GDPR Data Processing Addendum

Updated October 14, 2021

EKO DATA SECURITY OFFICER: Jason Tugman

This GDPR Data Processing Addendum (“DPA”) is entered into by and between the undersigned customer (“Customer”) and Eko Devices, Inc., a Delaware corporation, having its principal place of business at 1212 Broadway Suite 100, Oakland, CA 94612 (“Eko”) and is effective as of the last date appearing on the signature block below (the “Effective Date”). Customer and Eko are referred to herein collectively, as the “Parties” and individually, as a “Party.”

In the course of providing services (“the Services”) to Customer described in and pursuant to the Master Services Agreement (“Underlying Agreement”) between the Parties, Eko may Process Personal Data as identified in the Attachments. The Parties agree to comply with the following provisions with respect to any Personal Data, each acting reasonably and in good faith. This DPA shall not replace any comparable or additional rights relating to Processing of Customer Data contained in the Underlying Agreement (including any existing data processing addendum to the Underlying Agreement). However, this DPA will control over any conflicting terms set forth in the Underlying Agreement.


I. Definitions

  1. The terms used in this DPA shall have the meanings set forth in this DPA. Capitalized terms not otherwise defined herein shall have the meaning given to them in the Underlying Agreement. Except as modified below, the terms of the Underlying Agreement shall remain in full force and effect.
  2. Notwithstanding the above, the following terms will have the same meaning as those terms in the European General Data Protection Regulation (the “GDPR”): Personal Data, Process/Processing, Data Exporter, Data Importer, European Union, Pseudonymization, Controller, Processor, Sub-Processor, Recipient, Third Party, Consent, Personal Data Breach, Genetic Data, Biometric Data, Data Concerning Health, Representative, Supervisory Authority, Module and Standard Contractual Clauses. A change to the Data Protection Laws and Regulations which modifies any defined term, or which alters the regulatory citation for the definition, will be deemed incorporated into this DPA.
  3. “GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).


II. Status of Parties. The Parties acknowledge and agree that with regard to the Processing of Personal Data that Customer transmits to Eko, Customer is the Data Exporter and a Controller, and Eko is the Data Importer and acts as either a Processor or a Controller, as described below. Eko may engage Sub-Processors pursuant to the requirements set forth below. This DPA incorporates and is intended to comply with the Standard Contractual Clauses set forth in Commission Implementing Decision (EU) 2021/914 pursuant to Regulation (EU) 2016/679.

  1. Controller-Processor Transfers. Eko is a Processor when it processes Personal Data on behalf of and at the direction of Customer as more fully described in Attachment A (“Controller-Processor Transfers”).
  2. Controller-Controller Transfers. Eko is a Controller when, jointly with Customer, Eko determines the purposes and means of Processing as more fully described in Attachment B (“Controller-Controller Transfers”).


III. Purpose and Scope. The subject-matter of Processing of Personal Data, the duration of the Processing, the nature and purpose of the Processing, the types of Personal Data to be Processed, the Sub-Processors, and categories of Data Subjects subject to Processing under this DPA are specified in the Attachments. When Eko is functioning as a Processor, Eko shall process the Personal Data only for the purpose(s) and duration set forth in Attachment A, unless on further instructions from Customer. 


IV. Controller-to-Processor Transfers. The following terms apply to Controller-Processor Transfers: 

a. Customer Obligations. 

  i. Customer shall, in its use of the Services, only direct Eko to Process Personal Data in accordance with the requirements of applicable Data Protection Laws and Regulations throughout the duration of the Underlying Agreement. For the avoidance of doubt, Customer’s instructions for the Processing of Personal Data shall comply with Data Protection Laws and Regulations. Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Customer acquires Personal Data. If Eko reasonably determines that an instruction it receives from Customer with respect to Processing of Personal Data violates the GDPR or other applicable laws, rules, or regulations, Eko shall be entitled to cease providing the Services until the Parties mutually agree upon amended instructions that are compliant.
  ii. Customer shall, upon request of a Data Subject, make a copy of this DPA, including the Attachments, available to Data Subjects free of charge. To the extent necessary to protect business secrets or other confidential information, Customer may redact part of this DPA prior to sharing a copy with the Data Subject, but shall provide a meaningful summary where the Data Subject would not otherwise be able to understand the content of this DPA or exercise their rights. Upon request of a Data Subject, Customer shall provide, to the extent possible and without revealing the redacted information, the reason for any redaction.
  iii. Customer represents and warrants that it has appropriate legal authority to transmit Personal Data to Eko. Further, Customer represents and warrants that it will not share any Personal Data with Eko that it is not legally authorized to transmit to Eko. To the extent legally permitted, Customer will promptly notify Eko if Customer receives a request from a Data Subject to exercise the Data Subject’s right of access, right to rectification, restriction of Processing, erasure (“right to be forgotten”), data portability, objection to Processing, or its right not to be subject to automated individual decision making (“Data Subject Request”) if such request will impact Eko or Eko’s Processing under this DPA.
  iv. Customer represents and warrants, in its use of the Service, that it will comply with the terms of the Underlying Agreement, this DPA and the Data Protection Laws and Regulations. All Affiliates of the Customer who use the Service will comply with the obligations of the Customer set out in this DPA and in the Underlying Agreement.
  v. Customer represents and warrants that, during transmission, it shall implement appropriate technical and organizational measures to ensure the security of the Personal Data, including protection against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access to that data (a “Personal Data Breach”).
  vi. Customer understands and agrees that some instructions from the Customer, including requests for Eko’s assistance with audits, inspections or DPIAs (defined below), may result in additional fees. Eko will notify the Customer in advance of its fees for providing such assistance.
  vii. Customer represents and warrants that it shall hold Eko harmless from any security breach related to security controls not directly managed by Eko. Such controls that are the sole responsibility of Customer include, without limitation: enforcing the use of encrypted transmissions; settings to restrict access by country (geo-fencing); settings to restrict individual logins by IP address and by protocol; settings to control password strength and expiration; settings to require multi-factor authentication for user logins; settings to configure folder access by user; settings to configure folder permissions per user (e.g., upload, download, delete and list permissions); settings to automatically purge files based on age since upload on a sitewide or folder basis; and settings to suspend and delete users based on calendar date or length of inactivity.


b. Eko Obligations. 

  i. Eko shall treat Personal Data as confidential and shall only Process Personal Data on behalf of and in accordance with Customer’s documented instructions for the following purposes: (i) Processing in accordance with the Underlying Agreement and applicable Attachments; (ii) Processing initiated by users of the Services; and (iii) Processing to comply with other documented reasonable instructions provided by Customer (e.g., via email) where such instructions are consistent with the terms of the Underlying Agreement. Eko shall immediately notify Customer if it is unable to follow documented instructions.
  ii. Eko shall ensure that persons authorized to process the Personal Data on behalf of Eko (i) are informed of the confidential nature of the Personal Data, (ii) have received appropriate training on their responsibilities, (iii) are granted minimum necessary access to Personal Data for the implementation, management, and monitoring of the Underlying Agreement; and (iv) have executed written confidentiality agreements.
  iii. To the extent legally permitted, Eko shall promptly notify Customer if Eko receives a Data Subject Request. Eko will not respond to the Data Subject Request unless authorized to do so under instruction from Customer. Taking into account the nature of the Processing, Eko shall assist Customer with appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Customer’s obligation to respond to a Data Subject Request under Data Protection Laws and Regulations. To the extent legally permitted, Customer shall be responsible for any costs arising from Eko’s provision of such assistance.
  iv. Taking into account the state of the art, the costs of implementation, the nature, scope, context and purpose(s) of Processing, and the risks to Data Subjects, Eko shall maintain appropriate technical and organizational measures for protection of the security (including protection against a Personal Data Breach), confidentiality and integrity of Personal Data, including, at minimum, those set forth in Attachment C. Eko will regularly monitor these measures to ensure maintenance of appropriate levels of security. Eko will not materially decrease the overall security of the Services during the term of the Underlying Agreement without prior written permission from the Customer.
  v. Eko shall notify Customer without undue delay if Eko becomes actually aware of a Personal Data Breach. Eko shall take appropriate measures to address the breach, including measures to mitigate its adverse effects. Eko shall provide notification to Customer that includes a contact point where more information can be obtained, a description of the nature of the breach (including, where possible, categories and approximate number of Data Subjects and the Personal Data concerned), the likely consequences of the breach and the measures taken or proposed to address the breach including, where appropriate, measures to mitigate its possible adverse effects. Eko shall include then-available information in the initial notification to Customer and shall, as available, subsequently provide additional notifications to Customer without undue delay.
  vi. Eko shall notify Customer without undue delay if Eko becomes actually aware that Personal Data it has received is inaccurate or outdated and shall cooperate with Customer to rectify or erase the data.
  vii. Eko shall inform Data Subjects in a transparent and easily accessible format, through individual notice or on its website, of a contact point authorized to handle complaints. Eko shall promptly address any complaints it receives from a Data Subject.
  viii. Eko shall cooperate with and assist Customer to enable Customer to comply with its obligations under Regulation (EU) 2016/679. Eko shall, taking into account the nature of Processing and information available to Eko, notify the competent Supervisory Authority and affected Data Subjects in the event of a Personal Data Breach in accordance with applicable laws, rules, and regulations.


c. Onward Transfers. Eko shall only disclose the Personal Data to a Third Party on documented instructions from Customer. Personal Data may only be disclosed to a Third Party located outside the European Union (in the same country as Eko or in another third country, hereinafter “Onward Transfer”) if the Third Party is or agrees to be bound by the Standard Contractual Clauses, under the appropriate Module, or if: 

  i. The Onward Transfer is to a country benefiting from an adequacy decision pursuant to Article 45 of Regulation (EU) 2016/679 that covers the Onward Transfer;
  ii. The Third Party otherwise ensures appropriate safeguards pursuant to Article 46 or 47 of Regulation (EU) 2016/679 with respect to the Processing in question;
  iii. The Onward Transfer is necessary for the establishment, exercise, or defense of legal claims in the context of specific administrative, regulatory or judicial proceedings; or
  iv. The Onward Transfer is necessary in order to protect the vital interests of the Data Subject or of another natural person.

Any Onward Transfer is subject to compliance by Eko with all the other safeguards under this DPA, in particular, purpose limitation.  


d. Sub-Processors

  i. Customer hereby grants Eko general authorization to engage Sub-Processors from an agreed list to assist Eko in Processing Personal Data. Eko shall specifically inform Customer in writing of any intended changes to that list through the addition or replacement of Sub-Processors at least thirty (30) days in advance, thereby giving Customer sufficient time to object to such changes prior to the engagement of the Sub-Processor. Eko shall provide Customer with the information necessary to enable Customer to exercise the right to object.
  ii. In the event that transferring data to a Sub-Processor involves an Onward Transfer, Eko will comply with the requirements set forth in paragraph (c) above.
  iii. Eko shall enter into contractual arrangements with such Sub-Processors requiring, in substance, the same level of data protection compliance and information security as that provided for herein. Eko shall ensure that each such Sub-Processor complies with the obligations to which Eko is subject pursuant to this DPA.
  iv. Eko shall provide, at Customer’s request, a copy of each Sub-Processor agreement and any subsequent amendments to Customer. To the extent necessary to protect business secrets or other confidential information, including Personal Data, Eko may redact the text of the agreement prior to providing a copy to Customer. In the event that Eko refuses to provide a copy of each Sub-Processor agreement and subsequent amendments, Customer may, at its option, terminate this DPA and the Underlying Agreement.
  v. Eko shall remain fully responsible to Customer for the performance of each Sub-Processor’s obligations under its contract with Eko. Eko shall notify Customer of any failure by a Sub-Processor to fulfill its obligations under that contract.
  vi. Eko shall agree to a third-party beneficiary clause with each Sub-Processor whereby, in the event Eko has factually disappeared, ceased to exist in law or become insolvent, Customer shall have the right to terminate the Sub-Processor contract and instruct the Sub-Processor to erase or return the Personal Data.


e. Documentation.

  i. Eko shall promptly and adequately address inquiries from Customer that relate to Processing under this DPA.
  ii. The Parties shall be able to demonstrate compliance with this DPA. In particular, Eko shall keep appropriate documentation on the Processing carried out on behalf of Customer.
  iii. Eko shall make available to Customer, within sixty (60) days of a request from Customer, all information reasonably necessary to demonstrate compliance with the obligations set forth in this DPA, and, at Customer’s request, allow for and contribute to audits of the Processing covered by the Underlying Agreement and this DPA, at mutually agreed upon reasonable intervals or if there are indications of non-compliance, in any case upon reasonable notice to Eko. In deciding on a review or audit, Customer may take into account relevant certifications held by Eko. In the event that Eko denies an audit or refuses to comply with Customer’s audit request, Customer may, at its option, terminate this DPA and the Underlying Agreement.
  iv. Customer may choose to conduct the audit by itself or mandate an independent auditor. Audits may include inspections at the premises or physical facilities of Eko to the extent necessary to assess Eko’s compliance with this DPA and shall, where appropriate, be carried out with reasonable notice.
  v. The Parties shall make the information referred to in paragraphs ii. and iii. of this Section, including the results of any audits, available to the competent Supervisory Authority upon request.


f. Data Protection Impact Assessment. Upon Customer’s request, Eko shall provide Customer with reasonable cooperation and assistance needed to fulfill Customer’s obligation under the GDPR to carry out a Data Protection Impact Assessment (“DPIA”) related to Customer’s use of the Services, to the extent Customer does not otherwise have access to the relevant information, and to the extent such information is available to Eko. Eko shall provide reasonable assistance to Customer in the cooperation or prior consultation with the Supervisory Authority in the performance of its tasks relating to this Section, to the extent required under the GDPR. To the extent legally permitted, Customer shall be responsible for any costs arising from Eko’s provision of such assistance.


V. Controller-to-Controller Transfers. The following terms apply to Controller-to-Controller transfers: 

a. Customer Obligations. 

i. Customer represents and warrants that, during transmission, it shall implement appropriate technical and organizational measures to ensure the security of the data, including protection against a Personal Data Breach. 

b. Eko Obligations. 

i. Eko shall Process the Personal Data only for the specific purpose(s) of the transfer, as set forth in Attachment B. Notwithstanding the foregoing, Eko may only Process Personal Data for another purpose not identified in Attachment B where: 

  1. Eko has obtained the Data Subject’s prior consent;
  2. Processing is necessary for the establishment, exercise, or defense of legal claims in the context of specific administrative, regulatory or judicial proceedings; or
  3. Processing is necessary to protect the vital interests of the Data Subject or of another natural person.

ii. Unless the Data Subject already possesses the information, including when such information is provided by Customer, or providing the information would be impossible or would involve a disproportionate effort for Eko, Eko shall inform Data Subjects of: 

  1. Eko’s identity and contact details;
  2. The categories of Personal Data Processed;
  3. The right to obtain a copy of this DPA;
  4. Where it intends to make an Onward Transfer of Personal Data to any Third Party, the recipient or categories of recipients, the purpose of the Onward Transfer, and the grounds upon which the Onward Transfer is based pursuant to paragraph (e) of this Section.

iii. Eko shall retain the Personal Data for no longer than necessary for the purpose(s) for which it is Processed. Eko shall put into place appropriate technical and organizational measures to ensure compliance with this obligation, including, where appropriate, erasure or anonymization of the Personal Data, and of all back-ups, at the end of the retention period.

iv. Taking into account the state of the art, the costs of implementation, the nature, scope, context and purpose(s) of Processing, and the risks to Data Subjects, Eko shall maintain appropriate technical and organizational measures for protection of the security (including protection against a Personal Data Breach), confidentiality and integrity of Personal Data, including, at minimum, those set forth in Attachment C.

v. Eko shall ensure that persons authorized to process the Personal Data on behalf of Eko (i) are informed of the confidential nature of the Personal Data, (ii) have received appropriate training on their responsibilities, (iii) are granted minimum necessary access to Personal Data for the implementation, management, and monitoring of the Underlying Agreement; and (iv) have executed written confidentiality agreements. 

vi. Eko shall notify Customer without undue delay if Eko becomes actually aware of a Personal Data Breach. Eko shall take appropriate measures to address the breach, including measures to mitigate its adverse effects. If a Personal Data Breach of which Eko is aware is likely to result in a risk to the rights and freedoms of natural persons, Eko shall, without undue delay, notify both Customer and the competent Supervisory Authority pursuant to Section XI. 

vii. Eko shall, where a Personal Data Breach is likely to result in a high risk to the rights and freedoms of natural persons, notify without undue delay the Data Subjects concerned. This notification shall include the information set forth in Section XI unless Eko has implemented measures to significantly reduce the risk to the rights or freedoms of natural persons, or the notification would involve disproportionate efforts for Eko, in which case Eko shall instead issue a public communication.

viii. Eko shall, in the event of a Personal Data Breach, document all relevant facts and keep a record of effects and any remedial action taken. 

ix. Eko shall ensure that any person acting under its authority, including a Processor, Processes the Personal Data only on its instruction. 


c. Obligations of the Parties.

i. Either Party shall, upon request of a Data Subject, make a copy of this DPA, including the Attachments, available to Data Subjects free of charge. To the extent necessary to protect business secrets or other confidential information, either Party may redact part of this DPA prior to sharing a copy with the Data Subject, but shall provide a meaningful summary where the Data Subject would not otherwise be able to understand the content of this DPA or exercise their rights. Upon request of a Data Subject, either Party shall provide, to the extent possible and without revealing the redacted information, the reason for any redaction.

ii. If either Party becomes aware that the Personal Data it has transferred or received is inaccurate, or has become outdated, it shall inform the other Party without undue delay. 

iii. Each Party shall ensure that the Personal Data is accurate and, where necessary, kept up to date. Each Party shall take every reasonable step to ensure that Personal Data that is inaccurate, having regard to the purpose(s) of the Processing, is erased or rectified without undue delay. 

iv. Each Party shall ensure that the Personal Data is adequate, relevant and limited to what is necessary in relation to the purpose(s) of Processing. 


d. Data Subject Rights. 

i. Eko shall respond to requests from Data Subjects relating to the Processing of Personal Data and the exercise of their rights under this DPA without undue delay and, at the latest, within one (1) month of receipt of the inquiry or request. Eko shall take appropriate measures to facilitate such inquiries, requests and the exercise of Data Subject rights. Eko shall respond to Data Subject requests in an intelligible and easily accessible form, using clear and plain language.

ii. Upon request by the Data Subject, Eko shall, free of charge: 

  1. Provide confirmation to the Data Subject as to whether Personal Data concerning them is being Processed and, where applicable, a copy of the data relating to them and the information contained in the Attachments. If Personal Data has been or will be onward transferred, Eko shall provide information on the recipients or categories of recipients (as appropriate with a view to providing meaningful information) to which the Personal Data has been or will be onward transferred, the purpose(s) of the Onward Transfer, and information describing the Data Subject’s right to lodge a complaint with a Supervisory Authority;
  2. Rectify inaccurate or incomplete data concerning the Data Subject;
  3. Erase Personal Data concerning the Data Subject if such data is being or has been Processed in violation of this DPA or if the Data Subject withdraws the consent upon which the Processing is based.

iii. Eko shall cease Processing Personal Data for direct marketing purpose(s) where a Data Subject objects to it. 

iv. Eko shall not make a decision based solely on the automated Processing of the Personal Data transferred (hereinafter, an “automated decision”) which would produce legal effects concerning the Data Subject or similarly significantly affect the Data Subject, unless it has the explicit consent of the Data Subject or is authorized to do so under the laws of the country of destination, provided that such laws provide suitable measures to safeguard the Data Subject’s rights and legitimate interests. Where necessary in cooperation with Customer, Eko shall:

  1. Inform the Data Subject about the envisaged automated decision, the envisaged consequences and the logic involved; and
  2. Implement suitable safeguards, at least by enabling the Data Subject to contest the decision, express their point of view and obtain review by a human being.

v. Eko may, where requests from a Data Subject are excessive or repetitive, charge a reasonable fee, taking into account the administrative costs of granting the Data Subject’s request, or refuse to act on the request. 

vi. Eko may refuse a Data Subject’s request if such refusal is allowed under the laws of the country of destination and is necessary and proportionate in a democratic society to protect the objectives listed in Article 23(1) of Regulation (EU) 2016/679. Eko shall inform the Data Subject of the reasons for the refusal and the possibility of lodging a complaint with the competent Supervisory Authority and/or seeking judicial redress.

e. Onward Transfers. Eko shall not disclose Personal Data to a Third Party located outside the EU unless the Third Party is or agrees to be bound by the Standard Contractual Clauses, under the appropriate Module, or if: 

i. The Onward Transfer is to a country benefiting from an adequacy decision pursuant to Article 45 of Regulation (EU) 2016/679 that covers the Onward Transfer;

ii. The Third Party otherwise ensures appropriate safeguards pursuant to Article 46 or 47 of Regulation (EU) 2016/679 with respect to the Processing in question;

iii. The Third Party enters into a binding instrument with Eko ensuring the same level of data protection as under this DPA, and Eko provides a copy of these safeguards to Customer; 

iv. The Onward Transfer is necessary for the establishment, exercise, or defense of legal claims in the context of specific administrative, regulatory or judicial proceedings; 

v. The Onward Transfer is necessary in order to protect the vital interests of the Data Subject or of another natural person; or

vi. Where none of the other conditions apply, Eko has obtained the explicit consent of the Data Subject for an Onward Transfer in a specific situation, after having informed the Data Subject of the purpose(s) of the transfer, the identity of the recipient and the possible risks of such transfer to the Data Subject due to the lack of appropriate data protection safeguards. In the event Eko makes use of this condition, Eko shall inform Customer and, upon Customer’s request, shall transmit a copy of the information provided to the Data Subject.

Any Onward Transfer is subject to compliance by Eko with all the other safeguards under this DPA, in particular, purpose limitation.  



f. Documentation. 

i. Each Party shall be able to demonstrate compliance with its obligations under this DPA.  

ii. Eko shall keep appropriate documentation of the Processing activities carried out under its responsibility. 

iii. Eko shall make documentation available to the competent Supervisory Authority upon request. 

VI. Sensitive Data. Where the transfer of Personal Data from Customer to Eko reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offenses (“Sensitive Data”), Eko shall apply the specific restrictions and/or additional safeguards set forth in the Attachments. 


VII. Supervision.

a. The Supervisory Authority with responsibility for ensuring compliance by Customer with Regulation (EU) 2016/679 with regards to the Processing of Personal Data under the Underlying Agreement and this DPA will act as competent Supervisory Authority.

b. Eko agrees to submit itself to the jurisdiction of and cooperate with the competent Supervisory Authority in any procedures aimed at ensuring compliance with this DPA. In particular, Eko agrees to respond to inquiries, submit to audits and comply with the measures adopted by the Supervisory Authority, including remedial and compensatory measures. Eko shall provide the Supervisory Authority with written confirmation that any necessary actions have been taken. 


VIII. Liability.

a. Each Party shall be liable to the other for any damages it causes the other Party by any breach of this DPA.

b. Eko shall be liable to the Data Subject, and the Data Subject shall be entitled to receive compensation, for any material or non-material damages Eko or its Sub-Processor causes the Data Subject by breaching the third-party beneficiary rights under this DPA.

c. With respect to Controller-Processor Transfers ONLY, and notwithstanding paragraph (b) of this Section, Customer shall be liable to the Data Subject, and the Data Subject shall be entitled to receive compensation, for any material or non-material damages Customer or Eko (or its Sub-Processor) causes the Data Subject by breaching the third-party beneficiary rights under this DPA. This is without prejudice to the liability of Eko under paragraph (b).

d. With respect to Controller-Processor Transfers ONLY, the Parties agree that if Customer is held liable under this DPA for damages caused by Eko (or its Sub-Processor), Customer shall be entitled to indemnification from Eko for the part of the compensation corresponding to Eko’s responsibility for the damage. 

e. Where more than one Party is responsible for any damage caused to the Data Subject as a result of a breach of this DPA, all responsible Parties will be jointly and severally liable and the Data Subject is entitled to bring an action in court against any of these Parties.

f. The Parties agree that if one Party is held liable under paragraph (e) of this Section, the liable Party shall be entitled to indemnification from the other Party for the part of the compensation corresponding to the other Party’s responsibility for the damage.

g. Eko will not invoke the conduct of a Sub-Processor to avoid its own liability. 


IX. Redress.

a. Eko shall inform Data Subjects in a transparent and easily accessible format, through individual notice or on its website, of a contact point authorized to handle complaints. Eko shall promptly address any complaints it receives from a Data Subject.

b. In the case of a dispute between a Data Subject and one of the Parties regarding compliance with this DPA, that Party shall use its best efforts to resolve the issue amicably and in a timely fashion. Each Party shall keep the other Party informed about such disputes and, where appropriate, cooperate in resolving them. 

c. Where the Data Subject invokes a third-party beneficiary right pursuant to this DPA, Eko shall accept the decision of the Data Subject to:

  1. Lodge a complaint with the Supervisory Authority in the Member State of their habitual residence or place of work; or

  2. Refer the dispute to the competent courts.

d. The Parties accept that the Data Subject may be represented by a not-for-profit body, organization or association under the conditions set out in Article 80(1) of Regulation (EU) 2016/679.

e. Eko shall abide by a decision that is binding under the applicable EU or Member State law.

f. Eko agrees that the choice made by the Data Subject will not prejudice their substantive and procedural rights to seek remedies in accordance with applicable laws. 


X. Data Transfer. Customer hereby consents to the transfer of Personal Data to, and the Processing of Personal Data in, the United States of America. When making such transfers, Eko shall ensure appropriate protection is in place to safeguard the Personal Data transferred in connection with the Underlying Agreement and this DPA. 


XI. Breach

a. In the event of a Personal Data Breach concerning Personal Data Processed by Eko under this DPA, Eko shall take appropriate measures to address the Personal Data Breach, including measures to mitigate its possible adverse effects.  

b. In the event of a Personal Data Breach concerning Personal Data Processed by Eko that is likely to result in a risk to the rights and freedoms of natural persons, Eko shall, without undue delay, notify Customer and the competent Supervisory Authority. Such notification shall at least:

  1. Describe the nature of the Personal Data Breach including, where possible, the categories and approximate number of data subjects concerned, and the categories and approximate number of Personal Data records concerned;
  2. Communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;
  3. Describe the likely consequences of the Personal Data Breach;
  4. Describe the measures taken or proposed to be taken to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.

c. With respect to Controller-Processor Transfers, Eko shall cooperate and assist Customer to enable Customer to comply with its obligations under Regulation (EU) 2016/679, in particular to notify the competent Supervisory Authority and the affected Data Subjects, taking into account the nature of Processing and the information available to Eko. 

d. With respect to Controller-Controller Transfers and in the event of a Personal Data Breach that is likely to result in a high risk to the rights and freedoms of natural persons, Eko shall notify, without undue delay, the Data Subjects of the Personal Data Breach and its nature, if necessary, in cooperation with Customer. This notification must include the information referred to in paragraph (b), points 1 to 4, unless Eko has implemented measures to significantly reduce the risk to the rights or freedoms of natural persons, or notification would involve disproportionate efforts, in which case Eko shall issue a public communication. Eko shall document all relevant facts relating to the Personal Data Breach, including its effects and any remedial action taken, and keep a record thereof. 


XII. Local Laws. 

a. The Parties warrant that they have no reason to believe that the laws and practices in the third country of destination applicable to the Processing of Personal Data by Eko, including any requirements to disclose Personal Data or measures authorizing access by public authorities, prevent Eko from fulfilling its obligations under the Underlying Agreement or this DPA. 

b. The Parties declare that in providing the warranty in paragraph (a) of this Section, they have taken due account in particular of the following elements: 

  1. The specific circumstances of the Processing, including the length of the Processing chain, the number of actors involved, and the transmission channels used; intended Onward Transfers; the type of Recipient; the Purpose of Processing; the categories and format of the transferred Personal Data; the economic sector in which the transfer occurs; and, the storage location of the data transferred; 
  2. The laws and practices of the third country of destination (including those requiring the disclosure of Personal Data to public authorities or authorizing access by such authorities) relevant in light of the specific circumstances of the Processing, and the applicable limitations and safeguards;
  3. Any relevant contractual, technical or organizational safeguards put in place to supplement the safeguards under this DPA (including measures applied during transmission and to the Processing of Personal Data in the country of destination).

XIII. Request from Public Authority; Notification.

a. Eko shall notify Customer and, where possible, the Data Subject, promptly if it:

  1. Receives a legally binding request from a public authority, including judicial authorities, under the laws of the country of destination for the disclosure of Personal Data Processed pursuant to this DPA. Such notification shall include information about the Personal Data requested, the requesting authority, the legal basis for the request and the response provided; or

  2. Becomes aware of any direct access by public authorities to Personal Data Processed pursuant to this DPA in accordance with the laws of the country of destination. Such notification shall include all information available to Eko.

b. If Eko is prohibited from notifying Customer and/or the Data Subject under the laws of the country of destination, Eko agrees to use its best efforts to obtain a waiver of the prohibition, with a view to communicating as much information as possible, as soon as possible. Eko agrees to document its best efforts in order to be able to demonstrate them on request of Customer. 

c. Where permissible under the laws of the country of destination, Eko agrees to provide Customer, at regular intervals for the duration of the Underlying Agreement and this DPA, with as much relevant information as possible on the requests received (in particular, the number of requests, type of data requested, requesting authority, and whether requests have been challenged and the outcome of such challenges).

d. Eko shall preserve the information pursuant to paragraphs (a) to (c) for the duration of the Underlying Agreement and this DPA and make it available to the competent Supervisory Authority on request. 

e. Eko shall promptly notify Customer where it is unable to comply with this Section.

f. Eko shall review the legality of the public authority request for disclosure, in particular whether it remains within the powers granted to the requesting public authority, and to challenge the request if, after careful assessment, it concludes that there are reasonable grounds to consider that the request is unlawful under the laws of the country of destination, applicable obligations under international law and principles of international comity. Eko shall, under the same conditions, pursue possibilities of appeal. When challenging a request, Eko shall seek interim measures with a view to suspending the effects of the request until the competent judicial authority has decided on its merits. Eko shall not disclose the Personal Data requested until required to do so under applicable procedural rules. 

g. Eko agrees to document its legal assessment and any challenge to the request for disclosure and, to the extent permissible under the laws of the country of destination, make the documentation available to Customer. 

h. Eko shall provide the minimum amount of information necessary when responding to a request for disclosure, based on a reasonable interpretation of the request. 


XIV. Third-party Beneficiaries. 

a. Data Subjects may invoke and enforce the provisions of this DPA, as third-party beneficiaries, against Customer and Eko with the following exceptions: 

  1. Sections I, II, and III;
  2. For Controller-to-Controller transfers: Section XII(b) and Section VI(f)(iii); For Controller-to-Processor transfers: Section V(b)(i) and Sections V(e)(i), (iii), (iv) and (v); 
  3. For Controller-to-Processor transfers: Section V(d)(i), (iv), (v) and (vi), Section IX(a), (d), and (f);
  4. For Controller-to-Controller transfers: Section VIII(a) and (d); 
  5. Section VII; 
  6. Sections XII(c), (d), and (e); 
  7. Section XV(e); and 
  8. Sections XVII (a) and (b). 

b. Paragraph (a) is without prejudice to rights of Data Subjects under Regulation (EU) 2016/679.


XV. Non-Compliance and Termination.

a. Eko shall promptly inform Customer if it is unable to comply with this DPA, for whatever reason.

b. In the event Eko is in breach or is unable to comply with the terms of this DPA, Customer shall suspend the transfer of Personal Data to Eko until compliance is again ensured or this DPA and the Underlying Agreement are terminated. 

c. Customer shall be entitled to terminate the Underlying Agreement and this DPA, insofar as it concerns the Processing of Personal Data under this DPA, where: 

  1. Customer has suspended the transfer of Personal Data to Eko pursuant to paragraph (b) of this Section and compliance with this DPA is not restored within a reasonable time and, in any event, within thirty (30) days of suspension;

  2. Eko is in substantial or persistent breach of this DPA; or 

  3. Eko fails to comply with a binding decision of a competent court or Supervisory Authority regarding its obligations under this DPA. 

d. Personal Data that has been transferred prior to the termination of the Underlying Agreement and this DPA must, at the option of Customer, be immediately returned to Customer or deleted in its entirety. Copies of the Personal Data must also be immediately returned or deleted. Until the Personal Data is deleted or returned, Eko shall continue to ensure compliance with this DPA. In the event that local laws applicable to Eko prevent the return or destruction of Personal Data, Eko will continue to protect the Personal Data in accordance with this DPA and will only Process the Personal Data to the extent and for as long as required under that applicable law. 

e. Either Party may revoke its agreement to be bound by this DPA where (i) the European Commission adopts a decision pursuant to Article 45(3) of Regulation (EU) 2016/679 that covers the transfer of Personal Data to which this DPA applies, or (ii) Regulation (EU) 2016/679 becomes part of the legal framework of the country to which the Personal Data is transferred. 


XVI. Severability. All rights and restrictions contained herein may be exercised and shall be applicable and binding only to the extent that they do not violate any applicable laws and are intended to be limited to the extent necessary so that they will not render this DPA illegal, invalid or unenforceable. If any term of this DPA shall be held to be illegal, invalid or unenforceable by a court of competent jurisdiction, it is the intention of the Parties that the remaining terms hereof shall constitute their agreement with respect to the subject matter hereof, and all such remaining terms shall remain in full force and effect.


XVII. Governing Law; Forum. 

a. This DPA shall be governed by the law of one of the EU Member States, provided such law allows for third-party beneficiary rights. The Parties agree that this shall be the law of the EU Member State where Customer is located at the time of the data transfer.  

b. Any dispute arising from this DPA shall be resolved by the courts of the EU Member State where Customer is located at the time of the data transfer.       

c. A Data Subject may also bring legal proceedings against Customer or Eko before the courts of the EU Member State in which the Data Subject has habitual residence. 

d. The Parties agree to submit themselves to the jurisdiction of such courts. 


XVIII. Order of Precedence. This DPA does not include GDPR requirements that are already required by HIPAA—this DPA shall be considered together with the Business Associate Agreement and, where GDPR is implicated, both shall form a part of the Underlying Agreement. In the event of a conflict between the Business Associate Agreement and the DPA, the requirement that is most protective of individual privacy shall prevail. Nothing in this DPA reduces Eko’s obligations under the Underlying Agreement or the Business Associate Agreement. In the event of any conflict or inconsistency between this DPA and the standard clauses of the Underlying Agreement, the Underlying Agreement shall prevail. 


Attachment A

This Attachment A includes certain details of the Processing of Personal Data as required by Article 28(3) GDPR.

CONTROLLER-TO-PROCESSOR PROCESSING

Parties: 

Data Exporter (Customer): 

Name: The name of Customer is the name provided upon creating an account in the Eko Services.

Customer’s Address and Contact Details are those Customer provided at the time Customer’s Eko Device(s) were ordered. To update Customer’s contact details, please contact Eko at contact@Ekohealth.com.

Role: Processor 

Data Importer (Eko): 

Name: Eko Devices, Inc.

Address: 1212 Broadway, Suite 100, Oakland, CA 9461

Contact: Jason Tugman

Eko Director of Information Technology & Data Security Officer

Privacy@ekohealth.com


Role: Processor

Subject matter and duration of the Processing of Personal Data

Subject Matter: Eko collects the following data: heart sounds, lung sounds, ECG data, diagnosed condition, mobile device accelerometer data, average heart rate, the location on the body where the recording was taken, local time, and geographic location of data acquisition. 

Duration of Processing: Personal Data processing shall not exceed the duration of Personal Data retention described below.


The nature and purpose of the Processing of Customer Personal Data

The software is provided in order to: 

  • Automatically transmit a Data Subject’s lung sounds, heart sounds, ECG data, and data analysis to the Data Subject’s provider; and 
  • Allow providers to access the transmitted Personal Data on Eko’s wireless, mobile, and web-based management systems and technologies.


The types of Customer Personal Data to be Processed

Eko will process account information, physiologic and usage data, and data pertaining to support inquiries.


The types of Sensitive Data to be Processed (if applicable) and applied restrictions or safeguards

Eko will process special categories of Personal Data including data concerning the health of the patient. Eko has implemented and shall maintain all reasonable and necessary technical and physical security controls to protect these data. Specific information on these protections is listed in Attachment C Description of Security Controls section of this document. 


The categories of Data Subject to whom the Personal Data relates

Personal Data relates to patients.  


The period for which Personal Data will be retained

We store your Personal Data for as long as the account is maintained and up to five (5) years after the account is closed. At the end of this five-year period, we may remove the Personal Data from the Eko databases and will request that our business partners remove the associated Personal Data from their databases. When we delete any information, it will be deleted from the active database, but may remain in our archives. However, once we disclose Personal Data to third parties, we may not be able to access that Personal Data any longer and cannot force the deletion or modification of any such information by the parties to whom we have made those disclosures. Written requests for deletion of Personal Data other than as described should be directed to privacy@ekohealth.com. We retain anonymized data indefinitely.


Eko’s activities relevant to the Personal Data Processed under this DPA

Where permitted by law, Eko uses Personal Data to: 

  • Provide, evaluate, and improve the software and services, including to provide Customers with heart sound analysis, lung sound analysis, and ECG analysis services and reports based on the analysis of health-related information, including physiologic data, health data, and data from third-party devices and services; 
  • Train Eko algorithms to improve services and devices; 
  • Analyze Eko products and their usage to enhance and improve the existing service, to develop new products and services, and to manage communications; and 
  • Perform accounting, auditing, and other internal functions.

Customer’s activities relevant to the Personal Data Processed under this DPA

Where permitted by law, the Customer uses Personal Data to: 

  • Collect, provide, and evaluate patient heart sound analysis, lung sound analysis, and ECG analysis services and reports based on the analysis of health-related information, including physiologic data, health data, and data from third-party devices and services.

SUB-PROCESSORS


Customer has authorized the use of the following Sub-Processors

Sub-Processor | Country where Processing will occur | Description of Processing

*EKO DOES NOT EXPORT CUSTOMER DATA. Customer’s use of the Service to export data outside the U.S. does not constitute an export by Eko.

Attachment B

This Attachment B includes certain details of the Processing of Personal Data as required by Article 28(3) GDPR.


CONTROLLER-TO-CONTROLLER PROCESSING

Parties:

Data Exporter (Customer): 


Name: The name of Customer is the name provided upon creating an account in the Eko Services.

Customer’s Address and Contact Details are those Customer provided at the time Customer’s Eko Device(s) were ordered. To update Customer’s contact details, please contact Eko at contact@ekohealth.com.

Role: Controller 


Name: Eko Devices, Inc.

Address: 1212 Broadway, Suite 100, Oakland, CA 9461


Contact: Jason Tugman

Eko Director of Information Technology & Data Security Officer

privacy@ekohealth.com


Role: Controller


Subject matter, duration, and frequency of the Processing of Personal Data


Subject Matter: Eko collects the following data: heart sounds, lung sounds, ECG data, diagnosed condition, mobile device accelerometer data, average heart rate, the location on the body where the recording was taken, local time, and geographic location of data acquisition. 


Duration of Processing: Personal Data processing shall not exceed the duration of Personal Data retention described below.

The nature and purpose of the Processing of Customer Personal Data

The software is provided in order to: 

  • Automatically transmit a Data Subject’s lung sounds, heart sounds, ECG data, and data analysis to the Data Subject’s provider; and 
  • Allow providers to access the transmitted Personal Data on Eko’s wireless, mobile, and web-based management systems and technologies.

The types of Customer Personal Data to be Processed

Eko will process account information, physiologic and usage data, and data pertaining to support inquiries. 

The types of Sensitive Data to be Processed (if applicable) and applied restrictions or safeguards

Eko will process special categories of Personal Data including data concerning the health of the patient. Eko has implemented and shall maintain all reasonable and necessary technical and physical security controls to protect these data. Specific information on these protections is listed in Attachment C Description of Security Controls section of this document. 

The categories of Data Subject to whom the Personal Data relates

Personal Data relates to patients.  

The period for which Personal Data will be retained

Eko retains Personal Data for as long as an account is active and for up to five (5) years after the account is closed. 

Eko’s activities relevant to the Personal Data Processed under this DPA

Where permitted by law, Eko uses Personal Data to: 

  • Provide, evaluate, and improve the software and services, including providing Customers with heart sound analysis, lung sound analysis, and ECG analysis services and reports based on the analysis of health-related information, including physiologic data, health data, and data from third-party devices and services; 
  • Train Eko algorithms to improve services and devices; 
  • Analyze Eko products and their usage to enhance and improve the existing service, to develop new products and services, and to manage communications; and 
  • Perform accounting, auditing, and other internal functions. 

Customer’s activities relevant to the Personal Data Processed under this DPA

Where permitted by law, the Customer uses Personal Data to: 

  • Collect, provide, and evaluate patient heart sound analysis, lung sound analysis, and ECG analysis services and reports based on the analysis of health-related information, including physiologic data, health data, and data from third-party devices and services.


Attachment C


DESCRIPTION OF SECURITY CONTROLS


  • Eko shall have in place security safeguards that are designed to conform to or exceed industry best practices regarding the protection of the confidentiality, integrity, and availability of Personal Data.  These information security safeguards shall be materially consistent with, or more stringent than, the safeguards described in this Schedule.
  • Eko’s information security safeguards are consistent with Federal and State Laws, HIPAA and GDPR, and industry best practices to protect the confidentiality, integrity, and availability of Personal Data. Eko uses a defence-in-depth strategy to ensure the security of Personal Data. This is achieved by utilizing the HITRUST Common Security as the foundation of our information security program.
  • Eko employs role-based access controls to servers containing Personal Data that are consistent with job duties and contractual requirements. Access to Personal Data is limited to authorized company employees having a “need to know.” Authorized employees must use an individual account and multi-factor authentication to gain access to Personal Data. Authorization is done on a “least privilege” model. 
  • Eko stores Personal Data on cloud servers housed within independently verified SSAE-16/SOC 1 Type II, ISO 27001, HIPAA, and GDPR certified data centers. All of Eko’s Sub-Processors are required to have a signed BAA (Business Associates Agreement) and, when applicable, a signed DPA (Data Processing Agreement) with Eko. All Sub-Processors are required to maintain security practices that meet or exceed those employed within the Eko secure architecture. Eko sub-contractors maintain appropriate audit practices to verify that their information security practices, policies, procedures, and operations meet or exceed industry standards for security, availability, confidentiality, and processing integrity.
  • Eko’s Sub-Processors encrypt Eko Personal Data at rest using only FIPS 140-2 approved algorithms (AES-256).
  • To secure data in transit, Eko utilizes HTTPS using TLS for all communication between Client Apps and the Cloud Platform. Communication between the application and 3rd party services is only done over HTTPS with AES-256 encryption. 
  • To secure data at rest, all databases that store personal data are configured to require an encrypted connection and audited to ensure that they do not allow unencrypted traffic. 
  • All Personal Data is stored in compliance with HIPAA and GDPR requirements. This includes a documented process for pseudonymization and the isolation of these data from their deriving Personal Data attributes.
  • In accordance with GDPR Article 35, prior to processing Personal Data, Eko performs a Data Processing Impact Assessment. This assessment is documented and an inventory of processing activities is kept. 
  • Eko’s systems and networks are constantly monitored for security incidents, system health, network and traffic anomalies, and availability. Eko performs periodic internal web application vulnerability assessments to ensure application security controls are properly applied and operating effectively as designed. On at least an annual basis, Eko performs external vulnerability and penetration testing. Vulnerability and penetration results are incorporated into the Eko Software Development Lifecycle (SDLC) to remediate vulnerabilities and internally tracked through resolution. 
  • To ensure prompt recovery from an availability event, at least annually, Eko Health conducts incident response and disaster recovery tabletop exercises. Defined data recovery testing is also performed and evidenced. 


SUPERVISORY AUTHORITY 


The competent Supervisory Authority under the Underlying Agreement and this DPA shall be the Supervisory Authority as defined in the EU GDPR.