This Data Processing Addendum ("DPA"), which includes the Business Associate Agreement ("BAA") clauses in Section 6, forms part of the Master Service Agreement (the "Agreement") between the Client ("Data Controller") and Continuous Labs SpA, operating as VeriFlow.me ("Data Processor").
1. Subject Matter, Duration, Nature, and Purpose of Processing
- Subject Matter: The processing of Personal Data for the provision of credential verification services by the Data Processor to the Data Controller.
- Duration: The processing will be carried out for the term of the Agreement.
- Nature and Purpose: The collection, storage, consultation, and communication of Personal Data for the sole purpose of verifying professional credentials as instructed by the Data Controller.
- Types of Personal Data and Categories of Data Subjects: The types of Personal Data and categories of Data Subjects are as described in the Data Processor's Privacy Policy.
2. Roles and Responsibilities
The parties agree that, for the purposes of applicable Data Protection Laws, the Client is the Data Controller (or "Business" / "Covered Entity") and VeriFlow.me is the Data Processor (or "Service Provider" / "Business Associate"). This definition is the basis upon which all subsequent obligations are built.
3. Obligations of the Data Processor (VeriFlow.me)
3.1. Processing under Documented Instructions: The Data Processor shall process Personal Data only on documented instructions from the Data Controller, unless required to do so by Union or Member State law to which the Data Processor is subject; in that case, the Data Processor shall inform the Data Controller of that legal requirement before processing, unless the law prohibits such information on important grounds of public interest.
3.2. Confidentiality: The Data Processor shall ensure that all personnel authorized to process Personal Data have committed themselves to confidentiality.
3.3. Security of Processing: The Data Processor shall implement and maintain appropriate technical and organizational measures (TOMs) to ensure a level of security appropriate to the risk, protecting data against unauthorized or unlawful processing and against accidental loss, destruction, or damage. These measures will be detailed in an Annex to this DPA and will include, at a minimum, encryption of data in transit and at rest, strict access controls, and incident response plans.
3.4. Sub-processors: The Data Processor shall not engage another processor (a "Sub-processor") without the prior specific or general written authorization of the Data Controller. In the case of general written authorization, the Data Processor shall inform the Data Controller of any intended addition or replacement of Sub-processors, thereby giving the Data Controller the opportunity to object to such changes. The Data Processor shall impose on each Sub-processor, by way of a written contract, the same data protection obligations as set out in this DPA, and shall remain fully liable to the Data Controller for the performance of the Sub-processor's obligations.
3.5. Assistance with Data Subject Rights: The Data Processor shall assist the Data Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Controller's obligation to respond to requests for exercising the Data Subject's rights.
3.6. Notification of Personal Data Breaches: The Data Processor shall notify the Data Controller without undue delay after becoming aware of a Personal Data Breach. The notification shall, to the extent known, describe the nature of the breach, the categories and approximate number of Data Subjects and records concerned, the likely consequences, and the measures taken or proposed to address it, so that the Data Controller can meet its own notification obligations to supervisory authorities and Data Subjects within the statutory deadlines. Information that is not available at the time of the initial notification shall be provided in phases without undue further delay.
3.7. Data Protection Impact Assessments: The Data Processor shall assist the Data Controller in carrying out data protection impact assessments (DPIAs), where necessary.
4. Obligations of the Data Controller (The Client)
The Data Controller is solely responsible for the accuracy, quality, and legality of the Personal Data and the means by which it acquired such Personal Data. The Data Controller warrants that its processing instructions comply with all applicable Data Protection Laws.
5. Audit Rights
The Data Processor shall make available to the Data Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA and shall allow for and contribute to audits, including inspections, conducted by the Data Controller or an auditor mandated by the Data Controller. Such audits shall normally be satisfied by the Data Controller's review of the Data Processor's current third-party audit reports (e.g., SOC 2, ISO 27001); any further audit or inspection shall be conducted no more frequently than once per year, on reasonable notice and at a mutually agreed time.
6. Specific Provisions for HIPAA Compliance (Business Associate Clauses)
This section applies only if the Client is a "Covered Entity" and the Personal Data processed under the Agreement includes "Protected Health Information" (PHI), as defined in HIPAA.
6.1. HIPAA-Specific Definitions: Terms used in this section shall have the meanings ascribed to them in HIPAA and the HITECH Act.
6.2. Permitted Uses and Disclosures of PHI: The Data Processor (as "Business Associate") shall not use or disclose PHI other than as permitted or required by the Agreement or as Required By Law.
6.3. Safeguards for PHI: The Data Processor shall implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic PHI that it creates, receives, maintains, or transmits on behalf of the Data Controller (the "Covered Entity").
6.4. Breach Notification: The Data Processor shall notify the Data Controller of any Breach of Unsecured PHI without unreasonable delay, and in no case later than 60 calendar days after discovery of the Breach, in accordance with the HIPAA Breach Notification Rule. The notification shall include, to the extent possible, the identification of each individual whose Unsecured PHI has been, or is reasonably believed to have been, accessed, acquired, used, or disclosed, together with any other information the Data Controller requires to fulfil its own notification obligations to individuals, the Secretary of Health and Human Services, and the media. Where the obligation in Section 3.6 also applies, the Data Processor shall satisfy both.
6.5. Supremacy Clause for Data Protection Obligations: In the event of a conflict between the provisions of this DPA relating to GDPR and those relating to HIPAA, the provision that imposes the stricter data protection standard shall prevail. Nothing in this clause relieves either party of an obligation imposed directly on it by applicable Data Protection Laws.