Processing Agreement

Parties:

1. The private company with limited liability Skully Care BV, with its registered office in Driebergen (3971 PA) and its principal place of business at Diederichslaan 17, hereby duly represented by Mr FR Noz, director, hereinafter referred to as “ Processor ”;

 

and

2. The therapist, hereinafter referred to as “ Customer ” or “ Controller ”.

 

hereinafter jointly referred to as: “ Parties ”,

Consider the following:

 

a. Processor will perform services on behalf of Controller, consisting of, among other things, making the Skully Care app available, all this as described in the General Terms and Conditions.

 

b. This means that the Processor processes personal data on behalf of the Controller (hereinafter: “ Personal Data ” or the “ Processing ” or “ Processing of (the) Personal Data ”), within the meaning of the applicable privacy laws and regulations. including the General Data Protection Regulation (“GDPR”).  

 

c. Partly in view of the provisions of the applicable privacy laws and regulations such as Article 28 of the GDPR, the Parties wish to record their mutual rights and obligations for the Processing of Personal Data in this Processor Agreement.

 

Agree to the following:

 

Article 1: Subject and assignment of the Processing Agreement

  1. This Processor Agreement applies to the Processing of Personal Data in the context of the implementation of the Product and Services Agreement.
     

  2. The Controller instructs the Processor to Process Personal Data for the performance of the services.
     

  3. The Processor will process the Personal Data in a proper and careful manner and in accordance with the applicable laws and regulations regarding the processing of personal data, including the GDPR.

 

Article 2: Division of roles

  1. With regard to the Processing of Personal Data to be carried out on its behalf, the Controller is the controller within the meaning of the applicable privacy laws and regulations, such as the AVG. Processor is processor within the meaning of the applicable privacy laws and regulations, such as the AVG. Controller  has and retains independent control over the purpose and means of the Processing of the Personal Data, unlike the Processor. The Processor will follow all instructions from the Controller in this regard (subject to deviating legal obligations) and will not make any decisions about the Processing of Personal Data.
     

  2. The Processor ensures that the Controller is adequately informed about the service(s) provided by the Processor and the Processing to be performed prior to concluding this Processor Agreement. The information given must  enable them to make a choice with regard to the services offered.
     

  3. The services referred to in paragraph 2 must be described in comprehensible language in Appendix 1 to this Processor Agreement, after which the Controller  informed consent to the purchase of these service(s). Controller and Processor mutually provide each other with all necessary information in order to enable proper compliance with the relevant privacy laws and regulations.

 

Article 3: Use of Personal Data

  1. The Processor undertakes not to use the Personal Data obtained from the Controller for other purposes or in a different way than for the purpose and the way for which the data has been provided or has become known to it. The Processor is therefore not permitted to carry out data processing other than those instructed to Processor by the Controller (orally, in writing or electronically). This obligation applies both during the term of the Processor Agreement and/or Product and Service Agreement and after its expiry.
     

  2. An overview of the Personal Data to which the Processing of Personal Data relates is included in Appendix 2 to this Processor Agreement.
     

  3. Processor refrains from providing Personal Data to a third party, unless this exchange takes place on behalf of the Controller or when this is necessary to comply with a legal obligation resting on the Processor. In the event of a legal obligation, the Processor verifies the basis of the request and the identity of the requester prior to the provision. In addition, the Processor informs the Controller - if permitted by law - immediately, if possible prior to the provision.

 

Article 4: Confidentiality

  1. Processor ensures that everyone, including its employees, representatives and/or sub-processors, who are involved in the Processing of Personal Data, treats this data as confidential. A sub-processor is understood to mean the party engaged by the Processor as Processor for the Processing of Personal Data in the context of this Processing Agreement (“Sub-processor ”). The Processor ensures that a confidentiality agreement or clause has been concluded for everyone involved in the Processing of the Personal Data.
     

  2. The duty of confidentiality referred to in this article does not apply insofar as the Processing Manager has given explicit permission to provide the Personal Data to a third party, if the provision of the Personal Data to a third party is necessary in view of the nature of the services to be provided by the Processor to the Processing Manager, or if there is a legal obligation to provide the Personal Data to a third party.

 

Article 5: Security and control

  1. Processor will ensure appropriate technical and organizational measures to protect the Personal Data against loss or any form of unlawful Processing. Taking into account the state of the art and the costs involved in the implementation and execution of the measures, these measures will ensure an appropriate level of protection, taking into account the risks associated with the processing of Personal Data and the nature thereof.
     

  2. The measures as referred to in Article 5 paragraph 1 include in any case:

    1. measures to ensure that only authorized personnel have access to the Personal Data processed in the context of the Processor Agreement;

    2. measures to protect the Personal Data against, in particular, accidental or unlawful destruction, loss, accidental alteration, unauthorized or unlawful storage, access or disclosure;

    3. measures to identify vulnerabilities with regard to the Processing of Personal Data in the systems used to provide services to the Controller; and

    4. an appropriate information security policy for the Processing of the Personal Data.
       

  3. Processor will evaluate and tighten, supplement or improve the information security measures it has taken insofar as the requirements or (technological) developments give cause to do so.
     

  4. In Appendix 3 ,  the technical and organizational security measures are described.
     

  5. Processor enables Controller to comply with its  legal obligation to monitor compliance by the Processor with the technical and organizational security measures as well as compliance with the obligations referred to in Article 6 with regard to data leaks (i.e. a personal data breach as referred to in the applicable privacy laws and regulations such as article 33 paragraph 1 GDPR (“Data Leak ”).The Processor can report this on the basis of a valid certification or an equivalent means of verification or evidence.
     

  6. In addition to article 5 paragraph 5, the Controller has the right at all times, in consultation with the Processor and with due observance of a reasonable term, at its own expense, to have the technical and organizational security measures taken by the Processor checked by an independent Register EDP auditor. . The parties can mutually agree that the audit will be performed by a certified and independent auditor to be engaged by the Processor and who will issue a third-party statement (TPM). The controller is informed about the results of the audit.
     

Article 6: Data leaks

  1. Processor has an appropriate policy for dealing with Data Leaks.
     

  2. If the Processor discovers a Data Leak or other incident with regard to the security of Personal Data, it will immediately inform the Processing Manager about this. Processor  provides all relevant information to the Controller with regard to the Data Leak, including information about any developments surrounding the Data Leak or other incident, and the measures taken by the Processor to limit the consequences of the Data Leak as much as possible and to prevent a recurrence. In addition, the Processor will inform the Controller without delay if it appears that the personal data breach is likely to pose a high risk to the rights and freedoms of the Data Subject(s), as referred to in the applicable privacy laws and regulations, such as Article 34 paragraph 1 of the GDPR.
     

  3. In the event of a Data Breach or other incident relating to the security of Personal Data, the Processor will take all measures reasonably necessary to terminate, prevent and limit this and further Data Breach or other incidents relating to the security of Personal Data. The Processor also enables the Controller to take appropriate follow-up steps, if desired, with regard to the Data Leak or other security incident.
     

  4. The Processor will fully cooperate with the Controller in complying with the reporting obligation of the applicable privacy laws and regulations, including Articles 33 and 34 AVG, to the Dutch Data Protection Authority and the Data Subject(s).
     

  5. Any costs associated with Articles 6, paragraphs 1 to 3, shall be borne by the Controller. The costs involved in Article 6 paragraph 4 are for the account of the Processor, insofar as the Data Leak or other security incident is the result of a failure by the Processor in the fulfillment of its obligation(s) from this Processor Agreement.

 

Article 7: Procedure for the rights of Data Subjects

  1. A complaint or request from a data subject (i.e. the person to whom a Personal Data relates (“ Data Subject ”)) regarding the Processing of the Personal Data will be forwarded by the Processor without undue delay to the Controller responsible for handling the request.
     

  2. The Processor provides the Controller - insofar as reasonably possible - with full cooperation to comply with the obligations under the applicable laws and regulations in the field of privacy, including the AVG, within the statutory periods, more in particular the rights of Data Subjects such as a request. to access, rectify, delete, restrict processing, transfer or object to the processing of Personal Data.
     

Article 8: Processing outside the European Economic Area

  1. Processor ensures that insofar as Personal Data is Processed outside the European Economic Area (hereinafter: EEA), this only takes place in accordance with legal regulations, and any obligations that rest on the Controller in this regard. If data is processed outside the EEA, this is indicated in Annex 1 , including a statement of the countries where the Personal Data are processed.

 

 

Article 9: Engagement of Sub-processor

  1. Processor may engage a Sub-processor, whose identity and location details will be included in Appendix 1 . The Processor is not permitted to engage Sub-processors other than those listed in Appendix 1 without the consent of the Controller.
     

  2. Processor contractually obliges each Sub-processor to comply with confidentiality obligations, notification obligations and security measures with regard to the Processing of Personal Data, which obligations and measures must at least comply with the provisions of this Processor Agreement.
     

  3. Processor contractually obliges each Sub-processor not to process Personal Data any further than in the context of this Processor Agreement  made an agreement.

 

Article 10: Retention periods and destruction of Personal Data

  1. Personal data and images of the Controller are kept for as long as the Controller purchases the services of the Processor. After that relationship, Processing will anonymize the Personal Data and images of the Controller. This applies unless the Controller already requests the removal of the Personal Data and visual material.
     

  2. Unless the Parties have agreed otherwise, the Processor is not obliged to make a backup of the Personal Data and images.

 

Article 11: Liability

  1. Processor is liable for damage arising from or related to non-compliance with this Processor Agreement or acting in violation of applicable laws and regulations in the field of privacy, including the GDPR.
     

  2. Processor is only liable for direct damage that  The Controller suffers due to an attributable shortcoming in the fulfillment of the Processor Agreement. The liability of the Processor will at all times be limited to the amount that the (professional) liability insurer of the Processor pays out in this regard. If the insurer does not pay out for whatever reason, the liability of the Processor will at all times be limited to a maximum of the amount (excluding VAT) that the Processor charged to the Client in the year prior to the damage-causing event(s) and that by Customer has been paid. If several damage-causing events occur, the total compensation with regard to all events jointly will be limited to the amount as described in the preceding sentence.
     

  3. Processor is in no way liable for indirect and/or consequential damage, including but not limited to loss of profit, damage due to delay and damage as a result of claims from clients/patients of the Customer. The Processor's liability for loss of Personal Data is also excluded.
     

  4. A condition for the existence of any right to compensation is furthermore that the Controller reports the damage in writing to the Processor as soon as possible after it has arisen. Any claim for compensation against the Processor on the basis of this Processor Agreement lapses by the mere lapse of two months after the damage has occurred.

Article 12: Duration and termination

  1. The term of this Processor Agreement is equal to the term of the Product and Service Agreement concluded between the Parties, including any extensions thereof.
     

  2. This Processor Agreement ends by operation of law upon termination of the Product and Services Agreement, i.e. upon completion of the agreed product and service delivery by the Processor. The termination of this Processor Agreement will not release the Parties from their obligations arising from this Processor Agreement, which by their nature are deemed to continue after termination.

 

Article 14: Applicable law

  1. This Processor Agreement is exclusively governed by Dutch law.
     

  2. All disputes arising from or related to this Processor Agreement will be submitted exclusively to the competent court.




     

 

 

 

 

APPENDIX 1: PRODUCT AND/OR SERVICE

 

General information

Product and/or service name: Skully Care app.

Brief explanation and functioning of product and service: measuring method for determining skull deformation using photodetection.

Link to supplier and/or product page: https://www.skullycare.com

Sub-processors

Processor uses the following Sub-processor(s):

 

Yukon Software Ltd in Ukraine.

Task/service: developing and updating the App; develop, improve the AI model for the purpose of automatic measurement and extend the functionality.

 

APPENDIX 2: PERSONAL DATA

Description Personal data, nature of processing and, etc.

This Processor Agreement relates to the following processing of Personal Data. See schedule next page.

APPENDIX 3: TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES

 

Description of the measures as referred to in Article 5 paragraph 2 Processing Agreement

  1. Description of the measures to ensure that only authorized personnel have access to the Processing of Personal Data.

The 'Skully Care' mobile application is a digital tool developed to assist the therapist in the treatment of babies with a skull deformity. With the Skully Care app, the therapist can easily and quickly take a measurement, monitor the progress and share information about the treatment with the parents or caregivers of the baby. This shared information is only exchanged between the therapist and parent or guardians. The therapist can invite the child's parents or guardians to view the data. The app runs on a server, where the data is also stored. By photographing the top of the head, the therapist measures the degree of flattening. Calculating the skull deformation is performed by an AI model running on the server. The babies are not recognizable in the photos.

 

The therapist (care professional) creates a profile with contact details (eg name, organization, address, telephone number and email address). The parents or guardians (non-healthcare professionals) can create a profile with contact details (eg name and telephone number). The therapist can create a profile for his or her treated baby (eg first name, first letter last name, date of birth and gender). By using the Skully Care app, the therapist can add information to the baby's profile, such as measurement results, treatment advice and photos of the top of the head. Skully Care concludes a Processing Agreement with the affiliated therapists. It is agreed that the processing of personal data must always be done in accordance with the guidelines of the privacy legislation.

 

During the reliability study, only the measurement functionality of the Skully Care app is used. A number is assigned to each measurement. As a result, no personal data of the baby or tester is stored. Thus, monitoring progress and sharing a treatment plan is not used.

 

Because this is a basic version, any further development of the Skully Care app will lead to a market-ready app (publicly available in the app store) and the necessary formal steps will be taken towards certification. This is in line with the usual procedure in medical product development (in accordance with the MDR Medical Device Regulation), whereby validation and certification is carried out with the end product - in the form as it is actually marketed.

 

Information security

Skully Care uses two servers. The application runs on a server and the data is stored. The second server is fully dedicated to training the AI model.

 

The server where the Skully Care application runs and where the data is stored runs at AWS amazon lightsail in Frankfurt, Germany. AWS provides daily backups (point-in-time recovery PITR) and is end-to-end SSL encrypted. The connection between server and client (mobile phone) is secured using SSH.

 

Communication between app and server is HTTPS protected and is based on 'signature on every request' Oauth. It is possible to access the server via the 'back office'. The back office is set up as a control and management tool. The back office can only be accessed by the Skully Care team. This is secured by the above measures and is username and password protected.

 

One server is fully focused on training the AI model. This server is not connected to the internet. To train this server, a physical connection is required. Only one person has access to this.

 

 

Report

In addition to the notification as referred to in Article 6 paragraph 2, the Processor reports to the Controller  about the measures taken by the Processor with regard to the technical and organizational security measures taken, provided that changes, additions or other points of attention occur therein.

Contact details: FR Noz, info@skullycare.com .