
Data Processing Addendum

Parties And Background

(A) Customer ("Customer") has entered into an agreement with Tenet Data Systems, Inc. ("Tenet") (each a "Party" and collectively the "Parties") under which Tenet has agreed to provide the Services in accordance with such agreement (the "Agreement"). This Data Processing Addendum (the "DPA") is incorporated into and forms part of the Agreement and shall be effective on the effective date of the Agreement.

(B) To the extent that Tenet processes any Customer Personal Data (as defined below) on behalf of the Customer (or where applicable, the Customer's end user defined as "Customer End User") in connection with the provision of the Services, the Parties have agreed that it shall do so on the terms of this DPA.

Please note that the Tenet DPA has been modified to reflect Tenet's certification under the EU-U.S. Data Privacy Framework. The Data Privacy Framework (including the Swiss-U.S. Privacy Framework and the UK Extension to the DPF) has been formally approved by the United States Department of Commerce and the European Commission, and the European Commission has adopted an adequacy decision in favor of the DPF. This means that personal data from the European Union (EU), Switzerland and the United Kingdom (UK) can be safely transferred from those locations by Tenet customers to Tenet in the United States (U.S.). The DPF replaces the Privacy Shield and, like Privacy Shield, personal data can be transferred to companies in the U.S. who are certified under the DPF without the need to enter into additional data transfer mechanisms such as the Standard Contractual Clauses or Binding Corporate Rules.

1. Definitions

1.1 Capitalized terms used but not defined within this DPA shall have the meaning set forth in the Agreement. The following capitalized terms used in this DPA shall be defined as follows:

  • "Account Information" means Customer's information, including Personal Data of Customer and Customer End User's users, provided for account creation, access, administration, and maintenance, and may include names, usernames, login credentials, phone numbers, email addresses, and billing information associated with a Tenet account;
  • "Australian Data Protection Laws" means the Australian Privacy Act 1988 and the Australian Privacy Principles at Schedule 1 to the Australian Privacy Act 1988;
  • "End User" or "Customer End User" means an entity that is a user of Customer's services;
  • "Applicable Data Protection Laws" means all applicable laws, rules, regulations and governmental requirements relating to the privacy, confidentiality, or security of Personal Data, as they may be amended or otherwise updated from time to time;
  • "Approved Addendum" means the template addendum, version B.1.0 issued by the UK Information Commissioner under S119A(1) Data Protection Act 2018 and laid before the UK Parliament on 2 February 2022, as it may be revised according to Section 18 of the Mandatory Clauses;
  • "Customer Personal Data" means the Personal Data processed by Tenet on behalf of Customer or Customer End User in connection with the provision of the Services, which, however, specifically excludes Personal Data contained in Account Information;
  • "DPF" or "Data Privacy Framework" means the EU-U.S. Data Privacy Framework, or where applicable, the UK Extension to the EU-U.S. Data Privacy Framework and the Swiss-U.S. Data Privacy Framework;
  • "EEA" means the European Economic Area;
  • "GDPR" means Regulation (EU) 2016/679 (the "EU GDPR") or, where applicable, the "UK GDPR" as defined in section 3 of the Data Protection Act 2018;
  • "LGPD" means the Brazilian General Data Protection Law (Lei Geral de Proteção de Dados Pessoais);
  • "Mandatory Clauses" means "Part 2: Mandatory Clauses" of the Approved Addendum;
  • "Member State" means a member state of the EEA, being a member state of the European Union, Iceland, Norway, or Liechtenstein;
  • "Personal Data" means any information relating to an identified or identifiable individual or device, or is otherwise "personal data," "personal information," "personally identifiable information" and similar terms, and such terms shall have the same meaning as defined by Applicable Data Protection Laws;
  • "Security Incident" means a breach of information or network security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to, Customer Personal Data;
  • "Standard Contractual Clauses" or "SCCs" means Module Two (controller to processor) and/or Module Three (processor to processor) of the Standard Contractual Clauses annexed to Commission Implementing Decision (EU) 2021/914;
  • "Sub-processor" means third-party processors appointed by Tenet to process Customer Personal Data;
  • "UK" means the United Kingdom of Great Britain and Northern Ireland; and
  • "US Data Protection Laws" means, to the extent applicable, federal and state laws relating to data protection, the Processing of Personal Data, privacy and/or data protection in force from time to time in the United States.

1.2 The terms "controller", "processor", "data subject", "process", "supervisory authority", "sell", and "service provider" shall have the same meaning as set out in the Applicable Data Protection Laws.

2. Interaction With The Agreement

2.1 This DPA supplements and (in case of contradictions) supersedes the Agreement with respect to any processing of Customer Personal Data.

2.2 With respect to Customer End Users, by entering into the Agreement Customer warrants it is duly authorized to enter into this DPA for and on behalf of any such Customer End Users and, subject to clause 2.3, each Customer End User shall be bound by the terms of this DPA as if they were the Customer.

2.3 Customer warrants that it is duly mandated by any Customer End Users on whose behalf Tenet processes Customer Personal Data in accordance with this DPA to (a) enforce the terms of this DPA on behalf of the Customer End Users, and to act on behalf of the Customer End Users in the administration and conduct of any claims arising in connection with this DPA; and (b) receive and respond to any notices or communications under this DPA on behalf of Customer End Users.

2.4 The Parties agree that any notice or communication sent by Tenet to Customer shall satisfy any obligation to send such notice or communication to a Customer End User.

3. Role Of The Parties

3.1 The Parties acknowledge and agree that:

(a) for the purposes of the GDPR, Tenet acts as "processor" or "sub-processor." Tenet's function as processor or sub-processor will be determined by the function of Customer:

  • (i) In general, Customer functions as a controller, whereas Tenet functions as a processor.
  • (ii) In certain cases, Customer functions as a processor on behalf of Customer's customers where Customer and Customer's customer have concluded a data processing agreement in relation to the processing of Personal Data of Customer's customers and Tenet is a sub-processor; and
  • (iii) With respect to Account Information, Tenet is an independent controller, not a joint controller with Customer. Tenet will process Account Information as a controller to manage the relationship with Customer; carry out Tenet's core business operations; to comply with legal or regulatory obligations applicable to processing and retention of Account Information; and as otherwise permitted under Applicable Data Protection Laws, this DPA and the Agreement. Tenet may also process Account Information as a controller to provide, optimize, and maintain the Services, to the extent permitted by Applicable Data Protection Laws. Any processing by Tenet as a controller shall be in accordance with Tenet's Privacy Policy.

(b) Except for Account Information, for the purposes of the US Data Protection Laws, Tenet will act as a "service provider" or "processor" (as applicable) in its performance of its obligations pursuant to the Agreement.

4. Details Of Data Processing

4.1 The details of data processing (such as subject matter, nature and purpose of the processing, categories of Personal Data and data subjects) are described in the Agreement and in Schedule 1.

4.2 Customer Personal Data will only be processed on behalf of and under the instructions of Customer and in accordance with Applicable Data Protection Laws. The Agreement and this DPA shall be Customer's instructions for the processing of Customer Personal Data. Customer may issue further written instructions in accordance with this DPA.

4.3 If Customer's instructions will cause Tenet to process Customer Personal Data in violation of Applicable Data Protection Laws or outside the scope of the Agreement or the DPA, Tenet shall promptly inform Customer thereof, unless prohibited by Applicable Data Protection Laws (without prejudice to the SCCs).

4.4 Tenet may store and process Customer Personal Data anywhere Tenet or its Sub-processors maintain facilities, subject to clause 5 of this DPA.

5. Sub Processors

5.1 Customer grants Tenet general authorization to engage Sub-processors, subject to clause 5.2, from an agreed list, as well as Tenet's current Sub-processors listed at /legal/subprocessors as of the Effective Date.

5.2 Tenet shall (i) enter into a written agreement with each Sub-processor imposing data protection obligations no less protective of Customer Personal Data than Tenet's obligations under this DPA to the extent applicable to the nature of the services provided by such Sub-processor; and (ii) remain liable for each Sub-processor's compliance with the obligations under this DPA.

5.3 Tenet shall provide Customer with at least fifteen (15) days' notice of any proposed changes to the Sub-processors it uses to process Customer Personal Data (including any addition or replacement of any Sub-processors). Customer may reasonably object to Tenet's use of a new Sub-processor (including when exercising its right to object under clause 9(a) of the SCCs) by providing Tenet with written notice of the objection within ten (10) days after Tenet has provided notice to Customer of such proposed change (an "Objection"). In the event Customer objects to Tenet's use of a new Sub-processor, Customer and Tenet will work together in good faith to find a mutually acceptable resolution to address such Objection. If the parties are unable to reach a mutually acceptable resolution within a reasonable timeframe, either party may, as its sole and exclusive remedy, terminate the Agreement by providing written notice to the other party. During any such Objection period, Tenet may suspend the affected portion of the Services.

6. Data Subject Rights Requests

6.1 As between the Parties, Customer shall have sole discretion and responsibility in responding to the rights asserted by any individual in relation to Customer Personal Data ("Data Subject Request").

6.2 Tenet will forward to Customer without undue delay any Data Subject Request received by Tenet or any Sub-processor from an individual in relation to their Customer Personal Data and may advise the individual to submit their request directly to Customer.

6.3 Tenet will (taking into account the nature of the processing of Customer Personal Data) provide Customer and its End Users with the ability to utilize an application programming interface (API) for self-service functionality through the Services or other reasonable assistance as necessary for Customer to fulfill its obligation under Applicable Data Protection Laws to respond to Data Subject Requests. Tenet may charge Customer, and Customer shall reimburse Tenet, for any such assistance beyond providing self-service features included as part of the Services.

7. Security And Audits

7.1 Tenet will implement and maintain appropriate technical and organizational data protection and security measures designed to ensure security of Customer Personal Data, including, without limitation, protection against unauthorized or unlawful processing (including, without limitation, unauthorized or unlawful disclosure of, access to and/or alteration of Customer Personal Data) and against accidental loss, destruction, or damage of or to it.

7.2 Tenet will implement and maintain as a minimum standard the measures set out in Schedule 2. Tenet may update or modify the security measures set out in Schedule 2 from time to time, provided that such updates and/or modifications do not reduce the overall level of protection afforded to the Customer Personal Data by Tenet under this DPA.

7.3 Customer or its independent third-party auditor reasonably acceptable to Tenet (which shall not include any auditors who are not suitably qualified or independent or are a competitor of Tenet) may audit Tenet's compliance with its obligations under this DPA up to once per year, or more frequently in the event a Security Incident has occurred or to the extent required by applicable data protection laws, including where mandated by Customer's regulatory or governmental authority.

7.4 To request an audit, Customer must submit a detailed proposed audit plan to Tenet at least two weeks in advance of the proposed audit date. Tenet will review the proposed audit plan and work cooperatively with Customer to agree on a final audit plan. All such audits must be conducted during regular business hours, subject to the agreed final audit plan and Tenet's health and safety or other relevant policies, and may not unreasonably interfere with Tenet business activities. Nothing in this clause 7.4 shall require Tenet to breach any duties of confidentiality.

7.5 If the requested audit scope is addressed in an ISO 27001 certification, SOC 2 Type 2 report or similar audit report performed by a qualified third-party auditor within twelve (12) months of Customer's audit request and Tenet confirms there are no known material changes in the controls audited, Customer agrees to accept those findings in lieu of requesting an audit of the controls covered by the report.

7.6 Customer will promptly notify Tenet of any non-compliance discovered during the course of an audit and provide Tenet any audit reports generated in connection with any audit, unless prohibited by applicable law or otherwise instructed by a regulatory or governmental authority. Customer may use the audit reports only for the purposes of meeting Customer's regulatory audit requirements and/or confirming compliance with the requirements of this DPA.

7.7 Any audits are at Customer's expense. Customer shall reimburse Tenet for any time expended by Tenet or its Sub-processors in connection with such audits.

7.8 Customer acknowledges and agrees that, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the security measures set out in Schedule 2 are appropriate to ensure the security of the Customer Personal Data.

8. Security Incidents

Tenet will promptly notify Customer in writing in the event of any breach of this DPA, Applicable Data Protection Laws or any instruction by Customer in connection with the processing of Customer Personal Data under this DPA. Without limiting the generality of the foregoing, Tenet shall notify Customer in writing without undue delay after becoming aware of any Security Incident, and reasonably cooperate in the investigation of any such Security Incident and any obligation of Customer under Applicable Data Protection Laws to make any notifications to individuals, supervisory authorities, governmental or other regulatory authority, or the public in respect of such Security Incident. Tenet shall take reasonable steps to contain, investigate, and mitigate any Security Incident, and shall, without undue delay, send Customer timely information about the Security Incident, including, but not limited to, the nature of the Security Incident, the measures taken to mitigate or contain the Security Incident, and the status of the investigation. Tenet's notification of or response to a Security Incident under this clause 8 will not be construed as an acknowledgement by Tenet of any fault or liability with respect to the Security Incident.

9. Deletion And Return

Tenet shall (a) if requested to do so by Customer by the date of termination or expiry of the Agreement, return a copy of all Customer Personal Data or provide self-service functionality allowing Customer to do the same; and (b) within 90 days of the termination or expiry of the Agreement, delete and use all reasonable efforts to procure the deletion of all other copies of Customer Personal Data processed by Tenet or any Sub-processors.

10. Contract Period

This DPA will commence on the Effective Date and, notwithstanding any termination of the Agreement, will remain in effect until, and automatically expire upon, Tenet's deletion of all Customer Personal Data as described in this DPA.

11. Cross Border Data Transfers

11.1 Standard Contractual Clauses

The Parties agree that the terms of the Standard Contractual Clauses Module One (Controller to Controller), Module Two (Controller to Processor) and Module Three (Processor to Processor), as further specified in Schedule 3 of this DPA, are hereby incorporated by reference and shall be deemed to have been executed by the Parties and apply to any transfers of Customer Personal Data falling within the scope of the GDPR from Customer (as data exporter) to Tenet (as data importer) to the extent and for as long as Tenet cannot rely on the DPF according to clause 11.2.

11.2 Data Privacy Framework

Tenet is self-certified under the DPF and complies with the data privacy principles thereunder. To the extent and for as long as the DPF is acknowledged as a valid transfer mechanism in the relevant country/region, Personal Data originating from the EEA, UK, or Switzerland, or otherwise being subject to the GDPR shall be transferred on the basis of the DPF. See Tenet's DPF Policy here.

11.3 Support for Cross-Border Data Transfers

Tenet will provide Customer reasonable support to enable Customer's compliance with the requirements imposed on the transfer of personal data to third countries with respect to data subjects located in the EEA, Switzerland, and UK. Tenet will, upon Customer's request, provide information to Customer which is reasonably necessary for Customer to complete a transfer impact assessment ("TIA"). Tenet further agrees to implement the supplementary measures agreed upon and set forth in Schedule 4 of this DPA in order to enable Customer's compliance with requirements imposed on the transfer of personal data to third countries. Tenet may charge Customer, and Customer shall reimburse Tenet, for any assistance provided by Tenet with respect to any TIAs, data protection impact assessments or consultation with any supervisory authority of Customer.

12. Customer Personal Data Subject To The UK And Swiss Data Protection Laws

To the extent that the processing of Customer Personal Data is subject to UK or Swiss data protection laws, the UK Addendum and/or Swiss Addendum (as applicable) set out in Schedule 5 shall apply.

13. Customer Personal Data Subject To US Data Privacy Laws

To the extent that the processing of Customer Personal Data is subject to US Data Protection Laws, the U.S. Addendum set out in Schedule 6 shall apply.

The Customer understands and agrees that if it is using the Services for purposes of storing or transmitting protected health information under US Data Protection Laws, it must separately enter into and execute a Business Associate Agreement ("BAA") if Customer qualifies as a Covered Entity or Business Associate. Where the parties have entered into a BAA, the BAA shall take precedence over this DPA with respect to any protected health information.
