DATA PROCESSING AGREEMENT

ENGAGING SOLUTIONS AB APPLICATION

This Data Processing Agreement (‘DPA”) is the Data Processing Agreement referred to in the Kind Terms of Use between Engaging Solutions AB (referred to as “Kind” in this DPA) and the Customer identified on the Enrollment Form.
The defined terms in the Terms of Use shall apply to this DPA.

In addition, the following definitions shall apply:
“Data Protection Laws” means all laws and regulations that apply to or govern the processing of personal data, including, but not limited to the EU General Data Protection Regulation ((EU) 2016/679) and any national data protection laws and regulations implementing the EU Electronic Communications Privacy Directive (2002/58/EC), as well as any amendments to or replacements of such laws and regulations.

Terms used in this DPA shall have the same meaning as in the Data Protection Laws.
Under the Service Agreement, Kind will be processing personal data on behalf of the Customer. This DPA sets out the details of that processing and the DPA is effective for so long as the Service Agreement is in force.

2.1. In relation to the data subjects, the Customer is responsible for the processing’s compliance with the Data Protection Laws.
2.2. The Customer warrants that the processing is carried out in accordance with the purpose for which the personal data have been collected.
2.3. It is the Customer’s responsibility to ensure that Kind, at any time, is duly informed of the Customer’s written instructions regarding the processing. If the Customer provides additional instructions which deviate from the instructions that follow from the Service Agreement, and such additional instructions entail that the scope of the Services is materially changed, the matter must be handled under the Service Agreement.
2.4. All instructions provided by the Customer must be in writing.

3.1. The processing is described in detail in Appendix A. Kind undertakes to only process personal data necessary for the performance of the Services, in accordance with the Service Agreement, this DPA or according to specific and documented instructions provided by the Customer in connection with the conclusion of the Service Agreement, which have been approved by Kind.
3.2. Upon receipt of written instructions from the Customer regarding the processing, such as provided for in Appendix A or additional written instructions, Kind must, within a reasonable period of time, take appropriate measures to ensure that the processing is carried out in accordance with the instructions.
3.3. Kind undertakes to ensure that any natural person acting under the authority of Kind, and who has access to personal data, is informed of the content of this DPA and processes the personal data only in accordance with the DPA and the Customer’s documented instructions.
3.4. Kind is required to assist the Customer with appropriate technical and organisational measures for the fulfilment of the Customer’s obligation to respond to requests from data subjects regarding access to and rectification or erasure of personal data.
3.5. Kind must, without undue delay, notify the Customer after becoming aware of a personal data breach. Kind shall assist the Customer by providing information necessary for the fulfilment of the Customer’s obligation to notify the competent supervisory authority of a personal data breach and, when applicable, the Customer’s obligation to communicate the personal data breach to the affected data subjects.
3.6. Kind is required to assist the Customer in connection with any data protection impact assessments and prior consultations carried out by the Customer, as well as to assist in any investigations carried out by the competent supervisory authority regarding a personal data breach.

4.1. By accepting this DPA, the Customer approves and acknowledges that Kind may engage subcontractors for the purpose of carrying out the processing (“sub-processors”). Should Kind’s engagement of a sub-processor involve the transfer of personal data to a third country, such sub-processor may only be engaged by Kind if the requirements set forth under section 5.1 are met.
4.2. When engaging a sub-processor for the purpose of carrying out the processing, Kind undertakes to enter into an agreement with the sub-processor regarding the processing activities, pursuant to which the sub-processor shall be bound by the same obligations as is Kind under this DPA.
4.3. Kind undertakes to inform the Customer in writing prior to engaging a sub-processor, and the Customer may, within five (5) days of receipt of Kind’s notice hereof, object to Kind’s choice of sub-processor. Kind may not engage the chosen sub-processor if the Customer has presented reasonable objections. The parties agree that the Customer, by accepting this DPA, is deemed to have been informed of Kind’s intended engagement of the sub-processors listed in Appendix B.
4.4. Any transfer of personal data to the sub-processors is made at Kind’s risk and does not alter the allocation of responsibility between Kind and the Customer.

5.1. Kind undertakes not to transfer personal data to a third country (i.e. a country outside of the EU/EEA), unless the Customer has approved of such transfer in writing, and at least one of the following requirements are met:
(i) the receiving country has an adequate level of security;
(ii) the data subject has given its consent to the transfer;
(iii) the Data Protection Laws provide a legal ground for the transfer; or
(iv) agreements including certain standard contractual clauses issued by the European Commission (2010/87/EU) have been entered into, without any conflicting changes or amendments.
5.2. Provided that at least one of the relevant actions set forth in section 5.1 has been taken, the Customer may not unreasonably withhold its approval regarding the transfer.

6.1. Kind may not disclose any personal data to third parties without the Customer’s prior written consent, unless the disclosure or transfer is required by applicable law or under any court judgments or official orders. Notwithstanding the above, Kind is always entitled to transfer personal data to sub-processors in accordance with section 4.
6.2. Kind shall without undue delay notify the Customer in writing if it is approached by a supervisory authority with any matters regarding, or which may be of relevance for the processing. If Kind by operation of law or injunction is obligated to disclose personal data, section 8.2(iv) shall apply.

7.1. Kind is required to implement appropriate technical and organisational measures in accordance with the Data Protection Laws in order to ensure a level of security appropriate to the risk, including risks relating to unauthorised access, destruction and alteration of personal data covered by the processing. Kind shall determine how such measures are to be implemented in order to reach an appropriate level of security.
7.2. If the Customer makes probable that new security measures are required or that existing security measures must be altered in order to achieve compliance with the legal requirements regarding an appropriate level of security, or in order to achieve compliance with any court judgments or official orders, the parties shall discuss the implementation of such new measures or alterations of existing measures. Any implementation of extended or additional security measures requires that the Parties have agreed on such implementation in writing. Kind is entitled to reasonable compensation for any extended or additional security measures taken.
7.3. If Kind lacks any instructions from the Customer that Kind deems necessary in order to carry out the processing, or if Kind deems the Customer’s instructions, wholly or partly, be in breach of the Data Protection Laws, Kind shall without delay notify the Customer, and await any further instructions that the Customer deems necessary.

8.1. Kind and the persons working under its authority must maintain confidentiality in all respects when carrying out the processing. This means that personal data may not be unduly disclosed to a third party. Kind undertakes to ensure that the individuals working under its authority and who will process personal data observe and comply with Kind’s confidentiality undertaking according to this section 8.
8.2. Kind undertakes not to disclose to any third party such information which Kind, in its capacity as data processor, has received from the Customer or any other such information which Kind processes in its capacity as data processor under this DPA. Kind undertakes to ensure that all persons acting under its authority have undertaken to observe confidentiality in accordance with this section 8. However, this confidentiality obligation shall not apply to:
(i) information which is generally known or becomes generally known other than as a result of a breach of the Service Agreement or this DPA;
(ii) information which Kind can prove was in Kind’s possession prior to being provided to Kind under the Agreement;
(iii) information which Kind, lawfully and without restrictions regarding the right to transfer such information, receives from any third party outside the scope of the Service Agreement or this DPA; or
(iv) information which Kind is obligated to disclose under law or any court judgment or public authority decision. In such a case, Kind must without undue delay inform the Customer in writing about the disclosure and request that the personal data are kept confidential by the recipient.
8.3. This confidentiality undertaking shall survive the termination of this DPA.

Instructions regarding the processing
Kind shall, in addition to complying with the provisions in this DPA and the Service Agreement, carry out the processing in accordance with the instructions below.

Purpose
The processing may only be performed in order to provide the Services under the Service Agreement, i.e. for the purpose of facilitating communication between Users. The personal data may not be processed or used for Kind’s own or any other purposes.
Types of processing
Kind may use any types of processing which are necessary in order to provide the Services, including, but not limited to, sorting, administering, storing, returning and erasing personal data.
Types of personal data
Kind may only process personal data concerning the Users including first name, last name, personal ID number, user name, password, email address and health information phone number of such users who the Customer grants access to the Services.
Kind may also process other types of personal data, if necessary to provide the Services, including personal data collected through any new feature implemented in the Services after the conclusion of this DPA, which the Customer acquires through the Service Agreement.
Categories of data subjects
The personal data processed by Kind may only concern the Users, such as healthcare professionals, patients and customers.
Duration of the processing
The personal data must be erased by Kind at the time of termination of the Service Agreement, as set forth in the Terms of Use. Furthermore, personal data shall be erased from time to time, in accordance with the Customer’s documented instructions.
Location of the processing
The processing may only be performed within the EU/EEA, using such equipment and/or infrastructure that Kind is in direct or indirect (through approved subcontractors) control over.

Sub-Processors approved by the Customer

The Customer accepts and recognizes that Kind engages the following sub-processors in accordance with section 4.3 of the Agreement.

Amazon Web Service, AWS (Sweden/EU, https://aws.amazon.com/compliance/gdpr-center), for the operation and maintenance of the platform, including storage of encrypted data.