This Data Processing Agreement (“DPA”) is concluded by and between ThinkWide Digital Health Pvt. Ltd. (“ThinkLab & ThinkRay”) and the Customer, subject to the provisions set out in the Principal Agreement(s) as defined below. There are some services in which, as the controller of the personal data, the customer will need to process some personal data that it has received from ThinkLab. The parties further understand that it pertains to all such processing that ThinkLab performs concerning the customer under the principal agreement and is in addition to the terms hereof.
The customer, as a controller of some of the PD, hereby appoints ThinkLab as the processor of the PD listed in the Schedule(s) herein, referred to as the data for the permitted purpose and the purposes mentioned in the Schedule(s), or as may be agreed in writing between the parties from time to time. Each party shall ensure that it and its affiliates shall, at all times, perform Section 9.2 in compliance with the applicable data protection law.
The meanings of the following terms are as per applicable data protection laws:
Considering the fact that ThinkLab operates on an international level, it could involve data exportation outside of the area of jurisdiction of the customer or data subjects. Such transfers will be done according to current laws or other requirements that govern the transfer of personal data out of the European Economic Area (EEA). Transfers may be done to a third country where the recipient has obtained authorization in compliance with the BCRs of the data exporter under the Applicable Data Protection Law, or they may be done to a third country where the recipient undertakes to implement standard contractual clauses as set by the European Commission or a supervisory authority of its Member State.
According to the GDPR on Data Protection, ThinkLab will make sure that any person authorized to process such personal data (referred to as an “authorized person”) has pledged to keep the said personal data a secret.
These measures will be included in a schedule that ThinkLab will employ to protect personal data from (i) accidental or unlawful destruction and (ii) loss, disclosure, or access to the personal data without the subject’s authorization.
In this case, the customer is the data controller, and they allow ThinkLab the right to subcontract third parties to work on the data to achieve the permitted purpose. However, ThinkLab must adhere to certain conditions:
ThinkLab must prepare the list of sub-processors and send an update at least 10 days (about 1 and a half weeks) before the changes.
Data protection issues must be agreed upon by ThinkLab with sub-processors as implemented in the Applicable Data Protection Law concerning the protection of personal data.
To clarify the responsibility of ThinkLab in the case when this clause was violated due to the actions or inaction of the sub-processor, it should be stated that.
The customer has the right to object to any appointment or replacement of a sub-processor by ThinkLab before effecting the change. However, if the objection has merit, the customer shall be entitled to pass a resolution to ThinkLab to either suspend or halt the processing. As for other fees chargeable or payable by the customer under the principal agreement before suspension or termination of this agreement, this action does not apply to them.
ThinkLab will provide reasonable and timely assistance to the customer (at the customer's expense) to help the customer respond to:
Any data subject’s request for any practice concerning their rights under the Applicable Data Protection Law. This comprises rights that include the right to access, the right to rectification, the right to object, the right to erasure, and the right to data portability, where applicable.
Any other message, request, or complaint made by the data subject, the regulations’ authority, or any other party about data processing.
However, to the extent such requests, inquiries, or complaints have been made directly to ThinkLab, it shall promptly communicate to the customer the same in detail.
If ThinkLab becomes aware of a confirmed personal data breach, it has to notify the customer that there has been a breach. ThinkLab will provide the customer with reasonable cooperation and support on how to fulfill its reporting duties in case of any data breach as determined by the applicable data protection law. To handle the effects of a particular data violation, ThinkLab will also take the required actions to reverse or alleviate the consequences. At the same time, ThinkLab will update the customer on any essential news connected to the breach.
Upon the termination or expiration of the principal agreement, ThinkLab has two options regarding personal data in its possession or control, as elected by the customer:
Disposal of the personal data
Return the tape containing the personal data to the customer.
This obligation does not apply if the applicable law mandates the retention of some or all of the personal data by ThinkLab.
Moreover, it does not cover personal data stored in the backup systems; such data needs to be segregated and protected from further processing unless needed for some inevitable legal purposes, which is the case for ThinkLab at the moment.
ThinkLab admits that it undergoes various international standards checks from independent third-party auditors, as stated in the Schedule(s). This audit report will be kept by ThinkLab, but at the customer’s request, a summarized version of the audit report shall be provided to the latter. All these reports will be governed by the following terms and conditions regarding confidentiality:
ThinkLab will also be able to answer any written audit questions from the customer under the provision that the customer shall not be able to exercise this right more than once in the year. However, if a supervisory authority directly requires an audit, ThinkLab will always help the customer deal with the request and arrange the audit.
Any claim against one party by the other in relation to the contract’s breach, negligence, breach of a statutory duty, or other breach regarding these terms and conditions will be limited as provided in the principal agreement.
So too shall the Principal Agreement be governed by these terms and conditions, except where processing of EU residents or citizens’ data is involved or the Principal Agreement's jurisdiction is not governed by the law of a member state. If this is so, the laws of the Republic of Ireland will be presumed to govern the situation. These terms and conditions, and the terms of the principal agreement mentioned hereinabove, contain the entire understanding of the parties on the matters dealt with in this agreement.
This schedule describes the technical and organizational security measures implemented by ThinkLab as the processor:
Secure User Authentication Protocols: This involves moderating the user identification and other identification codes, utilizing proper methods of assigning and selecting passwords (or employing two-factor authentication), making sure that the data security passwords are stored properly, restricting the access of the personal information records to only the personnel who are authorized, and making sure that there are proper identification and passwords to maintain the strengths of the access control.
Encryption of Transmitted Data: To the extent that is technologically possible, ThinkLab also practices encryption of all the records and files, which contain personal information, that are shared over the internet, as well as data that is transmitted using wireless networks.
Monitoring Systems: Also, reasonable monitoring at ThinkLab is put in place to identify persons who might have accessed or are accessing personal information in an unauthorized manner.
Encryption of Data on Portable Devices: When it comes to the storage of personal information on laptops or any other portable equipment, all information is encrypted.
Operating System Security Patches: ThinkLab procures relevant security updates for the operating systems of the systems that are linked to the internet to keep the integrity of personal information intact.
Security Agent Software: The protective aspects of ThinkLab’s environment also include reasonably current malware protection software and patches, virus definitions, and up-to-date regular security updates.
Employee Training: At ThinkLab, there is more awareness created about the usage of computer security systems and personal information security among the employees of the firm.
Permitted Purpose: The personal data that may be processed under the Permitted Purpose includes information about ThinkLab’s customers in order to provide ThinkLab Cloud LIS and SaaS services. This processing is completed in compliance with the terms and conditions specified in the principal agreement and is executed based on the customer’s request.