Last updated: Nov 27, 2018
This Data Processing Addendum (“DPA”) is an agreement between GenoBank.io (“GenoBank.io,” “we,” “us,” or “our”) and you (“Customer,” “user” or “you”).
The parties agree that this DPA constitutes Customer’s documented instructions regarding GenoBank.io’s processing of Customer Data (“Documented Instructions”). GenoBank.io will process Customer Data only in accordance with the Documented Instructions. Additional instructions outside the scope of the Documented Instructions (if any) require prior written agreement between GenoBank.io and Customer, including agreement on any additional fees payable by Customer to GenoBank.io for carrying out such instructions. Customer is entitled to terminate this DPA and the Agreement if GenoBank.io declines to follow instructions requested by Customer that are outside the scope of, or changed from, those given or agreed to be given in this DPA.
GenoBank.io will not access or use, or disclose to any third party, any Customer Data, except, in each case, as necessary to maintain or provide the Services, or as necessary to comply with the law or a valid and binding order of a governmental body (such as a subpoena or court order). If a governmental body sends GenoBank.io a demand for Customer Data, GenoBank.io will attempt to redirect the governmental body to request that data directly from Customer. As part of this effort, GenoBank.io may provide Customer’s basic contact information to the governmental body. If compelled to disclose Customer Data to a governmental body, then GenoBank.io will give Customer reasonable notice of the demand to allow Customer to seek a protective order or other appropriate remedy, unless GenoBank.io is legally prohibited from doing so. If the Standard Contractual Clauses apply, nothing in this Section 3 varies or modifies the Standard Contractual Clauses.
GenoBank.io restricts its personnel from processing Customer Data without authorization by GenoBank.io as described in the GenoBank.io Security Standards. GenoBank.io imposes appropriate contractual obligations upon its personnel, including relevant obligations regarding confidentiality, data protection and data security.
(i) An unsuccessful Security Incident is one that results in no unauthorized access to Customer Data or to any of GenoBank.io’s equipment or facilities storing Customer Data, and may include, without limitation, pings and other broadcast attacks on firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks, packet sniffing (or other unauthorized access to traffic data that does not result in access beyond headers) or similar incidents; and GenoBank.io’s obligation to report or respond to a Security Incident is not and will not be construed as an acknowledgement by GenoBank.io of any fault or liability of GenoBank.io with respect to the Security Incident.
GenoBank.io ISO – Certification and SOC Reports. In addition to the information contained in this DPA, upon Customer’s request, and provided that the parties have an applicable NDA in place, GenoBank.io will make available the following documents and information: the System and Organization Controls (SOC) 1 Report, the System and Organization Controls (SOC) 2 Report and the System and Organization Controls (SOC) 3 Report (or the reports or other documentation describing the controls implemented by GenoBank.io that replace or are substantially equivalent to the SOC 1, SOC 2 and SOC 3).
This DPA shall continue in force until the termination of the Agreement (the “Termination Date”).
The Services provide Customer with controls that Customer may use to retrieve or delete Customer Data as described in the Documentation. Up to the Termination Date, Customer will continue to have the ability to retrieve or delete Customer Data in accordance with this Section. For 90 days following the Termination Date, Customer may retrieve or delete any remaining Customer Data from the Services, subject to the terms and conditions set out in the Agreement, unless doing so is prohibited by law or the order of a governmental or regulatory body, or could subject GenoBank.io or its Affiliates to liability. No later than the end of this 90-day period, Customer will close all GenoBank.io accounts. GenoBank.io will delete Customer Data when requested by Customer through the Service controls provided for this purpose by GenoBank.io.
Except as amended by this DPA, the Agreement will remain in full force and effect. If there is a conflict between this DPA and any other agreement between the parties, including the Agreement, the terms of this DPA will control.
Unless otherwise defined in the Agreement, all capitalized terms used in this DPA will have the meanings given to them below:
“GenoBank.io Network” means GenoBank.io’s data center facilities, servers, networking equipment, and host software systems (e.g., virtual firewalls) that are within GenoBank.io’s control and are used to provide the Services.
“GenoBank.io Security Standards” means the security standards attached to the Agreement, or if none are attached to the Agreement, attached to this DPA as Annex 1.
“Customer” means you or the entity you represent.
“Customer Data” means the “personal data” (as defined in the GDPR) that is uploaded to the Services under Customer’s GenoBank.io accounts.
“EEA” means the European Economic Area.
“GDPR” means Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
“processing” has the meaning given to it in the GDPR and “process”, “processes” and “processed” will be interpreted accordingly.
“Security Incident” means a breach of GenoBank.io’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Data.
“Standard Contractual Clauses” means Annex 2, attached to and forming part of this DPA pursuant to the European Commission Decision of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC.