Healthwoosh
DATA PROTECTION AGREEMENT (DEFAULT D.P.A.)
Data Processing Agreement (DPA)
Effective Date: 3rd December 2024

Section A: Definitions
1.1. Data Controller: The entity that determines the purposes and means of the processing of personal data.

1.2. Data Processor: The entity that processes personal data on behalf of the Data Controller. In the context of Healthwoosh services, this is Healthwoosh.

1.3. Sub-Processor or Third Parties:
A) In this DPA, Healthwoosh may use sub-processors in relation to any elements it uses to build the service offers it brings to market, enabling Data Controllers to build services or request turnkey services to specification.

B) Also, any third party appointed by the Controller or used by their other Data Processors to process personal data on behalf of the Data Controller. This requires separate direct agreements between the Data Controller and those parties. Healthwoosh is not responsible for other processors' or sub-processors' commitments to Data Controllers in such instances. In such instances the Data Controller is responsible for the approval workflow to validate the sub-processor's compliance with GDPR.

In the event of any doubt or ambiguity regarding the roles and responsibilities of Data Controller, Data Processor, or Sub-Processor, the determination made by Healthwoosh (Quantum Touch Limited) shall be paramount and binding, unless otherwise established through a separate, explicit contract and Data Processing Agreement (DPA). This clause ensures that Healthwoosh's interpretation of roles and responsibilities is the default standard in the absence of additional agreements.

1.4. Personal Data: Any information relating to an identified or identifiable natural person.

1.5. Processing: Any operation or set of operations performed on personal data, whether or not by automated means.

1.6. GDPR: General Data Protection Regulation, the EU regulation for data protection and privacy.

1.7. Platform: Healthwoosh's application creation, hosting, and management platform.

1.8. Services: The services provided by Healthwoosh, including the Platform and any additional features or support.

Section B: Healthwoosh as Data Processor
Parties: This Agreement is made between Quantum Touch Limited ("Healthwoosh"), registered at [Insert Address], and [Client Name] ("Controller"), registered at [Insert Address].
Purpose: This DPA sets forth the terms and conditions under which Healthwoosh processes personal data on behalf of the Controller in connection with the services provided by Healthwoosh.

2. Roles and Responsibilities
2.1. Healthwoosh's Obligations:

Process personal data only on documented instructions from the Controller.
Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.
Ensure that persons authorized to process the personal data have committed themselves to confidentiality.
Assist the Controller in ensuring compliance with GDPR, including data subject rights and data breach notifications.
Delete or return all personal data to the Controller after the end of the provision of services.
Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA.

2.2. Controller's Obligations:
Compliance with Laws: The Controller must comply with the Data Protection Acts and GDPR at all times and is responsible for determining the purposes and means of processing under this Agreement.
Data Adequacy: Ensure all data is adequate, relevant, and adheres to data minimization principles.
Third-Party Compliance: Ensure any third-party services or integrations used in conjunction with Healthwoosh services comply with applicable data protection laws. Obtain necessary consents and ensure the compliance of third-party services or subprocessors required for any integration.
Data Provision: Make available to the Processor all data agreed to be processed in a timely manner and in the agreed format. Ensure the quality and accuracy of the data.
Due Diligence: Verify the validity and suitability of the Processor before entering into a business relationship. Conduct adequate onboarding and due diligence checks for all Processors, ensuring compliance with Data Protection Law requirements.
Explicit Instructions: Provide explicit instructions to the Processor regarding the duration for which personal data should be retained and the specific conditions under which data should be deleted. Ensure these instructions comply with applicable data protection laws and are documented in Schedule 3 of this Agreement.

Verification of Processes: Verify that the Processor has adequate and documented processes for data breaches, data retention, and data transfers in place.

Use of Services: Use Healthwoosh products, services, and features as intended, ensuring adherence to provided guidelines and documentation. Maintain and update data protection terms and policies within the application.

Regular Reviews: Conduct regular reviews of the personal data processed and update or delete data as required to ensure ongoing compliance with data protection principles.

Timely Information Provision: Provide the Processor with timely and accurate information regarding any changes to processing activities or requirements, including updates to data protection impact assessments and new or amended legal obligations.

Roadmap Participation: Actively participate in the development and maintenance of a roadmap for future upgrades and integrations of Healthwoosh services. Engage in regular planning sessions, approve project plans, timelines, and budgets for any new developments or modifications in a timely manner.

Support and Communication: Utilize the support and communication channels provided by Healthwoosh for any issues or requests related to the services, including using the designated support portal and providing detailed and accurate information when reporting issues or requesting changes.

Cost Bearing for Custom Developments: Bear the costs of any custom developments, integrations, or significant upgrades outside the standard scope of services provided by Healthwoosh, with costs agreed upon in writing before commencement.

Verification Obligations: Obtain evidence from the Processor regarding verification and reliability of employees, certificates, accreditations, policies, and technical and operational measures described in Schedule 1 of this Agreement. Ensure procedures are in place for data subjects to exercise their rights, including access requests, erasure, rectification, and restriction of processing.

Sub-Processor Agreements: Verify that similar data protection agreements are in place between the Processor and any authorized Sub-Processor. Ensure the details of the Sub-Processor are added to Schedule 2 of this Agreement.

Liability Limitation: The liability of the Processor under this Agreement shall not exceed 10% of the total service fees paid by the Controller to the Processor during the 12 months preceding the claim, reflecting the mutual responsibility of the Data Controller in evolving the proposition and integrating systems, subprocessors, and workflows. Healthwoosh is not liable for service disruptions arising from the Data Controller’s failure to implement recommended security measures, integration standards, or configurations as advised.

Proportionality of Application: Scale the obligations of the Processor according to the size of the Processor and the volume of data processed, ensuring obligations are not disproportionately burdensome.

Non-Interference: The Controller has no authority to interfere, suppress, or act in any manner to cause damage to Healthwoosh. Any requests for data deletion, preferred workflows, enhancements, and levels of support must be mutually agreed upon.

3. Sub-Processing
3.1. Use of Sub-Processors: The Controller authorizes Healthwoosh to engage sub-processors to fulfill its obligations under this DPA.
3.2. Sub-Processor Obligations:

Healthwoosh shall ensure that the sub-processor is bound by data protection obligations no less protective than those in this DPA.
Healthwoosh will conduct regular audits of sub-processors to ensure compliance with GDPR and data protection obligations.
Healthwoosh will maintain an updated list of sub-processors and notify users of any changes promptly within a specified timeframe.
Implement a rating and scoring system for sub-processors based on their compliance and performance.
Establish a red card strike system where third parties or sub-processors receive warnings and face penalties for repeated non-compliance.

4. Security Measures
4.1. Technical and Organizational Measures: Healthwoosh shall implement and maintain appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.

Healthwoosh will continuously review and enhance security measures to address emerging threats and vulnerabilities. However, at no point will this responsibility overshadow the Data Controller's responsibility to also protect its data by following any recommendations from Healthwoosh for its Business Scaling plan.

Establish a dedicated security team to monitor and enhance security measures continuously.
Implement regular, mandatory security training for all staff.

Upon exceeding data thresholds and the scaling plan, when advised by Healthwoosh, the Data Controller will migrate hosting responsibilities to an infrastructure under their own control. Healthwoosh will remain the Data Processor for platform functionalities and the front-end experience but will not retain responsibility for database hosting, security, or compliance beyond the scaling migration plan once each Data Controller has been notified and advised. The Data Controller's compliance with Healthwoosh security recommendations is paramount; recommendations must be followed in a timely fashion, within 8 weeks of issuance.
The Data Controller is responsible for adhering to security protocols as advised by Healthwoosh and maintaining compliance with all data management requirements. Failure to comply may result in service disruptions or increased liability exposure.

5. Data Subject Rights and Assistance
5.1. Assistance: Healthwoosh will assist the Controller in responding to data subject requests and ensuring compliance with GDPR, including access, rectification, erasure, restriction of processing, data portability, and objection to processing.

Introduce a self-service portal for data subjects to manage their rights requests efficiently.
Automate the request management process to handle requests promptly and accurately.
Implement an SLA for response times to data subject requests.

6. Audit and Compliance
6.1. Audit Rights: The Controller has the right to request evidence of the annual audit and of Healthwoosh’s compliance with this DPA and applicable data protection laws, provided that such audits are conducted in a reasonable manner and do not interfere with Healthwoosh’s business operations. A single audit may be made available to all customers, at a cost borne by the requesting Data Controller.

Healthwoosh reserves the right to audit users’ compliance with this DPA and applicable data protection laws.
Implement a tiered audit process to balance thoroughness with user cooperation. Provide a shared audit report for all Controllers.

6.2. Documentation and Information: Healthwoosh will provide the Controller with the necessary documentation and information to demonstrate compliance with this DPA and applicable data protection laws, either by email or document, or by publication on our website with a link provided.

7. Liability and Indemnity
7.1. Liability:
7.1.1. Healthwoosh's Liability: Healthwoosh’s liability arising out of or related to this DPA shall be limited to direct damages and capped at the amount paid by the Controller for the services under this DPA in the twelve (12) months preceding the event giving rise to the liability.

7.1.2. User's Liability: Users acting as Data Controllers or Data Processors shall be liable for any damages arising out of their breach of this DPA or applicable data protection laws. Users must bear full liability for any misuse or inappropriate utilization of the platform. The Data Controller agrees to indemnify and hold Healthwoosh harmless from any claims, penalties, or damages resulting from their failure to maintain adequate insurance, comply with applicable regulations, or properly manage data and workflows within the platform.


7.2. Indemnity:

7.2.1. Indemnification by Data Controller: Healthwoosh agrees to indemnify, defend, and hold the Controller harmless from and against any claims, damages, liabilities, costs, and expenses (including reasonable legal fees) arising out of or related to Healthwoosh’s breach of the terms of this DPA or GDPR.

The Data Controller agrees to indemnify and hold Healthwoosh harmless from any claims, penalties, or damages resulting from their failure to comply with hosting transition requirements, maintain adequate security, or properly manage data and workflows within the platform, particularly if ignoring advices for scaling plan and Data Controller obligations to assume control of their data via facilities offered by Healthwoosh.

The Data Controller assumes full responsibility for ensuring that any third-party hosting providers or processors comply with GDPR and other applicable regulations. Healthwoosh disclaims liability for any breaches or disruptions arising from third-party actions.

7.2.2. Indemnification by Users: Users agree to indemnify, defend, and hold Healthwoosh harmless from and against any claims, damages, liabilities, costs, and expenses (including reasonable legal fees) arising out of or related to the user’s breach of this DPA, GDPR, or any applicable data protection laws.

7.3. Liability for Inappropriate Use: Parties utilizing the platform inappropriately bear all liability for resulting issues.

7.4. Mediation Service: Introduce an optional mediation step before any legal proceedings can be initiated. If either party chooses not to avail of mediation, they may update, fix, or resolve their service or may choose to exit the Healthwoosh ecosystem with no recourse to a lawsuit, acknowledging the associated risks.

8. Users as Data Controllers and Processors
8.1. Parties: This Agreement is made between Quantum Touch Limited ("Healthwoosh") and the Data Controller ("User"), which can act as a Data Controller or Data Processor or add sub-processors when using the Healthwoosh platform.

8.2. Purpose: This DPA sets forth the terms and conditions under which users of the Healthwoosh platform process personal data either as data controllers or data processors.

9. Definitions Specific to Users
9.1. User as Data Controller: A user who determines the purposes and means of processing personal data on the Healthwoosh platform.

9.2. User as Data Processor: A user who processes personal data on behalf of another Data Controller using the Healthwoosh platform.

9.3. End User: An individual who interacts with a service or application created by a user on the Healthwoosh platform.

10. Roles and Responsibilities
10.1. User as Data Controller:
• Users may act as Data Controllers when they use the platform to create and manage their own applications and services, if they are the brand owner of the service or are acting as an agent under another contract with a Data Controller that allows this directly.
• As Data Controllers, users are responsible for determining the purposes and means of processing personal data.
• Users must ensure compliance with GDPR and other applicable data protection laws.
• Users are required to conduct Data Protection Impact Assessments (DPIAs) and appoint Data Protection Officers (DPOs) where necessary.
• Controllers must form their own direct contracts and DPAs with any processors or third parties not managed by Healthwoosh.

10.2. User as Data Processor:
• Users may act as Data Processors when they process personal data on behalf of another Data Controller.
• As Data Processors, users must process personal data only on documented instructions from the Data Controller and comply with the same obligations outlined in Section B for Healthwoosh.
• Users must regularly provide compliance reports to Healthwoosh.
• Implement a detailed checklist and certification process for users before they can act as Data Processors.

11. Onboarding and Management
11.1. Onboarding Process:
• During the onboarding process, users must specify their role (Data Controller or Data Processor) and provide necessary documentation to demonstrate compliance with GDPR.
• Healthwoosh will provide detailed onboarding and training for controllers and processors on GDPR compliance.

11.2. Management of Controllers and Processors:
• Healthwoosh will manage the roles of users on the platform and ensure that all parties are aware of their responsibilities.
• Users must ensure that any third-party processors they engage also comply with GDPR and are bound by data protection obligations no less protective than those in this DPA.
• Users must notify and obtain approval from Healthwoosh before engaging any sub-processors.
• Implement a red card strike system for users who repeatedly fail to comply with data protection requirements.

12. Security Measures
12.1. Technical and Organizational Measures: Users must implement and maintain appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.
• Healthwoosh will provide ongoing support and resources to help users manage their data protection responsibilities.


13. Data Subject Rights
13.1. Assistance with Requests: Users, whether acting as Data Controllers or Data Processors, must assist with requests from data subjects to exercise their rights under GDPR, including access, rectification, and erasure.

14. Breach Notification
14.1. Obligation to Notify: Users must notify Healthwoosh without undue delay after becoming aware of a personal data breach.
14.2. Cooperation: Users must cooperate with Healthwoosh in managing and mitigating the effects of any data breach.

15. Audit and Compliance
15.1. Audit Rights: Healthwoosh reserves the right to audit users’ compliance with this DPA and applicable data protection laws, provided that such audits are conducted in a reasonable manner and do not interfere with the users’ business operations.

Implement a tiered audit process to balance thoroughness with user cooperation. Provide a shared audit report for all Controllers.

15.2. Documentation and Information: Users must provide Healthwoosh with the necessary documentation and information to demonstrate compliance with this DPA and applicable data protection laws.

Schedule regular compliance review options.

16. General Provisions
16.1. Governing Law: This DPA shall be governed by and construed in accordance with the laws of Ireland, without regard to its conflict of law principles.

16.2. Severability: Should any provision of this DPA be found to be invalid or unenforceable by a court of competent jurisdiction, such provision shall be deemed modified to the minimum extent necessary to make it valid and enforceable. If such modification is not possible, the invalidity or unenforceability of any provision shall not affect the validity or enforceability of the remaining provisions, which shall remain in full force and effect. Healthwoosh shall have the discretion to enforce the remaining provisions independently.

17. Dispute Resolution
17.1. Dispute Resolution Procedures: Any disputes arising out of or in connection with this DPA shall be resolved in accordance with the dispute resolution procedures outlined in the Terms of Service.  Disputes will be resolved by non-binding arbitration administered by the Irish Arbitration Association under its Commercial Arbitration Rules in Dublin, Ireland, or other agreed jurisdictions if mutually consented by all parties.

18. Changes to the DPA
18.1. Right to Change: Healthwoosh reserves the right to make changes to this DPA. When such changes are made, they will be posted on Healthwoosh's website, and users will be notified through the platform.

Acknowledgment of Changes: Users are required to acknowledge and accept changes within a specified timeframe.

19. Contact Information
For any questions or concerns regarding this DPA, please contact:

Quantum Touch Limited (Healthwoosh)
Email: fisk@healthwoosh.ai

20. Specific Obligations of Users
20.1. User Responsibilities as Data Controllers:

Compliance with Laws: Users acting as Data Controllers must ensure that their processing of personal data complies with GDPR and any other applicable data protection laws.
Privacy Notices: Data Controllers must provide data subjects with clear and comprehensive information about how their personal data is processed, including purposes, legal basis, and data subject rights.

Insurance:  The Data Controller shall maintain insurance coverage, including but not limited to Professional Indemnity and Cyber Liability Insurance, to mitigate risks arising from the use of the platform. This coverage must address potential data breaches, regulatory fines, and operational disruptions related to workflows, integrations, and data management.

Data Protection Impact Assessments (DPIAs): When necessary, Data Controllers must conduct DPIAs to assess the impact of their data processing activities on the protection of personal data.
Data Protection Officer (DPO): If required by GDPR, Data Controllers must appoint a DPO to oversee data protection compliance and act as a point of contact for data subjects and supervisory authorities.
Direct Contracts and DPAs: Controllers must form their own direct contracts and DPAs with any processors or third parties not managed by Healthwoosh.
Responsibility for Third Parties: Controllers are solely responsible for the compliance of their integrated processors and third-party services.

20.2. User Responsibilities as Data Processors:

Processing on Instructions: Users acting as Data Processors must only process personal data based on the documented instructions of the Data Controller.
Confidentiality: Data Processors must ensure that all personnel involved in the processing of personal data are committed to confidentiality.
Security Measures: Data Processors must implement appropriate technical and organizational measures to protect personal data against unauthorized access, loss, and other security incidents.
Assistance to Data Controllers: Data Processors must assist Data Controllers in ensuring compliance with their obligations under GDPR, including responding to data subject requests and conducting DPIAs.

21. Sub-Processing by Users
21.1. Authorization of Sub-Processors: Data Processors must not engage sub-processors without the prior written authorization of the Data Controller.

Data Processors must notify Healthwoosh and obtain necessary authorizations before engaging sub-processors.


21.2. Sub-Processor Agreements: Data Processors must ensure that sub-processors are bound by data protection obligations no less protective than those in this DPA.

21.3. Liability for Sub-Processors: Data Processors remain fully liable to the Data Controller for the performance of the sub-processor’s obligations.

22. Data Transfers
22.1. Transfers Outside the EU: Any transfer of personal data outside the EU must comply with GDPR requirements, including the use of appropriate safeguards such as Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs).

22.2. Notification of Transfers: Users must notify Healthwoosh and obtain necessary authorizations before transferring personal data outside the EU.

Section F: A) Liability and Indemnity: Data Controller / Third Party Processors
23.1. Healthwoosh's Liability: Healthwoosh’s liability arising out of or related to this DPA shall be limited to any and all direct damages caused by the Data Controller misusing, misdirecting or mismanaging, whether by negligence or by not upgrading and managing their services to the required industry standards, and in the event giving rise to any liabilities to Healthwoosh or its other customers availing of its platforms and services.

23.2. User's Liability: Users acting as Data Controllers or Data Processors shall be liable for any damages arising out of their breach of this DPA or applicable data protection laws. Users must bear full liability for any misuse or inappropriate utilization of the platform.


23.3. Data Controller Responsibility for Processors/Sub-Processors/Third Party Integrations: The Data Controller bears all responsibility for the third-party processors it chooses to integrate into workflows or services offered by Healthwoosh and is responsible for ensuring their compliance.

Section F: B) Liability and Indemnity: Healthwoosh
24.1. Indemnification by Healthwoosh: Limited to 20% of the annual revenue with the Data Controller, and only in the event of a breach occurring through actions taken by Healthwoosh and not through the improper use of its services, facilities, and business model terms and practices.

24.2. Indemnification by Users: Users agree to indemnify, defend, and hold Healthwoosh harmless from and against any claims, damages, liabilities, costs, and expenses (including reasonable legal fees) arising out of or related to the user’s breach of this DPA, GDPR, or any applicable data protection laws.

24.3. Liability for Inappropriate Use: Parties utilizing the platform inappropriately bear all liability for resulting issues.

Section G: Term and Termination
25.1. Term: This DPA shall remain in effect for the duration of the agreement between Healthwoosh and the Controller or User unless terminated earlier in accordance with the terms of this DPA.

26.1. Termination for Convenience: Either party may terminate this DPA by providing thirty (30) days' written notice to the other party. Healthwoosh reserves the right to suspend or terminate services for failure to meet payment obligations, non-compliance with security protocols, or breach of contractual responsibilities, with notice as required by applicable law.


26.2. Termination for Cause: Either party may terminate this DPA immediately upon written notice if the other party is in material breach of this DPA and fails to cure such breach within thirty (30) days of receipt of notice of such breach.

27.1. Effect of Termination: Upon termination of this DPA, Healthwoosh shall, at the choice of the Controller, delete or return all personal data to the Controller and delete existing copies unless applicable law requires storage of the personal data.


27.2. If no other DPA is agreed upon, the user must deactivate their services if they cannot operate within Healthwoosh's business model and practices. In such instances, the user is responsible for managing their application independently.

27.3. Ecosystem Responsibilities and Change Collaboration
The Data Controller recognizes their responsibility to actively manage their role within the Healthwoosh ecosystem, including evaluating terms and services prior to procurement and collaborating on enhancements where advised. When notified of scaling plan requirements or other necessary changes, the Data Controller agrees to avail of such options in a timely manner to ensure operational continuity and compliance.
Healthwoosh will make reasonable efforts to address agreed concerns or gaps through its established change request process, which Data Controllers must fund based on the quoted response, provided such changes are beneficial to the ecosystem and industry. The Data Controller agrees to provide adequate time, resources, and collaboration for the implementation of any enhancements or updates deemed necessary and mutually agreed upon. Failure to comply with these responsibilities does not constitute a breach on the part of Healthwoosh.
Customizations or endpoint upgrades requested by the Data Controller must follow the documented Change Request (CR) process, with associated costs detailed via Purchase Orders (POs). These requests are outside the scope of standard services and must align with Healthwoosh’s operational guidelines.
Healthwoosh retains the right to reject requests that fundamentally alter the business model or impose disproportionate operational burdens without mutual agreement.

27.4. No funds or compensation are applicable upon termination, as the onus is on the Data Controller and any Third Party at all times to understand Healthwoosh's business model or to agree different terms by way of contract if they wish for more than the default terms, policies, or DPAs.

29. Contact Information
Healthwoosh reserves the right to update this DPA from time to time as required to support new and evolving services and will notify customers.

For any questions or concerns regarding this DPA or suggested improvements, please contact:

Quantum Touch Limited (Healthwoosh)
Email: mike@healthwoosh.ai