In the provision of certain services under the terms of the Principal Agreement(s) as defined below, Customer, as controller, will require ThinkWide Digital Health Pvt. Ltd. (“ThinkLab”) to process certain personal data received from Customer.
The parties agree that these terms and conditions shall apply to all such processing undertaken by ThinkLab on behalf of Customer and shall be supplemental to the terms of the Principal Agreement.
Customer, as the controller of certain personal data, appoints ThinkLab as the processor to process the personal data listed in the Schedule(s) (referred to as the "Data") for the purposes also described in the Schedule(s) or as otherwise agreed in writing by the parties (referred to as the "Permitted Purpose"). Both parties shall comply with their respective obligations under Applicable Data Protection Law.
In these terms and conditions:
"Principal Agreements" refers to any agreement between ThinkLab and Customer in which ThinkLab provides services or licenses to Customer, including ThinkLab SaaS Service Terms and Conditions, ThinkLab Customer Agreement (License Agreement), and Services Agreement.
Terms such as "controller," "processor," "data subject," "personal data," "personal data breach," "processing," "special categories of personal data," and "supervisory authority" have the meanings given in Applicable Data Protection Law.
"Applicable Data Protection Law" refers to the relevant data protection laws, such as the EU Data Protection Directive (Directive 95/46/EC) prior to May 25, 2018, the EU General Data Protection Regulation (Regulation 2016/679) on and after May 25, 2018, and any applicable privacy laws in relevant jurisdictions where personal data of non-EU residents is processed. Other terms have the meanings defined in the applicable Principal Agreement.
Given ThinkLab's global operations, there may be a necessity to transfer personal data out of the country where the Customer or data subjects are located. All such transfers will comply with applicable laws or other measures that allow lawful transfers of personal data out of the European Economic Area (EEA). This may include transferring personal data to a recipient that has obtained authorization through binding corporate rules in accordance with Applicable Data Protection Law or to a recipient that has executed standard contractual clauses approved by the European Commission.
ThinkLab will ensure that any person authorized to process the personal data (referred to as an "Authorized Person") has committed to maintaining the confidentiality of such personal data.
ThinkLab will implement the technical and organizational measures outlined in the Schedule to protect personal data from (i) accidental or unlawful destruction and (ii) loss, alteration, unauthorized disclosure, or access to the personal data.
As the data controller, the Customer grants ThinkLab permission to engage third-party sub-processors for processing the Data for the Permitted Purpose. However, ThinkLab must adhere to certain conditions:
ThinkLab must maintain an up-to-date list of its sub-processors, updating this list at least 10 days before any changes take effect.
ThinkLab must impose data protection terms on its sub-processors, requiring them to protect personal data as mandated by Applicable Data Protection Law.
ThinkLab remains liable for any breach of this Clause resulting from its sub-processor's actions or oversights.
The Customer has the right to object to ThinkLab's appointment or replacement of a sub-processor before such changes occur. If a valid objection exists, the Customer can require ThinkLab to suspend or terminate processing activities. This action does not affect any fees incurred or committed to by the Customer under the Principal Agreement before suspension or termination.
ThinkLab will provide reasonable and timely assistance to the Customer (at the Customer's expense) to help the Customer respond to:
Any data subject's request to exercise their rights under Applicable Data Protection Law. This includes rights like access, correction, objection, erasure, and data portability, where applicable.
Any other communication, inquiry, or complaint received from a data subject, regulatory authority, or third party related to Data processing.
If ThinkLab directly receives such requests, inquiries, or complaints, it will promptly inform the Customer, providing comprehensive detail.
If ThinkLab becomes aware of a confirmed personal data breach, it must promptly inform the Customer. ThinkLab will provide the Customer with reasonable information and cooperation to help the Customer meet its data breach reporting obligations as required by Applicable Data Protection Law. ThinkLab will also take necessary measures to remedy or mitigate the effects of the personal data breach. Throughout this process, ThinkLab will keep the Customer informed of significant developments related to the breach.
Upon the termination or expiration of the Principal Agreement, ThinkLab has two options regarding personal data in its possession or control, as elected by the Customer:
Additionally, it does not apply to personal data archived on backup systems, which ThinkLab must securely isolate and protect from further processing, except as required by law.
ThinkLab acknowledges that it is regularly audited for compliance with various internationally recognized standards, as detailed in the Schedule(s), by independent third-party auditors. Upon request, ThinkLab will provide a summary copy of its audit report(s) to the Customer. These reports will be subject to the confidentiality provisions outlined in these terms and conditions.
ThinkLab will also respond to any written audit questions from the Customer, with the condition that the Customer exercises this right no more than once per year. However, if a Supervisory Authority directly requests an audit, ThinkLab will always assist the Customer in responding to the request and organizing the audit.
The liability of each party to the other concerning any individual claim for breach of contract, negligence, breach of statutory duty, or any other breach related to these terms and conditions will be subject to the limitations outlined in the Principal Agreement.
The laws governing the Principal Agreement will also apply to these terms and conditions, except when personal data of EU residents or citizens is being processed, and the jurisdiction of the Principal Agreement is not that of a member state of the EU. In such cases, the laws of the Republic of Ireland will apply by default. These terms and conditions, along with the terms of the Principal Agreement referenced herein, constitute the entire agreement between the parties regarding their subject matter.
This schedule provides a description of the technical and organizational security measures implemented by ThinkLab as the processor:
Secure User Authentication Protocols: This includes controlling user IDs and other identifiers, providing secure methods for assigning and selecting passwords (or using two-factor authentication), ensuring data security passwords are stored securely, restricting access to personal information records to authorized personnel, and assigning unique identifications and passwords to maintain access control integrity.
Encryption of Transmitted Data: ThinkLab encrypts, to the extent technically feasible, all records and files containing personal information transmitted across public networks, as well as data transmitted wirelessly.
Monitoring Systems: ThinkLab implements reasonable monitoring of its systems to detect unauthorized use or access to personal information.
Encryption of Data on Portable Devices: All personal information stored on laptops or other portable devices is encrypted.
Operating System Security Patches: ThinkLab provides reasonably up-to-date security patches for the operating systems of systems connected to the internet to maintain the integrity of personal information.
Security Agent Software: ThinkLab ensures the use of reasonably up-to-date versions of system security agent software, including malware protection, patches, virus definitions, and regular updates for security.
Employee Training: ThinkLab educates and trains its employees on the proper use of computer security systems and emphasizes the importance of personal information security.
Permitted Purpose: The Permitted Purpose for processing Personal Data is to deliver ThinkLab Cloud LIS & SaaS Services to the Customer. This processing is performed in strict accordance with the terms and conditions outlined in the Principal Agreement and is carried out based on the Customer's instructions.