INDEPENDENT CONTRACTOR AGREEMENT FOR HEALTH CARE PROVIDERS ("CONTRACTOR AGREEMENT")
INTRODUCTION
These Terms are the only terms or conditions which apply to contracts between BBLHD Ltd. or its Affiliates, as applicable (“we” / “us” / “32Co” / “32 Stories” / “32S”), and You (“Provider”, “Customer”).
You accept and are bound by all of the terms and conditions that are set forth in this Contractor Agreement by either clicking through this Contractor Agreement or by logging in to the 32Co website. These terms and conditions (these “Terms”) apply to the purchase and sale of 32Co products and services, including sales made through our websites https://www.32co.com, and / or any other web domain, app, system or software owned by 32Co or its Affiliates (the “Website”).
These Terms apply to all aspects of the relationship between 32Co and Customer from the time that Customer first accesses 32Co’s Website, whether to partake in learning & development, to place an order for Products or Services ("Customer Orders"), or to provide patient information for the purpose of placing such orders, or to obtain access to 32Co branding, vendor appliances or marketing materials.
These Terms are subject to change without prior written notice at any time, in 32Co’s sole discretion. The latest version of these terms will be posted on the Website, and You should review these Terms prior to purchasing any Product or Services.
You may not order or obtain products or services from 32Co if You (a) do not agree to these Terms, or (b) to the extent You are purchasing products or services from 32Co’s Website, are prohibited from accessing or using the site or any of the Website’s contents, products or services by applicable law.
In consideration of the mutual promises herein contained, the Parties agree as follows, and Provider accepts and agrees to all of the terms and conditions set forth herein by indicating electronically his or her acceptance:
INDEPENDENT CONTRACTOR.
32Co agrees to provide the professional services described herein as an independent contractor. It is mutually understood and agreed that 32Co is at all times acting and performing these duties and functions in the capacity of an independent contractor; that Provider shall neither have nor exercise any control or direction over the methods by which 32Co performs 32Co's services, nor shall Provider and 32Co be deemed partners. Provider shall have the right to determine what services shall be provided, but not the manner in which services shall be provided. Provider and 32Co recognize that Provider remains the sole treating doctor in all regards for all patients and, thus, after receiving any products or services from 32Co Provider is free to alter those products and services in accordance with the needs of Provider's patients or customers. It is expressly agreed by the Parties hereto that no work, act, commission, or omission by 32Co pursuant to the terms and conditions of this Contractor Agreement shall be construed to make or render 32Co the agent, employee, or servant of the Provider. The Parties also expressly agree that no work, act, commission, or omission by Provider shall be construed to make or render Provider the agent, employee, or servant of 32Co. Each Party shall be responsible for the payment of its own federal, state, and/or local taxes incurred as a result of this Contractor Agreement.
CUSTOMER
32Co’s Customer is the Provider whose 32Co customer identity number (allocated to a single individual only) is used to access the password protected 32Co Systems. If a practice or other legal entity with which the Provider works is named on 32Co invoice(s) and/or that practice pays 32Co’s invoices, then 32Co is entitled to assume that it is the Provider who uses 32Co’s Systems and places Customer Orders with the authorization of, for and on behalf of that entity (the “Practice” or “Clinic”). Under these circumstances, the Practice will also be 32Co’s Customer and the Provider and the Practice will be jointly and severally liable for obligations in these Terms which are obligations of the “Customer.” The Provider and the Practice must read and understand these Terms before downloading any materials or software, uploading Patient information or placing any Customer Order, because in each case, a contract will be formed and Customer will be bound by these Terms which will govern that contract.
LICENSURE AND PROFESSIONAL LIABILITY INSURANCE
As a condition of this Contractor Agreement, Provider shall maintain all applicable licenses and certification requirements and shall at all times during the term of this Contractor Agreement, meet all requirements of the State or Country, as appropriate, in which Provider resides or is located, and meet all requirements of other regulatory entities for such licensing, certification, or credentialing. Provider shall maintain in force throughout the term of this Contractor Agreement such policies of professional liability insurance as shall be required to qualify Provider for coverage under his or her state's Medical Malpractice Act or equivalent thereof (the "Act"), but in no event will Provider be covered for less than a million dollars (US$1,000,000.00) per occurrence. Provider shall insure that 32Co is held harmless against any claim or claims for damage arising by reason of personal injuries or death occasioned directly or indirectly in connection with the performance of any service provided hereunder in such amount as shall be required from time to time under the Act. Provider shall demonstrate proof of such insurance coverage by providing 32Co with a current certificate of insurance, which shows the applicable policy number, date of expiration, and name of the insurance carrier.
REPRESENTATIONS OF PROVIDER
Provider represents and warrants that the following are true (if applicable):
(a) Provider's license or certification in any state has never been suspended, revoked, restricted, or deemed to be probationary;
(b) Provider has never been reprimanded, sanctioned, or disciplined by any licensing or accrediting board;
(c) There has never been entered against Provider a final judgment in a professional liability action and no action, based on an allegation of professional liability or malpractice by the Provider has ever been settled by payment to the plaintiff;
(d) Provider has never been denied membership or reappointment of membership on the medical staff of any hospital, and no clinical privileges of the Provider have ever been suspended, curtailed, or revoked;
(e) As of the date hereof, Provider has not been the subject of any report or disclosure submitted to the National Practitioner Data Bank or national equivalent database. Provider shall notify 32Co immediately if the foregoing representation becomes untrue, or if Provider is notified by any licensing or accrediting board or other enforcement agencies that an investigation has begun which could lead to such sanction, debarment, or conviction;
(f) Provider has the necessary expertise, experience and training to properly perform procedures associated or in conjunction with clear aligner treatment, including the training at or following which access is provided to the Provider for the 32Co Portal;
(g) Provider is not purchasing or acquiring Products with the intent that they will be used by any other Dentist and/or for the benefit of any patient other than Customer's own Patient, or outside the EU (if originally shipped to the EU), or otherwise outside the country to which they are shipped by the Manufacturer;
(h) Provider will use the Products or devices only in accordance with generally accepted dental standards and as per the Manufacturer’s Instructions for Use (IFU) for the Products;
(i) Provider will be fully responsible, and directly and solely liable for the Clear Aligner treatment of the Patient, including the exercise of clinical judgment in the decision to use the Products, the accuracy of Patient Data submitted, the Patient's Treatment Plan, the continued use of the Products, the Patient’s on-going treatment, and achieving the desired outcome for the Patient;
(j) Provider will obtain a completed and signed Patient Informed Consent Form from each Patients any Clear Aligner treatment;
(k) Provider will ensure that Provider understands and properly assesses in relation to the particular Patient the clinical risks, and that the Patient is aware of the risks relevant to their own treatment prior to commencing their Clear Aligner treatment;
(l) Provider will regularly review the 32Co Website to verify Provider is aware of any changes to the Contractor Agreement, to 32Co’s Art and Advertising Standards/Brand Guidelines for 32Co Providers (where applicable), to the Advertising Agreement (where applicable), or the 32Co Practice Marketing Guide (where applicable);
(m) Provider will comply with any provision of 32Co’s Art and Advertising Standards/Brand Guidelines for 32Co Providers (where applicable), or with any term of the Advertising Agreement (where applicable);
(n) Provider will do nothing inconsistent with or adverse to 32Co’s trademark rights, patent rights, copyrights, trade secrets or other intellectual property rights;
(o) Provider will provide, upon request, feedback regarding the status of any Patient's treatment, details of their experience and Customer's 32Co treatment experience, and the success of the 32Co Service(s) or Product(s);
(p) Provider will promptly notify 32Co, and in any event within 10 days, of any event (in all available detail) relating to Product use on any Patient which 32Co and/or Customer is required to notify to any governmental or regulatory authority;
(q) Provider understands that their Unique ID, username or unique identifier (“Customer ID”) is to be used only by a single Provider;
(r) Provider will only use the Products and Services in relation to the Patient they were ordered for.
(s) If Provider participates in professional discussions facilitated by 32Co or at which 32Co representatives are present ("Discussion"), Provider shall obtain the legally required form of consent from every Patient whose images, personal data, sensitive data, or treatment or any other details are shared by Provider. Provider acknowledges that Provider's participation in the Discussion is solely for professional development and Provider will not copy, retain, share or use any patient or other confidential material obtained by Provider through the Discussion.
COMPLIANCE WITH LAWS
Provider agrees to comply with all national, federal and state laws or regulations applicable to the services to be provided under this Contractor Agreement. The Parties further agree that they will protect and secure the privacy and confidentiality of patient information and will comply with the requirements contained in the ‘Schedule No. 1’, which is set forth below.
MEDICAL RECORDS
Provider agrees to complete all required charting in the medical record in a prompt and timely manner. Provider is responsible for securing all consent from patients required by law in order for records to be disclosed to 32Co in accordance with these Terms. For the avoidance of doubt, such consent should include approval for transmission of records to a jurisdiction outside of the United States or the European Economic Area. 32Co shall have such right of access to such reports, records, and supporting documentation as necessary for the provision of professional services hereunder. 32Co shall also have the right to maintain a copy of all reports, records, and supporting documents for archival purposes.
32Co will comply with the applicable requirements of relevant laws, which may include obligations to provide personal information that 32Co holds about a patient to such patient on request by such patient. When 32Co processes personal data from EU patients, 32Co will comply with the EU patient’s additional data subject rights, including the rights of the patient over his or her data to: i) correct or change outdated personal data; ii) object to, restrict, or limit processing of personal data; iii) request deletion of all or some personal data; and iv) request a portable copy of personal data.
Subject to applicable law, records submitted to 32Co or reports and supporting documents created by 32Co become the property of 32Co and will not be returned to Provider. For cases shipped to 32Co from a US address, 32Co may choose to return material to the doctor. Records such as impressions and intra-oral scans require inspection, and 32Co may deem such records unacceptable. If deemed unacceptable, 32Co may request replacement records.
32Co will maintain physical materials such as impressions and study models only for a short time period, until they are discarded and/or archived at the discretion of 32Co.
Subject to applicable law, Provider authorizes 32Co to use records, including but not limited to, impressions and intra-oral scans, patient information, radiographs (x-rays), photographs and plaster or stone models for internal use, purposes of orthodontic or dental consultations, education and research purposes, publication in professional journals or use in professional collateral materials, provided such use does not include disclosure of a specific name, patient ID, address, or other personal information that would have the effect of specifically identifying Provider or the patient, unless the appropriate consents are obtained.
PRODUCTS AND SERVICES
For purchases of products (“Products”, or an individual "Product") and/or related services (“Services”), except where we have expressly otherwise agreed in writing.
32Co agrees to provide the following professional health care services (and only the following professional healthcare services) as requested by Provider: (a) diagnosis, assessment or triage based on the completeness and accuracy of the information that You provide to 32Co; (b) treatment plan for orthodontics based on the information that You provide to 32Co; and (c) if requested, then orthodontic appliances. 32Co agrees to perform such services, at all times, in strict accordance with currently approved and accepted methods and practices in the profession. 32Co further agrees to provide services in a professional, timely, and competent manner. After receiving any products or services from 32Co, Provider is free to alter those products and services in accordance with the needs of Provider's patients or customers. 32Co does not provide any warranties or guarantees regarding any treatment or treatment outcomes or the quality of the advice or the Treatment Plans, treatment options and/or products or services, whether express, implied, statutory or otherwise. 32Co specifically disclaims all implied warranties of design, merchantability, fitness for a particular purpose and non-infringement and any other implied warranties.
Orthodontic appliances (including replacements), if manufactured by 32Co will (i) conform to their description, (ii) be free from defects in material and workmanship, and (iii) be of satisfactory quality within the industry until the Treatment Expiration Date for aligners. All warranties are void if the aligners have been misused, modified or been used in combination with third party products. No warranty is made regarding the outcome of any treatment using the aligners, or any combination of the products with third party products, whether or not with any 32Co services.
No representative, employee or agent of 32Co is authorized to give any other warranties on behalf of 32Co or modify the limitations or exclusions set forth in the Agreement. The warranties in this clause 7 are the sole warranties for the products, and all other express or implied warranties are disclaimed, including implied warranties of merchantability, fitness for a particular purpose, title and non-infringement.
Where 32Co (i) cannot exclude any express or implied condition or warranty or Rights, or (ii) the Aligner Trays fail to conform to the warranty in this Section, then 32Co’s sole and exclusive liability (other than in circumstances where by law, liability cannot be limited) and Provider’s sole and exclusive remedy is, at the sole discretion of 32Co, (a) to repair or replace the products or (b) to pay the cost of having those products repaired or replaced.
Each party acknowledges that local, state, and federal laws may imply certain conditions and warranties into these Terms and confer certain rights and remedies on Provider that cannot be excluded or modified (“Rights”). Nothing in this Section or otherwise in these Terms excludes or modifies any of those rights if to do so would contravene such rights or make any part of these Terms void.
THIRD-PARTY SERVICES
If Provider requests manufacture or approves an order through independent manufacturing services, the 32Co Website provides access to services available through independent third parties, via the Manufacturing Marketplace (the “Marketplace”). If third party services are used, the sharing of any records or medical information must adhere to, and it is Provider’s responsibility to ensure compliance with, the 32Co Website Terms and Conditions and all applicable privacy and health laws and other relevant laws and regulations in the jurisdiction(s) in which Provider is licensed and practices, including, where applicable, the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and the General Data Protection Regulation 2016/679 of the European Union (“GDPR”), and all amendments thereto. Provider’s compliance obligations for sharing patient data as part of third-party manufacturing services include, where required by applicable law, patient consent or, where permissible, an alternative, legally valid mechanism by which to share patient data.
When Customer purchases any Product through the Marketplace, Customer will buy directly from the relevant third party and the contractual relationship in relation to the sale will be only between Provider and that third party manufacturer. 32Co will not be a party to it. The relevant third party will be responsible for the sale, delivery and other after-sale care and 32Co’s role is limited to acting as commercial agent to conclude the sale by accepting Customer’s order and collecting, or arranging for the collection of, Customer payment on behalf of that third party.
32Co’s receipt of full payment from Customer will discharge Customer debt to the relevant third party in respect of that order.
Though 32Co may assist with certain practical issues on behalf of the relevant third party manufacturer, 32Co does not have any contractual obligations to Customer and Customer does not have any contractual rights against 32Co regarding any Product sold through 32Co by any third party manufacturer.
The price of Products (each a “Product Price” and collectively “Product Prices”) varies according to the Product selected.
Product Prices and delivery costs are liable to change at any time, but changes will not affect orders in respect of which Customer has already been sent an Order Confirmation.
Any advice, pertaining to patient treatment or otherwise, given by an Orthodontist, Clinical Instructor, Mentor, or 32Co Clinical Support Staff is the personal opinion of that individual and has not been reviewed, confirmed, or approved by 32Co. It is Provider’s responsibility to ensure that information or advice obtained through the various support channels are correct, proper, and suitable either in general or for a particular patient. 32Co does not make any representations regarding the level of experience, competency, expertise, or qualifications of Customer Support staff, or the opinions of other Customers of 32Co in any community space. 32Co presents community information, case studies and advice only as a convenience to trained providers. Provider is under no obligation to adopt or follow any advice, comments or suggestions provided in relation to the treatment of Customer's Patients. Customer must exercise Customer's own professional judgment on making the final decision on whether and how to proceed with the treatment of Provider's Patient.
32Co assumes no liability or responsibility for treatment plans developed with a third party, the associated outcome of such third-party treatment planning services or consequential loss under English law.
The Services provided through the Website are provided by third parties who have met 32Co’s minimum quality of service requirements, including local regulatory requirements.
Customer’s use of Marketplace Services is voluntary and at Customer’s sole risk. 32Co has no control over and does not guarantee (i) the existence, quality, safety, suitability, or legality of any third party appliance listings, (ii) the truth or accuracy of any Listing descriptions, ratings, reviews, or other information about Customer including, without limitation, Customer name, likeness, biographical information, or (iii) the performance or conduct of any third party. 32Co does not endorse any third party manufacturer or Listing. Customer should always exercise due diligence and care when deciding whether to use a third party manufacturer, or communicate and interact with other users of Marketplace.
Marketplace Services may contain links to third-party websites or resources (“Third-Party Services”). Such Third-Party Services may be subject to different terms and conditions and privacy practices. 32Co is not responsible or liable for the availability or accuracy of such Third-Party Services, or the content, products, or services available from such Third-Party Services. Links to such Third-Party Services are not an endorsement by 32Co of such Third-Party Services.
32Co does not guarantee the continuous and uninterrupted availability and accessibility of 32Co Marketplace.
32Co may improve, enhance, modify or restrict the availability of Marketplace or certain areas or features thereof for any reason in its sole discretion with no further notice to you.
Third party feedback and performance will be continuously reviewed to maintain a high standard for 32Co’s Customer; any third party not adhering to 32Co’s requirements shall be removed from the platform.
CUSTOMER ORDERS AND CONTRACT RATE
If Customer accesses 32Co's IT systems or uses 32Co software, including any 32Co website, the Customer does so with the permission of 32Co, for the purpose of a good faith relationship with 32Co, for ordering Products or Services offered by 32Co from time to time.
32Co shall be compensated for services performed under this Contractor Agreement as set forth in the order confirmation page when Customer confirms the order with 32Co and / or click acceptance to this Contractor Agreement. Once an order has been submitted by Provider using the Website, or other acceptable means at the discretion of 32Co, the order is considered binding.
32Co reserves the right, at its option and without liability, to refuse any Customer Order in whole or in part. 32Co is not liable for quality issues, shipping delays, or incorrectly processed orders brought about by third parties.
Unsuitable Case Fees. If the 32Co Orthodontist advises that the case is not suitable for orthodontics or clear aligner therapy and should be either referred to an external orthodontist or not go ahead, the case will be cancelled and subject to a fee for assessment of the case submission.
Returning Products: Returns are at the discretion of 32Co. Customer is responsible for Products being returned to 32Co within the applicable time period. All returns should be completed via a reputable courier who provides insurance for the full replacement value.
Cancellations. If the Customer does not approve the Treatment Plan, the Customer may cancel the case, subject to payment of cancellation fees.
The case will also be cancelled and subject to a cancellation fee if the Treatment Plan has been pending Provider approval for longer than 90 days, at 32Co’s sole discretion.
Additional charges for inbound and/or outbound shipping may be applied and due upon cancellation in all scenarios above.
Upon Provider’s approval of the treatment plans, all charges are non-refundable, and any cancellation of the binding order will incur the full applicable charges. Orders are subject to 32Co pricing as of the order receipt date, defined as the date and time Provider submits the completed order.
32Co may cancel a Customer Order at any time for any reason without liability.
The cancellation fee is immediately due from Provider.
BILLING
The Customer will pay all 32Co invoices as directed in the invoice in full and in Cleared funds. 32Co shall invoice Provider electronically or by other means. The order confirmation page or an applicable purchase order shall also serve as your invoice. By indicating your acceptance of your order, you are authorizing payment to 32Co.
Invoices are due within 30 days of the date of invoice unless otherwise mutually agreed in writing by the parties or as otherwise stated in the invoice. Time of payment is of the essence.
All prices are exclusive of all sales, use and excise taxes, and any other similar taxes, duties and charges of any kind imposed by any governmental authority on any amounts payable by Provider. Prices are inclusive of shipping unless stated otherwise in the Pricing Terms. Additional fees may apply if a shipping method is requested other than 32Co’s standard shipping procedure. Any fees or charges not specified as included in the price are explicitly excluded.
If any invoice (or any part of an invoice) remains unpaid at the due date for payment, such invoice will bear interest at the rate of 1.5% compounded monthly from the day after the due date for payment up to (and including) the date of payment of the invoice in full.
At 32Co’s sole discretion, 32Co might from time to time require full payment in advance of shipment. If this is the case, 32Co will notify Customer no later than the date that the Products would be expected to be shipped and invoiced and might at that time require payment in full before dispatching Products to Customer.
32Co might limit the amount of credit that it will extend to Customer from time to time.
If this occurs, the number of 32Co treatments and other Products and Services that Customer might order will be limited unless Customer has paid in advance for them.
32Co is not responsible for pricing, typographical, or other errors and 32Co reserves the right to cancel any Customer Orders arising from or containing such errors.
Customer shall pay all amounts due to 32Co in full without any setoff, counterclaim, deduction or withholding (except for any deduction or withholding required by law). 32Co may at any time, without limiting any other rights or remedies it may have, set off any amount owing to it by Customer against any amount payable by 32Co to Customer. 32Co does not accept payments from Patients, including payments in the Patient’s name forwarded by Customer or Customer's practice.
The Provider is responsible for payment of the 32Co invoices. In addition, and without prejudice to the responsibility of the Provider, the Practice, if named in the invoice or if the Practice habitually pays 32Co’s invoices, is jointly and severally liable with the 32Co Dentist for payment of 32Co invoices. 32Co may therefore claim payment of any sums owed under any agreement against the 32Co Dentist, personally and/or against the Practice.
Without limiting any other remedies or rights that 32Co may have, if Customer does not pay 32Co on time, 32Co may cancel or suspend any or all agreements with Customer.
This means that 32Co may cease its performance or not perform Services and may not provide Customer with or disable the Products or Services listed in any Customer Order placed (whether or not accepted) until Customer has paid all outstanding amounts owed to 32Co.
CONFIDENTIALITY
The Parties hereby acknowledge and agree that all services provided, and information exchanged under this Contractor Agreement shall be kept confidential and that neither Party shall disclose matters related to this Contractor Agreement without the expressed written consent of the other Party, unless required to disclose such information by statute, regulation or court order. In addition, during the term of this Contractor Agreement, each of the Parties hereto may receive intentionally or unintentionally certain proprietary and confidential information (which may include confidential medical information and records) not otherwise a part of public domain through no fault of a Party hereto ("Proprietary Information"), the disclosure of which would be extremely detrimental to the business affairs of the other. Therefore, each of the Parties hereto (for itself and its employees, agents and representatives) agrees to keep the Proprietary Information of the other in the strictest confidence and each agrees not to duplicate any Proprietary Information of the other and not to directly or indirectly divulge, disclose, reveal, report or transfer such Proprietary Information without the prior written consent of the other. This provision shall survive the termination of this Contractor Agreement.
INTELLECTUAL PROPERTY RIGHTS, TRADEMARKS
All rights in intellectual property (including all patents, trademarks, service marks, registered designs, utility models, design right, database rights, copyright (including copyright in software and computer algorithms), trade secrets and other confidential information, know-how, and all other intellectual and industrial property and rights of a similar or corresponding nature in any part of the world) in or relating to the Products, the Services, any materials, information, software, 32Co Systems, documents or items that 32Co prepares or produces for Customer or makes available to Customer will belong solely and exclusively to 32Co.
Nothing in these Global Terms & Conditions or any contract between 32Co and Customer Order shall be construed as 32Co assigning or agreeing to assign any intellectual property to Customer.
Customer will inform 32Co promptly if Customer becomes aware of any infringement of 32Co’s trademarks or other intellectual property rights by any person.
INDEMNITY
Provider agrees to indemnify, keep indemnified and hold harmless 32Co, its employees, officers, trustees, affiliates, agents, and representatives from and against any losses, costs, obligations, payments, damages, debts, liabilities, costs and expenses (including legal expenses), requests for relief or compensation of any kind, resulting from or relating to: (a) claims for bodily injury or property damage arising out of any services under this Contractor Agreement; (b) Customer's breach of any term of any agreement with 32Co; (c) Customer's breach of any term of any agreement between Customer and their Patient or any acts or failures in respect of a Patient; (d) Customer's provision of incorrect or incomplete information, documents or impressions to 32Co or any failure to timely provide 32Co with any information it requests from Customer or the Practice; (e) any and all dealings with national regulators, licensing or professional bodies in relation to Customer; and (f) any incorrect information, including specific case or treatment plan opinions or recommendations, provided by other Providers and doctors via the 32Co community; and (g) 32Co’s provision of or failure to provide products or services to Provider unless such provision of or failure to provide such products or services was due to 32Co’s negligence or recklessness.
TERM
This Contractor Agreement shall be effective beginning when Provider indicates acceptance of this Agreement.
TERMINATION
Either Party may terminate this Contractor Agreement by providing thirty (30) days prior, written notice to the other Party, or by mutual assent of the Parties. Either Party shall be entitled forthwith to terminate this Contractor Agreement by notice to the other if the other Party commits a material breach of any term of this Contractor Agreement and (if such breach is remediable) fails to remedy that breach within 14 days after being notified in writing to do so. 32Co may terminate this Contractor Agreement immediately if any of the representations of Provider in paragraphs 1.3, 1.4 or 9 of this Contractor Agreement become untrue.
NOTICE
Any notice required to be provided to any Party to this Contractor Agreement shall be considered effective as of the date that it is emailed to the other Party. For any notice sent to 32Co, Provider shall send the notice by email to legal@32Co.com. For any notice sent to Provider, 32Co shall send the notice by email to the email address that Provider has designated in the account that Provider has established with 32Co.ART AND ADVERTISING STANDARDS
Any use by Customer of 32 Stories or 32Co trademarks, logos or copyright materials is under a non-exclusive license as set out in and subject to 32Co's Art and Advertising Standards and Advertising Agreement which may be amended from time to time.ADDITIONAL DATA PROTECTION TERMS APPLICABLE TO THESE TERMS
The following data protection terms and conditions shall apply to these Terms:
Data Breaches: 32Co will notify Customer without undue delay if 32Co becomes aware of a verified Data Breach and keep Customer informed of any related developments. 32Co will take all reasonable steps to mitigate or negate the effects of any such Data Breach.
Subprocessing: Customer agrees that 32Co may subcontract its processing of Patient Data to Subprocessors (as defined below) provided that: (i) 32Co has in place a written agreement with the Subprocessor that requires it to process Patient Data only in accordance with these Terms and 32Co's Binding Corporate Rules; (ii) 32Co maintains a list of its current Subprocessor categories which it shall update with changes to any Subprocessors; and (iii) 32Co remains liable to Customer for ensuring that 32Co’s Subprocessors process Patient Data in accordance with this Term.
Customer may object to the appointment or replacement of a Subprocessor within 30 days of updating the list of current Subprocessors, provided such objection is based on reasonable grounds relating to data protection. In such event, 32Co will either (at 32Co’s discretion): (a) appoint an alternative Subprocessor; or (b) permit Customer to terminate this Contract.
Data transfers: 32Co shall only transfer Patient Data outside the EEA where it has taken such measures as are necessary to ensure the transfer is in compliance with applicable Data Protection Law.
Audit: From time to time, 32Co will submit 32Co’s data processing facilities, data files and documentation needed for processing Patient Data for audit. From time to time, 32Co will also take measures to verify the compliance of 32Co’s Subprocessors with the requirements of this Term.
Data protection impact assessment: if 32Co believes or becomes aware that its processing of Patient Data is likely to result in a high risk to the data protection rights and freedoms of data subjects, 32Co shall inform Customer and provide Customer with reasonable cooperation in connection with any data protection impact assessment that may be required under applicable Data Protection Law.
NO ASSIGNMENT
Provider understands that, from time to time, 32Co may enlist consultants or other independent contractors in providing professional services to Provider under this Contractor Agreement. Apart from this, neither this Contractor Agreement nor any rights or obligations hereunder shall be assigned by either Party without the prior written consent of the non-assigning Party.
NON-SOLICITATION
Provider understands and agrees that 32Co expends significant time and resources to train consultants, other independent contractors, or employees that, from time to time, provide professional services for 32Co. Consequently, for a period of two (2) years immediately following completion of services by 32Co, Provider agrees that Provider will not solicit any employee, consultant, or other independent contractor of 32Co. Provider further agrees that Provider shall not induce any employee, consultant, or other independent contractor of 32Co to terminate employment with 32Co or terminate or breach any contractual relationship between 32Co and the employee, consultant, or other independent contractor of 32Co. Because the value of the time and resources to train employees, consultants, or other independent contractors is difficult to quantify, if Provider breaches this Non-Solicitation provision of this Contractor Agreement, then Provider agrees to pay liquidated damages of one-hundred thousand dollars ($100,000.00) to 32Co, which Provider agrees is a reasonable amount to compensate 32Co for its damages.
ENTIRE AGREEMENT
This Agreement, along with the Schedules, any Addenda and the Agreement for Use of 32Co Website ("Website Agreement"), which is incorporated by reference in its entirety, constitutes the entire agreement of the Parties with respect to the matters contained herein, and supersedes any and all other discussions, statements, and understandings regarding such matters. To the extent that any provision of this Agreement irreconcilably conflicts with the Website Agreement, the provisions of the Website Agreement shall control. A publication of a revised Agreement and Provider's indication of acceptance shall be considered an execution of a written agreement.
NO THIRD-PARTY BENEFICIARIES
Nothing express or implied in this Contractor Agreement is intended to confer, nor shall anything herein confer, upon any person other than the Parties and the respective successors or permitted assigns of the Parties, any rights, remedies, obligations, or liabilities whatsoever.
SEVERABILITY
If any provision of this Contractor Agreement is held by a court of competent jurisdiction to be invalid, void, or unenforceable, the remaining provisions will nevertheless continue in full force without being impaired or invalidated in any way, and any invalid, void, or unenforceable provision shall be replaced to the maximum extent permitted by law with a valid and enforceable provision that most closely matches the intent of the original provision.
NO WAIVER
No provision of this Contractor Agreement shall be amended or waived unless it is in writing and signed by the Chief Executive Officer of 32Co (or their authorised representatives). Waiver of any provision on one occasion shall not apply to any other occasion. The waiver by 32Co of any particular default by Provider or any employee of 32Co, shall not affect or impair the rights of 32Co with respect to any subsequent default of the same or of a different kind by Provider or any employee of 32Co; nor shall any delay or omission by 32Co to exercise any right arising from any default by Provider affect or impair any rights that 32Co may have with respect to the same or any future default by Provider or any employee of 32Co.
MISC
Each Party to this Contractor Agreement acknowledges that no representations, inducements, promises, or agreements, orally or otherwise, have been made by either Party, or anyone acting on behalf of either Party, which are not embodied herein, and that no other arrangement, statement or promise not contained in this Contractor Agreement shall be valid or binding.
LAW AND JURISDICTION APPLICABLE TO THESE TERMS:
This Contractor Agreement and any non-contractual obligations arising from it or in connection with it shall in all respects be governed by and interpreted in accordance with the laws of England and Wales.
The Parties irrevocably agree that the Courts of England and Wales are to have exclusive jurisdiction over any dispute (a) arising from or in connection with this Contractor Agreement or (b) relating to any non-contractual obligations arising from or in connection with this Contractor Agreement.
LIMITATION OF LIABILITY
In no event shall 32Co be responsible to the Customer for the following losses, whether in contract, tort (including negligence), breach of statutory duty or otherwise: indirect losses, consequential losses, loss of income or revenue, loss of profit, third party claims, loss of business, loss of data (including patient data – 32Co expects that customer will have back-up copies or originals of any patient data customer provides to 32Co), loss of anticipated savings, or loss of any opportunity, arising from any claim for innocent or negligent misrepresentation or negligent misstatement based on any statement in the agreement. In no event will 32Co, its licensors or suppliers be liable to Provider or to any third party for any indirect, special, incidental, exemplary, punitive or consequential damages however caused and under any theory of liability whether in contract, tort, indemnity or other cause or theory whatsoever (including negligence, delay in delivery, injury to reputation, good will, etc.), whether or not 32Co has been advised of the possibility of such damage.
32Co's liability to Customer for breach of contract or tort (including negligence) or breach of statutory duty shall be limited to: in the case of loss or damage to physical property whilst we are on customer's premises or customer is on 32Co’s premises or on a third party's premises at 32Co's invitation, the sum of five thousand pounds (£5000) which is the amount we have estimated is the maximum value of property we might reasonably foresee might be damaged. Where products or services cause loss or damage to physical property, the sum of five thousand pounds (£5000), which is the amount we consider reasonable, given the nature of the products and services. The existence of one or more claims shall not expand such limit.
The following claims against 32Co and its employees, agents, contractors, officers or directors are hereby waived by Provider: (i) claims based on the failure of 32Co products or third party products to achieve a successful or desirable outcome; and (ii) injury to a patient, either alone or in combination with other treatment appliances.
FORCE MAJEURE
Neither party shall be in breach of this Contractor Agreement nor liable for delay in performing, or failure to perform, any of its obligations under this Contractor Agreement if such delay or failure results from events, circumstances or causes beyond its reasonable control including, without limitation, acts of God, riots, war or armed conflict, acts of terrorism, epidemic or pandemic, acts or orders of government, government or regulatory bodies, fire, flood, storm or earthquake. In such circumstances the affected party shall be entitled to a reasonable extension of the time for performing such obligations.
Schedule No.1 (UNITED STATES)
The Parties have entered into a written agreement ("Contractor Agreement") under which each of the Parties regularly receives, uses and/or discloses Protected Health Information ("PHI") in its performance of the services described in the Contractor Agreement. This Schedule No.1 is subject to the Contractor Agreement and sets forth the obligations and agreements of the Parties relating to compliance with the Standards for Privacy of Individually Identifiable Health Information ("the Privacy Regulation"), 45 C.F.R. Parts 160 and 164, and the Security Regulations (45 C.F.R. Parts 160, 162, and 164), promulgated under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), the Health Information Technology for Economic and Clinical Health ("HITECH"), and various statutes governing personally-identifiable information ("PII") and PHI. This Schedule No.1 applies to all PHI and PII created or received by 32Co from Provider or from another person or entity on behalf of Provider, and also all PHI and PII received by Provider from 32Co or from another person or entity on behalf of 32Co and governs how such PHI may be used or disclosed.
PERMITTED USES AND DISCLOSURES OF PROTECTED HEALTH INFORMATION ("PHI").
- 32Co shall be permitted to use and/or disclose PHI created or received on behalf of Provider, and Provider shall be permitted to use and/or disclose PHI received or created on behalf of 32Co, for all purposes necessary to provide the services and to perform its obligations under the Contractor Agreement, provided that said use and/or disclosure complies with the requirements of HIPAA. The Parties acknowledge that under the requirements of HITECH, the HIPAA Privacy and Security Regulations apply to 32Co and the additional privacy requirements set forth in HITECH apply to the Parties to the same extent that they apply to covered entities under HIPAA. The requirements of the HITECH statutes are incorporated herein by reference. In accordance with the applicable requirements of HITECH, any uses or disclosures of PHI must be limited, to the extent practicable, to the Limited Data Set, or, if needed to accomplish the purposes of this Schedule, to the minimum degree necessary to accomplish the intended purpose of such use or disclosure.
- Subject to clause i of this Schedule, the Parties may use PHI created or received, if necessary, for the proper management and administration of the operation of the Parties and to fulfill any current or future legal responsibilities of the Parties.
- Subject to clause i, the Parties may disclose PHI created or received, if necessary, for the proper management and administration of the operation of the Parties and to fulfill any current or future legal responsibilities of the Parties, provided:
- The disclosure is Required by Law, or
- The disclosing Party obtains satisfactory assurances from the person or entity to whom the PHI is disclosed that: (i) the PHI will be held confidentially and used or further disclosed only as Required by Law or for the purpose for which it was disclosed to the person or entity; and (ii) the disclosing Party will be notified of any instances of which the person is aware in which the confidentiality of the information is breached.
- As of the effective date of the applicable HITECH regulations, the Parties shall not directly or indirectly receive remuneration in exchange for any PHI of an individual unless the Parties have obtained from the individual a valid authorization that includes specification of whether the PHI can be further exchanged for remuneration by either of the Parties.
RESPONSIBILITIES OF PARTIES WITH RESPECT TO PROTECTED HEALTH INFORMATION ("PHI")
- Each Party agrees not to use or disclose PHI except as expressly permitted by this Schedule, HIPAA, or as Required by Law.
- Each Party hereby agrees to maintain the security and privacy of all PHI in a manner consistent with federal and state laws and regulations, including but not limited to the HIPAA Privacy Regulations and the Security Regulations (45 C.F.R. Parts 160, 162, and 164) and HITECH, and each Party further agrees to use appropriate safeguards and security procedures to prevent use or disclosure of PHI not permitted by this Schedule.
- Each Party shall not disclose PHI to any member of its workforce unless such member of its workforce has a need to use such PHI, and each Party has advised such person of the privacy and security obligations under this Schedule, including the consequences for violation of such obligations. Each Party shall take appropriate disciplinary action against any member of its workforce who uses or discloses PHI in violation of this Schedule or applicable law.
- Each Party shall require all of its subcontractors and agents that receive or use, or have access to, PHI under this Schedule to agree, in writing, to adhere to the same restrictions and conditions on the use or disclosure of PHI that apply pursuant to this Schedule.
- Each Party agrees to maintain a record of all disclosures of PHI, including disclosures not made for the purposes of this Schedule, and further agrees within ten (10) days of a written request from either Party, to provide to the requesting Party such information as is necessary to permit the other Party to respond to a request by an individual for an accounting of the disclosures of the individual's PHI in accordance with 45 C.F.R. Sec. 164.528. Each Party further agrees to comply with the requirements of HITECH to provide the other Party with an accounting of all disclosures made for treatment, payment and health care operations when the HITECH statute requiring such an accounting becomes applicable to the other Party. Each Party agrees to notify the other Party in advance of the applicability of this requirement.
- Each Party agrees to report any unauthorized use or disclosure of PHI by its workforce, agents, or subcontractors and the remedial action taken or proposed to be taken with respect to such use or disclosure in accordance with the specific provisions of this Schedule.
- Each Party agrees to make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of the United States Department of Health and Human Services, for purposes of determining compliance with HIPAA.
- Within thirty (30) days of a written request, each Party shall allow a person who is the subject of PHI, such person's legal representative, or the other Party to have access to and to copy such person's PHI. Each Party shall provide PHI in the format requested by such person, legal representative, or practitioner unless it is not readily producible in such format, in which case it shall be produced in standard hard copy format. Each Party acknowledges that HITECH requires the Parties to provide electronic health records to the individual in electronic format, and the Parties agree that to the extent applicable, the Parties will produce any PHI in electronic format in a manner requested by the individual who has made the request.
- Within ten (10) days of a written request, the Party receiving the request shall make available PHI for amendment in accordance with 45 C.F.R. Sec. 164.526. Each Party further agrees to make such amendment to PHI within thirty (30) days of a written request.
- Each Party shall implement appropriate administrative, physical and technical safeguards in order to preserve the confidentiality, integrity and availability of all PHI and to prevent any unauthorized use or disclosure of PHI, or any breach or security incident, or other material breach or violation of an underlying contract, this Schedule, HIPAA and HITECH involving said PHI. Each Party shall further:
- Establish administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of any electronic PHI that it creates, receives, maintains, or transmits on behalf of the covered entity as required by Sec. 164.314 of the Security Regulations.
- Require all of its subcontractors and agents that receive, use or have access to PHI to implement reasonable and appropriate security safeguards to protect it from unauthorized use or disclosure, and to report any improper use or disclosure of PHI in the time and manner required herein.
- Immediately report any unauthorized or improper use or disclosure of PHI, including without limitation, any security or privacy incident or breach involving the PHI ("Incident") without unreasonable delay, and not more than twenty-four (24) hours after it becomes aware of the Incident, and to provide notice and a report containing all information necessary to permit the Parties to timely comply with HIPAA notification provisions and its implementing rules or any other applicable reporting law, if necessary. Said report shall identify: (i) the known facts and circumstances related to the Incident; (ii) the individuals affected; (iii) the PHI that is known to be the subject of the Incident; (iv) the persons who are known to have information about the Incident; and (v) the corrective action taken or that will be taken to mitigate any deleterious effects of the Incident and to prevent future incidents. To the extent that each of the Parties must make its own notification involving any disclosure of PHI, the Parties agree to cooperate with each other regarding the notification process prior to making such notification.
- Implement reasonable policies and procedures designed to detect and provide appropriate response to relevant "Red Flags" that identity theft may be occurring (as defined in 16 CFR 681.2) or that may arise in the performance of either Party's activities, if that Party has access to information protected under the Red Flag Rules. Each Party agrees to update periodically the policies and procedures to detect relevant "Red Flags." Each Party further agrees to notify the other Party of the detection of a Red Flag and to implement reasonable steps to prevent or mitigate identity theft.
- All other terms of the Contractor Agreement remain unchanged.
- Upon termination of this Contractor Agreement, the Parties shall return or destroy, by rendering the PHI unusable, unreadable or undecipherable, or beyond the ability to recover, all PHI and the Parties shall retain no copies of such information. If the Parties mutually agree that return or destruction of PHI is not feasible, the Parties shall continue to maintain the security and privacy of such PHI in a manner consistent with the obligations of this Schedule and as required by applicable law and shall limit further use of the information to those purposes that make the return or destruction of the information infeasible. The duties hereunder to maintain the security and privacy of PHI shall survive the termination of this Contractor Agreement.
DEFINITIONS
- Limited Data Set. "Limited Data Set" shall have the meaning set out in 45 C.F.R. Sec. 164.514(e)(2), as amended from time to time.
- Protected Health Information or PHI. "Protected Health Information" or "PHI" shall have the meaning set out in 45 C.F.R. Sec. 160.103, as amended or revised from time to time.
- Required by Law. "Required by Law" shall have the meaning set forth in 45 C.F.R. Sec. 164.103, as amended or revised from time to time.
Schedule No. 2 (UNITED KINGDOM)
The Parties have entered into a written agreement ("Contractor Agreement") under which each of the Parties regularly receives, uses and/or discloses Protected Health Information in its performance of the services described in the Contractor Agreement.
This Schedule No.2 is subject to the Contractor Agreement and sets forth 32Co’s provision of services to Customer where such services require 32Co to process European Union Personal Data on behalf of Customer. (Capitalized terms used and not defined herein have the meanings given to them in the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (“GDPR”).)
- Data Processing
- Scope. This Schedule applies to Personal Data subject to GDPR that 32Co Processes on behalf of Customer. With respect to such Personal Data (if any), 32Co will act as the Processor of Personal Data to Customer, who may act as either a Controller or Processor of Personal Data.
- Controller. Customer will determine the scope, purposes, and manner by which Personal Data may be Processed by 32Co. 32Co will Process Personal Data only as set forth in this Schedule (or as required to comply with a legal obligation to which 32Co is subject). Customer warrants that it has all necessary rights to provide Personal Data to 32Co for the Processing to be performed in relation to this Schedule and the Contractor Agreement. To the extent required by GDPR and the Contractor Agreement, Customer is responsible for ensuring that any necessary Data Subject consents to the Processing described in this Schedule and the Contractor Agreement are obtained, and for ensuring that a record of such consents is maintained. Should such consent be revoked by the Data Subject, Customer is responsible for communicating the fact of such revocation to 32Co, and 32Co remains responsible for implementing any Customer instructions with respect to the further Processing of that Personal Data.
- Processor. 32Co will only Process Personal Data on the Documented Instructions (as defined in Section 2) of Customer in such manner as to meet 32Co’s obligations to Customer under the Contractor Agreement, except as required to comply with a legal obligation to which 32Co is subject. In such a case, 32Co shall inform Customer of that legal obligation before Processing, unless such law or relevant governmental authority prohibits informing Customer. Subject to the foregoing, 32Co shall never Process Personal Data in a manner inconsistent with the Documented Instructions of Customer. 32Co shall promptly inform Customer if, in its opinion, an instruction infringes GDPR or other European Union or Member State data protection provisions.
- Details of Data Processing
- Subject Matter. The subject matter of this Schedule will be the Processing of Personal Data provided by Customer to 32Co.
- Duration. This Schedule shall remain in effect for as long as 32Co Processes Personal Data on behalf of Customer or until termination of the Contractor Agreement.
- Purpose. The purpose of the Processing under this Schedule is 32Co’s fulfilment of the services agreed to under the Contractor Agreement.
- Nature of the Processing. The nature of the Processing under this Schedule is the evaluation of Personal Data for 32Co’s services agreed to under the Contractor Agreement and the associated purchase, production, and distribution of 32Co products and services. 32Co will also Process Personal Data of Customer employees as part of providing access to 32Co products and services.
- Type of Personal Data. The types of Personal Data include:
- Customer Patient Data: First and last name, age, and gender; case-supporting photographs and radiographs; orthodontic information; and prescription elements; and
- Customer Employee Data: First and last name; practice name, practice address, practice and personal telephone numbers, and email address; orthodontic treatment experience; and credit card and billing address.
- Types of Special Categories of Personal Data. Special categories of Personal Data include Customer patient health data, including case-supporting photographs and radiographs, orthodontic information, and prescription elements.
- Categories of Data Subjects. The Data Subjects may include Customer’s patients and employees.
- Compliance with Laws. Each party will comply with all laws, rules, and regulations applicable to it and binding on it in the performance of this Schedule, including GDPR.
- Customer Instructions
- The parties agree that this Schedule and the Agreement constitute Customer’s complete and final written instructions to 32Co regarding Processing Personal Data (“Documented Instructions”). Any additional instructions outside the scope of the Documented Instructions require prior written agreement between 32Co and Customer.
- Confidentiality and Security
- Confidentiality. 32Co shall treat all Personal Data as confidential and it shall inform all its employees, agents, and/or approved sub-Processors engaged in Processing Personal Data of the confidential nature of Personal Data. 32Co shall ensure that all such persons or parties have signed an appropriate confidentiality agreement, are otherwise bound to a duty of confidentiality, or are under an appropriate statutory obligation of confidentiality.
- Security. Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Customer and 32Co shall implement appropriate technical and organizational measures to protect against unauthorized or accidental access, loss, alteration, disclosure, or destruction of Personal Data. 32Co security measures include Internet standard 128 bit encryption, managed firewall protocols, and qualified, secured credential access to data storage systems. 32Co also trains all employees on general commerce data security measures.
- Improvements to Security. Technical and organizational measures are subject to technical progress and further development. Accordingly, 32Co reserves the right to modify its technical and organizational security measures provided that the functionality and security of Personal Data are not degraded.
- Contracting with Sub-Processors
- Authorized Sub-Processors. Customer agrees that 32Co may use sub-Processors to fulfil contractual obligations under this Schedule and the Contractor Agreement. 32Co will notify Customer in advance of any changes to sub-Processors set out in this Schedule. Within thirty (30) days of such notice from 32Co, Customer has the right to object to a new sub-Processor based on the reasonable belief that the sub-Processor would cause Customer to violate applicable legal requirements. Such objection shall be in writing and include Customer’s specific reason for its objection and options to mitigate. If Customer does not object in such period, 32Co may commission the sub-Processor to Process Personal Data under this Schedule and the Contractor Agreement.
- Sub-Processor Obligations. 32Co will enter into a written agreement with the sub-Processor and impose substantially similar data protection obligations as set out in this Schedule on any approved sub-Processor prior to the sub-Processor Processing any Personal Data. Such agreement will also restrict sub-Processor’s access to Personal Data only to what is necessary to provide contracted services to 32Co in furtherance of meeting 32Co’s obligations to Customer under this Schedule and the Contractor Agreement. 32Co will remain responsible for the sub-Processor’s compliance with this Schedule and for any acts or omissions of the sub-Processor that cause 32Co to breach any of 32Co’s obligations under this Schedule.
- Assistance to Data Controller
- Data Subject Rights and Requests. To the extent permitted by law, 32Co shall inform Customer of any requests from a Data Subject regarding such Data Subject’s individual rights to their Personal Data addressed directly to 32Co. 32Co shall assist Customer by appropriate technical and organizational measures, as far as reasonable, in fulfilling Customer’s obligation to respond to requests for exercising Data Subject rights under GDPR.
- Security Incidents and Personal Data Breaches. 32Co will notify Customer of a security incident without undue delay after becoming aware of such an incident and take reasonable steps to mitigate the effects and to minimize the damage resulting from the security incident. The term “security incident” as used in this Section 5.b shall mean any breach of 32Co security leading to an accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
- Compliance and Audits. 32Co shall make available to Customer all information necessary to demonstrate compliance with 32Co’s obligations and allow for and contribute to audits, including inspections, conducted by Customer or another auditor mandated by Customer. Except where Customer has appointed an auditor, each party will bear its own costs for such audits. Where Customer has appointed an auditor, Customer will be responsible for any fees charged by the appointed auditor for any such audit. Where appropriate, 32Co shall assist Customer in ensuring compliance with security obligations, preparation of a data protection impact assessment, and where necessary, carrying out consultations with any supervisory authority.
- Data Transfers
- Data Transfers. By agreeing to this Schedule, where the Processing of Personal Data under this Schedule and the Contractor Agreement requires the transfer of Personal Data from the European Economic Area (“EEA”) to a country without adequate protection as determined by the European authorities, 32Co and Customer are entering into the EU Standard Contractual Clauses as referred to in the DPA Exhibit. Customer is the “Data Exporter” and 32Co is the “Data Importer.”
- Return or Destruction of Personal Data
- Upon termination or expiration of this Schedule or the Contractor Agreement, 32Co shall, at the discretion of Customer, either delete, destroy, or return all Personal Data to Customer and destroy or return any existing copies. 32Co shall also notify all sub-Processors supporting its own Processing of Personal Data of the termination of this Schedule or the Contractor Agreement and shall ensure that all such sub-Processors either destroy Personal Data or return Personal Data to Customer, at the discretion of Customer.
- Miscellaneous
- This schedule is subject to the Contractor Agreement.
For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection
The entity identified as “Customer” in this Schedule (the “data exporter”)
and
32Co, 37 Cremer St, London, E2 8HD, UK (the “data importer”)
each a ‘party’; together the ‘parties’,
HAVE AGREED on the following EU Standard Contractual clauses ("EU Standard Contractual Clauses") in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Appendix 1.
- Definitions
For the purposes of the EU Standard Contractual Clauses:
- ‘personal data’, ‘special categories of data’, ‘process/processing’, ‘controller’, ‘processor’, ‘data subject’ and ‘supervisory authority’ shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;
- ‘the data exporter’ means the controller who transfers the personal data;
- ‘the data importer’ means the processor who agrees to receive from the data exporter personal data intended for processing on his behalf after the transfer in accordance with his instructions and the terms of the EU Standard Contractual Clauses and who is not subject to a third country’s system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC;
- ‘the sub-processor’ means any processor engaged by the data importer or by any other sub-processor of the data importer who agrees to receive from the data importer or from any other sub-processor of the data importer personal data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with his instructions, the terms of the EU Standard Contractual Clauses and the terms of the written subcontract;
- ‘the applicable data protection law’ means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the Member State in which the data exporter is established;
- ‘technical and organisational security measures’ means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.
- Details of the transfer
The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1 which forms an integral part of the EU Standard Contractual Clauses.
- Third-party beneficiary clause
- The data subject can enforce against the data exporter this EU Standard Contractual Clause, xiii(b) to (i), xiv(a) to (e), and (g) to (j), xv(a) and (b), xvi, xvii(b), and xx as third-party beneficiary.
- The data subject can enforce against the data importer this EU Standard Contractual Clause, xiv(a) to (e) and (g), xv, xvi, xvii(b), and xx, in cases where the data exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.
- The data subject can enforce against the sub-processor this EU Standard Contractual Clause, and xiv(a) to (e) and (g), xv, xvi, xvii(b), and xx, in cases where both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. Such third-party liability of the sub-processor shall be limited to its own processing operations under the EU Standard Contractual Clauses.
- The parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law.
- Obligations of the data exporter
The data exporter agrees and warrants:
- that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the data exporter is established) and does not violate the relevant provisions of that Country or State;
- that it has instructed and throughout the duration of the personal data-processing services will instruct the data importer to process the personal data transferred only on the data exporter’s behalf and in accordance with the applicable data protection law and the EU Standard Contractual Clauses;
- that the data importer will provide sufficient guarantees in respect of the technical and organisational security measures specified in Appendix 2 to this contract;
- that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;
- that it will ensure compliance with the security measures;
- that, if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of Directive 95/46/EC;
- to forward any notification received from the data importer or any sub-processor pursuant to EU Standard Contractual Clause xiv(b) and Clause xvii(c) to the data protection supervisory authority if the data exporter decides to continue the transfer or to lift the suspension;
- to make available to the data subjects upon request a copy of the EU Standard Contractual Clauses, with the exception of Appendix 2, and a summary description of the security measures, as well as a copy of any contract for sub-processing services which has to be made in accordance with the EU Standard Contractual Clauses, unless the EU Standard Contractual Clauses or the contract contain commercial information, in which case it may remove such commercial information;
- that, in the event of sub-processing, the processing activity is carried out in accordance with EU Standard Contractual Clause xviii by a sub-processor providing at least the same level of protection for the personal data and the rights of data subject as the data importer under the EU Standard Contractual Clauses; and
- that it will ensure compliance with EU Standard Contractual Clause xiii(a) to (i).
Clause 5 - Obligations of the data importer
The data importer agrees and warrants:
- to process the personal data only on behalf of the data exporter and in compliance with its instructions and the EU Standard Contractual Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
- that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the EU Standard Contractual Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
- that it has implemented the technical and organisational security measures specified in Appendix 2 before processing the personal data transferred;
- that it will promptly notify the data exporter about
- any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation;
- any accidental or unauthorised access; and
- any request received directly from the data subjects without responding to that request, unless it has been otherwise authorised to do so;
- to deal promptly and properly with all inquiries from the data exporter relating to its processing of the personal data subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred;
- at the request of the data exporter to submit its data-processing facilities for audit of the processing activities covered by the EU Standard Contractual Clauses which shall be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the supervisory authority;
- to make available to the data subject upon request a copy of the EU Standard Contractual Clauses, or any existing contract for sub-processing, unless the EU Standard Contractual Clauses or contract contain commercial information, in which case it may remove such commercial information, with the exception of Appendix 2 which shall be replaced by a summary description of the security measures in those cases where the data subject is unable to obtain a copy from the data exporter;
- that, in the event of sub-processing, it has previously informed the data exporter and obtained its prior written consent;
- that the processing services by the sub-processor will be carried out in accordance with EU Standard Contractual Clause xix;
- to send promptly a copy of any sub-processor agreement it concludes under the EU Standard Contractual Clauses to the data exporter.
Clause 6 - Liability
- The parties agree that any data subject, who has suffered damage as a result of any breach of the obligations referred to in EU Standard Contractual Clause xii or xix by any party or sub-processor is entitled to receive compensation from the data exporter for the damage suffered.
- If a data subject is not able to bring a claim for compensation in accordance with paragraph 1 against the data exporter, arising out of a breach by the data importer or his sub-processor of any of their obligations referred to in EU Standard Contractual Clause xii or xix, because the data exporter has factually disappeared or ceased to exist in law or has become insolvent, the data importer agrees that the data subject may issue a claim against the data importer as if it were the data exporter, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, in which case the data subject can enforce its rights against such entity.
The data importer may not rely on a breach by a sub-processor of its obligations in order to avoid its own liabilities.
- If a data subject is not able to bring a claim against the data exporter or the data importer referred to in paragraphs 1 and 2, arising out of a breach by the sub-processor of any of their obligations referred to in EU Standard Contractual Clause xii or in EU Standard Contractual Clause xix because both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, the sub-processor agrees that the data subject may issue a claim against the data sub-processor with regard to its own processing operations under the EU Standard Contractual Clauses as if it were the data exporter or the data importer, unless any successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The liability of the sub-processor shall be limited to its own processing operations under the EU Standard Contractual Clauses.
Clause 7 - Mediation and Jurisdiction. The data importer agrees that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the EU Standard Contractual Clauses, the data importer will accept the decision of the data subject:
- to refer the dispute to mediation, by an independent person or, where applicable, by the supervisory authority;
- to refer the dispute to the courts in the Member State in which the data exporter is established.
1) The parties agree that the choice made by the data subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.
Clause 8 - Cooperation with supervisory authority
- The data exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the applicable data protection law.
- The parties agree that the supervisory authority has the right to conduct an audit of the data importer, and of any sub-processor, which has the same scope and is subject to the same conditions as would apply to an audit of the data exporter under the applicable data protection law.
- The data importer shall promptly inform the data exporter about the existence of legislation applicable to it or any sub-processor preventing the conduct of an audit of the data importer, or any sub-processor, pursuant to paragraph 2. In such a case the data exporter shall be entitled to take the measures foreseen in EU Standard Contractual Clause xiv(b).
Clause 10 - Variation of the contract
The parties undertake not to vary or modify the EU Standard Contractual Clauses. This does not preclude the parties from adding clauses on business related issues where required so long as they do not contradict the EU Standard Contractual Clause.
Clause 11 - Sub-processing
- The data importer shall not subcontract any of its processing operations performed on behalf of the data exporter under the EU Standard Contractual Clauses without the prior written consent of the data exporter. Where the data importer subcontracts its obligations under the EU Standard Contractual Clauses, with the consent of the data exporter, it shall do so only by way of a written agreement with the sub-processor which imposes the same obligations on the sub-processor as are imposed on the data importer under the EU Standard Contractual Clauses. Where the sub-processor fails to fulfil its data protection obligations under such written agreement the data importer shall remain fully liable to the data exporter for the performance of the sub-processor’s obligations under such agreement.
- The prior written contract between the data importer and the sub-processor shall also provide for a third-party beneficiary clause as laid down in EU Standard Contractual Clause xii for cases where the data subject is not able to bring the claim for compensation referred to in paragraph 1 of EU Standard Contractual Clause xv against the data exporter or the data importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law. Such third-party liability of the sub-processor shall be limited to its own processing operations under the EU Standard Contractual Clauses.
- The provisions relating to data protection aspects for sub-processing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the data exporter is established.
- The data exporter shall keep a list of sub-processing agreements concluded under the EU Standard Contractual Clauses and notified by the data importer pursuant to EU Standard Contractual Clause xiv(i), which shall be updated at least once a year. The list shall be available to the data exporter’s data protection supervisory authority.
Clause 12 - Obligation after the termination of the personal data processing services
- The parties agree that on the termination of the provision of data-processing services, the data importer and the sub-processor shall, at the choice of the data exporter, return all the personal data transferred and the copies thereof to the data exporter or shall destroy all the personal data and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the data importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.
- The data importer and the sub-processor warrant that upon request of the data exporter and/or of the supervisory authority, it will submit its data-processing facilities for an audit of the measures referred to in paragraph 1.
Appendix 1
to the EU Standard Contractual Clauses
This Appendix forms part of the EU Standard Contractual Clauses.
The Member States may complete or specify according to their national procedures, any additional necessary information to be contained in the Appendix.
Data Exporter. The data exporter is Customer, as defined by the Schedule to which these EU Standard Contractual Clauses are attached.
Data Importer. The data importer is 32Co, a provider of orthodontics products and services.
Data Subjects. The personal data transferred concern the categories of data subjects defined in Section i.d of the Schedule to which these EU Standard Contractual Clauses are attached.
Categories of Data. The personal data transferred concern the categories of data defined in Section i.d of the Schedule to which these EU Standard Contractual Clauses are attached.
Special Categories of Data (if appropriate). The personal data transferred concern the special categories of data defined in Section i.d of the Schedule to which these EU Standard Contractual Clauses are attached.
Processing Operations. The personal data transferred will be subject to the following basic processing activities (please specify): The processing operations are defined in Section i.d of the Schedule to which these EU Standard Contractual Clauses are attached.
Appendix 2
to the EU Standard Contractual Clauses
This Appendix forms part of the EU Standard Contractual Clauses.
Description of the technical and organisational security measures implemented by the data importer in accordance with EU Standard Contractual Clauses xiii(d) and xiv(c):
The technical and organizational security measures implemented by the data importer include Internet standard 128 bit encryption, managed firewall protocols, and qualified, secured credential access to data storage systems. The data exporter also trains all employees on general commerce data security measures.