Data Processing and Sharing Agreement
The Customer has entered into or shall enter into a separate agreement with LUXXERA that governs the provision of the Services by LUXXERA to the Customer and their receipt by the Customer (the “Terms”).
This Agreement is supplementary to the Terms and sets out the additional terms on which LUXXERA and the Customer may process Personal Data as part of the provision of the LUXXERA Services to the Customer under the Terms.
1. Definitions
1.1. Capitalised terms used but not defined in this Agreement have the meaning given to them in the Terms and all rules of interpretation as set out in the Terms shall apply in this Agreement.
1.2. The following additional definitions shall apply in this Agreement:
Appropriate Safeguards: means such legally enforceable mechanism(s) for transfers of Personal Data as may be permitted under the Data Protection Legislation from time to time, including the EU Standard Contractual Clauses together with the UK IDTA (as applicable), or any other mechanism set out in Article 46 of the EU GDPR or the UK GDPR (as applicable).
Business Purposes: the LUXXERA Services to be provided by LUXXERA to the Customer as described in the Terms and any other purposes specifically identified in Annex A.
Commissioner: the Information Commissioner (see Article 4(A3), UK GDPR and section 114, DPA 2018).
Controller, Processor, Data Subject, Personal Data, Personal Data Breach and Processing: have the meanings given to them in the Data Protection Legislation.
Data Protection Legislation: to the extent the UK GDPR applies, the law of the United Kingdom or of a part of the United Kingdom which relates to the protection of Personal Data; to the extent the EU GDPR applies, the law of the European Union or of any member state of the European Union to which LUXXERA or the Customer is subject, which relates to the protection of Personal Data; and, in each case, any applicable national implementing laws, regulations and secondary legislation relating to the processing of Personal Data and the privacy of electronic communications.
EEA: the European Economic Area.
EU GDPR: the General Data Protection Regulation 2016/679.
EU Standard Contractual Clauses: means the standard contractual clauses approved by the European Commission in Commission Implementing Decision (EU) 2021/914 of 4 June 2021, for transfers of Personal Data to third countries not otherwise recognised by the European Commission as offering an adequate level of protection for Personal Data (as amended and updated from time to time).
Personal Data: means Personal Data (as defined under applicable Data Protection Legislation) shared between the parties pursuant to the provisions of the Terms and this Agreement, including but not limited to that specified in Annex A.
Restricted Transfer: means a transfer of Personal Data between the parties to this Agreement in circumstances where, in the absence of the obligations created by this Agreement, the export of the Personal Data would be in breach of the applicable Data Protection Legislation.
SCCs: means: (i) where the EU GDPR applies, the standard contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries, published at https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32021D0914&qid=1693902889407 (“EU SCCs”); and (ii) where the UK GDPR applies, standard data protection clauses adopted pursuant to Article 46(2)(c) of the UK GDPR (“UK SCCs”).
Supervisory Authority: means a governmental or government chartered regulatory body having binding legal authority over a party.
Third Country: means a country or territory that is not part of the United Kingdom or the EEA.
UK DPA 2018: means the UK Data Protection Act 2018.
UK GDPR: means the EU GDPR as transposed into United Kingdom national law by operation of section 3 of the European Union (Withdrawal) Act 2018, together with the UK DPA 2018.
UK IDTA: means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner under section 119A(1) UK DPA 2018, Version B1.0, in force as of 21 March 2022.
2. Data Protection Obligations
2.1. The parties envisage that under this Agreement:
(a) Each party is a separate independent Data Controller of the Personal Data processed for the provision and receipt of the LUXXERA Services in respect of the Personal Data of prospective patients/end-users as specified in Annex A Part 1 (“C2C Processing”); and
(b) LUXXERA may act as a Data Processor on behalf of the Customer in respect of the Personal Data it processes of the Customer’s members of staff, personnel and medical institutions for the provision and receipt of the LUXXERA Services (i.e. providing them with accounts to contact, and be contacted by, the prospective patients/end-users, including via the LUXXERA platform) as specified in Annex A Part 2 (“C2P Processing”).
2.2. LUXXERA may process, transfer and disclose Personal Data as described in its relevant privacy notices, in particular for (i) the delivery of the LUXXERA Services; (ii) administration of the engagement and general correspondence with the Customer and its personnel; (iii) screening of individuals associated with the other party against international sanctioned-parties lists; and (iv) aggregation, de-identification and, where feasible, full anonymisation of Personal Data for benchmarking, market research and data analysis purposes associated with the development of LUXXERA’s products and services. The Customer acknowledges and understands that LUXXERA shall act as an independent Data Controller of any Personal Data which is processed pursuant to this Clause and shall comply with Data Protection Legislation in respect of such processing.
3. Controller Processing Obligations
3.1. Each party agrees for its own part that, to the extent that it processes Personal Data under or in connection with the Terms and this Agreement as a separate independent Data Controller, including in respect of the C2C Processing:
(a) It will observe all applicable requirements of the Data Protection Legislation and this Agreement in relation to its processing of Personal Data;
(b) All Personal Data collected or sourced by it or on its behalf for processing in connection with the Terms and/or this Agreement, or which is otherwise provided or made available to the other party, shall have been collected or otherwise obtained in compliance with Data Protection Legislation, and may be processed, disclosed and transferred as described in or in connection with the Terms and this Agreement;
(c) It shall implement appropriate technical and organisational measures to protect the Personal Data processed under or in connection with the Terms and this Agreement against accidental or unlawful destruction, accidental loss, alteration, unauthorised disclosure or access, and which provide a level of security appropriate to the risk represented by the processing and the nature of the data to be protected;
(d) Both parties will work together in good faith to ensure the information prescribed by the Data Protection Legislation is made available to relevant Data Subjects;
(e) If either party receives any complaint, notice or communication from a Supervisory Authority which relates to the other party’s processing of Personal Data under or in connection with the Terms and this Agreement, or to a potential failure by the other party to comply with the Data Protection Legislation in respect of that Personal Data, that party shall direct the Supervisory Authority to the other party;
(f) If a Data Subject makes a written request to a party to exercise any of their rights in relation to Personal Data that concerns processing by the other party, that party shall direct the Data Subject to the other party;
(g) If either party becomes aware of a Personal Data Breach that requires notification to a Supervisory Authority, it shall notify the other party without undue delay, and each party shall co-operate with the other, to the extent reasonably requested, in relation to any notifications to Supervisory Authorities and/or to affected Data Subjects; and
(h) Annex A Part 1 describes the subject matter, duration, nature and purpose of the processing and the Personal Data categories and Data Subject types in respect of which LUXXERA may process the Personal Data to fulfil the Business Purposes in respect of the C2C Processing.
4. Processor Processing Obligations
4.1. The Customer retains control of the C2P Processing of Personal Data and remains responsible for its compliance obligations under the Data Protection Legislation, including but not limited to, providing any required notices and obtaining any required consents, and for the written processing instructions it gives to LUXXERA, as applicable.
4.2. To the extent that LUXXERA processes Personal Data in the course of providing the LUXXERA Services as a Data Processor, it will:
(a) only process the Personal Data for the purpose of providing the LUXXERA Services or otherwise on the Customer’s written instructions, which may be specific instructions or instructions of a general nature, including in order to comply with its obligations under the Terms;
(b) implement and maintain appropriate technical and organisational measures to protect Personal Data against unauthorised or unlawful processing and accidental loss, destruction, damage, theft or disclosure, having regard to the harm which might result from any unauthorised or unlawful processing, accidental loss, destruction, damage or theft of the Personal Data and to the nature of the Personal Data which is to be protected. Such security measures are further set out in Annex B;
(c) at the Customer’s request and choice, either deliver to the Customer or delete the Personal Data from its systems on termination of the LUXXERA Services, unless LUXXERA is required to retain such copies pursuant to applicable law;
(d) take reasonable steps to ensure that any personnel, agents and/or contractors who process the Personal Data under the Terms for LUXXERA are subject to appropriate contractual or statutory obligations of confidentiality and understand their obligations when handling Personal Data in accordance with this Agreement;
(e) provide reasonable assistance to the Customer to meet its obligations to: (i) respond to requests by Data Subjects exercising their rights under the Data Protection Legislation, (ii) in meeting its legal obligations in relation to the security of processing of Personal Data, (iii) notifying Personal Data breaches to supervisory authorities and Data Subjects upon the specific written request of the Customer in its role as a Data Controller or otherwise as required under applicable law (iv) in undertaking data protection impact assessments and the prior consultation with applicable Supervisory Authorities in relation to high risk processing, as applicable;
(f) notify the Customer without undue delay of any Personal Data breaches and provide information when known as to the source and nature of the data breach, the type of data that was subject to the breach, and the identity of the affected Data Subjects;
(g) maintain adequate records and, on the Customer’s written request, make available such information as the Customer may reasonably request to demonstrate LUXXERA’s compliance with its obligations under this Agreement in relation to the Personal Data processed under the Terms only, and allow for and contribute to audits, including inspections, by the Customer or the Customer’s designated auditor on a minimum of fifteen (15) working days’ written notice, to demonstrate its compliance with Data Protection Legislation and this clause. Such audits shall be conducted at the Customer’s cost, during usual business hours, and shall not be carried out more frequently than once in any twelve (12) month period; and
(h) notify the Customer if, in LUXXERA’s reasonable opinion, the Customer’s instructions in respect of any processing of Personal Data by LUXXERA are unlawful.
4.3. Annex A Part 2 describes the subject matter, duration, nature and purpose of the processing and the Personal Data categories and Data Subject types in respect of which LUXXERA may process the Personal Data to fulfil the Business Purposes in respect of the C2P Processing.
4.4. The Customer hereby (i) specifically authorises the Sub-Processors set out in Annex A to this Agreement, and (ii) generally authorises LUXXERA to engage Sub-processors from time to time to process the Personal Data as part of the provision of the LUXXERA Services.
4.5. LUXXERA shall ensure in each case that it enters into a written contract with the Sub-processor that contains terms substantially the same as those set out in this Agreement, in particular in relation to requiring appropriate technical and organisational data security measures, and shall remain liable to the Customer for that Sub-processor’s performance of its obligations.
4.6. LUXXERA shall provide the Customer with an opportunity to object to the appointment of each new Sub-processor, provided such objection is reasonable, within ten (10) working days after LUXXERA supplies the Customer with full details in writing regarding such Sub-processor, after which the Sub-processor change shall be deemed approved.
5. Transfers of Personal Data
5.1. The parties agree that the Personal Data will not be transferred outside of the United Kingdom or the European Economic Area under this Agreement and/or the Terms unless:
(a) It is to a Third Country that the United Kingdom and/or the EU has recognised as providing adequate protection under Chapter V of the EU GDPR or the UK GDPR as applicable; or
(b) Appropriate Safeguards are in place (e.g. the parties have executed an agreement with the importing third party incorporating the EU Standard Contractual Clauses and, where necessary, the UK IDTA, or the importing party is certified under the Data Privacy Framework); or
(c) The transfer otherwise complies with the Data Protection Legislation.
5.2. In accordance with clause 5.1(b), the parties agree that, where the transfer of Personal Data between the parties is a Restricted Transfer, the following shall apply to the transfer and this Agreement:
(a) Where the EU GDPR applies, and the transfer of Personal Data is from the EEA either directly or via onward transfer, to any country or recipient outside of the EEA not subject to an adequacy determination by the European Commission:
(i) The parties agree that the EU Standard Contractual Clauses shall apply to Restricted Transfers from the EEA. The EU Standard Contractual Clauses shall be deemed entered into (and incorporated into this Agreement by reference) and completed as follows:
(A) Module One (Controller to Controller) shall apply where both parties are Data Controllers, and Modules Two (Controller to Processor) and Four (Processor to Controller) shall apply where the Customer is the Data Controller and LUXXERA is the Data Processor, and shall be completed with the following specifications where relevant to each Module;
(B) In Clause 7 of the EU Standard Contractual Clauses, the optional docking clause will apply;
(C) In Clause 11 of the EU Standard Contractual Clauses, the optional language shall not apply;
(D) In Clause 13(a) of the EU Standard Contractual Clauses, the Supervisory Authority shall be determined by the place of establishment of the data exporter;
(E) In Clause 17 of the EU Standard Contractual Clauses, Option 1 applies and the EU Standard Contractual Clauses shall be governed by Irish law;
(F) In Clause 18(b) of the EU Standard Contractual Clauses, disputes shall be resolved by the courts of Ireland;
(G) Annex I of the EU Standard Contractual Clauses shall be deemed completed with the information set out in Annex A of this Agreement;
(H) Annex II of the EU Standard Contractual Clauses shall be deemed completed with the information and requirements of Annex B of this Agreement.
The frequency of the transfer shall be continuous, as necessary to deliver the Services. Retention shall be determined by the Customer in relation to C2P Processing only, and by each independent Data Controller otherwise, except where such party is required by applicable laws to retain Personal Data in accordance with its record retention schedules and policies, or as otherwise specified in the definition of Personal Data.
(b) Where the UK GDPR applies, and the transfer of Personal Data is from the United Kingdom, either directly or via onward transfer, to any country or recipient outside of the UK not covered by adequacy regulations made pursuant to Section 17A of the United Kingdom Data Protection Act 2018:
(i) The parties agree that, with respect to Restricted Transfers subject to the UK GDPR, the EU Standard Contractual Clauses are hereby incorporated into this Agreement by reference, incorporating the selections made in clause 5.2(a)(i), and shall be deemed amended by the provisions of Part 2 (Mandatory Clauses) of the UK IDTA. The parties confirm that the information required for the purposes of Part 1 (Tables) of the UK IDTA is set out in Annexes A and B of this Agreement, and the EU Standard Contractual Clauses shall be amended as follows:
(A) For the purpose of Module One of the EU Standard Contractual Clauses, where both parties are Data Controllers (data importer and data exporter): Annexes I and II of the EU Standard Contractual Clauses shall be deemed to incorporate respectively the Data Subjects, categories of personal data and processing operations set out in Annex A and in the Terms and this Agreement.
(B) The parties agree that the governing law and choice of forum and jurisdiction shall be that of England and Wales.
(C) The parties agree that Annex I.A will be populated as follows: Data Exporter and Data Importer Contact details: as detailed in this Agreement (each party being both Data Exporter and Data Importer).
(D) The parties agree that Annex I.B of the IDTA shall be completed as described in Annex A of this Agreement.
(E) The parties agree that Annex I.C of the IDTA shall be completed as follows: the competent supervisory authority is the ICO supervisory authority.
(F) The parties agree that Annex II of the IDTA shall be completed as described and agreed between the parties in the Terms and/or this Agreement.
5.3. For the purpose of Modules Two and Four of the EU Standard Contractual Clauses, where LUXXERA acts as Data Processor (data importer): Annexes I and II of the EU Standard Contractual Clauses shall be deemed to incorporate respectively the Data Subjects, categories of personal data and processing operations set out in Annex A and the technical and organisational measures described in Annex B of this Agreement.
5.4. The parties agree that the governing law and choice of forum and jurisdiction shall be that of England and Wales.
5.5. The parties agree that Annex I.A will be populated as follows: with respect to Module Two, the Data Exporter is the Customer and the Data Importer is LUXXERA as Data Processor; with respect to Module Four, the Data Exporter is LUXXERA as Data Processor and the Data Importer is the Customer as Data Controller. Data Exporter and Data Importer contact details: as detailed in this Agreement.
5.6. The parties agree that Annex I.B of the IDTA shall be completed as described in Annex A of this Agreement.
5.7. The parties agree that Annex I.C of the IDTA shall be completed as follows: the competent supervisory authority is the Information Commissioner’s Office (ICO).
5.8. The parties agree that Annex II of the IDTA shall be completed as described and agreed between the parties in the Terms and/or this Agreement.
5.9. The parties agree that Annex III of the IDTA shall be completed with the Authorised Sub-Processors detailed in Annex A of this Agreement.
6. Term and Termination
6.1. This Agreement will remain in full force and effect so long as:
(a) the Terms remain in effect; or
(b) LUXXERA retains any of the Personal Data related to the Terms in its possession or control.
7. Liability
7.1. Liability for breach of this Agreement shall be subject to the relevant clauses of the Terms.
8. General
8.1. Any provision of this Agreement that expressly or by implication should come into or continue in force on or after termination of the Terms in order to protect the Personal Data will remain in full force and effect.
8.2. If a change in any Data Protection Legislation prevents either party from fulfilling all or part of its obligations under the Terms, the parties may agree to suspend the processing of the Personal Data until that processing complies with the new requirements. If the parties are unable to bring the processing of Personal Data into compliance with the Data Protection Legislation within sixty (60) days, either party may terminate the Terms on not less than thirty (30) working days’ written notice to the other party.
8.3. Any notice or other communication given to a party under or in connection with this Agreement shall comply with the relevant terms of the Terms.
9. Precedence
9.1. If there is an inconsistency between any of the provisions of this Agreement and the provisions of the Terms, the provisions of this Agreement shall prevail.
10. Variation
10.1. LUXXERA may update the terms of this Agreement at any time upon notice to the Customer in accordance with clause 11. The Customer’s continued use of the Services following deemed receipt of this notice will constitute acceptance of the terms of this Agreement, as varied.
10.2. If the Customer does not wish to accept the terms of this Agreement, as varied, it acknowledges and accepts that it will immediately cease use and access of the Services on deemed receipt of the notice provided under clause 10.1.
11. Notices
11.1. Any notice or communication required or permitted under this Agreement shall be sent by e-mail to [email protected].
12. Third Party Rights
12.1. This Agreement does not confer any rights on any person or party (other than the parties to this agreement and, where applicable, their successors and permitted assigns) pursuant to the Contracts (Rights of Third Parties) Act 1999.
13. Governing Law
13.1. This Agreement and any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with it or its subject matter or formation shall be governed by and construed in accordance with the law of England and Wales.
14. Jurisdiction
14.1. Each party irrevocably agrees that the courts of England and Wales shall have exclusive jurisdiction to settle any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with this Agreement or its subject matter or formation.
ANNEX A: Personal Data Processing Purposes and Details
Part 1: C2C Processing
Subject Matter of Processing: provision of the Personal Data of the end-users of the LUXXERA Services (i.e. the prospective patients/end-users) under the Terms and this Agreement.
Duration of Processing: the duration of the Terms and this Agreement.
Nature of Processing: collecting, displaying, using, transferring, analysing, contacting, publishing and/or presenting the Personal Data as part of the delivery of the Services.
Business Purposes: provision of the Personal Data by LUXXERA to the Customer pursuant to the Terms and this Agreement.
Personal Data Categories (including Special Category Data):
● Identity and contact information including first name, last name, username or similar identifier, email addresses, profile pictures, date of birth, location (including future flight details), gender, language information;
● Ticket information, any information provided to Customer via messenger;
● Payment information; and
● Health data including details of chronic conditions, allergies, medications, images (headshots, facial, mouth), emergency contact details, follow-ups including photo verification, ticket, appointment, invoices and platform messages information.
Data Subject Types: end-users, prospective patients.
Part 2: C2P Processing
Subject Matter of Processing: provision of the Personal Data of the end-users of the LUXXERA Services (i.e. the personnel nominated by the Customer to have accounts to use the LUXXERA Services and be contacted by the prospective patients/end-users) under the Terms and this Agreement.
Duration of Processing: the duration of the Terms and this Agreement.
Nature of Processing: collecting, displaying, using, transferring, analysing, contacting, publishing and/or presenting the Personal Data as part of the delivery of the Services.
Business Purposes: provision of the Personal Data by the Customer to LUXXERA (and in return) as part of the delivery and use of the Services pursuant to the Terms and this Agreement.
Personal Data Categories (including Special Category Data):
● Identity data: (including first name, surname, username or similar identifier, title, date of birth, email address, profile picture, gender, location); and
● IP address.
Data Subject Types: Customer personnel who are to have accounts and/or use the LUXXERA Services.
Approved Sub-processors:
ANNEX B: Security measures
Description of the technical and organisational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.
- Personal data is logically separated by user and role.
- Secrets, API keys, and credentials are stored using secure environment-level configuration and are never hard-coded into source code repositories.
- Role-based access control (RBAC) is used to restrict access to Personal Data.
- Strict separation is maintained between development, staging, and production environments.
- Dependencies and infrastructure are monitored for vulnerabilities, and updates are applied in a timely manner.
- Secure authentication mechanisms are implemented for all users, including strong password requirements and support for third-party identity providers where applicable.
- Session management and token-based authentication are used to prevent unauthorized access.
- All data transmitted between clients, servers and third-party services is encrypted in transit using HTTPS/TLS.
- Media and document uploads are stored in secured object storage with restricted access policies.
- Messaging uses Stream, which is SOC 2, ISO 27001, HIPAA and GDPR compliant.
