Legal center

Vastian Privacy Policy

• Personal Information
  • We consider all information you provide to us, including but not limited to name, phone number, e-mail, and address, as confidential personal information.
  • We collect personal information to:
    • Provide you with additional information about our products and services at your request.
    • Ensure correct billing.
    • Contact you about updates, new features, and additional courses and assessments that become available with your subscription.
    • Respond to technical support inquiries.
  • Vastian does not give, sell, trade, or otherwise provide your personal information to third parties, partners, or outside entities.
  • Subscribers to Vastian may collect personal information from their employees when they use the Vastian system. This personal information is used to:
    • Deliver training.
    • Record CE credit.
    • Inform employees when they have new required training.
    • Respond to technical support inquiries.
  • Vastian's policies on personal information apply to individual subscribers, institutional subscribers, and all employees of subscribers.
• CE Credit Information
  • Vastian is an accredited provider of P.A.C.E. credits. Each quarter, we are required to provide the American Society of Clinical Laboratory Science (ASCLS), the body that oversees the P.A.C.E. program, with a list of all awarded CE credits.
  • This information includes:
    • Awardee's name
    • Subscriber's institution
    • Course completed
    • Date completed
    • Amount of credit awarded
  • Vastian is an accredited provider of continuing education through Florida's Board of Clinical Laboratory Science. Subscribers with Florida licenses who choose to have Florida credit reported may provide Vastian with their Florida license numbers. Vastian will then report CE credit to Florida's CEBroker system upon completion of any course. A Vastian subscriber may opt-in to Florida CEBroker reporting by providing a Florida license number.
  • This information includes:
    • Awardee's Florida license number
    • Course completed
    • Date completed
    • Amount of credit awarded
• Cookies
  • Vastian uses cookies throughout its website. Cookies are essential to the functioning of this website, as well as many others.
  • When you log in to Vastian, you receive a cookie. This cookie remains until you close your web browser. This cookie verifies your logon information. If cookies are blocked, you will not be able to use Vastian courseware.
  • When you browse the Vastian site, you receive a cookie. This helps us refine our website to better inform visitors of our products and services.
• Ownership of Reports
  • Reports that are generated through Vastian are password-protected to be viewed only by authorized users on your account.
  • Vastian Technical Support staff have the ability to view these reports but are bound to do so only in response to technical questions received from you.
  • From time to time, Vastian will access aggregated, anonymous course activity data, which may include data provided by you and your students, to improve the quality of our courses and system. For example, we look at the average score for a question over time, calculating all users' data, in order to determine if the question is too hard or too easy.
  • Post-course survey results, which are submitted and stored anonymously, are also used for course review and improvement.
• Ownership of Uploaded Materials
  • Materials that are uploaded to CourseBuilder, including images, audio, video, Word, PowerPoint, and PDF files, remain the property of the original copyright holder.
  • Written materials included in custom CourseBuilder courses remain the property of the original copyright holder.
  • Vastian content, questions, and images do not become your copyright or property if they are used in a custom course, nor do courses that you create in CourseBuilder become the property of Vastian.
  • Vastian includes a feature to enable you to share courses with other subscribers. This feature is optional and is not activated by default. You may opt in to this feature to share certain courses that you create with other Vastian users.
  • Unless this feature is activated, only you and your designated users may access your custom courses.
  • Vastian Technical Support staff have the ability to view these courses, but are bound to do so only in response to technical questions received from you.
  • Copyright clearance and infringement prevention are the responsibility of the uploading party. Please reference standard fair-use policies if you are looking to include copyrighted, non-original material in your custom courses. Vastian is not responsible for copyright infringement on the part of its users or obtaining copyright clearance for custom courses. At the request of the copyright holder, Vastian will remove any and all infringing material.
• Credit Card and Billing Information
  • We collect credit card or other billing information when you subscribe to Vastian.
  • Credit card information is passed directly to our merchant services provider and is not retained in any form.
  • No credit card information is stored long-term.
  • Vastian subscriptions are sold on a yearly basis, but all credit card charges are one-time only. You will receive a renewal notice, and should you wish to renew, you may provide us with credit card information. You will never receive an automatic subscription renewal or credit card charge.
  • Prices listed on the website are all-inclusive. There are no additional charges for new courses and features added to your subscription during the year. There are no charges for printing certificates or reporting CE credit.
  • Orders for online subscriptions do not incur shipping or sales tax.
• Additional Questions
  • Questions, concerns, and clarifications regarding the Vastian privacy policy may be addressed to: privacy@medialab.com.

BUSINESS ASSOCIATE AGREEMENT

This BUSINESS ASSOCIATE AGREEMENT (“BAA”) is entered into by and between MediaLab Solutions, LLC dba Vastian (“Business Associate”) and Covered Entity effective as of the date that Covered Entity first receives services from Business Associate that involve access to or custody of Protected Health Information (the "Effective Date").  "Covered Entity" means, in the case of an individual accepting this BAA on his or her behalf, such individual, or in the case of an individual accepting this BAA on behalf of a company or other legal entity, the company or other legal entity for which such individual is accepting this BAA, along with any Affiliate of such company or entity named in any ordering documents or online orders specifying the services to be provided to Covered Entity by Business Associate (each an "Order Form" and, collectively, the "Order Forms") or whose laboratory site(s) or Authorized Users are included within the scope of the site-based or Authorized User-based licensing limitations set forth in the Order Form(s).  "Affiliate" means an entity that directly or indirectly controls (i.e., control is direct or indirect ownership or control of more than 50% of the voting interests), is controlled by, or is under common control with the subject company or legal entity.

BY AFFIRMATIVELY OPTING INTO THIS BAA IN AN ACCEPTED ORDER FORM YOU (A) ACKNOWLEDGE THAT YOU HAVE READ AND UNDERSTAND THIS BAA; (B) REPRESENT AND WARRANT THAT YOU HAVE THE RIGHT, POWER, AND AUTHORITY TO ENTER INTO THIS BAA AND, IF ENTERING INTO THIS AGREEMENT FOR AN ORGANIZATION, THAT YOU HAVE THE LEGAL AUTHORITY TO BIND THAT ORGANIZATION AND ITS AFFILIATES (AND YOU AGREE THAT ALL REFERENCES IN THIS AGREEMENT TO "COVERED ENTITY" INCLUDES SUCH ORGANIZATION AND ITS AFFILIATES); AND (C) ACCEPT THIS BAA AND AGREE THAT COVERED ENTITY IS LEGALLY BOUND BY ITS TERMS.  IF YOU DO NOT HAVE AUTHORITY TO ACCEPT THIS BAA OR DO NOT AGREE TO THESE TERMS, YOU MUST NOT ACCEPT THIS BAA.

‍RECITALS‍

‍WHEREAS, Covered Entity and Business Associate have entered into a Vastian Service Agreement (the “Services Arrangement”) pursuant to which Business Associate provides certain services and/or resources to Covered Entity that involve access to or custody of Protected Health Information (defined below) by Business Associate;

‍WHEREAS, Covered Entity and Business Associate are entering into this BAA in order to comply with the Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 and Subtitle D of the Health Information Technology for Economic and Clinical Health (“HITECH”) Act, and the regulations and guidance promulgated pursuant to the foregoing laws (collectively, “HIPAA”); and

‍WHEREAS, to the extent the parties have previously entered into a business associate contract, this BAA supersedes and replaces such contract as of the date stated above.

‍NOW, THEREFORE, in consideration of the mutual promises set forth in this BAA and other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, Covered Entity and Business Associate hereby agree to the following terms.

1. Definitions
   
   1.1. Breach shall have the same meaning as the term “breach” in 45 CFR §164.402.
   ‍
   1.2. Designated Record Set shall have the same meaning as the term “designated record set” in 45 CFR §164.501.
   
   1.3. Electronic Protected Health Information shall have the same meaning as the term “electronic protected health information” in 45 CFR §160.103, limited to the information created or received by Business Associate from or on behalf of Covered Entity.
   
   1.4. Individual shall have the same meaning as the term “individual” in 45 CFR § 160.103 and shall include a person who qualifies as a personal representative in accordance with 45 CFR § 164.502(g).
   
   1.5. Privacy Rule shall mean 45 CFR Part 160 and Part 164, Subparts A and E.
   
   1.6. Protected Health Information shall have the same meaning as the term “protected health information” in 45 CFR § 160.103, limited to the information created or received by Business Associate from or on behalf of Covered Entity.
   
   1.7. Required By Law shall have the same meaning as the term “required by law” in 45 CFR § 164.103.
   
   1.8. Secretary shall mean the Secretary of the Department of Health and Human Services or his or her designee.
   
   1.9. Security Incident shall have the same meaning as the term “security incident” in 45 CFR § 164.304.
   
   1.10. Security Rule shall mean 45 CFR Part 160 and Party 164, Subparts A and C.
   
   1.11. Subcontractor shall have the same meaning as the term “subcontractor” in 45 CFR § 160.103.
   
   1.12. Unsecured Protected Health Information shall have the same meaning as the term “unsecured protected health information” in 45 CFR § 164.402
   
   Unless otherwise provided in this BAA, all terms have the same meaning as set forth in HIPAA, as amended.  All citations to the Code of Federal Regulations set forth in this BAA shall include all subsequent, updated, amended and/or revised provisions thereto.
   ‍
2. Obligations and Activities of Businesss Associate
   
   2.1. Business Associate agrees to not use or further disclose Protected Health Information other than as permitted or required by this BAA or as Required By Law.
   
   2.2. Business Associate agrees to use appropriate safeguards and comply, where applicable, with the Security Rule with respect to Electronic Protected Health Information, to prevent use or disclosure of the information other than as provided for by this BAA.
   
   2.3. Business Associate agrees to report to Covered Entity any use or disclosure of the Protected Health Information not provided for by this BAA of which it becomes aware, including any Breaches of Unsecured Protected Health Information as required by 45 CFR §164.410.
   
   2.4. In accordance with 45 CFR §164.502(e)(1)(ii), Business Associate agrees to ensure that any Subcontractors that create, receive, maintain, or transmit Protected Health Information on behalf of Business Associate agree to restrictions and conditions substantially similar to those that apply through this BAA to Business Associate with respect to such information.
   
   2.5. If Business Associate maintains Protected Health Information in a Designated Record Set, Business Associate agrees to make available such Protected Health Information as necessary to satisfy Covered Entity's obligations under 45 CFR § 164.524 and make available such Protected Health Information for amendment and incorporate any amendments to such Protected Health Information as necessary to satisfy Covered Entity's obligations under 45 CFR § 164.526.
   
   2.6. Business Associate agrees to make its internal practices, books, and records relating to the use and disclosure of Protected Health Information received from, or created or received by Business Associate on behalf of Covered Entity, available to the Secretary for purposes of the Secretary determining Covered Entity's compliance with the Privacy Rule.
   
   2.7. Business Associate agrees to maintain and make available the information required to provide an accounting of disclosures of Protected Health Information as necessary to satisfy Covered Entity's obligations under 45 CFR § 164.528 and the HITECH Act.
   
   2.8. With respect to Electronic Protected Health Information, Business Associate agrees to (a) comply with the applicable requirements of the Security Rule, (b) in accordance with 45 CFR §164.308(b)(2), ensure that any Subcontractors that create, receive, maintain or transmit Electronic Protected Health Information on behalf of Business Associate agree to comply with the applicable requirements of the Security Rule by entering into a contract or other arrangement that complies with 45 CFR §164.314, and (c) report to Covered Entity any Security Incident of which it becomes aware, including Breaches of Unsecured Protected Health Information as required by 45 CFR §164.410.  This section constitutes ongoing notice by Business Associate to Covered Entity of the existence and occurrence of attempted but Unsuccessful Security Incidents for which no additional notice to Covered Entity is required.  The term “Unsuccessful Security Incidents” includes, without limitation: pings and other broadcast attacks on Business Associate's firewalls, port scans, unsuccessful log-on attempts, denial of service attacks, and any combination of the foregoing, so long as no such incident results in unauthorized access to, use or disclosure of Electronic Protected Health Information.
   
   2.9. To the extent Business Associate is to carry out any obligation of Covered Entity under the Privacy Rule, Business Associate shall comply with the requirements of the Privacy Rule that apply to the Covered Entity with respect to such obligation.
   ‍
3. Permitted Uses and Disclosures by Business Associate
   
   3.1. Business Associate may use or disclose Protected Health Information to perform functions, activities or services for or on behalf of Covered Entity pursuant to the Services Arrangement, provided that any such use or disclosure would not violate the Privacy Rule if done by Covered Entity.
   
   3.2. Business Associate may use Protected Health Information for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate.
   
   3.3. Business Associate may disclose Protected Health Information for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate, provided that disclosures are Required By Law, or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and used or further disclosed only as Required By Law or for the purpose for which it was disclosed to the person, and the person notifies Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.
   
   3.4. Business Associate may use Protected Health Information to provide data aggregation services to Covered Entity, as permitted by 42 CFR § 164.504(e)(2)(i)(B), and Business Associate may de-identify Protected Health Information provided that such de-identification conforms to the requirements of the Privacy Rule.
   
   3.5. Business Associate may use Protected Health Information to report violations of law to appropriate Federal and State authorities, consistent with § 164.502(j)(1).
   ‍
4. Obligations of Covered Entity
   
   4.1. Covered Entity shall not request Business Associate to use or disclose Protected Health Information in any manner that would not be permissible under the Privacy Rule if done by Covered Entity, except that Business Associate may use or disclose Protected Health Information as specified in Section 3 above.
   
   4.2. Covered Entity shall notify Business Associate of any limitation(s) in the notice of privacy practices of Covered Entity in accordance with 45 CFR § 164.520, to the extent that such limitation may affect Business Associate's use or disclosure of Protected Health Information.
   
   4.3. Covered Entity shall notify Business Associate of any changes in, or revocation of, permission by any Individual to use or disclose Protected Health Information, to the extent that such changes may affect Business Associate's use or disclosure of Protected Health Information.
   
   4.4. Covered Entity shall notify Business Associate of any restriction on the use or disclosure of Protected Health Information that Covered Entity has agreed to in accordance with 45 CFR § 164.522, to the extent that such restriction may affect Business Associate's use or disclosure of Protected Health Information.
   ‍
5. Term and Termination
   
   5.1. Term. The term of this BAA shall begin as of the Effective Date and shall terminate upon (i) the later of the termination or expiration of the Services Arrangement or the cessation of all services pursuant to the Services Arrangement or (ii) the termination of this BAA pursuant to Section 5.2 below.
   
   5.2. Termination for Cause.  This BAA may be terminated by either party upon the material breach of this BAA by the other party in the event that the defaulting party fails to cure such material breach within thirty (30) days following written notice from the non-defaulting party describing such material breach.
   
   5.3. Effect of Termination.  Upon termination of this BAA for any reason, Business Associate shall return or destroy all Protected Health Information received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity.  Notwithstanding the foregoing sentence, in the event Business Associate determines that returning or destroying certain Protected Health Information is infeasible, Business Associate shall retain such Protected Health Information, extending the protections of this BAA to such Protected Health Information and limiting further uses and disclosures of such Protected Health Information to those purposes for which such PHI was retained.  For purposes of this Section 5.3, "infeasible" includes but is not limited to circumstances in which further use or disclosure of Protected Health Information is or may be Required By Law or otherwise necessary for Business Associate's proper management and administration or carrying out its legal responsibilities.
   ‍
6. Miscellaneous
   
   6.1. Regulatory References. A reference in this BAA to a section in the Privacy or Security Rule or other section of the HIPAA regulations means the section as in effect or as amended.
   
   6.2. Survival.  Any provision of this BAA which imposes an obligation after termination of this BAA, including but not limited to Sections 5.3 and 6.3, shall survive the termination of this BAA and continue to be binding on the parties.
   
   6.3. Interpretation; Entire Agreement.  Any ambiguity in this BAA shall be resolved to permit Covered Entity and Business Associate to comply with HIPAA.  With respect to the subject matter of this BAA, this BAA supersedes all previous contracts by and between the parties and, together with the Services Arrangement and Order Form(s), constitutes the entire agreement between the parties.  In the event that a provision of this BAA conflicts with a provision of the Services Arrangement or Order Form(s), the provision of this BAA shall control; provided, however, that to the extent any provision within the Services Arrangement imposes more stringent requirements than those required in the BAA, the parties agree to adhere to the terms of the Services Arrangement.  Otherwise, this BAA shall be construed under, and in accordance with, the terms of the Services Arrangement. NOTWITHSTANDING ANYTHING TO THE CONTRARY IN THIS BAA, THE SERVICES ARRANGEMENT, THE ORDER FORM(S) OR IN ANY OTHER CUSTOMER STANDARD TERMS OR DOCUMENTS, THIS BAA SHALL BE GOVERNED BY ANY LIMITATION OF LIABILITY PROVISIONS SET FORTH IN THE SERVICES ARRANGEMENT.
   
   6.4. Binding Effect.  This BAA shall be binding upon and shall inure to the benefit of the parties, their respective successors and permitted assignees.
   
   6.5. Notices.  Any notice required or permitted under this BAA shall be given in writing and delivered by electronic mail or facsimile with confirmation of receipt, by hand, by nationally recognized overnight delivery service or by registered or certified mail, postage pre-paid and return receipt requested, to Business Associate at the address set forth below or to Covered Entity at the notice address set forth in the Order Form.
   ‍
   Business Associate:
   ‍
   MediaLab Solutions, LLC dba Vastian
   Attention: Timothy Westover
   1745 North Brown Road, Suite 300
   Lawrenceville GA 30043
   
   Notice of a change in address of one of the parties shall be given in writing to the other party as provided above.  All notices shall be effective upon receipt.
   ‍
   6.6. Governing Law. To the extent not preempted by Federal law, this BAA shall be governed and construed in accordance with the laws of the State of Georgia, without regard to conflicts of law provisions that would require application of the law of another state.
   
   6.7. No Third Party Beneficiaries.  Nothing express or implied in this BAA is intended to confer, nor shall anything herein confer, upon any person other than the parties and the respective successors and assigns of the parties any rights, remedies, obligations, or liabilities whatsoever.
   
   6.8. Other Requirements.  Business Associate and Covered Entity agree that, to the extent not incorporated or referenced in this BAA, other requirements under the HITECH Act (as well as any other requirements under HIPAA) that apply to business associates, and that are required to be incorporated by reference in a business associate agreement, are incorporated into this BAA as if set forth in this BAA in their entirety and are effective as of the applicable date for each such requirement on which the Secretary will require business associates to comply with such requirement.  Business Associate shall comply with the obligations of a business associate as prescribed by HIPAA and the HITECH Act commencing on the applicable date of each such requirement.
   
   Agreement Last Modified: July 2024

Terms of Service

This Vastian Service Agreement ("Agreement") is entered into by and between MediaLab Solutions, LLC dba Vastian ("Vastian", "we", "us") and Customer (Customer is also referred to in this Agreement as "you" and "your"). "Customer" means, in the case of an individual accepting this Agreement on his or her behalf, such individual, or in the case of an individual accepting this Agreement on behalf of a company or other legal entity, the company or other legal entity for which such individual is accepting this Agreement, along with any Affiliate of such company or entity that is named in Order Form(s) or whose laboratory site(s) or Authorized Users are included within the scope of the site-based or Authorized user-based licensing limitations set forth in the Order Form(s) or otherwise use the Services. "Affiliate" means an entity that directly or indirectly controls (i.e., control is direct or indirect ownership or control of more than 50% of the voting interests), is controlled by, or is under common control with the subject company or legal entity. This Agreement governs your access to and use of the Services (defined below).

BY CHECKING AND/OR CLICKING ON A BOX AND/OR BUTTON THAT INDICATES ACCEPTANCE OR BY EXECUTING, PAYING ANY FEES SET FORTH IN, OR USING ANY SERVICES SET FORTH IN, AN ORDER FORM (DEFINED BELOW) THAT REFERENCES THIS AGREEMENT, YOU (A) ACKNOWLEDGE THAT YOU HAVE READ AND UNDERSTAND THIS AGREEMENT; (B) REPRESENT AND WARRANT THAT YOU HAVE THE RIGHT, POWER, AND AUTHORITY TO ENTER INTO THIS AGREEMENT AND, IF ENTERING INTO THIS AGREEMENT FOR AN ORGANIZATION, THAT YOU HAVE THE LEGAL AUTHORITY TO BIND THAT ORGANIZATION AND ITS AFFILIATES (AND YOU AGREE THAT ALL REFERENCES IN THIS AGREEMENT TO "CUSTOMER", "YOU" OR "YOUR" INCLUDE SUCH ORGANIZATION AND ITS AFFILIATES); AND (C) ACCEPT THIS AGREEMENT AND AGREE THAT YOU ARE LEGALLY BOUND BY ITS TERMS. IF YOU DO NOT HAVE AUTHORITY TO ACCEPT THIS AGREEMENT OR DO NOT AGREE TO THESE TERMS, YOU MUST NOT ACCEPT THIS AGREEMENT AND MAY NOT USE THE SERVICES.‍

Services: Subject to and conditioned on Customer's payment of the fees set forth in one or more ordering documents, order forms or online orders specifying the Services (defined below) to be provided hereunder that is entered into between Vastian and Customer, including any addenda and supplements thereto (collectively, the "Order Forms" and each, individually, an "Order Form"), and compliance with the terms and conditions of this Agreement, Vastian hereby grants Customer a non-exclusive, non-transferable right to internally access and use the services further described in Vastian's online Service Descriptions, that are set forth in one or more Order Forms (collectively, the "Services" and each, individually, a "Service") during the respective Initial Terms and any Renewal Terms of such Order Forms, solely for use by Customer and Customer's human individual employees, contractors and agents who are authorized by Customer to access and use the Services under the rights granted to Customer pursuant to this Agreement and for whom access to the Services has been purchased hereunder (collectively, "Authorized Users"), in accordance with the terms and conditions herein. For purposes of clarification, the Services will not include any services that are not expressly set forth in the Order Forms, with the exception of the Sandbox if provided to Customer by Vastian, as noted in the "Use or Access to Sandbox Environment" paragraph below. The Services are subject to the site-based and Authorized User-based licensing limitations set forth in the Order Forms, in accordance with the terms and conditions herein.‍

Fees: Customer shall pay Vastian the fees ("Fees") as set forth in each Order Form, in advance and without offset or deduction, on the Services Start Date. If Customer fails to make any payment when due and such failure continues for 30 days or more, without limiting Vastian's other rights and remedies, Vastian may suspend Customer's and its Authorized Users' access to any portion or all of the Services Vastian provides to Customer until such amounts are paid in full. If Customer (inclusive of any Affiliate of Customer) exceeds the site-based and/or Authorized User-based licensing limitations set forth in any Order Form, Vastian may prepare an additional Order Form, with retroactive and prospective Fees as necessary, to cover retroactive and prospective use of the Services, as applicable, with respect to such excess sites or Authorized Users of Customer, and Vastian may suspend Customer's and its Authorized Users' access to any portion or all of the Services Vastian provides to Customer until such additional Order Form is accepted and the applicable Fees are paid by Customer. All Fees and other amounts payable by Customer under this Agreement are exclusive of taxes and similar assessments. Customer is responsible for all sales, use, and excise taxes, and any other similar taxes, duties, and charges of any kind imposed by any federal, state, or local governmental or regulatory authority on any amounts payable by Customer hereunder, other than any taxes imposed on Vastian's income.‍

Implementation: Vastian's Services are cloud-based (SaaS). Vastian's Services are designed to be easy-to-use, and implementation is designed to facilitate easy completion by the user. You are responsible for implementation of Vastian's Services, including but not limited to adding Authorized Users, configuring groups and permissions, uploading files / documents, creating assignments, and creating custom courses. You are responsible for providing Internet access to your Authorized Users (including but not limited to Internet provider, hardware, and software). Vastian shall provide Customer with technical support for questions regarding implementation as provided herein.‍

Service Term: The Services set forth in each Order Form will be provided for an initial term identified in the applicable Order Form under "Initial Term" or a similar heading (the "Initial Term"), beginning on the services start date set forth in the Order Form, as may be adjusted by Vastian pursuant to the terms of the Order Form (the "Services Start Date"). Such Order Form shall then automatically renew for additional successive renewal terms set forth in the Order Form (each a "Renewal Term") unless (i) either party provides the other party with written notice of nonrenewal of such Order Form at least thirty (30) days prior to the expiration of the then current Initial Term or Renewal Term or (ii) a replacement Order Form is duly offered and accepted in accordance with this Agreement, in which case the Services set forth in such replacement Order Form will be provided for an Initial Term and Renewal Terms set forth in the replacement Order Form. Collectively, the Initial Terms and Renewal Terms of the Order Forms offered and accepted pursuant to this Agreement are the "Service Term" of this Agreement.‍

Support: Vastian provides implementation assistance and ongoing technical support for subscribers by toll-free phone number and e-mail. Support is available Monday through Friday, 10AM to 5:30PM ET, excluding federal holidays. We strive to respond to all support voicemails and e-mails within 1 business day. Vastian does not provide on-site support.‍

Access, Passwords, and Security: You agree to maintain the security of your administrative level user ID and password. We will verify the identity of your Authorized Users via individual user IDs and passwords, which you agree to keep secure and to require your Authorized Users to keep secure. You agree to notify Vastian immediately if you become aware of or suspect any unauthorized access to any ID or password of Customer or your Authorized Users.‍

Registration Information: You agree to keep your registration information, including email address, current and accurate.‍

Administrator Contacts: You agree to provide a spreadsheet of qualified institutions within your network, to include the full name of the Laboratory Director and Managers, institution addresses, email addresses, and phone numbers.‍

Electronic Communications: You agree that Vastian may, at its discretion, review, but is not obligated to review, Customer and Authorized User information and activity within Vastian systems and resources provided in connection with the Services for purposes of monitoring the performance of Vastian systems and resources as well as your, and your Authorized Users', compliance with this Agreement. You agree that Customer will not, and will ensure that its Authorized Users will not, (a) use the Services for any purpose that is unlawful, abusive, harassing, libelous, defamatory, obscene, or threatening; or (b) upload, post, reproduce, or distribute any information, software, images, or other material that is protected by copyright or any other intellectual property rights (including rights of publicity and privacy), without written permission of the intellectual property rights holder. You agree that you are solely responsible for any violation of intellectual property rights or applicable law in connection with any material not provided by Vastian that you or your Authorized Users submit to, or use in connection with, the Services.‍

Security of Data transmission: You agree to use, and to ensure that your Authorized Users use, browser software that supports Secure Socket Layer protocol (SSL).‍

Confidentiality: From time to time during the Service Term, either party may disclose or make available to the other party information about its business affairs, products (including without limitation software interfaces, object code, images, text and videos), confidential intellectual property, trade secrets, third-party confidential information, confidential software related materials and other sensitive or proprietary information, whether orally or in written, electronic, or other form or media, and whether or not marked, designated, or otherwise identified as "confidential" (collectively, "Confidential Information"). Confidential Information does not include information that, at the time of disclosure is: (a) in the public domain; (b) known to the receiving party at the time of disclosure; (c) rightfully obtained by the receiving party on a non-confidential basis from a third party; or (d) independently developed by the receiving party. The receiving party shall not disclose the disclosing party's Confidential Information to any person or entity, except to the receiving party's employees, independent contractors, attorneys and advisors who have a need to know the Confidential Information for the receiving party to exercise its rights or perform its obligations hereunder. In particular, and not by way of limiting the non-disclosure requirements of this paragraph, Customer may not disclose any Vastian Confidential information on the Internet or any publicly-accessible forum. Notwithstanding the foregoing, each party may disclose Confidential Information to the limited extent required in order to comply with the order of a court or other governmental body, or as otherwise necessary to comply with applicable law, provided that the party making the disclosure pursuant to the order shall first have given written notice to the other party, if legally permitted.‍

Security and Storage of Data: Customer data will be hosted in a professional data center. Vastian maintains an industry standard information security program, including without limitation the receipt of annual favorable SSAE 16 SOC 2 audit report with respect to any data center in which Customer data is stored. Vastian maintains a signed HIPAA-compliant Business Associate Agreement with its data center provider.‍

HIPAA; Maintenance of PHI; Use of Vastian Services: If Vastian acts as a "business associate" of Customer in providing the Services, for purposes of the Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996, Subtitle D of the Health Information Technology for Economic and Clinical Health Act and the regulations promulgated pursuant to the foregoing laws (collectively, "HIPAA"), Customer will in the Order Form opt into Vastian's HIPAA Business Associate Agreement ("BAA"), available at https://www.medialab.com/business-associate-agreement. Customer acknowledges and agrees to, and will ensure that its Authorized Users comply with, the following: (i) Customer is permitted to input and maintain limited quantities of HIPAA protected health information ("PHI") using Vastian's IQE (Intelligent Quality Engine) (for purposes of laboratory non-conforming event documentation and management processes) solution and using Vastian's Compass (using specific patient examples for competency assessment) and Inspection Proof (clinical inspections may involve some PHI) solutions, but Customer will enter into a BAA with Vastian prior to inputting or maintaining any PHI using IQE, Compass or Inspection Proof; (ii) all other products, services, modules and solutions provided by Vastian are not intended for maintenance of any PHI, and Customer will not input or maintain any PHI using any Vastian product, service, module or solution other than IQE, Compass and Inspection Proof; and (iii) Customer agrees not to use any Vastian product, service, module or solution in any manner other than as expressly contemplated in this Agreement and any product or service-specific documentation provided to Customer by Vastian (e.g., no Vastian product, service, module or solution is intended to be used as or in a manner similar to an electronic or personal health or medical record).‍

Vastian's Proprietary Rights; Use Restrictions: Customer acknowledges that our Services contain proprietary copyrighted software code and proprietary interfaces. Customer acknowledges that, as between Customer and Vastian, Vastian owns all right, title, and interest, including all intellectual property rights, in and to the Vastian IP. "Vastian IP" means the Services and any and all intellectual property and proprietary materials provided to Customer or any Authorized User in connection with the Services. For the avoidance of doubt, Vastian IP includes Aggregated Statistics and any information, data, or other content derived from Vastian's monitoring of Customer's access to or use of the Services, but does not include Customer Data.

Customer is responsible and liable for all uses of the Services resulting from access provided by Customer, directly or indirectly, whether such access or use is permitted by or in violation of this Agreement. Without limiting the generality of the foregoing, Customer is responsible for all acts and omissions of Authorized Users, and any act or omission by an Authorized User that would constitute a breach of this Agreement if taken by Customer will be deemed a breach of this Agreement by Customer. Customer shall use reasonable efforts to make all Authorized Users aware of this Agreement's provisions as applicable to such Authorized Users' use of the Services, and shall cause Authorized Users to comply with such provisions.

Customer shall not use, and shall not permit its Authorized Users to use, the Services for any purposes beyond the scope of the access granted in this Agreement. Customer shall not at any time, and shall not permit any Authorized Users to, directly or indirectly: (i) copy, modify, or create derivative works of the Vastian IP or Vastian Confidential Information, in whole or in part; (ii) rent, lease, lend, sell, license, sublicense, assign, distribute, publish, transfer, or otherwise make available the Vastian IP or Vastian Confidential Information; (iii) reverse engineer, disassemble, decompile, decode, adapt, or otherwise attempt to derive or gain access to any software component of the Vastian IP or Vastian Confidential Information, in whole or in part; (iv) bypass or breach any security device or protection used by the Vastian IP or Vastian Confidential Information or access the Vastian IP or Vastian Confidential Information other than by an Authorized User through the use of his or her own then valid access credentials; (v) input, upload, transmit or otherwise provide to or through the Services any information or materials that are unlawful or injurious or contain, transmit or activate any Harmful Code; (vi) damage, destroy, disrupt, disable, impair, interfere with, or otherwise impede or harm in any manner the Vastian IP, Vastian Confidential Information or Vastian's provision of Services to any third party, in whole or in part; (vii) remove, delete, alter or obscure any intellectual property or proprietary rights notices, specifications, documentation, warranties or disclaimers from the Vastian IP or Vastian Confidential Information; (viii) access or use the Vastian IP or Vastian Confidential Information in any manner or for any purpose that infringes, misappropriates, or otherwise violates any intellectual property right or other right of any person, or that violates any applicable law; (ix) access or use the Vastian IP or Vastian Confidential Information for purposes of competitive analysis of the Vastian IP or Vastian Confidential Information, the development, provision or use of a competing software service or product or any other purpose that is to the Vastian's detriment or commercial disadvantage; or (x) perform, run or disclose any security, benchmark or performance testing of the Services or associated infrastructure including without limitation network discovery, port and service identification, vulnerability scanning, password cracking, remote access testing, penetration testing, code scanning, use of automated scripts or any other test or procedure not authorized by Vastian. "Harmful Code" means any software, hardware, or other technology, device, or means, including any virus, worm, malware, or other harmful computer code, the purpose or effect of which is to (i) permit unauthorized access to, or to destroy, disrupt, disable, distort, or otherwise harm or impede in any manner any (a) computer, software, firmware, hardware, system, or network; or (b) any application or function of any of the foregoing or the security, integrity, confidentiality, or use of any data processed thereby; or (ii) prevent Customer or any Authorized User from accessing or using the Vastian IP or Vastian Confidential Information as intended by this Agreement.

Vastian reserves all rights not expressly granted to Customer in this Agreement. Except for the limited rights and licenses expressly granted under this Agreement, nothing in this Agreement grants, by implication, waiver, estoppel, or otherwise, to Customer or any third party any intellectual property rights or other right, title, or interest in or to the Vastian IP or Vastian Confidential Information.‍

Customer Data; Aggregated Statistics: Vastian acknowledges that, as between Vastian and Customer, and with the exception of the Aggregated Statistics, Customer owns all right, title, and interest, including all intellectual property rights, in and to the information, data, and other content, in any form or medium, that is owned by Customer and inputted or submitted into the Services by Customer or an Authorized User of Customer ("Customer Data"). Customer hereby grants to Vastian a non-exclusive, royalty-free, worldwide license to reproduce, distribute, and otherwise use and display the Customer Data and perform all acts with respect to the Customer Data as may be necessary for Vastian to provide the Services to Customer.

Notwithstanding anything to the contrary in this Agreement, Vastian may monitor Customer's use of the Services and collect and compile data and information related to Customer's use of the Services that is used by Vastian in an aggregate and anonymized manner, including without limitation to compile statistical and performance information related to the Services ("Aggregated Statistics"). As between Vastian and Customer, all right, title, and interest in Aggregated Statistics, and all intellectual property rights therein, belong to and are retained solely by Vastian. Customer acknowledges that Vastian may compile Aggregated Statistics based on Customer Data input into the Services.‍

Use or Access to Sandbox Environment: Vastian may, in its sole and absolute discretion, grant Customer and a limited, prescribed number of its Authorized Users access to Vastian's non-production information technology environment known as the "Sandbox" for purposes of experimentation with application workflows, configuration, set-up changes and feature previews outside of the Customer production environment. Customer acknowledges and agrees that (i) the Sandbox is not intended for computer system or software validation; (ii) that the code and functionalities within the Sandbox may not match those within Vastian's other Services intended for a live, production environment; and (iii) agrees that no Customer data may ever be moved between the Sandbox and Customer's production environment. Customer acknowledges and agrees that Customer's and its Authorized Users' access to and use of the Sandbox shall be deemed a part of the Services for all purposes under this Agreement except as otherwise expressly stated in this Agreement. Vastian may terminate Customer's and its Authorized Users' access to and use of the Sandbox at any time and for any or no reason upon written notice to Customer.‍

Backup Feature: Vastian provides a feature whereby Customer may create a full backup of Customer Data. Use of this Vastian backup feature by Customer is limited to once per month. For Customers who use the Backup feature more than once per month, Vastian may charge the fee outlined in an Order Form.‍

Limited Warranty and Warranty Disclaimer: Subject to the "Limitation of Liability" paragraph set forth below, Vastian warrants to Customer that the Services (excluding the Sandbox) will be consistent with applicable accreditation, certification, and professional registration requirements. In the event the Services (excluding the Sandbox) do not conform to the foregoing limited warranty, Vastian will use reasonable efforts consistent with industry standards to remedy such defect, provided that Customer promptly notifies Vastian of the same. The foregoing shall be Vastian's sole obligation and Customer's sole remedy for any breach of the foregoing limited warranty. VASTIAN MAKES NO WARRANTY AS TO RESULTS TO BE ATTAINED BY USING THE SERVICES.

EXCEPT FOR THE LIMITED WARRANTY SET FORTH IN THE FOREGOING PARAGRAPH, THE SERVICES ARE PROVIDED "AS IS" AND ON AN "AS AVAILABLE" BASIS AND VASTIAN HEREBY DISCLAIMS ALL WARRANTIES, WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE. VASTIAN SPECIFICALLY DISCLAIMS ALL IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, AND NON-INFRINGEMENT, AND ALL WARRANTIES ARISING FROM COURSE OF DEALING, USAGE, OR TRADE PRACTICE.‍

Limitation of Liability: IN NO EVENT WILL VASTIAN BE LIABLE UNDER OR IN CONNECTION WITH THIS AGREEMENT UNDER ANY LEGAL OR EQUITABLE THEORY, INCLUDING BREACH OF CONTRACT, TORT (INCLUDING NEGLIGENCE), STRICT LIABILITY, AND OTHERWISE, FOR ANY: (a) CONSEQUENTIAL, INCIDENTAL, INDIRECT, EXEMPLARY, SPECIAL, ENHANCED, OR PUNITIVE DAMAGES; (b) INCREASED COSTS, DIMINUTION IN VALUE OR LOST BUSINESS, PRODUCTION, REVENUES, OR PROFITS; (c) LOSS OF GOODWILL OR REPUTATION; (d) USE, INABILITY TO USE, LOSS, INTERRUPTION, DELAY, OR RECOVERY OF ANY DATA; OR (e) COST OF REPLACEMENT GOODS OR SERVICES, IN EACH CASE REGARDLESS OF WHETHER VASTIAN WAS ADVISED OF THE POSSIBILITY OF SUCH LOSSES OR DAMAGES OR SUCH LOSSES OR DAMAGES WERE OTHERWISE FORESEEABLE. IN NO EVENT WILL VASTIAN'S AGGREGATE LIABILITY ARISING OUT OF OR RELATED TO THIS AGREEMENT UNDER ANY LEGAL OR EQUITABLE THEORY, INCLUDING BREACH OF CONTRACT, TORT (INCLUDING NEGLIGENCE), STRICT LIABILITY, AND OTHERWISE EXCEED THREE TIMES (3X) THE TOTAL FEES PAID BY CUSTOMER TO VASTIAN FOR THE SERVICES UNDER THIS AGREEMENT IN THE 12 MONTH PERIOD PRECEDING THE EVENT GIVING RISE TO THE CLAIM.‍

Services Availability: Vastian monitors its servers 24/7/365 for critical issues using several internal and external monitoring tools. We guarantee a 99.5% uptime (no more than 3.6 hours of downtime per month) from 7am to 11pm Eastern Time Monday through Friday, and 99% uptime (no more than 7.2 hours of downtime per month), from 11pm to 7am Eastern Time Monday through Friday and all day Saturday and Sunday, as measured from the first day to the last day of each calendar month, provided that such uptime guarantee does not apply to the Sandbox. Notwithstanding the foregoing, Vastian is not responsible should Services become unavailable due to factors outside of Vastian's control, including without limitation Customer's Internet connectivity, hardware or third party issues which may affect availability.

Vastian may, directly or indirectly, and by use of any lawful means, suspend or otherwise deny Customer's, any Authorized User's, or any other person's access to or use of all or any part of the Vastian IP or Vastian Confidential Information if: (i) Vastian receives a judicial or other governmental demand or order, subpoena, or law enforcement request that expressly or by reasonable implication requires Vastian to do so or Vastian's provision of the Services to Customer or any Authorized User is prohibited by applicable law; or (ii) Vastian believes, in its good faith discretion, that: (a) Customer's or any Authorized User's use of, access to or acts or omissions with respect to the Vastian IP disrupt, or pose or contribute to a material threat or security risk to, the Vastian IP or to any other customer or vendor of Vastian; (b) Customer or any Authorized User has failed to comply with any term of this Agreement, or accessed or used the Services beyond the scope of the rights granted or for a purpose not authorized under this Agreement (following written notice to Customer and three (3) business days to cure); or (c) Customer or any Authorized User is, has been, or is likely to be involved in any fraudulent, misleading, or unlawful activities relating to or in connection with any of the Services (following written notice to Customer); (iii) in accordance with the "Fees" paragraph or (iv) if this Agreement expires or is terminated (in which case access/use shall be terminated). Except where otherwise expressly stated above, Vastian will provide written notice of any access suspension or denial to Customer promptly after the applicable suspension or denial. Vastian will reestablish any temporarily suspended account or access after the issue causing the suspension has been resolved to its reasonable satisfaction. Customer agrees to notify Vastian promptly upon learning of any use of or access to Vastian IP beyond the scope of or for a purpose not authorized under this Agreement as well as any security issue related to the Vastian IP. This section does not limit any of Vastian's other rights or remedies, whether at law, in equity, or under this Agreement.‍

Force Majeure: In no event shall either party be liable to the other party, or be deemed to have breached this Agreement, for any failure or delay in performing its obligations under this Agreement (except for any obligations to pay Fees), if and to the extent such failure or delay is caused by any circumstances beyond such party's reasonable control, including but not limited to acts of God, flood, fire, earthquake, pandemics, epidemics, explosion, war, terrorism, invasion, riot or other civil unrest, strikes, labor stoppages or slowdowns or other industrial disturbances, or passage of law or any action taken by a governmental or public authority, including imposing an embargo.‍

Termination: This Agreement may be terminated at any time: (a) by Vastian, effective on written notice to Customer, if Customer fails to pay any amount when due under this Agreement, where such failure continues more than thirty (30) days after the payment is due; or (b) by either party, effective on written notice to the other party, if the other party materially breaches this Agreement and such breach: (i) is incapable of cure; or (ii) being capable of cure, remains uncured thirty (30) days after the non-breaching party provides the breaching party with written notice of such breach.

Upon the expiration or termination of this Agreement: (a) Vastian shall refund to Customer the pro-rated portion of any pre-paid and unearned Fees, as determined and calculated by Vastian in its sole and absolute discretion; and (b) all rights and/or authorizations granted to Customer hereunder will immediately terminate and Customer will immediately cease all use of and other activities with respect to the Services.‍

Notices: Except as otherwise expressly stated in this Agreement, all notices required under or regarding this Agreement will be in writing and delivered personally, mailed via registered or certified mail (return receipt requested and postage prepaid) or sent by courier (confirmed by receipt, with all fees pre-paid) addressed to Vastian at the address set forth below or to Customer at its notice address set forth in the Order Form.

If to Vastian:
MediaLab Solutions, LLC
1745 North Brown Rd
Suite 300
Lawrenceville, GA 30043‍

Survival: The provisions set forth in the following paragraphs, and any other right, obligation or provision under this Agreement that, by its nature, should survive termination or expiration of this Agreement, will survive any expiration or termination of this Agreement: Fees, Confidentiality, Vastian's Proprietary Rights; Use Restrictions, Customer Data; Aggregated Statistics, Use or Access to Sandbox Environment, Limited Warranty and Warranty Disclaimer, Limitation of Liability, Termination, Notices, Survival, Independent Contractor Status, Entire Agreement, Amendment and Modification, Waiver, Severability, Governing Law; Submission to Jurisdiction and Assignment.‍

Independent Contractor Status: The relationship between the parties is that of independent contractors. Nothing contained in this Agreement will be construed as creating any agency, partnership, joint venture, or other form of joint enterprise, employment, or fiduciary relationship between the parties, and neither party shall have authority to contract for or bind the other party in any manner whatsoever.‍

Entire Agreement: This Agreement, together with any other documents incorporated herein by reference, and all related exhibits, schedules and Order Forms, constitutes the sole and entire agreement of the parties with respect to the subject matter of this Agreement and supersedes all prior and contemporaneous understandings, agreements, and representations and warranties, both written and oral, with respect to such subject matter. The parties agree that any term or condition stated in a Customer purchase order or in any other Customer order documentation (excluding Order Forms) is void. In the event of a conflict between the terms of this Agreement and the terms of any Order Form(s), the terms of the Order Form(s) shall govern.‍

Amendment and Modification; Acceptance of Order Forms; Waiver: No amendment to or modification of this Agreement is effective unless it is in writing and accepted or signed by an authorized representative of each party, unless otherwise expressly stated in this Agreement or any Order Form. Notwithstanding anything to the contrary in this Agreement (a) this Agreement may be modified by Vastian (such modified Agreement will be effective when implemented by Vastian and made available at the Uniform Resource Locator (web address) reflected in the Order Form(s), with the latest revision date reflected herein), and (b) all references in this Agreement to Order Forms, which are incorporated into this Agreement by reference and governed by this Agreement, shall mean the Order Forms as amended by (and which shall be amended by) any updated, additional and/or renewal Order Forms offered by Vastian and accepted by Customer. Payment of the applicable Fees set forth in an Order Form by Customer, execution of any Order Form by Customer or access to and use of the services set forth in such Order Form by Customer, shall be deemed acceptance by Customer of such Order Form, and signatures shall not be necessary, whether or not a signature line is included in such Order Form. Except to the extent expressly modified by an Order Form or other amendment or modification, this Agreement shall remain in full force and effect pursuant to its terms. In the event of a conflict between the terms of any Order Forms, the Order Form offered and accepted later in time shall govern. No waiver by any party of any of the provisions hereof will be effective unless explicitly set forth in writing and signed by the party so waiving. Except as otherwise set forth in this Agreement, (a) no failure to exercise, or delay in exercising, any rights, remedy, power, or privilege arising from this Agreement will operate or be construed as a waiver thereof, and (b) no single or partial exercise of any right, remedy, power, or privilege hereunder will preclude any other or further exercise thereof or the exercise of any other right, remedy, power, or privilege.‍

Severability: If any provision of this Agreement is invalid, illegal, or unenforceable in any jurisdiction, such invalidity, illegality, or unenforceability will not affect any other term or provision of this Agreement or invalidate or render unenforceable such term or provision in any other jurisdiction. Upon such determination that any term or other provision is invalid, illegal, or unenforceable, the parties shall negotiate in good faith to modify this Agreement so as to effect their original intent as closely as possible in a mutually acceptable manner in order that the transactions contemplated hereby be consummated as originally contemplated to the greatest extent possible.‍

Governing Law; Submission to Jurisdiction: This Agreement is governed by and construed in accordance with the internal laws of the State of Delaware without giving effect to any choice or conflict of law provision or rule that would require or permit the application of the laws of any jurisdiction other than those of the State of Delaware. Any legal suit, action, or proceeding arising out of or related to this Agreement will be instituted exclusively in the federal courts of the United States or the courts of the State of Delaware, and each Party irrevocably submits to the exclusive jurisdiction of such courts in any such suit, action, or proceeding.‍

Assignment: Customer may not assign any of its rights or delegate any of its obligations hereunder, in each case whether voluntarily, involuntarily, by operation of law or otherwise, without the prior written consent of Vastian. Any purported assignment or delegation in violation of this paragraph will be null and void. No assignment or delegation will relieve the assigning or delegating party of any of its obligations hereunder. This Agreement is binding upon and inures to the benefit of the parties (for purposes of clarification, including any applicable Affiliates of Customer pursuant to the first paragraph of this Agreement) and their respective permitted successors and assigns.‍

Agreement Last Modified: July 2024

DATA PROCESSING ADDENDUM

Last updated July 2024

This Data Processing Addendum (“DPA”) supplements the Vastian Service Terms and Conditions and the Order Form(s) (together, the “Agreement”) entered into by and between the Customer named therein (together with its Affiliates, “Customer”) and MediaLab Solutions, LLC dba Vastian (“Vastian”). Any terms not defined in this DPA shall have the meaning set forth in the Agreement.

In the event of a conflict between this DPA and the Agreement, this DPA shall supersede and control.

By signing this DPA, the signing Customer entity enters into this DPA on behalf of itself and, to the extent required under applicable Data Privacy Laws, in the name and on behalf of its Affiliates, if and to the extent Vastian Processes Personal Data for which such Affiliates qualify as the entity that determines the purposes and means of the Processing.

For the purposes of this DPA only (unless otherwise stated in the Agreement), the term “Customer” shall include Customer and its Authorized Affiliates.

Capitalized terms used and not defined in this DPA shall have the respective meanings set forth in the Agreement. In the event of a conflict between this DPA and the Agreement, this DPA shall supersede and control.

In the course of providing the Services to Customer pursuant to the Agreement, Vastian may Process Personal Data on behalf of Customer. The parties agree to comply with the provisions in this DPA with respect to any such Personal Data, each acting reasonably and in good faith. In the event of any inconsistency between a term of this DPA and a term of the Agreement, the term of this DPA shall prevail.‍

DATA PROCESSING TERMS

1. DEFINITIONS

All capitalized terms not defined in this DPA shall have the meanings set forth in the Agreement, and the following terms shall have the following meanings, unless the context otherwise requires:

“Applicable Laws” has the meaning set forth in the Agreement and, for the purpose of this DPA, includes Data Protection Laws.

“Vastian Security Program” means the Vastian Security Program applicable to the Services purchased by Customer, as updated from time to time.

“CCPA” means the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., and its implementing regulations.

“Controller” means the entity which determines the purposes and means of the Processing of Personal Data.

“Data Protection Laws” means all laws and regulations, including laws and regulations of Canada and its provinces and territories, the United States and its states, the European Union, the European Economic Area (“EEA”) and their member states, Switzerland and the United Kingdom, if and to the extent applicable to the Processing of Personal Data under the Agreement. For greater certainty, Data Protection Laws includes the GDPR and the CCPA, to the extent applicable to the Processing of Personal Data under the Agreement.

“Data Subject” means the identified or identifiable natural person to whom Personal Data relates.

“GDPR” means the Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

“Personal Data” means any information relating to an identified or identifiable natural person, where such information is part of the Customer Data Processed under the Agreement.

“Processing” means any operation or set of operations which is performed on Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

“Processor” means the entity which Processes Personal Data on behalf of the Controller.

“Standard Contractual Clauses” means the Standard Contractual Clauses (Data Controller to Data Processor) attached as an annex to the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council. The Standard Contractual Clauses are set out in Attachment 1 to this DPA.

“Sub-processor” means any Processor engaged by Vastian.

2. PROCESSING OF PERSONAL DATA
   ‍
   1. Roles of the Parties. The parties agree that, with regard to the Processing of Personal Data, Customer is the Controller and Vastian is the Processor, and that Vastian may engage Sub-processors subject to the requirements in the section titled “Sub-processors”.
      ‍
   2. Customer’s Processing of Personal Data Customer will, in its use of the Services, Process Personal Data in accordance with the requirements of Data Protection Laws, including any applicable requirement to provide notice to Data Subjects of the use of Vastian as a Processor. For the avoidance of doubt, Customer’s instructions for the Processing of Personal Data shall comply with all Data Protection Laws. Customer shall have sole responsibility for the legality, reliability, integrity, accuracy and quality of Personal Data and for the means by which Customer acquires Personal Data, and Customer shall be responsible for establishing the legal basis for Processing under all Data Protection Laws. Customer represents and warrants to Vastian that (a) Customer has all rights, consents, permissions and legal authority as may be necessary to provide the Personal Data to Vastian and to authorize Vastian to Process the Personal Data to provide the Services, and (b) Customer’s use of the Services will not violate the rights of any Data Subject under Data Protection Laws.
      ‍
   3. Vastian’s Processing of Personal Data. The parties agree that this DPA, the Agreement, and the provision by Customer of instructions via features, tools and APIs made available by Vastian for the Services constitute Customer’s documented instructions regarding Vastian’s Processing of Personal Data (“Documented Instructions”), including with respect to transfers of personal data to a third country or an international organization. Vastian will Process Personal Data only in accordance with Documented Instructions, unless required to do so under Applicable Laws. Customer agrees that the Documented Instructions are Customer’s complete and final instructions to Vastian in relation to Processing of Personal Data. Additional instructions outside the scope of the Documented Instructions (if any) require prior written agreement between Vastian and Customer, including agreement on any additional fees payable by Customer to Vastian for carrying out such instructions. Customer will ensure that the Documented Instructions comply with all Applicable Laws, and that the Processing of Personal Data in accordance with the Documented Instructions will not cause Vastian to be in breach of any Applicable Laws.
      ‍
   4. Details of the Processing.
      1. Subject matter. The subject matter of the Processing under this DPA is Personal Data provided by Customer to Vastian in connection with the Services.
         ‍
      2. Duration. The duration of the Processing under this DPA is the duration of the subscription term for the Services, as provided in the Agreement.
         ‍
      3. Nature and purpose. The nature and purpose of the Processing under this DPA is the provision of the Services ordered by Customer under the Agreement, as more particularly described in the Documentation, and which are generally SaaS solutions for legal entity management.
         ‍
      4. ‍Type of Personal Data. The type of Personal Data that will be Processed under this DPA is Personal Data provided by Customer to the Services, as more particularly described in the Documentation, including but not limited to name, title, position, personal address, business address, citizenship, relationship to managed legal entity, role within managed legal entity, contact information, and identification.‍
         ‍
      5. Categories of Data Subjects. The categories of Data Subjects whose data will be Processed under this DPA may include
         • (i) shareholders, partners, limited partners, directors, officers, employees and other individuals connected with corporations and other legal entities, the records of which are managed by Customer using the Services, and
         • (ii) Customer’s employees and end-users.

5. Use and Disclosure of Personal Data. Vastian will only use Personal Data to provide the Services to Customer, except with the prior written consent of Customer or as otherwise expressly permitted under the Agreement or this DPA, or unless otherwise required under Applicable Laws. Vastian will not disclose Personal Data outside of Vastian or its Affiliates except (a) as Customer directs or as required to provide the Services, (b) to Customer’s third party service providers as directed by Customer, (c) to Sub-processors as described in the section titled “Sub-processors”, (d) as otherwise described in the Agreement or this DPA, or (e) as required by Applicable Laws.
   ‍
6. Disclosure of Personal Data under Applicable Laws. If Vastian is required to disclose Personal Data by Applicable Laws to which Vastian is subject, then Vastian will promptly notify Customer unless prohibited by law. On receipt of any other third-party request for Personal Data, Vastian will promptly notify Customer unless prohibited by law. Vastian will reject the request unless required by law to comply. If the request is valid, Vastian will attempt to redirect the third party to request the Personal Data directly from Customer.
   ‍
7. Storage and Transfer of Personal Data. For the purposes of this section, “Region” means the United States, unless a different region is specified in the Order Form. Except as described elsewhere in this DPA or the Agreement, Personal Data that Vastian processes on Customer’s behalf may be transferred to, and stored and Processed in, the Region or any other location where Vastian or its Sub-processors operate. All transfers of Personal Data out of the European Union, European Economic Area, and Switzerland by the Services shall be governed by the terms of the section titled “GDPR Specific Provisions”. All Personal Data that is Processed directly by Vastian will be stored at rest in the Region and Processed directly by Vastian within the Region, except as provided below. Sub-processors may store or Process Customer Data outside the Region. Vastian may transfer Personal Data from the Region, with the consent of Customer, or as necessary to comply with Applicable Laws or a binding order of a Governmental Authority (such as a subpoena or court order). If Customer provides Personal Data as part of a request for Support Services, Vastian may Process that Personal Data in the locations from which Vastian provides those Support Services. To investigate fraud, abuse or violations of the Agreement, Vastian may Process Personal Data where Vastian maintains its support and investigation personnel. Vastian does not control or limit the locations from which Customer or Customer’s end-users may access Personal Data or to which they may move Personal Data (except as otherwise provided under “Export Compliance” in the Agreement). Customer may interconnect the Services with certain other services provided by third parties. Vastian does not control or limit the locations from such third parties may access Personal Data or to which they may move Personal Data (except as otherwise provided under “Export Compliance” in the Agreement).

3. RIGHTS OF DATA SUBJECTS
   ‍
   1. Data Subject Request. Vastian will, to the extent legally permitted, promptly notify Customer if Vastian receives a request from a Data Subject (“Data Subject Request”) to exercise any right of the Data Subject under Data Protection Laws, including any right of access, right to rectification, restriction of Processing, erasure (right to be forgotten), data portability, objection to the Processing, or a right not to be subject to automated individual decision making. Taking into account the nature of the Processing, Vastian will assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Customer’s obligation to respond to a Data Subject Request under Data Protection Laws. In addition, to the extent Customer, in its use of the Services, does not have the ability to address a Data Subject Request, Vastian will on Customer’s request provide commercially reasonable efforts to assist Customer in responding to such Data Subject Request, to the extent Vastian is legally permitted to do so and the response to such Data Subject Request is required under Data Protection Laws. Customer will pay for assistance provided by Vastian at the Consulting Services Rates.

4. VASTIAN PERSONNEL
   1. Confidentiality. Vastian will ensure that its personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities, and have executed written confidentiality agreements.
      ‍
   2. Limitation of Access. Vastian will ensure that only those Vastian personnel performing Services in accordance with the Agreement have access to Personal Data.
5. SUB-PROCESSORS
   1. Appointment of Sub-processors. Customer agrees that Vastian may engage third-party Sub-processors in connection with the provision of the Services.
      ‍
   2. Agreements with Sub-processors. Vastian will enter into a written agreement with each Sub-processor (a) permitting the Sub-processor to access and use Personal Data only to deliver the services Vastian has retained the Sub-processor to provide and for no other purpose, and (b) requiring the Sub-processor to provide at least the level of data protection required of Vastian under this DPA.‍
      ‍
   3. List of Current Sub-processors and Notification of New Sub-processors. A list of the Sub-processors that are currently engaged by Vastian to carry out Processing activities on Personal Data on behalf of Customer is set forth herein. ‍
      ‍
   4. Objection Right for New Sub-processors. Customer may object to Vastian’s use of a new Sub-processor where there are reasonable grounds to believe that the new Sub-processor will be unable to comply with the terms of this DPA or the Agreement. If Customer objects to Vastian’s use of a new Sub-processor, Customer will notify Vastian promptly in writing within ten days after notification regarding such Sub-processor. Customer acknowledges that Vastian’s inability to use a particular new Sub-processor may result in delay in performing the Services, inability to perform the Services, or increased fees. Vastian will notify Customer in writing of any change to Services or fees that would result from Vastian’s inability to use a new Sub-processor to which Customer has objected. Customer may either execute a written amendment to the Agreement implementing such change or elect to terminate the Agreement by notice to Vastian. If Customer elects to terminate the Agreement, then Customer will pay to Vastian a termination fee equal to the total of the minimum fees payable for the Services for the remainder of the subscription term applicable to the Services. Such termination will not constitute termination for breach of the Agreement. Vastian will have a right to terminate the Agreement if Customer unreasonably objects to a Sub-processor, or does not agree to a written amendment to the Agreement implementing changes in fees or Services resulting from the inability to use the Sub-processor at issue.‍
      ‍
   5. Liability. Vastian shall be liable for the acts and omissions of its Sub-processors to the same extent that Vastian would be liable if performing the services of each Sub-processor directly under the terms of this DPA, except as otherwise set forth in the Agreement.

6. SECURITY
   ‍
   1. Vastian Security Measures. Vastian will implement and maintain appropriate technical and organizational measures to protect Personal Data, including measures to protect Personal Data from unauthorized access, use, modification, encryption, deletion, loss or disclosure. Those measures will be described in the Vastian Security Program. Vastian will make that Vastian Security Program available to Customer, along with other information reasonably requested by Customer regarding Vastian security practices and policies.
      ‍
   2. Customer Responsibilities. Customer is solely responsible for making an independent determination as to whether Vastian’s technical and organizational measures for the Services meet Customer’s requirements, including any of its security obligations under Applicable Laws. Customer agrees that (taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of the Processing, as well as the risks to individuals) Vastian’s technical and organizational measures for the Services provide a level of security appropriate to the risk.
      ‍
   3. Third-Party Certifications and Audits. Vastian has obtained the third-party certifications and audits set forth in the Vastian Security Program. On Customer’s written request at reasonable intervals, and subject to the confidentiality obligations set forth in the Agreement, Vastian will make available to Customer a copy of Vastian’s then most recent third-party audits or certifications, as applicable.
7. AUDITS
   ‍
   1. Vastian Audits. For the purpose of evaluating Vastian’s compliance with the terms of this DPA, Vastian will provide Customer’s internal or external auditors with access to documents and records related to the Services, at Customer’s expense. For greater certainty, Customer auditors will not be entitled to access the data centers of the data center service provider from which the Services are provided without the consent of the data center service provider. Vastian will provide the Customer auditors with any assistance that they may reasonably request in connection with such audits. The audits must be conducted in a manner that minimizes the disruption on Vastian’s operations, during normal business hours, on at least 30 days’ prior notice, and not more than once each calendar year. External auditors must enter into a nondisclosure agreement with Vastian substantially similar to the confidentiality provisions of the Agreement. Customer will pay for assistance provided by Vastian at the Consulting Services Rates.
      ‍
   2. Demonstration of Compliance. At Customer’s reasonable written request, Vastian will provide Customer with information to demonstrate Vastian’s compliance its obligations under this DPA. Customer will pay for work performed by Vastian in response to the request at the Consulting Services Rates.
8. PERSONAL DATA INCIDENT MANAGEMENT AND NOTIFICATION

Vastian maintains security incident management policies and procedures specified in the Vastian Security Program. Vastian will notify Customer without undue delay after becoming aware of the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored or otherwise Processed by Vastian or its Sub-processors of which Vastian becomes aware (a “Personal Data Incident”). Vastian will make reasonable efforts to identify the cause of such Personal Data Incident and take those steps as Vastian deems necessary and reasonable to remediate the cause of such a Personal Data Incident to the extent the remediation is within Vastian’s reasonable control. These obligations shall not apply to incidents that are caused by Customer or Customer’s Users.

9. RETURN AND DELETION OF PERSONAL DATA

On request by Customer made within 90 days after the expiry or termination of the Agreement, Vastian will make any Personal Data in Vastian’s possession or control available to Customer for export or download in open source format as reasonably agreed between the parties. After such 90-day period, Vastian will have no obligation to maintain or provide any Personal Data, and will delete or destroy all copies of Personal Data in its systems or otherwise in its possession or control, unless legally prohibited by Applicable Laws.

10. LIMITATION OF LIABILITY

Each party’s and all of its Affiliates’ liability, taken together in the aggregate, arising out of or related to this DPA, whether in contract, tort or under any other theory of liability, is subject to the ‘Limitation of Liability’ section of the Agreement, and any reference in such section to the liability of a party means the aggregate liability of that party and all of its Affiliates under the Agreement and this DPA together.

11. GDPR SPECIFIC PROVISIONS
    ‍
    1. Application. This section titled “GDPR Specific Provisions” shall apply only if and to the extent that Processing of Personal Data is governed by the GDPR. In the event of any inconsistency between a term of this section and another term of this DPA, the term of this section shall apply for GDPR-Subject Personal Data.
       ‍
    2. Definition. In this section titled “GDPR Specific Provisions”, the following terms shall have the following meanings:
       “GDPR-Subject Personal Data” shall mean Personal Data (1) that is Processed by Vastian, and (2) for which the Processing by Vastian is governed by the GDPR.‍
       ‍
    3. GDPR Requirements. Vastian will Process GDPR-Subject Personal Data in accordance with the GDPR requirements directly applicable to Vastian’s provision of the Services
       .
    4. Processing of GDPR-Subject Personal Data under Applicable Laws of Europe. Vastian will Process GDPR-Subject Personal Data only in accordance with Documented Instructions, unless required to do so under Applicable Laws of a member state of the European Union or the EEA to which Vastian is subject. If Vastian is required to Process GDPR-Subject Personal Data by Applicable Laws of a member state of the European Union or the EEA to which Vastian is subject, then Vastian will promptly notify Customer unless prohibited by law.‍
    5. Records of Processing Activities. Vastian will maintain all records required by Article 30(2) of the GDPR and, to the extent applicable to the Processing of Personal Data on behalf of Customer, will make those records available to Customer on request.‍
       ‍
    6. Data Protection Impact Assessment and Prior Consultation. Taking into account the nature of the Services and the information available to Vastian, Vastian will assist Customer in complying with Customer’s obligations in respect of data protection impact assessments and prior consultation pursuant to Articles 35 and 36 of the GDPR, to the extent Customer does not otherwise have access to the relevant information and to the extent such information is available to Vastian. Customer will pay for assistance provided by Vastian at the Consulting Services Rates.‍
       ‍
    7. Application of Standard Contractual Clauses. The Standard Contractual Clauses will not apply to GDPR- Subject Personal Data that is transferred, either directly or by onward transfer, to (a) any country that is a member of the European Union or the EEA, (b) any country recognised by the European Commission as providing an adequate level of protection for personal data (as described in the GDPR), (c) any organization within the Vastian group of companies that is subject to binding corporate rules under the GDPR, or (d) any country or organization where the transfer is otherwise permitted under the GDPR. The Standard Contractual Clauses will apply to all other transfers of GDPR-Subject Personal Data to a country that is not a member of the European Union or the EEA.‍
       ‍
    8. Standard Contractual Clauses, Terms. If and to the extent that the Standard Contractual Clauses apply, then:
       1. For the purposes of Clauses 8.1 and 8.8 of the Standard Contractual Clauses, the Documented Instructions are deemed to be Customer’s complete and final instructions to Vastian in relation to Processing of Personal Data.
       
       2. For the purposes of Clauses 8.9 of the Standard Contractual Clauses, the parties agree that the obligation of Vastian to permit audits shall be satisfied by Vastian’s provision of third-party audits or certifications under the section titled “Third-Party Certifications and Audits”.
       
       3. For the purposes of Clause 9 of the Standard Contractual Clauses, Customer agrees that Vastian may engage Sub-processors as described in the section titled “Sub-processors”.
       
       4. For the purposes of Clause 9(c) of the Standard Contractual Clauses, copies of any Sub-processor agreement that must be provided by Vastian to Customer may have all commercial information, or clauses unrelated to the Standard Contractual Clauses or their equivalent, removed by Vastian beforehand; and, that such copies will be provided by Vastian, in a manner to be determined in its discretion, only on request by Customer.
       
       5. For the purposes of Clause 16(d) of the Standard Contractual Clauses, the parties agree that the certification of deletion of Personal Data will be provided by Vastian to Customer only on Customer’s request.
       
       6. In the event of any inconsistency between a term of the Standard Contractual Clauses as amended by this section and another term of this DPA, the term of the Standard Contractual Clauses shall apply.

12. CCPA SPECIFIC PROVISIONS
    ‍
    1. Application. This section titled “CCPA Specific Provisions” shall apply only if and to the extent that Processing of Personal Data is governed by the CCPA. In the event of any inconsistency between a term of this section and another term of this DPA, the term of this section shall apply for CCPA-Subject Personal Data.
       ‍
    2. Definitions. In this section titled “CCPA Specific Provisions”, the following terms shall have the following meanings:
       “CCPA-Subject Personal Data” shall mean Personal Information (1) that is Processed by Vastian as part of the Services, and (2) for which the Processing by Vastian is governed by the CCPA.
       “Personal Information” shall have the meaning provided under the CCPA.
       “Sell” shall have the meaning provided under the CCPA.‍
       ‍
    3. CCPA Requirements. For the purposes of this DPA, Vastian is a “service provider” to Customer under the CCPA. Customer may be either a “business” or a “service provider’ under the CCPA. Vastian will Process CCPA-Subject Personal Data in accordance with the CCPA requirements directly applicable to Vastian’s provision of the Services. Vastian will not: (a) retain, use, or disclose CCPA-Subject Personal Data except as permitted in the Agreement, this DPA, or the CCPA; or (b) Sell CCPA-Subject Personal Data.

MEDIALAB SOLUTIONS, LLC DBA VASTIAN

SECTION I

Clause 1 Purpose and scope

Attachment 1 to the Data Processing Addendum The Standard Contractual Clauses (Processors)

1. The purpose of these standard contractual clauses is to ensure compliance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) for the transfer of personal data to a third country.
2. The Parties:some text
   1. the natural or legal person(s), public authority/ies, agency/ies or other body/ies (hereinafter ‘entity/ies’) transferring the personal data, as listed in Annex I.A (hereinafter each ‘data exporter’), and
   2. the entity/ies in a third country receiving the personal data from the data exporter, directly or indirectly via another entity also Party to these Clauses, as listed in Annex I.A (hereinafter each ‘data importer’) have agreed to these standard contractual clauses (hereinafter: ‘Clauses’).
3. These Clauses apply with respect to the transfer of personal data as specified in Annex I.B.
4. The Appendix to these Clauses containing the Annexes referred to therein forms an integral part of these Clauses.

Clause 2 Effect and invariability of the Clauses

1. These Clauses set out appropriate safeguards, including enforceable data subject rights and effective legal remedies, pursuant to Article 46(1) and Article 46(2)(c) of Regulation (EU) 2016/679 and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679, provided they are not modified, except to select the appropriate Module(s) or to add or update information in the Appendix. This does not prevent the Parties from including the standard contractual clauses laid down in these Clauses in a wider contract and/or to add other clauses or additional safeguards, provided that they do not contradict, directly or indirectly, these Clauses or prejudice the fundamental rights or freedoms of data subjects.
   ‍
2. These Clauses are without prejudice to obligations to which the data exporter is subject by virtue of Regulation (EU) 2016/679.

Clause 3 Third-party beneficiaries

1. Data subjects may invoke and enforce these Clauses, as third-party beneficiaries, against the data exporter and/or data importer, with the following exceptions:some text
   1. Clause 1, Clause 2, Clause 3, Clause 6, Clause 7;
   2. Clause 8 –Clause 8.1(b), 8.9(a), (c), (d) and (e);
   3. Clause 9 – Clause 9(a), (c), (d) and (e);
   4. Clause 12 – Clause 12(a), (d) and (f);
   5. Clause 13;
   6. Clause 15.1(c), (d) and (e);
   7. Clause 16(e);
   8. Clause 18 – Clause 18(a) and (b).
2. Paragraph (a) is without prejudice to rights of data subjects under Regulation (EU) 2016/679.
   

Clause 4 Interpretation

1. Where these Clauses use terms that are defined in Regulation (EU) 2016/679, those terms shall have the same meaning as in that Regulation.
   ‍
2. These Clauses shall be read and interpreted in the light of the provisions of Regulation (EU) 2016/679.
   ‍
3. These Clauses shall not be interpreted in a way that conflicts with rights and obligations provided for in Regulation (EU) 2016/679.

Clause 5 Hierarchy

In the event of a contradiction between these Clauses and the provisions of related agreements between the Parties, existing at the time these Clauses are agreed or entered into thereafter, these Clauses shall prevail.

Clause 6 - Description of the transfer(s)

The details of the transfer(s), and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred, are specified in Annex I.B.

Clause 7 – Docking clause

1. An entity that is not a Party to these Clauses may, with the agreement of the Parties, accede to these Clauses at any time, either as a data exporter or as a data importer, by completing the Appendix and signing Annex I.A.
   ‍
2. Once it has completed the Appendix and signed Annex I.A, the acceding entity shall become a Party to these Clauses and have the rights and obligations of a data exporter or data importer in accordance with its designation in Annex I.A.
   ‍
3. The acceding entity shall have no rights or obligations arising under these Clauses from the period prior to becoming a Party.

SECTION II – OBLIGATIONS OF THE PARTIES

Clause 8 - Data protection safeguards

The data exporter warrants that it has used reasonable efforts to determine that the data importer is able, through the implementation of appropriate technical and organisational measures, to satisfy its obligations under these Clauses.

1. Instructions

1. The data importer shall process the personal data only on documented instructions from the data exporter. The data exporter may give such instructions throughout the duration of the contract.
   ‍
2. The data importer shall immediately inform the data exporter if it is unable to follow those instructions.

2. Purpose limitation

The data importer shall process the personal data only for the specific purpose(s) of the transfer, as set out in Annex I.B, unless on further instructions from the data exporter.

3. Transparency

On request, the data exporter shall make a copy of these Clauses, including the Appendix as completed by the Parties, available to the data subject free of charge. To the extent necessary to protect business secrets or other confidential information, including the measures described in Annex II and personal data, the data exporter may redact part of the text of the Appendix to these Clauses prior to sharing a copy, but shall provide a meaningful summary where the data subject would otherwise not be able to understand the its content or exercise his/her rights. On request, the Parties shall provide the data subject with the reasons for the redactions, to the extent possible without revealing the redacted information. This Clause is without prejudice to the obligations of the data exporter under Articles 13 and 14 of Regulation (EU) 2016/679.

4. Accuracy

If the data importer becomes aware that the personal data it has received is inaccurate, or has become outdated, it shall inform the data exporter without undue delay. In this case, the data importer shall cooperate with the data exporter to erase or rectify the data.

5. Duration of processing and erasure or return of data

Processing by the data importer shall only take place for the duration specified in Annex I.B. After the end of the provision of the processing services, the data importer shall, at the choice of the data exporter, delete all personal data processed on behalf of the data exporter and certify to the data exporter that it has done so, or return to the data exporter all personal data processed on its behalf and delete existing copies. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit return or deletion of the personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process it to the extent and for as long as required under that local law. This is without prejudice to Clause 14, in particular the requirement for the data importer under Clause 14(e) to notify the data exporter throughout the duration of the contract if it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under Clause 14(a).

6. Security of processing

1. The data importer and, during transmission, also the data exporter shall implement appropriate technical and organisational measures to ensure the security of the data, including protection against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to that data (hereinafter ‘personal data breach’). In assessing the appropriate level of security, the Parties shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purpose(s) of processing and the risks involved in the processing for the data subjects. The Parties shall in particular consider having recourse to encryption or pseudonymisation, including during transmission, where the purpose of processing can be fulfilled in that manner. In case of pseudonymisation, the additional information for attributing the personal data to a specific data subject shall, where possible, remain under the exclusive control of the data exporter. In complying with its obligations under this paragraph, the data importer shall at least implement the technical and organisational measures specified in Annex II. The data importer shall carry out regular checks to ensure that these measures continue to provide an appropriate level of security.
   ‍
2. The data importer shall grant access to the personal data to members of its personnel only to the extent strictly necessary for the implementation, management and monitoring of the contract. It shall ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
   ‍
3. In the event of a personal data breach concerning personal data processed by the data importer under these Clauses, the data importer shall take appropriate measures to address the breach, including measures to mitigate its adverse effects. The data importer shall also notify the data exporter without undue delay after having become aware of the breach. Such notification shall contain the details of a contact point where more information can be obtained, a description of the nature of the breach (including, where possible, categories and approximate number of data subjects and personal data records concerned), its likely consequences and the measures taken or proposed to address the breach including, where appropriate, measures to mitigate its possible adverse effects. Where, and in so far as, it is not possible to provide all information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.
   ‍
4. The data importer shall cooperate with and assist the data exporter to enable the data exporter to comply with its obligations under Regulation (EU) 2016/679, in particular to notify the competent supervisory authority and the affected data subjects, taking into account the nature of processing and the information available to the data importer.

7. Sensitive data

Where the transfer involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offences (hereinafter ‘sensitive data’), the data importer shall apply the specific restrictions and/or additional safeguards described in Annex I.B.

8. Onward transfers

The data importer shall only disclose the personal data to a third party on documented instructions from the data exporter. In addition, the data may only be disclosed to a third party located outside the European Union (in the same country as the data importer or in another third country, hereinafter ‘onward transfer’) if the third party is or agrees to be bound by these Clauses, under the appropriate Module, or if:

1. the onward transfer is to a country benefiting from an adequacy decision pursuant to Article 45 of Regulation (EU) 2016/679 that covers the onward transfer;
2. the third party otherwise ensures appropriate safeguards pursuant to Articles 46 or 47 Regulation of (EU) 2016/679 with respect to the processing in question;
3. the onward transfer is necessary for the establishment, exercise or defence of legal claims in the context of specific administrative, regulatory or judicial proceedings; or
4. the onward transfer is necessary in order to protect the vital interests of the data subject or of another natural person.

Any onward transfer is subject to compliance by the data importer with all the other safeguards under these Clauses, in particular purpose limitation.

9. Documentation and compliance

1. The data importer shall promptly and adequately deal with enquiries from the data exporter that relate to the processing under these Clauses.
2. The Parties shall be able to demonstrate compliance with these Clauses. In particular, the data importer shall keep appropriate documentation on the processing activities carried out on behalf of the data exporter.
3. The data importer shall make available to the data exporter all information necessary to demonstrate compliance with the obligations set out in these Clauses and at the data exporter’s request, allow for and contribute to audits of the processing activities covered by these Clauses, at reasonable intervals or if there are indications of non-compliance. In deciding on a review or audit, the data exporter may take into account relevant certifications held by the data importer.
4. The data exporter may choose to conduct the audit by itself or mandate an independent auditor. Audits may include inspections at the premises or physical facilities of the data importer and shall, where appropriate, be carried out with reasonable notice.
5. The Parties shall make the information referred to in paragraphs (b) and (c), including the results of any audits, available to the competent supervisory authority on request.

Clause 9 Use of sub-processors

1. GENERAL WRITTEN AUTHORISATION. The data importer has the data exporter’s general authorisation for the engagement of sub-processor(s) from an agreed list. The data importer shall specifically inform the data exporter in writing of any intended changes to that list through the addition or replacement of sub-processors at least 14 days in advance, thereby giving the data exporter sufficient time to be able to object to such changes prior to the engagement of the sub-processor(s). The data importer shall provide the data exporter with the information necessary to enable the data exporter to exercise its right to object.
   ‍
2. Where the data importer engages a sub-processor to carry out specific processing activities (on behalf of the data exporter), it shall do so by way of a written contract that provides for, in substance, the same data protection obligations as those binding the data importer under these Clauses, including in terms of third-party beneficiary rights for data subjects. The Parties agree that, by complying with this Clause, the data importer fulfils its obligations under Clause 8.8. The data importer shall ensure that the sub-processor complies with the obligations to which the data importer is subject pursuant to these Clauses.
   ‍
3. The data importer shall provide, at the data exporter’s request, a copy of such a sub-processor agreement and any subsequent amendments to the data exporter. To the extent necessary to protect business secrets or other confidential information, including personal data, the data importer may redact the text of the agreement prior to sharing a copy.
   ‍
   
4. The data importer shall remain fully responsible to the data exporter for the performance of the sub-processor’s obligations under its contract with the data importer. The data importer shall notify the data exporter of any failure by the sub-processor to fulfil its obligations under that contract.
   ‍
5. The data importer shall agree a third-party beneficiary clause with the sub-processor whereby – in the event the data importer has factually disappeared, ceased to exist in law or has become insolvent – the data exporter shall have the right to terminate the sub-processor contract and to instruct the sub-processor to erase or return the personal data.

Clause 10 - Data subject rights

1. The data importer shall promptly notify the data exporter of any request it has received from a data subject. It shall not respond to that request itself unless it has been authorised to do so by the data exporter.
   ‍
2. The data importer shall assist the data exporter in fulfilling its obligations to respond to data subjects’ requests for the exercise of their rights under Regulation (EU) 2016/679. In this regard, the Parties shall set out in Annex II the appropriate technical and organisational measures, taking into account the nature of the processing, by which the assistance shall be provided, as well as the scope and the extent of the assistance required.
   ‍
3. In fulfilling its obligations under paragraphs (a) and (b), the data importer shall comply with the instructions from the data exporter.

Clause 11 - Redress

1. The data importer shall inform data subjects in a transparent and easily accessible format, through individual notice or on its website, of a contact point authorised to handle complaints. It shall deal promptly with any complaints it receives from a data subject.
   ‍
2. In case of a dispute between a data subject and one of the Parties as regards compliance with these Clauses, that Party shall use its best efforts to resolve the issue amicably in a timely fashion. The Parties shall keep each other informed about such disputes and, where appropriate, cooperate in resolving them.
   ‍
3. Where the data subject invokes a third-party beneficiary right pursuant to Clause 3, the data importer shall accept the decision of the data subject to:some text
   1. lodge a complaint with the supervisory authority in the Member State of his/her habitual residence or place of work, or the competent supervisory authority pursuant to Clause 13;
   2. refer the dispute to the competent courts within the meaning of Clause 18.
4. The Parties accept that the data subject may be represented by a not-for-profit body, organisation or association under the conditions set out in Article 80(1) of Regulation (EU) 2016/679.
   ‍
5. The data importer shall abide by a decision that is binding under the applicable EU or Member State law.
   ‍
6. The data importer agrees that the choice made by the data subject will not prejudice his/her substantive and procedural rights to seek remedies in accordance with applicable laws.

Clause 12 - Liability

1. Each Party shall be liable to the other Party/ies for any damages it causes the other Party/ies by any breach of these Clauses.
   ‍
2. The data importer shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages the data importer or its sub-processor causes the data subject by breaching the third-party beneficiary rights under these Clauses.
   ‍
3. Notwithstanding paragraph (b), the data exporter shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages the data exporter or the data importer (or its sub- processor) causes the data subject by breaching the third-party beneficiary rights under these Clauses. This is without prejudice to the liability of the data exporter and, where the data exporter is a processor acting on behalf of a controller, to the liability of the controller under Regulation (EU) 2016/679 or Regulation (EU) 2018/1725, as applicable.
   ‍
   
4. The Parties agree that if the data exporter is held liable under paragraph (c) for damages caused by the data importer (or its sub-processor), it shall be entitled to claim back from the data importer that part of the compensation corresponding to the data importer’s responsibility for the damage.
   ‍
5. Where more than one Party is responsible for any damage caused to the data subject as a result of a breach of these Clauses, all responsible Parties shall be jointly and severally liable and the data subject is entitled to bring an action in court against any of these Parties.
   ‍
6. The Parties agree that if one Party is held liable under paragraph (e), it shall be entitled to claim back from the other Party/ies that part of the compensation corresponding to its/their responsibility for the damage.
   ‍
7. The data importer may not invoke the conduct of a sub-processor to avoid its own liability.

Clause 13 - Supervision

1. SUPERVISORY AUTHORITIESsome text
   1. where the data exporter is established in an EU Member State, the supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer, as indicated in Annex I.C, shall act as competent supervisory authority.
      ‍
   2. where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) of Regulation (EU) 2016/679, the supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established, as indicated in Annex I.C, shall act as competent supervisory authority.
      ‍
   3. where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) without however having to appoint a representative pursuant to Article 27(2) of Regulation (EU) 2016/679, the supervisory authority of one of the Member States in which the data subjects whose personal data is transferred under these Clauses in relation to the offering of goods or services to them, or whose behaviour is monitored, are located, as indicated in Annex I.C, shall act as competent supervisory authority.
2. The data importer agrees to submit itself to the jurisdiction of and cooperate with the competent supervisory authority in any procedures aimed at ensuring compliance with these Clauses. In particular, the data importer agrees to respond to enquiries, submit to audits and comply with the measures adopted by the supervisory authority, including remedial and compensatory measures. It shall provide the supervisory authority with written confirmation that the necessary actions have been taken.

SECTION III – LOCAL LAWS AND OBLIGATIONS IN CASE OF ACCESS BY PUBLIC AUTHORITIES

Clause 14 - Local laws and practices affecting compliance with the Clauses

1. The Parties warrant that they have no reason to believe that the laws and practices in the third country of destination applicable to the processing of the personal data by the data importer, including any requirements to disclose personal data or measures authorising access by public authorities, prevent the data importer from fulfilling its obligations under these Clauses. This is based on the understanding that laws and practices that respect the essence of the fundamental rights and freedoms and do not exceed what is necessary and proportionate in a democratic society to safeguard one of the objectives listed in Article 23(1) of Regulation (EU) 2016/679, are not in contradiction with these Clauses.
   ‍
2. The Parties declare that in providing the warranty in paragraph (a), they have taken due account in particular of the following elements:some text
   ‍
   1. the specific circumstances of the transfer, including the length of the processing chain, the number of actors involved and the transmission channels used; intended onward transfers; the type of recipient; the purpose of processing; the categories and format of the transferred personal data; the economic sector in which the transfer occurs; the storage location of the data transferred;
      ‍
      
   2. the laws and practices of the third country of destination– including those requiring the disclosure of data to public authorities or authorising access by such authorities – relevant in light of the specific circumstances of the transfer, and the applicable limitations and safeguards;
      ‍
   3. any relevant contractual, technical or organisational safeguards put in place to supplement the safeguards under these Clauses, including measures applied during transmission and to the processing of the personal data in the country of destination.
3. The data importer warrants that, in carrying out the assessment under paragraph (b), it has made its best efforts to provide the data exporter with relevant information and agrees that it will continue to cooperate with the data exporter in ensuring compliance with these Clauses.
   ‍
4. The Parties agree to document the assessment under paragraph (b) and make it available to the competent supervisory authority on request.
   ‍
5. The data importer agrees to notify the data exporter promptly if, after having agreed to these Clauses and for the duration of the contract, it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under paragraph (a), including following a change in the laws of the third country or a measure (such as a disclosure request) indicating an application of such laws in practice that is not in line with the requirements in paragraph (a).
   ‍
6. Following a notification pursuant to paragraph (e), or if the data exporter otherwise has reason to believe that the data importer can no longer fulfil its obligations under these Clauses, the data exporter shall promptly identify appropriate measures (e.g. technical or organisational measures to ensure security and confidentiality) to be adopted by the data exporter and/or data importer to address the situation. The data exporter shall suspend the data transfer if it considers that no appropriate safeguards for such transfer can be ensured, or if instructed by the competent supervisory authority to do so. In this case, the data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses. If the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise. Where the contract is terminated pursuant to this Clause, Clause 16(d) and (e) shall apply.

Clause 15 - Obligations of the data importer in case of access by public authorities

1. Notification

1. The data importer agrees to notify the data exporter and, where possible, the data subject promptly (if necessary with the help of the data exporter) if it:some text
   1. receives a legally binding request from a public authority, including judicial authorities, under the laws of the country of destination for the disclosure of personal data transferred pursuant to these Clauses; such notification shall include information about the personal data requested, the requesting authority, the legal basis for the request and the response provided; or
   2. becomes aware of any direct access by public authorities to personal data transferred pursuant to these Clauses in accordance with the laws of the country of destination; such notification shall include all information available to the importer.
2. If the data importer is prohibited from notifying the data exporter and/or the data subject under the laws of the country of destination, the data importer agrees to use its best efforts to obtain a waiver of the prohibition, with a view to communicating as much information as possible, as soon as possible. The data importer agrees to document its best efforts in order to be able to demonstrate them on request of the data exporter.
   ‍
3. Where permissible under the laws of the country of destination, the data importer agrees to provide the data exporter, at regular intervals for the duration of the contract, with as much relevant information as possible on the requests received (in particular, number of requests, type of data requested, requesting authority/ies, whether requests have been challenged and the outcome of such challenges, etc.).
   ‍
4. The data importer agrees to preserve the information pursuant to paragraphs (a) to (c) for the duration of the contract and make it available to the competent supervisory authority on request.
   ‍
   
5. Paragraphs (a) to (c) are without prejudice to the obligation of the data importer pursuant to Clause 14(e) and Clause 16 to inform the data exporter promptly where it is unable to comply with these Clauses.

2. Review of legality and data minimisation

1. The data importer agrees to review the legality of the request for disclosure, in particular whether it remains within the powers granted to the requesting public authority, and to challenge the request if, after careful assessment, it concludes that there are reasonable grounds to consider that the request is unlawful under the laws of the country of destination, applicable obligations under international law and principles of international comity. The data importer shall, under the same conditions, pursue possibilities of appeal. When challenging a request, the data importer shall seek interim measures with a view to suspending the effects of the request until the competent judicial authority has decided on its merits. It shall not disclose the personal data requested until required to do so under the applicable procedural rules. These requirements are without prejudice to the obligations of the data importer under Clause 14(e).
   ‍
2. The data importer agrees to document its legal assessment and any challenge to the request for disclosure and, to the extent permissible under the laws of the country of destination, make the documentation available to the data exporter. It shall also make it available to the competent supervisory authority on request.
   ‍
3. The data importer agrees to provide the minimum amount of information permissible when responding to a request for disclosure, based on a reasonable interpretation of the request.

SECTION IV – FINAL PROVISIONS

Clause 16 - Non-compliance with the Clauses and termination

1. The data importer shall promptly inform the data exporter if it is unable to comply with these Clauses, for whatever reason.
   ‍
2. In the event that the data importer is in breach of these Clauses or unable to comply with these Clauses, the data exporter shall suspend the transfer of personal data to the data importer until compliance is again ensured or the contract is terminated. This is without prejudice to Clause 14(f).
   ‍
3. The data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses, where:some text
   ‍
   1. the data exporter has suspended the transfer of personal data to the data importer pursuant to paragraph (b) and compliance with these Clauses is not restored within a reasonable time and in any event within one month of suspension;
      ‍
   2. the data importer is in substantial or persistent breach of these Clauses; or
      ‍
   3. the data importer fails to comply with a binding decision of a competent court or supervisory authority regarding its obligations under these Clauses. In these cases, it shall inform the competent supervisory authority of such non-compliance. Where the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise.

4. Personal data that has been transferred prior to the termination of the contract pursuant to paragraph (c) shall at the choice of the data exporter immediately be returned to the data exporter or deleted in its entirety. The same shall apply to any copies of the data. The data importer shall certify the deletion of the data to the data exporter. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit the return or deletion of the transferred personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process the data to the extent and for as long as required under that local law.
   ‍
5. Either Party may revoke its agreement to be bound by these Clauses where (i) the European Commission adopts a decision pursuant to Article 45(3) of Regulation (EU) 2016/679 that covers the transfer of personal data to which these Clauses apply; or (ii) Regulation (EU) 2016/679 becomes part of the legal framework of the country to which the personal data is transferred. This is without prejudice to other obligations applying to the processing in question under Regulation (EU) 2016/679.

Clause 17 - Governing law

These Clauses shall be governed by the law of one of the EU Member States, provided such law allows for third-party beneficiary rights. The Parties agree that this shall be the law of Ireland.

Clause 18 - Choice of forum and jurisdiction

1. Any dispute arising from these Clauses shall be resolved by the courts of an EU Member State.
   ‍
2. The Parties agree that those shall be the courts of Ireland.
   ‍
3. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of the Member State in which he/she has his/her habitual residence.
   ‍
4. The Parties agree to submit themselves to the jurisdiction of such courts.
   

Vastian Artificial Intelligence & Clementine AI Usage Policy

Clementine AI, powered by Vastian, is an expert in the healthcare industry and is designed to help users to brainstorm or gain insights on topics in this field.

Please be aware that:

• Clementine is only allowed to handle prompts regarding healthcare or medical topic. It will be unable to respond outside of this scope.
• This version of Clementine does not have specific knowledge about Vastian, its systems or documents, nor does it have access to your data to answer those type questions.
• Clementine is an AI chatbot, built using GPT 4o. The quality of responses will be influenced by the quality of the prompts provided.

By using Clementine AI, you are agreeing to the terms and conditions found here:‍

Disclaimer and Waiver of Claims: This answer or other content ("Output") was created in whole or in part using generative artificial intelligence (GenAI). It may contain errors or inaccuracies and should not be relied upon without expert human review and verification.  By using this Output, you acknowledge and agree that you are solely responsible for the use of this Output, including evaluating the accuracy of the Output, and that any use of the Output is at your sole risk.  BY USING THIS OUTPUT, YOU AGREE THAT YOU WILL NOT PURSUE OR MAINTAIN ANY CLAIM, AND HEREBY EXPRESSLY WAIVE AND RELEASE ANY AND ALL CLAIMS NOW KNOWN OR HEREAFTER KNOWN, AGAINST MEDIALAB SOLUTIONS, LLC DBA VASTIAN OR ANY THIRD PARTY ARISING FROM OR RELATING TO THE USE OF THIS OUTPUT.