By using any of the AgilityHealth® software (the “Software”, as defined below) made available via the AgilityHealth® portal (the “Portal”), you agree to the following terms and conditions of this AgilityHealth® Terms and Licensing Agreement (“Agreement”). If you do not agree, you are not to copy, install, or otherwise use the Software and you are not to log into, use, or otherwise access the Portal.

Agile Transformation, Inc. d/b/a AgilityHealth (“AH”) reserves the right, at its discretion, to update or revise this Agreement. The amended version will be effective at the time AH posts or presents it. AH may provide you with notice of substantial changes to the Agreement when you log into (or try to log into) the Portal. Your continued use of the Portal and/or Software following the posting of any changes to this Agreement constitutes your acceptance of those changes. No revision or update will apply to a dispute of which AH had actual notice on the date AH posts or presents the amended version.

The “Effective Date” of this Agreement is the date of (a) your initial access to or use of the Software or (b) the effective date of the first order referencing this Agreement, whichever is earlier.  All Software and the Portal are owned and licensed by AH. This Agreement grants a limited, non-exclusive, no-cost license to registered users of the Portal (“Registered User”) to use the Software made available via the Portal.

In consideration of the mutual promises and benefits set forth herein, you, as a Registered User, agree as follows:

Designation of Software Being Accessed.

  1. The terms set herein govern Registered User’s use and access to the AgilityHealth® software, which includes the AgilityHealth® Radar Assessment. This software system and all related electronic or printed documentation (including but not limited to: PDFs, videos, content, scoring models, radar design and dimensions, processes, systems, and methods of operation; survey questions, cheat sheets, handouts, guides, research and statistics, reference materials, visual aids, instructor notes, documentation, inventions, discoveries, and know-how; and all related copies, translations, compilations, and modifications of the foregoing) shall be referred to hereinafter as the “Software”.
  2. AH will provide the Software in accordance with the terms of this Agreement, including any exhibits attached hereto.
  3. Registered User’s authorized employees (and Registered User’s authorized agents and contractors, if applicable) shall access the Software via AH’s Web-based delivery platform. The Software will not be installed on Registered User’s computer server equipment at Registered User’s site, but rather will reside on computer equipment at a location of AH’s choosing. It is required that Registered User desktops support the following platforms and configurations, which will evolve as third-party platforms have additional releases and discontinue support for prior releases.

    Preferred Browsers and OS

    • Google Chrome – Most recent version

    Supported Browsers and OS

    • Microsoft Internet Explorer – Most recent version
    • Microsoft Windows 7 or later

    Recommended IE Settings
    Configure these AH domains as Trusted Sites:

    • *.agiletransformation.com
    • *.agilityhealthradar.com

    AH reserves the right to discontinue the delivery, support and maintenance of such prior releases upon reasonable advance notice to Registered User.  In such event, AH will provide a migration plan, and take reasonable precautions to minimize the impact of such migration on Registered User.  Registered User understands that such migration may require additional cost and/or upgrades to Registered User’s hardware, software or users’ skill, which are the responsibility of Registered User.

  4. AH will automatically charge Registered User annually and on each periodic renewal until cancellation. Registered User is responsible for all applicable taxes, and AH will charge tax when required to do so. Registered User’s payments are non-refundable unless required by law (e.g., registered users living in the European Union have the right to cancel their paid subscription within fourteen (14) days of signing up for or renewing their account for the Software). Registered User will provide AH with a valid credit card or completed electronic funds transfer (EFT) form for payment and Registered User hereby authorizes AH to charge such annual fees to such card or EFT transfer. AH may change the fees in effect but will give Registered User advance notice of these changes via a message to the email address associated with Registered User’s account.

Grant of Rights to Access and Conditions of Use.

  1. AgilityHealth® Radar Assessment:
    1. The AgilityHealth® Radar Assessment is intended to be delivered as a facilitated retrospective session guided by a certified AgilityHealth Facilitator (“AHF”) or AgilityHealth Coach (“AHC”) following the format of delivery advised by AH. Registered User acknowledges and agrees that this specific assessment should only be delivered by an individual who has passed either certification; AH is not responsible for selecting, providing, or otherwise identifying any such certified individual.
    2. For the term of this Agreement, AH hereby grants to each Named User (as hereinafter defined) a personal right to gain access to the AgilityHealth® Radar Assessment including all tools, improvements, third party applications, or general updates to the Software as and when made available by AH in the ordinary course of its business. A “Named User” is defined as an individual employee or authorized independent contractor of Registered User who has been requested to use the Software by Registered User (and subsequently issued a User ID), regardless of whether the individual is actively using the Software at any given time. Each Named User will treat its User ID/password as confidential and will maintain reasonable and appropriate security precautions for the protection of the same to prevent disclosure to any other party (whether employees of Registered User or third parties).  Registered User is responsible and will be liable for assuring full compliance with this Agreement by its employees and any authorized third parties who use and access the Software as permitted hereunder.
    3. Registered User’s Named User(s) are authorized to use the Software internally within Registered User and in accordance with the scope of this Agreement, and Registered User may not use (or permit any third parties to use) the Software with any other third party without AH’s prior written consent. For example, if Registered User nominates and pays for a non-employee, independent contractor to become certified to deliver the AgilityHealth® Radar Assessments under Registered User’s license, that non-employee, independent contractor may not use the Software with any other third party they may be working with.
  2. AH hereby grants to Registered User a limited, revocable, nonexclusive, nontransferable, non-sublicensable right and license to access, use, execute and display the Software on its internal computer screens and to generate outputs from the Software as designed and intended per descriptions in the Software’s relevant documentation. Where applicable, potential or actual agents and contractors for Registered User may also access and use the Software provided they do so solely for Registered User’s benefit and internal business purposes, as defined in Section 4.B. below.
  3. AH will not be liable or held at fault for any performance or operational problems resulting from Registered User’s or Registered User’s employees’ or contractors’ non-conformance to the published guidelines and technical specifications necessary for access to the Software. Also, AH shall not be liable or held to be in default of performance or operational obligations due to any technical or design problem within the Registered User’s electronic network that compromises its employees’ access to the Software or cloud servers.
  4. Registered User’s use of the Software shall be limited to Registered User’s regular internal business matters. Neither the Software, nor the hard-copy outputs generated from Registered User’s use of the Software (including use by Registered User’s employees and Registered User’s contractors), may be used by or disclosed to any parties outside the parties to this Agreement without AH’s prior written consent, except as may be required in connection with inquiries by government or regulatory authorities, and shall always contain AH’s copyright notice.  In the event that Registered User receives any request or demand to produce or disclose any portion of the Software or outputs from the Software for any reason, to any party, including any attorney, court or government or regulatory authority, Registered User shall first promptly contact AH in order to provide AH notice of such request or demand so that AH may pursue its rights to object to, limit or prevent such disclosure.
  5. Registered User and its employees must take appropriate measures to adequately protect AH’s proprietary materials to prevent unauthorized parties to have access to AH’s proprietary materials. Registered User must notify its contractors in writing that access to AH’s Software does not grant them any ownership interest or license to AH’s proprietary materials.  In addition, Registered User shall require that any such contractors allowed access to the Software for the specific purposes authorized by AH in writing, shall implement and maintain practices and policies sufficient to preserve the confidentiality of all AH’s proprietary materials covered under this Agreement, and Registered User shall be responsible for any breach of confidentiality, misappropriation, and/or infringement with respect to AH’s proprietary materials.  Registered User shall not transfer or sublicense the Software to any third party, in whole or in part, in any form, whether modified or unmodified.
  6. Registered User may not transfer or sublicense the Software to any third party, in whole or in part, in any form, whether modified or unmodified, except as set forth in Section 2.A. of this Agreement.
  7. This Agreement does not create a partnership or joint venture between the parties, and does not make either party the employee, agent or legal representative of the other for any purpose whatsoever. Neither party is granted any right or authority to assume or create any obligation or responsibility, express or implied, on behalf of or in the name of the other party.

AgilityHealth® Assessment Data and Results.

  1. AH shall deliver to Registered User participant data generated from Registered User’s authorized use of the Software. Notwithstanding the foregoing, AH reserves the right to use the foregoing information and the content of any usage statistics, results, and reports generated from Registered User’s use of the Software in aggregated form for the purposes of statistical norming and research and development. AH also reserves the right to edit verbatims and recorded interviews (if and when applicable) to remove content that might identify a respondent or their organization.
  2. AH shall protect the participant data with periodic backups for a period of up to two (2) years (or less per Registered User’s written request). During or at completion of such period, Registered User may request from AH an archive copy of participant data in an appropriate format and on an appropriate media for a reasonable fee based on time and materials.
  3. Certain services that AH provides require that AH protect the anonymity of the participants in order to protect the integrity and value of the services and to protect the individual participants. In these limited circumstances, notwithstanding the terms of Section 3.A. above, Registered User will not own or have access to the line item responses provided at the participant level.  AH will inform Registered User of which Services the foregoing applies as needed.
  4. For compliance with the EU General Data Protection Regulation (the “GDPR”), the parties shall comply with the provisions of Addendum A as attached to this Agreement.

Protection of Software Being Accessed.

  1. The Software is the exclusive property or licensed intellectual property of AH, and AH (on behalf of itself and its licensors) retains all rights to the application, manufacture, development, use, display, reproduction, modification and transfer of the Software and all rights to all worldwide patents and copyrights for the Software, including any derivative works thereof. Registered User recognizes that AH regards the Software as its proprietary materials and as confidential trade secrets of significant value.
  2. Registered User further agrees to treat the Software with at least the same degree of care with which Registered User treats its own Confidential Information (as defined below), and in no event with less care than is reasonably required to protect the confidentiality of the Software. Registered User shall at all times exercise all due and diligent precautions to protect the integrity of AH’s Confidential Information.  Registered User’s limited, restricted use license to the Software does not include the right to disclose AH’s intellectual property to third parties without AH’s consent, which may be conditioned upon: (a) execution of a third party access agreement detailing the proposed scope of access/use, and any on-line access or software tools (“Access Tools”); (b) retention of all proprietary/confidential markings; and/or (c) payment of fees, which may include access license fees; Access Tool fees; and/or AH fees for administration, maintenance of third party IDs, monitoring, and, the scoping of on-line access/software access projects.
  3. Notwithstanding the foregoing, Registered User may permit its Independent Contractors (as defined below) to access the Software solely for Registered User’s Internal Business Purposes. To the extent Registered User requests an Independent Contractor be a Named User, (a) Registered User must require that Independent Contractor abide by the terms of this Agreement; (b) Registered User bears responsibility and liability for any and all breach of the terms of this Agreement by the conduct of Independent Contractor; and (c) Registered User will indemnify, defend, and hold AH harmless from any and all third party claims, losses, suits, damages, costs and expenses, including, without limitation, reasonable attorneys’ fees and court costs, or liabilities arising from or related to Independent Contractor’s access, use, disclosure or resale of the Software that violates the terms of this Agreement. “Independent Contractor” means a person under contract with Registered User to perform services for Registered User, whether the person is an individual, corporation, partnership, joint venture, limited liability company, governmental body or agency, unincorporated organization, trust, association, or other entity. “Internal Business Purpose” means access and use to improve organization and performance of Registered User’s product and/or process development for generating Registered User sales and maximizing associated revenues.
  4. Registered User shall promptly notify AH in writing of any unauthorized use, infringement, misappropriation, dilution or other violation of AH’s proprietary materials provided to Registered User of which it becomes aware.
  5. Registered User acknowledges and understands that in the event of any breach of this Section 4, AH shall be entitled to specific performance and injunctive relief as remedies for any such breach. Such remedies shall not be deemed to be the exclusive remedies for a breach of this Section of the Agreement, but shall be in addition to all other remedies available to AH at law or in equity. If AH brings an action to enforce any provision of this Agreement, AH, if the prevailing party, shall be entitled to reasonable attorneys’ fees and court costs.
  6. ANY WARRANTIES ARISING IN THE COURSE OF DEALING, USAGE OR TRADE PRACTICE ARE EXCLUDED AND EXCEPT AS OTHERWISE PROVIDED IN THE TERMS OF THIS AGREEMENT, AH DISCLAIMS ALL OTHER WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, INCLUDING, BUT NOT LIMITED TO, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, NONINFRINGEMENT OR FITNESS FOR A PARTICULAR PURPOSE. REGISTERED USER IS RESPONSIBLE FOR REGISTERED USER’S SELECTION AND USE OF THE SOFTWARE AND SERVICES PROVIDED BY AH.
  7. Except as expressly authorized herein, Registered User and its agents, employees or consultants shall not:  (i) copy the Software, or any content contained in the Software, in whole or in part – this specifically prohibits Registered User from copying the Software, including any text of content contained therein such as competencies, assessment questions, radar design, dimensions and categories, or videos – into any other system, format, media or software product, without AH’s prior written consent; (ii) reverse compile, reverse assemble, or access with intent to “hack” all or any portion of the Software; (iii) distribute, market, rent, lease, sublicense, provide access to, or transfer the Software to third parties; (iv) modify the Software except as otherwise provided in this Agreement; or (v) remove or alter any trademark, logo, copyright or other proprietary notices, legends, symbols or labels in or on the Software.  No license, right, or interest in any of AH’s trademarks, trade names, or service marks is granted hereunder.  The provisions set forth in this Section 5 shall survive termination or expiration of this Agreement.

Limitation of Remedy.

If the Software is found to be defective, AH’s obligation is expressly limited to the repair or replacement of such defective Software, or to a refund of an equitable portion of related fees, up to and including a full refund of the access fee for the Software, at AH’s discretion.

IT IS UNDERSTOOD AND AGREED THAT AH’S LIABILITY, WHETHER IN CONTRACT OR TORT, UNDER ANY WARRANTY, IN NEGLIGENCE, STRICT LIABILITY, OR OTHERWISE, SHALL NOT EXCEED: THE FEES PAID BY REGISTERED USER FOR THE AFFECTED SOFTWARE GIVING RISE TO SUCH LIABILITY IN THE TWELVE (12) MONTH PERIOD IMMEDIATELY PRECEDING THE DATE IN WHICH THE CLAIM ARISES.  FURTHER, IN NO EVENT SHALL AGILE TRANSFORMATION, INC. BE LIABLE FOR SPECIAL, INDIRECT, INCIDENTAL, PUNITIVE, EXEMPLARY, OR CONSEQUENTIAL DAMAGES, INCLUDING, BUT NOT LIMITED TO, LOST DATA OR LOST PROFITS.

Confidential Information.

Confidential Information” means any non-public information of the parties hereto relating to its business activities, operations, financial affairs, technology, marketing or sales plans that is disclosed to, and received by, the other party pursuant to this Agreement.  Confidential Information includes, but is not limited to, the terms and pricing of this Agreement and AH’s Software.  Neither party will, without the prior written consent of the other party, use or disclose the Confidential Information of the other party during the Term of this Agreement and for three (3) years following its expiration or termination, or, in the case of a party’s trade secrets (including applicable AH Software), a party’s confidentiality obligations will continue for as long as the applicable information is deemed a trade secret or otherwise protected under applicable law.  Notwithstanding the foregoing, AH may disclose Confidential Information to subcontractors on a need-to-know basis who have agreed to be bound by non-disclosure provisions at least as stringent as those contained in this Agreement.  Confidential Information will not include information which: (i) is or becomes public knowledge through no breach of the Agreement by the receiving party, (ii) is received by recipient from a third party not under a duty of confidence, or (iii) is already known or is independently developed by the receiving party without use of the Confidential Information.

In addition to the Confidential Information provisions set forth in the Agreement, the following shall apply to the Software: the Software includes Confidential Information which are AH’s trade secrets, including the design, form and function of all information screens, input screens and output screens. Registered User shall utilize its best efforts to prevent disclosure of such information, at least to the extent that it protects its own Confidential Information.

Term.

The term of the Agreement, and the license granted hereunder, shall commence on the Effective Date and will continue for one (1) year (the “Initial Term”), unless terminated pursuant to Section 9 hereof and subject to Registered User’s proper performance of its obligations hereunder. At the conclusion of the Initial Term, the term of the Agreement will automatically renew for one (1) year periods (each a “Renewal Term”) unless written notice of non-renewal is provided by either party prior to the expiration of the then-current Term. AH will send Registered User a notice email reminding Registered User that its plan is about to renew within a reasonable period of time prior to the renewal date. The Initial Term and any Renewal Terms are collectively referred to as the “Term”.

Termination

AH may terminate this Agreement if Registered User is in default of any of the terms and conditions of this Agreement and fails to correct such default within thirty (30) days after written notice thereof from AH, and without refund of any amount paid to AH or release of any amounts due AH at the time of termination.

Registered User’s account will remain in effect until it is cancelled or terminated under this Agreement. If Registered User fails to pay for its account and access to the Software on time, AH reserves the right to suspend Registered User’s account.

Without limiting its rights to modify, upgrade or provide new releases of the Software, AH may decide to discontinue the Software, as a whole, in response to unforeseen circumstances beyond AH’s control or to comply with a legal requirement. If AH does so, AH will provide Registered User reasonable prior notice. If AH discontinues the Software in this way before the end of any fixed or minimum term paid for by Registered User, AH will refund the portion of the fees Registered User pre-paid but has not received for the remainder of such term.

Termination Certificate

In the event of termination, Registered User will immediately discontinue use of the Software.  Within fifteen (15) days after termination of this Agreement, Registered User will furnish to AH a certificate certifying any and all proprietary materials belonging to AH provided to Registered User’s employees and/or contractors, as authorized pursuant to this Agreement, have been returned to AH or destroyed.

Publicity

Registered User shall not use the name of AH in any news release, public announcement, advertisement, sales promotion material or other form of publicity without the prior written consent of AH. Notwithstanding the foregoing, AH may use Registered User’s name in AH’s client lists, sales materials (including AH’s website(s) and social media accounts (e.g., LinkedIn)), and conferences or similar presentations as a reference to AH’s prospective clients or as a relevant representative client that receives (or has received) AH’s products and/or services.

Notices

All notices in connection with this Agreement shall be in writing. AH will provide notice via email or through Registered User’s account. Registered User agrees that any such electronic communication will satisfy any applicable legal communication requirements, including that such communications be in writing. AH’s notices will be deemed given upon the first business day after it is sent. Notices to AH will be by post to Agile Transformation, Inc. d/b/a Agility Health, 11919 Grant Street, Suite #200, Omaha, NE 68164, Attn: Customer Success Manager. Any notices to AH will be deemed given upon AH’s receipt thereof.

Successors

This Agreement will be binding upon and will inure to the benefit of the parties hereto and their respective representatives, successors and assigns except as otherwise provided herein.

Severability

In the event any provision of this Agreement is determined to be invalid or unenforceable, the remainder of this Agreement shall remain in force as if such provision were not a part.

Governing Law/Venue

This Agreement shall be governed and interpreted by the laws of the State of Nebraska, USA.  The appropriate venue and jurisdiction for the resolution of any disputes hereunder will be in Douglas County, Nebraska, USA.

Assignment

Neither party may assign this Agreement, or any of its rights under this Agreement, without the other party’s prior written consent; notwithstanding the foregoing, AH may assign this Agreement, upon written notice but without consent, to a successor-in-interest to substantially all of the business or in the event of internal business restructuring of AH.  Any assignment attempted in violation of this Agreement will be null and void.

Entire Agreement

This Agreement sets forth the entire understanding between the parties with respect to the subject matter hereof, and merges and supersedes all prior agreements, discussions and understandings, express or implied, concerning such matters.

Addendum A | Data Privacy and Security Addendum

This Data Privacy and Security Addendum (“Addendum”) is made a part of the attached Agreement. In the event of a conflict or inconsistency between the terms and conditions of the Agreement and this Addendum, the terms and conditions of this Addendum shall prevail except as otherwise specifically set forth in this Addendum. Capitalized terms used and not defined in this Addendum shall have the meanings given in the Agreement.

To the extent AH processes personal data of individuals within the European Union, European Economic Area and Switzerland (“EU”) in connection with its performance of the Agreement, “DP Law” shall be deemed to include: (i) EU Regulation 2016/679 (“GDPR”), (ii) the Swiss Data Protection Act (“DPA”), and any equivalent, replacement or similar legislation implemented in the United Kingdom after that date, whether in light of the United Kingdom’s withdrawal from the European Union or otherwise.

  1. Definitions. For purposes of this Addendum, the following terms have the meanings prescribed in this Section, irrespective of capitalization.
    1. Data Subject means a natural person that can be identified by any Personal Data.
    2. Registered User Data means any Personal Data or Pseudonymized Data.
    3. Personal Data means any information that (i) AH possesses or is able to access arising out of its performance under the Agreement; and (ii) can be used to directly or indirectly identify a natural person.
    4. Processing means any operation or set of operations that (i) arises out of AH’s performance under this Agreement; and (ii) is performed upon Personal Data.
    5. Pseudonymized Data means Personal Data which has been transformed into a form which is not attributable to a specific Data Subject without the use of additional information.
    6. Restricted Transfer means one of the following transfers, but only where such transfer would be prohibited by DP Law (or by the terms of data transfer agreements put in place to address the data transfer restrictions of DP Law) in the absence of the Standard Contractual Clauses to be established under Section 9 below:
      • a transfer of personal data from Registered User to AH; or
      • an onward transfer of personal data from AH to a processor on behalf of Registered User.
    7. Standard Contractual Clauses means the Clauses in Addendum B, as they may be amended from time to time in accordance with Section 12.
  2. Processing. Irrespective of AH’s role as a “controller,” AH shall process Registered User data only for the benefit of Registered User, and not for its own or a third party’s benefit. Notwithstanding the foregoing, AH may use pseudonymized data for its own benefit as permitted under the Agreement. AH shall keep any additional information which could be combined with any pseudonymized data to identify a data subject separate from all pseudonymized data, and implement technical and organizational measures designed to prevent such identification.
  3. Administration. AH shall implement and maintain appropriate technical and organizational measures (e.g., encryption of personal data, access control, logs, audits, instructions, trainings, ability to restore the availability and access to personal data in a timely manner, etc.) designed to reasonably safeguard all personal data against unintentional or illegal destruction or unintentional loss, modification, unauthorized disclosure, or unauthorized access in view of the risks associated with the processing and type of the data to be protected. At a minimum, these technical and organizational measures shall comply with the requirements set forth in Art. 32 GDPR and any applicable DP Law.
  4. Contractors. AH shall ensure that only authorized persons have access to, and otherwise process, Registered User Data, and that such persons have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality and shall comply with the provisions of this Addendum as applicable to them. This shall also apply to any affiliate, subcontractor, supplier and other party on the part of AH that are given access to or otherwise process personal data by or for AH. Upon request, AH shall disclose the names, address, contact details and function of any such parties. To the extent that such parties are processors for AH under GDPR with respect to personal data under DP Law, they shall be bound pursuant to Art. 28 GDPR or the equivalent provision of applicable DP Law. AH shall be responsible for such parties and any other persons on its part with access to Registered User Data as it is for itself under this Agreement or any DP Law. Any personal data shall be considered Confidential Information of Registered User under this Agreement.
  5. Registered User Disclosure; AH Return. Registered User shall ensure that it is permitted under DP Law to disclose Registered User Data to AH as per this Addendum, and that data subjects have been informed as to the processing of their personal data by Registered User in compliance with DP Law. AH shall at any time upon request return to Registered User any personal data processed by it, with or without (as per Registered User’s request) keeping a copy of it except as required by applicable law. Registered User shall supply all personal data to AH in a format compatible with Art. 20 GDPR.
  6. Data Subject Requests. The responsibility for, and the control over, handling data subject requests in connection with Registered User Data shall be with Registered User, unless a data subject request expressly indicates that it is to be handled by AH and not by Registered User. AH shall without delay forward to Registered User any such request. AH shall assist Registered User with Registered User’s technical and organizational measures required to fulfill such requests insofar as AH is required to do so under DP Law, taking into account the nature of AH’s processing and of the Registered User data.
  7. Infringement of GDPR. Each party shall inform the other party immediately if it has reason to believe that the processing of Registered User Data under or in connection with this Agreement infringes any DP Law or this Addendum or if it has reason to believe that it can no longer comply with this Addendum, including any request by a supervisory authority concerning Registered User Data or the processing of such Registered User Data (except where applicable law prohibits such information), if such information could be of relevance for the other party in its capacity as a data controller; the parties shall cooperate in responding to requests of supervisory authorities. AH shall not make any filing, notification or other registration with a public authority or other party that contains personal data or otherwise discloses the identity of Registered User without the express written approval of Registered User, unless prohibited by applicable law, in which case AH shall inform Registered User as soon thereafter as is reasonably possible.
  8. Notice. AH shall notify Registered User without undue delay after becoming aware of any actual security breach pertaining to personal data as required by DP Law and provide the information, as per Article 33 para. 3 GDPR and corresponding provisions of other applicable DP Law, available to AH regarding: (a) the nature of the personal data breach, including, if possible, the categories and the approximate number of affected data subjects and the categories and the approximate number of affected personal data records; (b) probable consequences of a personal data breach; and (c) measures which have been taken or are proposed to manage the personal data breach, including, if applicable, measures to limit its possible damage. This shall apply even if AH concludes that Registered User itself has no data breach notification obligation in the specific case. The reporting of a data breach to the authorities shall be undertaken by each party on its own, with prior consultation of the other party and subject to the foregoing paragraph; any notifications to the data subjects shall be done through, and by, Registered User.
  9. Access; Transfer. AH shall not permit any access to personal data from outside the European Economic Area, except with the written approval of Registered User or where such access occurs by Registered User or parties acting on behalf of Registered User. In light of the foregoing, the parties acknowledge and agree approval shall be granted for having Registered User data stored by Microsoft in its European Azure Cloud. To the extent that the transfer of personal data out of the European Union is required, the parties agree that such transfer shall be made in compliance with this Section 9.
    1. Subject to the other subsections of this Section 9, Registered User (as “data exporter”) and AH (as “data importer”) hereby enter into the Standard Contractual Clauses in respect of any Restricted Transfer from that Registered User to AH.
    2. The Standard Contractual Clauses shall come into effect under Section A only after all three of the following events have occurred:
      • the data exporter becomes a party to them;
      • the data importer becomes a party to them; and
      • the relevant Restricted Transfer commences.
    3. Section A shall not apply to a Restricted Transfer unless its effect, together with other reasonably practicable compliance steps (which, for the avoidance of doubt, do not include obtaining consents from data subjects), is to allow the relevant Restricted Transfer to take place without breach of applicable DP Law.
    4. If either party determines in its reasonable discretion that Restricted Transfers will no longer be required under this Agreement after the Standard Contractual Clauses have come into effect under Section 9.B., that party may deliver notice of its determination to the other party.
      • If the other party consents or does not respond to the notice of such determination within thirty (30) days after such notice was delivered, the Standard Contractual Clauses shall be deemed inactive under this Agreement.
      • If the other party objects to the first party’s determination, then the Standard Contractual Clauses shall remain in effect.
    5. If the Standard Contractual Clauses are inactive pursuant to Section 9.D.(i), they may be revived at a later date by any of the triggering events under Section 9.B.
    6. Any notice or objection made pursuant to Section 9.D. shall not affect either party’s rights under Section 12.
  10. Audit. AH shall make available to Registered User all information and access necessary to demonstrate and verify AH’s compliance with this Addendum and DP Law in processing Registered User personal data and allow for and contribute to audits, including inspections, conducted by the Registered User or another auditor mandated by Registered User to achieve the foregoing.
  11. Costs. Each party shall bear its own costs for implementing this Addendum, and compliance with DP Law, except that each party shall indemnify and hold the other party harmless against any liability, claims, losses, costs and expenses arising from the indemnifying party’s violations of this Addendum or any DP Law.
  12. Changes in DP Law.
    1. Either party may:
      • by at least thirty (30) days’ written notice to the other party, from time to time make any variations to the Standard Contractual Clauses (including any Standard Contractual Clauses entered into under Section 9), as they apply to Restricted Transfers which are subject to a particular DP Law, if such changes are required as a result of any change in or decision of a competent authority under the applicable DP Law, in order to allow those Restricted Transfers to be made (or continue to be made) without breach of that DP Law; and
      • propose any other variations to this Addendum which either party reasonably considers to be necessary to address the requirements of any DP Law.
    2. If either party gives notice under Section A.(i) or proposes other variations under Section 12.A.(ii), the other party shall not unreasonably withhold or delay its agreement to any variations to this Addendum reasonably designed to mitigate the risks identified in such notice.
    3. If either party gives notice under Section A.(ii), the parties shall promptly discuss the proposed variations and negotiate in good faith with a view to agreeing and implementing those or alternative variations designed to address the requirements identified in such party’s notice as soon as is reasonably practicable.
  13. Severability. Should any provision of this Addendum be determined by a court of competent jurisdiction to be invalid or unenforceable, then the remainder of this Addendum shall remain valid and in force. The invalid or unenforceable provision shall be either:
    1. amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible;
    2. construed in a manner as if the invalid or unenforceable part had never been contained therein.

Addendum B | Standard Contractual Clauses

Standard contractual clauses for the transfer of
personal data from the community to third countries
(controller to controller transfers)

Data transfer agreement

between:

Registered User hereinafter “data exporter”

and

Agile Transformation, Inc. d/b/a Agility Health

hereinafter “data importer”

each a “party”; together “the parties”.

Definitions

For the purposes of the clauses of and the Annexes to this Addendum B:

  • “personal data”, “special categories of data/sensitive data”, “process/processing”, “controller”, “processor”, “data subject” and “supervisory authority/authority” shall have the same meaning as in Directive 95/46/EC of 24 October 1995 (whereby “the authority” shall mean the competent data protection authority in the territory in which the data exporter is established);
  • “the data exporter” shall mean the controller who transfers the personal data;
  • “the data importer” shall mean the controller who agrees to receive from the data exporter personal data for further processing in accordance with the terms of these clauses and who is not subject to a third country’s system ensuring adequate protection;
  • “clauses” shall mean these contractual clauses, which are a free-standing document that does not incorporate commercial business terms established by the parties under separate commercial arrangements.
  • “Agreement” means the Agreement to which this Addendum B is attached.

The details of the transfer (as well as the personal data covered) are specified in Annex B, which forms an integral part of the clauses.

  1. Obligations of the data exporter

The data exporter warrants and undertakes that:

  • The personal data have been collected, processed and transferred in accordance with the laws applicable to the data exporter.
  • It has used reasonable efforts to determine that the data importer is able to satisfy its legal obligations under these clauses.
  • It will provide the data importer, when so requested, with copies of relevant data protection laws or references to them (where relevant, and not including legal advice) of the country in which the data exporter is established.
  • It will respond to enquiries from data subjects and the authority concerning processing of the personal data by the data importer, unless the parties have agreed that the data importer will so respond, in which case the data exporter will still respond to the extent reasonably possible and with the information reasonably available to it if the data importer is unwilling or unable to respond. Responses will be made within a reasonable time.
  • It will make available, upon request, a copy of the clauses to data subjects who are third party beneficiaries under clause III, unless the clauses contain confidential information, in which case it may remove such information. Where information is removed, the data exporter shall inform data subjects in writing of the reason for removal and of their right to draw the removal to the attention of the authority. However, the data exporter shall abide by a decision of the authority regarding access to the full text of the clauses by data subjects, as long as data subjects have agreed to respect the confidentiality of the confidential information removed. The data exporter shall also provide a copy of the clauses to the authority where required.
  1. Obligations of the data importer

The data importer warrants and undertakes that:

  • It will have in place appropriate technical and organizational measures to protect the personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, and which provide a level of security appropriate to the risk represented by the processing and the nature of the data to be protected.
  • It will have in place procedures so that any third party it authorizes to have access to the personal data, including processors, will respect and maintain the confidentiality and security of the personal data. Any person acting under the authority of the data importer, including a data processor, shall be obligated to process the personal data only on instructions from the data importer. This provision does not apply to persons authorized or required by law or regulation to have access to the personal data.
  • It has no reason to believe, at the time of entering into these clauses, in the existence of any local laws that would have a substantial adverse effect on the guarantees provided for under these clauses, and it will inform the data exporter (which will pass such notification on to the authority where required) if it becomes aware of any such laws.
  • It will process the personal data for purposes described in Annex B, and has the legal authority to give the warranties and fulfil the undertakings set out in these clauses.
  • It will identify to the data exporter a contact point within its organization authorized to respond to enquiries concerning processing of the personal data, and will cooperate in good faith with the data exporter, the data subject and the authority concerning all such enquiries within a reasonable time. In case of legal dissolution of the data exporter, or if the parties have so agreed, the data importer will assume responsibility for compliance with the provisions of clause I(e).
  • At the request of the data exporter, it will provide the data exporter with evidence of financial resources sufficient to fulfil its responsibilities under clause III (which may include insurance coverage).
  • Upon reasonable request of the data exporter, it will submit its data processing facilities, data files and documentation needed for processing to reviewing, auditing and/or certifying by the data exporter (or any independent or impartial inspection agents or auditors, selected by the data exporter and not reasonably objected to by the data importer) to ascertain compliance with the warranties and undertakings in these clauses, with reasonable notice and during regular business hours. The request will be subject to any necessary consent or approval from a regulatory or supervisory authority within the country of the data importer, which consent or approval the data importer will attempt to obtain in a timely fashion.
  • It will process the personal data, at its option, in accordance with:
    • the data protection laws of the country in which the data exporter is established, or
    • the relevant provisions[1] of any Commission decision pursuant to Article 25(6) of Directive 95/46/EC, where the data importer complies with the relevant provisions of such an authorization or decision and is based in a country to which such an authorization or decision pertains, but is not covered by such authorization or decision for the purposes of the transfer(s) of the personal data[2], or
    • the data processing principles set forth in Annex A.

Data importer to indicate which option it selects:                                               

Initials of data importer:                                                                                   

  • It will not disclose or transfer the personal data to a third party data controller located outside the European Economic Area (EEA) unless it notifies the data exporter about the transfer and
    • the third party data controller processes the personal data in accordance with a Commission decision finding that a third country provides adequate protection, or
    • the third party data controller becomes a signatory to these clauses or another data transfer agreement approved by a competent authority in the EU, or
    • data subjects have been given the opportunity to object, after having been informed of the purposes of the transfer, the categories of recipients and the fact that the countries to which data is exported may have different data protection standards, or
    • with regard to onward transfers of sensitive data, data subjects have given their unambiguous consent to the onward transfer.
  • Liability and third party rights
    • Each party shall be liable to the other parties for damages it causes by any breach of these clauses. Liability as between the parties is limited to actual damage suffered. Punitive damages (i.e. damages intended to punish a party for its outrageous conduct) are specifically excluded. Each party shall be liable to data subjects for damages it causes by any breach of third party rights under these clauses. This does not affect the liability of the data exporter under its data protection law.
    • The parties agree that a data subject shall have the right to enforce as a third party beneficiary this clause and clauses I(b), I(d), I(e), II(a), II(c), II(d), II(e), II(h), II(i), III(a), V, VI(d) and VII against the data importer or the data exporter, for their respective breach of their contractual obligations, with regard to his personal data, and accept jurisdiction for this purpose in the data exporter’s country of establishment. In cases involving allegations of breach by the data importer, the data subject must first request the data exporter to take appropriate action to enforce his rights against the data importer; if the data exporter does not take such action within a reasonable period (which under normal circumstances would be one month), the data subject may then enforce his rights against the data importer directly. A data subject is entitled to proceed directly against a data exporter that has failed to use reasonable efforts to determine that the data importer is able to satisfy its legal obligations under these clauses (the data exporter shall have the burden to prove that it took reasonable efforts).
  1. Law applicable to the clauses

These clauses shall be governed by the law of the country in which the data exporter is established, with the exception of the laws and regulations relating to processing of the personal data by the data importer under clause II(h), which shall apply only if so selected by the data importer under that clause.

  1. Resolution of disputes with data subjects or the authority
    • In the event of a dispute or claim brought by a data subject or the authority concerning the processing of the personal data against either or both of the parties, the parties will inform each other about any such disputes or claims, and will cooperate with a view to settling them amicably in a timely fashion.
    • The parties agree to respond to any generally available non-binding mediation procedure initiated by a data subject or by the authority. If they do participate in the proceedings, the parties may elect to do so remotely (such as by telephone or other electronic means). The parties also agree to consider participating in any other arbitration, mediation or other dispute resolution proceedings developed for data protection disputes.
    • Each party shall abide by a decision of a competent court of the data exporter’s country of establishment or of the authority which is final and against which no further appeal is possible.
  2. Termination
    • In the event that the data importer is in breach of its obligations under these clauses, then the data exporter may temporarily suspend the transfer of personal data to the data importer until the breach is repaired or the contract is terminated.
    • In the event that:
      • the transfer of personal data to the data importer has been temporarily suspended by the data exporter for longer than one month pursuant to paragraph (a);
      • compliance by the data importer with these clauses would put it in breach of its legal or regulatory obligations in the country of import;
      • the data importer is in substantial or persistent breach of any warranties or undertakings given by it under these clauses;
      • a final decision against which no further appeal is possible of a competent court of the data exporter’s country of establishment or of the authority rules that there has been a breach of the clauses by the data importer or the data exporter; or
      • a petition is presented for the administration or winding up of the data importer, whether in its personal or business capacity, which petition is not dismissed within the applicable period for such dismissal under applicable law; a winding up order is made; a receiver is appointed over any of its assets; a trustee in bankruptcy is appointed, if the data importer is an individual; a company voluntary arrangement is commenced by it; or any equivalent event in any jurisdiction occurs

then the data exporter, without prejudice to any other rights which it may have against the data importer, shall be entitled to terminate these clauses, in which case the authority shall be informed where required. In cases covered by (i), (ii), or (iv) above the data importer may also terminate these clauses.

  • Either party may terminate these clauses if (i) any Commission positive adequacy decision under Article 25(6) of Directive 95/46/EC (or any superseding text) is issued in relation to the country (or a sector thereof) to which the data is transferred and processed by the data importer, or (ii) Directive 95/46/EC (or any superseding text) becomes directly applicable in such country.
  • The parties agree that the termination of these clauses at any time, in any circumstances and for whatever reason (except for termination under clause VI(c)) does not exempt them from the obligations and/or conditions under the clauses as regards the processing of the personal data transferred.
  • Variation of these clauses

The parties may not modify these clauses except to update any information in Annex B, in which case they will inform the authority where required. This does not preclude the parties from adding additional commercial clauses where required.

  • Description of the Transfer

The details of the transfer and of the personal data are specified in Annex B. The parties agree that Annex B may contain confidential business information which they will not disclose to third parties, except as required by law or in response to a competent regulatory or government agency, or as required under clause I(e). The parties may execute additional annexes to cover additional transfers, which will be submitted to the authority where required. Annex B may, in the alternative, be drafted to cover multiple transfers.

ANNEX A to ADDENDUM B

DATA PROCESSING PRINCIPLES

  1. Purpose limitation: Personal data may be processed and subsequently used or further communicated only for purposes described in Annex B or subsequently authorized by the data subject.
  2. Data quality and proportionality: Personal data must be accurate and, where necessary, kept up to date. The personal data must be adequate, relevant and not excessive in relation to the purposes for which they are transferred and further processed.
  3. Transparency: Data subjects must be provided with information necessary to ensure fair processing (such as information about the purposes of processing and about the transfer), unless such information has already been given by the data exporter.
  4. Security and confidentiality: Technical and organizational security measures must be taken by the data controller that are appropriate to the risks, such as against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, presented by the processing. Any person acting under the authority of the data controller, including a processor, must not process the data except on instructions from the data controller.
  5. Rights of access, rectification, deletion and objection: As provided in Article 12 of Directive 95/46/EC, data subjects must, whether directly or via a third party, be provided with the personal information about them that an organization holds, except for requests which are manifestly abusive, based on unreasonable intervals or their number or repetitive or systematic nature, or for which access need not be granted under the law of the country of the data exporter. Provided that the authority has given its prior approval, access need also not be granted when doing so would be likely to seriously harm the interests of the data importer or other organizations dealing with the data importer and such interests are not overridden by the interests for fundamental rights and freedoms of the data subject. The sources of the personal data need not be identified when this is not possible by reasonable efforts, or where the rights of persons other than the individual would be violated. Data subjects must be able to have the personal information about them rectified, amended, or deleted where it is inaccurate or processed against these principles. If there are compelling grounds to doubt the legitimacy of the request, the organization may require further justifications before proceeding to rectification, amendment or deletion. Notification of any rectification, amendment or deletion to third parties to whom the data have been disclosed need not be made when this involves a disproportionate effort. A data subject must also be able to object to the processing of the personal data relating to him if there are compelling legitimate grounds relating to his particular situation. The burden of proof for any refusal rests on the data importer, and the data subject may always challenge a refusal before the authority.
  6. Sensitive data: The data importer shall take such additional measures (e.g. relating to security) as are necessary to protect such sensitive data in accordance with its obligations under clause II.
  7. Data used for marketing purposes: Where data are processed for the purposes of direct marketing, effective procedures should exist allowing the data subject at any time to “opt-out” from having his data used for such purposes.
  8. Automated decisions: For purposes hereof “automated decision” shall mean a decision by the data exporter or the data importer which produces legal effects concerning a data subject or significantly affects a data subject and which is based solely on automated processing of personal data intended to evaluate certain personal aspects relating to him, such as his performance at work, creditworthiness, reliability, conduct, etc. The data importer shall not make any automated decisions concerning data subjects, except when:

(a)

(i)  such decisions are made by the data importer in entering into or performing a contract with the data subject, and

(ii) the data subject is given an opportunity to discuss the results of a relevant automated decision with a representative of the parties making such decision or otherwise to make representations to that parties;

or

(b) where otherwise provided by the law of the data exporter.

[1] “Relevant provisions” means those provisions of any authorization or decision except for the enforcement provisions of any authorization or decision (which shall be governed by these clauses).

[2] However, the provisions of Annex A.5 concerning rights of access, rectification, deletion and objection must be applied when this option is chosen and take precedence over any comparable provisions of the Commission decision selected.

Effective Date: 8/19/14 Last Updated: 4/23/2020