B2B Terms of Service and GDPR Data Processing Agreement for:
ShareMyXray, bbRad, VNA and Data Migration
Software as a Service
Applicability
These Terms of Service (ToS) and Data Processing Agreement (DPA) are for hospitals, clinics and other healthcare service providers entering into a Business-to-Business (B2B) relationship with ourselves where we are a data processor or sub-processor.
These ToS and DPA do not apply to Patients registered with an account on the ShareMyXray platform, entering into a Business-to-Consumer (B2C) relationship with ourselves where we are the data controller. For Patients’ Terms of Service refer to https://sharemyxray.com/tos-patients
Parties
- Cypher Information Technology Ltd, a company incorporated in England and Wales (registration number 4235054) having its registered office at The Factory, 14 Alder Hills, Poole, Dorset, BH12 4AS (the “Provider”); and
- The contracting organisation, a healthcare service provider (the “Customer”).
Agreement
1. Definitions
1.1 In this Agreement:
“Account” means an account enabling a person to access and use Hosted or on-site Services;
“Agreement” means this agreement including any Schedules, and any amendments to this Agreement from time to time;
“Business Day” means any weekday other than a bank or public holiday in England;
“Business Hours” means the hours of 09:00 to 17:00 GMT/BST on a Business Day;
“Charges” means the following amounts:
(a) such amounts as may be agreed in writing by the parties from time to time;
“Customer Confidential Information” means:
(a) any information disclosed by or on behalf of the Customer to the Provider at any time before the termination of this Agreement (whether disclosed in writing, orally or otherwise) that at the time of disclosure:
(i) was marked or described as “confidential”; or
(ii) should have been reasonably understood by the Provider to be confidential;
“Patient Data” means any clinical Personal Data that is processed by the Provider on behalf of the Customer in relation to this Agreement, but excluding data with respect to which the Provider is a data controller;
“Customer Data” means all data, works and materials, other than Patient Data, supplied by the Customer to the Provider for the performance of the Platform or as a result of the use of the Services by the Customer (but excluding analytics data relating to the use of the Platform and server log files);
“Data Protection Laws” means all applicable laws relating to the processing of Personal Data including, while it is in force and applicable to Patient Data, the General Data Protection Regulation (Regulation (EU) 2016/679);
“Documentation” means the documentation for the Services produced by the Provider and delivered or made available by the Provider to the Customer;
“Effective Date” means the date of execution of this Agreement;
“Force Majeure Event” means an event, or a series of related events, that is outside the reasonable control of the party affected (including failures of the internet or any public telecommunications network, hacker attacks, denial of service attacks, virus or other malicious software attacks or infections, power failures, industrial disputes affecting any third party, changes to the law, disasters, explosions, fires, floods, riots, terrorist attacks and wars);
“Services Defect” means a defect, error or bug in the Platform having a material adverse effect on the operation, functionality or performance of the Services, but excluding any defect, error or bug caused by or arising as a result of:
(a) any act or omission of the Customer or any person authorised by the Customer to use the Platform or Services;
(b) any use of the Platform or Services contrary to the Documentation, whether by the Customer or by any person authorised by the Customer;
(c) a failure of the Customer to perform or observe any of its obligations in this Agreement; and/or
(d) an incompatibility between the Platform or Services and any other system, network, application, program, hardware or software not specified as compatible in the Services Specification;
“Services Specification” means the specification for the Platform and Services set out in the Documentation;
“Intellectual Property Rights” means all intellectual property rights wherever in the world, whether registrable or unregistrable, registered or unregistered, including any application or right of application for such rights (and these “intellectual property rights” include copyright and related rights, database rights, confidential information, trade secrets, know-how, business names, trade names, trade marks, service marks, passing off rights, unfair competition rights, patents, petty patents, utility models, semi-conductor topography rights and rights in designs);
“Maintenance Services” means the general maintenance of the Platform and Services, and the application of Updates and Upgrades;
“Mobile App” means any mobile application that may be made available by the Provider through the Google Play Store and the Apple App Store;
“Personal Data” has the meaning given to it in the Data Protection Laws applicable in the United Kingdom and EU from time to time;
“Platform” means the platform managed by the Provider and used by the Provider to provide the Services, including the application and database software for the Services, the system and server software used to provide the Services, and the computer hardware on which that application, database, system and server software is installed;
“Schedule” means any schedule attached to the main body of this Agreement;
“Services” means the ShareMyXray hosted Service, the bbRad Gateway, VNA and exoPACS on-site Services, and any other services that the Provider provides to the Customer, or has an obligation to provide to the Customer, under this Agreement, in each case made available by the Provider to the Customer in accordance with this Agreement;
“Support Services” means support in relation to the use of, and the identification and resolution of errors in, the Services, but shall not include the provision of training services;
“Supported Web Browser” means the current release from time to time of Microsoft Edge, Mozilla Firefox, Google Chrome or Apple Safari, or any other web browser that the Provider agrees in writing shall be supported;
“Term” means the term of this Agreement, commencing in accordance with Clause 3.1 and ending in accordance with Clause 3.2;
“Update” means a hotfix, patch or minor version update to any Platform software; and
“Upgrade” means a major version upgrade of any Platform software.
2. Credit
2.1 This document was created using a template from SEQ Legal (https://seqlegal.com).
This document must retain the above credit. Use of this document without the credit is an infringement of SEQ Legal’s copyright.
3. Term
3.1 This Agreement shall come into force upon the Effective Date.
3.2 This Agreement shall continue in force for the duration of the Service provision specified in the Customer’s Order Document, subject to termination in accordance with Clause 18 or any other provision of this Agreement, after which this Agreement shall terminate automatically unless renewed and fully paid.
4. Services
4.1 The Provider shall ensure that the Platform will generate an Account for the Customer and provide to the Customer login details for that Account.
4.2 The Provider hereby grants to the Customer a worldwide, non-exclusive licence to use the Services for the internal business purposes of the Customer in accordance with the Documentation during the Term.
4.3 The licence granted by the Provider to the Customer under Clause 4.2 is subject to the following limitations:
(a) the Services may only be used by the officers, employees, agents and subcontractors of the Customer;
4.4 Except to the extent expressly permitted in this Agreement or required by law on a non-excludable basis, the licence granted by the Provider to the Customer under Clause 4.2 is subject to the following prohibitions:
(a) the Customer must not sub-license its right to access and use the Services;
(b) the Customer must not permit any unauthorised person to access or use the Services;
(c) the Customer must not resell or use the Services to provide services to third parties;
(d) the Customer must not republish or redistribute any material from the Services;
(e) the Customer must not make any alteration to the Platform, except as permitted by the Documentation; and
(f) the Customer must not conduct or request that any other person conduct any load testing or penetration testing on the Platform or Services without the prior written consent of the Provider.
4.5 The Customer shall use reasonable endeavours, including reasonable security measures relating to Account access details, to ensure that no unauthorised person may gain access to the Services.
4.6 The Provider shall use reasonable endeavours to maintain the availability of the Services to the Customer, but does not guarantee 100% availability.
4.7 For the avoidance of doubt, downtime caused directly or indirectly by any of the following shall not be considered a breach of this Agreement:
(a) a Force Majeure Event;
(b) a fault or failure of the internet or any public telecommunications network;
(c) a fault or failure of the Customer’s computer systems or networks;
(d) any breach by the Customer of this Agreement; or
(e) scheduled maintenance carried out in accordance with this Agreement.
4.8 The Customer must ensure that all persons using the Services with the authority of the Customer or by means of an Account comply with the Acceptable Use Policy.
4.9 The Customer must not use the Services in any way that causes, or may cause, damage to the Services or Platform or impairment of the availability or accessibility of the Services.
4.10 The Customer must not use the Services:
(a) in any way that is unlawful, illegal, fraudulent or harmful; or
(b) in connection with any unlawful, illegal, fraudulent or harmful purpose or activity.
4.11 For the avoidance of doubt, the Customer has no right to access the software code (including object code, intermediate code and source code) of the Platform, either during or after the Term.
4.12 The Provider may suspend the provision of the Services if any amount due to be paid by the Customer to the Provider under this Agreement is overdue, and the Provider has given to the Customer at least 30 days’ written notice, following the amount becoming overdue, of its intention to suspend the Services on this basis.
5. Maintenance Services
5.1 The Provider shall provide the Maintenance Services to the Customer during the Term.
5.2 The Provider shall, where practicable, give to the Customer at least 5 Business Days’ prior written notice of scheduled Maintenance Services that are likely to affect the availability of the Services or are likely to have a material negative impact upon the Services, without prejudice to the Provider’s other notice obligations under the main body of this Agreement.
5.3 The Provider shall give to the Customer at least 5 Business Days’ prior written notice of the application of an Upgrade to the Platform.
5.4 The Provider shall give to the Customer written notice of the application of any security Update to the Platform and at least 5 Business Days’ prior written notice of the application of any non-security Update to the Platform.
5.5 The Provider shall provide the Maintenance Services in accordance with the standards of skill and care reasonably expected from a leading service provider in the Provider’s industry.
5.6 The Provider may suspend the provision of the Maintenance Services if any amount due to be paid by the Customer to the Provider under this Agreement is overdue.
6. Support Services
6.1 The Provider shall provide the Support Services to the Customer during the Term.
6.2 The Provider shall make available to the Customer a helpdesk in accordance with the provisions of the main body of this Agreement.
6.3 The Provider shall provide the Support Services with reasonable skill and care.
6.4 The Customer may use the helpdesk for the purposes of requesting and, where applicable, receiving the Support Services; and the Customer must not use the helpdesk for any other purpose.
6.5 The Provider shall respond promptly to all requests for Support Services made by the Customer through the helpdesk.
6.6 The Provider may suspend the provision of the Support Services if any amount due to be paid by the Customer to the Provider under this Agreement is overdue.
7. Customer Data
7.1 The Customer hereby grants to the Provider a non-exclusive licence to process the Customer Data to the extent reasonably required for the performance of the Provider’s obligations and the exercise of the Provider’s rights under this Agreement. The Customer also grants to the Provider the right to sub-license these rights to its hosting, connectivity and telecommunications service providers, subject to any express restrictions elsewhere in this Agreement.
7.2 The Customer warrants to the Provider that the Customer Data will not infringe the Intellectual Property Rights or other legal rights of any person, and will not breach the provisions of any law, statute or regulation.
7.3 The Provider shall create a back-up copy of the Customer Data at least weekly, shall ensure that each such copy is sufficient to enable the Provider to restore the Services to the state they were in at the time the back-up was taken, and shall retain and securely store each such copy for a minimum period of 30 days.
8. Mobile App
8.1 The parties acknowledge and agree that the use of the Mobile App, the parties’ respective rights and obligations in relation to the Mobile App and any liabilities of either party arising out of the use of the Mobile App shall be subject to separate terms and conditions, and accordingly this Agreement shall not govern any such use, rights, obligations or liabilities.
9. No assignment of Intellectual Property Rights
9.1 Nothing in this Agreement shall operate to assign or transfer any Intellectual Property Rights from the Provider to the Customer, or from the Customer to the Provider.
10. Charges
10.1 The Customer shall pay the Charges to the Provider in accordance with this Agreement.
10.2 If the Charges are based in whole or part upon the time spent by the Provider performing the Services, the Provider must obtain the Customer’s written consent before performing Services that result in any estimate of time-based Charges given to the Customer being exceeded or any budget for time-based Charges agreed by the parties being exceeded; and unless the Customer agrees otherwise in writing, the Customer shall not be liable to pay to the Provider any Charges in respect of Services performed in breach of this Clause 10.2.
10.3 All amounts stated in or in relation to this Agreement are, unless the context requires otherwise, stated exclusive of any applicable value added taxes, which will be added to those amounts and payable by the Customer to the Provider.
10.4 The Provider may elect to vary any element of the Charges to the Customer on any anniversary of the date of execution of this Agreement, providing that no such variation shall result in an aggregate percentage increase in the relevant element of the Charges during the Term that exceeds 4 percentage points per annum over the percentage increase, during the same period, in the Retail Prices Index (all items) published by the UK Office for National Statistics.
11. Payments
11.1 The Provider shall issue invoices for the Charges to the Customer in advance of the period to which they relate.
11.2 The Customer must pay the Charges to the Provider within the period of 30 days following the issue of an invoice in accordance with this Clause 11.
11.3 The Customer must pay the Charges by direct debit or bank transfer (using such payment details as are notified by the Provider to the Customer from time to time).
11.4 If the Customer does not pay any amount properly due to the Provider under this Agreement, the Provider may:
(a) charge the Customer interest on the overdue amount at the rate of 16% per annum above the Bank of England base rate from time to time (which interest will accrue daily until the date of actual payment and be compounded at the end of each calendar month); or
(b) claim interest and statutory compensation from the Customer pursuant to the Late Payment of Commercial Debts (Interest) Act 1998.
12. Provider’s confidentiality obligations
12.1 The Provider must:
(a) keep the Customer Confidential Information strictly confidential;
(b) not disclose the Customer Confidential Information to any person without the Customer’s prior written consent, and then only under conditions of confidentiality no less onerous than those contained in this Agreement;
(c) use the same degree of care to protect the confidentiality of the Customer Confidential Information as the Provider uses to protect the Provider’s own confidential information of a similar nature, being at least a reasonable degree of care;
(d) act in good faith at all times in relation to the Customer Confidential Information; and
(e) not use any of the Customer Confidential Information for any purpose other than those specified in the Data Processing Agreement.
12.2 Notwithstanding Clause 12.1, the Provider may disclose the Customer Confidential Information to the Provider’s officers, employees, professional advisers, insurers, agents and subcontractors who have a need to access the Customer Confidential Information for the performance of their work with respect to this Agreement and who are bound by a written agreement or professional obligation to protect the confidentiality of the Customer Confidential Information.
12.3 This Clause 12 imposes no obligations upon the Provider with respect to Customer Confidential Information that:
(a) is known to the Provider before disclosure under this Agreement and is not subject to any other obligation of confidentiality;
(b) is or becomes publicly known through no act or default of the Provider; or
(c) is obtained by the Provider from a third party in circumstances where the Provider has no reason to believe that there has been a breach of an obligation of confidentiality.
12.4 The restrictions in this Clause 12 do not apply to the extent that any Customer Confidential Information is required to be disclosed by any law or regulation, by any judicial or governmental order or request, or pursuant to disclosure requirements relating to the listing of the stock of the Provider on any recognised stock exchange.
12.5 The provisions of this Clause 12 shall continue in force for a period of 5 years following the termination of this Agreement, at the end of which period they will cease to have effect.
13. Data protection
13.1 Each party shall comply with the Data Protection Laws with respect to the processing of the Patient Data and Personal Data.
13.2 The Customer warrants to the Provider that it has the legal right to disclose all Personal Data that it does in fact disclose to the Provider under or in connection with this Agreement.
13.3 The Customer shall only supply to the Provider, and the Provider shall only process, in each case under or in relation to this Agreement, the Personal Data of data subjects falling within the categories specified in Part 1 of Schedule 3 (Data Processing Agreement) and of the types specified in Part 2 of Schedule 3 (Data Processing Agreement); and the Provider shall only process the Patient Data for the purposes specified in Part 3 of Schedule 3 (Data Processing Agreement).
13.4 The Provider shall only process the Patient Data during the Term, subject to the other provisions of this Clause 13.
13.5 The Provider shall only process the Patient Data on instructions of the Customer.
13.6 The Provider shall not validate the legitimacy under the Data Protection Laws of Patient Data transfers initiated by the Customer, as data controller, on the ShareMyXray or bbRad Services, and the Customer shall indemnify the Provider against any fines or costs of enforcement orders in respect of such Customer-initiated transfers. Notwithstanding this, the Provider shall notify the Customer without undue delay if, in the opinion of the Provider, any other instruction of the Customer relating to the processing of the Patient Data infringes the Data Protection Laws.
13.7 Notwithstanding any other provision of this Agreement, the Provider may process the Patient Data if and to the extent that the Provider is required to do so by applicable law. In such a case, the Provider shall inform the Customer of the legal requirement before processing, unless that law prohibits such information.
13.8 The Provider shall ensure that persons authorised to process the Patient Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
13.9 The Provider and the Customer shall each implement appropriate technical and organisational measures to ensure an appropriate level of security for the Patient Data, including those measures specified in Part 4 of Schedule 3 (Data Processing Agreement).
13.10 The Provider must not engage any third party to process the Patient Data without the general written authorisation of the Customer. In the case of a general written authorisation, the Provider shall inform the Customer at least 14 days in advance of any intended changes concerning the addition or replacement of any third party processor, and if the Customer objects to any such changes before their implementation, then the Customer may terminate this Agreement on 7 days’ written notice to the Provider, providing that such notice must be given within the period of 7 days following the date that the Provider informed the Customer of the intended changes. The Provider shall ensure that each third party processor is subject to equivalent legal obligations as those imposed on the Provider by this Clause 13.
13.11 As at the Effective Date, the Provider is hereby authorised by the Customer to engage, as sub-processors with respect to Patient Data, the third parties identified in Part 5 of Schedule 3 (Data Processing Agreement).
13.12 The Provider shall, insofar as possible and taking into account the nature of the processing, take appropriate technical and organisational measures to assist the Customer with the fulfilment of the Customer’s obligation to respond to requests exercising a data subject’s rights under the Data Protection Laws.
13.13 The Provider shall assist the Customer in ensuring compliance with the obligations relating to the security of processing of personal data, the notification of personal data breaches to the supervisory authority, the communication of personal data breaches to the data subject, data protection impact assessments and prior consultation in relation to high-risk processing under the Data Protection Laws. The Provider shall report any Personal Data breach relating to the Patient Data to the Customer within 24 hours following the Provider becoming aware of the breach. The Provider may charge the Customer at its standard time-based charging rates for any work additional to the standard GDPR work required to do business within the EU, performed by the Provider at the request of the Customer pursuant to this Clause 13.13.
13.14 The Provider shall make available to the Customer all information necessary to demonstrate the compliance of the Provider with its obligations under this Clause 13 and the Data Protection Laws.
13.15 The Provider shall delete all of the Patient Data provided by the Customer after the end of the provision of Services relating to the processing, and shall delete all existing copies, save to the extent that such data is also the Patient Data of another Customer.
13.16 The Provider shall allow for and contribute to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer in respect of the compliance of the Provider’s processing of Patient Data with the Data Protection Laws and this Clause 13. The Provider may charge the Customer at its standard time-based charging rates for any work additional to the standard GDPR work required to do business within the EU, performed by the Provider at the request of the Customer pursuant to this Clause 13.16.
13.17 If any changes or prospective changes to the Data Protection Laws result or will result in one or both parties not complying with the Data Protection Laws in relation to processing of Personal Data carried out under this Agreement, then the parties shall use their best endeavours promptly to agree such variations to this Agreement as may be necessary to remedy such non-compliance.
14. Warranties
14.1 The Provider warrants to the Customer that:
(a) the Provider has the legal right and authority to enter into this Agreement and to perform its obligations under this Agreement;
(b) the Provider will comply with all applicable legal and regulatory requirements applying to the exercise of the Provider’s rights and the fulfilment of the Provider’s obligations under this Agreement; and
(c) the Provider has or has access to all necessary know-how, expertise and experience to perform its obligations under this Agreement.
14.2 The Provider warrants to the Customer that:
(a) the Platform and Services will conform in all material respects with the Services Specification; and
(b) the Platform will incorporate security features reflecting the requirements of good industry practice.
14.3 The Provider warrants to the Customer that the Services, when used by the Customer in accordance with this Agreement, will not breach any laws, statutes or regulations applicable under English law.
14.4 The Provider warrants to the Customer that the Services, when used by the Customer in accordance with this Agreement, will not infringe the Intellectual Property Rights of any person in any jurisdiction and under any applicable law.
14.5 If the Provider reasonably determines, or any third party alleges, that the use of the Services by the Customer in accordance with this Agreement infringes any person’s Intellectual Property Rights, the Provider may at its own cost and expense:
(a) modify the Services in such a way that they no longer infringe the relevant Intellectual Property Rights; or
(b) procure for the Customer the right to use the Services in accordance with this Agreement.
14.6 The Customer warrants to the Provider that it has the legal right and authority to enter into this Agreement and to perform its obligations under this Agreement.
14.7 All of the parties’ warranties and representations in respect of the subject matter of this Agreement are expressly set out in this Agreement. To the maximum extent permitted by applicable law, no other warranties or representations concerning the subject matter of this Agreement will be implied into this Agreement or any related contract.
15. Acknowledgements and warranty limitations
15.1 The Customer acknowledges that complex software is never wholly free from defects, errors and bugs; and subject to the other provisions of this Agreement, the Provider gives no warranty or representation that the Services will be wholly free from defects, errors and bugs.
15.2 The Customer acknowledges that complex software is never entirely free from security vulnerabilities; and subject to the other provisions of this Agreement, the Provider gives no warranty or representation that the Services will be entirely secure.
15.3 The Customer acknowledges that the Services are designed to be compatible only with that software and those systems specified as compatible in the Services Specification; and the Provider does not warrant or represent that the Services will be compatible with any other software or systems.
15.4 The Customer acknowledges that the Provider will not provide any legal, financial, accountancy or taxation advice under this Agreement or in relation to the Services; and, except to the extent expressly provided otherwise in this Agreement, the Provider does not warrant or represent that the Services or the use of the Services by the Customer will not give rise to any legal liability on the part of the Customer or any other person.
16. Limitations and exclusions of liability
16.1 Nothing in this Agreement will:
(a) limit or exclude any liability for death or personal injury resulting from negligence;
(b) limit or exclude any liability for fraud or fraudulent misrepresentation;
(c) limit any liabilities in any way that is not permitted under applicable law; or
(d) exclude any liabilities that may not be excluded under applicable law.
16.2 The limitations and exclusions of liability set out in this Clause 16 and elsewhere in this Agreement:
(a) are subject to Clause 16.1; and
(b) govern all liabilities arising under this Agreement or relating to the subject matter of this Agreement, including liabilities arising in contract, in tort (including negligence) and for breach of statutory duty, except to the extent expressly provided otherwise in this Agreement.
16.3 The Provider shall not be liable to the Customer in respect of any losses arising out of a Force Majeure Event.
16.4 The Provider shall not be liable to the Customer in respect of any loss of profits or anticipated savings.
16.5 The Provider shall not be liable to the Customer in respect of any loss of revenue or income.
16.6 The Provider shall not be liable to the Customer in respect of any loss of use or production.
16.7 The Provider shall not be liable to the Customer in respect of any loss of business, contracts or opportunities.
16.8 The Provider shall not be liable to the Customer in respect of any loss or corruption of any data, database or software; providing that this Clause 16.8 shall not protect the Provider unless the Provider has fully complied with its obligations under Clause 7.3.
16.9 The Provider shall not be liable to the Customer in respect of any special, indirect or consequential loss or damage.
16.10 The liability of the Provider to the Customer under this Agreement in respect of any event or series of related events shall not exceed the greater of:
(a) £10,000; and
(b) the total amount paid and payable by the Customer to the Provider under this Agreement in the 12 month period preceding the commencement of the event or events.
16.11 The aggregate liability of the Provider to the Customer under this Agreement shall not exceed the greater of:
(a) £10,000; and
(b) the total amount paid and payable by the Customer to the Provider under this Agreement in the 12 month period preceding the commencement of the event or events.
17. Force Majeure Event
17.1 If a Force Majeure Event gives rise to a failure or delay in either party performing any obligation under this Agreement, that obligation will be suspended for the duration of the Force Majeure Event.
17.2 A party that becomes aware of a Force Majeure Event which gives rise to, or which is likely to give rise to, any failure or delay in that party performing any obligation under this Agreement, must:
(a) promptly notify the other; and
(b) inform the other of the period for which it is estimated that such failure or delay will continue.
17.3 A party whose performance of its obligations under this Agreement is affected by a Force Majeure Event must take reasonable steps to mitigate the effects of the Force Majeure Event.
18. Termination
18.1 Either party may terminate this Agreement by giving to the other party at least 30 days’ written notice of termination.
18.2 Either party may terminate this Agreement immediately by giving written notice of termination to the other party if the other party commits a material breach of this Agreement.
18.3 Either party may terminate this Agreement immediately by giving written notice of termination to the other party if:
(a) the other party:
(i) is dissolved;
(ii) ceases to conduct all (or substantially all) of its business;
(iii) is or becomes unable to pay its debts as they fall due;
(iv) is or becomes insolvent or is declared insolvent; or
(v) convenes a meeting or makes or proposes to make any arrangement or composition with its creditors;
(b) an administrator, administrative receiver, liquidator, receiver, trustee, manager or similar is appointed over any of the assets of the other party;
(c) an order is made for the winding up of the other party, or the other party passes a resolution for its winding up (other than for the purpose of a solvent company reorganisation where the resulting entity will assume all the obligations of the other party under this Agreement); or
(d) if that other party is an individual:
(i) that other party dies;
(ii) as a result of illness or incapacity, that other party becomes incapable of managing his or her own affairs; or
(iii) that other party is the subject of a bankruptcy petition or order.
19. Effects of termination
19.1 Upon the termination of this Agreement, all of the provisions of this Agreement shall cease to have effect, save that the following provisions of this Agreement shall survive and continue to have effect (in accordance with their express terms or otherwise 5 years): Clauses 1, 4.11, 8, 11.2, 11.4, 12, 13.1, 13.3, 13.4, 13.5, 13.6, 13.7, 13.8, 13.9, 13.10, 13.11, 13.12, 13.13, 13.14, 13.15, 13.16, 13.17, 16, 19, 22 and 23.
19.2 Except to the extent that this Agreement expressly provides otherwise, the termination of this Agreement shall not affect the accrued rights of either party.
19.3 Within 30 days following the termination of this Agreement for any reason:
(a) the Customer must pay to the Provider any Charges in respect of Services provided to the Customer before the termination of this Agreement; and
(b) the Provider must refund to the Customer any Charges paid by the Customer to the Provider in respect of Services that were to be provided to the Customer after the termination of this Agreement,
without prejudice to the parties’ other legal rights.
20. Notices
20.1 Any notice from one party to the other party under this Agreement must be given by email and optionally by one of the following additional methods (using the relevant contact details set out in Clause 20.2):
(a) sent by recorded signed-for post, in which case the notice shall be deemed to be received 2 Business Days following posting,
providing that, if the stated time of deemed receipt is not within Business Hours, then the time of deemed receipt shall be when Business Hours next begin after the stated time.
20.2 The Provider’s contact details for notices under this Clause 20 are as follows: admin@cypherit.co.uk, The Factory, 14 Alder Hills, Poole, BH12 4AS.
20.3 The addressee and contact details set out in Clause 20.2 may be updated from time to time by a party giving written notice of the update to the other party in accordance with this Clause 20.
21. Subcontracting
21.1 Subject to any express restrictions elsewhere in this Agreement, the Provider may subcontract any of its obligations under this Agreement, providing that the Provider must give to the Customer, promptly following the appointment of a subcontractor, a written notice specifying the subcontracted obligations and identifying the subcontractor in question.
21.2 The Provider shall remain responsible to the Customer for the performance of any subcontracted obligations.
21.3 Notwithstanding the provisions of this Clause 21 but subject to any other provision of this Agreement, the Customer acknowledges and agrees that the Provider may subcontract to any reputable third party hosting business the hosting of the Platform and the provision of services in relation to the support and maintenance of elements of the Platform.
22. General
22.1 No breach of any provision of this Agreement shall be waived except with the express written consent of the party not in breach.
22.2 If any provision of this Agreement is determined by any court or other competent authority to be unlawful and/or unenforceable, the other provisions of this Agreement will continue in effect. If any unlawful and/or unenforceable provision would be lawful or enforceable if part of it were deleted, that part will be deemed to be deleted, and the rest of the provision will continue in effect (unless that would contradict the clear intention of the parties, in which case the entirety of the relevant provision will be deemed to be deleted).
22.3 This Agreement may not be varied except by a written document signed by or on behalf of each of the parties.
22.4 Neither party may without the prior written consent of the other party assign, transfer, charge, license or otherwise deal in or dispose of any contractual rights or obligations under this Agreement.
22.5 This Agreement is made for the benefit of the parties, and is not intended to benefit any third party or be enforceable by any third party. The rights of the parties to terminate, rescind, or agree any amendment, waiver, variation or settlement under or relating to this Agreement are not subject to the consent of any third party.
22.6 Subject to Clause 16.1, this Agreement shall constitute the entire agreement between the parties in relation to the subject matter of this Agreement, and shall supersede all previous agreements, arrangements and understandings between the parties in respect of that subject matter.
22.7 This Agreement shall be governed by and construed in accordance with English law.
22.8 The courts of England shall have exclusive jurisdiction to adjudicate any dispute arising under or in connection with this Agreement.
23. Interpretation
23.1 In this Agreement, a reference to a statute or statutory provision includes a reference to:
(a) that statute or statutory provision as modified, consolidated and/or re-enacted from time to time; and
(b) any subordinate legislation made under that statute or statutory provision.
23.2 The Clause headings do not affect the interpretation of this Agreement.
23.3 References in this Agreement to “calendar months” are to the 12 named periods (January, February and so on) into which a year is divided.
23.4 In this Agreement, general words shall not be given a restrictive interpretation by reason of being preceded or followed by words indicating a particular class of acts, matters or things.
Execution
The parties have indicated their acceptance of this Agreement and the Data Processing Agreement by agreeing online, such acceptance, and the date of acceptance by each party, being recorded against the Customer’s account.
Schedule 3 (Data Processing Agreement)
This GDPR Data Processing Agreement (“DPA”) is for hospitals, clinics, radiologists, dentists and other healthcare service providers entering into a Business-to-Business (B2B) relationship with ourselves where we are Data Processor or sub-processor and forms part of the Terms of Service available at https://sharemyxray.com/tos-b2b/ or such other location as the Terms of Service may be posted from time to time (as applicable, the “Agreement”), entered into by and between the Customer and Cypher Information Technology Ltd. (“Cypher IT”), pursuant to which Customer has accessed Cypher IT’s Services as defined in the applicable Agreement. The purpose of this DPA is to reflect the parties’ agreement with regard to the processing of personal data in accordance with the requirements of Data Protection Legislation as defined below.
This Data Processing Agreement (DPA) does not apply to Patients registered with an account on the ShareMyXray platform, who enter into a Business-to-Consumer (B2C) relationship directly with ourselves such that we are Data Controller for their Personal Data. For Patients’ Terms of Service refer to https://sharemyxray.com/tos-patients
If the Customer entity entering into this DPA has executed an order form or statement of work with Cypher IT pursuant to the Agreement (an “Ordering Document”), but is not itself a party to the Agreement, this DPA is an addendum to that Ordering Document and applicable renewal Ordering Documents. If the Customer entity entering into this DPA is neither a party to an Ordering Document nor the Agreement, this DPA is not valid and is not legally binding. Such entity should request that the Customer entity that is a party to the Agreement executes this DPA.
This DPA shall not replace or supersede any agreement or addendum relating to processing of personal data negotiated by Customer and referenced in the Agreement, and any such individually negotiated agreement or addendum shall apply instead of this DPA.
In the course of providing the Services to Customer pursuant to the Agreement, Cypher IT may process personal data on behalf of Customer. Cypher IT agrees to comply with the following provisions with respect to any personal data submitted by or for Customer to the Application Services or collected and processed by or for Customer through the Application Services. Any capitalized but undefined terms herein shall have the meaning set forth in the Agreement.
Data Processing Terms
In this DPA, “Data Protection Legislation” means European Directives 95/46/EC and 2002/58/EC (as amended by Directive 2009/136/EC) and any legislation and/or regulation implementing or made pursuant to them, or which amends, replaces, re-enacts or consolidates any of them (including the General Data Protection Regulation (Regulation (EU) 2016/279)), and all other applicable laws relating to processing of personal data and privacy that may exist in any relevant jurisdiction.
“data controller”, “data processor”, “data subject”, “personal data”, “processing”, and “appropriate technical and organisational measures” shall be interpreted in accordance with applicable Data Protection Legislation;
The parties agree that Customer is the data controller and that Cypher IT is its data processor in relation to personal data that is processed in the course of providing the Application Services. Customer shall comply at all times with Data Protection Legislation in respect of all personal data it provides to Cypher IT pursuant to the Agreement.
The subject-matter of the data processing covered by this DPA is the Application Services ordered by Customer either through Cypher IT’s websites (sharemyxray.com, bbrad.net or cypherit.co.uk), or through an Ordering Document provided by the Customer to Cypher IT, or as additionally described in the Agreement or the DPA. For VNA, Data Migration and bbRad Gateway Services, Cypher IT will not process any Patient Data except on receipt of a specific support request from Customer to do so. The processing will be carried out until the term of Customer’s ordering of the Application Services ceases, or until the support request is closed in the case of VNA, Data Migration and bbRad Gateway Services. Further details of the data processing are set out in Annex 1 below.
In respect of personal data processed in the course of providing the Application Services, Cypher IT:
Shall process the personal data only in accordance with the documented instructions from Customer (as set out in this DPA or the Agreement, or as otherwise notified by Customer to Cypher IT from time to time);
If Cypher IT is required to process the personal data for any other purpose provided by applicable law to which it is subject, Cypher IT will inform Customer of such requirement prior to the processing unless that law prohibits this;
Shall not validate the Data Protection legitimacy of Patient Data transfers initiated by the Customer, as Data Controller, on the ShareMyXray or bbRad Services platforms, and the Customer indemnifies Cypher IT against fines or costs of enforcement orders in respect of such Customer-initiated transfers; notwithstanding this, Cypher IT will notify Customer without undue delay if, in Cypher IT’s opinion, any other instruction for the processing of personal data given by Customer infringes applicable Data Protection Legislation;
Shall implement and maintain appropriate technical and organisational measures designed to protect the personal data against unauthorised or unlawful processing and against accidental loss, destruction, damage, theft, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful processing, accidental loss, destruction, damage or theft of the personal data and having regard to the nature of the personal data which is to be protected;
May hire other companies to provide limited services on its behalf, provided that Cypher IT complies with the provisions of this Clause. Any such subcontractors will be permitted to process personal data only to deliver the services Cypher IT has retained them to provide, and they shall be prohibited from using personal data for any other purpose. Cypher IT remains responsible for its subcontractors’ compliance with the obligations of this DPA. Any subcontractors to whom Cypher IT transfers personal data will have entered into written agreements with Cypher IT requiring that the subcontractor abide by terms substantially similar to this DPA. The list of subcontractors available to the Customer is set out in Annex 1, section 5 ‘Sub-processors of Personal Data’. If Customer requires prior notification of any updates to the list of subprocessors, Customer can request such notification in writing by emailing support@cypherit.co.uk. Cypher IT will update the list within thirty (30) days of any such notification if Customer does not legitimately object within that timeframe. Legitimate objections must contain reasonable and documented grounds relating to a subcontractor’s non-compliance with applicable Data Protection Legislation. If, in Cypher IT’s reasonable opinion, such objections are legitimate, the Customer may, by providing written notice to Cypher IT, terminate the Agreement.
Shall ensure that all Cypher IT personnel required to access the personal data are informed of the confidential nature of the personal data and comply with the obligations set out in this Clause;
At the Customer’s request and cost (and insofar as is possible), shall assist the Customer by implementing appropriate and reasonable technical and organisational measures to assist with the Customer’s obligation to respond to requests from data subjects under Data Protection Legislation (including requests for information relating to the processing, and requests relating to access, rectification, erasure or portability of the personal data) provided that Cypher IT reserves the right to reimbursement from Customer for the reasonable cost of any time, expenditures or fees incurred in connection with such assistance;
When the General Data Protection Regulation (Regulation (EU) 2016/279) comes into effect, shall take reasonable steps at the Customer’s request and cost to assist Customer in meeting Customer’s obligations under Articles 32 to 36 of that regulation, taking into account the nature of the processing under this DPA, provided that Cypher IT reserves the right to reimbursement from Customer for the reasonable cost of any time, expenditures or fees incurred in connection with such assistance;
At the end of the applicable term of the Application Services, upon Customer’s request, shall securely destroy personal data held;
May, itself or through its sub-processors, transfer personal data from the EEA to the US for the purposes of this DPA pursuant to the EU-US Privacy Shield, provided that Cypher IT or the sub-processors maintain certification under the EU-US Privacy Shield and comply with the EU General Data Protection Regulation (GDPR);
Shall allow Customer and its respective auditors or authorised agents to conduct audits or inspections during the term of the Agreement, which shall include providing reasonable access to the premises, resources and personnel used by Cypher IT in connection with the provision of the Application Services, and provide all reasonable assistance in order to assist Customer in exercising its audit rights under this Clause. The purposes of an audit pursuant to this Clause include verifying that Cypher IT is processing personal data in accordance with its obligations under the DPA and applicable Data Protection Legislation. Notwithstanding the foregoing, such audit shall consist solely of: (i) the provision by Cypher IT of written information (including, without limitation, questionnaires and information about security policies) that may include information relating to subcontractors; and (ii) interviews with Cypher IT’s IT personnel. Such audit may be carried out by Customer or by an inspection body composed of independent members in possession of the required professional qualifications and bound by a duty of confidentiality. For the avoidance of doubt, no access to any part of Cypher IT’s IT systems, data hosting sites or centres, or infrastructure will be permitted;
If Cypher IT becomes aware of any accidental, unauthorised or unlawful destruction, loss, alteration, or disclosure of, or access to the personal data that is processed by Cypher IT in the course of providing the Application Services (an “Incident”) under the Agreement it shall without undue delay notify Customer and provide Customer (as soon as possible) with a description of the Incident as well as periodic updates to information about the Incident, including its impact on Customer Content. Cypher IT shall additionally take action to investigate the Incident and reasonably prevent or mitigate the effects of the Incident;
Cypher IT shall provide information requested by Customer to demonstrate compliance with the obligations set out in this DPA.
Annex 1 (Data Processing Agreement)
0. Subject Matter of the Processing
Patient Data sent to, from or between ShareMyXray Customers; for bbRad Customers Patient Data relating to specific support requests.
Customer Personal Data, to maintain Provider’s normal business relations with the Customer and institutions it shares Patient Data with.
Processing is compressing, encrypting and routing Patient Data, on instruction from the Customer as Data Controller, to share Patient Data between institutions.
1. Categories of data subject
Patient Data including patients, non-patient clients and clinical trials.
Customer Personal Data including person identifiable information regarding staff, suppliers, customers, agents and representatives.
2. Types of Personal Data
Patient Data includes medical images, clinical reports, clinical request details, names, addresses, dates of birth, patient identifiers and similar metadata.
Customer Personal Data includes names, roles, contact details and, where they are also application users, browser/machine details of Customer’s staff, suppliers, agents, customers and representatives.
3. Purposes of processing
To support the Customer as Data Controller to share its patients’ medical images and metadata between institutions.
4. Security measures for Patient Data and Customer Personal Data
Patient Data
All Patient Data are always strongly encrypted, both in transit and at rest.
Provider’s staff and agents have no access to Patient Data unless specifically required for their role in accordance with this Agreement.
Provider’s global system accounts do not give access to Patient Data.
Provider’s per-Customer system accounts that do give access to Patient Data may only be used upon request by the Customer, and only where needed for the support request in question.
Provider staff contracts specify that Patient Data must not be accessed unless required by both the staff member’s job role and a specific support request, and identify breach of this obligation as gross misconduct.
Patient Data (Studies) are deleted 30 days (or less) after last use.
When a Patient’s study is deleted, the key used to derive anonymised Provider data for activity and accounting purposes is deleted, making Provider accounting data irreversible.
Customer Personal Data
All Customer Personal Data are always strongly encrypted, both in transit and at rest.
Provider’s staff and agents have no access to Customer Personal Data unless specifically required for their role in accordance with this Agreement.
Emails are processed locally; upon download onto encrypted volumes they are immediately removed from the email hosting service.
Dormant Accounts, which may include Customer Personal Data, are deleted after 2 years.
Business records and emails, which may include Customer Personal Data, are retained for the duration of tax record-keeping requirements, currently 6 years.
5. Sub-processors of Personal Data
Sub-processors with access to Patient Data:
None
Suppliers handling only encrypted Patient Data but without access to that data (these are not sub-processors under GDPR but are included for completeness):
SolVPS (SolVPS)
Interactive Web Solutions Ltd (iWebFTP)
Sub-processors handling Customer Personal Data:
Zen Internet Ltd. Used for website and email accounts; they will have access to Customer email addresses and contact names only. Our DPA with them is https://www.zen.co.uk/resources/docs/default-source/document-library/global-documents/customer-data-processing-agreement_final.pdf
Mailchimp. Used for sending emails to Customers; they will have access to Customer email addresses and contact names only. Our DPA with them is https://mailchimp.com/en-gb/legal/data-processing-addendum/
MixPanel. Used for application activity measurement, development and improvement; they will have access to Customer email addresses, city and browser/machine details. Our DPA with them is https://mixpanel.com/legal/dpa/