cooperate fully with the Controller to comply with the obligations under the applicable privacy laws and regulations, including the GDPR, within the legal deadlines, more in particular the rights of the Data Subjects such as a request to access, rectify, delete, restrict processing, transfer or object to the processing of Personal Data.

Article 8: Processing outside the European Economic Area

  1. Processor ensures that, insofar as Personal Data is Processed outside the European Economic Area (hereinafter: EEA), this only takes place in accordance with legal regulations, and any obligations that rest on the Controller in this regard. If data is processed outside the EEA, this is indicated in Appendix 1 , including a list of the countries where the Personal Data are processed.

Article 9: Engaging Sub-processor

  1. Processor can engage a Subprocessor, whose identity and location details will be included in Appendix 1 . The Processor is not permitted to engage Sub-processors other than those listed in Annex 1 without the consent of the Controller.

  2. The Processor contractually obliges each Sub-processor to comply with the confidentiality obligations, reporting obligations and security measures with regard to the Processing of Personal Data, which obligations and measures must at least comply with the provisions of this Processor Agreement.

  3. Processor contractually obliges each Sub-processor not to further process Personal Data other than as agreed in the context of this Processor Agreement.

Article 10: Retention periods and destruction of Personal data

  1. Personal data and images of the Controller will be kept for as long as the Controller purchases the services of the Processor. At the end of that relationship, Processor will anonymize the Personal Data and image material of the Controller. This applies unless the Controller has already requested the removal of the Personal Data and image material.

  2. Unless the Parties have agreed otherwise, Processor is not obliged to make a backup of the Personal Data and image material.

Article 11: Liability

  1. Processor is liable for damage arising from or related to non-compliance with this Processor Agreement or acting in violation of applicable privacy laws and regulations, including the GDPR.

  2. The Processor is only liable for direct damage that the Controller suffers due to an attributable shortcoming in the fulfillment of the Processor Agreement. The liability of the Processor will at all times be limited to the amount that the (professional) liability insurer of the Processor pays out in this respect. If the insurer does not pay out for any reason whatsoever, the liability of the Processor will at all times be limited to a maximum of the amount (excluding VAT) that the Processor charged to the Client in the year prior to the event(s) causing damage and that the Customer has paid. If several damage-causing events occur, the total compensation with regard to all events together will be limited to the amount as described in the previous sentence.

  3. Processor is under no circumstances liable for indirect and/or consequential damage, including but not limited to loss of profit, delay damage and damage as a result of claims by clients/patients of the Client. The liability of the Processor for loss of Personal Data is also excluded.

  4. A condition for any right to compensation to arise is furthermore that the Controller reports the damage to the Processor in writing as soon as possible after it has arisen. Any claim for compensation against the Processor on the basis of this Processor Agreement will lapse by the mere lapse of two months after the damage has arisen.

Article 12: Duration and termination

  1. The term of this Processor Agreement is equal to the term of the Product and Services Agreement concluded between the Parties, including any extensions thereof.

  2. This Processor Agreement ends by operation of law upon termination of the Product and Services Agreement, i.e. after completion of the agreed product and services delivery by Processor. The termination of this Processor Agreement will not release the Parties from their obligations arising from this Processor Agreement, which by their nature are deemed to continue even after termination.

Article 14: Applicable law

  1. This Processor Agreement is exclusively governed by Dutch law.

  2. All disputes arising from or in connection with this Processor Agreement will be submitted exclusively to the competent court.

APPENDIX 1: PRODUCT AND/OR SERVICE

General information

Name of product and/or service: Skully Care app.

Brief explanation and operation of product and service: measurement method for determining skull deformation by means of photo detection.

Link to supplier and/or product page: https://www.skullycare.com

Sub-processors

Processor uses the following Sub-processor(s):

Yukon Software Ltd in Ukraine.

Task/service: developing and updating the App; developing and improving the AI model for the purpose of automatic measurement, and expanding the functionality.

APPENDIX 2: PERSONAL DATA

Description of the Personal Data, nature of the processing, etc.

This Processor Agreement relates to the following processing of Personal Data. See diagram next page.

APPENDIX 3: TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES

Description of the measures as referred to in Article 5 paragraph 2 Processor Agreement

  1. Description of the measures to ensure that only authorized personnel have access to the Processing of Personal Data.

The mobile application 'Skully Care' is a digital tool developed to assist the pediatric physiotherapist (KFT) in the treatment of babies with a cranial deformity. With the Skully Care app, the KFT can easily and quickly take a measurement, monitor the progress and share information about the treatment with the parents or carers of the baby. This shared information is only exchanged between the KFT and parent or caregivers. The KFT can invite the parents or guardians of the child to view the data. The app runs on a server, where the data is also stored. By photographing the top of the head, the KFT measures the degree of flattening. Calculation of the skull deformation is performed by an AI model that runs on the server. The babies are not recognizable in the photos.

The KFT (healthcare professional) creates a profile with contact details (e.g. name, organization, address, telephone number and email address). The parents or guardians (non-healthcare professional) can create a profile with contact details (e.g. name and telephone number). The KFT can create a profile for his or her treated baby (e.g. first name, first letter of last name, date of birth and gender). By using the Skully Care app, the KFT can add information to the profile of the baby, such as measurement results, treatment advice and photos of the top of the head. Skully Care concludes a Processor Agreement with the affiliated KFTs. It is agreed in this that the processing of personal data must always take place in accordance with the guidelines of privacy legislation.

During the reliability investigation, only the measurement functionality of the Skully Care app is used. A number is assigned per measurement. As a result, no personal data of the baby or tester is stored. Thus, monitoring progress and sharing a treatment plan is not used.

Because this is a basic version, any further development of the Skully Care app will lead to a market-ready app (publicly available in the app store) and the necessary formal steps will be taken towards certification. This is in line with the common procedure in medical product development (in accordance with MDR Medical Device Regulation), whereby validation and certification is carried out with the end product - in the form as it is actually brought to the market.

Information security

Skully Care uses two servers. The application runs on one server, where the data is also stored. The second server is fully dedicated to training the AI model.

The server on which the Skully Care application runs and where the data is stored is hosted at Yukon Software Ltd. Yukon Software Ltd provides daily backups (point-in-time recovery, PITR) and is end-to-end SSL encrypted. The connection between server and client (mobile phone) is secured using SSH.

Communication between app and server is HTTPS protected and is based on 'signature on every request' OAuth. It is possible to access the server via the 'back office'. The back office is designed as a control and management tool. The back office can only be approached by the Skully Care team. This is protected by the above-mentioned measures and is username and password protected.
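The paragraph above names a 'signature on every request' scheme without describing it. The following is an added illustration, not Skully Care's or Yukon Software Ltd's code, of what such a scheme has to cover on the server side: the signature is an HMAC-SHA256 over method, path, timestamp, nonce and a hash of the body under a per-client shared secret (an assumed scheme; the agreement does not specify one), stale timestamps are rejected, nonces are tracked to stop replays, and the comparison is constant-time. Header names, the client id and the secret are constructed placeholders.

```python
import hashlib
import hmac
import json
import time

# Constructed sample client registry (client id -> shared secret).
# Placeholders only; a real deployment provisions secrets out of band.
CLIENT_SECRETS = {
    "kft-app-0001": b"placeholder-secret-not-a-real-key",
}

# Maximum accepted clock skew between client and server, in seconds.
# The nonce cache only needs to remember nonces inside this window.
MAX_SKEW_SECONDS = 300


def canonical_string(method, path, timestamp, nonce, body):
    """Build the string that is signed. Every field that could change the
    meaning of the request is included so the signature binds all of them."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, str(timestamp), nonce, body_hash])


def sign_request(client_id, method, path, timestamp, nonce, body):
    """Client side: hex HMAC-SHA256 over the canonical string."""
    msg = canonical_string(method, path, timestamp, nonce, body).encode()
    return hmac.new(CLIENT_SECRETS[client_id], msg, hashlib.sha256).hexdigest()


class SignatureVerifier:
    """Server side: check freshness, reject replayed nonces, verify the HMAC."""

    def __init__(self, now=time.time):
        self._now = now      # injectable clock so the logic can be tested
        self._seen = {}      # nonce -> time it was accepted

    def _purge(self, now):
        # Drop nonces that can no longer pass the freshness check anyway.
        cutoff = now - MAX_SKEW_SECONDS
        self._seen = {n: t for n, t in self._seen.items() if t >= cutoff}

    def verify(self, headers, method, path, body):
        """Return (accepted, reason). Checks are ordered cheapest first."""
        secret = CLIENT_SECRETS.get(headers.get("X-Client-Id"))
        if secret is None:
            return False, "unknown client"
        try:
            timestamp = int(headers.get("X-Timestamp", ""))
        except ValueError:
            return False, "bad timestamp"
        now = self._now()
        if abs(now - timestamp) > MAX_SKEW_SECONDS:
            return False, "timestamp outside allowed window"
        nonce = headers.get("X-Nonce", "")
        if not nonce:
            return False, "missing nonce"
        self._purge(now)
        if nonce in self._seen:
            return False, "replayed nonce"
        msg = canonical_string(method, path, timestamp, nonce, body).encode()
        expected = hmac.new(secret, msg, hashlib.sha256).hexdigest()
        # Constant-time comparison so timing does not leak how many
        # leading characters of the signature were right.
        if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
            return False, "bad signature"
        self._seen[nonce] = now   # only remember nonces of accepted requests
        return True, "ok"


def demo():
    """Run a valid request, an exact replay, a tampered body and a stale
    timestamp through the verifier; return the four reasons in that order."""
    fixed_now = 1_700_000_000
    verifier = SignatureVerifier(now=lambda: fixed_now)
    path = "/api/measurements"
    body = json.dumps({"measurement_id": 42}).encode()   # constructed payload

    def headers_for(ts, nonce, b):
        return {
            "X-Client-Id": "kft-app-0001",
            "X-Timestamp": str(ts),
            "X-Nonce": nonce,
            "X-Signature": sign_request("kft-app-0001", "POST", path, ts, nonce, b),
        }

    good = headers_for(fixed_now, "n-1", body)
    results = [verifier.verify(good, "POST", path, body)[1]]
    results.append(verifier.verify(good, "POST", path, body)[1])   # same nonce again
    tampered = headers_for(fixed_now, "n-2", body)
    results.append(verifier.verify(tampered, "POST", path, b'{"measurement_id": 43}')[1])
    stale = headers_for(fixed_now - 1000, "n-3", body)
    results.append(verifier.verify(stale, "POST", path, body)[1])
    return results


if __name__ == "__main__":
    print(demo())
```

The order of checks matters for a defender: the unknown-client and timestamp checks cost nothing and discard most junk before any HMAC is computed, and a nonce is only recorded after the signature verifies, so an unauthenticated sender cannot fill the cache with nonces a legitimate client might later use.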

One server is fully dedicated to training the AI model. This server is not connected to the internet. A physical connection is required to train this server. Only one person has access to it.

Report

In addition to the notification as referred to in Article 6 paragraph 2, the Processor reports to the Controller about the measures taken by the Processor with regard to the technical and organizational security measures taken, provided that there are changes, additions or other points for attention.

Contact details: FR Noz, freeknoz@skullycare.com.