Data Processing Addendum
This Data Processing Agreement Addendum (“DPA”) supplements the XPS Health Terms of Service, as updated from time to time between Customer (the “Controller”) and XPS Health (the “Processor”, or other agreement between Customer and XPS Health governing Customer’s use of the Services. In case of a conflict between the terms of this DPA and the XPS Health Terms of Service, this DPA will take precedence.
The Controller and the Processor shall collectively be referred to as the “Parties”.
1. Introduction
On the basis of the Processor’s Terms of Service (https://xpshealth.com/termsofservice) (“Terms”), the Parties have entered into an agreement where the Processor undertakes to provide the Controller services, as defined in the Terms (the “Services”).
In relation to the Services the Processor may process information and data, which can be considered Personal Data, as defined in section 2, based on Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and the free movement of such data (“GDPR”) or other applicable data protection legislation (collectively referred to as “Data Protection Legislation”), on behalf of the Controller.
Where the Processor processes such data on behalf of the Customer, the Processor is considered a data processor according to Data Protection Legislation and the Controller a data controller.
The purpose of this Data Processing Agreement (“Processing Agreement”) is to regulate the Parties’ rights and obligations in relation to such processing and to ensure the secure processing of the data.
The Processor takes the matters of protection and security of Personal Data seriously and will process such data in accordance with the Data Protection Legislation and this Processing Agreement.
2. Scope of Processing
2.1 General
The Processor, its Sub-processors, and other persons acting under the authority of the Processor who has access to the Personal Data shall process the Personal Data only on behalf of the Controller and in compliance with the Agreement and the Controller's documented instructions, and in accordance with the Processing Agreement, unless otherwise stipulated in applicable statutory laws.
The Processor shall immediately inform the Controller if, in the Processor's opinion, an instruction infringes the Data Protection Legislation.
"Personal Data" means any information relating to an identified or identifiable natural person (the "Data Subject").
2.2 The nature of the processing
The Processor stores the data that the Controller puts into the Services.
The Processor facilitates the analysis of aforementioned data by the Controller.
The Processor stores data that enters through XPS Health API from Sideline Sports XPS Network about the Controller’s athletes, trainers and teams and in some cases athlete replies to forms.
The Processor sends data to the Controller’s Sideline Sports XPS Network account about the availability (ready, modified, not ready) and status (injured/ill/good) of each athlete and when the estimated date of return is.
When initiated by the user, the Processor sends data to the Controller’s Sideline Sports XPS Network about messages that the users wish to deliver to trainers and athletes there.
2.3 The purpose of the processing
The purpose of the processing, including operations and basic processing activities, is to provide the Services as further described in the terms of services.
2.4 Categories of Personal Data and Data Subjects
The processing involves processing of Personal Data related to Controller's trainers, teams, co-trainers, athletes, depending on the Controller's use of the Services.
The Services are meant to be used for people 16 years of age and older. If the Controller registers personal data for younger people, the Controller must have a custodian consent to do so.
The Processing relates to the following categories of Personal Data, subject to the Controller's concrete use of the Services:
• Basic Personal Data (such as name, age, profile picture), contact details (such as email, phone number etc).
• Injury data such as ICD-10 code, how it happened, description, pain level, plans and any attachments.
• Illness data such as ICD-10 code, description, plan and any attachments.
• Treatment data such as medications, physiotherapy and surgeries.
• Usage and device data (includes IP addresses) about the user for legal purposes and security.
• Communication between users (athletes and trainers).
3. Instructions
The Processor and other persons acting under the authority of the Processor who have access to the Personal Data shall process the Personal Data only on behalf of the Controller and only in compliance with the Terms, the Controller's documented instructions, and in accordance with this Processing Agreement, unless otherwise stipulated in applicable statutory laws.
The Processor shall immediately inform the Controller if, in the Processor's opinion, any instruction provided by the Controller infringes the Data Protection Legislation.
4. Obligations of the Controller
The Controller warrants that the Personal Data is processed for legitimate and objective purposes and that the Controller has the right to appoint the Processor to process the Personal Data on its behalf.
The Controller is responsible for ensuring that a valid legal basis for the processing exists at the time of transferring the Personal Data to the Processor, including that any consent is given explicitly, voluntarily, unambiguously and on an informed basis.
In addition, the Controller warrants that the Data Subjects to which the personal data pertains have been provided with sufficient information on the processing of their Personal Data.
5. Confidentiality and Training
The Processor and other persons acting under the authority of the Processor who have access to the Personal Data are subject to a duty of confidentiality in relation to all processing of Personal Data on behalf of the Controller. The Processor is responsible for ensuring that any Sub-processor, or other persons acting under its authority, is also subject to such duty of confidentiality.
The Processor shall ensure that all employees, who have access to the Personal Data from the Controller, have received appropriate training on Data Protection Legislation and are aware, both of the Processor’s duties, as well as their personal duties and obligations under such laws and this Agreement.
The Controller is subject to a duty of confidentiality regarding any documentation and information, received from the Processor, related to the Processor's and its Sub-processors' implemented technical and organisational security measures, or information which the Processor otherwise wants to keep confidential.
The confidentiality obligations also apply after the termination of the Processing Agreement.
6. Security Measures
The Processor shall ensure that appropriate technical and organizational measures are implemented to ensure an appropriate level of security of the Personal Data processed on behalf of the Controller. The choice of technical and organizational security measures shall take into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks for the rights and freedoms of natural persons, which may be of varying likelihood and severity.
A description of the security measures which the Processor is obligated to take, can be found in Appendix 2 to this Agreement.
7. Data Subject’s Rights
The Processor shall refer any data subjects’ requests which relate to the processing of Personal Data on behalf of the Controller to the Controller, without undue delay.
The Processor shall assist the Controller by appropriate technical and organizational measures, and to the extent possible, to respond to requests for exercising the data subject’s rights in accordance with Data Protection Legislation, e.g. access to Personal Data, information on processing, rectification or erasure of Personal Data, right to object to processing, limitation of processing, destruction of Personal Data and portability of Personal Data.
The Processor shall be compensated for its assistance at the Processor's then current rates, unless otherwise agreed.
8. Other Assistance to the Controller
If the Processor receives a request for access or information from the relevant supervisory authority relating to the registered Personal Data or processing activities subject to this Processing Agreement, the Processor shall notify the Controller, for the Controller's further processing thereof, unless the Processor is entitled to handle such request itself or mandatory legislation states otherwise.
If the Controller decides to undertake an impact assessment in connection to certain processing activities, or consult the applicable supervisory authority, the Processor shall assist the Controller in accordance with Articles 35 and 36 of the GDPR.
The Processor shall be compensated for its assistance at the Processor's then current rates, unless otherwise agreed.
9. Notification of Personal Data Breach
The Processor shall notify the Controller without undue delay after becoming aware of a breach related to the processing of Personal Data ("Personal Data Breach"). The Controller is responsible for notifying the Personal Data Breach to the relevant supervisory authority, and the Data Subjects, as applicable.
The notification to the Controller shall as a minimum describe (i) the nature of the Personal Data Breach including where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned; (ii) the likely consequences of the Personal Data Breach; (iii) the measures taken or proposed to be taken by the Processor to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.
In the event the Controller is obliged to notify authorities or Data Subjects and requests the Processor’s assistance, the Controller shall bear any costs related to such notifications.
10. Use of Sub-Processors
By this Processing Agreement the Controller agrees to the Processors use of the processors (“Sub-Processors”) listed in Appendix 1 to the Agreement.
The Processor shall not engage new Sub-Processors for the processing of Personal Data under the Agreement, without notifying the Controller. The Processor shall inform the Controller of any intended changes concerning addition or replacement of any Sub-Processors, and the Controller has the right to object to such changes.
The Processor shall ensure that its data protection obligations set out in the Processing Agreement and in Data Protection Legislation are imposed to any Sub-processors by a written agreement. Any Sub-Processor shall in particular provide sufficient guarantees to implement appropriate technical and organisational measures to comply with Data Protection Legislation, and provide the Processor and relevant supervisory authorities with access and information necessary to verify such compliance.
The Processor shall remain fully liable to the Controller for the performance of any Sub-Processor.
11. Transfer
Disclosure, transfer of Personal Data or access to Personal Data from countries located outside EU/EEA ("Third Country") may only occur if the Controller has consented to such transfer (including by accepting the use of a Sub-Processor established outside the EEA) and the conditions laid down in chapter V of the GDPR are complied with by the Processor.
12. Audits
Processor shall provide the Controller with documentation of implemented technical and organisational measures to ensure an appropriate level of security, and other information necessary to demonstrate the Processor's compliance with its obligations under the Processing Agreement and relevant Data Protection Legislation.
Controller and the supervisory authority under the relevant Data Protection Legislation shall be entitled to conduct audits, including on-premises inspections and evaluations of Personal Data being processed, the systems and equipment used for this purpose, implemented technical and organisational measures, including security policies and similar, and Sub-processors. Controller shall not be given access to information concerning Processor's other customers and information subject to confidentiality obligations.
Controller is entitled to conduct such audits once a year. If Controller appoints an external auditor to perform the audits, such external auditor shall be bound by a duty of confidentiality.
Controller shall bear any costs related to audits initiated by Controller or accrued in relation to audits of Controller, including compensation to Processor for reasonable time spent by it and its employees complying with on premises audits.
13. Term and Termination
The Processing Agreement is valid for as long as the Processor processes Personal Data on behalf of the Controller.
In the event of the Processor's breach of the Processing Agreement or non-compliance of the Data Protection Legislation, the Controller may (i) instruct the Processor to stop further processing of Personal Data with immediate effect; and/or (ii) terminate the Processing Agreement with immediate effect.
14. Effects of Termination
The Processor shall, upon the termination of the Processing Agreement and at the choice of the Controller, delete or provide means for returning all Personal Data to the Controller, unless otherwise stipulated in applicable statutory law.
Unless instructed otherwise by the Controller, Processor will retain data as necessary to comply with our legal obligations, resolve disputes, and enforce our agreement. 5 years after expiration, the data is hidden and marked for deletion, 3 years after that it is permanently deleted.
The Processor shall document in writing to the Controller that deletion has taken place in accordance with the Processing Agreement and as instructed by the Controller.
15. Limitation of Liability
Neither party shall be liable to the other party for any incidental, special, consequential, or indirect damages of any kind (including without limitation damages for interruption of business, loss of data, loss of profits or the like) regardless of the form of action, whether in contract, tort (including without limitation negligence), strict product liability, or other, even if advised of the possibility of such damages (jointly "Indirect Damages").
Neither party shall be liable to the other party for
a) errors or delays that are outside the defaulting party's reasonable control, including general internet or
line delays, power failure or faults on any machines; or
b) errors caused by the other party's systems or actions, negligence or omissions, which shall be the sole
responsibility of that party.
The total and maximum liability in each twelve (12) month period of either party towards the other party under any provision of the Data Processing Agreement or any transaction contemplated by the Data Processing Agreement shall in no event exceed an amount equal to the total amounts paid for the Services under the Agreement in the twelve (12) months preceding the event that incurs liability.
The above limitations shall not apply to damages attributable to fraud, gross negligence or intentional misconduct.
16. Data Protection Officer
The Processor has a Data Protection Officer who can be contacted directly: dpo@xpshealth.com
17. Notices and Amendments
All notices relating to the Processing Agreement shall be submitted in writing to the email address stated on the first page of the Processing Agreement.
In case changes in Data Protection Legislation, a judgement or opinion from another authoritative source causes another interpretation of Data Protection Legislation, or changes to the Services require changes to this Processing Agreement, the parties shall in good faith cooperate to update the Processing Agreement accordingly.
Any modification or amendment of this Processing Agreement shall be effective only if agreed in writing and signed by both Parties.
18. Governing Law and Legal Venue
This Processing Agreement shall be governed by and construed in accordance with the laws of Iceland. Héraðsdómur Reykjavíkur is the court having exclusive jurisdiction.
APPENDIX 1 – Sub-processors
Use of Sub-Processors
By this Agreement the Controller agrees that the Processor can use the following Sub-Processors:
- Amazon Web Services
Database service in Germany
Virtual servers in Germany
As AWS’s parent company is established in the United States, a transfer to the US can not be precluded. Such transfer would be based on the EU-US Data Privacy Framework: (https://www.dataprivacyframework.gov/).
APPENDIX 2 – Security Measures
1. Requirement of Information Security
The Processor, which according to the Agreement processes Personal Data on behalf of the Controller, shall implement appropriate technical and organisational measures as stipulated in Data Protection Legislation and/or measures imposed by relevant supervisory authority pursuant to Data Protection Legislation or other applicable statutory law to ensure an appropriate level of security.
The Processor shall assess the appropriate level of security and take into account the risks related to the processing in relation to the Services, including risk for accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Person Data transmitted, stored or otherwise processed.
All transmissions of Personal Data between the Processor and the Controller or between the Processor and any third party shall be done at a sufficient security level, or otherwise as agreed between the Parties.
This Appendix contains a general description of technical and organisational measures that shall be implemented by the Processor to ensure an appropriate level of security.
To the extent the Processor has access to such information, the Processor shall provide the Controller with general descriptions of its Sub-processors' technical and organisational measures implemented to ensure an appropriate level of security.
2. Technical and Organisational Measures
2.1 Physical access control
All data is hosted by sub-processors.
2.2 Access control to systems
Processor will take proportionate measures to prevent unauthorised access to systems holding Personal Data. Measures shall include:
• Password procedures (including e.g. requirements to length and/or special characters)
• Access to systems subject to approval from management
• No access to systems for guest users or anonymous accounts
• Routines of manual lock when workstations are left unattended, and automatic lock within maximum 10 minutes
2.3 Data entry control
Processor will take proportionate measures to check and establish whether and by whom Personal Data has been supplied in the systems, modified or removed. Measures shall include:
• Differentiated access rights based on duties
• Automated log of user access, and frequent review of security logs to uncover and follow-up on any potential incidents
2.4 Disclosure control
Processor will take proportionate measures to prevent unauthorised access, alteration or removal of Personal Data during transfer of the Personal Data. Measures shall include:
• Use of state of the art encryption on all electronic transfer of Personal Data
• Using a firewall filter, VPN or HTTPS for remote access, transport and communication of Personal Data
2.5 Availability control
Processor will take proportionate measures to ensure that Personal Data are protected from accidental destruction or loss. Measures shall include:
• Frequent back-up of Personal Data
• Remote storage
• Use of anti-virus/firewall protection
• Monitoring of systems in order to detect viruses etc.
• Uninterruptible power supply (UPS)
2.5 Damage control
Processor will take proportionate measures to prevent damage in the case of information leak.
• Log files are deleted periodically
• Passwords are one-way encrypted
Last updated: March 5, 2024