Data Processing Addendum

This Data Processing Addendum ("Addendum") reflects the parties’ agreement specifically as it relates to the collection, usage, and sharing of Personal Information (as defined below) provided to Cadwell Industries, Inc. (herein “Processor”) by Licensee (herein “Controller”) or collected, used, shared, or processed by Processor at Controller’s instruction, in accordance with and pursuant to Applicable Privacy Laws (as defined below).  Unless otherwise noted, in the event of any conflict between the terms of this Addendum and the terms of the Agreement, the terms of this Addendum prevail.  Capitalized terms not defined herein are defined as set forth in the Agreement.

1.     Definitions


1.1.         “Applicable Data Protection Laws” means all laws and regulations applicable to the Processing of Personal Information under this Addendum, including, without limitation, the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act of 2020 (the “CCPA”), the Virginia Consumer Data Protection Act, the Colorado Privacy Act, the Texas Data Privacy and Security Act, and all other enacted U.S. State privacy laws.


1.2.         "Authorized Persons" means persons authorized by Processor to access Personal Information, including Processor employees, contractors, agents, subcontractors, and Sub-Processors.


1.3.         “Consumer” means any natural person who is a resident of a U.S. state with an enacted privacy law.


1.4.         "Consumer Request" means any request by a Consumer to exercise rights under Applicable Data Protection Laws, such as access, correction, deletion, or portability.


1.5.         “Controller” means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Information.  For the purposes of U.S. state privacy laws, “Controller” shall include a “Business” as defined by the CCPA.


1.6.         “Personal Information” means, for purposes of this Addendum, any personal information or data, as defined in the Applicable Data Protection Laws, which is collected, stored, accessed, or otherwise Processed by Processor for Controller.


1.7.         "Process" or "Processing" means any operation performed on Personal Information, such as collection, use, storage, disclosure, erasure, or destruction.


1.8.         “Processor” means the natural or legal person, public authority, agency, or other body which Processes Personal Information on behalf of the Controller.  For the purposes of U.S. state privacy laws, “Processor” shall include a “Service Provider” or “Contractor” as defined by the CCPA.


1.9.         “Regulator” means any governmental authority, department, or agency that has the jurisdiction to enforce compliance with Applicable Data Privacy Laws, including but not limited to the California Attorney General’s Office, the California Privacy Protection Agency, and other relevant data protection authorities in the EEA.


1.10.      “Sensitive Data” means Personal Information that reveals a Consumer’s past, present, or future physical or mental health status, condition, or diagnosis.


1.11.      “Services” means those certain services and obligations of Processor under the Agreement.


1.12.      "Sub-Processor" means any third party engaged by Processor to Process Personal Information.


2.     Purpose and Scope.   This Addendum governs Processor’s Processing of Personal Information provided or made accessible by Controller in connection with the Agreement.  The specific details of the Processing operations, including the subject matter, nature, purpose, categories of Consumers, and types of Personal Information, are set forth in Annex 1 (Description of Processing), which is incorporated herein by reference.


3.      Roles of the Parties.


3.1.         Controller Role.  Controller determines the purposes and means of Processing of Personal Information.  Controller represents and warrants that it has a valid legal basis under the Applicable Data Protection Laws for the Processing of Personal Information by Processor, including having obtained any necessary consents.


3.2.         Processor Role.  Processor will Process Personal Information solely in accordance with Controller’s documented instructions, and will not retain, use, or disclose Personal Information except as permitted by this Addendum or Applicable Data Protection Laws. 


4.     Processing Instructions


4.1.         Processor will comply with all obligations applicable to it as a “Processor”, “Service Provider”, or “Contractor” under Applicable Data Protection Laws and shall provide the level of privacy protection as is required by such laws.  Further, Processor will provide the same level of privacy protection as is required of the Controller.


4.2.         Processor will process Personal Information on behalf of Controller in accordance with Applicable Data Protection Laws and only for the following business purposes: (i) performing Services on behalf of Controller as described in the Agreement; (ii) in accordance with Controller’s documented instructions; and (iii) as required by Applicable Data Protection Laws.


4.3.         Processor is prohibited from: (i) selling or "sharing" (for cross-context behavioral advertising) Personal Information; (ii) retaining, using, or disclosing Personal Information for any purpose other than for the specific business purposes of performing the Services as defined in the Agreement; (iii) processing Personal Information outside the direct business relationship between Processor and Controller; and (iv) combining Personal Information received from Controller with Personal Information received from other sources, except as permitted by Applicable Data Protection Laws.


4.4.         Processor shall not process Sensitive Data for any purpose other than those strictly necessary to provide the Services.


4.5.         Processor shall provide reasonable assistance to Controller, taking into account the nature of the processing and the information available to Processor, for: (i) fulfilling Controller’s obligation to respond to Consumer requests to exercise their rights (e.g., access, deletion, correction, and opt-outs); (ii) meeting obligations regarding the security of processing and notification of Personal Information Breaches; and (iii) providing necessary information to assist Controller in conducting and documenting "Data Protection Impact Assessments" or "Data Protection Assessments" where required.


4.6.         Processor will retain Personal Information only for as long as necessary to fulfill the purposes of the Agreement.  Upon termination or expiration of the Agreement, Processor will securely delete all Personal Information unless retention is required by Applicable Data Protection Laws.


5.     Personal Information Location.  Processor will host and Process Personal Information exclusively within the U.S. 


6.     Confidentiality and Security.


6.1.         Processor will ensure that Authorized Persons are bound by appropriate confidentiality obligations no less stringent than those contained herein.


6.2.         Processor will implement and maintain industry standard technical and organizational security measures to protect Personal Information against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, consistent with Applicable Data Protection Laws.


7.     Sub-Processors.


7.1.         Controller hereby grants Processor a general authorization to engage Sub-Processors, including the Sub-Processors listed in Annex 1.


7.2.         Where Processor engages a Sub-Processor, Processor shall enter into a written agreement with such Sub-Processor imposing data protection obligations no less protective than those set out in this Addendum.  Processor is liable for the acts and omissions of its Sub-Processors.   The subject matter, nature and duration of the Processing activities carried out by the Sub-Processor(s) will not exceed the subject matter, nature and duration of the Processing activities as described in this Addendum.


7.3.         Processor shall inform Controller in advance of any intended changes concerning the addition or replacement of Sub-Processors, thereby giving Controller the opportunity to object to such changes within a reasonable period.


8.     Consumer Requests.  Processor will notify Controller without undue delay, and in any event within 72 hours, of any Consumer Request regarding data Processed by Processor.  Processor will not respond directly to such requests without Controller’s prior written approval unless required by law.  Processor will support the Controller in responding to such requests and provide reasonable assistance in fulfilling Consumer Requests (e.g., access, deletion) and complying with legal obligations.


9.     Personal Information Breach.  Processor will notify Controller without undue delay, and in any event within 72 hours, after becoming aware of a Personal Information breach, provide detailed information about the Personal Information breach, and cooperate in mitigation efforts.


10.  Audit Rights


10.1.      Controller may audit Processor’s compliance with this Addendum once per year or as required by Applicable Data Protection Laws, either by itself or through an independent third-party auditor.  Controller shall first exercise its audit right by reviewing Processor’s most recent SOC2 Type II report, ISO 27001 certification, or self-assessment.  A physical or third-party audit shall only be permitted if such reports do not provide sufficient information to demonstrate compliance.  In such instance, the audit will be performed upon reasonable notice and during regular business hours.


10.2.      Compliance, Verification, and Cure.  Processor shall make available to Controller all information necessary to demonstrate compliance with the obligations in this Addendum.  Controller shall have the right, upon notice, to take reasonable and appropriate steps to stop and remediate any unauthorized use of Personal Information.


11.  Term and Termination.  This Addendum will survive termination of the Agreement. 


12.  Governing Law.  This Addendum shall be governed by the laws of the State of Washington, provided that privacy obligations shall be consistent with the law of the applicable State.


Annex 1

Description of Processing

1. Subject Matter and Duration

The subject matter of the Processing is the provision of technical support and fleet management services for medical device workstations as defined in the Agreement.  The Processing will continue for the duration of the Agreement plus a 30-day post-termination period for data retrieval.

2. Nature and Purpose of Processing

Processor will collect and analyze system-level data to:

·         Detect, diagnose, and solve technical problems remotely.

·         Monitor device health, disk integrity, and driver stability.

·         Verify software license compliance and perform automated Agent updates.

3. Categories of Data Subjects

The Processing may incidentally affect the following groups:

·         Clinicians and hospital staff whose identity is inadvertently captured in application logs or crash dumps.

·         Patients whose identifying information is inadvertently captured in application logs or crash dumps.

4. Categories of Personal Information

The following types of data are processed:

·         Hardware/System Metadata: PC specifications, OS version, disk health, and IP addresses.

·         Application Logs: Performance data, application access, error codes, and driver versions.

·         Troubleshooting Data: Crash dumps (set to auto-delete after 30 days) and license verification data.

·         User Identifiers: Login IDs or names of clinicians recorded in system event logs.

5. Special Categories of Data / Sensitive Data.

While the Services are not a repository for personal health information, Processor may Process Sensitive Data that may be inadvertently included in error logs or system crash dumps provided by the Controller.   Processor will not process Sensitive Data for any other purpose.

6. Sub-Processor(s).

Microsoft Azure