
Data Processing Addendum

When our customers entrust us with personal data, this is the document that defines exactly how we look after it. It is the standing contract that governs us as a processor, and it incorporates the Standard Contractual Clauses, the UK Addendum, a HIPAA Business Associate Agreement, and a US State Law Addendum where they apply.

Each section opens with a short “In short” summary in our voice. The fuller text that follows is the formal version of this notice, and prevails in any conflict between summary and section.

Version: 1.0
Effective Date: May 4, 2026
Processor: Jonda Health Pte. Ltd.

How to read this page. The sections labelled “In short” are plain-language summaries we have written to help you orient. They are not the formal notice itself. The fuller text that follows each summary is the formal version, and prevails in any conflict between summary and section.

How this DPA applies

This Data Processing Addendum forms part of the agreement between Jonda Health Pte. Ltd. and the Customer named on the Order Form, and applies whenever Jonda Health processes Personal Data on Customer’s behalf. The Annexes apply only where the Customer’s circumstances trigger them: Annex 4 (EU SCCs), Annex 5 (UK Addendum), Annex 6 (HIPAA BAA), and Annex 7 (US State Law Addendum).

INTRODUCTION AND ACCEPTANCE

In short

This DPA forms part of your contract with us and applies whenever we process personal data on your behalf. It is automatically in effect once you accept the Terms or otherwise instruct us to process data. The Annexes apply only where your circumstances trigger them: SCCs for GDPR, UK Addendum for UK GDPR, HIPAA BAA for Covered Entities, and the US State Law Addendum for applicable US state laws. Annexes 1, 2, and 3 apply to everyone.

This Data Processing Addendum ("DPA") forms part of, and is incorporated by reference into, the Jonda Health Terms of Service or such other written agreement entered into between Jonda Health Pte. Ltd. and the Customer for the use of JondaX (the "Principal Agreement").

This DPA applies to the extent that Jonda Health processes Personal Data on behalf of the Customer in connection with the provision of the Services. Where this DPA conflicts with the Principal Agreement in respect of the processing of Personal Data, this DPA shall prevail.

By executing the Principal Agreement, accepting the Terms of Service through the Services sign-up flow, or otherwise instructing Jonda Health to process Personal Data on the Customer’s behalf, the Customer is deemed to have accepted and entered into this DPA.

The Annexes to this DPA contain provisions that apply only where the Customer’s circumstances trigger them. Specifically: Annex 4 (EU SCCs) applies where Personal Data is subject to the GDPR; Annex 5 (UK Addendum) applies where Personal Data is subject to the UK GDPR; Annex 6 (HIPAA BAA) applies where the Customer is a Covered Entity or Business Associate under HIPAA; and Annex 7 (US State Law Addendum) applies where Personal Data is subject to applicable US state privacy laws. Annexes 1, 2 and 3 apply to all Customers.

PARTIES

In short

The parties to this DPA are Jonda Health Pte. Ltd. (the Processor) and you (the Controller, or whichever equivalent term applies in your jurisdiction).

(1) JONDA HEALTH PTE. LTD., a private company limited by shares incorporated in the Republic of Singapore (UEN: 202139018N), with its registered office at 1 North Bridge Road, #19-09 High Street Centre, Singapore 179094 (“Jonda Health” or the “Processor”); and

(2) the entity or individual identified as the customer in the Principal Agreement (the “Customer” or the “Controller”),

each a “Party” and together the “Parties”.

BACKGROUND

In short

When you use JondaX, you are instructing us to process personal data on your behalf. You are the Controller, deciding what gets processed and why. We are the Processor, executing your instructions. This DPA is the contract that governs that relationship.

(A) Jonda Health operates JondaX, a data-transformation platform that processes health-related data on behalf of its customers, including the de-identification, redaction or pseudonymisation of such data as part of the Services.

(B) The Customer wishes to use the Services and, in doing so, will instruct Jonda Health to process Personal Data on its behalf.

(C) In respect of such processing, the Customer acts as the Controller (or, equivalently, as the “Organisation” under the Singapore Personal Data Protection Act 2012 or the “Covered Entity” / “Business Associate” under HIPAA, as applicable), and Jonda Health acts as the Processor (or, equivalently, as the “Data Intermediary” under the PDPA or as the “Business Associate” / “Subcontractor” under HIPAA, as applicable).

(D) This DPA sets out the terms on which Jonda Health processes Personal Data on behalf of the Customer in compliance with applicable Data Protection Laws.

It is agreed as follows:

01. DEFINITIONS

In short

This section defines the terms used throughout the DPA. Most cross-reference the relevant law. The most important to know: “Customer Personal Data” is everything you upload or process through the platform; “De-identified Data” is what comes out after we apply our de-identification, redaction or pseudonymisation; and “Restricted Transfer” is any cross-border transfer subject to GDPR, UK GDPR or PDPA transfer rules.

1.1 In this DPA, capitalised terms shall have the meanings set out below. Terms used but not defined herein shall have the meanings given to them in the Principal Agreement or, where applicable, in the relevant Data Protection Law.

1.2 “Applicable Data Protection Laws” means all laws and regulations applicable to the processing of Personal Data under this DPA, including (without limitation): (i) the Singapore Personal Data Protection Act 2012 (No. 26 of 2012), as amended (the “PDPA”); (ii) Regulation (EU) 2016/679 (the “GDPR”) and the GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of the European Union (Withdrawal) Act 2018 (the “UK GDPR”); (iii) the Health Insurance Portability and Accountability Act of 1996 and the Health Information Technology for Economic and Clinical Health Act, including their implementing regulations at 45 CFR Parts 160, 162 and 164 (collectively, “HIPAA”); and (iv) any other applicable national, state, federal or supranational privacy or data protection law, as each is amended or replaced from time to time.

1.3 “Controller”, “Processor”, “Data Subject”, “Personal Data Breach”, “Processing” (and “process”) and “Special Categories of Personal Data” shall have the meanings given in the GDPR. Equivalent terms under the PDPA (including “Organisation”, “Data Intermediary”, “Individual”, “Data Breach” and “use, disclose or process”) and HIPAA (including “Covered Entity”, “Business Associate”, “Individual”, “Breach” and “Protected Health Information” or “PHI”) shall be construed with the same meaning insofar as the relevant law applies to the processing in question.

1.4 “Customer Personal Data” means any Personal Data that is uploaded to, transmitted through, generated within, or otherwise processed by Jonda Health under or in connection with the Principal Agreement and on behalf of the Customer.

1.5 “De-identified Data” means data resulting from the application by Jonda Health of de-identification, redaction or pseudonymisation methodologies to Customer Personal Data, where such data: (i) for HIPAA purposes, satisfies the Safe Harbor method set out at 45 CFR §164.514(b)(2); and (ii) for purposes of the PDPA, GDPR and UK GDPR, has had direct identifiers removed or replaced such that re-identification by Jonda Health, in the ordinary course of providing the Services and using only the means reasonably likely to be used by Jonda Health, is not possible. The Parties acknowledge that in respect of pathology data the data subject’s age and biological sex may be retained solely for the purpose of selecting the correct clinical reference range, and that such retention does not, in itself, defeat the De-identified Data status under HIPAA Safe Harbor; the Parties further acknowledge that under GDPR/UK GDPR such retained data may continue to constitute pseudonymised personal data and be subject to those laws accordingly.

1.6 “Personal Data” means any information relating to an identified or identifiable natural person, and includes “personal data” under the GDPR/UK GDPR, “personal data” under the PDPA, and “protected health information” under HIPAA, in each case to the extent processed by Jonda Health on behalf of the Customer.

1.7 “Restricted Transfer” means a transfer of Personal Data that is subject to Applicable Data Protection Laws governing cross-border transfers, including: (i) a transfer of Personal Data from the European Economic Area to a country not benefitting from an adequacy decision under Article 45 GDPR; (ii) a transfer from the United Kingdom subject to the UK GDPR; and (iii) a transfer of personal data from Singapore subject to section 26 of the PDPA.

1.8 “Services” means JondaX, the products and services made available by Jonda Health under the Principal Agreement.

1.9 “Standard Contractual Clauses” or “SCCs” means the standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission in Decision (EU) 2021/914, dated 4 June 2021, as amended or replaced from time to time.

1.10 “Sub-processor” means any third party engaged by Jonda Health to process Customer Personal Data on its behalf.

1.11 “UK Addendum” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner under section 119A of the UK Data Protection Act 2018, in force from 21 March 2022, as amended from time to time.

02. SCOPE, ROLES AND COMPLIANCE

In short

For everything processed through JondaX, you are the Controller and we are the Processor. You warrant that you have the rights and consents needed for us to process the data, and that your instructions to us are lawful. You also choose the data hosting region (Singapore, EU, US, or a locally deployed environment for Enterprise), and you are responsible for whether that region is appropriate for your own legal and regulatory obligations.

2.1 This DPA applies to the Processing by Jonda Health of Customer Personal Data in connection with the provision of the Services. The subject-matter, duration, nature and purposes of the Processing, the categories of Personal Data and Data Subjects, and the Customer’s instructions are set out in Annex 1 (Processing Particulars).

2.2 The Parties acknowledge and agree that, in respect of the Processing of Customer Personal Data: (a) the Customer is the Controller and Jonda Health is the Processor; (b) under the PDPA, the Customer is the Organisation and Jonda Health is a Data Intermediary acting on behalf of and for the purposes of the Customer; and (c) where Annex 6 applies, the Customer is a Covered Entity or Business Associate and Jonda Health is a Business Associate or Subcontractor under HIPAA.

2.3 Each Party shall comply with its respective obligations under Applicable Data Protection Laws in respect of the Processing. Without limiting the foregoing, the Customer warrants and represents that: (a) it has provided all notices and obtained all rights, consents, authorisations and lawful bases required under Applicable Data Protection Laws to enable Jonda Health to process the Customer Personal Data as contemplated by this DPA and the Principal Agreement; (b) its instructions to Jonda Health are lawful; and (c) the Customer Personal Data has been collected, used and disclosed by the Customer in compliance with Applicable Data Protection Laws.

2.4 The Customer is solely responsible for selecting, within the Services, the data hosting region (Singapore, European Union, United States, or, for Enterprise customers, a locally deployed environment) appropriate to the Customer’s legal and regulatory obligations and the data subjects to whom the Customer Personal Data relates. Jonda Health shall implement the technical and organisational measures and the cross-border transfer safeguards set out in this DPA in respect of the region selected by the Customer, but Jonda Health does not assess, determine or warrant the adequacy of the Customer’s region selection for the Customer’s own compliance obligations.

03. PROCESSING INSTRUCTIONS

In short

We process your personal data only on your instructions, which live in the Principal Agreement, this DPA (including Annex 1), your configuration of the platform, and any further written instructions you give us. If we believe an instruction would breach data protection law, we will tell you and we are not required to follow it.

3.1 Jonda Health shall process Customer Personal Data only on documented instructions from the Customer, including with regard to Restricted Transfers, unless required to do otherwise by applicable law to which Jonda Health is subject. In such a case, Jonda Health shall (where lawfully permitted) inform the Customer of the legal requirement before processing.

3.2 The Customer’s instructions for the Processing of Customer Personal Data are set out in: (a) the Principal Agreement; (b) this DPA (including Annex 1); (c) the Customer’s configuration and use of the Services from time to time, including the region selection and feature toggles made by the Customer within the Services; and (d) any further written instructions issued by the Customer to Jonda Health and reasonably accepted by Jonda Health as being within the scope of the Services.

3.3 Jonda Health shall promptly inform the Customer if, in its opinion, an instruction infringes Applicable Data Protection Laws. Jonda Health shall not be required to comply with an instruction that, in its reasonable opinion, would cause it to breach Applicable Data Protection Laws.

3.4 Where Jonda Health, acting on the Customer’s instructions, is required to perform de-identification or redaction of Customer Personal Data as part of the Services (including the stripping of patient identifiers from digital data and the redaction of identifiers from non-digital data), the Customer instructs and authorises Jonda Health to do so, on the basis set out in clause 11.

04. PROCESSOR’S OBLIGATIONS AND PERSONNEL

In short

We process your data only as needed to provide the service, on your documented instructions. Our people are bound by confidentiality, trained on data protection, and access is limited to those who need it. We implement the security measures in Annex 2, help you respond to data subject rights requests, support your obligations under GDPR Articles 32 to 36, and make available the information you need to demonstrate compliance.

4.1 Jonda Health shall:

  1. process Customer Personal Data only as necessary to provide the Services and only in accordance with the Customer’s documented instructions;
  2. ensure that persons authorised by Jonda Health to process Customer Personal Data are bound by enforceable obligations of confidentiality (whether contractual or statutory) and have received appropriate training in the protection and proper handling of Personal Data;
  3. take reasonable steps to ensure the reliability of any of its personnel who have access to Customer Personal Data, and limit such access to those personnel who require it in order to perform their duties in connection with the Services;
  4. implement and maintain the technical and organisational measures set out in Annex 2 (TOMs);
  5. taking into account the nature of the Processing, assist the Customer by appropriate technical and organisational measures, insofar as this is possible, in fulfilling the Customer’s obligations to respond to requests for the exercise of Data Subjects’ rights, in accordance with clause 8;
  6. assist the Customer in ensuring compliance with the obligations under Articles 32 to 36 GDPR (and any equivalent obligations under other Applicable Data Protection Laws), in accordance with clauses 5, 9 and 10, taking into account the nature of the Processing and the information available to Jonda Health; and
  7. make available to the Customer all information necessary to demonstrate compliance with this DPA and contribute to audits and inspections in accordance with clause 12.

4.2 Jonda Health has appointed a Chief Information Security Officer, with overall responsibility for information security at Jonda Health, and has designated a Data Protection Officer (or equivalent privacy contact) reachable at the contact details set out in clause 16. The Customer may contact Jonda Health’s Data Protection Officer at any time on matters relating to the Processing of Customer Personal Data under this DPA.

05. SECURITY MEASURES

In short

We are certified to ISO/IEC 27001, and we implement the technical and organisational measures set out in Annex 2 to a level of security appropriate to the risk. We may update those measures over time, but never to a less protective level. We regularly test, assess and evaluate how well they work.

5.1 Taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of the Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Jonda Health shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in accordance with Annex 2 (TOMs) and the requirements of Article 32 GDPR, the Eleventh Schedule to the PDPA, and (where applicable) the HIPAA Security Rule at 45 CFR §§164.302–164.318.

5.2 Jonda Health is certified to ISO/IEC 27001 in respect of the Services. Jonda Health may, from time to time, update or substitute the technical and organisational measures set out in Annex 2 provided that the updated or substitute measures provide a level of security that is no less protective than those set out in Annex 2 as at the date of this DPA.

5.3 Jonda Health shall regularly test, assess and evaluate the effectiveness of its technical and organisational measures.

06. SUB-PROCESSORS

In short

You give us general written authorisation to engage sub-processors, with the current list at Annex 3. We give you at least 30 days’ notice of any new or replacement sub-processor, during which you can object on reasonable, documented grounds within 14 days. If we cannot resolve your objection in good faith, you can terminate the affected part of the service. Where we use LLM or generative AI sub-processors, they are on enterprise endpoints with no-training and zero-retention configurations, contractually prohibited from training on anything we send them.

6.1 The Customer grants Jonda Health a general written authorisation to engage Sub-processors in the provision of the Services, subject to this clause 6. Jonda Health’s current Sub-processors are listed in Annex 3 (Sub-processors).

6.2 Jonda Health shall ensure that each Sub-processor is bound by a written contract that imposes on the Sub-processor materially the same data protection obligations as those imposed on Jonda Health under this DPA, in particular providing sufficient guarantees to implement appropriate technical and organisational measures, and shall remain fully liable to the Customer for the performance of each Sub-processor’s obligations.

6.3 Where Jonda Health uses sub-processors that are providers of large language model or generative artificial intelligence services to deliver any part of the Services, Jonda Health shall use only those services configured on enterprise, zero data retention and no-training endpoints (or equivalent configurations) such that: (a) Customer Personal Data is not used by the sub-processor to train, fine-tune or otherwise improve any model that is made available to third parties; (b) Customer Personal Data is not retained by the sub-processor beyond the period necessary to return the relevant inference output to Jonda Health (or such minimum period mandated by the sub-processor’s standard service for abuse-monitoring purposes only); and (c) the sub-processor is bound by written contractual obligations of confidentiality and security materially consistent with this DPA. Jonda Health may also use proprietary models hosted in contained environments operated by Jonda Health or its sub-processors, and shall ensure such environments meet the security requirements of this DPA.

6.4 Jonda Health shall maintain an up-to-date list of its Sub-processors at a publicly accessible location notified to the Customer (the “Sub-processor List”), and shall give the Customer at least thirty (30) days’ prior written notice (which may be by email or by update to the Sub-processor List with notice within the Services) of any intended addition or replacement of a Sub-processor.

6.5 The Customer may object in writing to the appointment of a new Sub-processor on reasonable, documented grounds relating to the protection of Customer Personal Data, within fourteen (14) days of receipt of Jonda Health’s notice. The Parties shall discuss such concerns in good faith with a view to reaching a resolution. If no resolution can be reached, Jonda Health may, at its sole discretion, either: (a) refrain from using the proposed Sub-processor in respect of the Customer’s Personal Data; or (b) confirm that it will use the Sub-processor, in which case the Customer’s sole and exclusive remedy is to terminate the affected portion of the Services on written notice without further liability for fees applicable to the period after termination, save that this shall not affect any pre-paid fees already due.

07. INTERNATIONAL DATA TRANSFERS

In short

Your data stays in the region you select unless we need to transfer it to provide the service, to an approved sub-processor, or where required by law. When personal data crosses borders, we apply the standard safeguards: EU SCCs for transfers under GDPR (incorporated through Annex 4), the UK Addendum for transfers under UK GDPR (Annex 5), and equivalent contractual obligations for transfers from Singapore. We will share copies of the safeguards on request.

7.1 Jonda Health shall not transfer Customer Personal Data outside the data hosting region selected by the Customer except: (a) as necessary to provide the Services in accordance with the Customer’s instructions (including the configuration of the Services); (b) to a Sub-processor approved in accordance with clause 6; or (c) where required by applicable law.

7.2 Where any Restricted Transfer takes place under or in connection with this DPA:

  1. in respect of Personal Data subject to the GDPR, the Parties shall be deemed to have entered into the EU SCCs (Module 2: Controller-to-Processor, or Module 3: Processor-to-Processor as applicable), incorporated by reference into this DPA in accordance with Annex 4;
  2. in respect of Personal Data subject to the UK GDPR, the Parties shall be deemed to have entered into the UK Addendum, incorporated by reference into this DPA in accordance with Annex 5; and
  3. in respect of Personal Data subject to section 26 of the PDPA being transferred outside Singapore, Jonda Health shall ensure that the recipient is bound by legally enforceable obligations to provide a standard of protection that is at least comparable to that under the PDPA, in accordance with the Personal Data Protection (Transfer of Personal Data outside Singapore) Regulations 2014.

7.3 Jonda Health shall, upon written request, provide the Customer with reasonable information regarding the safeguards in place for any Restricted Transfer, including a copy of the executed Standard Contractual Clauses with each relevant Sub-processor (with confidential commercial information redacted), and shall co-operate with the Customer in conducting any transfer impact assessment required under Applicable Data Protection Laws.

08. DATA SUBJECT RIGHTS

In short

We help you respond to requests from data subjects exercising their rights, taking into account the nature of the processing and what is technically possible. If a data subject contacts us directly about your data, we forward the request to you rather than responding ourselves. Where the platform has self-service tools that handle the request, our help may be limited to enabling you to use them.

8.1 Jonda Health shall, taking into account the nature of the Processing, assist the Customer by appropriate technical and organisational measures, insofar as possible, to enable the Customer to fulfil its obligation to respond to requests from Data Subjects exercising their rights under Applicable Data Protection Laws (including the rights of access, rectification, erasure, restriction of processing, portability, objection, withdrawal of consent, and the right not to be subject to automated decision-making).

8.2 If a Data Subject submits a request directly to Jonda Health in respect of Customer Personal Data, Jonda Health shall, except as required by applicable law, refrain from responding substantively to the request and shall promptly forward the request to the Customer to enable the Customer to respond. Where the Customer has self-service tools available within the Services to fulfil such requests, Jonda Health’s assistance under this clause may be limited to enabling the Customer’s use of those tools.

8.3 Jonda Health may charge the Customer a reasonable fee for assistance provided under this clause 8 to the extent such assistance is materially beyond the standard self-service tools made available within the Services, and provided that any such fee is notified to the Customer in advance.

09. PERSONAL DATA BREACHES

In short

We will notify you of any personal data breach affecting your data within 24 hours of becoming aware of it. The notification will describe what happened, the categories and approximate number of data subjects and records affected, who to contact, the likely consequences, and what we are doing about it. We will support your obligations to notify regulators and affected individuals, and we will cooperate in the investigation and remediation.

9.1 Jonda Health shall notify the Customer of a Personal Data Breach affecting Customer Personal Data without undue delay and in any event within twenty-four (24) hours of becoming aware of such Personal Data Breach.

9.2 Such notification shall, to the extent that the relevant information is then available to Jonda Health (and shall be supplemented as further information becomes available):

  1. describe the nature of the Personal Data Breach, including the categories and approximate number of Data Subjects concerned and the categories and approximate number of records concerned;
  2. communicate the name and contact details of Jonda Health’s Data Protection Officer or other contact point;
  3. describe the likely consequences of the Personal Data Breach; and
  4. describe the measures taken or proposed to be taken by Jonda Health to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.

9.3 Jonda Health shall co-operate with the Customer and take such reasonable steps as the Customer may direct to assist in the investigation, mitigation and remediation of the Personal Data Breach, and shall assist the Customer in fulfilling any obligations to notify supervisory authorities or affected Data Subjects under Applicable Data Protection Laws (including under Article 33 and Article 34 GDPR, sections 26C and 26D of the PDPA, and 45 CFR §§164.404–164.410).

9.4 Notification of, or response to, a Personal Data Breach by Jonda Health under this clause 9 shall not be construed as an acknowledgement by Jonda Health of any fault or liability with respect to the Personal Data Breach.

10. DPIA AND PRIOR CONSULTATION ASSISTANCE

In short

On your reasonable written request, we will help you with any data protection impact assessment or prior consultation with a supervisory authority that you need to do for processing we perform under this DPA. Help may take the form of documentation, security questionnaire responses, or other relevant information already in our hands.

10.1 Jonda Health shall, on the Customer’s reasonable written request and taking into account the nature of the Processing and the information available to Jonda Health, provide reasonable assistance to the Customer in carrying out any data protection impact assessment (“DPIA”) required under Article 35 GDPR (or equivalent obligations under other Applicable Data Protection Laws) in respect of Processing performed by Jonda Health under this DPA, and in any prior consultation with a supervisory authority required under Article 36 GDPR.

10.2 Jonda Health’s assistance under this clause 10 may, at Jonda Health’s option, take the form of providing relevant documentation, security questionnaire responses, or other information in Jonda Health’s possession or control.

11. DE-IDENTIFIED DATA AND SERVICE IMPROVEMENT

In short

You instruct and authorise us to apply de-identification, redaction and pseudonymisation as part of the service (HIPAA Safe Harbor for PHI, equivalent guidance for GDPR, UK GDPR and PDPA). We may then use the de-identified, aggregated data to operate, maintain, secure and improve the service for all customers, including learning new biomarkers and reference ranges so the platform handles them correctly next time. We do not sell de-identified data, build commercial datasets from it, publish it, or attempt to re-identify it.

Where our personnel review data as part of harmonisation, that review is for data quality and accuracy only. It is not clinical review or medical judgement. Decisions about patient care, diagnosis or treatment remain entirely yours.

11.1 The Customer instructs and authorises Jonda Health to apply de-identification, redaction and pseudonymisation methodologies to Customer Personal Data in the course of providing the Services. Such methodologies shall, in respect of HIPAA Protected Health Information, conform to the Safe Harbor method at 45 CFR §164.514(b)(2), and shall otherwise comply with relevant guidance issued under the GDPR, UK GDPR and PDPA.

11.2 The Customer further instructs and authorises Jonda Health to derive De-identified Data from Customer Personal Data and to use such De-identified Data, in aggregated and non-identifying form, solely for the following purposes:

  1. operating, maintaining, securing and improving the Services for all of Jonda Health’s customers, including by updating Jonda Health’s systems with knowledge of new biomarkers, reference ranges, codings and processing rules so that the Services can correctly process such items in subsequent encounters;
  2. generating and disclosing aggregated metrics that report on Jonda Health’s overall use of the Services (such as the total number of biomarkers or records processed across the platform), provided that such metrics do not identify, and could not reasonably be used to identify, the Customer or any Data Subject; and
  3. complying with applicable law.

11.3 Jonda Health shall not: (a) sell De-identified Data; (b) use De-identified Data to compile or distribute commercial datasets; (c) use De-identified Data for research or publication; or (d) attempt to re-identify any De-identified Data, save where re-identification is required by law or as part of an authorised audit of the de-identification methodology and is performed under appropriate safeguards.

11.4 Where De-identified Data ceases to constitute Personal Data under Applicable Data Protection Laws (because re-identification is not reasonably possible by Jonda Health using only the means likely to be used by it), this DPA shall not apply to Jonda Health’s onward use of such De-identified Data within the limits permitted under clause 11.2 above. The Parties acknowledge that pseudonymised personal data under the GDPR/UK GDPR remains Personal Data and continues to be subject to this DPA.

11.5 Human review by Jonda Health personnel. For the avoidance of doubt, any human review of Customer Personal Data performed by Jonda Health personnel as part of the Services is solely for the purpose of data accuracy and quality assurance of the harmonisation process. Such review is performed under the confidentiality, access-control and security obligations set out in this DPA and Annex 2, and does not constitute clinical review, medical judgement, diagnostic interpretation, or any form of professional healthcare advice. The Customer remains solely responsible for any clinical review, diagnostic interpretation, treatment decision, or other professional judgement applied to the outputs of the Services.
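The Safe Harbor method that clause 11.1 and Annex 2 (item 11) refer to is a concrete, checkable procedure: remove the eighteen identifier classes, reduce dates directly related to the individual to the year, and aggregate ages over 89 into a single "90+" category (at which point the birth year must go too, since it would reveal the age). The following is an added example, not Jonda Health's code, showing both the transformation and the conformance check a reviewer could run during an audit of the methodology (clause 11.3(d)). The field names, the sample record and the free-text patterns are constructed for illustration; geography below state level is dropped entirely, which is stricter than the rule's three-digit ZIP allowance, and age is computed as of the specimen collection date, which is an assumption.

```python
"""Added example (not Jonda Health's code): a minimal HIPAA Safe Harbor
(45 CFR 164.514(b)(2)) de-identification pass and conformance check over a
pathology record. Field names, patterns and sample data are constructed."""
import copy
import re
from datetime import date

# Assumed field names carrying Safe Harbor identifiers (i)-(xviii): removed outright.
# Street, city and ZIP are dropped entirely here, stricter than the rule, which
# permits a 3-digit ZIP prefix for areas of more than 20,000 people.
DIRECT_IDENTIFIERS = frozenset({
    "name", "street_address", "city", "zip", "phone", "fax", "email", "ssn",
    "mrn", "health_plan_id", "account_number", "licence_number", "vehicle_id",
    "device_serial", "url", "ip_address", "biometric_id", "photo",
})
# Dates directly related to the individual: only the year may survive.
DATE_FIELDS = frozenset({"date_of_birth", "collection_date", "admission_date"})
# Constructed, non-exhaustive patterns for identifiers leaking into free text.
FREE_TEXT_PATTERNS = [
    (re.compile(r"\b\d{4}-\d{2}-\d{2}\b"), "[DATE]"),
    (re.compile(r"\b\d{2}/\d{2}/\d{4}\b"), "[DATE]"),
    (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"), "[EMAIL]"),
    (re.compile(r"(?<!\d)\+?\d[\d\s-]{7,}\d(?!\d)"), "[PHONE]"),
    (re.compile(r"\bMRN\s*\d+\b", re.I), "[MRN]"),
]
AGE_CAP = 89  # ages over 89 collapse into the single "90+" category


def _age_on(dob: date, asof: date) -> int:
    """Whole years between dob and asof (assumption: age taken as of collection)."""
    return asof.year - dob.year - ((asof.month, asof.day) < (dob.month, dob.day))


def deidentify(record: dict, asof: date) -> dict:
    """Return a Safe Harbor copy; age and sex are kept for clinical reference ranges."""
    out = copy.deepcopy(record)
    for field in DIRECT_IDENTIFIERS:
        out.pop(field, None)
    dob = record.get("date_of_birth")
    age = _age_on(dob, asof) if isinstance(dob, date) else record.get("age")
    if isinstance(age, int) and age > AGE_CAP:
        out["age"] = "90+"
        out.pop("date_of_birth", None)  # birth year alone would reveal an age over 89
    elif isinstance(age, int):
        out["age"] = age
    for field in DATE_FIELDS:
        value = out.get(field)
        if isinstance(value, date):
            out[field] = value.year  # year only
    for field, value in list(out.items()):
        if isinstance(value, str):
            for pattern, token in FREE_TEXT_PATTERNS:
                value = pattern.sub(token, value)
            out[field] = value
    return out


def safe_harbor_violations(record: dict) -> list:
    """Conformance check for an audit of the methodology: residual identifiers found."""
    problems = []
    for field in sorted(set(record) & DIRECT_IDENTIFIERS):
        problems.append(f"identifier field present: {field}")
    for field in sorted(set(record) & DATE_FIELDS):
        if not isinstance(record[field], int):
            problems.append(f"{field} retains more than the year")
    age = record.get("age")
    if isinstance(age, int) and age > AGE_CAP:
        problems.append("age over 89 not aggregated to 90+")
    if age == "90+" and "date_of_birth" in record:
        problems.append("birth year retained for age 90+")
    for field, value in sorted(record.items()):
        if isinstance(value, str):
            for pattern, token in FREE_TEXT_PATTERNS:
                if pattern.search(value):
                    problems.append(f"{field} contains unredacted {token}")
    return problems


# Constructed sample record; every value is fictitious.
SAMPLE = {
    "name": "Jane Example",
    "mrn": "MRN 0042",
    "email": "jane@example.org",
    "street_address": "1 Example Road",
    "zip": "02139",
    "sex": "F",
    "date_of_birth": date(1932, 3, 14),
    "collection_date": date(2025, 6, 2),
    "analyte": "haemoglobin",
    "value": 12.1,
    "unit": "g/dL",
    "notes": "Sample drawn 2025-06-02, patient contactable at jane@example.org, MRN 0042.",
}

if __name__ == "__main__":
    clean = deidentify(SAMPLE, asof=date(2025, 6, 2))
    print(clean)
    print("violations before:", safe_harbor_violations(SAMPLE))
    print("violations after:", safe_harbor_violations(clean))
```

The check is deliberately run on the output rather than trusted from the transform: the two functions share the same identifier lists, so a field added to one and forgotten in the other shows up as a finding, which is the kind of drift an audit of the methodology is meant to catch. Free-text scrubbing by pattern is the weak point of any Safe Harbor pipeline; narrative fields should be treated as the residual risk, not as solved.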


12. AUDITS AND INSPECTIONS

In short

We will provide you with our ISO/IEC 27001 certification and reasonable security questionnaire responses to demonstrate compliance. Where you reasonably believe that is not sufficient, or where a regulator requires it, or following a personal data breach affecting you, you can conduct an on-site audit on 30 days’ notice (or shorter where a regulator demands it), once per 12 months under standard audit conditions. You bear the costs unless the audit follows a breach we are responsible for.

12.1 Jonda Health shall make available to the Customer all information reasonably necessary to demonstrate compliance with the obligations laid down in this DPA, and shall allow for and contribute to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer in accordance with this clause 12.

12.2 Jonda Health shall satisfy its obligations under clause 12.1 by:

  1. providing the Customer, on reasonable written request, with Jonda Health’s most recent ISO/IEC 27001 certification and statement of applicability (and any other independent third-party audit reports or certifications that Jonda Health holds from time to time in respect of the Services); and
  2. responding within a reasonable period to reasonable written information requests from the Customer concerning Jonda Health’s compliance with this DPA, including reasonable security questionnaires.

12.3 Where the Customer reasonably considers that the information made available under clause 12.2 is insufficient, or where an audit is required (i) by a supervisory authority of competent jurisdiction, or (ii) following a Personal Data Breach affecting the Customer’s Personal Data, the Customer may conduct, or appoint an independent third party (subject to written confidentiality undertakings reasonably acceptable to Jonda Health and not being a competitor of Jonda Health) to conduct, an on-site audit of Jonda Health’s relevant facilities and records, on the following terms:

  1. the Customer shall give Jonda Health at least thirty (30) days’ prior written notice (or such shorter notice as may be required by a supervisory authority);
  2. the audit shall take place during Jonda Health’s normal business hours, at a mutually agreed time, and shall be conducted in a manner that minimises disruption to Jonda Health’s business and to other customers;
  3. the audit shall not entitle the Customer to access information relating to other customers, third parties, or Jonda Health’s confidential commercial information unrelated to compliance with this DPA;
  4. the Customer shall bear its own costs of the audit and shall reimburse Jonda Health’s reasonable costs of co-operating with the audit, save where the audit is conducted in response to a Personal Data Breach for which Jonda Health is responsible, in which case Jonda Health shall bear its own costs; and
  5. audits under this clause 12.3 shall not be conducted more than once in any twelve (12)-month period, save where required by a supervisory authority or following a Personal Data Breach.


13. RETURN AND DELETION OF CUSTOMER PERSONAL DATA

In short

When the agreement ends, or earlier if you ask, we will return or delete your personal data within 30 days, at your option. Backups are overwritten in the rolling backup cycle. We may retain data longer where law requires, in which case it stays protected under this DPA. De-identified data that has already ceased to be personal data is not subject to return or deletion.

13.1 Upon termination or expiry of the Principal Agreement, or upon the Customer’s earlier written request, Jonda Health shall, at the Customer’s option, either return to the Customer all Customer Personal Data in Jonda Health’s possession or control or securely delete such Customer Personal Data, in each case within thirty (30) days of such termination, expiry or request.

13.2 Notwithstanding clause 13.1, Jonda Health may retain Customer Personal Data: (a) in routine system back-ups for the duration of the standard back-up retention cycle, after which they shall be securely overwritten or deleted; and (b) to the extent and for the period required by applicable law, in which case Jonda Health shall continue to protect such Personal Data in accordance with this DPA.

13.3 On the Customer’s reasonable written request, Jonda Health shall confirm in writing the actions taken under this clause 13.

13.4 Nothing in this clause 13 shall require Jonda Health to delete or return De-identified Data that has already ceased to constitute Personal Data, provided that any such retained data is used only as permitted under clause 11.


14. LIABILITY AND INDEMNITY

In short

Liability under this DPA sits within the framework of the Principal Agreement, with one specific change: a separate Data Protection Cap of 2x the fees paid in the preceding 12 months, on top of the general cap. You indemnify us against losses caused by your breach of warranties, your region or configuration choices, or your unlawful instructions. We indemnify you against losses from third-party claims caused by our breach of this DPA, subject to the Data Protection Cap.

14.1 Each Party’s liability arising out of or in connection with this DPA shall be subject to, and form part of, the exclusions and limitations of liability set out in the Principal Agreement, except as expressly modified in this clause 14.

14.2 Without prejudice to any greater liability arising for matters that are not capable of exclusion or limitation under applicable law, each Party’s aggregate liability arising out of or in connection with breaches of this DPA (including any claims for indemnification under this DPA) shall not exceed two (2) times the total fees paid or payable by the Customer to Jonda Health under the Principal Agreement in the twelve (12)-month period immediately preceding the event giving rise to the claim (the “Data Protection Cap”). The Data Protection Cap is in addition to, and shall not be reduced by amounts counted against, the general liability cap in the Principal Agreement; provided that the Data Protection Cap and the general liability cap shall together represent the total maximum aggregate liability of each Party in connection with the Principal Agreement and this DPA.

14.3 The Customer shall indemnify and hold harmless Jonda Health and its affiliates, officers, employees and agents from and against all losses, damages, costs and expenses (including reasonable legal fees) arising out of or in connection with: (a) the Customer’s breach of clause 2.3 (Customer warranties); (b) the Customer’s selection of a data hosting region or configuration of the Services in a manner inconsistent with the Customer’s own legal or regulatory obligations; or (c) any instruction given by the Customer to Jonda Health that is unlawful or otherwise causes Jonda Health to be in breach of Applicable Data Protection Laws.

14.4 Jonda Health shall indemnify and hold harmless the Customer and its affiliates from and against losses, damages, costs and expenses (including reasonable legal fees) arising out of any third-party claim to the extent caused by Jonda Health’s breach of its obligations under this DPA, subject always to the Data Protection Cap.

14.5 Where Jonda Health and the Customer are jointly and severally liable to a Data Subject under Article 82 GDPR (or equivalent provisions of other Applicable Data Protection Laws), the apportionment of liability between the Parties shall reflect their respective responsibility for the damage caused.


15. TERM AND TERMINATION

In short

This DPA takes effect when you enter the Principal Agreement (or first process data, if later) and runs for as long as we process your personal data. Termination does not affect rights or obligations already accrued, and certain clauses (definitions, de-identified data restrictions, return and deletion, liability, notices, governing law) survive.

15.1 This DPA shall take effect on the date on which the Customer enters into the Principal Agreement (or, if later, the date on which Customer Personal Data is first processed by Jonda Health under the Principal Agreement) and shall remain in force for so long as Jonda Health processes Customer Personal Data on behalf of the Customer.

15.2 Termination of this DPA shall not affect any rights or obligations of the Parties that have accrued prior to termination, nor any provisions which by their nature are intended to survive termination, including clauses 1, 11.3, 11.4, 13, 14, 16 and 17.


16. NOTICES

In short

Notices to us go to our Data Protection Officer at privacy@jonda.health or to our Singapore registered office. Notices to you go to the contact details in your account or as specified in the Principal Agreement. Email and platform notifications count as valid notice.

16.1 Notices to Jonda Health under this DPA shall be sent in writing to:

Jonda Health Pte. Ltd.

Attention: Data Protection Officer

1 North Bridge Road, #19-09 High Street Centre, Singapore 179094

Email: privacy@jonda.health

16.2 Notices to the Customer shall be sent to the contact details specified in the Customer’s account within the Services or as otherwise specified in the Principal Agreement.

16.3 Notices shall be deemed received: (a) if delivered by hand, on the date of delivery; (b) if sent by email, on the date of transmission, provided no delivery failure notification is received; and (c) if sent by registered or recorded post, two (2) business days after posting.


17. GOVERNING LAW AND JURISDICTION

In short

This DPA is governed by Singapore law and disputes are heard in Singapore courts. Two carve-outs: the EU SCCs (Annex 4) are governed by Irish law where they apply, and the UK Addendum (Annex 5) is governed by English law where it applies, in each case to the extent the relevant transfer mechanism requires.

17.1 This DPA shall be governed by and construed in accordance with the laws of the Republic of Singapore, without giving effect to any choice or conflict of law provision.

17.2 The Parties submit to the exclusive jurisdiction of the courts of the Republic of Singapore in respect of any dispute arising out of or in connection with this DPA, save that this clause 17.2 shall not preclude either Party from seeking interim or injunctive relief in any court of competent jurisdiction, and shall not override the dispute resolution provisions of the EU SCCs (where they apply) or the UK Addendum (where it applies).

17.3 Notwithstanding clause 17.1: (a) Annex 4 (EU SCCs), where applicable, shall be governed by the law of an EU Member State as set out therein, and disputes thereunder shall be resolved by the courts of that Member State; and (b) Annex 5 (UK Addendum), where applicable, shall be governed by the laws of England and Wales, and disputes thereunder shall be resolved by the courts of England and Wales, in each case to the extent required by the relevant transfer mechanism.


18. GENERAL

In short

The standard legal scaffolding. This DPA together with the Principal Agreement and Annexes is the complete agreement on data processing. Invalid clauses get severed. Variations need both parties’ written signatures, except updates to the sub-processor list which we can make under clause 6.4. Data subjects can enforce rights granted to them under the SCCs and UK Addendum.

18.1 This DPA, together with the Principal Agreement and the Annexes hereto, constitutes the entire agreement between the Parties relating to the Processing of Customer Personal Data and supersedes any prior agreements or understandings on the same subject matter.

18.2 If any provision of this DPA is held to be invalid or unenforceable by any court or regulatory authority of competent jurisdiction, the remaining provisions shall continue in full force and effect.

18.3 No variation of this DPA shall be effective unless in writing and signed by, or on behalf of, both Parties. Updates to Annex 3 (Sub-processors) made by Jonda Health in accordance with clause 6.4 shall not constitute a variation requiring the Customer’s signature.

18.4 A person who is not a party to this DPA shall have no right under the Contracts (Rights of Third Parties) Act 2001 of Singapore to enforce any term of this DPA, except that Data Subjects may enforce rights granted to them under the EU SCCs or the UK Addendum to the extent provided therein.


ANNEX 1: PROCESSING PARTICULARS

In short

This annex sets out the formal particulars of the processing required by GDPR Article 28, the PDPA Eleventh Schedule and (where they apply) the EU SCCs. It covers subject-matter, duration, nature and purpose of processing, categories of data subjects and personal data, special category data, frequency, hosting region and the relevant supervisory authority.

This Annex 1 sets out the particulars of the Processing for the purposes of clause 2.1 of the DPA, Article 28(3) GDPR, the Eleventh Schedule to the PDPA and (where applicable) the equivalent particulars required under Annex I of the EU SCCs.

ANNEX 2: TECHNICAL AND ORGANISATIONAL MEASURES

In short

This is the detailed list of how we protect your data: information security governance, access controls and MFA, encryption in transit and at rest, network and application security, logging and monitoring, personnel security and training, physical security, incident management, business continuity, de-identification and minimisation, sub-processor management, and audit and assurance. We may update these measures over time but never to a less protective level.

This Annex 2 describes the technical and organisational measures implemented by Jonda Health for the purposes of clause 5 of the DPA, Article 32 GDPR, the Eleventh Schedule to the PDPA and (where applicable) the HIPAA Security Rule. Jonda Health may update or supplement these measures from time to time, provided that the level of protection afforded is not materially diminished.

1. Information security governance
  • Jonda Health maintains an Information Security Management System certified to ISO/IEC 27001.
  • A Chief Information Security Officer has overall responsibility for information security.
  • A Data Protection Officer (or equivalent privacy lead) has overall responsibility for data protection and privacy.
  • Documented information security and privacy policies are maintained, reviewed at least annually, and approved by senior management.
2. Access control
  • Role-based access control (RBAC) is enforced. Access to Customer Personal Data is granted on a least-privilege, need-to-know basis.
  • Multi-factor authentication is required for administrative access to production systems.
  • User access is reviewed at regular intervals and revoked promptly upon role change or termination.
  • Strong password policies and credential management practices are enforced.
3. Encryption
  • Customer Personal Data is encrypted in transit using TLS 1.2 or higher.
  • Customer Personal Data is encrypted at rest using industry-standard symmetric encryption (AES-256 or equivalent).
  • Cryptographic keys are managed using a key management system with appropriate access controls and rotation.
4. Network and infrastructure security
  • Production environments are segregated from development and test environments.
  • Network controls, firewalls and security groups are configured to restrict ingress and egress traffic to that which is necessary.
  • Vulnerability scanning and patch management processes are operated on a regular basis.
  • Penetration tests are conducted at least annually and significant findings are remediated.
5. Application security
  • Secure development lifecycle practices, including peer code review and static analysis.
  • Dependency vulnerability monitoring and timely remediation.
  • Input validation, output encoding and other controls to mitigate common application security risks (e.g., OWASP Top 10).
6. Logging and monitoring
  • Centralised logging of administrative, authentication and security events.
  • Continuous monitoring with alerting on anomalous events and suspected security incidents.
  • Log integrity and retention controls.
7. Personnel security
  • Background checks for personnel with access to Customer Personal Data, where lawful.
  • Confidentiality undertakings, whether contractual or statutory, are enforceable against personnel.
  • Mandatory information security and privacy training at onboarding and at least annually thereafter.
8. Physical security
  • Production hosting is provided through certified cloud infrastructure providers (see Annex 3) operating data centres with documented physical security controls (including ISO/IEC 27001 and equivalent certifications).
9. Incident management and breach response
  • Documented security incident response procedure, with defined roles, escalation paths and notification timelines.
  • Regular testing of incident response procedures.
  • Notification to the Customer of Personal Data Breaches without undue delay and in any event within 24 hours of becoming aware (clause 9.1).
10. Business continuity and back-up
  • Regular back-up of Customer Personal Data with encryption.
  • Documented business continuity and disaster recovery procedures, tested periodically.
11. De-identification and minimisation
  • Stripping of patient identifiers from digital health data.
  • Redaction of patient identifiers from non-digital data, with retention of age and biological sex in pathology data solely for the purpose of determining clinical reference ranges.
  • De-identification methodology aligned with the HIPAA Safe Harbor method (45 CFR §164.514(b)(2)), including aggregation of ages 90+ into a single category.
12. Sub-processor management
  • Pre-engagement due diligence on all Sub-processors.
  • Written contracts imposing data protection obligations materially equivalent to those in the DPA.
  • Use of enterprise / no-training / zero-data-retention configurations for any large language model or generative AI sub-processor.
13. Audit and assurance
  • Independent third-party assurance through ISO/IEC 27001 certification.
  • Internal audit programme covering information security and privacy controls.


ANNEX 3: LIST OF SUB-PROCESSORS

In short

The current list of sub-processors we use. Google Cloud and AWS are our cloud infrastructure (in your selected region). OpenAI, Anthropic and Vertex AI are our LLM providers, all on enterprise no-training zero-retention endpoints. Jonda Health proprietary models run in contained environments in your selected region. Mailjet handles transactional and notification email delivery. The current list is also published online and you receive at least 30 days’ notice of any addition or replacement.

Jonda Health engages the following Sub-processors to provide the Services. The current list is also published at the URL notified by Jonda Health from time to time. Sub-processors are categorised below for transparency. Where a Sub-processor in the LLM/AI category processes Customer Personal Data, it does so only on enterprise, no-training and zero-retention configurations as required by clause 6.3 of the DPA.

ANNEX 4: EU STANDARD CONTRACTUAL CLAUSES

In short

Where your processing is subject to GDPR, the EU SCCs (Decision (EU) 2021/914) are incorporated by reference. Module 2 (Controller-to-Processor) applies if you are the Controller, Module 3 (Processor-to-Processor) if you are yourself a Processor for a third-party Controller. Irish law governs and disputes go to the Irish courts. Annexes I, II and III to the SCCs are populated from Annexes 1, 2 and 3 of this DPA. The SCCs prevail over the DPA in any conflict for GDPR data.

This Annex 4 applies where the Processing of Customer Personal Data under the DPA constitutes a Restricted Transfer subject to the GDPR.

1. Incorporation by reference

The Standard Contractual Clauses for the transfer of personal data to third countries adopted by the European Commission in Decision (EU) 2021/914 (the “EU SCCs”) are incorporated by reference into this DPA, with the following modules and elections:

  • Module 2 (Controller-to-Processor) shall apply where the Customer is a Controller of the Customer Personal Data.
  • Module 3 (Processor-to-Processor) shall apply where the Customer is itself a Processor acting on behalf of a third-party Controller.
2. Optional clauses and elections
  • Clause 7 (Docking clause): not used.
  • Clause 9(a) (Sub-processors): Option 2 (general written authorisation), with the notice period set out in clause 6.4 of the DPA.
  • Clause 11(a) (Independent dispute resolution): the optional language is not selected.
  • Clause 17 (Governing law): the law of the Republic of Ireland shall apply.
  • Clause 18(b) (Choice of forum and jurisdiction): the courts of the Republic of Ireland shall have jurisdiction.
3. Annex I to the EU SCCs
  • Part A (List of Parties): the Customer is the data exporter; Jonda Health is the data importer. Contact details are as set out in the Principal Agreement and clause 16 of the DPA.
  • Part B (Description of transfer): as set out in Annex 1 of the DPA.
  • Part C (Competent supervisory authority): as identified in Annex 1 of the DPA. Where the Customer is established outside the EEA but the transfer is subject to the GDPR by virtue of Article 3(2), the supervisory authority shall be the Irish Data Protection Commission.
4. Annex II to the EU SCCs

The technical and organisational measures set out in Annex 2 of the DPA shall constitute Annex II to the EU SCCs.

5. Annex III to the EU SCCs

The list of Sub-processors set out in Annex 3 of the DPA shall constitute Annex III to the EU SCCs.

6. Conflicts

In the event of any conflict between this DPA and the EU SCCs, the EU SCCs shall prevail in respect of Personal Data subject to the GDPR.


ANNEX 5: UK INTERNATIONAL DATA TRANSFER ADDENDUM

In short

Where your processing is subject to UK GDPR, the UK International Data Transfer Addendum is incorporated by reference. Tables 1 to 4 of the Addendum are populated using the parties to this DPA, the EU SCCs as incorporated under Annex 4, and Annexes 1, 2 and 3 of this DPA. The UK Addendum prevails over the DPA in any conflict for UK GDPR data.

This Annex 5 applies where the Processing of Customer Personal Data under the DPA constitutes a Restricted Transfer subject to the UK GDPR.

1. Incorporation

The International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, version B1.0, issued by the UK Information Commissioner under section 119A of the UK Data Protection Act 2018 and in force from 21 March 2022 (the “UK Addendum”), is incorporated by reference into this DPA in respect of any Restricted Transfer of Personal Data subject to the UK GDPR.

2. Tables of the UK Addendum
  • Table 1 (Parties): the Customer and Jonda Health, with contact details as set out in the Principal Agreement and clause 16 of the DPA.
  • Table 2 (Selected SCCs, modules and selected clauses): the EU SCCs as incorporated under Annex 4 of the DPA, with the modules and elections set out therein.
  • Table 3 (Appendix Information): as set out in Annexes 1, 2 and 3 of the DPA.
  • Table 4 (Ending the Addendum when the Approved Addendum Changes): the data importer (Jonda Health) may end the UK Addendum as set out in Section 19 of the UK Addendum.
3. Conflicts

In the event of any conflict between this DPA and the UK Addendum, the UK Addendum shall prevail in respect of Personal Data subject to the UK GDPR.


ANNEX 6: HIPAA BUSINESS ASSOCIATE AGREEMENT

In short

This BAA applies where you are a HIPAA Covered Entity (or Business Associate) and the data processed includes Protected Health Information (PHI). It sets the permitted uses and disclosures, our obligations as Business Associate (including the safeguards in Annex 2, breach reporting, sub-processor obligations, and access, amendment and accounting support), the breach notification timeline (24 hours per clause 9, more stringent than HIPAA’s 60-day outside limit), term and termination, and the effect of termination on PHI. The BAA prevails over other parts of the DPA in respect of PHI.

Where our workforce reviews PHI as part of the harmonisation process, that review is for data quality and accuracy only. It is not the provision of healthcare, clinical review or medical judgement. The Covered Entity remains responsible for any clinical, diagnostic or treatment decision that follows.

This Annex 6 (the “BAA”) applies where the Customer is a Covered Entity or a Business Associate under HIPAA and the Customer Personal Data Processed under the DPA includes Protected Health Information (“PHI”) within the meaning of HIPAA. In this BAA, the Customer is the “Covered Entity” (or, where applicable, the “Business Associate” acting on behalf of a Covered Entity), and Jonda Health is the “Business Associate” (or, where applicable, the “Subcontractor”).

1. Definitions

Capitalised terms used but not defined in this BAA shall have the meanings given to them in the HIPAA Privacy, Security and Breach Notification Rules at 45 CFR Parts 160 and 164. References to HIPAA include the HITECH Act and its implementing regulations.

2. Permitted uses and disclosures

Jonda Health may use and disclose PHI only as permitted or required by this BAA, the DPA, the Principal Agreement, or as Required by Law. Jonda Health shall not use or disclose PHI in any manner that would violate HIPAA if done by the Covered Entity, except that Jonda Health may use and disclose PHI:

  1. for the proper management and administration of Jonda Health, or to carry out its legal responsibilities, provided that any disclosure to a third party is Required by Law or made under a written agreement requiring confidentiality and prompt notification of any breach; and
  2. to provide Data Aggregation services, as that term is defined at 45 CFR §164.501, relating to the health care operations of the Covered Entity, where such services form part of the Services.

For the avoidance of doubt, any human review of PHI by Jonda Health workforce members performed as part of the Services is solely for the purpose of data accuracy and quality assurance of the harmonisation process. Such review is conducted under the safeguards set out in Annex 2 of the DPA and the workforce confidentiality and access-control obligations imposed under this BAA, and does not constitute the provision of healthcare, clinical review, medical judgement, diagnostic interpretation, or any form of professional healthcare advice. The Covered Entity remains solely responsible for any clinical review, diagnostic interpretation, treatment decision, or other professional judgement applied to the outputs of the Services.

3. Obligations of Jonda Health

Jonda Health shall:

  1. not use or further disclose PHI other than as permitted or required by this BAA or as Required by Law;
  2. use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to electronic PHI, to prevent the use or disclosure of PHI other than as provided for in this BAA, including the technical and organisational measures set out in Annex 2 of the DPA;
  3. report to the Covered Entity any use or disclosure of PHI not provided for by this BAA of which it becomes aware, including breaches of Unsecured PHI as required by 45 CFR §164.410, and any Security Incident of which it becomes aware (provided that, in respect of routine, unsuccessful attempts to penetrate computer systems or networks, this BAA shall constitute notice that such attempts occur from time to time, and no further notice shall be required unless one or more such attempts results in unauthorised access);
  4. in accordance with 45 CFR §§164.502(e)(1)(ii) and 164.308(b)(2), ensure that any Subcontractors that create, receive, maintain or transmit PHI on behalf of Jonda Health agree to substantially the same restrictions, conditions and requirements that apply to Jonda Health under this BAA;
  5. make available PHI in a Designated Record Set to the Covered Entity (or, as directed by the Covered Entity, to an Individual or the Individual’s designee) as necessary to satisfy the Covered Entity’s obligations under 45 CFR §164.524;
  6. make any amendments to PHI in a Designated Record Set as directed or agreed to by the Covered Entity pursuant to 45 CFR §164.526, or take other measures as necessary to satisfy the Covered Entity’s obligations under that section;
  7. maintain and make available the information required to provide an accounting of disclosures to the Covered Entity as necessary to satisfy the Covered Entity’s obligations under 45 CFR §164.528;
  8. to the extent that Jonda Health is to carry out one or more of the Covered Entity’s obligations under Subpart E of 45 CFR Part 164, comply with the requirements of that Subpart that apply to the Covered Entity in the performance of such obligations; and
  9. make its internal practices, books and records relating to the use and disclosure of PHI received from, or created or received by Jonda Health on behalf of, the Covered Entity available to the Secretary of the U.S. Department of Health and Human Services for purposes of determining compliance with HIPAA.
4. Breach notification

Jonda Health shall notify the Covered Entity of a Breach of Unsecured PHI without unreasonable delay and in no case later than the timeline set out in clause 9 of the DPA (which is more stringent than the 60-day outside limit set by 45 CFR §164.410). Notification shall include, to the extent then known, the information required under 45 CFR §164.410(c).

5. Term and termination

This BAA shall be effective for so long as Jonda Health processes PHI on behalf of the Covered Entity. The Covered Entity may terminate this BAA on written notice to Jonda Health if Jonda Health has materially breached this BAA and has failed to cure such breach within thirty (30) days of written notice (or such shorter period as may be required to avoid the Covered Entity’s breach of HIPAA).

6. Effect of termination

Upon termination of this BAA, Jonda Health shall, if feasible, return or destroy all PHI received from, or created or received by Jonda Health on behalf of, the Covered Entity, in accordance with clause 13 of the DPA. Where return or destruction is not feasible, Jonda Health shall extend the protections of this BAA to such PHI and limit further uses and disclosures to those purposes that make return or destruction infeasible, for so long as Jonda Health retains the PHI.

7. Conflicts

In the event of any conflict between this BAA and any other provision of the DPA or the Principal Agreement, this BAA shall prevail in respect of PHI.


ANNEX 7: US STATE LAW ADDENDUM

In short

Where your data is subject to applicable US state privacy laws (CCPA, MHMDA, TX HB300 and equivalents in other states), this annex sets out our position. We are a Service Provider under the CCPA (or a Processor under the equivalent state laws) acting on your behalf. We do not sell or share personal data, do not combine data across customers, and will not retain, use or disclose data outside our direct business relationship with you. Where Washington consumer health data is involved, we apply additional restrictions and confidentiality protections.

This Annex 7 applies in respect of Customer Personal Data subject to applicable US state privacy laws, including (without limitation) the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, the “CCPA”), the Washington My Health My Data Act (“MHMDA”) and the Texas Medical Records Privacy Act (Texas Health & Safety Code Chapter 181, “TX HB300”).

1. Service Provider / Processor status (CCPA)

In respect of Personal Data subject to the CCPA:

  1. Jonda Health is a “Service Provider” or “Processor” (as those terms are defined under the CCPA) acting on behalf of the Customer as the “Business”.
  2. Jonda Health shall not: (i) sell or share Personal Data within the meaning of the CCPA; (ii) retain, use or disclose Personal Data for any purpose other than for the specific business purposes set out in this DPA and the Principal Agreement, or as otherwise permitted by the CCPA; (iii) retain, use or disclose Personal Data outside of the direct business relationship between Jonda Health and the Customer; or (iv) combine Personal Data received from the Customer with Personal Data received from any other source, except as permitted by 11 CCR §7050(b).
  3. Jonda Health certifies that it understands the restrictions in this clause 1 and the requirements of the CCPA and will comply with them.
  4. Jonda Health shall promptly notify the Customer if Jonda Health determines that it can no longer meet its obligations under the CCPA, and shall co-operate with the Customer in taking reasonable steps to stop or remediate any unauthorised use of Personal Data.

2. Washington My Health My Data Act

Where Customer Personal Data includes “consumer health data” within the meaning of MHMDA: (a) Jonda Health shall process such data only in accordance with the Customer’s written instructions; (b) Jonda Health shall assist the Customer in fulfilling its obligations under MHMDA, including in relation to consumer rights requests and the prohibition on the sale of consumer health data without valid authorisation; and (c) Jonda Health shall not sell consumer health data.

3. Texas Medical Records Privacy Act (TX HB300)

Where the Customer is a “covered entity” under TX HB300, Jonda Health shall: (a) treat protected health information received from or on behalf of the Customer in accordance with TX HB300 and applicable Texas law; and (b) co-operate with the Customer in the provision of training, notice and consumer access required under TX HB300.

4. Other US state laws

To the extent any other US state privacy law (including, but not limited to, those of Virginia, Colorado, Connecticut, Utah, Oregon, Texas, Montana, Iowa, Tennessee, Indiana, Delaware or New Jersey) applies to the Processing, Jonda Health shall comply with the obligations applicable to it as a “processor” under such law and shall provide reasonable assistance to the Customer in complying with the Customer’s obligations as a “controller” thereunder.

Jonda Health Pte. Ltd.
1 NORTH BRIDGE ROAD
#19-09 HIGH STREET CENTRE
SINGAPORE (179094)

© Jonda Health 2024 | HIPAA, GDPR, PDPA & ISO 27001 Compliant