Last revised: November 12th, 2021
1. Privacy Practices
2. Services Provided – No Medical Care or Advice by Kindbody
We offer an online education and communication platform for Providers and their patients to connect via the Site through the use of general health and wellness information, synchronous and asynchronous telecommunications and other electronic medical record technologies.
Kindbody does not provide medical advice or care. Kindbody contracts with Kindbody Medical Practice, an independent, physician-owned medical group with a network of United States based Providers who provide clinical telehealth services. Kindbody Medical Practice Providers deliver clinical services and may communicate with their patients via the Kindbody platform. Providers are independently contracted or employed by Kindbody Medical Practice. Providers are not contracted or employed by Kindbody. The Providers, and not Kindbody, are responsible for the quality and appropriateness of the care they render to you.
The Providers are independent of Kindbody and are merely using the Site as a way to provide educational information and/or communicate with you. Any information or advice received from a Provider comes from them alone, and not from Kindbody. Your interactions with the Providers via the Site are not intended to take the place of your relationship with your regular health care practitioners or primary care physician. Neither Kindbody, nor any of its subsidiaries or affiliates or any third party who may promote the Site or Service or provide a link to the Service, shall be liable for any professional advice obtained from a Provider via the Site or Service, nor any information obtained on the Site. Kindbody does not recommend or endorse any specific Providers, tests, physicians, medications, products, or procedures. You acknowledge that your reliance on any Providers or information delivered by the Providers via the Site or Service is solely at your own risk and you assume full responsibility for all risks associated herewith.
Kindbody does not make any representations or warranties about the training or skill of any Providers who deliver services via the Site or Service. You will be provided with available Providers based solely on the information you submit to the Site. You are ultimately responsible for choosing your particular Provider.
The content of the Site and the Services, including without limitation, text, copy, audio, video, photographs, illustrations, graphics and other visuals, is for informational purposes only and does not constitute professional medical advice, diagnosis, treatment, or recommendations of any kind by Kindbody. You should always seek the advice of your qualified health care professionals with any questions or concerns you may have regarding your individual needs and any medical conditions. All information provided by Kindbody, or in connection with any communications supported by Kindbody, is intended to be for general information purposes only, and is in no way intended to create a provider-patient relationship as defined by state or federal law. While Kindbody may facilitate your selection of, and communications with, Providers, Kindbody does not provide medical services, and the doctor-patient relationship is between you and the Kindbody Medical Practice Provider you select.
Not for Emergencies
IF YOU ARE EXPERIENCING A MEDICAL EMERGENCY, YOU SHOULD DIAL “911” IMMEDIATELY.
Kindbody’s Site and Services are not for medical emergencies or urgent situations. You should not disregard medical advice or delay seeking it based on anything that appears or does not appear on the Site. If you believe you have an emergency, call 9-1-1 immediately. You should seek emergency help or follow up care when recommended by a Provider or when otherwise needed. You should continue to consult with your primary provider and other healthcare professionals as recommended. Always seek the advice of a physician or other qualified healthcare provider concerning questions you have regarding a medical condition and before stopping, starting, or modifying any treatment or modification.
Risks of Telehealth Services
By using the telehealth offering of our Services, you acknowledge the potential risks associated with telehealth services. These include but are not limited to the following: information transmitted may not be sufficient (e.g. poor resolution of images) to allow for appropriate medical or health care decision making by the Provider; delays in evaluation or treatment could occur due to failures of electronic equipment; a lack of access to your medical records may result in adverse drug interactions or allergic reactions or other judgment errors; although the electronic systems we use incorporate network and software security protocols to protect the privacy and security of health information, those protocols could fail causing a breach of privacy of your health information.
3. Availability of Services
Kindbody and Kindbody Medical Practice operate subject to state and federal regulations, and the Services may not be available in your state. You represent that you are not a person barred from enrolling for and/or receiving the Services under the laws of the United States or other applicable jurisdictions in which you may be located. Access to and use of the Site and/or the Services is limited exclusively to users located in States within the United States where the Services are available. Services are not available to users located outside the United States. Accessing the Site or Services from jurisdictions where content is illegal, or where we do not offer Services, is prohibited.
4. Payment Services For Subscribing Practitioners
Payment processing services for Providers on the Site are provided by Stripe, Inc. and are subject to the Stripe Connected Account Agreement, which includes the Stripe Terms of Service (collectively, the “Stripe Services Agreement”). By agreeing to these terms or continuing to operate as a Subscribing Practitioner on the Site, you agree to be bound by the Stripe Services Agreement, as the same may be modified by Stripe from time to time. As a condition of the Site enabling payment processing services through Stripe, you agree to provide the Site accurate and complete information about you and your business, and you authorize the Site to share it and transaction information related to your use of the payment processing services provided by Stripe.
- Typographical Errors and Incorrect Pricing. In the event a Product or Service is listed at an incorrect price due to typographical error or error in pricing information received from a third party, we shall have the right to refuse or cancel any purchase placed for the Service(s) listed at the incorrect price. We shall have the right to refuse or cancel any such purchase order whether or not the purchase has been confirmed and your credit or debit card charged. If your credit or debit card has already been charged for the purchase and your purchase order is canceled, we will promptly issue a credit to your credit or debit card account in the amount of the charge.
- Eligibility; Site Access, Security and Restrictions; Passwords
In order to access the Site and the Services, you represent and warrant that you are older than 18 years old. You agree to fully, accurately, and truthfully create your Kindbody Account (“Account”), including but not limited to your name, mailing address, phone number, email address, and password, which become your Kindbody ID and credentials. The Kindbody ID and/or credentials are personal to you, and you are solely responsible for maintaining the confidentiality of your Kindbody ID and/or credentials, and for all activities that occur under such Kindbody ID and/or credentials. You agree to prohibit anyone else from using your Kindbody ID and/or credentials and agree to immediately notify Kindbody of any actual or suspected unauthorized use of your Kindbody ID and/or credentials or other security concerns of which you become aware. Your access to the Site may be revoked by Kindbody at any time with or without cause.
You may not use any scraper, crawler, spider, robot or other automated means of any kind to access or copy data on the Site, deep-link to any feature or content on the Site, bypass our robot exclusion headers or other measures we may use to prevent or restrict access to the Site. Violations of system or network security may result in civil or criminal liability. Kindbody will investigate occurrences that may involve such violations and may involve, and cooperate with, law enforcement authorities in prosecuting users who are involved in such violations. You agree not to use any device, software or routine to interfere or attempt to interfere with the proper working of this Site or any activity being conducted on this Site.
5. Electronic Communications
When you use the Site or Services, or send e-mails, messages, and other communications from your desktop or mobile device to us, you are communicating with us electronically. You consent to receive communications from us electronically. You agree that (a) all agreements and consents can be signed electronically and (b) all notices, disclosures, and other communications that we provide to you electronically satisfy any legal requirement that such notices and other communications be in writing. Kindbody and Kindbody Medical Practice may contact you by telephone, mail, or email to verify your account information. Kindbody and Kindbody Medical Practice may request further information from you and you agree to provide such further information to ensure that you have not fraudulently created your Account. If you do not provide this information in the manner requested within 14 days of the request, we reserve the right to suspend, discontinue, or deny your access to and use of the Site and the Services until you provide the information to us as requested.
5. Consent to Receive Calls and Text Messages
By providing your mobile number, you are agreeing to be contacted by or on behalf of Kindbody and Kindbody Medical Practice at the mobile number you have provided, including calls and text messages, to receive informational, Product or Service related (e.g., progress tracking, refill reminders, checkup reminders, etc.) and marketing communications relating to the Site and Services. Message and data rates may apply. For help, text the word HELP to (833) 745-3377. To stop receiving text messages, text the word STOP to (833) 745-3377. We may confirm your opt out by text message. If you subscribe to multiple types of text messages from us, we may unsubscribe you from the service that most recently sent you a message and/or respond to your STOP message by texting you a request to identify services you wish to stop. Keep in mind that if you stop receiving text messages from us you may not receive important and helpful information and reminders about your progress and treatment.
6. Ownership Of The Site And Related Materials; Additional Restrictions
All pages within this Site and any material made available for download are the property of Kindbody, or its licensors or suppliers, as applicable. The Site is protected by United States and international copyright and trademark laws.
7. No Users Under 18 Years Old
The Site and Services are only for users of the age of 18. If you are under the age of 18, please do not attempt to register with us at this Site or provide any personal information about yourself to us. If we learn that we have collected personal information from someone under the age of 18, we will promptly delete that information. If you believe we have collected personal information from someone under the age of 18, please email us at email@example.com.
8. Accuracy of Information; Functionality
Although Kindbody attempts to ensure the integrity and accurateness of the Site and Product descriptions, it makes no representations, warranties or guarantees whatsoever as to the correctness or accuracy of the Site, Product descriptions and other content on the Site. It is possible that the Site could include typographical errors, inaccuracies or other errors, and that unauthorized additions, deletions and alterations could be made to the Site by third parties. In the event that an inaccuracy arises, please inform Kindbody so that it can be corrected. If a Product described on our Site is not as described when you receive it, or the packaging on the Site does not match the product you receive, your sole remedy is to return it to us in unused and undamaged condition. Information contained on the Site may be changed or updated without notice. Additionally, Kindbody shall have no responsibility or liability for information or content posted to the Site from any non-Kindbody affiliated third party.
Kindbody and Kindbody Medical Practice each reserves complete and sole discretion with respect to the operation of the Site and the Services. We may withdraw, suspend, or discontinue any functionality or feature of the Site or the Services among other things. We are not responsible for transmission errors, corruption, or compromise of information carried over local or interchange telecommunications carrier. We are not responsible for maintaining information arising from use of the Site or with respect to the Services. We reserve the right to maintain, delete, or destroy all communications or information posted or uploaded to the Site or the Services in accordance with our internal record retention and/or destruction policies.
9. Links to Other Sites
Kindbody makes no representations whatsoever about any other website that you may access through this Site. When you access a non-Kindbody site, please understand that it is independent from Kindbody, and that Kindbody has no control over the content on that website. In addition, a link to a non-Kindbody website does not mean that Kindbody endorses or accepts any responsibility for the content, or the use, of the linked site. It is up to you to take precautions to ensure that whatever you select for your use or download is free of such items as viruses, worms, Trojan horses, and other items of a destructive nature. If you decide to access any of the third party sites linked to this Site, you do this entirely at your own risk.
10. User Information
If you submit, upload, post or transmit any health information, medical history, conditions, problems, symptoms, personal information, consent forms, agreements, requests, comments, ideas, suggestions, information, files, videos, images or other materials to us or our Site (“User Information”), you agree not to provide any User Information that (1) is false, inaccurate, defamatory, abusive, libelous, unlawful, obscene, threatening, harassing, fraudulent, pornographic, or harmful, or that could encourage criminal or unethical behavior, (2) violates or infringes the privacy, copyright, trademark, trade dress, trade secrets or intellectual property rights of any person or entity, or (3) contains or transmits a virus or any other harmful component. You agree not to contact other site users through unsolicited e-mail, telephone calls, mailings or any other method of communication. You represent and warrant to Kindbody and Kindbody Medical Practice that you have the legal right and authorization to provide all User Information to Kindbody and Kindbody Medical Practice for use as set forth herein and required by Kindbody and the Kindbody Medical Practice Provider.
You agree not to (i) access the Site or use the Services in any unlawful way or for any unlawful purpose; (ii) post or transmit (a) a message under a false name, or (b) any data, materials, content, or information (including, without limitation, advice, and recommendations) (collectively “Information”) which is (1) libelous, defamatory, obscene, fraudulent, false, or contrary to the ownership or intellectual property rights of any other person, or (2) contains or promotes any virus, worm, Trojan horse, time bomb, malware, or other computer programming or code that is designed or intended to damage, destroy, intercept, download, interfere, manipulate, or otherwise interrupt or expropriate the Site or the Services, personal information, software, equipment, servers, or Information or facilitate or promote hacking or similar conduct; (iii) impersonate or misrepresent your identity or falsely state or misrepresent your affiliation with a person or entity; (iv) tamper, hack, spoof, copy, modify, or otherwise corrupt the administration, security, or proper function of the Site or the Services; (v) use robots or scripts with the Site; (vi) attempt to reverse engineer, reverse assemble, reverse compile, decompile, disassemble, translate, or otherwise alter, defraud, or create false results from any executable code, information on, or received by this Site; (vii) to have any antivirus or antispyware software running that is set to override the internet browser’s cookies setting; (viii) incorrectly identify the sender of any message transmitted to Kindbody. You may not alter the attribution or origin of electronic mail, messages, or posting; (ix) harvest or collect PHI about any other individual who uses the Site or the Services; (x) infringe or facilitate infringement on any copyright, patent, trademark, trade secret, or other proprietary, publicity, or privacy rights of any party, including such rights of third parties.
You agree to defend, indemnify and hold harmless Kindbody, Kindbody Medical Practice, and the Providers from and against all third party claims, damages and expenses (including reasonable attorneys’ fees) against or incurred by us arising out of any User Information you upload to or transmit through the Site.
11. Claims of Copyright Infringement
We disclaim any responsibility or liability for copyrighted materials posted on our site. If you believe that your work has been copied in a manner that constitutes copyright infringement, please follow the procedures set forth below.
Kindbody respects the intellectual property rights of others and expects its users to do the same. In accordance with the Digital Millennium Copyright Act (“DMCA”), we will respond promptly to notices of alleged infringement that are reported to Kindbody’s Designated Copyright Agent, identified below.
Notices of Alleged Infringement for Content Made Available on the Site
If you are a copyright owner, authorized to act on behalf of one, or authorized to act under any exclusive right under copyright, please report alleged copyright infringements taking place on or through our Site by sending us notice (“Notice”) complying with the following requirements.
- Identify the copyrighted works that you claim have been infringed.
- Identify the material or link you claim is infringing (or the subject of infringing activity) and that access to which is to be disabled, including at a minimum, if applicable, the URL of the link shown on the Site where such material may be found.
- Provide your mailing address, telephone number, and, if available, email address.
- Include both of the following statements in the body of the Notice:
  - “I hereby state that I have a good faith belief that the disputed use of the copyrighted material is not authorized by the copyright owner, its agent, or the law (e.g., as a fair use).”
  - “I hereby state that the information in this Notice is accurate and, under penalty of perjury, that I am the owner, or authorized to act on behalf of the owner, of the copyright or of an exclusive right under the copyright that is allegedly infringed.”
- Provide your full legal name and your electronic or physical signature.
Deliver this Notice, with all items completed, to firstname.lastname@example.org.
12. Intellectual Property
With the exception of your electronic medical record, Kindbody and Kindbody Medical Practice, as applicable, retain all right, title, and interest in and to the Site, the Services and any information, products, documentation, software, or other materials on the Site, and any patent, copyright, trade secret, trademark, service mark, or other intellectual property, or proprietary right in any of the foregoing, except for information on the Site licensed by Kindbody or Kindbody Medical Practice (in that case, the license provider retains all right, title, and interest therein). The information available through the Site and the Services is the property of Kindbody or Kindbody Medical Practice, as applicable. You agree not to store, copy, modify, reproduce, retransmit, distribute, disseminate, rent, lease, loan, sell, publish, broadcast, display, or circulate such information to anyone. Use, reproduction, copying, or redistribution of Kindbody or Kindbody Medical Practice trademarks, service marks, and logos are strictly prohibited without the prior written permission of Kindbody or Kindbody Medical Practice, as applicable. The immediately foregoing sentence also applies to any third party trademarks, service marks, and logos posted on the Site. Nothing contained on the Site should be construed as granting, by implication, estoppel, waiver or otherwise, any license or right to use any trademarks, service marks or logos displayed on the Site without the written grant thereof by Kindbody, Kindbody Medical Practice or the third party owner of such trademarks, service marks, and/or logos. The Site may contain other proprietary notices and copyright information, the terms of which you agree to follow.
Kindbody may delete any information provided by you that it deems in its sole discretion fraudulent, abusive, defamatory, obscene, or in violation of copyright, trademark, or other intellectual property or ownership right of any other person or entity.
13. Disclaimer of Warranties
KINDBODY DOES NOT WARRANT THAT ACCESS TO OR USE OF THE SITE WILL BE UNINTERRUPTED OR ERROR-FREE OR THAT DEFECTS IN THE SITE WILL BE CORRECTED. THIS SITE, INCLUDING ANY CONTENT OR INFORMATION CONTAINED WITHIN IT OR ANY SITE-RELATED SERVICE, IS PROVIDED “AS IS,” WITH ALL FAULTS, WITH NO REPRESENTATIONS OR WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, QUALITY OF INFORMATION, QUIET ENJOYMENT, AND TITLE/NON-INFRINGEMENT. Kindbody DOES NOT WARRANT THE ACCURACY, COMPLETENESS OR TIMELINESS OF THE INFORMATION OBTAINED THROUGH THE SITE.
YOU ASSUME TOTAL RESPONSIBILITY AND RISK FOR YOUR USE OF THIS SITE, SITE-RELATED SERVICES, AND LINKED WEBSITES. Kindbody DOES NOT WARRANT THAT FILES AVAILABLE FOR DOWNLOAD WILL BE FREE OF VIRUSES, WORMS, TROJAN HORSES OR OTHER DESTRUCTIVE PROGRAMMING. YOU ARE RESPONSIBLE FOR IMPLEMENTING PROCEDURES SUFFICIENT TO SATISFY YOUR NEEDS FOR DATA BACK UP AND SECURITY.
WARRANTIES RELATING TO PRODUCTS OR SERVICES OFFERED, SOLD AND DISTRIBUTED BY KINDBODY ARE SUBJECT TO SEPARATE WARRANTY TERMS AND CONDITIONS, IF ANY, PROVIDED BY KINDBODY OR THIRD PARTIES WITH OR IN CONNECTION WITH THE APPLICABLE PRODUCTS OR SERVICES.
14. Limitation of Liability Regarding Use of Site
EXCEPT AS PROVIDED BY LAW, AND WITHOUT LIMITATION:
KINDBODY SHALL NOT BE LIABLE FOR THE ACTS OR OMISSIONS OF KINDBODY MEDICAL PRACTICE OR THE PROVIDERS. KINDBODY AND ANY THIRD PARTIES MENTIONED ON THIS SITE ARE NEITHER RESPONSIBLE NOR LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, SPECIAL, EXEMPLARY, PUNITIVE, OR OTHER DAMAGES WHATSOEVER (INCLUDING, WITHOUT LIMITATION, THOSE RESULTING FROM LOST PROFITS, LOST DATA, OR BUSINESS INTERRUPTION) ARISING OUT OF OR RELATING IN ANY WAY TO THE SITE, SITE-RELATED SERVICES, CONTENT OR INFORMATION CONTAINED WITHIN THE SITE, AND/OR ANY LINKED WEBSITE, WHETHER BASED ON WARRANTY, CONTRACT, TORT, OR ANY OTHER LEGAL THEORY AND WHETHER OR NOT ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. YOUR SOLE REMEDY FOR DISSATISFACTION WITH THE SITE, SITE-RELATED SERVICES, AND/OR LINKED WEBSITES IS TO STOP USING THE SITE AND/OR THOSE SERVICES. TO THE EXTENT ANY ASPECTS OF THE FOREGOING LIMITATIONS OF LIABILITY ARE NOT ENFORCEABLE, THE MAXIMUM LIABILITY OF Kindbody TO YOU WITH RESPECT TO YOUR USE OF THIS SITE IS $500 (FIVE HUNDRED DOLLARS). YOU HEREBY AGREE TO WAIVE, TO THE FULLEST EXTENT PERMITTED BY LAW, ALL LAWS THAT LIMIT THE EFFICACY OF SUCH INDEMNIFICATIONS OR RELEASES.
15. No Third Party Rights
17. Supplemental Terms Applicable to Providers
To be a healthcare provider using the Site (“Provider” or “you”) you must be a licensed physician contracted or employed by Kindbody Medical Practice, and must agree to comply with all laws, medical board rules and other rules and regulations applicable to you as a Provider or otherwise. Your relationship with the Kindbody users (including your Kindbody Medical Practice patients) is directly between you and the patient. The patient will never have a physician-patient relationship with Kindbody. Kindbody does not practice medicine and offers no medical services. As set forth more fully below, Provider is solely responsible for all agreements, consents, notices and other interactions with patients and other consumers. Without limiting the generality of the foregoing, Provider is solely responsible for all billings and collections from patients and other consumers, and Kindbody shall have no liability whatsoever to Provider with respect to any amounts owed by any patient or other consumer to Provider.
Kindbody does not provide any medical advice, legal advice, or representations in any way regarding any legal or medical issues associated with Provider, goods or services offered by Provider, including but not limited to any compliance obligations or steps necessary to comply with any state or federal laws and regulations. Provider should seek legal counsel regarding any legal and compliance issues, and should not rely on any materials or content associated with the Services in determining Provider’s compliance obligations under law. Provider and Kindbody agree that Kindbody is not providing, to Customer or anyone else, medical advice or legal advice.
Provider will use the Site and Services only in accordance with applicable standards of good medical practice. While software products such as the Site and Services can facilitate and improve the quality of service that Provider can offer patients, many factors, including the provider/patient relationship can affect a patient outcome, and with intricate and interdependent technologies and complex decision-making it is often difficult or impossible to accurately determine what the factors were and in what proportion they affected an outcome. Provider shall be solely responsible for its use of the Site and Services, and the provision of medical services to Provider’s patients. In this regard, Provider releases Kindbody and waives any and all potential claims against Kindbody as a result of Provider’s use of the Site and Services, and the provision of services to Provider’s patients.
As a result of the complexities and uncertainties inherent in the patient care process, Provider agrees to defend, indemnify and hold Kindbody harmless from any claim by or on behalf of any patient of Provider, or by or on behalf of any other third party or person claiming damage by virtue of a familial or financial relationship with such a patient, which is brought against Kindbody, regardless of the cause if such claim arises for any reason whatsoever, out of Provider’s use or operation of the Site and Services. To the extent applicable, Provider will obtain Kindbody’s prior written consent to any settlement or judgment in which Provider agrees to any finding of fault of Kindbody or defect in the Site or Services. Kindbody will promptly notify Provider in writing of any claim subject to this indemnification, promptly provide Provider with the information reasonably required for the defense of the same, and grant to Provider exclusive control over its defense and settlement.
If you submit, upload, transmit, or post any consents, notices, advice, recommendations, comments, files, videos, images or other materials to us or our Site (“Provider Content”) or provide any Provider Content to patients or other consumers, you agree not to provide any Provider Content that (1) is defamatory, abusive, libelous, unlawful, obscene, threatening, harassing, fraudulent, pornographic, or harmful, or that could encourage criminal or unethical behavior, (2) violates or infringes the privacy, copyright, trademark, trade dress, trade secrets or intellectual property rights of any person or entity, or (3) contains or transmits a virus or any other harmful component. Provider is solely responsible for obtaining all necessary agreements and consents from, and providing all required notices to, patients and other consumers. You agree not to contact other users through unsolicited e-mail, telephone calls, mailings or any other method of communication. You represent and warrant to Kindbody that you have the legal right and authorization to upload all Provider Content at the Site. Kindbody shall have a royalty-free, irrevocable, transferable right and license to use the Provider Content however Kindbody desires, including without limitation, to copy, modify, delete in its entirety, adapt, publish, translate, create derivative works from and/or sell and/or distribute such Provider Content and/or incorporate such Provider Content into any form, medium or technology throughout the world. Kindbody is and shall be under no obligation (1) to maintain any Provider Content in confidence; (2) to pay to you any compensation for any Provider Content; or (3) to respond to any Provider Content.
Kindbody does not regularly review Provider Content, but does reserve the right (but not the obligation) to monitor and edit or remove any Provider Content submitted to the Site. You grant Kindbody the right to use the name that you submit in connection with any Provider Content. You agree not to use a false email address, impersonate any person or entity, or otherwise mislead as to the origin of any Provider Content. You are and shall remain solely responsible for the content of any Provider Content you post to the Site or provide to patients or other consumers. Kindbody and its affiliates take no responsibility and assume no liability for any Provider Content submitted by you or any third party.
18. Dispute Resolution; Arbitration Agreement
We will try to work in good faith to resolve any issue you have with the Site, including Products and Services ordered or purchased through the Site, if you bring that issue to the attention of our customer service department. However, we realize that there may be rare cases where we may not be able to resolve an issue to a customer’s satisfaction.
YOU AND COMPANY AGREE THAT EACH MAY BRING CLAIMS AGAINST THE OTHER ONLY IN YOUR OR ITS INDIVIDUAL CAPACITY, AND NOT AS A PLAINTIFF OR CLASS MEMBER IN ANY PURPORTED CLASS OR REPRESENTATIVE PROCEEDING. Further, unless both you and Kindbody agree otherwise, the arbitrator may not consolidate more than one person’s claims with your claims, and may not otherwise preside over any form of a representative or class proceeding. The arbitrator may award declaratory or injunctive relief only in favor of the individual party seeking relief and only to the extent necessary to provide relief warranted by that party’s individual claim.
19. Force Majeure
21. Revisions; General
Copyright/Trademark Information. Copyright ©2021 Kindbody, Inc. All rights reserved. All trademarks, logos and service marks (“Marks”) displayed on the Site are our property or the property of other third parties. You are not permitted to use these Marks without our prior written consent or the consent of such third party which may own the Marks.
TERMS OF DATA PROCESSING
These Terms of Data Processing form part of the Master Services Agreement between Kindbody and Customer (“Agreement”). Kindbody and Customer are each referred to herein as a “Party” and collectively as the “Parties”. Capitalized terms used but not defined herein shall have the meaning given in the Agreement.
In the course of providing the Services, Kindbody will process personal data within the meaning of Art. 4 no 1 and 2 of the EU General Data Protection Regulation (“GDPR”) of Customer or Kindbody’s friendly professional corporations located in the European Economic Area (“EEA”), the United Kingdom and Switzerland, for which Customer or Kindbody’s friendly professional corporations are responsible as provided under Art. 4 no 7 GDPR (“Customer Personal Data”).
These Terms of Data Processing regulate the data protection obligations of the Parties when processing Customer Personal Data under the Agreement and will ensure such processing will only be rendered on behalf of and under the Instructions of Customer and in accordance with the EU Standard Contractual Clauses for Processors pursuant to European Commission Decision of 5 February 2010 (“SCC”) and Art. 28 et seq. GDPR.
These Terms of Data Processing cover Customer Personal Data contained in the eligibility file provided by the Customer to Kindbody. The Customer Personal Data contained in the eligibility file is processed by Kindbody to verify whether a Customer’s employee, director, agency worker, consultant or contractor (“Eligible Individual”) is eligible to receive the Services from Kindbody. These Terms of Data Processing are not applicable to personal data provided by an Eligible Individual to Kindbody directly. Personal data provided by the Eligible Individual directly is covered by the contractual relationship between Kindbody and the Eligible Individual. For personal data provided by the Eligible Individual, Kindbody is responsible as provided under Art. 4 no 7 GDPR.
In addition to the definition in Clause 1 SCC, the following shall apply:
- “Instruction” means any documented instruction, submitted by Customer to Kindbody, directing Kindbody to perform a specific action with regard to personal data, including but not limited to the rectification, erasure or restriction of processing of personal data. Instructions shall initially be specified in the Agreement and may, from time to time thereafter, be amended, supplemented or replaced by Customer by separate written or text form instructions, provided that such instructions still fall within the scope of the Services. Instruction issued for the purpose of complying with statutory claims under the GDPR such as rectification, erasure, restriction or portability of personal data fall within the scope of the Services.
- “Applicable Law” means all laws, rules and regulations applicable to each party in its use of or provisioning of the Services, including but not limited to those applicable to the processing of personal data. This means, in particular, the GDPR and all national laws validly amending the applicable rules for the processing of personal data, or in relation to the United Kingdom or Switzerland, the respective laws applicable in these countries.
- “Sub-processor” means a third-party data processor engaged by Kindbody and processing Customer Personal Data on Kindbody’s behalf and instructions.
- Terms used but not defined in this Section or in the SCC, including but not limited to “personal data”, “personal data breach”, “processing”, “controller”, “processor” and “data subject”, shall have the same meaning as set forth in Art. 4 GDPR. Where the scope of the definitions in Art. 4 GDPR goes beyond what is defined in the SCC, the broader understanding shall apply.
- References to the GDPR shall, in relation to Customer Personal Data subject to either the privacy law in the United Kingdom or in Switzerland, refer to the respective applicable privacy law in the United Kingdom or Switzerland.
2. AMENDMENT OF MASTER AGREEMENT
These Terms of Data Processing amend the Agreement with respect to any processing of Customer Personal Data provided by Customer or Kindbody’s friendly professional corporations located in the EEA, UK or Switzerland (each affiliate is hereinafter referred to as: “European Customer Affiliate”) as amended from time to time by written agreement between both Parties.
For purposes of these Terms of Data Processing, Customer and Kindbody agree that Customer, including European Customer Affiliates, is the controller of personal data and Kindbody is the processor of such data, except when Customer or Customer’s affiliate acts as a processor of personal data, in which case Kindbody is a sub-processor.
3. DATA PROCESSING AND STANDARD CONTRACTUAL CLAUSES
Any processing operation as described in Sec. 5. shall be subject to these Terms of Data Processing which include the SCC as contained in Exhibit B whereby the SCC shall prevail over any conflicting clauses in the Agreement or these Terms of Data Processing.
The Parties agree that the SCC shall be directly binding between Kindbody as Data Importer (as defined therein), Customer and each European Customer Affiliate as Data Exporter (as defined therein) in relation to the personal data provided by Customer or such European Customer Affiliate.
Customer is authorized to enter into these Terms of Data Processing on behalf of its European Customer Affiliates in which case each European Customer Affiliate will have the same rights and obligations as referred to Customer with the exception of this Sec. 3.3. Alternatively, each European Customer Affiliate can co-sign these Terms of Data Processing. Customer is responsible for ensuring that each of the European Customer Affiliates is bound by these Terms of Data Processing.
References to various Articles and terms from the Directive 95/46/EC in the SCC will be treated as references to the relevant and appropriate Articles in the GDPR.
4. SAFEGUARDS AND SUPPORT FOR INTERNATIONAL DATA TRANSFERS
Kindbody will support Customer to ensure compliance with Applicable Law for the transfer of Customer Personal Data to third countries with respect to data subjects located in the EEA by providing a risk assessment in the form contained in Exhibit C. The Parties agree to document this risk assessment and to make it available to the competent supervisory authority upon request. The Parties acknowledge and agree that as further guidance about the use of the SCC and accompanying supplementary measures becomes available, the Parties will reconvene and discuss potentially required amendments to these Terms of Data Processing and this Sec. 4. In particular, the Parties waive this Sec. 4 or parts thereof, to the extent the respective safeguard is no longer required.
Kindbody agrees and warrants that it has no reason to believe that Applicable Law, including any requirements to disclose Customer Personal Data or measures authorizing access by public authorities, prevents Kindbody from fulfilling its obligations under these Terms of Data Processing and the SCC contained herein.
Kindbody shall promptly notify Customer if Kindbody becomes aware of any laws or change in law, government policies or jurisprudence that affects the risk assessment under Exhibit C of these Terms of Data Processing, in particular if any such law or government policies or jurisprudence has a substantial adverse effect on the warranties and obligations provided by these Terms of Data Processing. Upon such notification by Kindbody, the Parties will reconvene and discuss whether conducting a new risk assessment is required. In such a case Customer is entitled to suspend the transfer of data.
Kindbody certifies that (i) it has not purposefully created back doors (non-transparent access capabilities) or similar programming that could be used to access the system and/or Customer Personal Data (ii) it has not purposefully created or changed its business processes in a manner that facilitates unauthorized access to Customer Personal Data or systems, and (iii) that Applicable Law does not require Kindbody to create or maintain back doors or to facilitate unauthorized access to Customer Personal Data or systems or for Kindbody to be in possession or to hand over keys to decrypt the Customer Personal Data.
Unless prohibited by Applicable Law, Kindbody commits to regularly publish to or notify the Customer by a message (“Warrant Canary”) that it has not received an order to disclose Customer Personal Data within the period since the last Warrant Canary has been issued. The Warrant Canary should include the certain date and time in which Kindbody has not received such an order. If Kindbody does not publish such a message, this indicates that Kindbody may have received an order.
To mitigate risks to the rights and freedoms of data subjects, the Parties agree that in the case of a transfer of Customer Personal Data to a third country not providing an adequate level of protection, the following provisions will apply to the Parties in addition to the SCC:
- As provided for in Clause 4 (c) SCC, Kindbody will implement and maintain appropriate technical and organizational security measures as described in Appendix 2 to Exhibit B. The Parties acknowledge that the technical measures should reflect the risks associated with the transfer of Customer Personal Data to a third country. The Parties agree to reconvene and discuss whether further additional safeguards are required in the light of the risk assessment pursuant to Sec. 4.1 and Exhibit C.
- In addition to Clause 4 (f) SCC, Customer represents and warrants that, if the transfer involves special categories of personal data and any other kind of Customer Personal Data, the data subject has been informed or will be informed, or as soon as possible after the transfer, that its data could be transmitted to a third country not providing an adequate level of protection.
- Customer will ensure that data subjects will be informed about where and by whom their data is processed.
- In addition to Clause 5 (d) (i) SCC, Kindbody represents and warrants that it will promptly notify Customer and, where possible and in cooperation with Customer, also the data subjects about any legally binding request for disclosure of or actual or documented access attempts by public authorities to Customer Personal Data by a law enforcement authority unless otherwise prohibited by Applicable Law. Such notification shall generally include information about the Customer Personal Data requested, the requesting authority, the legal basis for the request and the response provided. If such notification is prohibited, Kindbody will seek further guidance from a competent supervisory authority. If Kindbody is prohibited from disclosing such information to the data subject by law, it will inform Customer of any request received from the competent supervisory authorities. The data subject can enforce this Sec. 4.6.4 against Kindbody in accordance with the requirements of Clause 3 para 2 SCC.
- In addition to Clause 5 (d) (i) SCC, Kindbody represents and warrants to reasonably take legal actions against any request of disclosure of Customer Personal Data and to then refrain from disclosing Customer Personal Data to the relevant authorities until a competent court has issued a final ruling on the disclosure. The data subject can enforce this Sec. 4.6.5 against Kindbody in accordance with the requirements of Clause 3 para 2 SCC.
- In addition to Clause 6 (1) SCC, the Parties agree that the data subject is entitled to receive compensation from Customer and Kindbody for any damage suffered as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 SCC.
- In addition to the SCC, Kindbody as data importer agrees to indemnify the data subject from any material and non-material damage caused by the access to its Customer Personal Data of a governmental authority of a third country. Notwithstanding the foregoing, Kindbody shall have no obligation to indemnify the data subject under this Sec. 4.6.7 to the extent the data subject has already received compensation for the same damage.
- The indemnification pursuant to Sec. 4.6.7 is limited to material and non-material damages as provided in the GDPR and excludes consequential damages and all other damages not resulting from Kindbody’s infringement of the GDPR.
5. SUBJECT MATTER, DURATION, NATURE AND PURPOSE, AND SPECIFICATION OF PROCESSING OPERATIONS
The subject matter, nature and purpose of the processing are described in the Agreement, Exhibit A and this Sec. 5.1. Unless provided for otherwise in the Agreement, the processing will be limited to (i) the storage/processing of certain limited Customer Personal Data on a server and incidental access to such data when providing the SaaS services pursuant to the Agreement, and/or (ii) when rendering maintenance services for on-premise solutions. When providing on-premise maintenance, there shall be no access to or processing of Customer Personal Data but incidental access to such data stored on Customer’s premises cannot be excluded.
The categories of personal data and data subjects which may be concerned by the processing are listed in Exhibit A.
The duration of the processing shall correspond to the duration of these Terms of Data Processing as set forth in Sec. 11.
6. KINDBODY’S OBLIGATIONS
Kindbody shall in the course of providing Services, including with regard to transfers of personal data to a third country, process Customer Personal Data only on behalf of and under the documented Instructions of Customer unless required to do so otherwise under Applicable Law; in such a case, Kindbody shall inform Customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest (the corresponding Clause 5 (a) SCC shall remain unaffected).
Kindbody shall ensure that any natural person acting under its authority who has access to personal data does not process any personal data except on Instructions from Customer, unless Kindbody, or such person is otherwise required to do so by Applicable Law.
Kindbody ensures that persons authorized to process the Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality and that the obligation will remain after termination of these Terms of Data Processing.
6.4 Technical and Organizational Data Security Measures
- The measures specified in Exhibit B, Appendix 2 are subject to technical advancements and development (the corresponding Clause 5 (a) SCC shall remain unaffected).
- Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Kindbody shall implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as required by Art. 32 GDPR. As appropriate, this may include
- the pseudonymization and encryption of personal data;
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; and
- the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.
- When assessing the appropriate level of security, account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed.
- If Kindbody significantly modifies the measures specified in Exhibit B, Appendix 2, such modifications have to meet the obligations pursuant to Sec. 6.4.2 and 6.4.3. Kindbody shall make available to Customer a description of such measures which enables Customer to assess compliance with Art. 32 GDPR. Kindbody and Customer shall agree on such significant modifications by signing the modified Exhibit B, Appendix 2 after every amendment. Customer shall not refuse to accept any modification that meets the requirements pursuant to Sec. 6.4.2 and 6.4.3 unless Customer has reason to believe that the modifications fall below the agreed level of security.
- Kindbody shall implement a data protection management procedure according to Art. 32 para 1 lit. d) GDPR, for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures to reasonably ensure the security of the processing. Kindbody will further, by way of regular self-audits, reasonably ensure that the processing of Customer Personal Data conforms with the provisions as agreed with Customer or to Customer’s Instructions.
Kindbody shall, while taking into account the nature of the processing, assist Customer through appropriate technical and organizational measures, with the fulfilment of Customer’s obligations to respond to requests for exercising rights of data subjects in accordance with Applicable Law, in particular Art. 15 through 18 and 21 GDPR.
Taking into account the nature of the processing and the information available to Kindbody, Kindbody shall assist Customer with ensuring compliance with the obligations pursuant to Art. 33 through 36 GDPR (Data Security Breach Notification, Data Protection Impact Assessment, Consultation with Data Protection Supervisory Authorities).
6.7 Documentation and Audit Rights
- Kindbody shall, upon request and subject to a non-disclosure agreement, provide to Customer a comprehensive documentation of the technical and organizational data security measures in accordance with industry standards. The effectiveness of Kindbody’s technical and organizational security measures will be audited by an independent third-party on an annual basis, in an SSAE16 SOC 2 Type 2 audit or equivalent. In addition, Kindbody may, in its discretion provide data protection compliance certifications issued by a commonly accepted certification issuer which has been audited by a data security expert, by a publicly certified auditing company or by another customer of Kindbody.
- If Customer has justifiable reason to believe that Kindbody is not complying with the terms and conditions under these Terms of Data Processing, in particular with the obligation to implement and maintain the agreed technical and organizational data security measures, and only once per year (unless there are specific indications that require a more frequent inspection), Customer is, subject to a non-disclosure agreement, entitled to audit Kindbody (the corresponding Clause 5 (f) SCC shall remain unaffected). This audit right can be exercised by (i) requesting additional information, (ii) accessing the databases which process Customer Personal Data or (iii) by inspecting Kindbody’s working premises whereby in each case no access to personal data of other customers or Kindbody’s confidential information will be granted. Alternatively, Customer may also engage third party auditors to perform such tasks on its behalf in accordance with Sec. 6.7.4. The costs associated with such audits and/or for providing additional information shall be borne by Customer unless such audit reveals Kindbody’s material breach with these Terms of Data Processing.
- If Customer intends to conduct an audit at Kindbody’s working premises, Customer shall give reasonable notice to Kindbody and agree with Kindbody on the time and duration of the audit. In the case of a special legitimate interest, such audit can also be conducted without prior notice. Inspections shall be made during regular business hours and in such a way that business operations are not disturbed. At least one employee of Kindbody may accompany the auditors at any time. Kindbody may memorialize the results of the audit in writing which shall be confirmed by Customer.
- Customer may not appoint a third party as auditor who (i) Kindbody reasonably considers to be in a competitive relationship to Kindbody, or (ii) is, as provided in Clause 5 (f) SCC not sufficiently qualified to conduct such an audit, or (iii) is not independent. Any such third-party auditor shall only be engaged if the auditor is bound by a non-disclosure agreement with Kindbody prior to conducting any audit or is bound by statutory confidentiality obligations.
- Kindbody shall audit its Sub-processors on a regular basis and will upon Customer’s request confirm their compliance with data protection law and the obligations set upon the Sub-processors according to the data processing agreement concluded with them. Only in the case of justified reasons, Customer shall issue Instructions to Kindbody to conduct further audits that Kindbody will conduct to the extent permitted.
6.8 Notification Duties
Kindbody shall inform Customer without undue delay in text form (e.g. letter, fax or e-mail) of the events listed in Clause 5 (d) SCC and the following events:
- Requests from third parties including such from a data protection supervisory authority regarding Customer Personal Data; or
- Threats to Customer Personal Data in possession of Kindbody by garnishment, confiscation, insolvency and settlement proceedings or other incidents or measures by third parties. In such case, Kindbody shall immediately inform the respective responsible person/entity that Customer holds the sovereignty and ownership of the personal data.
The corresponding Clauses 5 (b) and (d) SCC shall remain unaffected.
For the purpose of complying with Clause 5 (d) SCC and for enabling Customer to comply with its own data breach notification obligations pursuant to Art. 33 para 1 GDPR and Art. 34 para 1 GDPR, Kindbody shall notify Customer without undue delay after becoming aware of a personal data breach. Such notice will, if possible, include the following information:
- a description of the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
- a description of the measures taken or proposed to be taken by Kindbody and/or Customer to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects; and
- any further information which is available and known to Kindbody and (i) that is necessary for Customer to comply with Customer’s notification obligations according to this Sec. 6.8.2 and (ii) which Customer does not otherwise have access to.
Kindbody shall inform Customer immediately if, from its point of view, an Instruction of Customer may lead to a violation of the GDPR or other Applicable Law. Until Customer either confirms or alters the Instruction, Kindbody may refuse to comply with the Instruction issued.
6.9 Rectification, Erasure (Deletion), Restriction
- If legally required and Customer is unable to perform the applicable task itself, or if provided so in the services description contained in the Agreement, Kindbody shall rectify, erase (delete), restrict (block) or transmit Customer Personal Data upon Customer’s request. Any erasure of Customer Personal Data pursuant to this Sec. 6.9 shall be executed in such a manner that restoring or recovering such data is rendered reasonably impossible.
- At Customer’s request, Kindbody shall conduct a data protection-compliant destruction of data media and other material provided by Customer. Alternatively, at the request of Customer, Kindbody shall provide the data carriers and other material to Customer or store it on Customer’s behalf.
- Unless Union or Member State law requires a retention of the personal data, Kindbody shall, upon completion of the Services in consultation with Customer, either delete or return all Customer Personal Data in its possession to Customer.
- Without prejudice to the generality of Clause 5 (d) of the SCC, if a data subject addresses Kindbody with claims for access, rectification, erasure, restriction, objection or data portability, Kindbody shall refer the data subject to Customer.
Kindbody will inform Customer of the name and the official contact details of its data protection officer if Kindbody is, by Applicable Law, required to appoint a data protection officer. If Kindbody is not required to appoint a data protection officer, Kindbody shall – in its own discretion – name a person responsible for dealing with questions relating to applicable data protection law and data security in the context of performing these Terms of Data Processing.
In the case claims based on Art. 82 GDPR are raised against Customer, Kindbody shall reasonably support Customer with its defense to the extent the claim arises in connection with the processing of personal data by Kindbody in connection with performing the Services to Customer.
Kindbody will make available to Customer all information necessary to demonstrate compliance with the obligations laid down in these Terms of Data Processing and Art. 28 GDPR.
7. CUSTOMER’S OBLIGATIONS
Customer shall provide all Instructions pursuant to these Terms of Data Processing to Kindbody in written, electronic or verbal form (the corresponding Clause 4 (b) SCC shall remain unaffected). Verbal Instructions shall be confirmed immediately in written form thereafter.
Customer shall notify Kindbody in writing of the names of the persons who are entitled to issue Instructions to Kindbody. In any event, the managing directors and personnel/human resource management of Customer are entitled to issue Instructions.
Customer shall inform Kindbody without undue delay if processing by Kindbody might lead to a violation of data protection regulations.
In the case claims based on Art. 82 GDPR are raised against Kindbody, Customer shall reasonably support Kindbody with its defense (at Kindbody’s expense) to the extent the claim arises in connection with the processing of personal data by Kindbody in connection with performing the Services to Customer.
Customer provides its general written authorization to the engagement of Sub-processors by Kindbody if the requirements of this Sec. 8.1, 8.2 and 8.3 are fulfilled. Any Sub-processor is obliged before initiating the processing, to commit itself in writing for the benefit of Customer and its European Customer Affiliates to comply with the same data protection obligations as the ones under these Terms of Data Processing or legal Act within the meaning of Art. 28 para 3, 4 and 6 GDPR vis-à-vis Customer unless explicitly agreed otherwise. The agreement with the Sub-processor must provide at least the level of data protection required by these Terms of Data Processing. Kindbody shall remain fully liable to Customer for the performance of the Sub-processor’s obligations (the corresponding Clause 11 SCC shall remain unaffected).
Any Sub-processor must in particular agree to comply with the agreed technical and organizational security measures in accordance with Sec. 6.4 herein and provide Kindbody and also Customer, with a list of the implemented technical and organizational measures. Sub-processor’s measures may differ from the ones agreed between Customer and Kindbody but shall not fall below the level of data security as provided by the measures of Kindbody.
Kindbody shall not add or replace any Sub-processor except where Kindbody has provided Customer with at least 14 days’ prior notice by electronic means or via email and the opportunity to object to such Sub-processor in accordance with this Sec. 8.3. Upon Customer’s request, Kindbody will provide all information necessary to demonstrate that the Sub-processor will meet all requirements pursuant to Sec. 8.1 and 8.2. In the case Customer objects to the sub-processing, Kindbody can choose to either not engage the Sub-processor or to terminate the Agreement or any related service agreement with two (2) months prior written notice. Until the termination of the Agreement and/or any service agreement, Kindbody may suspend the portion of the Services which is affected by the objection of Customer. Customer shall not be entitled to a pro-rata refund of the remuneration for the Services, unless the objection is based on justified reasons of incompliance with applicable data protection law.
- Google Workspace provided by Google LLC for the purpose of internal business data storage in the United States
- Amazon Web Services provided by Amazon Web Services, Inc. for the purpose of providing data hosting services in the United States
Where a Sub-processor refuses to be bound by the same data protection obligations as the ones under these Terms of Data Processing, Customer may consent to such other terms whereby such consent shall not be unreasonably withheld if, upon request of the Customer, Kindbody can demonstrate Sub-processor’s compliance with Applicable Law.
Customer and Kindbody shall be each liable for damages of concerned data subjects according to Art. 82 GDPR (external liability). Either Party shall be entitled to claim back from the other, Kindbody or Customer, that part of the compensation corresponding to their part of responsibility for the damage.
As regards the internal liability and without any effect as regards the external liability towards data subjects, the Parties agree that notwithstanding anything contained hereunder, when providing the Services, Kindbody’s liability for breach of any of these Terms of Data Processing shall be subject to the liability clause agreed in the Agreement. Further, no European Customer Affiliate shall become beneficiary of these Terms of Data Processing without being bound by these Terms of Data Processing and without accepting this liability clause.
10. COSTS FOR ADDITIONAL SERVICES
If Customer’s Instructions lead to a change from or increase of the agreed Services or in the case of Kindbody’s compliance with its obligations to assist Customer with Customer’s own statutory obligations, Kindbody is entitled to charge reasonable fees for such tasks which are based on the prices agreed for rendering the Services and/or notified to Customer in advance.
11. CONTRACT PERIOD
The duration of these Terms of Data Processing depends on the duration of the Agreement. It commences and terminates with the provisioning of the Services under the Agreement, unless otherwise stipulated in the provisions of these Terms of Data Processing.
Kindbody may modify or supplement these Terms of Data Processing, with notice to the other Customer, (i) if required to do so by a supervisory authority or other government or regulatory entity, (ii) if necessary to comply with Applicable Law, (iii) to implement standard contractual clauses laid down by the European Commission or (iv) to adhere to an approved code of conduct or certification mechanism approved or certified pursuant to Art 40, 42 and 43 of the GDPR. Customer shall notify Kindbody if it does not agree to a modification, in which case Customer may terminate these Terms of Data Processing and the Agreement with two (2) weeks’ prior written notice, whereby in the case of an objection not based on incompliance of the modifications with applicable data protection law, Kindbody shall remain entitled to claim its agreed remuneration until the term end.
13. WRITTEN FORM
Any side agreements to these Terms of Data Processing as well as changes and amendments of these Terms of Data Processing or the Services hereunder, including this Sec. 13, shall be in writing.
14. CHOICE OF LAW
These Terms of Data Processing are governed by, and shall be interpreted in accordance with, the laws of the place of residence of Customer or European Customer Affiliates, or, if these parties are not controllers, Customer’s or European Customer Affiliates’ customers excluding conflict of law provisions, to the extent not otherwise provided by Clause 7 SCC.
With respect to any issues arising of or in connection with data protection, these Terms of Data Processing shall prevail over all other agreements between the Parties.
In the event a clause under the Agreement has been found to violate the GDPR or any other Applicable Law, the Parties will mutually agree on modifications to the Agreement to the extent necessary to ensure data privacy-law compliant processing.
Exhibit A – Specifications of the Processing
- Subject-matter, nature and purpose of the processing
Please describe the subject matter, nature and purpose of the processing in a manner that a third party is able to understand what the subject-matter of the processing is and how and why personal data is processed:
The following information is collected and processed for the purpose of determining employee eligibility for fertility benefits through Kindbody.
- Types of personal data
Please list the types of personal data affected by the processing (e.g. contact details, financial data, purchase data etc.):
- Employee first name and last name
- Employee geography
- Employee ID
- Employee eligibility date
- Employee company e-mail address
- Special categories of data (if appropriate)
Please list the types of special categories of personal data affected by the processing (e.g., data regarding health, religion, ethnicity, political opinion, trade union membership):
- Categories of data subjects
Please list the categories of data subjects affected by the processing (e.g., customers, customers of the customer, employees, suppliers):
Employees, directors, agency workers, consultants and contractors of the Customer.
- Data Exporter
The Data Exporter is the Customer as defined in the Agreement.
- Data Importer
The Data Importer is Kindbody, an online service provider that offers fertility benefit services to employees through its online platform.
Exhibit B – Standard Contractual Clauses for Processors
Standard Contractual Clauses for Processors
For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection.
Customer and/or each of the European Customer Affiliates is hereinafter referred to as the “Data Exporter” with respect to the personal data provided by the respective Data Exporter.
Processor is hereinafter referred to as the “Data Importer”.
The Data Exporter(s) and the Data Importer, each a “party” and collectively “the parties” HAVE AGREED on the following Contractual Clauses (the Clauses) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the Data Exporter to the Data Importer of the personal data specified in Appendix 1.
For the purposes of the Clauses:
(a) ‘personal data’, ‘special categories of data’, ‘process/processing’, ‘controller’, ‘processor’, ‘data subject’ and ‘supervisory authority’ shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;
(b) ‘the Data Exporter’ means the controller who transfers the personal data;
(c) ‘the Data Importer’ means the processor who agrees to receive from the Data Exporter personal data intended for processing on his behalf after the transfer in accordance with his instructions and the terms of the Clauses and who is not subject to a third country’s system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC;
(d) the ‘Subprocessor’ means any processor engaged by the Data Importer or by any other subprocessor of the Data Importer who agrees to receive from the Data Importer or from any other subprocessor of the Data Importer personal data exclusively intended for processing activities to be carried out on behalf of the Data Exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract;
(e) ‘the Applicable Data Protection Law’ means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the Member State in which the Data Exporter is established;
(f) ‘Technical and Organisational Security Measures’ means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.
Details of the transfer
The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1 which forms an integral part of the Clauses.
Third-party beneficiary clause
- The data subject can enforce against the Data Exporter this Clause, Clause 4(b) to (i), Clause 5(a) to (e), and (g) to (j), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as third-party beneficiary.
- The data subject can enforce against the Data Importer this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where the Data Exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the Data Exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the Data Exporter, in which case the data subject can enforce them against such entity.
- The data subject can enforce against the Subprocessor this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where both the Data Exporter and the Data Importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the Data Exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the Data Exporter, in which case the data subject can enforce them against such entity. Such third-party liability of the Subprocessor shall be limited to its own processing operations under the Clauses.
- The parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law.
Obligations of the Data Exporter
The Data Exporter agrees and warrants:
(a) that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the Applicable Data Protection Law (and, where applicable, has been notified to the relevant authorities of the Member State where the Data Exporter is established) and does not violate the relevant provisions of that State;
(b) that it has instructed and throughout the duration of the personal data processing services will instruct the Data Importer to process the personal data transferred only on the Data Exporter’s behalf and in accordance with the Applicable Data Protection Law and the Clauses;
(c) that the Data Importer will provide sufficient guarantees in respect of the Technical and Organisational Security Measures specified in Appendix 2 to this contract;
(d) that after assessment of the requirements of the Applicable Data Protection Law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;
(e) that it will ensure compliance with the security measures;
(f) that, if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of Directive 95/46/EC;
(g) to forward any notification received from the Data Importer or any Subprocessor pursuant to Clause 5(b) and Clause 8(3) to the data protection supervisory authority if the Data Exporter decides to continue the transfer or to lift the suspension;
(h) to make available to the data subjects upon request a copy of the Clauses, with the exception of Appendix 2, and a summary description of the security measures, as well as a copy of any contract for subprocessing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information;
(i) that, in the event of subprocessing, the processing activity is carried out in accordance with Clause 11 by a Subprocessor providing at least the same level of protection for the personal data and the rights of data subject as the Data Importer under the Clauses; and
(j) that it will ensure compliance with Clause 4(a) to (i).
Obligations of the Data Importer
The Data Importer agrees and warrants:
(a) to process the personal data only on behalf of the Data Exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the Data Exporter of its inability to comply, in which case the Data Exporter is entitled to suspend the transfer of data and/or terminate the contract;
(b) that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the Data Exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the Data Exporter as soon as it is aware, in which case the Data Exporter is entitled to suspend the transfer of data and/or terminate the contract;
(c) that it has implemented the Technical and Organisational Security Measures specified in Appendix 2 before processing the personal data transferred;
(d) that it will promptly notify the Data Exporter about:
(i) any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation,
(ii) any accidental or unauthorised access, and
(iii) any request received directly from the data subjects without responding to that request, unless it has been otherwise authorised to do so;
(e) to deal promptly and properly with all inquiries from the Data Exporter relating to its processing of the personal data subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred;
(f) at the request of the Data Exporter to submit its data processing facilities for audit of the processing activities covered by the Clauses which shall be carried out by the Data Exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the Data Exporter, where applicable, in agreement with the supervisory authority;
(g) to make available to the data subject upon request a copy of the Clauses, or any existing contract for subprocessing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, with the exception of Appendix 2 which shall be replaced by a summary description of the security measures in those cases where the data subject is unable to obtain a copy from the Data Exporter;
(h) that, in the event of subprocessing, it has previously informed the Data Exporter and obtained its prior written consent;
(i) that the processing services by the Subprocessor will be carried out in accordance with Clause 11;
(j) to send promptly a copy of any subprocessor agreement it concludes under the Clauses to the Data Exporter.
- The parties agree that any data subject, who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any party or Subprocessor, is entitled to receive compensation from the Data Exporter for the damage suffered.
- If a data subject is not able to bring a claim for compensation in accordance with paragraph 1 against the Data Exporter, arising out of a breach by the Data Importer or his Subprocessor of any of their obligations referred to in Clause 3 or in Clause 11, because the Data Exporter has factually disappeared or ceased to exist in law or has become insolvent, the Data Importer agrees that the data subject may issue a claim against the Data Importer as if it were the Data Exporter, unless any successor entity has assumed the entire legal obligations of the Data Exporter by contract or by operation of law, in which case the data subject can enforce its rights against such entity.
The Data Importer may not rely on a breach by a Subprocessor of its obligations in order to avoid its own liabilities.
- If a data subject is not able to bring a claim against the Data Exporter or the Data Importer referred to in paragraphs 1 and 2, arising out of a breach by the Subprocessor of any of their obligations referred to in Clause 3 or in Clause 11 because both the Data Exporter and the Data Importer have factually disappeared or ceased to exist in law or have become insolvent, the Subprocessor agrees that the data subject may issue a claim against the data Subprocessor with regard to its own processing operations under the Clauses as if it were the Data Exporter or the Data Importer, unless any successor entity has assumed the entire legal obligations of the Data Exporter or Data Importer by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The liability of the Subprocessor shall be limited to its own processing operations under the Clauses.
Mediation and Jurisdiction
- The Data Importer agrees that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the Data Importer will accept the decision of the data subject:
(a) to refer the dispute to mediation, by an independent person or, where applicable, by the supervisory authority;
(b) to refer the dispute to the courts in the Member State in which the Data Exporter is established.
- The parties agree that the choice made by the data subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.
Cooperation with supervisory authorities
- The Data Exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the Applicable Data Protection Law.
- The parties agree that the supervisory authority has the right to conduct an audit of the Data Importer, and of any Subprocessor, which has the same scope and is subject to the same conditions as would apply to an audit of the Data Exporter under the Applicable Data Protection Law.
- The Data Importer shall promptly inform the Data Exporter about the existence of legislation applicable to it or any Subprocessor preventing the conduct of an audit of the Data Importer, or any Subprocessor, pursuant to paragraph 2. In such a case the Data Exporter shall be entitled to take the measures foreseen in Clause 5 (b).
The Clauses shall be governed by the law of the Member State in which the Data Exporter is established.
Variation of the contract
The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clause.
- The Data Importer shall not subcontract any of its processing operations performed on behalf of the Data Exporter under the Clauses without the prior written consent of the Data Exporter. Where the Data Importer subcontracts its obligations under the Clauses, with the consent of the Data Exporter, it shall do so only by way of a written agreement with the Subprocessor which imposes the same obligations on the Subprocessor as are imposed on the Data Importer under the Clauses (This requirement may be satisfied by the Subprocessor co-signing the contract entered into between the Data Exporter and the Data Importer which is based on the terms and conditions of this Agreement.). Where the Subprocessor fails to fulfil its data protection obligations under such written agreement the Data Importer shall remain fully liable to the Data Exporter for the performance of the Subprocessor’s obligations under such agreement.
- The prior written contract between the Data Importer and the Subprocessor shall also provide for a third-party beneficiary clause as laid down in Clause 3 for cases where the data subject is not able to bring the claim for compensation referred to in paragraph 1 of Clause 6 against the Data Exporter or the Data Importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the Data Exporter or Data Importer by contract or by operation of law. Such third-party liability of the Subprocessor shall be limited to its own processing operations under the Clauses.
- The provisions relating to data protection aspects for subprocessing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the Data Exporter is established.
- The Data Exporter shall keep a list of subprocessing agreements concluded under the Clauses and notified by the Data Importer pursuant to Clause 5 (j), which shall be updated at least once a year. The list shall be available to the Data Exporter’s data protection supervisory authority.
Obligation after the termination of personal data processing services
- The parties agree that on the termination of the provision of data processing services, the Data Importer and the Subprocessor shall, at the choice of the Data Exporter, return all the personal data transferred and the copies thereof to the Data Exporter or shall destroy all the personal data and certify to the Data Exporter that it has done so, unless legislation imposed upon the Data Importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the Data Importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.
- The Data Importer and the Subprocessor warrant that upon request of the Data Exporter and/or of the supervisory authority, it will submit its data processing facilities for an audit of the measures referred to in paragraph 1.
APPENDIX 1 TO THE STANDARD CONTRACTUAL CLAUSES
This Appendix forms part of the Clauses and must be completed and signed by the parties.
The Data Exporter is the entity as defined in Sec. 5 of Exhibit A of the Terms of Data Processing.
The Data Importer is the entity as defined in Sec. 6 of Exhibit A of the Terms of Data Processing.
As defined in Sec. 4 of Exhibit A of the Terms of Data Processing.
Categories of data
As defined in Sec. 2 of Exhibit A of the Terms of Data Processing.
Special categories of data (if appropriate)
The personal data transferred concern the following special categories of data (please specify):
The data listed above is processed solely to provide the Software as a Service (SaaS) and/or maintenance services as more fully described in the Agreement. Specifically, the processing will be limited to the storage/processing of certain limited Customer Personal Data on a server and incidental access to such data when providing the SaaS services pursuant to the Agreement.
APPENDIX 2 TO THE STANDARD CONTRACTUAL CLAUSES
This Appendix forms part of the Clauses and must be completed and signed by the parties.
Description of the Technical and Organizational Security Measures implemented by the Data Importer in accordance with Clauses 4(d) and 5(c) (or document/legislation attached):
Sub-Processors will be bound to adhere to similar but not identical organizational security measures which shall not fall below the level of data security as agreed herein. Any organizational security measures are subject to change of technical standards and can be adopted. If so requested, Data Importer will provide Data Exporter with a description of the then current measures.
- Pseudonymization and Encryption, Art. 32 para 1 point a GDPR
Pseudonymization contains measures that enable one to process personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that this additional information is stored separately, and is subject to appropriate technical and organizational measures. Encryption contains measures that enable one to convert clearly legible information into an illegible string by means of a cryptographic process.
- Stored data is encrypted where appropriate, including any backup copies of the data
- The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services, Art. 32 para 1 point b GDPR
Confidentiality and integrity are ensured by the secure processing of personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage.
2.1.1. Physical access control
Measures that prevent unauthorized persons from gaining access to data processing systems with which personal data are processed or used.
- Physical access control systems
- Definition of authorized persons and Management and documentation of individual authorizations
- Regulation of Visitors and external staff
- Monitoring of all facilities housing IT systems
- Logging of physical access
2.1.2 System/Electronic access control
Measures that prevent data processing systems from being used without authorization.
- User Authentication by simple authentication methods (using username/password)
- Secure transmission of credentials using networks (using TLS and SSL)
- Automatic account locking, beginning in 2021
- Guidelines for Handling of passwords
- Definition of authorized persons
- Managing means of authentication
- Access control to infrastructure that is hosted by cloud service provider
2.1.3 Internal Access Control
Measures that ensure that persons entitled to use a data processing system have access only to the data to which they have a right of access, and that personal data cannot be read, copied, modified or removed without authorization in the course of processing or use and after storage.
- Automatic and manual locking
- Access right management
- Access right management including authorization concept, implementation of access restrictions, implementation of the “need-to-know” principle, managing of individual access rights
2.1.4 Isolation/Separation Control
Measures to ensure that data collected for different purposes can be processed (storage, amendment, deletion, transmission) separately.
- Network separation
- Segregation of responsibilities and duties
- Document procedures and applications for the separation
2.1.5 Job Control
Measures that ensure that, in the case of commissioned processing of personal data, the data are processed strictly in accordance with the instructions of the principal.
- Training and confidentiality agreements for internal staff and external staff
2.2.1 Data transmission control
Measures that ensure that personal data cannot be read, copied, modified or removed without authorization during electronic transmission or transport, and that it is possible to check and establish to which bodies the transfer of personal data by means of data transmission facilities is envisaged.
- Secure transmission between client and server and to external systems by using industry-standard encryption
- Secure network interconnections ensured by Firewalls, etc.
- Logging of transmissions of data from IT system that stores or processes personal data
2.2.2 Data input control
Measures that ensure that it is possible to check and establish whether and by whom personal data have been input into data processing systems, modified or removed.
- Logging authentication and monitored logical system access
- Logging of data access including, but not limited to access, modification, entry and deletion of data
- Documentation of data entry rights and partially logging security related entries
2.3 Availability and Resilience of Processing Systems and Services
Availability includes measures that ensure that personal data is protected from accidental destruction or loss due to internal or external influences. Resilience of processing systems and services includes measures that ensure the ability to withstand attacks or to quickly restore systems to working order after an attack.
- Cloud-based backup solution
- Implementation of transport policies
- Backup Concept
- Protection of stored backup media
- The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident, Art. 32 para 1 point c GDPR
Organizational measures that ensure the possibility to quickly restore the system or data in the event of a physical or technical incident.
- Continuity planning (Recovery Time Objective)
- A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing, Art. 32 para 1 point d GDPR
Organizational measures that ensure the regular review and assessment of technical and organizational measures.
- Testing of emergency equipment
- Documentation of interfaces and personal data fields
- Internal assessments
Certain Kindbody Products, such as KBI Services, Inc.’s At-Home Fertility Test (the “Fertility Test”), may be provided with additional or different terms or conditions (“Product Terms”). In the event that any Product Terms conflict with this Agreement, the Product Terms will control.
The Fertility Tests are available only to individuals who are at least 18 years old. Therefore, you represent and warrant that if you are an individual, you are at least 18 years old and accept this Agreement. You also certify that you take full responsibility for the selection and use of the Services. This Agreement is void where prohibited by law, and the right to access the Service is revoked in such jurisdictions.
FERTILITY TEST NOTICE: Please note, notwithstanding the foregoing, the Fertility Tests are not currently available in the States of New York, New Jersey, or Rhode Island.
The information, content or reports provided or derived from the Fertility Test or any applicable Product is for purposes of improving your wellness only and is not intended to provide medical advice, diagnosis, or treatment. We engaged the services of a licensed physician or other person authorized by law to order the blood and/or bodily fluid test and to receive your results prior to making your reports available to you. However, these interactions are not intended to create, nor do they create, any doctor-patient relationship. The Fertility Tests are often similar to those offered in fertility clinics. These Fertility Tests serve an important function in fertility but are not a definite predictor of fertility. The information, content or reports or Services related to the Fertility Test or any applicable Product are for informational purposes only. Any health related choices you make are yours and may require the advice of a health care provider. The information, content or reports are not intended to be a substitute for professional medical advice, diagnosis, or treatment or recommendation regarding medication. We do not warrant the accuracy, completeness or usefulness of this information. Any reliance you place on such information is strictly at your own risk. We disclaim all liability and responsibility arising from any reliance placed on such information by you or any other visitor to the Services, Fertility Test or any applicable Product, or by anyone who may be informed of any of its information, content or reports. Furthermore, you should not interpret any information, content or reports related to the Fertility Test or any applicable Product we provide you as recommending any specific treatment plan, product or course of action. Always seek the advice of your physician or other qualified health provider with any questions you may have regarding a medical condition.
Never disregard professional medical advice or delay in seeking it because of something you have read on the Services or related to the Fertility Test or any applicable Product.
If you think you may have a medical emergency, call your doctor or 911 immediately. The Services does not endorse any specific tests, physicians, products, procedures, opinions, or other information that may be mentioned on the Services. The Services provides information and answers to certain reproductive health questions based on the information you input. The information the Services provides is meant to be considered by you and your physician. Reliance on any information provided by the Services is solely at your own risk.
Kindbody offers a variety of for-fee Products and Services. You hereby authorize Kindbody (and its third-party payment processor) to charge your payment account (such as your credit card) for owed amounts. All payments are non-refundable except as otherwise specified by us. You are responsible for all taxes associated with your purchase, if applicable. You represent and warrant that your payment information (such as credit card number and address) will be accurate and up-to-date at all times.
RETURNS OR REFUNDS
For prompt service, please email our Kindbody Patient Care Navigator at navigator@kindbody and provide your order number for any request for the following:
· If your order has not shipped, you are eligible for a 100% refund of your order.
· If it has been 30 days or less since you’ve placed your order, you are eligible for a full refund less $20 USD per test kit to cover shipping, handling, and processing fees. Please include your Kit ID information when you contact us.
· Orders over 30 days old and orders where results have been released are not eligible for any refund.
· In all cases, Kindbody cannot accept returned/unused kits. If you received your order and do not wish to continue with the test, we ask that you dispose of the kit.
· If you’ve purchased a kit for a discounted rate and are no longer interested in the kit, we’re happy to honor a refund based on the above guidelines. Discounts that are made available through the purchase of multiple kits will not reflect in any refunds that are completed by Kindbody.
All test kits must be registered and returned to the lab within 6 months of purchase. In addition, unregistered kits expire after 3 months. Any samples that are delivered to the lab after this time will not be processed. We are unable to provide a replacement kit or refund due to expiration.
If the lab is unable to process your results, you will be notified, and a new test will be shipped to you.
THIRD PARTY PRODUCTS, ADVICE AND SERVICES
Kindbody and its suppliers shall not be liable to you or any other person for any loss, damage or delay resulting from your use of any third party services. In the event that you have a dispute with one or more other third parties, you release Kindbody, its directors, officers, managers, employees, agents, contractors and successors from claims, demands, and damages of every kind or nature, known or unknown, suspected or unsuspected, disclosed or undisclosed, arising out of or in any way related to such disputes and/or the Fertility Test, Services, and any applicable Product. If you are a California resident, you shall and hereby do waive California Civil Code Section 1542, which says: “A general release does not extend to claims which the creditor does not know or suspect to exist in the creditor’s favor at the time of executing the release, which, if known by the creditor must have materially affected the creditor’s settlement with the debtor.”
Service, Fertility Test, and any applicable Product availability, price and time-related information appearing on the Services are subject to change. Kindbody is not responsible for any such changes and advises you to confirm all specific terms appearing on or through the Services before acting in reliance on such terms.
Third-party products and services represented on the Services are not necessarily endorsed or recommended by Kindbody and Kindbody disclaims all responsibility regarding the performance or the use of third-party products and services. Kindbody does not necessarily endorse or sanction the content, products or actions of websites that are linked to or from the Services.
THE SERVICES, FERTILITY TEST, ANY APPLICABLE PRODUCT, INFORMATION, REPORTS AND CONTENT ARE PROVIDED BY KINDBODY (AND ITS LICENSORS AND SUPPLIERS) ON AN “AS IS” BASIS AND WITHOUT WARRANTIES OF ANY KIND EITHER EXPRESS OR IMPLIED. TO THE FULLEST EXTENT PERMISSIBLE PURSUANT TO APPLICABLE LAW, KINDBODY (AND ITS LICENSORS AND SUPPLIERS) DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, IMPLIED WARRANTIES OF MERCHANTABILITY, NON-INFRINGEMENT OF THIRD PARTIES’ RIGHTS, AND FITNESS FOR A PARTICULAR PURPOSE. KINDBODY DOES NOT WARRANT THAT THE FUNCTIONS CONTAINED ON AND AVAILABLE THROUGH THE SERVICES, FERTILITY TEST OR ANY APPLICABLE PRODUCT WILL BE UNINTERRUPTED OR ERROR-FREE, THAT DEFECTS WILL BE CORRECTED, OR THAT THE SERVICES OR THE SERVER THAT MAKES THEM AVAILABLE ARE FREE OF VIRUSES OR OTHER HARMFUL COMPONENTS. KINDBODY DOES NOT WARRANT OR MAKE ANY REPRESENTATIONS REGARDING THE USE OR THE RESULTS OF THE USE OF THE SERVICES, FERTILITY TEST, ANY APPLICABLE PRODUCT, INFORMATION, REPORTS AND CONTENT IN TERMS OF THEIR CORRECTNESS, ACCURACY, RELIABILITY, OR OTHERWISE. APPLICABLE LAW MAY NOT ALLOW THE EXCLUSION OF IMPLIED WARRANTIES, SO THE ABOVE EXCLUSION MAY NOT APPLY TO YOU.
UNDER NO CIRCUMSTANCES, INCLUDING, BUT NOT LIMITED TO, NEGLIGENCE, SHALL KINDBODY BE LIABLE FOR ANY DAMAGES (INCLUDING, WITHOUT LIMITATION, SPECIAL OR CONSEQUENTIAL DAMAGES) THAT RESULT FROM THE USE OF, OR THE INABILITY TO USE, THE SERVICES, FERTILITY TEST, ANY APPLICABLE PRODUCT, INFORMATION, REPORTS AND CONTENT, EVEN IF KINDBODY OR A KINDBODY AUTHORIZED REPRESENTATIVE HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. APPLICABLE LAW MAY NOT ALLOW THE LIMITATION OR EXCLUSION OF LIABILITY OR INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THE ABOVE LIMITATION OR EXCLUSION MAY NOT APPLY TO YOU. IN NO EVENT SHALL KINDBODY’S TOTAL LIABILITY TO YOU FOR ALL DAMAGES, LOSSES, AND CAUSES OF ACTION (WHETHER IN CONTRACT, TORT (INCLUDING, BUT NOT LIMITED TO, NEGLIGENCE), OR OTHERWISE) EXCEED IN THE AGGREGATE, THE GREATER OF (I) ONE HUNDRED SIXTY DOLLARS ($160), OR (II) THE AMOUNT PAID BY YOU, IF ANY, FOR ACCESSING THE PRODUCT OR SERVICES IN THE TWELVE (12) MONTH PERIOD PRECEDING THIS APPLICABLE CLAIM.
WITHOUT LIMITING THE FOREGOING, YOU ACKNOWLEDGE THAT KINDBODY WILL HAVE NO LIABILITY IN CONNECTION WITH ANY INPUT ERRORS CAUSED BY ITS APPS’ SCANNING TECHNOLOGIES (I.E. IF DATA OR OTHER INFORMATION IS SCANNED WITH YOUR MOBILE DEVICE AND THEN INACCURATELY RECORDED INTO THE APP). IT IS YOUR RESPONSIBILITY TO REVIEW (‘DOUBLE-CHECK’) ALL SUCH SCANNED INPUTS – AND TO MANUALLY MAKE ANY NECESSARY CORRECTIONS.
September 21, 2020
|Company name||Kindbody Fertility, Inc. (“Kindbody”)|
|Brief description of transfer (Please indicate the scale and regularity of transfers in this regard)||Customer will transfer limited employee eligibility information of European-based employees to Kindbody|
|Data privacy role in regard to the data processing for us (e.g. data processor)||Kindbody acts as Data Processor|
|Current legal mechanism for the international transfer (e.g. Standard Contractual Clauses, Article 49 General Data Protection Regulation)||Standard Contractual Clauses|
|A. SYSTEMATIC DESCRIPTION OF THE DATA PROCESSING|
|Describe the nature, scope and context of the data processing|
|Kindbody processes the Customer employee eligibility file for the purpose of identifying the Customer employees who are eligible to access services through Kindbody.|
|Purposes of the data processing||1||Identifying Customer employees who are eligible to access services through Kindbody.|
|2||Providing location-specific services to employees based on the country where they are located|
|Functional/technical description of the data processing|
|Employee eligibility files are temporarily downloaded to an authorized individual’s MDM-enforced company-issued laptop (encrypted, timed lockout, remote wipeable) to be uploaded to the Kindbody application, and deleted from the device immediately after.|
|Categories of personal data being processed|
|Contact information (e.g., first name, last name, work email address), country of residence, and start date.|
|Number of datasets that are being processed||1, with periodic updates|
|The recipients of the personal data||Company entities|
|Kindbody Fertility Inc.|
|Files.com, Azure, Google Drive, Zendesk|
|Assets on which the personal data sits (e.g. hardware, software, networks, people, paper or paper transmission channels)|
|Personal data is stored in Files.com, Azure, Google Drive, and Zendesk.|
|B. REGULATORY FRAMEWORK|
|Factors relevant to the assessment||Analysis|
|Applicable regulatory regime||U.S. Law|
|Safeguard offered by local data privacy laws|
|None (regarding non-U.S. persons)|
|Risks posed by laws authorizing authorities to access or conduct surveillance on personal data for security or other reasons (including laws applicable to company’s cloud service or other communication providers)||Foreign Intelligence Surveillance Act, Sec. 702||Risk of surveillance mainly on U.S. soil.|
|Executive Order 12333 & Presidential Policy Directive 28||Risk of surveillance mainly during transit to/through the U.S.|
|[Applicable Law 3] (please indicate if other applicable laws pose any similar risks, e.g. applicable sector-specific laws)||Kindbody is not aware of any further laws applicable in this respect.|
|Access to judicial process to protect data subject rights|
|None (regarding non-U.S. persons); merely generalized judicial review of FISA surveillance decisions by the FISC|
|Role of regulators and supervisory authorities in protecting data|
|None (regarding non-U.S. persons)|
|Ability of individuals to raise complaints, appeal and enforce decisions|
|None (regarding non-U.S. persons)|
|C. REQUEST FOR INFORMATION|
|Factors relevant to the assessment||Analysis|
|Note: Please indicate if you are under a legal obligation not to answer one of the following questions.|
|Please indicate whether you qualify as an electronic communication service provider within the meaning of 50 USC § 1881(b)(4) (i.e. as a telecommunications carrier, provider of electronic communication service, provider of a remote computing service, any other communication service provider who has access to wire or electronic communications either as such communications are transmitted or as such communications are stored or an officer, employee, or agent of any such entity)||There is a risk, even though not probable, that Kindbody may qualify as an Electronic Communication Service Provider in the meaning of 50 USC § 1881 (b) (4) due to the services it currently provides to its end-customers or may provide in the future, in particular with respect to the function to get in touch with fertility experts as well as the provision of the Desktop & mobile app.|
|Please indicate whether you have been subject to additional government requests for customer data.|
|Please indicate whether you cooperate in any respect with US authorities conducting surveillance of communications under EO 12333, should this be mandatory or voluntary.||No, this has never been requested.|
|Please indicate whether you periodically issue transparency reports including information on data access requests in regard to the U.S.||No.|
|D. MITIGATING MEASURES|
|Please indicate whether you have implemented any safeguards to mitigate the risk associated with the data transfer (e.g. encryption).||Yes.|
|If applicable, describe these measures as precisely as possible.||Technical Measures: |
All connections to the Kindbody application are secured with SSL/TLS. This is enforced using HSTS. The signature algorithm of Kindbody’s backend TLS certificate is SHA-256 with RSA Encryption.
Kindbody leverages an encrypted SQL Server DB in Azure with all sensitive information leveraging column-level encryption following RFC 2898.
The entire database is encrypted in Azure leveraging Azure’s Transparent Data Encryption Strategy (https://docs.microsoft.com/en-us/azure/storage/common/storage-service-encryption). This is 256-bit AES encryption.
For sensitive information at the column level, Kindbody additionally uses a PBKDF2 strategy to encrypt within the application before writing to the DB (https://en.wikipedia.org/wiki/PBKDF2).
Access and access controls must abide by the following principles of Deny by Default, Need-To-Know, Least Privilege, and Unique User Identification. Access is revoked upon termination or change of job responsibilities.
Amendment of the SCC in the Terms of Data Processing in accordance with the latest guidance provided by the European Data Protection Board and the German Supervisory Authority for the Land Baden-Württemberg.
How to Contact Us:
KBI Services, Inc.
120 5th Ave, 5th floor
New York, NY 10011
Telephone: 1(855) KIND-BODY