Data Processing Agreement
Last Updated: 02/10/2024
This Data Processing Agreement (“DPA”) forms part of the Terms of Service between DataActs (“Processor”, “we”, “us”, or “our”) and the customer (“Controller”, “you”, or “your”) using our DataActs BI product (the “Product”).
1. Definitions
- “GDPR” means the General Data Protection Regulation (EU) 2016/679.
- “HIPAA” means the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations.
- “Personal Data” means any information relating to an identified or identifiable natural person.
- “Processing” means any operation performed on Personal Data.
- “Data Subject” means the individual to whom Personal Data relates.
- “Protected Health Information” or “PHI” has the meaning given to it under HIPAA.
2. Scope and Roles
2.1. This DPA applies to the Processing of Personal Data and PHI by DataActs on behalf of the customer in connection with the provision of our Product.
2.2. For the purposes of this DPA, the customer is the Controller (and, where applicable, the Covered Entity under HIPAA) and DataActs is the Processor (and, where applicable, the Business Associate under HIPAA).
3. Data Ownership and Storage
3.1. DataActs does not own the data processed through our Product. We collect data from various sources as specified by you and consolidate it in a data warehouse that you own and control.
3.2. You have full control over the location and region where your data is stored within your chosen data warehouse. DataActs does not store your data on our servers.
3.3. DataActs creates data models based on your data and uses the resulting tables in our DataActs BI App for visualization purposes only.
4. Customer Responsibilities
4.1. The customer warrants that it has all necessary rights to provide the Personal Data and PHI to DataActs for Processing in connection with the provision of the Product.
4.2. The customer is responsible for ensuring that it has provided all necessary notices to Data Subjects and obtained all necessary consents for the Processing of Personal Data by DataActs.
4.3. If the customer is a Covered Entity under HIPAA, it is responsible for ensuring that it has a valid Business Associate Agreement in place with DataActs before providing any PHI.
5. DataActs’ Obligations
5.1. DataActs shall Process Personal Data and PHI only on documented instructions from the customer, including with regard to transfers of Personal Data to a third country or an international organization.
5.2. DataActs shall ensure that persons authorized to Process the Personal Data and PHI have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
5.3. DataActs shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including measures required by GDPR Article 32 and the HIPAA Security Rule.
5.4. DataActs shall assist the customer in responding to requests from Data Subjects to exercise their rights under applicable data protection laws, including GDPR and HIPAA.
5.5. DataActs shall assist the customer in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR and the HIPAA Security and Privacy Rules.
5.6. At the choice of the customer, DataActs shall delete or return all the Personal Data and PHI to the customer after the end of the provision of services relating to Processing, and delete existing copies unless applicable law requires storage of the Personal Data or PHI.
6. HIPAA Compliance
6.1. When Processing PHI on behalf of a Covered Entity, DataActs agrees to:
a) Not use or disclose PHI other than as permitted or required by this DPA or as required by law;
b) Use appropriate safeguards to prevent use or disclosure of PHI other than as provided for by this DPA;
c) Report to the customer any use or disclosure of PHI not provided for by this DPA of which it becomes aware;
d) Ensure that any subcontractors that create, receive, maintain, or transmit PHI on behalf of DataActs agree to the same restrictions and conditions that apply to DataActs with respect to such information;
e) Make available PHI in accordance with the HIPAA Privacy Rule;
f) Make available PHI for amendment and incorporate any amendments to PHI in accordance with the HIPAA Privacy Rule;
g) Make available the information required to provide an accounting of disclosures in accordance with the HIPAA Privacy Rule;
h) Make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of the Department of Health and Human Services for purposes of determining the customer’s compliance with HIPAA.
7. Sub-processors
7.1. The customer provides general authorization for DataActs to engage sub-processors for the Processing of Personal Data.
7.2. DataActs shall inform the customer of any intended changes concerning the addition or replacement of sub-processors, thereby giving the customer the opportunity to object to such changes.
8. International Transfers
8.1. DataActs shall not transfer Personal Data outside of the European Economic Area (EEA) unless it has taken such measures as are necessary to ensure the transfer is in compliance with applicable data protection law.
9. Data Breach Notification
9.1. DataActs shall notify the customer without undue delay after becoming aware of a Personal Data breach.
10. Audit Rights
10.1. The customer may audit DataActs’ compliance with this DPA, provided that such audit shall be carried out with reasonable notice and no more than once per year.
11. Liability
11.1. DataActs’ liability arising out of or related to this DPA is subject to the limitations of liability set forth in the Terms of Service.
12. Term and Termination
12.1. This DPA shall remain in effect for as long as DataActs carries out Personal Data Processing operations on behalf of the customer or until the termination of the Terms of Service (and all Personal Data has been returned or deleted in accordance with this DPA).
13. Governing Law and Jurisdiction
13.1. This DPA is governed by the laws specified in the Terms of Service and any dispute arising out of or in connection with this DPA shall be subject to the exclusive jurisdiction of the courts specified in the Terms of Service.
By using our Product, you acknowledge that you have read this Data Processing Agreement and agree to its terms.
For any questions about this Data Processing Agreement, please contact us at: info[at]dataacts.com