Processing Agreement
Parties:
1. The private company with limited liability Skully Care BV, with its registered office in Driebergen (3971 PA) and its principal place of business at Diederichslaan 17, hereby duly represented by Mr FR Noz, director, hereinafter referred to as “Processor”;
and
2. The therapist, hereinafter referred to as “Customer” or “Controller”;
hereinafter jointly referred to as: “Parties”,
Consider the following:
a. The Processor will perform services on behalf of the Controller, consisting of, among other things, making the Skully Care app available, as described in the General Terms and Conditions.
b. This means that the Processor processes personal data on behalf of the Controller (such personal data hereinafter: “Personal Data”, and such processing: the “Processing” or “Processing of (the) Personal Data”), within the meaning of the applicable privacy laws and regulations, including the General Data Protection Regulation (“GDPR”).
c. Partly in view of the provisions of the applicable privacy laws and regulations, such as Article 28 of the GDPR, the parties wish to record their mutual rights and obligations for the Processing of Personal Data in this Processor Agreement.
Agree to the following:
Article 1: Subject and assignment Processor Agreement
This Processor Agreement applies to the Processing of Personal Data in the context of the implementation of the Product and Services Agreement.
The Controller instructs the Processor to Process Personal Data for the performance of the services.
The Processor will process the Personal Data in a proper and careful manner and in accordance with the applicable laws and regulations regarding the processing of personal data, including the GDPR.
Article 2: Division of roles
With regard to the Processing of Personal Data to be carried out on its behalf, the Controller is the controller within the meaning of the applicable privacy laws and regulations, such as the GDPR. The Processor is the processor within the meaning of the applicable privacy laws and regulations, such as the GDPR. The Controller has and retains independent control over the purpose and means of the Processing of the Personal Data, unlike the Processor. The Processor will follow all instructions from the Controller in this regard (subject to deviating legal obligations) and will not make any decisions of its own about the Processing of Personal Data.
The Processor ensures that the Controller is adequately informed, prior to concluding this Processor Agreement, about the service(s) provided by the Processor and the Processing to be performed. The information given must enable the Controller to make an informed choice with regard to the services offered.
The services referred to in paragraph 2 must be described in comprehensible language in Appendix 1 to this Processor Agreement, after which the Controller gives informed consent to the purchase of these service(s). The Controller and the Processor mutually provide each other with all information necessary to enable proper compliance with the relevant privacy laws and regulations.
Article 3: Use of Personal Data
The Processor undertakes not to use the Personal Data obtained from the Controller for purposes other than, or in a manner different from, the purpose and manner for which the data has been provided to it or has become known to it. The Processor is therefore not permitted to carry out any data processing other than that instructed by the Controller (orally, in writing or electronically). This obligation applies both during the term of the Processor Agreement and/or the Product and Service Agreement and after its expiry.
An overview of the Personal Data to which the Processing of Personal Data relates is included in Appendix 2 to this Processor Agreement.
Processor refrains from providing Personal Data to a third party, unless this exchange takes place on behalf of the Controller or when this is necessary to comply with a legal obligation resting on the Processor. In the event of a legal obligation, the Processor verifies the basis of the request and the identity of the requester prior to the provision. In addition, the Processor will inform the Controller - if permitted by law - immediately, if possible prior to the provision.
Article 4: Confidentiality
The Processor ensures that everyone involved in the Processing of the Personal Data, including its employees, representatives and/or sub-processors, treats this data as confidential. A sub-processor is understood to mean a party engaged by the Processor as processor for the Processing of Personal Data in the context of this Processing Agreement (“Sub-processor”). The Processor ensures that a confidentiality agreement or clause has been concluded with everyone involved in the Processing of the Personal Data.
The duty of confidentiality referred to in this article does not apply insofar as the Controller has given explicit permission to provide the Personal Data to a third party, if the provision of the Personal Data to a third party is necessary in view of the nature of the services to be provided by the Processor to the Controller, or if there is a legal obligation to provide the Personal Data to a third party.
Article 5: Security and control
Processor will ensure appropriate technical and organizational measures to protect the Personal Data against loss or any form of unlawful Processing. Taking into account the state of the art and the costs involved in the implementation and execution of the measures, these measures will ensure an appropriate level of protection, taking into account the risks associated with the processing of Personal Data and the nature thereof.
The measures as referred to in Article 5 paragraph 1 include in any case:
measures to ensure that only authorized personnel have access to the Personal Data processed in the context of the Processor Agreement;
measures to protect the Personal Data against, in particular, accidental or unlawful destruction, loss, accidental alteration, unauthorized or unlawful storage, access or disclosure;
measures to identify vulnerabilities with regard to the Processing of Personal Data in the systems used to provide services to the Controller; and
an appropriate information security policy for the Processing of the Personal Data.
Processor will evaluate and tighten, supplement or improve the information security measures it has taken insofar as the requirements or (technological) developments give cause to do so.
In Appendix 3 , the technical and organizational security measures are described.
The Processor enables the Controller to comply with its legal obligation to monitor the Processor's compliance with the technical and organizational security measures, as well as with the obligations referred to in Article 6 regarding data leaks (i.e. a personal data breach as referred to in the applicable privacy laws and regulations, such as Article 33(1) of the GDPR (“Data Leak”)). The Processor may demonstrate this compliance on the basis of a valid certification or equivalent verification or evidence.
In addition to Article 5 paragraph 5, the Controller has the right at all times, in consultation with the Processor, with due observance of a reasonable term and at its own expense, to have the technical and organizational security measures taken by the Processor checked by an independent Register EDP auditor. The Parties can mutually agree that the audit will be performed by a certified and independent auditor engaged by the Processor, who will issue a third-party memorandum (TPM). The Controller is informed about the results of the audit.
Article 6: Data leaks
Processor has an appropriate policy for dealing with Data Leaks.
If the Processor discovers a Data Leak or other incident regarding the security of Personal Data, it will immediately inform the Controller. The Processor provides the Controller with all relevant information regarding the Data Leak, including information about any developments surrounding the Data Leak or other incident, and the measures taken by the Processor to limit the consequences of the Data Leak as much as possible and to prevent a recurrence. In addition, the Processor will inform the Controller without delay if it appears that the personal data breach is likely to pose a high risk to the rights and freedoms of the Data Subject(s), as referred to in the applicable privacy laws and regulations, such as Article 34(1) of the GDPR.
In the event of a Data Leak or other incident relating to the security of Personal Data, the Processor will take all measures reasonably necessary to terminate, prevent and limit this and any further Data Leak or other incident relating to the security of Personal Data. The Processor also enables the Controller to take appropriate follow-up steps, if desired, with regard to the Data Leak or other security incident.
The Processor will fully cooperate with the Controller in complying with the reporting obligations of the applicable privacy laws and regulations, including Articles 33 and 34 of the GDPR, towards the Dutch Data Protection Authority and the Data Subject(s).
Any costs associated with Articles 6, paragraphs 1 to 3, shall be borne by the Controller. The costs involved in Article 6 paragraph 4 are for the account of the Processor, insofar as the Data Leak or other security incident is the result of a failure by the Processor in the fulfillment of its obligation(s) from this Processor Agreement.
Article 7: Procedure for the rights of Data Subjects
A complaint or request from a data subject (i.e. the person to whom Personal Data relate (“Data Subject”)) regarding the Processing of the Personal Data will be forwarded by the Processor without undue delay to the Controller, who is responsible for handling the request.
The Processor grants the Controller, insofar as reasonably possible, full cooperation in complying with the obligations under the applicable privacy laws and regulations, including the GDPR, within the statutory periods, in particular regarding the rights of Data Subjects such as a request to access, rectify, delete, restrict the processing of, transfer or object to the processing of Personal Data.
Article 8: Processing outside the European Economic Area
The Processor ensures that, insofar as Personal Data is Processed outside the European Economic Area (hereinafter: EEA), this only takes place in accordance with legal regulations and any obligations that rest on the Controller in this regard. If data is processed outside the EEA, this is indicated in Appendix 1, including a statement of the countries where the Personal Data are processed.
Article 9: Engagement of Sub-processor
Processor may engage a Sub-processor, whose identity and location details will be included in Appendix 1 . The Processor is not permitted to engage Sub-processors other than those listed in Appendix 1 without the consent of the Controller.
Processor contractually obliges each Sub-processor to comply with confidentiality obligations, notification obligations and security measures with regard to the Processing of Personal Data, which obligations and measures must at least comply with the provisions of this Processor Agreement.
The Processor contractually obliges each Sub-processor not to Process Personal Data beyond what has been agreed in the context of this Processor Agreement.
Article 10: Retention periods and destruction of Personal Data
Personal Data and images of the Controller are kept for as long as the Controller purchases the services of the Processor. After that relationship has ended, the Processor will anonymize the Personal Data and images of the Controller, unless the Controller has already requested the removal of the Personal Data and visual material.
Unless the Parties have agreed otherwise, the Processor is not obliged to make a backup of the Personal Data and images.
Article 11: Liability
Processor is liable for damage arising from or related to non-compliance with this Processor Agreement or acting in violation of applicable laws and regulations in the field of privacy, including the GDPR.
The Processor is only liable for direct damage that the Controller suffers due to an attributable shortcoming in the fulfillment of the Processor Agreement. The liability of the Processor will at all times be limited to the amount that the (professional) liability insurer of the Processor pays out in this regard. If the insurer does not pay out, for whatever reason, the liability of the Processor will at all times be limited to a maximum of the amount (excluding VAT) that the Processor charged to the Customer in the year prior to the damage-causing event(s) and that the Customer has paid. If several damage-causing events occur, the total compensation for all events jointly will be limited to the amount described in the preceding sentence.
Processor is in no way liable for indirect and/or consequential damage, including but not limited to loss of profit, damage due to delay and damage as a result of claims from clients/patients of the Customer. The Processor's liability for loss of Personal Data is also excluded.
A condition for the existence of any right to compensation is furthermore that the Controller reports the damage in writing to the Processor as soon as possible after it has arisen. Any claim for compensation against the Processor on the basis of this Processor Agreement lapses by the mere lapse of two months after the damage has occurred.
Article 12: Duration and termination
The term of this Processor Agreement is equal to the term of the Product and Service Agreement concluded between the Parties, including any extensions thereof.
This Processor Agreement ends by operation of law upon termination of the Product and Services Agreement, i.e. upon completion of the agreed product and service delivery by the Processor. The termination of this Processor Agreement will not release the Parties from their obligations arising from this Processor Agreement, which by their nature are deemed to continue after termination.
Article 14: Applicable law
Only Dutch law applies to this Processor Agreement.
All disputes arising from or related to this Processor Agreement will be submitted exclusively to the competent court.
APPENDIX 1: PRODUCT AND/OR SERVICE
General information
Product and/or service name: Skully Care app.
Brief explanation and functioning of product and service: measuring method for determining skull deformation using photodetection.
Link to supplier and/or product page: https://www.skullycare.com
Sub-processors
The Processor uses the following Sub-processor(s):
Yukon Software Ltd in Ukraine.
Task/service: developing and updating the App.
APPENDIX 2: PERSONAL DATA
Description of the Personal Data, the nature of the processing, etc.
This Processor Agreement relates to the following processing of Personal Data. See schedule next page.
APPENDIX 3: TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES
Description of the measures as referred to in Article 5 paragraph 2 Processing Agreement
Description of the measures to ensure that only authorized personnel have access to the Processing of Personal Data.
The mobile application 'Skully Care' is a digital tool developed to assist the therapist in the treatment of babies with a skull deformity. With the Skully Care app, the therapist can easily and quickly take a measurement, monitor progress and share treatment information with the baby's parents or guardians. This shared information is only exchanged between the therapist and the parents or guardians; the therapist can invite the child's parents or guardians to view the data. The app runs on a server, where the data is also stored. By photographing the top of the head, the therapist measures the degree of flattening. The calculation of the skull deformation is performed by one of our employees. The babies are not recognizable in the photos.
The therapist (care professional) creates a profile with contact details (e.g. name, organization, address, telephone number and email address). The parents or guardians (non-healthcare professionals) can create a profile with contact details (e.g. name and telephone number). The therapist can create a profile for a baby under his or her treatment (e.g. first name, first letter of the last name, date of birth and gender). Using the Skully Care app, the therapist can add information to the baby's profile, such as measurement results, treatment advice and photos of the top of the head. Skully Care concludes a Processing Agreement with the affiliated therapists, in which it is agreed that the processing of personal data must always be done in accordance with the guidelines of the privacy legislation.
During the reliability study, only the measurement functionality of the Skully Care app is used. A number is assigned to each measurement. As a result, no personal data of the baby or tester is stored. Thus, monitoring progress and sharing a treatment plan is not used.
Because this is a basic version, any further development of the Skully Care app will lead to a market-ready app (publicly available in the app store) and the necessary formal steps will be taken towards certification. This is in line with the usual procedure in medical product development (in accordance with the MDR Medical Device Regulation), whereby validation and certification is carried out with the end product - in the form as it is actually marketed.
Information security
The Skully Care application runs on a server, where the data is also stored.
The server on which the Skully Care application runs and on which the data is stored is hosted on AWS Amazon Lightsail in Frankfurt, Germany. AWS provides daily backups with point-in-time recovery (PITR), and the connections are encrypted end to end with TLS (commonly still referred to as SSL). The connection between server and client (mobile phone) is secured using SSH.
Communication between the app and the server is protected with HTTPS and is based on OAuth with a signature on every request. The server can be accessed via the 'back office', which is set up as a control and management tool. The back office can only be accessed by the Skully Care team; it is protected by the measures above and by username and password.
Report
In addition to the notification as referred to in Article 6 paragraph 2, the Processor reports to the Controller about the measures taken by the Processor with regard to the technical and organizational security measures taken, provided that changes, additions or other points of attention occur.
Contact details: FR Noz, info@skullycare.com .