EFFECTIVE DATE: 01ST JANUARY, 2024
This Data Processing Agreement (the “DPA”) apply to the use of Services (as defined below) offered by Good Methods Global Inc, USA a company established under the laws of Delaware, USA; and Good Methods UK Limited, a company established in England and Wales.
Good Methods Global Inc together with Good Methods UK Limited shall each be referred to by their individual names, and together shall be referred to as “CareStack” and the “Data Processor”.
Customer is identified on the applicable Order Form between CareStack and Customer that references this DPA. Customer shall be referred to as “Data Controller”.
This DPA forms a contract between Data Processor and Data Controller both of whom hereby agree as follows:
1.1 This Data Processing Agreement applies to the processing of personal data subject to Applicable Data Protection Law as defined in the Order Form (“Services”) (hereinafter to be referred to as: the “Service Agreement”).
1.2 The term Applicable Data Protection Law shall mean the United Kingdom’s Data Protection Act 2018 and Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).
1.3 Any capitalised terms not otherwise defined in this Data Processing Agreement shall have the meaning given to them in the Service Agreement. Except as modified below, the terms of the Service Agreement shall remain in full force and effect. Other terms used in this Data Processing Agreement that have meanings ascribed to them in the Applicable Data Protection Law, including but not limited to “Processing,” “Personal Data,” “Data Controller” and “Processor,” shall carry the meanings set forth under Applicable Data Protection Law. “Sub-processor” shall mean any third-party data processor engaged by Data Processor who has or will have access to or process Personal Data.
1.4 Insofar as the Data Processor will be processing Personal Data subject to Applicable Data Protection Law on behalf of the Data Controller in the course of the performance of the Service Agreement with the Data Controller, the terms of this Data Processing Agreement shall apply. In the event of a conflict between any provisions of the Service Agreement and the provisions of this Data Processing Agreement, the provisions of this Data Processing Agreement shall govern and control. An overview of the categories of Personal Data, the categories of Data Subjects, and the nature and purposes for which the Personal Data are being processed is provided in Annex 2.
2.2 The Parties have entered into a Service Agreement in order to benefit from the capabilities of the Data Processor in securing and processing the Personal Data for the purposes set out in Annex 2. The Data Processor shall be allowed to exercise its own discretion in the selection and use of such means as it considers necessary to pursue those purposes, provided that all such discretion is compatible with the requirements of this Data Processing Agreement, in particular the Data Controller’s written instructions.
2.3 The Data Controller warrants that it has all necessary rights to provide the Personal Data to the Data Processor for the Processing to be performed in relation to the Services, and that one or more lawful bases set forth in Applicable Data Protection Law support the lawfulness of the Processing. To the extent required by Applicable Data Protection Law, the Data Controller is responsible for ensuring that all necessary privacy notices are provided to data subjects, and unless another legal basis set forth in Applicable Data Protection Law supports the lawfulness of the processing, that any necessary data subject consents to the Processing are obtained, and for ensuring that a record of such consents is maintained. Should such a consent be revoked by a data subject, the Data Controller is responsible for communicating the fact of such revocation to the Data Processor, and the Data Processor remains responsible for implementing Data Controller’s instruction with respect to the processing of that Personal Data.
3.1 Without prejudice to any existing contractual arrangements between the Parties, the Data Processor shall treat all Personal Data as confidential and it shall inform all its employees, agents and/ or Sub Processors engaged in processing the Personal Data of the confidential nature of the Personal Data. The Data Processor shall ensure that all such persons or parties have signed an appropriate confidentiality agreement, are otherwise bound to a duty of confidentiality, or are under an appropriate statutory obligation of confidentiality.
4.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Data Controller and Data Processor shall implement appropriate technical and organisational measures to ensure a level of security of the processing of Personal Data appropriate to the risk. These measures shall include, at a minimum, the security measures agreed upon by the Parties in Annex 3.
4.2 Both the Data Controller and the Data Processor shall maintain written security policies that are fully implemented and applicable to the processing of Personal Data. At a minimum, such policies should include assignment of internal responsibility for information security management, devoting adequate personnel resources to information security, carrying out verification checks on permanent staff who will have access to the Personal Data, conducting appropriate background checks, requiring employees, vendors and others with access to Personal Data to enter into written confidentiality agreements, and conducting training to make employees and others with access to the Personal Data aware of information security risks presented by the Processing. At the request of the Data Controller, the Data Processor shall demonstrate the measures it has taken pursuant to this Article 4 and shall allow the Data Controller to audit and test such measures. Unless otherwise required by a Supervisory Authority of competent jurisdiction, the Data Controller shall be entitled on giving at least 30 days’ notice to the Data Processor to carry out or have carried out by a third party who has entered into a confidentiality agreement with the Data Processor, audits of the Data Processor´s premises and operations as these relate to the Personal Data.
4.3 The Data Processor shall provide the Data Controller with access to any personal data processed on its behalf with access and access will be limited to customer’s personal data only.
4.4 The Data Processor’s adherence to an approved certification mechanism recognised under Applicable Data Protection Law may be used as an element by which the Data Processor may demonstrate compliance with the requirements set out in Article 4.1, provided that the requirements contained in Annex 3 are also addressed by such code of conduct or certification mechanism.
5.1 The Parties acknowledge that security requirements are constantly changing and that effective security requires frequent evaluation and regular improvements of outdated security measures. The Data Processor will therefore evaluate the measures as implemented in accordance with Article 4 on an on-going basis in order to maintain compliance with the requirements set out in Article 4. The Parties will negotiate in good faith the cost, if any, to implement material changes required by specific updated security requirements set forth in Applicable Data Protection Law or by data protection authorities of competent jurisdiction.
5.2 Where an amendment to the Service Agreement is necessary in order to execute a Data Controller instruction to the Data Processor to improve security measures as may be required by changes in Applicable Data Protection Law from time to time, the Parties shall negotiate an amendment to the Service Agreement in good faith.
6.1 The Data Processor shall promptly notify the Data Controller of any planned permanent or temporary transfers of Personal Data to a third country, including a country outside of the European Economic Area without an adequate level of protection, and shall only perform such a transfer after obtaining authorisation from the Data Controller, which may be refused at its own discretion. Annex 4 provides a list of transfers for which the Data Controller grants its authorisation upon the conclusion of this Data Processing Agreement. Data Processor represents and warrants that it has entered into a written agreement with each Sub-Processor’s mentioned in Annex 4. These agreements impose data protection obligations on the Sub-Processor that are no less protective than those established by the Data Protection Laws in the United Kingdom.
6.2 To the extent that the Data Controller or the Data Processor are relying on a specific statutory mechanism to normalise international data transfers and that mechanism is subsequently modified, revoked, or held in a court of competent jurisdiction to be invalid, the Data Controller and the Data Processor agree to cooperate in good faith to promptly suspend the transfer or to pursue a suitable alternate mechanism that can lawfully support the transfer.
7.1 When the Data Processor becomes aware of an incident that has a material impact on the Processing of the Personal Data that is the subject of the Services Agreement and if required by the Applicable Data Protection Law, Data Processor shall promptly notify the Data Controller about the incident, shall at all times cooperate with the Data Controller, and shall follow the Data Controller’s instructions with regard to such incidents in order to enable the Data Controller to perform a thorough investigation into the incident, to formulate a correct response, and to take suitable further steps in respect of the incident.
7.2 The term “incident” used in Article 7.1 shall be understood to mean in any case:
7.3 The Data Processor shall at all times have in place written procedures which enable it to promptly respond to the Data Controller about an incident. Where the incident is reasonably likely to require a data breach notification by the Data Controller under Applicable Data Protection Law, the Data Processor shall implement its written procedures in such a way that it is in a position to notify the Data Controller without undue delay after the Data Processor becomes aware of such an incident.
7.4 Any notifications made to the Data Controller pursuant to this Article 7 shall be addressed to the employee of the Data Controller whose contact details are provided in Annex 1, as updated periodically, of this Data Processing Agreement and, in order to assist the Data Controller in fulfilling its obligations under Applicable Data Protection Law, should contain:
8.1 The Data Controller hereby grant a general authorization to Data Processor to (a) appoint other the affiliates of Data Processor (“Group Companies”) as Sub-Processors, and (b) appoint any other third party as Sub-Processors to support the performance of the Services.
8.2 The list of all Sub-Processors including the Group Companies are listed in Annex 4 as updated periodically. The Data Controller authorises the Data Processor to engage the Sub Processors listed in Annex 4 as updated periodically. Data Processor shall provide notice to the Data Controller of any addition or replacement of such Sub-Processor giving the Data Controller an opportunity to object to such changes. If Data Controller has a reasonable objection to any new or replacement Sub-Processor, Data Controller shall notify Data Processor of such objections in writing within ten (10) days from change in the list and the Parties will seek to resolve the matter in good faith. If Data Controller does not provide a timely objection to any new or replacement Sub-Processor in accordance with this section, the Data Controller will be deemed to have consented to the Sub-Processor and waived its right to object. Data Processor shall take all commercially reasonable steps to ensure that it has in place a written contract with that Sub-Processor applying essentially the same data protection terms as are set out in this DPA.
9.1 The Data Processor shall assist the Data Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Data Controller’s obligation to respond to requests for exercising the data subject’s rights under the Applicable Data Protection Law.
9.2 Taking into account the nature of processing and the information available to the Data Processor, the Data Processor shall assist the Data Controller in ensuring compliance with obligations pursuant to Section 4 (Security), as well as other Data Controller obligations under Applicable Data Protection Law that are relevant to the Data Processing described in Annex 2, including notifications to a supervisory authority or to Data Subjects, the process of undertaking a Data Protection Impact Assessment, and with prior consultations with supervisory authorities.
9.3 The Data Processor shall make available to the Data Controller all information necessary to demonstrate compliance with the Data Processor’s obligations and allow for and contribute to audits, including inspections, conducted by the Data Controller or another auditor mandated by the Data Controller.
10.1 The Data Processor indemnifies the Data Controller and holds the Data Controller harmless against all claims, actions, third party claims, losses, damages and expenses incurred by the Data Controller arising out of a breach of this Data Processing Agreement and/or the Applicable Data Protection Law by the Data Processor. The Data Controller indemnifies the Data Processor and holds the Data Processor harmless against all claims, actions, third party claims, losses, damages and expenses incurred by the Data Processor arising out of a breach of this Data Processing Agreement and/or the EU Data Law by the Data Controller.
11.1 This Data Processing Agreement shall come into effect on the effective date of the Service Agreement.
11.2 Termination or expiration of this Data Processing Agreement shall not discharge the Data Processor from its confidentiality obligations pursuant to Article 3.
11.3 The Data Processor shall process Personal Data until the date of expiration or termination of the Service Agreement, unless instructed otherwise by the Data Controller, or until such data is returned or destroyed on instruction of the Data Controller.
11.4 Following termination of the Agreement between Data Controller and Data Processor, Data Processor will retain the Personal Data forming part of the Services for one hundred twenty (120) days from such date of termination (“Data Retention Period”). Upon the expiration of the Data Retention Period, Data Processor will no longer have an obligation to maintain or provide any access to the Personal Data provided by the Data Controller. Thereafter, unless required for compliance with applicable laws and regulations, or as necessary by the Data Processor to protect, defend or establish Data Processor’s rights, or defend against potential claims, Data Processor reserves the right to destroy all Personal Data in Data Processor’s possession. Notwithstanding the Data Retention Period, upon the written request following the termination of the Agreement and the DPA, Data Processor will take all commercially and technically reasonable steps to destroy all Personal Data.
12.1 In the event of any inconsistency between the provisions of this Data Processing Agreement and the provisions of the Service Agreement, the provisions of this Data Processing Agreement shall prevail.
12.2 This Data Processing Agreement is governed by the laws of the United Kingdom. Any disputes arising from or in connection with this Data Processing Agreement shall be brought exclusively before the competent court of England.
Contact information of the data protection office for the data processor. Email: firstname.lastname@example.org
Types of Personal Data that will be processed in the scope of the Services Agreement shall include but not be limited to:
Data Processor shall:
Transfers to countries outside the European Economic Area without a suitable level of protection for which the Data Controller has granted its authorisation.
I. Group Companies:
The following are Group Companies as defined in the DPA.
These entities function as sub-processors as well with one or more entities providing support and maintenance.
|Good Methods UK Limited
|Good Methods Software Solutions Private Limited
II. Good Methods Global Inc, along with its Group Companies, employs the use of sub-processors to aid in the provision of Services, as outlined in the Terms of Service. These sub-processors are third-party entities and include, but not be limited to:
|PURPOSE/NATURE OF PROCESSING
|Adyen is a payment company with the status of an acquiring bank that allows businesses to accept e-commerce, mobile, and point-of-sale payments.
|EU, the US, India, Singapore and Australia.
|JIRA ticketing tool.
|JIRA is a software development tool used by CareStack team.
|US & INDIA
|Cloud hosting service.
|CareStack web applications and database are hosted on AWS.
|US & UK
|Subscription management platform
|Chargebee empowers subscription businesses to streamline billing, drive growth, and deliver a seamless customer experience.
|5. GOOGLE CLOUD
|For CS Conversations IQ
|Code Execution Monitoring
|For CS Conversations IQ
|7. MICROSOFT AZURE
|Cloud hosting service.
|CareStack web applications and database are hosted on Microsoft Azure.
|US & UK
|Email service provider.
|SendGrid provides cloud-based services
|Application performance monitoring
|For CS Conversations IQ
|Stripe provides CareStack with a payment gateway and API’s for payment processing.
|Web call service provider.
|Twillio provides CareStack with communication services such as making and receiving phone calls, sending and receiving text messages, and performing other communication functions using web service API’s
|Product analytics and Product information.
|Whatfix is a software that helps customer learn new applications easily, right within the application itself.
|Incident management platform.
|Proactively alerts and swiftly mobilizes teams during critical situations, guaranteeing rapid incident resolution and minimizing potential downtime.
|Ticketing tool for support team.
|Streams customer support for smooth interactions, organizes tickets, and empowers agents to resolve issues quickly.