DATA PROCESSING ADDENDUM
Last update: March 15, 2023
This Data Processing Addendum ("Addendum") forms part of the Master Services Agreement and Order Form or other similar agreement (collectively, the "Agreement") between Modern Health Arizona P.L.L.C. (“Modern Health”) ("Processor"), and the applicable Controller customer which is also a party to such Agreement (“Customer”). Processor and Customer are each referred to as a “Party” and collectively as the “Parties”.
Except as modified below, the terms of the Agreement shall remain in full force and effect. Any previous data processing addendum or data processing agreement entered into between the Parties is hereby deleted in its entirety and replaced with this Addendum. Notwithstanding anything to the contrary in the Agreement, if there is a conflict between this Addendum and the Agreement, this Addendum will control. In the event of any conflict or inconsistency between this Addendum and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.
The terms used in this Addendum shall have the meanings set forth in this Addendum or as defined by Applicable Privacy Law, whichever is broader. Capitalized terms not otherwise defined herein or defined by Applicable Privacy Law shall have the meaning given to them in the Agreement. The following terms have the meanings set forth below:
1.1 “Affiliate” means an entity that owns or controls, is owned or controlled by, or is under common control or ownership with either Customer or Processor, respectively.
1.2 “Applicable Privacy Law” shall mean applicable data privacy, data protection, and cybersecurity laws, rules and regulations to which Customer is subject, including, but not limited to, (a) the California Consumer Privacy Act of 2018 (“CCPA”), (b) the EU General Data Protection Regulation 2016/679 (“EU GDPR”) including the applicable implementing legislation of each Member State, (c) the UK Data Protection Act 2018, and the UK General Data Protection Regulation (“UK GDPR” and together with the EU GDPR, the “GDPR”), (d) the Swiss Federal Act on Data Protection of 19 June 1992, (e) any other applicable law with respect to any Personal Data in respect of which the Customer is subject to, and (f) any other data protection law and any guidance or statutory codes of practice issued by any relevant Privacy Authority, in each case, as amended from time to time and any successor legislation to the same.
1.3 “Data Subject” shall mean an identified or identifiable natural person.
1.4 “Personal Data” shall mean (i) personal data, personal information, personally identifiable information, or similar term as defined by Applicable Privacy Law or (ii) if not defined by Applicable Privacy Law, any information that relates to a Data Subject; in each case, as provided by Customer to Processor in the Eligibility File and to the extent Processed by Processor, on behalf of Customer, in connection with Processor’s performance of the Services.
1.5 “Privacy Authority” shall mean any competent supervisory authority, attorney general, or other regulator with responsibility for privacy or data protection matters in the jurisdiction of Customer.
1.6 “Process”, “Processing” or “Processed” shall mean any operation or set of operations, as defined in the Applicable Privacy Law, performed upon Personal Data whether or not by automatic means, including collecting, recording, organizing, storing, adapting or altering, retrieving, consulting, using, disclosing, making available, aligning, combining, blocking, erasing and destroying Personal Data.
1.7 “Security Breach” shall mean an actual or reasonably suspected accidental, unauthorized, or unlawful destruction, loss, alteration, or disclosure of, or access to, Personal Data.
1.8 “Services” shall mean the services as described in the Agreement or any related order form or statement of work.
1.9 “Standard Contractual Clauses” means (a) with respect to restricted transfers (as such term is defined under Applicable Privacy Law) which are subject to the EU GDPR and other Applicable Privacy Laws pursuant to which the same have been adopted, the Controller-to-Processor standard contractual clauses, as set out in the European Commission’s Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to GDPR, as may be amended or replaced by the European Commission from time to time (available at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?uri=CELEX:32021D0914&locale=en), and (b) with respect to restricted transfers subject to the UK GDPR and other Applicable Privacy Laws pursuant to which the EU Clauses have not been adopted, such other transfer clauses as may be adopted from time to time under the UK GDPR and other Applicable Privacy Laws, including, but not limited to those Standard Contractual Clauses as adapted in the United Kingdom International Data Transfer Addendum to Standard Contractual Clauses, issued by the ICO in accordance with s119A of the Data Protection Act 2018.
1.10 “Subprocessor” shall mean any subcontractor (including any third party and/or Customer Affiliate) engaged by Processor to Process Personal Data on behalf of Processor.
2.1. Processor shall comply with Applicable Privacy Law in the Processing of Personal Data and shall Process Personal Data only for the purposes of providing the Services and in accordance with Customer’s instructions, as may subsequently be agreed between the Parties in writing. Processor shall promptly inform Customer if (a) in Processor’s opinion, an instruction from Customer violates Applicable Privacy Law; or (b) Processor is required by applicable law to otherwise Process Personal Data, unless that law prohibits Processor from notifying Customer.
2.2. Processor shall implement and maintain reasonable and appropriate technical measures that will ensure that Customer’s reasonable and lawful instructions can be complied with, including the following:
(a) updating, amending, correcting, or providing access to the Personal Data of any Data Subject upon written request of Customer from time to time;
(b) cancelling, deleting, or blocking access to any Personal Data upon receipt of written instructions from Customer;
(c) otherwise facilitating Customer’s responses to Data Subject requests as required under Applicable Privacy Law; and
(d) promptly re-directing to Customer any request from a Data Subject to exercise any of its Data Subject rights, and not responding directly to the Data Subject unless instructed to do so by Customer in writing.
2.3. Processor acknowledges that (a) Customer discloses Personal Data to Processor solely for the business purposes of Customer, and (b) Processor has not and will not receive any monetary or other valuable consideration in exchange for its receipt of the Personal Data, and that any consideration paid by Customer to Processor under the Agreement relates only to Processor’s provision of the Services. Processor shall not collect, retain, use, disclose, or otherwise Process the Personal Data (i) for any purpose other than the specific purpose of providing the Services to Customer, or (ii) outside of the direct business relationship between Customer and Processor. Processor (i) shall comply with its applicable obligations under Applicable Privacy Law and shall provide at least the same level of privacy protection to Personal Data as is required by this Addendum and Applicable Privacy Law; (ii) agrees that Customer has the right to take reasonable and appropriate steps to help ensure that Processor’s use of Personal Data is consistent with Customer’s obligations under this Addendum and Applicable Privacy Law; (iii) shall promptly notify Customer in writing of any determination made by Processor that it can no longer meet its obligations under this Addendum or Applicable Privacy Law; and (iv) agrees that Customer has the right, upon notice, including pursuant to the preceding clause, to take reasonable and appropriate steps to stop and remediate unauthorized use of Personal Data and to ensure that the Personal Data is used in a manner consistent with Applicable Privacy Law. Further, Processor shall not (and shall require that its Subprocessors do not): (i) sell or share (as defined under Applicable Privacy Law, including without limitation the CCPA) Personal Data; or (ii) combine Personal Data with personal information that Processor receives from or on behalf of another business or person, or that it collects from its own interactions with individuals.
To the extent Processor receives any de-identified Personal Data, Processor shall comply with all provisions of Applicable Privacy Law and shall not attempt to re-identify the data.
2.4. Processor shall provide to Customer such co-operation, assistance and information as Customer may reasonably request to enable it to comply with its obligations under Applicable Privacy Law and co-operate and comply with the directions or decisions of a relevant Privacy Authority, in each case (a) solely to the extent applicable to Processor’s provision of the Services, and (b) within such reasonable time as would enable Customer to meet any time limit imposed by the Privacy Authority.
2.5. For the avoidance of doubt, any data submitted to Modern Health by or on behalf of Customer, including the Eligibility File, which Modern Health then modifies through aggregation, analysis, trend analysis, anonymization, de-identification, or any other methodology that alters the nature of the data and removes its identifying features, as permitted under the Agreement, shall not be Personal Data or subject to this Addendum.
3.2. Processor shall ensure the reliability of any employees who Process Personal Data.
4.2. Processor shall remain liable for any Processing of Personal Data by each such Subprocessor as if it had undertaken such Processing itself.
4.3. Processor will contractually impose data protection obligations on its Subprocessors that are no less onerous than those imposed on Processor under this Addendum.
5.2 Investigation. Processor shall take prompt action to investigate the Security Breach and shall use industry standard, commercially reasonable efforts to mitigate the effects of any such Security Breach in accordance with its obligations hereunder.
(a) any governmental, regulatory or supervisory authority, including Privacy Authorities or the U.S. Federal Trade Commission; and/or
(b) any Data Subject,
and shall, taking into account the nature of the Processing, provide reasonable assistance to enable Customer to respond to such inquiries, communications, requests or complaints and to meet applicable statutory or regulatory deadlines. Processor shall not disclose Personal Data to any of the persons or entities in (a) or (b) above unless it is legally required to do so and has otherwise complied with the obligations in this Section 9.1 and Section 9.2.
9.2 In the event that Processor is required by law, court order, warrant, or other legal or judicial process (“Legal Request”) to disclose any Personal Data to any person or entity other than Customer, including any national security authority or other government body, Processor shall attempt to redirect the Legal Request to Customer. If Processor is unable to redirect the request, Processor shall, unless prohibited by applicable law, notify Customer promptly and shall provide all reasonable assistance to Customer to enable Customer to respond or object to, or challenge, any such Legal Request and to meet applicable statutory or regulatory deadlines. If Processor is prohibited by applicable law from providing notice to Customer of a Legal Request, Processor shall use commercially reasonable efforts to object to, or challenge, any such Legal Request to avoid or minimize the disclosure of Personal Data. Processor shall not disclose Personal Data pursuant to a Legal Request unless it is required to do so by applicable law and has otherwise complied with the obligations in this Section 9.2.
Exhibit A
European Union’s Standard Contractual Clauses
The European Commission’s Standard Contractual Clauses for Personal Data Transfers to Third Countries (available at https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc/standard-contractual-clauses-international-transfers_en) are hereby incorporated by reference as if set forth herein in full along with Annexes I through III attached hereto, which form an integral part of the Clauses.
Module 2 (Controller to Processor) Clauses shall be in effect for purposes of personal data transfers from the European Economic Area, Switzerland, and the UK between Modern Health and Customer. Customer shall be the controller and data exporter under Module 2. Processor shall be the processor and data importer under Module 2. The following Module 2 options and selections apply:
Clause 7 (Optional Docking Clause): In effect
Clause 9(a) (Sub-Processor Option): Option 2: General Written Authorization
Clause 9(a) (Sub-Processor Notice Period): thirty (30) days
Clause 11 (Optional Redress Language): Not in effect
Clause 17 (Governing Law): The law of the Member State whose supervisory authority has jurisdiction over the Data Exporter.
Clause 18 (Choice of Forum and Jurisdiction): The courts of the Member State whose supervisory authority has jurisdiction over the Data Exporter.
Supplemental Clauses
1. Personal Data Transfers from Switzerland
a. The term “Member State” as used in the European Commission’s Standard Contractual Clauses for Personal Data Transfers to Third Countries, including these Annexes, shall be interpreted as including Switzerland and data subjects in Switzerland.
b. Data subjects with their regular place of residence in Switzerland are allowed to bring a lawsuit in Switzerland against either the data exporter or the data importer in accordance with Clause 18(c) of the European Commission’s Standard Contractual Clauses for Personal Data Transfers to Third Countries.
c. The European Commission’s Standard Contractual Clauses for Personal Data Transfers to Third Countries will additionally protect data pertaining to Swiss legal entities until the revised Swiss Federal Act on Data Protection enters into force.
2. Standard Data Protection Clauses to be issued by the Information Commissioner under S119A(1) Data Protection Act 2018 – International Data Transfer Addendum to the EU Commission Standard Contractual Clauses – VERSION B1.0, in force 21 March 2022
This Addendum has been issued by the UK Information Commissioner for Parties making Restricted Transfers. The Information Commissioner considers that it provides Appropriate Safeguards for Restricted Transfers when it is entered into as a legally binding contract.
Part 1: Tables
Table 1: Parties
Start Date: The Effective Date
The Parties
Exporter (who sends the Restricted Transfer):
  Full legal name: As set forth in the Order Form
  Trading name (if different):
  Main address (if a company registered address): As set forth in the Order Form
  Official registration number (if any) (company number or similar identifier):
Importer (who receives the Restricted Transfer):
  Full legal name: Modern Health Arizona PLLC
  Trading name (if different):
  Main address (if a company registered address): 650 California St Floor 7, Office 07-128, San Francisco, CA 94108
  Official registration number (if any) (company number or similar identifier):
Key Contact
Exporter:
  Full Name (optional): As set forth in the Order Form
  Job Title: As set forth in the Order Form
  Contact details including email: As set forth in the Order Form
Importer:
  Full Name (optional): Kimyatta Holder
  Job Title: Privacy Officer
  Contact details including email: privacy@modernhealth.com
Table 2: Selected SCCs, Modules and Selected Clauses
Addendum EU SCCs: the Approved EU SCCs, including the Appendix Information and with only the following modules, clauses or optional provisions of the Approved EU SCCs brought into effect for the purposes of this Addendum:
  Module: 2
  Module in operation: In effect
  Clause 7 (Docking Clause): In effect
  Clause 11 (Option): Not in effect
  Clause 9a (Prior Authorisation or General Authorisation): Option 2: General Written Authorisation
  Clause 9a (Time period): 30 calendar days
  Is personal data received from the Importer combined with personal data collected by the Exporter? No selection made.
Table 3: Appendix Information
“Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this Addendum is set out in:
Annex 1A: List of Parties: See Exhibit B
Annex 1B: Description of Transfer: See Exhibit B
Annex II: Technical and organisational measures including technical and organisational measures to ensure the security of the data: See Exhibit C
Annex III: List of Sub-processors (Modules 2 and 3 only): See Exhibit D
Table 4: Ending this Addendum when the Approved Addendum Changes
Ending this Addendum when the Approved Addendum changes
Which Parties may end this Addendum as set out in Section 19:
☐ Importer
☐ Exporter
☒ Neither Party
Part 2: Mandatory Clauses
Mandatory Clauses: Part 2: Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses.
Exhibit B
A. LIST OF PARTIES
Data exporter(s):
1. Name: As set forth in the Order Form
Address: As set forth in the Order Form
Contact person’s name, position and contact details: As set forth in the Order Form
Activities relevant to the data transferred under these Clauses: Receipt of the services in accordance with the underlying agreement.
Signature and date: As set forth in the Order Form
Role (controller/processor): Controller
Data importer(s):
1. Name: Modern Health Arizona PLLC
Address: 650 California St Floor 7, Office 07-128, San Francisco, CA 94108
Contact person’s name, position and contact details: Kimyatta Holder, Privacy Officer, privacy@modernhealth.com
Activities relevant to the data transferred under these Clauses: The data importer provides the services to the data exporter in accordance with the underlying agreement.
Signature and date: As set forth in the Order Form
Role (controller/processor): Processor
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred
☒ Eligible employees (staff and employees, including present workers, deemed eligible for Modern Health related benefits)
☐ Other Categories of Data Subjects: ________________________________________
Categories of personal data transferred
☒ Eligibility File: Name, contact information, and any other demographic information specified in Section IV(2)(a) of the Order Form for each individual enrollee eligible for Modern Health related benefits.
☐ Other data categories: ______________________________________________
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
☒ No sensitive data
The frequency of the transfer (whether the data is transferred on a one-off or continuous basis)
On a continuous basis during the term of the applicable underlying agreement.
Nature of the processing
As described in the applicable underlying agreement.
Purpose(s) of the data transfer and further processing
As described in the applicable underlying agreement.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
Duration of performance of the services in the applicable underlying agreement.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
As described in the applicable underlying agreement.
C. COMPETENT SUPERVISORY AUTHORITY
The competent supervisory authority shall be the supervisory authority that has jurisdiction over the Data Exporter.
Exhibit C
Technical and Organisational Measures Including Technical and Organisational Measures to Ensure the Security of the Data
Physical Security
Modern Health is hosted exclusively in the United States on AWS, which provides robust physical data center security and environmental controls.
Network Security
Modern Health controls access to our production networks through the use of strictly defined rules and requires multi-factor authentication and encrypted connections. We also utilize intrusion detection systems in our production network and advanced email filtering in our corporate network to identify potential security threats.
Application Security
Modern Health employs both internal and external testing of our product. We regularly scan source code and systems for vulnerabilities and perform necessary patching and updates based on those results. On an annual basis we utilize a nationally recognized firm to test our application and network to provide ourselves and our customers assurance that data is being robustly protected. Our infrastructure uses industry standard security controls to protect against threats.
Training and Awareness
Modern Health requires all employees and contractors to sign a confidentiality agreement prior to commencement. During the onboarding process, security awareness and privacy training is delivered to all new hires and we continually publicize security alerts through our internal communication channels.
Backup and Disaster Recovery
Modern Health utilizes geographically separate environments to ensure data availability and uptime. In the unlikely event of simultaneous failure of both environments, Modern Health maintains daily backups and a disaster recovery policy that is tested and verified on an annual basis.
Data Protection
Modern Health encrypts data in transit with a minimum of TLS 1.2 using strong cipher suites. Modern Health also encrypts data at rest with AES-256. At end-of-life, AWS destroys disks in accordance with NIST SP 800-88.
1. Access control to systems
Unauthorized access to IT systems must be prevented.
Technical (ID/password security) and organizational (user master data) measures for user identification and authentication:
X Password Policy and Procedures
X End-User Access Authentication Using Multi-Factor Authentication to Validate Appropriate Levels of Access
X Unique User Identification
X Policies and Procedures
X Use of Multiple Authorization Levels to Sensitive Systems
X Secure Single Sign On (SSO)
X Network Firewalls
X Identity and Access Management for Provisioning and Deprovisioning, Access Requests, Access Certifications, and Separation of Duties
X Automatic Blocking (e.g., Password or Timeout)
X Creation of One Master Record per User
X Up to Date Virus Protection Software
X Security Patch Management is Implemented to Ensure Regular and Periodic Deployment of Relevant Security Updates
X Additional Measure: Additional technical measures can be found at security.joinmodernhealth.com
2. Access control to data
Activities in IT systems not covered by the allocated access rights must be prevented.
Requirements-driven definition of the authorization scheme and access rights, and monitoring and logging of accesses:
X Access Granted on a Need-to-Know Basis
X Logging and Monitoring of System Access, Change and Deletion Events
X Data Classification Policy
X Differentiated Access Rights
X Governing Standard How Data is Deleted or Destroyed Once it is No Longer Needed
X Policies and Procedures
3. Disclosure control
Aspects of the disclosure of Personal Data must be controlled: electronic transfer, data transport, transmission control, etc.
Measures to transport, transmit and communicate or store data on data media (manual or electronic) and for subsequent checking:
X Encryption at Rest
X Authorized Users May Not Connect Employee-Owned Devices to Company-Owned Networks or Devices without Permission
X Unique User Identification
X Policies and Procedures
X Encryption in Transit
X Mobile Computing Device, such as Smart Phones, Tablets and Laptops, with access to Company Personal Data is Encrypted
X Network Firewalls
X Security Patch Management is Implemented to Ensure Regular and Periodic Deployment of Relevant Security Updates
X Virtual Private Network (VPN)
X Creation of One Master Record per User
X Up to Date Virus Protection Software
X Security/Privacy Incident Response Plan and Procedure
X Data Loss Prevention (DLP) Mechanisms such as Restricted Use of USB
X Use of Multiple Authorization Levels to Sensitive Systems
4. Input control
Full documentation of data management and maintenance must be maintained.
Measures for subsequent checking whether data have been entered, changed, or removed (deleted), and by whom:
X Access by Authorized Personnel Only
X Logging System for Input, Modification and Deletion of Personal Data
X Policies and Procedures
5. Job control
Processing must be carried out according to Instructions.
Measures (technical/organizational) to segregate the responsibilities between the Data Controller and the Data Processor:
X Data Processing Agreement or Other Contractual Agreement
X Jobs with Critical Impact are Processed According to a Formal Commissioning (Request Form, Ticket Systems)
X Personal Data Processing Personnel Receive Training
X Policies and Procedures
X Selection Criteria for Sub-processors and Service Providers
6. Availability control
The data must be protected against accidental destruction or loss.
Measures to assure data security (physical/logical):
X Employs Backup Processes and Other Measures that Allow Restoration of Business-Critical Systems As and When Necessary
X Disaster Recovery Plans
X Use of Next Generation Firewalls and Advanced Threat Protection as well as Web Application Firewalls for Each Externally Facing Application with User Interfaces
X Processes Regularly Tested (e.g., Tabletop Exercises)
X Utilization of Cloud-Based Data Hosting Solutions Which Offer a High Availability and Resiliency with Geographically Dispersed Data Center Locations
X Data Loss Prevention (DLP) Monitoring
X Penetration Testing
X Additional Measure: Modern Health relies on AWS control mechanisms for all physical security controls and all physical backup controls
7. Segregation control
Data collected for different purposes must also be Processed separately.
Measures to provide for separate Processing (storage, amendment, deletion, transmission) of data for different purposes:
X Test and Production Data are Separated
X Policies and Procedures
X Personal Data Processing Personnel Receive Training
X Development and Production Environments are Separated
X Customers Can Only Access Own Instance
Exhibit D
LIST OF SUB-PROCESSORS
The controller has authorized the use of the following sub-processors:
Sub-processors listed in Modern Health’s Security Portal available at: https://security.joinmodernhealth.com/