Caremate Data Processing & Privacy Addendum
v1.0
This Data Processing & Privacy Addendum ("DPA") forms part of the Caremate Master Services Agreement ("Agreement") between Caremate Health Inc. ("Caremate") and the Customer. In the event of a conflict between this DPA and the Agreement, this DPA governs with respect to the processing of Personal Health Information.
1. Definitions
"Personal Health Information" or "PHI" means any information about an identifiable individual that relates to their health, healthcare history, or the provision of healthcare services, as defined under applicable provincial health privacy legislation.
"Processing" means any operation performed on PHI, including collection, use, storage, transmission, analysis, and deletion.
"Sub-Processor" means any third party engaged by Caremate to process PHI in connection with the delivery of the Service.
"Breach" means any unauthorized access to, use, disclosure, loss, or destruction of PHI.
2. Scope & Role
2.1 Applicability. This DPA applies wherever Caremate processes PHI on behalf of Customer in connection with the Service.
2.2 Role of the Parties. Customer is the Health Information Custodian (or equivalent) under applicable law and retains ownership and control of all PHI. Caremate acts as a data processor in the following capacity depending on the Customer's jurisdiction of operation:
2.3 Instructions. Caremate shall process PHI only on documented instructions from Customer, as set out in the Agreement and this DPA, unless otherwise required by law.
3. Purpose Limitation
3.1 Permitted Purposes. Caremate shall use PHI solely to provide the Service as described in the Agreement, including:
receiving and transcribing audio recordings of clinical interactions;
generating draft clinical notes and documentation;
storing Clinical Records during the active subscription term; and
providing reporting and analytics features to Customer.
3.2 Prohibition on Secondary Use. Caremate shall not use PHI for any purpose other than those listed in Section 3.1, including without limitation for marketing, advertising, or the development of products or services for third parties.
4. Caremate's Obligations
4.1 Confidentiality. Caremate shall ensure that all personnel authorized to process PHI are bound by confidentiality obligations no less protective than those in this DPA.
4.2 Data Minimization. Caremate shall collect and retain only the minimum PHI necessary to provide the Service.
4.3 Accuracy. Caremate shall maintain reasonable processes to support the accuracy and integrity of PHI while in its custody, and shall promptly action corrections communicated by Customer.
4.4 Retention & Deletion. Caremate shall retain and delete PHI in accordance with Section 3.4 of the Agreement. Upon termination, Caremate shall make PHI available for export during the Grace Period and shall thereafter delete PHI in accordance with Section 3.4(d) of the Agreement, unless otherwise required by law.
5. Sub-Processors
5.1 Authorized Sub-Processors. Customer authorizes Caremate to engage Sub-Processors to assist in delivering the Service. All Sub-Processors are bound by data protection obligations no less protective than this DPA.
5.2 Cross-Border Processing. Some Sub-Processors may process PHI in the United States. All such transfers are governed by binding contractual protections consistent with Canadian privacy law requirements. See Section 3.3 of the Agreement.
5.3 Change Notification. Caremate will provide reasonable notice of material changes to its Sub-Processor arrangements where such changes may affect the processing of PHI.
6. Security
6.1 Safeguards. Caremate shall implement and maintain administrative, technical, and physical safeguards appropriate to the sensitivity of PHI, including:
encryption of PHI at rest (AES-256) and in transit (TLS 1.2 or higher);
access controls limiting PHI access to authorized personnel on a need-to-know basis;
regular review of access privileges; and
confidentiality obligations for all personnel with access to production systems.
6.2 No Warranty. The safeguards described in Section 6.1 represent Caremate's current practices. Caremate does not warrant that its security measures will prevent all unauthorized access or Breaches.
7. Breach Notification
7.1 Initial Notice. In the event Caremate becomes aware of a confirmed or reasonably suspected Breach affecting Customer's PHI, Caremate shall notify Customer within seventy-two (72) hours of becoming aware. The initial notice shall include, to the extent then known:
a description of the nature of the Breach;
the categories and approximate volume of PHI affected;
the likely consequences of the Breach; and
the measures Caremate has taken or proposes to take in response.
7.2 Full Incident Report. Caremate shall provide Customer with a complete written incident report within thirty (30) days of the initial notice, or as soon as reasonably practicable, containing sufficient detail to enable Customer to meet its own breach reporting obligations under applicable law.
7.3 Cooperation. Caremate shall cooperate with Customer in investigating and remediating the Breach and shall not make any public disclosure regarding the Breach without Customer's prior written consent, except as required by law.
8. Individual Access Requests
8.1 Cooperation. If Caremate receives a request from an individual seeking access to, correction of, or deletion of their PHI, Caremate shall promptly forward the request to Customer. Customer, as Health Information Custodian, is responsible for responding to such requests.
8.2 Technical Assistance. Caremate shall provide reasonable technical assistance to Customer in fulfilling individual access or correction requests, at Customer's reasonable request.
9. Audit Rights
9.1 Compliance Verification. Customer may, no more than once per calendar year and upon reasonable written notice, request written confirmation that Caremate is complying with its obligations under this DPA. Caremate shall respond within thirty (30) days with documentation reasonably sufficient to demonstrate compliance, which may include written attestations, completed security questionnaires, or summaries of relevant internal controls.
9.2 Costs. Customer shall bear its own costs in connection with any audit or verification request.
10. Survival & Governing Law
10.1 Survival. The obligations in this DPA survive the termination or expiry of the Agreement for so long as Caremate retains any PHI.
10.2 Governing Law. This DPA is governed by the laws of the Province of Manitoba and the federal laws of Canada, consistent with Section 10.6 of the Agreement.
10.3 Conflict. In the event of a conflict between this DPA and the Agreement with respect to the processing of PHI, this DPA prevails.
For privacy inquiries, contact Caremate's Privacy Officer at: privacy@caremate.ai