Data Processing Addendum
1. Structure
This Data Processing Addendum ("DPA") is subject to and forms part of the Agreement between True Medicine, Inc. ("True Medicine, Inc." or "Company") and the applicable Merchant, and governs True Medicine, Inc.'s Processing of Personal Data. In the event of a conflict between this DPA and True Medicine, Inc.'s Terms, this DPA shall control. Terms used but not defined in this DPA have the meanings ascribed to them in the Agreement.
2. True Medicine, Inc. as a Data Processor, Data Controller, and Business Associate
2.1 Data Processing Roles
| Role | Description |
|---|---|
| True Medicine, Inc. as a Processor | When True Medicine, Inc. Processes Personal Data as a Data Processor, it is acting as a Data Processor on behalf of the Merchant, acting as the Data Controller. |
| True Medicine, Inc. as a Controller | When True Medicine, Inc. Processes Personal Data as a Data Controller, it has the sole and exclusive authority to determine the purposes and means of Processing Personal Data it receives from or through the Merchant or the applicable End User. |
| True Medicine, Inc. as a Business Associate | When True Medicine, Inc. Processes personal data that is Protected Health Information as a Business Associate, it is acting as a HIPAA business associate to one or more Telehealth Partners in their capacity as a HIPAA covered entity. |
2.2 Data Processing Purposes
| Role | Purposes |
|---|---|
| True Medicine, Inc. as a Processor | The purposes of True Medicine, Inc.'s Processing of Personal Data in its capacity as a Data Processor are to: |
| True Medicine, Inc. as a Controller | The purposes of True Medicine, Inc.'s Processing of Personal Data in its capacity as a Data Controller when providing True Medicine, Inc.'s Services are to: |
| True Medicine, Inc. as a Business Associate | The purposes of True Medicine, Inc.'s Processing of Protected Health Information in its capacity as a Business Associate are to: |
2.3 Categories of Data Subjects and Personal Data
| Category | Description |
|---|---|
| True Medicine, Inc. as a Processor and as a Controller | True Medicine, Inc. may Process the Personal Data of End Users, Merchant representatives, and any natural person who accesses or uses the True Medicine, Inc. Services. |
| True Medicine, Inc. as a Business Associate | True Medicine, Inc. may Process the Protected Health Information of End Users for and on behalf of True Medicine, Inc.'s Telehealth Partner(s). |
| Personal Data | If applicable, True Medicine, Inc. may Process payment account details, billing/shipping address, name, order description (including date, time, amount, product or service description), device ID, email address, IP address/location, order ID, payment card details, tax ID/status, unique customer identifier, and identity information. |
| Sensitive Data | True Medicine, Inc. may Process Protected Health Information and other Sensitive Data, including information about End Users' health, medical history, and family history, provided by End Users to True Medicine, Inc., including for and on behalf of True Medicine, Inc.'s Telehealth Partner(s). |
3. True Medicine, Inc. Obligations when Acting as a Data Processor
3.1 Obligations
When True Medicine, Inc. is acting as a Data Processor for a Merchant, True Medicine, Inc. will:
- process Personal Data on Merchant's behalf and according to its Instructions. True Medicine, Inc. will inform Merchant if, in its opinion, Merchant's Instructions violate or infringe Applicable Data Protection Laws;
- ensure that all persons True Medicine, Inc. authorizes to Process Personal Data are granted access to Personal Data on a need-to-know basis and are committed to respecting the confidentiality of that Personal Data;
- to the extent required by Applicable Data Protection Laws, inform Merchant of each request True Medicine, Inc. receives from Data Subjects (including "verifiable consumer requests" as defined under the CCPA) exercising their rights under Applicable Data Protection Laws to (i) access (e.g., right to know under the CCPA) their Personal Data; (ii) have their Personal Data corrected or erased; (iii) restrict or object to True Medicine, Inc.'s Processing; or (iv) data portability (collectively "Data Subject Request"). Other than to request further information, identify the Data Subject, and, if applicable, direct the Data Subject to the Merchant as Data Controller, True Medicine, Inc. will not respond to these requests unless it is instructed in writing to do so by the applicable Merchant. Taking into account the nature of the Processing, True Medicine, Inc. will assist Merchant by appropriate technical and organizational measures, insofar as this is possible, to enable Merchant to meet its obligations to respond to a Data Subject Request;
- to the extent required by Applicable Data Protection Laws, inform Merchant of each law enforcement request True Medicine, Inc. receives from a Governmental Authority requiring True Medicine, Inc. to disclose Personal Data or participate in an investigation requiring True Medicine, Inc. to disclose Personal Data, unless prohibited by Applicable Laws;
- implement and maintain a written information security program to implement the Data Security Measures;
- if True Medicine, Inc. experiences a Data Breach, notify Merchant without undue delay, in each case after becoming aware of the Data Breach. To the extent known to True Medicine, Inc., True Medicine, Inc.'s notification will describe in reasonable detail (i) the type of Personal Data that was the subject of the Data Breach, (ii) the categories and potential number of individuals or records affected (including their countries), and (iii) the status of True Medicine, Inc.'s investigation and current or planned remediation. Following the notification, True Medicine, Inc. will provide relevant updates to assist Merchant in complying with its obligations under Applicable Data Protection Laws;
- to the extent required by Applicable Data Protection Laws and following a written request from Merchant, contribute to audits or inspections by making available audit reports. Following this request, and no more frequently than once annually, True Medicine, Inc. will promptly provide documentation or complete a written data security questionnaire of reasonable scope and duration regarding True Medicine, Inc.'s Processing of Personal Data. All reports and documentation provided, including any response to a security questionnaire, are True Medicine, Inc.'s confidential information; and
- at Merchant's choice, delete or return all Personal Data Processed in connection with the Services, and delete existing copies, following termination of the Agreement, except that True Medicine, Inc. will not be required to delete or return that Personal Data, or delete existing copies, to the extent that True Medicine, Inc.'s storage of that Personal Data or those copies is (i) required by True Medicine, Inc. to exercise its rights and perform its obligations under this Agreement; or (ii) required or authorized by Applicable Data Protection Laws for a longer period.
3.2 Sub-processors
True Medicine, Inc. engages Sub-processors as necessary to perform the Services. Merchant consents to True Medicine, Inc.'s use of its existing Sub-processors and grants True Medicine, Inc. a general written authorization to engage Sub-processors as necessary to perform the Services. Merchant acknowledges that True Medicine, Inc.'s Sub-processors are essential to provide the Services and that if Merchant objects to True Medicine, Inc.'s use of a Sub-processor, then notwithstanding anything to the contrary in the Agreement (including this DPA), True Medicine, Inc. will not be obligated to provide Services for which True Medicine, Inc. uses that Sub-processor.
True Medicine, Inc. will enter into a written agreement with each Sub-processor that imposes on that Sub-processor obligations comparable to those imposed on True Medicine, Inc. under this DPA, including the obligation to implement appropriate Data Security Measures. If a Sub-processor fails to fulfill its data protection obligations under that agreement, True Medicine, Inc. will remain liable for the acts and omissions of its Sub-processor to the same extent True Medicine, Inc. would be liable if performing the relevant Services directly under this DPA.
3.3 CCPA
If the CCPA applies and True Medicine, Inc. is acting as a Data Processor, True Medicine, Inc. will not: (a) sell or share (as defined under the CCPA) Personal Data; (b) retain, use or disclose Personal Data outside of its direct business relationship with Merchant other than to provide True Medicine, Inc.'s Services and as required to comply with Applicable Laws; and (c) combine Personal Data received from Merchant with Personal Data received from or on behalf of an individual or collected from True Medicine, Inc.'s own interactions with the individual, except to provide True Medicine, Inc.'s Services and as permitted by Applicable Laws. True Medicine, Inc. certifies that it understands and will comply with the requirements in this DPA relating to the CCPA and will provide the same level of privacy protection to Personal Data as required by the CCPA. True Medicine, Inc. will inform Merchant if it determines that it can no longer meet its obligations under the CCPA and will take reasonable and appropriate steps to remediate any unauthorized Processing of Personal Data.
3.4 Disclaimer of Liability
Notwithstanding anything to the contrary in the Agreement, including this DPA, True Medicine, Inc. will not be liable for any claim made by a Data Subject related to True Medicine, Inc.'s acts or omissions, to the extent that such a claim arises from Merchant's breach of Applicable Laws, negligence, or intentional misconduct.
4. Merchant's Obligations as a Data Controller
Merchant acknowledges and agrees that it shall:
- only provide Instructions to True Medicine, Inc. that are lawful;
- comply with and perform its obligations under Applicable Data Protection Law, including with regard to Data Subject rights, data security and confidentiality, and ensure it has an appropriate legal basis for the Processing of Personal Data as described in the Agreement, including this DPA; and
- provide Data Subjects with all necessary information (including by means of offering a transparent and easily accessible public privacy notice) and, where required by Applicable Data Protection Law, obtain all necessary consents, regarding its and True Medicine, Inc.'s Processing of Personal Data for the purposes described in the Agreement, including this DPA.
5. True Medicine, Inc.'s Obligations as a Data Controller
True Medicine, Inc. shall comply with and perform its obligations under Applicable Data Protection Laws when Processing Personal Data.
6. Definitions
Capitalized terms used but not defined in this DPA have the meanings ascribed to them in the Terms or an Order Form.
"Applicable Data Protection Law" means Applicable Laws that apply to Personal Data Processing under the Agreement and this DPA, including federal, state, and local Applicable Laws relating in any way to privacy, data protection or data security.
"Business Associate" has the meaning ascribed to it in HIPAA.
"CCPA" means California Consumer Privacy Act of 2018, Cal. Civ. Code Sections 1798.100-1798.199, and its implementing regulations.
"Covered Entity" has the meaning ascribed to it in HIPAA.
"Data Controller" means the entity which, alone or jointly with others, determines the purposes and means of Processing Personal Data, which may include, as applicable, a "Business" as defined under the CCPA.
"Data Breach" means an unauthorized or unlawful Processing, use, access, loss, disclosure, destruction or alteration of Personal Data in a party's, or a party's subcontractor's, agent's or representative's, possession or control.
"Data Processor" means the entity that Processes Personal Data on behalf of the Data Controller, which may include, as applicable, a "Service Provider" as defined under the CCPA.
"Data Security Measures" means physical, technical, and organizational measures that are intended to secure Personal Data to a level of security appropriate for the risk of the Processing, including without limitation measures regarding user authentication; vulnerability, patch, and configuration management; application security; and encryption.
"HIPAA" means the Health Insurance Portability and Accessibility Act of 1996, the Health Information Technology for Economic and Clinical Health Act of 2009, as each have been and may be amended from time to time, and their respective implementing rules and regulations.
"Instructions" means any communication or documentation, including that which may be provided through a True Medicine, Inc. API or written agreements between you and True Medicine, Inc. through which the Data Controller instructs a Data Processor to perform specific Processing of Personal Data for that Data Controller.
"Personal Data" means any information relating to an identifiable natural person that is Processed in connection with the Services, and includes "personal information" as defined under the CCPA, but excludes Protected Health Information.
"Process" means to perform any operation or set of operations on Personal Data or sets of Personal Data, such as collecting, recording, organizing, structuring, storing, adapting or altering, retrieving, consulting, using, disclosing by transmission, disseminating or otherwise making available, aligning or combining, restricting, erasing or destroying, as described under Applicable Data Protection Laws.
"Protected Health Information" has the meaning ascribed to it by HIPAA.
"Sensitive Data" means sensitive personal data to the extent treated distinctly as a special category of Personal Data under Applicable Data Protection Laws, such as "sensitive personal information" as defined under the CCPA, but excludes Protected Health Information.
"Sub-processor" means an entity a Data Processor engages to Process Personal Data on that Data Processor's behalf in connection with the Services.