
DATA PROTECTION ADDENDUM

This Data Protection Addendum ("Addendum"), dated 4th March 2024, and effective as of the Addendum Effective Date (as defined below), forms part of the Terms of Service ("Terms") between (i) InstaPract Healthtech IT Solutions LLC ("InstaPract") and (ii) customer (as defined in this document), each being a "Party" and together the "Parties".

The Parties hereby agree that the terms and conditions set out below shall be added as an Addendum to the Terms and references in this Addendum to the Terms are to the Terms as amended by, and including, this Addendum.

1. Definitions

1.1 In this Addendum, the following terms shall have the meanings set out below and cognate terms shall be construed accordingly:

  • "Addendum Effective Date" has the meaning given to it in section 2;
  • "Affiliate" means an entity that owns or controls, is owned or controlled by, or is under common control or ownership with either Client or InstaPract (as the context allows), where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise;
  • "Client Personal Data" means any Personal Data Processed by InstaPract (i) on behalf of Client (including for the sake of clarity, any Client Affiliate), or (ii) otherwise Processed by InstaPract, in each case pursuant to or in connection with instructions given by Client in writing, consistent with the Terms;
  • "Controller to Processors" means the Standard Contractual Clauses (processors) for the purposes of Article 26(2) of Directive 95/46/EC set out in Decision 2010/87/EC as the same are revised or updated from time to time by the European Commission;
  • "Data Protection Laws" means (i) Directive 95/46/EC and, from May 25, 2018, Regulation (EU) 2016/679 ("GDPR") together with applicable legislation implementing or supplementing the same or otherwise relating to the processing of Personal Data of natural persons, and (ii) to the extent not included in sub-clause (i), the Data Protection Act 1998 of the United Kingdom, as amended from time to time, and including any substantially similar legislation that replaces the DPA 1998;
  • "Privacy Shield" means the EU-US Privacy Shield Framework; and
  • "Services" means the services to be supplied by InstaPract to Client or Client Affiliates pursuant to the Terms.

1.2 The terms "Controller", "Data Subject", "Personal Data", "Personal Data Breach", "Process", "Processor" and "Supervisory Authority" have the same meanings as described in applicable Data Protection Laws, and cognate terms shall be construed accordingly.

2. Capitalized Terms

Capitalized terms not otherwise defined in this Addendum shall have the meanings ascribed to them in the Terms.

This Addendum is deemed agreed by the Parties and comes into effect on the "Addendum Effective Date", being the later of (i) the date that this Addendum is accepted by Client; and (ii) InstaPract.

3. Roles of the Parties

The Parties acknowledge and agree that with regard to the Processing of Client Personal Data, and as more fully described in Annex 1 hereto, Client acts as a Controller and InstaPract acts as a Processor (as defined in section 5.2.4 below).

The Parties expressly agree that Client shall be solely responsible for ensuring timely communications to Client's Affiliates or the relevant Controller(s) who receive the Services, insofar as such communications may be required or useful in light of applicable Data Protection Laws to enable Client's Affiliates or the relevant Controller(s) to comply with such Laws.

4. Description of Personal Data Processing

In Annex 1 to this Addendum, the Parties have mutually set out their understanding of the details of the Processing of the Client Personal Data to be Processed by InstaPract pursuant to this Addendum, as required by Article 28(3) of the GDPR. Either Party may make reasonable amendments to Annex 1 by written notice to the other Party and as reasonably necessary to meet those requirements. Annex 1 does not create any obligation or rights for any Party.

5. Data Processing Terms

5.1

Client shall comply with all applicable Data Protection Laws in connection with the performance of this Addendum. As between the Parties, Client shall be solely responsible for compliance with applicable Data Protection Laws regarding the collection of and transfer to InstaPract of Client Personal Data. Client agrees not to provide InstaPract with any data concerning a natural person's health, religion, or any special categories of data as defined in Article 9 of the GDPR.

5.2

InstaPract shall comply with all applicable Data Protection Laws in the Processing of Client Personal Data and InstaPract shall:

  1. process the Client Personal Data relating to the categories of Data Subjects for the purposes of the Terms and for the specific purposes in each case as set out in Annex 1 to this Addendum and otherwise solely on the documented instructions of Client, for the purposes of providing the Services and as otherwise necessary to perform its obligations under the Terms including with regard to transfers of Client Personal Data to a third country outside to an international organization; InstaPract shall immediately inform Client if, in InstaPract's opinion, an instruction infringes applicable Data Protection Laws;
  2. ensure that persons authorized to process the Client Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
  3. implement and maintain the technical and organizational measures set out in the Terms and, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, implement any further appropriate technical and organizational measures necessary to ensure a level of security appropriate to the risk of the Processing of Client Personal Data as per following:
    1. pseudonymization and encryption of Client Personal Data;
    2. ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services that process Client Personal Data;
    3. restoring availability and access to Client Personal Data in a timely manner in the event of a physical or technical incident; and
    4. regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing of the Client Personal Data.

6. Transfers

InstaPract is certified by Information Security Management as per ISO 27001:2013. InstaPract shall notify Client in writing without undue delay if it can no longer comply with its obligations under the Privacy compliance, and, in such a case, InstaPract will have the option of (i) promptly taking reasonable steps to remediate any non-compliance with applicable obligations under this Addendum, or (ii) engaging in a good faith dialogue with Client to determine a new data transfer mechanism to carry out the purposes of the Terms. InstaPract acts as a Processor with respect to Personal Data received pursuant to a data transfer.

7. Precedence

The provisions of this Addendum are supplemental to the provisions of the Terms. In the event of any inconsistency between the provisions of this Addendum and the provisions of the Terms, the provisions of this Addendum shall prevail.

8. Indemnity

To the extent permissible by law, Client shall indemnify and hold harmless InstaPract against all (i) losses, (ii) third-party claims, (iii) administrative fines, and (iv) costs and expenses (including without limitation, reasonable legal, investigatory and consultancy fees and expenses) reasonably incurred in relation to (i), (ii) or (iii), suffered by InstaPract and that arise from any breach by Client of this Addendum or of its obligations under applicable Data Protection Laws.

9. Severability

The Parties agree that, if any section or sub-section of this Addendum is held by any court or competent authority to be unlawful or unenforceable, it shall not invalidate or render unenforceable any other section of this Addendum.

10. Others

The organization ensures that the contract to process PII addresses the organization's role in providing assistance with the customer's obligations.

The Agreement considers the following and follows:

  1. Privacy by Design and default
  2. Achieving Security of Processing
  3. Notification of breaches involving PII to a Supervisory authority
  4. Notification of breaches involving PII to Customers and PII Principals
  5. Assurance of Assistance by the PII Processors if prior consultations with relevant PII Protection authorities are needed
  6. InstaPract shall inform the customer if, in its opinion, a processing instruction infringes applicable legislation or regulation
  7. The organization does not use PII processed under a contract for the purposes of Marketing and Advertising
  8. Coordinate with Clients to help Audit the systems. The organization provides the customer with the appropriate information so that it can demonstrate compliance with its obligations
  9. InstaPract shall use AWS and PIPL as subprocessors with Security and Privacy requirements fulfilled
  10. The organization shall comply with all statutory and regulatory requirements, ISO 27001:2013, ISO 27701:2019, and EU GDPR requirements
  11. The Data shall be deleted, or de-identified after the processing is complete (This is after the retention period selected is complete)
  12. InstaPract shall inform clients 24 hours in advance in case of any legally binding requests for disclosure of PII
  13. Access, Correction, and/or Erasure of the PII of Data Subjects can be done by contacting the Data Protection Officer (DPO) below. Concerns and/or complaints related to PII can also be raised by contacting the Data Protection Officer below:

Contact Information

Name: Stefany Prakash

Email ID: stefany@instapract.ae


Annex 1: Description of Processing of Client Personal Data

This Annex includes certain details of the Processing of Client Personal Data as required by Article 28(3) GDPR and, as applicable, Controller to Processor SCC.

Subject matter and duration of the Processing of the Personal Data

The subject matter and duration of the Processing of the Client's Personal Data are set out in Section 2 of the Terms.

The nature and purpose of the Processing of Personal Data

Due diligence and Background Verification of Organizations and Individuals.

The categories of Data Subject to whom the Client's Personal Data relates

Employees and Contractors of Clients.

The types of Client Personal Data to be Processed

Name, Address, Date of Birth, Age, Education, Email, Gender, Image, Job, Language, Phone, Related person, Related URL, User ID, and Username

Special categories of data

None

The obligations and rights of Client

The obligations and rights of Client are set out in the Terms and this Addendum.

Data exporter (as applicable)

The data exporter is: Client of InstaPract that uses the Services

Data importer (as applicable)

The data importer is: PIPL, a company that provides services to the client, which requires receiving the Client's query data

Processing operations (as applicable)

The personal data transferred will be subject to the following basic processing activities: The provision of InstaPract limited to Client for Due Diligence and Background Verification as per Client requirements.

Annex 2: List of Other Processors

Name of Other Processor | Description of Processing | Location of Other Processor
Amazon Web Services | Hosting the Production Environment |