Last updated and effective as of August 12, 2024 (the “DPA Date”).
This Data Processing Addendum (“DPA”) forms part of the Software-as-a-Service Subscription Agreement (as applicable, the “Agreement”) between Auxilius, Inc. (“Auxilius”) and the entity that has engaged Auxilius to provide the Service (“Customer”). Capitalized terms used and not otherwise defined herein shall have the meanings ascribed to them in the Agreement. In the event of a conflict between this DPA and any other terms in the Agreement, the terms of this DPA will govern. Each of Auxilius and Customer is referred to in this DPA individually as a “party”, collectively the “parties”. By entering into the Agreement, the parties are deemed to have signed all Exhibits, Attachments, Annexes, Schedules, and Appendices, including those incorporated by reference, to this DPA where applicable.
- Definitions
- “Customer Data” means any information Processed by Auxilius solely on behalf of Customer, including without limitation any EU Personal Data and/or UK Personal Data.
- “European Data Protection Laws” means, collectively, the GDPR and the UK Data Protection Laws, as applicable.
- “GDPR” means the General Data Protection Regulation (EU) 2016/679.
- “Personal Data” means any information relating to any identified or identifiable individual.
- “Processing” (including any grammatically inflected forms thereof) means any operation or set of operations which is performed on data or on sets of data, whether or not by automated means, including without limitation collection, recording, organization, structuring, storage, adaptation or alteration, access, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- “UK” means the United Kingdom.
- “UK Data Protection Laws” means the UK GDPR and the UK’s Data Protection Act 2018 (“UK DPA 2018”).
- “UK GDPR” means the UK equivalent of the GDPR, as defined in section 3(10) (and as supplemented by section 205(4)) of the UK DPA 2018.
- To the extent Auxilius Processes Personal Data regulated by the GDPR solely on behalf of Customer (“EU Personal Data”), and to the extent Customer is a controller (as defined in the GDPR) and Auxilius is a processor (as defined in the GDPR) on behalf of Customer with regard to such EU Personal Data, then to the extent required by the GDPR, Module 2 of the Standard Contractual Clauses for the Transfer of Personal Data as set out in European Commission Decision 2021/914/EC, available at https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32021D0914&from=EN (the “Controller to Processor Standard Contractual Clauses”) will apply to the transfer of such EU Personal Data by Customer to Auxilius and to Auxilius’ Processing of such EU Personal Data and the parties hereby agree to comply with such Controller to Processor Standard Contractual Clauses, which are hereby incorporated into the Agreement in their entirety, as set forth in Schedule A. In the event of a conflict between the Agreement and the Controller to Processor Standard Contractual Clauses, the Controller to Processor Standard Contractual Clauses will control to the extent applicable to such EU Personal Data.
- To the extent Auxilius Processes EU Personal Data, and to the extent Customer is a processor (as defined in the GDPR) on behalf of a third party with respect to EU Personal Data and Auxilius is a processor on behalf of Customer with regard to such EU Personal Data, then to the extent required by the GDPR, Module 3 of the Standard Contractual Clauses for the Transfer of Personal Data as set out in European Commission Decision 2021/914/EC, available at https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32021D0914&from=EN (the “Processor to Processor Standard Contractual Clauses”) will apply to the transfer of such EU Personal Data by Customer to Auxilius and to Auxilius’ Processing of such EU Personal Data and the parties hereby agree to comply with such Processor to Processor Standard Contractual Clauses, which are hereby incorporated into the Agreement in their entirety, as set forth in Schedule B. In the event of a conflict between the Agreement and the Processor to Processor Standard Contractual Clauses, the Processor to Processor Standard Contractual Clauses will control to the extent applicable to such EU Personal Data.
- To the extent Auxilius Processes Personal Data regulated by the UK Data Protection Laws solely on behalf of Customer (“UK Personal Data”), then to the extent required by the UK Data Protection Laws, the UK’s ‘International Data Transfer Addendum to the EU Commission Standard Contractual Clauses’, Version B1.0, in force from March 21, 2022, available at https://ico.org.uk/media/for-organisations/documents/4019535/addendum-international-data-transfer.docx (the “UK DTA”) will apply to the transfer of such UK Personal Data by Customer to Auxilius and to Auxilius’ Processing of such UK Personal Data and the parties hereby agree to comply with such UK DTA, which is hereby incorporated into the Agreement in its entirety and as set forth in Schedule C. In the event of a conflict between the Agreement and the UK DTA, the UK DTA will control to the extent applicable to the UK Personal Data.
- Customer represents, warrants, and covenants that: (i) it has (and will have) Processed, collected, and disclosed all Customer Data in compliance with applicable law and provided any notice and obtained all consents and rights required by applicable law to enable Auxilius to lawfully Process Customer Data as permitted by the Agreement and/or this DPA; (ii) it has (and will continue to have) full right and authority to make the Customer Data available to Auxilius under the Agreement and this DPA; and (iii) Auxilius’ Processing of the Customer Data in accordance with the Agreement, this DPA, and/or Customer’s instructions does and will not infringe upon or violate any applicable law or any rights of any third party. Customer shall indemnify, defend and hold Auxilius harmless against any claims, actions, proceedings, expenses, damages and liabilities (including without limitation any governmental investigations, complaints and actions) and reasonable attorneys’ fees arising out of Customer’s violation of this Section 5. Notwithstanding anything to the contrary in the Agreement, Customer’s indemnification obligations under this Section 5 shall not be subject to any limitations of liability set forth in the Agreement.
- Notwithstanding anything to the contrary in the Agreement (including this DPA), Customer acknowledges that Auxilius shall have a right to anonymize Customer Data and to use such anonymous data in connection with its business. Notwithstanding anything to the contrary in the Agreement (including this DPA), Customer acknowledges that Auxilius further shall have a right to use and disclose data pertaining to Customer’s representatives relating to the operation, support and/or use of the Service for its legitimate business purposes, such as product development and sales and marketing. To the extent any such data pertaining to Customer’s representatives is considered personal data (as defined in, and regulated by the European Data Protection Laws), then, to the extent Auxilius is subject to the European Data Protection Laws as a controller (as defined in the European Data Protection Laws), Auxilius is the controller (as defined in the European Data Protection Laws) of such data and accordingly shall Process such data in accordance with the European Data Protection Laws.
- This DPA (together with the Agreement), constitutes the entire agreement between the parties and supersedes all prior undertakings and agreements between the parties, whether written or oral, with respect to the subject matter of this DPA. Auxilius reserves the right, in its sole discretion, to change, modify, replace, add to, supplement or delete any terms and conditions of this DPA at any time by posting an updated version of this DPA on this webpage.
- In this DPA, unless a clear contrary intention appears: (i) where not inconsistent with the context, words used in the present tense include the future tense and vice versa and words in the plural number include the singular number and vice versa; (ii) reference to any person includes such person’s successors and assigns but, if applicable, only if such successors and assigns are not prohibited by the Agreement; (iii) reference to any gender includes each other gender; (iv) reference to any agreement, document or instrument means such agreement, document or instrument as amended or modified and in effect from time to time in accordance with the terms thereof and includes all addenda, exhibits and schedules thereto; (v) the titles and subtitles used in this DPA are used for convenience only and are not to be considered in construing or interpreting this DPA; (vi) “hereunder,” “hereof,” “hereto,” and words of similar import shall be deemed references to this DPA as a whole and not to any particular Section or Subsection of this DPA; (vii) “including” (including grammatically inflected forms thereof) means including without limiting the generality of any description preceding such term; (viii) all references to “days” refer to calendar days; and (ix) the word “or” is not exclusive. This DPA has been executed in English and the English language version shall control notwithstanding any translations of this DPA.
Schedule A
MODULE 2 – CONTROLLER TO PROCESSOR
STANDARD CONTRACTUAL CLAUSES
For the purposes of the Controller to Processor Standard Contractual Clauses:
- Clause 7. The parties agree that the optional language in Clause 7 is included.
- Clause 9(a). The parties agree that under Option 2, Auxilius has Customer’s general authorization to subcontract its processing activities to the list of sub-processors set out in Section (a)(11)(i). Auxilius will inform Customer in writing of any intended changes to the list of sub-processors set out in Section (a)(11)(i) at least 10 days prior to engaging with any other sub-processor.
- Clause 11. The parties agree that the optional language in Clause 11 is excluded.
- Clause 13. The parties agree that the brackets are removed in the provisions in Clause 13(a) such that the appropriate provision will apply as applicable.
- Clause 17. Option 1 shall apply and the Controller to Processor Standard Contractual Clauses shall be governed by the laws of Ireland.
- Clause 18. The parties agree that any dispute arising from the Controller to Processor Standard Contractual Clauses shall be resolved by the courts of Ireland.
- Annex I.A.
- The name and address of Customer, and the name, position, and contact details of the contact person of Customer (which is the data exporter) are as set forth on the signature page to the Agreement.
- The name and address of Auxilius, and the name, position, and contact details of the contact person of Auxilius (which is the data importer) are as follows:
- Name: Auxilius, Inc.
- Address: 73 Spring Street (4th Floor), New York, NY 10012
- Contact person’s name, position and contact details: Erin Warner Guill, Chief Operating Officer, erin@auxili.us
- The activities relevant to the data transferred are the provision and receipt of the Service as described in the Agreement.
- The signature and date are the signature and date set forth in the Agreement.
- The roles of the parties are as follows: Auxilius is a processor and Customer is a controller.
- Annex I.B.
- The categories of data subjects are: personnel of the institution where the clinical study is conducted (“Institution”); and clinical study subjects.
- The categories of personal data are:
- For personnel of the Institution: business contact details including name, email, or phone number; and
- For clinical study subjects (each category of which will be pseudonymized by the data exporter prior to transfer):
- subject ID number;
- subject visit dates; and
- subject enrollment and discontinuation reports (excluding treatment efficacy information).
- The sensitive data transferred includes pseudonymous data concerning clinical study subjects described above to the extent that such data constitutes pseudonymous data concerning health.
- The frequency of the transfer shall be on a continuous basis.
- The nature of the processing is such that the personal data will be subject to basic processing, including but not limited to collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction for the purpose of providing the Service by data importer to the data exporter in accordance with the terms of the Agreement.
- The purpose of the data transfer and further processing is provision of the Service by data importer to data exporter.
- The duration of the processing under these Controller to Processor Standard Contractual Clauses shall continue as long as data importer carries out personal data processing operations on behalf of data exporter or until the termination of the Agreement (and all personal data has been returned or deleted in accordance with these Controller to Processor Standard Contractual Clauses).
- For transfers to sub-processors, personal data will be transferred to sub-processors in order for the data importer to provide the Service to the data exporter. The nature of the processing by such sub-processors will be as follows: the personal data will be subject to basic processing, which may include without limitation collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction for the purpose of providing the Service to the data exporter in accordance with the terms of the Agreement. The duration of the processing by such sub-processors shall continue as long as such sub-processors carry out personal data processing operations on behalf of the data importer.
- Annex I.C.
- The data exporter’s competent supervisory authority will be determined in accordance with the GDPR.
- Annex II.
- The data importer utilizes a number of technical and organizational measures including the following measures:
- Implements appropriate organizational, technical and administrative controls for all personal data that data importer processes.
- Implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events.
- Prior to issuing system credentials and granting system access, the data importer registers and authorizes new internal and external users. User system credentials are removed by data importer when user access is no longer authorized.
- Encrypts or pseudonymizes personal data where possible to protect the data that it transfers and stores. Where encryption or pseudonymization are not possible, implements alternative, equivalent controls to protect the data.
- Restricts access to all personal data to only those personnel or subprocessors who have a need to know or access the data.
- Restricts physical access to its facilities and protected information assets (for example, data center facilities, back-up media storage, and other sensitive locations) to authorized personnel.
- Implements logical access security measures to protect against threats from sources outside its system boundaries.
- Restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal.
- Implements controls to prevent or detect and act upon the introduction of unauthorized or malicious software.
- Monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the data importer’s ability to meet its objectives; anomalies are analyzed to determine whether they represent security events.
- Responds to identified security incidents by executing a defined incident response program to understand, contain, remediate, and communicate security incidents, as appropriate.
- Identifies, develops, and implements activities to recover from identified security incidents.
- Assesses and manages risks associated with its vendors and business partners and executes required agreements and data transfer provisions where required by applicable law.
- Tests recovery plan procedures supporting system recovery.
- Deletes or destroys personal (including pseudonymous) data at the direction of the data exporter and in accordance with internal records retention policies or as soon as no longer needed for business purposes.
- Annex III.
- Customer hereby authorizes the use of the following sub-processor(s)
- Amazon Web Services
Schedule B
MODULE 3 – PROCESSOR TO PROCESSOR
STANDARD CONTRACTUAL CLAUSES
For the purposes of the Processor to Processor Standard Contractual Clauses:
- Clause 7. The parties agree that the optional language in Clause 7 is included.
- Clause 9(a). The parties agree that under Option 2, Auxilius has Customer’s general authorization to subcontract its processing activities to the list of sub-processors set out in Section (a)(11)(i). Auxilius will inform Customer in writing of any intended changes to the list of sub-processors set out in Section (a)(11)(i) at least 10 days prior to engaging with any other sub-processor.
- Clause 11. The parties agree that the optional language in Clause 11 is excluded.
- Clause 13. The parties agree that the brackets are removed in the provisions in Clause 13(a) such that the appropriate provision will apply as applicable.
- Clause 17. Option 1 shall apply and the Processor to Processor Standard Contractual Clauses shall be governed by the laws of Ireland.
- Clause 18. The parties agree that any dispute arising from the Processor to Processor Standard Contractual Clauses shall be resolved by the courts of Ireland.
- Annex I.A.
- The name and address of Customer, and the name, position, and contact details of the contact person of Customer (which is the data exporter) are as set forth on the signature page to the Agreement.
- The name and address of Auxilius, and the name, position, and contact details of the contact person of Auxilius (which is the data importer) are as follows:
- Name: Auxilius, Inc.
- Address: 73 Spring Street (4th Floor), New York, NY 10012
- Contact person’s name, position and contact details: Erin Warner Guill, Chief Operating Officer, erin@auxili.us
- The activities relevant to the data transferred are the provision and receipt of the Service as described in the Agreement.
- The signature and date are the signature and date set forth in the Agreement.
- The roles of the parties are as follows: Auxilius is a processor and Customer is a processor.
- Annex I.B.
- The categories of data subjects are: personnel of the Institution; and clinical study subjects.
- The categories of personal data are:
- For personnel of the Institution: business contact details including name, email, or phone number; and
- For clinical study subjects (each category of which will be pseudonymized by the data exporter prior to transfer):
- subject ID number;
- subject visit dates; and
- subject enrollment and discontinuation reports (excluding any treatment efficacy information).
- The sensitive data transferred includes pseudonymous data concerning clinical study subjects described above to the extent that such data constitutes pseudonymous data concerning health.
- The frequency of the transfer shall be on a continuous basis.
- The nature of the processing is such that the personal data will be subject to basic processing, including but not limited to collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction for the purpose of providing the Service by data importer to the data exporter in accordance with the terms of the Agreement.
- The purpose of the data transfer and further processing is provision of the Service by data importer to data exporter.
- The duration of the processing under these Processor to Processor Standard Contractual Clauses shall continue as long as data importer carries out personal data processing operations on behalf of data exporter or until the termination of the Agreement (and all personal data has been returned or deleted in accordance with these Processor to Processor Standard Contractual Clauses).
- For transfers to sub-processors, personal data will be transferred to sub-processors in order for the data importer to provide the Service to the data exporter. The nature of the processing by such sub-processors will be as follows: the personal data will be subject to basic processing, which may include without limitation collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction for the purpose of providing the Service to the data exporter in accordance with the terms of the Agreement. The duration of the processing by such sub-processors shall continue as long as such sub-processors carry out personal data processing operations on behalf of the data importer.
- Annex I.C.
- The data exporter’s competent supervisory authority will be determined in accordance with the GDPR.
- Annex II.
- Section (a)(10)(i) of Schedule A is incorporated herein by reference.
- Annex III.
- Section (a)(11)(i) of Schedule A is incorporated herein by reference.
Schedule C
UK DTA
For the purposes of the UK DTA:
- For the purposes of Table 1 of the UK DTA, the start date shall be the later of the DPA Date or the Effective Date, and the names of the parties, their roles and their details shall be as set out in Schedule A Section (a)(7) and Schedule B Section (a)(7), respectively;
- For the purposes of Tables 2 and 3 of the UK DTA, the Controller to Processor Standard Contractual Clauses and the Processor to Processor Standard Contractual Clauses, including the information set out in Schedule A Section (a)(8), (10), and (11)(i) and Schedule B Section (a)(8), (10), and (11)(i), respectively, shall apply; and
- For the purposes of Table 4 of the UK DTA, either party may end the UK DTA.