Data Processing Addendum
Last Updated: February 2021
This Data Processing Addendum (“Addendum”) forms part of the Terms and Conditions or any agreement, including any electronic agreement, between Amplio Learning Technologies Inc. (formerly AmplioSpeech Inc.) (“Processor” or, when only HIPAA is applicable, “Business Associate”) and Entity (“Controller” or, when only HIPAA is applicable, “Covered Entity”) for the purchase of services, including use of or access to the Platform (the “Services” and the “Agreement”), to reflect the parties’ agreement with regard to Processor’s processing of Personal Data.
By accepting or signing the Agreement and/or accessing or using the Platform, Entity enters this Addendum.
1. Interpretation and Conflict of Laws
This Addendum constitutes a data processing agreement as required by Applicable Data Protection Laws, and/or a Business Associate Agreement as required by HIPAA where Controller and Processor fall under the HIPAA definitions of “Covered Entity” and “Business Associate”. Any processing of Personal Data shall be governed by Applicable Data Protection Laws.
Any term not defined herein shall have the meaning ascribed thereto in the Agreement.
2. Definitions
2.1. “Applicable Data Protection Laws” means all laws and regulations relating to personal data, privacy or databases that are applicable to the parties in connection with the Services and the Agreement. This may include without limitation: (a) HIPAA (as defined below); (b) the Family Educational Rights and Privacy Act (FERPA); (c) the Children’s Online Privacy Protection Act of 1998 (COPPA); (d) the Health Information Technology provisions of the American Recovery and Reinvestment Act of 2009 (HITECH); (e) the Israeli Protection of Privacy Law, 5741-1981, any regulations enacted thereunder and any guidelines and/or instructions published by the Israeli Privacy Protection Authority; (f) the California Consumer Privacy Act and its implementing regulations; and (g) any other US federal or state data protection or privacy laws and regulations as may be applicable.
2.2. “Approved Jurisdiction” means jurisdiction as may be approved by Applicable Data Protection Laws as having adequate legal protections for personal data.
2.3. “Breach Incident” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to, Personal Data transmitted, stored or otherwise processed by Processor. When a Breach Incident involves PHI, Breach Incident shall also include a Breach (as defined below).
2.4. “Controller”, “Processor”, “Data Subject”, “Special Categories of Personal Data” shall have the meaning ascribed to them in Applicable Data Protection Laws.
2.5. “HIPAA” means the Health Insurance Portability and Accountability Act of 1996, P.L. No. 104-191, 110 Stat. 1936 (1996), and/or its relevant regulations, including the HIPAA Rules.
2.6. “HIPAA Rules” means the Privacy, Security, Breach Notification, and Enforcement Rules of HIPAA.
2.7. The following terms used in this Addendum shall have the meaning ascribed thereto in the HIPAA Rules: Business Associate, Covered Entity, Breach, Data Aggregation, Designated Record Set, Disclosure (or Disclose), Health Care Operations, Individual, Minimum Necessary, Notice of Privacy Practices, Required by Law, Secretary, Security Incident, Subcontractor, and Use.
2.8. “Personal Data” shall have the meaning ascribed to such term in the Applicable Data Protection Laws and shall refer to such data which Processor Processes on behalf of Controller in accordance with Controller’s instructions when providing the Services. Personal Data shall include PHI, as applicable.
2.9. “Process” and “processing” shall have the meanings ascribed to them in the Applicable Data Protection Laws.
2.10. “Protected Health Information” (“PHI”) shall have the meaning ascribed to such term in HIPAA and includes electronic PHI (“ePHI”).
2.11. “Sub-Processor(s)” means a person engaged by Processor, including any affiliate, agent or assign of Processor that may process Personal Data.
2.12. “Third Country” means any other country, state, and/or federation that is not an Approved Jurisdiction.
3. Permitted Processing
3.1. Processor shall process Personal Data solely for purpose of carrying out the Services in accordance with the Agreement.
3.2. Processor may de-identify Personal Data in accordance with Applicable Data Protection Laws, and may subsequently Use and Disclose such de-identified data unless prohibited by Applicable Data Protection Laws.
3.3. Processor may Use Personal Data for its proper management and administration or to carry out its legal responsibilities.
3.4. Processor may Disclose Personal Data for its proper management and administration or to carry out its legal responsibilities, provided that the disclosures are required by law, or that Processor obtains reasonable assurances from the person to whom the information is disclosed that the information will remain confidential and will be Used or further disclosed only as required by law or for the purposes for which it was disclosed to the person, and that the person notifies Processor of any instances of which it is aware in which the confidentiality of the information has been breached.
3.5. Processor may provide Data Aggregation services relating to the operation, including the Health Care Operations, of Controller.
3.6. In addition, Business Associate: (a) may Use or Disclose PHI as required by law; (b) agrees to make Uses and Disclosures and requests for PHI consistent with Covered Entity’s Minimum Necessary policies and procedures; and (c) may not Use or Disclose PHI in a manner that would violate Subpart E of 45 CFR Part 164 of HIPAA if done by Covered Entity except for the specific Uses and Disclosures set forth above.
3.7. The duration of the processing shall be for the term of the Agreement and shall apply to all of the Services and/or materials delivered by the Processor pursuant thereto.
3.8. The following types of Personal Data may be processed: names, addresses or geographic data, email addresses, telephone and fax numbers, log-on credentials, birth date or age, student ID, school district, name of educators/clinicians/interventionists/supervisors, type of treatment, administrative and clinical information regarding the treatment plan, clinical and educational measurements and notes, audio recordings, video recordings, IP addresses, cookies (including cookie ID), statistical data, school ID number, health plan beneficiary number, certification/license numbers, web URLs, biometric identifiers of voiceprints, full face photographic images and any comparable images.
3.9. The following categories of Data Subjects may be affected by the processing: students, student caregivers, educators/clinicians/interventionists/supervisors, and staff members of schools, school districts, cooperations of school districts, education service centers, federal, state or local education agencies, and HMOs.
4. Compliance with Laws
4.1. Each Party shall comply with its respective obligations under the Applicable Data Protection Laws.
4.2. To the extent Business Associate is to carry out one or more of Covered Entity’s obligation(s) under Subpart E of 45 CFR Part 164 of HIPAA, Business Associate shall comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligation(s).
4.3. Controller shall ensure that: (a) Data Subjects are informed of Processor’s Use of Personal Data and all consents and permits from Data Subjects are obtained, as required under Applicable Data Protection Laws; (b) Personal Data will be collected, processed and transferred by Controller in accordance with Applicable Data Protection Laws; and (c) any instruction to Processor in connection with the processing of Personal Data, will be carried out in accordance with Applicable Data Protection Laws.
4.4. Controller shall notify Processor of any: (a) limitation(s) in its Notice of Privacy Practices under the Applicable Data Protection Laws; (b) changes in, or revocation of, the permission by an Individual to process, Use or Disclose his or her Personal Data; or (c) restriction on the processing, Use or Disclosure of Personal Data that Controller has agreed to or is required to abide by under Applicable Data Protection Laws; in each case to the extent that such limitations, changes or restrictions may affect Processor’s processing, Use or Disclosure of Personal Data.
5. Special Categories of Personal Data. Controller shall notify Processor prior to the processing if the Personal Data includes special categories of Personal Data, whether any restrictions on processing apply thereto and whether it has special instructions to be adhered to. In such event: (a) Controller represents that any collection of special categories of Personal Data is subject to specific consent or an alternative legal basis as required by Applicable Data Protection Laws; (b) Processor acknowledges that access to special categories of Personal Data will be restricted to staff who have been informed about the sensitivity of the processing and the measures to be followed; and (c) the parties acknowledge that special security measures shall be taken when transferring, accessing or storing such data, and that any transfer shall be in compliance with Applicable Data Protection Laws.
6. Obligation of Confidentiality. Processor shall take reasonable steps to ensure that (a) its employees, agents and/or contractors have access to Personal Data on a “need to know” basis, (b) they have signed, or are otherwise legally bound by, confidentiality obligations at a level similar to those of the Agreement, and (c) they are properly educated and trained to keep the Personal Data secure and to comply with Applicable Data Protection Laws.
7. Security Measures. Processor shall, in relation to Personal Data, implement commercially reasonable security-related policies, standards, and practices commensurate with the size and complexity of Processor’s business, the level of sensitivity of the data collected, handled, and stored, and the nature of Processor’s business activities (“Security Measures”), including, as appropriate, the following measures: (a) pseudonymization and/or encryption of Personal Data; (b) ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services; (c) ability to quickly restore the availability and access to Personal Data in the event of a physical or technical incident; and (d) maintaining a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing. In addition, Business Associate shall use appropriate safeguards and comply with Subpart C of 45 CFR Part 164 of HIPAA with respect to ePHI, to prevent Use or Disclosure of PHI other than as provided for by the Agreement.
8. Assistance with Safeguarding the Rights of Data Subjects
8.1. Processor shall reasonably assist Controller in safeguarding Data Subjects’ rights and in fulfilling its obligations to respond to data portability, rectification, deletion or blocking requests from Data Subjects, as set forth under Applicable Data Protection Laws.
8.2. In addition, Business Associate shall: (a) make available PHI in a Designated Record Set to the Covered Entity as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.524 of HIPAA (Access Right); (b) make any amendment(s) to PHI in a Designated Record Set as directed or agreed to by Covered Entity pursuant to 45 CFR 164.526 (Right to Amend), or take other measures as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.526 of HIPAA; and (c) maintain and make available the information required to provide an accounting of disclosures to the Covered Entity as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.528 of HIPAA.
8.3. Where Processor receives any request from an individual to exercise his or her rights under the Applicable Data Protection Laws, Processor will promptly redirect the request to Controller and provide reasonable assistance in the exercise of the access right.
9. Assistance with Ensuring Compliance with Applicable Data Protection Laws.
9.1. Processor shall reasonably assist Controller in ensuring compliance with privacy obligations of Applicable Data Protection Laws.
9.2. Where Processor receives any requests from applicable data protection authorities relating to the processing of Personal Data, Processor will promptly redirect the request to Controller.
9.3. If Processor receives a legally binding request for the disclosure of Personal Data, Processor shall (to the extent legally permitted) notify Controller upon receipt of such order, demand, or request.
10. Breach Incidents
10.1. Upon becoming aware of a Breach Incident, and no later than 72 hours after becoming aware of it (or, where HIPAA is applicable, no later than 30 days from the discovery of the Breach), the Processor will notify Controller and will provide the information known to it at such time with respect to the nature, scope, and consequences of such Breach Incident.
10.2. Processor will use reasonable endeavors to assist Controller in mitigating, where possible, the adverse effects of any Breach Incident.
10.3. Processor’s obligations under this Section shall not apply to Breach Incidents that are caused by Controller.
10.4. Upon reasonable notice, the Processor shall provide reasonable assistance to Controller in compliance with any notification obligations of Breach Incidents to the supervisory authority and communication obligations to Data Subjects, as required under the Applicable Data Protection Laws.
11. Security Assessments and Audits
11.1. Processor shall, upon reasonable and written notice and subject to obligations of confidentiality, allow its data processing policies to be inspected annually by a third party to be agreed upon between Processor and Controller in order to ascertain compliance with this Addendum. Costs of such inspection shall be borne by Controller.
11.2. Business Associate shall make its internal practices, books, and records available to the Secretary for purposes of determining compliance with the HIPAA Rules.
11.3. Processor shall provide Controller at Controller’s cost and not more than once a year, with reports as reasonably requested by Controller in writing regarding the management and processing of the Personal Data.
12. Transfers to an Approved Jurisdiction and/or Third Country. Unless otherwise prohibited in the Agreement, Controller agrees that Processor may transfer Personal Data to an Approved Jurisdiction and/or a Third Country provided that transfers to a Third Country shall be made subject to safeguards no less protective of Controller and/or Personal Data than those set forth herein and in accordance with the Applicable Data Protection Laws.
13. Sub-Processors. Unless otherwise prohibited in the Agreement, Controller agrees that Processor may engage Sub-Processors to perform its obligations under the Agreement, provided that they agree to process Personal Data in a manner consistent with, and no less protective of Controller and/or Personal Data than, the terms of this Addendum, and provided that Processor remains liable for the acts and omissions of such Sub-Processors.
14. Term and Termination
14.1. Term. This Addendum shall be effective as of the effective date of the Agreement and shall terminate on the date the Agreement is terminated or Controller terminates for cause as authorized in Section 14.2, whichever is sooner.
14.2. Termination for Cause. Processor authorizes termination of this Addendum by Controller if Controller determines Processor has violated a material term of this Addendum and Processor has not cured the breach or ended the violation within a reasonable time of not less than 30 days.
15. Deletion and Return at the End of Processing
15.1. Upon termination of the Agreement and/or this Addendum, Processor will delete or return to Controller, and instruct its Sub-Processors to delete or return, all existing copies of Personal Data which are in its or its Sub-Processors’ possession.
15.2. Upon written request, the Processor shall provide written certification to Controller that it has fully complied with the requirements under this Section.
15.3. Notwithstanding the foregoing, Processor may retain Personal Data to the extent and for such period as required: (a) by applicable laws; (b) for the purpose of defending itself against legal claims; and (c) to continue its proper management and administration or to carry out its legal responsibilities. During such time, Processor shall not process such Personal Data other than for the purposes set forth above and subject to the same conditions set out in this Addendum. Processor shall delete or return to Controller such Personal Data when it is no longer needed for the above purposes.
15.4. Survival. Provisions which by their nature are intended to survive the suspension or termination of this Addendum shall survive its termination.
16.1. Should any provision of this Addendum be invalid or unenforceable, then the remainder of this Addendum shall remain valid and in force. The invalid or unenforceable provision shall be either (a) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (b) construed in a manner as if the invalid or unenforceable part had never been contained therein.
16.2. Any claims brought in connection with this Addendum will be subject to the terms and conditions, including but not limited to, the exclusions and limitations set forth in the Agreement.
16.3. Processor may update the terms of this Addendum from time to time. The then-current terms of this Addendum are available at https://ampliolearning.com/terms/