Last update: March 15, 2023
This Data Processing Addendum ("Addendum") forms part of the Master Services Agreement and Order Form or other similar agreement (collectively, the "Agreement") between Modern Health Arizona P.L.L.C. (“Modern Health”) ("Processor"), and the applicable Controller customer which is also a party to such Agreement (“Customer”). Processor and Customer are each referred to as a “Party” and collectively as the “Parties”.
Except as modified below, the terms of the Agreement shall remain in full force and effect. Any previous data processing addendum or data processing agreement entered into between the Parties is hereby deleted in its entirety and replaced with this Addendum. Notwithstanding anything to the contrary in the Agreement, if there is a conflict between this Addendum and the Agreement, this Addendum will control. In the event of any conflict or inconsistency between this Addendum and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.
European Union’s Standard Contractual Clauses
The European Commission’s Standard Contractual Clauses for Personal Data Transfers to Third Countries (available at https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc/standard-contractual-clauses-international-transfers_en) are hereby incorporated by reference as if set forth herein in full along with Annexes I through III attached hereto, which form an integral part of the Clauses.
Module 2 (Controller to Processor) Clauses shall be in effect for purposes of personal data transfers from the European Economic Area, Switzerland, and the UK between Modern Health and Customer. Customer shall be the controller and data exporter under Module 2. Processor shall be the processor and data importer under Module 2. The following Module 2 options and selections apply:
• Clause 7 (Optional Docking Clause): In effect
• Clause 9a (Sub-Processor Option): Option 2: General Written Authorization
• Clause 9a (Sub-Processor Notice Period): thirty (30) days
• Clause 11 (Optional Redress Language): Not in effect
• Clause 17 (Governing Law): The governing law shall be the governing law of the supervisory authority that has jurisdiction over the Data Exporter.
• Clause 18 (Choice of Forum and Jurisdiction): The governing law shall be the governing law of the supervisory authority that has jurisdiction over the Data Exporter.
1. Personal Data Transfers from Switzerland
a. The term “Member State” as used in the European Commission’s Standard Contractual Clauses for Personal Data Transfers to Third Countries, including these Annexes, shall be interpreted as including Switzerland and data subjects in Switzerland.
b. Data subjects with their regular place of residence in Switzerland are allowed to bring a lawsuit in Switzerland against either the data exporter or the data importer in accordance with Clause 18(c) of the European Commission’s Standard Contractual Clauses for Personal Data Transfers to Third Countries.
c. The European Commission’s Standard Contractual Clauses for Personal Data Transfers to Third Countries will additionally protect data pertaining to Swiss legal entities until the revised Swiss Federal Act on Data Protection enters into force.
2. Standard Data Protection Clauses to be issued by the Information Commissioner under S119A(1) Data Protection Act 2018 – International Data Transfer Addendum to the EU Commission Standard Contractual Clauses – VERSION B1.0, in force 21 March 2022
This Addendum has been issued by the UK Information Commissioner for Parties making Restricted Transfers. The Information Commissioner considers that it provides Appropriate Safeguards for Restricted Transfers when it is entered into as a legally binding contract.
Part 1: Tables
Table 1: Parties
Start Date: The Effective Date
The Parties: Exporter (who sends the Restricted Transfer) and Importer (who receives the Restricted Transfer)
Parties’ details
Exporter:
• Full legal name: As set forth in the Order Form
• Trading name (if different):
• Main address (if a company registered address): As set forth in the Order Form
• Official registration number (if any) (company number or similar identifier):
Importer:
• Full legal name: Modern Health Arizona PLLC
• Trading name (if different):
• Main address (if a company registered address): 650 California St Floor 7, Office 07-128, San Francisco, CA 94108
• Official registration number (if any) (company number or similar identifier):
Key Contact
Exporter:
• Full Name (optional): As set forth in the Order Form
• Job Title: As set forth in the Order Form
• Contact details including email: As set forth in the Order Form
Importer:
• Full Name (optional): Kimyatta Holder
• Job Title: Privacy Officer
• Contact details including email: privacy@modernhealth.com
Table 2: Selected SCCs, Modules and Selected Clauses
Addendum EU SCCs: the Approved EU SCCs, including the Appendix Information and with only the following modules, clauses or optional provisions of the Approved EU SCCs brought into effect for the purposes of this Addendum:
• Module: 2
• Module in operation: In effect
• Clause 7 (Docking Clause): In effect
• Clause 11 (Option): Not in effect
• Clause 9a (Prior Authorisation or General Authorisation): Option II Prior General Authorisation
• Clause 9a (Time period): 30 calendar days
• Is personal data received from the Importer combined with personal data collected by the Exporter?
Table 3: Appendix Information
“Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this Addendum is set out in:
Annex 1A: List of Parties: See Exhibit B
Annex 1B: Description of Transfer: See Exhibit B
Annex II: Technical and organisational measures including technical and organisational measures to ensure the security of the data: See Exhibit C
Annex III: List of Sub-processors (Modules 2 and 3 only): See Exhibit D
Table 4: Ending this Addendum when the Approved Addendum Changes
Ending this Addendum when the Approved Addendum changes: Which Parties may end this Addendum as set out in Section 19:
☐ Importer
☐ Exporter
☒ Neither Party
Part 2: Mandatory Clauses
Mandatory Clauses: Part 2: Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses.
A. LIST OF PARTIES
Data exporter(s):
1. Name: As set forth in the Order Form
Address: As set forth in the Order Form
Contact person’s name, position and contact details: As set forth in the Order Form
Activities relevant to the data transferred under these Clauses: Receipt of the services in accordance with the underlying agreement.
Signature and date: As set forth in the Order Form
Role (controller/processor): Controller
Data importer(s):
1. Name: Modern Health Arizona PLLC
Address: 650 California St Floor 7, San Francisco, CA 94108, Office 07-128
Contact person’s name, position and contact details: Kimyatta Holder, Privacy Officer, privacy@modernhealth.com
Activities relevant to the data transferred under these Clauses: The data importer provides the services to the data exporter in accordance with the underlying agreement.
Signature and date: As set forth in the Order Form
Role (controller/processor): Processor
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred
☒ Eligible employees (staff and employees, including present workers, deemed eligible for Modern Health related benefits)
☐ Other Categories of Data Subjects: ________________________________________
Categories of personal data transferred
☒ Eligibility File: Name, contact information, and any other demographic information specified in Section IV(2)(a) of the Order Form for each individual enrollee eligible for Modern Health related benefits.
☐ Other data categories: ______________________________________________
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
☒ No sensitive data
The frequency of the transfer (whether the data is transferred on a one-off or continuous basis)
On a continuous basis during the term of the applicable underlying agreement.
Nature of the processing
As described in the applicable underlying agreement.
Purpose(s) of the data transfer and further processing
As described in the applicable underlying agreement.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
Duration of performance of the services in the applicable underlying agreement.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
As described in the applicable underlying agreement.
C. COMPETENT SUPERVISORY AUTHORITY
The competent supervisory authority shall be the supervisory authority that has jurisdiction over the Data Exporter.
Technical and Organisational Measures Including Technical and Organisational Measures to Ensure the Security of the Data
Physical Security
Modern Health is exclusively hosted in the United States on AWS, which provides robust physical data center security and environmental controls.
Network Security
Modern Health controls access to our production networks through the use of strictly defined rules and requires multi-factor authentication and encrypted connections. We also utilize intrusion detection systems in our production network and advanced email filtering in our corporate network to identify potential security threats.
Application Security
Modern Health employs both internal and external testing of our product. We regularly scan source code and systems for vulnerabilities and perform necessary patching and updates based on those results. On an annual basis we utilize a nationally recognized firm to test our application and network to provide ourselves and our customers assurance that data is being robustly protected. Our infrastructure uses industry standard security controls to protect against threats.
Training and Awareness
Modern Health requires all employees and contractors to sign a confidentiality agreement prior to commencement. During the onboarding process, security awareness and privacy training is delivered to all new hires and we continually publicize security alerts through our internal communication channels.
Backup and Disaster Recovery
Modern Health utilizes geographically separate environments to ensure data availability and uptime. In the unlikely event of simultaneous failure of both environments, Modern Health maintains daily backups and a disaster recovery policy that is tested and verified on an annual basis.
Data Protection
Modern Health encrypts data in transit with a minimum of TLS 1.2 using strong cipher suites. Modern Health also encrypts data at rest with AES-256. At end-of-life, AWS destroys disks per NIST SP 800-88 standards.
1. Access control to systems
Unauthorized access to IT systems must be prevented.
Technical (ID/password security) and organizational (user master data) measures for user identification and authentication:
☒ Password Policy and Procedures
☒ End-User Access Authentication Using Multi-Factor Authentication to Validate Appropriate Levels of Access
☒ Unique User Identification
☒ Policies and Procedures
☒ Use of Multiple Authorization Levels to Sensitive Systems
☒ Secure Single Sign On (SSO)
☒ Network Firewalls
☒ Identity and Access Management for Provisioning and Deprovisioning, Access Requests, Access Certifications, and Separation of Duties
☒ Automatic Blocking (e.g., Password or Timeout)
☒ Creation of One Master Record per User
☒ Up to Date Virus Protection Software
☒ Security Patch Management is Implemented to Ensure Regular and Periodic Deployment of Relevant Security Updates
☒ Additional Measure: Additional technical measures can be found at security.joinmodernhealth.com
2. Access control to data
Activities in IT systems not covered by the allocated access rights must be prevented.
Requirements-driven definition of the authorization scheme and access rights, and monitoring and logging of accesses:
☒ Access Granted on a Need-to-Know Basis
☒ Logging and Monitoring of System Access, Change and Deletion Events
☒ Data Classification Policy
☒ Differentiated Access Rights
☒ Governing Standard for How Data is Deleted or Destroyed Once it is No Longer Needed
☒ Policies and Procedures
3. Disclosure control
Aspects of the disclosure of Personal Data must be controlled: electronic transfer, data transport, transmission control, etc.
Measures to transport, transmit and communicate or store data on data media (manual or electronic) and for subsequent checking:
☒ Encryption at Rest
☒ Authorized Users May Not Connect Employee-Owned Devices to Company-Owned Networks or Devices without Permission
☒ Unique User Identification
☒ Policies and Procedures
☒ Encryption in Transit
☒ Mobile Computing Devices, such as Smart Phones, Tablets and Laptops, with Access to Company Personal Data are Encrypted
☒ Network Firewalls
☒ Security Patch Management is Implemented to Ensure Regular and Periodic Deployment of Relevant Security Updates
☒ Virtual Private Network (VPN)
☒ Creation of One Master Record per User
☒ Up to Date Virus Protection Software
☒ Security/Privacy Incident Response Plan and Procedure
☒ Data Loss Prevention (DLP) Mechanisms such as Restricted Use of USB
☒ Use of Multiple Authorization Levels to Sensitive Systems
4. Input control
Full documentation of data management and maintenance must be maintained.
Measures for subsequent checking whether data have been entered, changed, or removed (deleted), and by whom:
☒ Access by Authorized Personnel Only
☒ Logging System for Input, Modification and Deletion of Personal Data
☒ Policies and Procedures
5. Job control
Processing must be carried out according to Instructions.
Measures (technical/organizational) to segregate the responsibilities between the Data Controller and the Data Processor:
☒ Data Processing Agreement or Other Contractual Agreement
☒ Jobs with Critical Impact Proceed According to a Formal Commissioning Process (Request Form, Ticket Systems)
☒ Personal Data Processing Personnel Receive Training
☒ Policies and Procedures
☒ Selection Criteria for Sub-processors and Service Providers
6. Availability control
The data must be protected against accidental destruction or loss.
Measures to assure data security (physical/logical):
☒ Employs Backup Processes and Other Measures that Allow Restoration of Business-Critical Systems As and When Necessary
☒ Disaster Recovery Plans
☒ Use of Next Generation Firewalls and Advanced Threat Protection as well as Web Application Firewalls for Each Externally Facing Application with User Interfaces
☒ Processes Regularly Tested (e.g., Tabletop Exercises)
☒ Utilization of Cloud-Based Data Hosting Solutions Which Offer High Availability and Resiliency with Geographically Dispersed Data Center Locations
☒ Data Loss Prevention (DLP) Monitoring
☒ Penetration Testing
☒ Additional Measure: Modern Health relies on AWS control mechanisms for all physical security controls and all physical backup controls
7. Segregation control
Data collected for different purposes must also be Processed separately.
Measures to provide for separate Processing (storage, amendment, deletion, transmission) of data for different purposes:
☒ Test and Production Data are Separated
☒ Policies and Procedures
☒ Personal Data Processing Personnel Receive Training
☒ Development and Production Environments are Separated
☒ Customers Can Only Access Their Own Instance
LIST OF SUB-PROCESSORS
The controller has authorized the use of the following sub-processors:
Sub-processors listed in Modern Health’s Security Portal available at: https://security.joinmodernhealth.com/