Data Processing Agreement
Last Updated: March 12, 2024
This Data Processing Agreement (“DPA”) is subject to and forms part of the Sales Service Agreement (the “Service Agreement”) and governs Flex Technology Co. (“Flex”) and its affiliates’ processing of Personal Data (as defined below). Capitalized terms not defined in Section 1 shall have the meaning ascribed to them in the Service Agreement.
DEFINITIONS
1.1 Capitalized terms used but not defined within this DPA will have the meaning set forth in the Service Agreement. The following capitalized terms used in this DPA will be defined as follows:
“Applicable Data Protection Laws” means all applicable US Data Protection Laws, as they may be amended or otherwise updated from time to time.
“CCPA” means the California Consumer Privacy Act.
“Controller” means the entity which, alone or jointly with others, determines the purposes and means of Processing Personal Data, which may include, as applicable, a “Business” as defined under the CCPA.
“Covered Data” means Personal Data that is: (a) provided by or on behalf of the Customer to Flex in connection with the Services; or (b) obtained, developed, produced or otherwise Processed by Flex, or its agents or subcontractors, for purposes of providing the Services. “Covered Data” does not include Personal Data collected or Processed by any licensed healthcare or telehealth provider or any Letter of Medical Necessity issued thereby.
“Customer” or “you” has the same meaning as the term “Customer” under the Service Agreement.
“Data Subject” means a natural person whose Personal Data is Processed.
“Deidentified Data” means data created using Covered Data that cannot reasonably be linked to such Covered Data, directly or indirectly.
“Letter of Medical Necessity” means a formal document provided by a licensed healthcare provider that explains why a specific treatment, product, piece of medical equipment, medication, or medical service is essential for a Data Subject’s health and well-being.
“Personal Data” means any data or information that: (a) is linked or reasonably linkable to an identified or identifiable natural person; or (b) is otherwise “personal data,” “personal information,” “personally identifiable information,” or similarly defined data or information under Applicable Data Protection Laws.
“Processor” means the entity which is Processing data on behalf of Customer, as Controller.
"Processing" means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means. “Process”, “Processes” and “Processed” will be interpreted accordingly.
"Security Incident" means a confirmed or reasonably suspected breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to (including unauthorized internal access to), Covered Data.
“Sensitive Data” means certain Personal Data that is treated as a special category under US Data Protection Laws and includes “sensitive personal information” as defined under the CCPA.
"Services" means the services to be provided by Flex pursuant to the Service Agreement.
"Sub-processor" means an entity appointed by Flex to Process Covered Data on its behalf.
“US Data Protection Laws” means, to the extent applicable, federal and state laws, rules, regulations, and governmental requirements relating to data protection, the Processing of Personal Data, privacy and/or data protection in force from time to time in the United States.
INTERACTION WITH THE AGREEMENT
2.1 This DPA is incorporated into and forms an integral part of the Service Agreement. This DPA supplements and (in case of contradictions) supersedes the Service Agreement with respect to any Processing of Covered Data.
2.2 Details of the Data Processing:
Subject Matter and the Nature of the Processing: The subject matter and the nature of the Processing is to provide the Services under the Service Agreement.
Categories of Data Subjects that Flex may Process. Flex may Process the Personal Data of Customer, representatives of Customer, and any natural person that uses or accesses Flex’s website or Services, including any natural person that accesses or uses a Flex account or the Flex Platform.
Categories of Personal Data that Flex may Process. Flex may Process contact information about Customer (such as name, business address, email address, job title, and phone number) or Customer’s subscribers or clients; account information (including payment account information, profile information and payment and purchase history); payment and transaction information; inquiry, feedback, or communications or other data provided to the Services; and device information, including IP address.
Categories of Sensitive Data: If necessary to provide Services, Flex may collect Sensitive Data (e.g., information concerning an individual’s health).
Purpose of the Processing. When Flex acts as Customer’s Processor, Flex’s purposes for Processing Personal Data are to provide the Services, including the Flex Platform. When providing the Services, Flex’s may also Process Personal Data to:
- Build, analyze, or improve the quality of the Services;
- Comply with applicable laws, court orders, or subpoenas;
- Cooperate with law enforcement in connection with any civil, criminal, or regulatory inquiry, investigation, subpoena, or summons;
- implement, maintain and improve internal processes that enable Flex to provide its products and services, including Customer account management, invoicing, and relationship management; and
- monitor or investigate fraud or other security incidents.Frequency and Duration of the Processing. Flex will Process Personal Data throughout the term of the Service Agreement and any period thereafter as required to meet Flex’s obligations and comply with applicable laws.
Access Restrictions/Data Security. Flex maintains a written information security program that takes into account the nature of the data and the security of the risks involved and restricts access to Covered Data to only those who need access to perform their duties. Flex will implement and maintain appropriate technical and organizational data protection and security measures designed to ensure security of Covered Data, including, without limitation, protection against unauthorized or unlawful Processing and against accidental loss, destruction, or damage of or to it. When assessing the appropriate level of security, account will be taken in particular of the nature, scope, context and purpose of the Processing as well as the risks that are presented by the Processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Covered Data. A list of security controls and policies Flex will implement is set forth in Schedule 1 of this DPA.
ROLE OF THE PARTIES
The Parties acknowledge and agree that for the purposes of the US Data Protection Laws, Flex will act as a "service provider" or “processor” (as defined in US Data Protection Laws), as applicable, in its performance of its obligations pursuant to the Service Agreement and this DPA. At all times Flex will Process Personal Data in compliance with Applicable Data Protection Laws.
FLEX OBLIGATIONS WHEN ACTING AS PROCESSOR
4.1 Flex will only Process Covered Data on behalf of and under the instructions of Customer and in accordance with Applicable Data Protection Laws. The Service Agreement and this DPA will generally constitute instructions for the Processing of Covered Data. Customer may issue further written instructions in accordance with this DPA. Flex will inform you if, in its opinion, any written instructions violate Applicable Data Protection Laws. Without limiting the foregoing, Flex will not:
sell Covered Data or otherwise making Covered Data available to any third party for monetary or other valuable consideration;
share Covered Data with any third party for cross-context behavioural advertising;
retain, use, or disclose Covered Data for any purpose other than for the business purposes specified in the Service Agreement or as otherwise permitted by Applicable Data Protection Laws;
retain, use, or disclose Covered Data outside of the direct business relationship between the Parties; and
except as otherwise permitted by Applicable Data Protection Laws, combine Covered Data with Personal Data that Flex receives from or on behalf of another person or persons, or collects from its own interaction with the Data Subject, except to provide the Services.
4.2 Flex will limit access to Covered Data to personnel who have a business need to have access to such Covered Data and will ensure that such personnel are subject to obligations at least as protective of the Covered Data as the terms of this DPA and the Service Agreement.
4.3 Flex may Process Covered Data anywhere that Flex or its Sub-processors maintain facilities, subject to Section 5 of this DPA.
4.4 To the extent required by Applicable Data Protection Laws and taking into account the nature of the Processing and the Covered Data available to Flex, Flex will provide reasonable assistance to Customer, following Customer’s written request, to enable Controller to conduct and document any data protection assessments required under Applicable Data Protection Laws. If Customer requires assistance that, in Flex’s reasonable judgment, goes beyond Flex’s obligation to provide assistance under Applicable Data Protection Laws or this DPA, then Flex may charge Customer reasonable fees. In addition, Flex will notify Customer promptly if Flex determines that it can no longer meet its obligations under Applicable Data Protection Laws.
4.5 To the extent required by Applicable Data Protection Laws and taking into account the nature of the Processing and the Covered Data available to Flex, Flex will, following Customer’s written request, contribute to audits or inspections by making audit reports available to Customer. Following this request, and no more frequently than once annually, Flex will provide documentation reasonably evidencing the implementation of the technical and organizational data security measures in accordance with industry standards or complete a written data security questionnaire of reasonable scope and duration regarding Flex’s Processing of Personal Data. Notwithstanding the foregoing, Flex may, in its discretion, provide data protection compliance certifications issued by a commonly accepted certification issuer which has been audited by a data security expert, or by a publicly certified auditing company. If the requested audit scope is addressed in such a certification produced by a qualified third-party auditor within twelve (12) months of Customer’s audit request and Flex confirms there are no known material changes in the controls audited, Customer agrees to accept those findings in lieu of requesting an audit of the controls covered by the report. All reports and documentation provided, including any response to a security questionnaire, are Flex’s confidential information; and
4.6 Controller will have the right to take reasonable and appropriate steps to ensure that Flex uses Covered Data in a manner consistent with Controller’s obligations under Applicable Data Protection Laws.
CUSTOMER OBLIGATIONS
5.1 Customer must only provide lawful instructions to Flex.
5.2 Customer must comply with its obligations under Applicable Data Protection Laws, including observing the rights of the Data Subject, protecting the security and confidentiality of Personal Data, and ensuring there is a proper legal basis for Processing Personal Data.
5.3 Customer must provide Customers with all required privacy notices and obtain all necessary consents or authorizations for collecting or Processing Personal Data.
SUB-PROCESSORS
6.1 Customer grants Flex the general authorisation to engage Sub-processors, subject to Section 6.2, as well as Flex’s current Sub-processors listed in Schedule 2 as of the Effective Date (as defined in the Service Agreement).
6.2 Flex will enter into a written agreement with each Sub-processor imposing data protection obligations that, in substance, are no less protective of Covered Data than Flex’s obligations under this DPA. Flex will audit its Sub-processors on a regular basis and will, upon Customer’s request, confirm their compliance with Applicable Data Protection Laws and the Sub-processors’ contractual obligations.
6.3 Flex will provide Customer with at least fifteen (15) days’ notice of any proposed changes to the Sub-processors it uses to Process Covered Data. Customer may object to Flex’s use of a new Sub-processor by providing Flex with written notice of the objection within ten (10) days after Flex has provided notice to Customer of such proposed change (an "Objection"). If Customer does not object to the engagement within the Objection period, consent regarding the engagement will be assumed. Customer may reasonably object to a change within 30 days after receiving notice for legitimate reasons. However, certain Sub-processors are essential to enabling Flex to provide the Services and if Customer’s object to Flex’s use of a Sub-processor after good faith attempts to negotiate a favourable or alternative arrangement, then, Flex will not be obligated to provide you the Services for which Flex requires the use of that Sub-processor. Notwithstanding the foregoing and subject to Section 6.2, Customer authorizes Flex to use any payment processor as a permitted Sub-processor, including without limitation Stripe, Inc.
DATA SUBJECT RIGHTS REQUESTS
7.1 As between the Parties, Customer will have sole discretion and responsibility in responding to the rights asserted by any individual in relation to Covered Data under Applicable Data Protection Laws (each, a "Data Subject Request").
7.2 Flex will promptly forward to Customer without undue delay any Data Subject Request received by Flex or any Sub-processor and may advise the individual to submit their request directly to Customer.
7.3 To the extent required by Applicable Data Protection Laws, Flex will provide Customer with reasonable assistance as necessary for Customer to fulfil its obligation under Applicable Data Protection Laws to respond to Data Subject Requests, including if applicable, Customer’s obligation to respond to requests for exercising the rights set out in Applicable Data Protection Laws.
7.4 To the extent required by Applicable Data Protection Laws, Flex will audit its Sub-processors on a regular basis and will, upon Customer’s request, confirm their compliance with Applicable Data Protection Laws and the Sub-processors’ contractual obligations.
7.5 Notwithstanding anything to the contrary in the Service Agreement and this DPA, Flex will not be liable for any claim made by a Data Subject arising from or related to Flex’s or any of its employees’, directors’, representatives’, agents’, or affiliates’ acts or omissions, to the extent that Flex was acting in accordance with Customer’s instructions.
SECURITY INCIDENTS
Flex will notify Customer in writing without undue delay after becoming aware of any Security Incident, and reasonably cooperate in any obligation of Customer under Applicable Data Protection Laws to make any notifications, such as to individuals or supervisory authorities. Flex will take reasonable steps to contain, investigate, and mitigate any Security Incident, and will send Customer timely information about the Security Incident, including, but not limited to, the nature of the Security Incident, the measures taken to mitigate or contain the Security Incident, and the status of the investigation. Flex’s notification of or response to a Security Incident under this Section 8 will not be construed as an acknowledgement by Flex of any fault or liability with respect to the Security Incident.
Flex will provide reasonable assistance with Customer's investigation of the possible Security Incident and any notification obligation of Customer under Applicable Data Protection Laws, such as in relation to individuals or government authorities.
DElETION AND RETURN
Flex will, within thirty (30) days of the date of termination or expiry of the Service Agreement, (a) if requested to do so by Customer within that period, return a copy of all Covered Data or provide a self-service functionality allowing Customer to do the same; and (b) delete all other copies of Covered Data Processed by Flex or any Sub-processors, in each case unless Flex is required by applicable law to retain such Covered Data, in which case Flex shall only Process such Covered Data as required by applicable law.
DEIDENTIFIED DATA
If Flex receives Deidentified Data from or on behalf of Customer, then Flex will:
take reasonable measures to ensure the information cannot be associated with a Data Subject.
publicly commit to Process the Deidentified Data solely in deidentified form and not to attempt to reidentify the information.
contractually obligate any recipients of the Deidentified Data to comply with the foregoing requirements and Applicable Data Protection Laws.
Schedule 1
TECHNICAL AND ORGANIZATIONAL MEASURES
Information Security Program and Policies
Flex maintains a written information security program that describes how Flex protects the availability, integrity, and confidentiality of information and information systems, including the security controls used to safeguards the same. The security program includes documented security policies that reviewed and approved annually; appointed staff responsible for the development, implementation, and maintenance of Flex’s information security program; policies covering, as applicable, access control, classification, encryption, portable media, and multifactor authentication; periodic risk reviews and reviews of key controls, systems and procedures.
Risk and Asset Management
Flex performs audit and risk assessment procedures for the purposes of periodic review and assessment of risks to Flex’s organization, monitoring and maintaining compliance with Flex’s policies and procedures, and reporting the condition of its information security and compliance to internal senior management.
Access Control
All Flex personnel are only granted access to information if required to perform their duties and all personnel must acknowledge their data security and privacy responsibilities. Flex regularly conducts access reviews, terminates employee access promptly upon departure, and conducts background checks and screening.
Flex’s access policies require personnel to authenticate using appropriate authentication credentials such as strong passwords and enforces multi-factor authentication for any remote or network access to Flex’s information systems.
Training and Awareness
Flex requires its personnel complete an annual cybersecurity and privacy training and conducts periodic social engineering exercises to ensure resiliency.
Network Security
Flex implements network security controls, restricting access to its network to only authorized users. Flex routinely logs and monitors user activity on its network and segments its network based on data classifications.
Security Controls
Flex uses commercially available and industry standard encryption technologies for Covered Data that is: (a) being transmitted by Flex over public networks (i.e., the Internet) or when transmitted wirelessly; or (b) at rest or stored on portable or removable media.
Flex also implements other logical access controls designed to manage electronic access to data and system functionality based on authority levels and job functions.
Flex enforces password controls designed to manage and control password strength, expiration and usage including prohibiting users from sharing passwords and requiring that Flex’s passwords that are assigned to its personnel: (i) be at least ten (10) characters in length, (ii) not be stored in readable format on Flex’s systems; (iii) must have defined complexity; (iv) must have a history threshold to prevent reuse of recent passwords; and (v) newly issued passwords must be changed after first use.
Flex regularly audits system logs and conducts event logging and related monitoring procedures to proactively record user access and system activity for routine review.
Resiliency
Flex implements and maintains a business continuity and disaster recovery plan and maintains robust measures to ensure that the integrity and availability of Personal Data is preserved in the event of a physical or technical incident, including: database backup procedures, hardware redundancy, and regularly tested site recovery plans.
Operations Management
Flex maintains operational procedures and controls to provide for configuration, monitoring and maintenance of technology and information systems according to prescribed internal and adopted industry standards, including secure disposal of systems and media to render all information or data contained therein as undecipherable or unrecoverable prior to final disposal or release from Flex’s possession.
Flex also maintains change management procedures and tracking mechanisms designed to test, approve, and monitor all changes to Flex’s technology and information assets.
Vulnerability Management; Incident Response and Notification
Flex maintains a vulnerability management program and regularly scans for, and patches identified vulnerability based on severity.
Flex maintains and regularly tests its written incident response plan, which incorporates notification requirements to Customers and governmental authorities as required under Applicable Data Protection Laws and this DPA.
Data Retention and Deletion
Flex implements and maintains data retention policies and procedures related to Personal Data and reviews these policies and procedures as appropriate.
Schedule 2
SUB-PROCESSORS
Customer to do the same; and (b) delete all other copies of Covered Data Processed by Flex or any Sub-processors, in each case unless Flex is required by applicable law to retain such Covered Data, in which case Flex shall only Process such Covered Data as required by applicable law.
Data Processing Agreement
Last Updated: March 12, 2024
This Data Processing Agreement (“DPA”) is subject to and forms part of the Sales Service Agreement (the “Service Agreement”) and governs Flex Technology Co. (“Flex”) and its affiliates’ processing of Personal Data (as defined below). Capitalized terms not defined in Section 1 shall have the meaning ascribed to them in the Service Agreement.
DEFINITIONS
1.1 Capitalized terms used but not defined within this DPA will have the meaning set forth in the Service Agreement. The following capitalized terms used in this DPA will be defined as follows:
“Applicable Data Protection Laws” means all applicable US Data Protection Laws, as they may be amended or otherwise updated from time to time.
“CCPA” means the California Consumer Privacy Act.
“Controller” means the entity which, alone or jointly with others, determines the purposes and means of Processing Personal Data, which may include, as applicable, a “Business” as defined under the CCPA.
“Covered Data” means Personal Data that is: (a) provided by or on behalf of the Customer to Flex in connection with the Services; or (b) obtained, developed, produced or otherwise Processed by Flex, or its agents or subcontractors, for purposes of providing the Services. “Covered Data” does not include Personal Data collected or Processed by any licensed healthcare or telehealth provider or any Letter of Medical Necessity issued thereby.
“Customer” or “you” has the same meaning as the term “Customer” under the Service Agreement.
“Data Subject” means a natural person whose Personal Data is Processed.
“Deidentified Data” means data created using Covered Data that cannot reasonably be linked to such Covered Data, directly or indirectly.
“Letter of Medical Necessity” means a formal document provided by a licensed healthcare provider that explains why a specific treatment, product, piece of medical equipment, medication, or medical service is essential for a Data Subject’s health and well-being.
“Personal Data” means any data or information that: (a) is linked or reasonably linkable to an identified or identifiable natural person; or (b) is otherwise “personal data,” “personal information,” “personally identifiable information,” or similarly defined data or information under Applicable Data Protection Laws.
“Processor” means the entity which is Processing data on behalf of Customer, as Controller.
"Processing" means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means. “Process”, “Processes” and “Processed” will be interpreted accordingly.
"Security Incident" means a confirmed or reasonably suspected breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to (including unauthorized internal access to), Covered Data.
“Sensitive Data” means certain Personal Data that is treated as a special category under US Data Protection Laws and includes “sensitive personal information” as defined under the CCPA.
"Services" means the services to be provided by Flex pursuant to the Service Agreement.
"Sub-processor" means an entity appointed by Flex to Process Covered Data on its behalf.
“US Data Protection Laws” means, to the extent applicable, federal and state laws, rules, regulations, and governmental requirements relating to data protection, the Processing of Personal Data, privacy and/or data protection in force from time to time in the United States.
INTERACTION WITH THE AGREEMENT
2.1 This DPA is incorporated into and forms an integral part of the Service Agreement. This DPA supplements and (in case of contradictions) supersedes the Service Agreement with respect to any Processing of Covered Data.
2.2 Details of the Data Processing:
Subject Matter and the Nature of the Processing: The subject matter and the nature of the Processing is to provide the Services under the Service Agreement.
Categories of Data Subjects that Flex may Process. Flex may Process the Personal Data of Customer, representatives of Customer, and any natural person that uses or accesses Flex’s website or Services, including any natural person that accesses or uses a Flex account or the Flex Platform.
Categories of Personal Data that Flex may Process. Flex may Process contact information about Customer (such as name, business address, email address, job title, and phone number) or Customer’s subscribers or clients; account information (including payment account information, profile information and payment and purchase history); payment and transaction information; inquiry, feedback, or communications or other data provided to the Services; and device information, including IP address.
Categories of Sensitive Data: If necessary to provide Services, Flex may collect Sensitive Data (e.g., information concerning an individual’s health).
Purpose of the Processing. When Flex acts as Customer’s Processor, Flex’s purposes for Processing Personal Data are to provide the Services, including the Flex Platform. When providing the Services, Flex’s may also Process Personal Data to:
- Build, analyze, or improve the quality of the Services;
- Comply with applicable laws, court orders, or subpoenas;
- Cooperate with law enforcement in connection with any civil, criminal, or regulatory inquiry, investigation, subpoena, or summons;
- implement, maintain and improve internal processes that enable Flex to provide its products and services, including Customer account management, invoicing, and relationship management; and
- monitor or investigate fraud or other security incidents.Frequency and Duration of the Processing. Flex will Process Personal Data throughout the term of the Service Agreement and any period thereafter as required to meet Flex’s obligations and comply with applicable laws.
Access Restrictions/Data Security. Flex maintains a written information security program that takes into account the nature of the data and the security of the risks involved and restricts access to Covered Data to only those who need access to perform their duties. Flex will implement and maintain appropriate technical and organizational data protection and security measures designed to ensure security of Covered Data, including, without limitation, protection against unauthorized or unlawful Processing and against accidental loss, destruction, or damage of or to it. When assessing the appropriate level of security, account will be taken in particular of the nature, scope, context and purpose of the Processing as well as the risks that are presented by the Processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Covered Data. A list of security controls and policies Flex will implement is set forth in Schedule 1 of this DPA.
ROLE OF THE PARTIES
The Parties acknowledge and agree that for the purposes of the US Data Protection Laws, Flex will act as a "service provider" or “processor” (as defined in US Data Protection Laws), as applicable, in its performance of its obligations pursuant to the Service Agreement and this DPA. At all times Flex will Process Personal Data in compliance with Applicable Data Protection Laws.
FLEX OBLIGATIONS WHEN ACTING AS PROCESSOR
4.1 Flex will only Process Covered Data on behalf of and under the instructions of Customer and in accordance with Applicable Data Protection Laws. The Service Agreement and this DPA will generally constitute instructions for the Processing of Covered Data. Customer may issue further written instructions in accordance with this DPA. Flex will inform you if, in its opinion, any written instructions violate Applicable Data Protection Laws. Without limiting the foregoing, Flex will not:
sell Covered Data or otherwise making Covered Data available to any third party for monetary or other valuable consideration;
share Covered Data with any third party for cross-context behavioural advertising;
retain, use, or disclose Covered Data for any purpose other than for the business purposes specified in the Service Agreement or as otherwise permitted by Applicable Data Protection Laws;
retain, use, or disclose Covered Data outside of the direct business relationship between the Parties; and
except as otherwise permitted by Applicable Data Protection Laws, combine Covered Data with Personal Data that Flex receives from or on behalf of another person or persons, or collects from its own interaction with the Data Subject, except to provide the Services.
4.2 Flex will limit access to Covered Data to personnel who have a business need to have access to such Covered Data and will ensure that such personnel are subject to obligations at least as protective of the Covered Data as the terms of this DPA and the Service Agreement.
4.3 Flex may Process Covered Data anywhere that Flex or its Sub-processors maintain facilities, subject to Section 5 of this DPA.
4.4 To the extent required by Applicable Data Protection Laws and taking into account the nature of the Processing and the Covered Data available to Flex, Flex will provide reasonable assistance to Customer, following Customer’s written request, to enable Controller to conduct and document any data protection assessments required under Applicable Data Protection Laws. If Customer requires assistance that, in Flex’s reasonable judgment, goes beyond Flex’s obligation to provide assistance under Applicable Data Protection Laws or this DPA, then Flex may charge Customer reasonable fees. In addition, Flex will notify Customer promptly if Flex determines that it can no longer meet its obligations under Applicable Data Protection Laws.
4.5 To the extent required by Applicable Data Protection Laws and taking into account the nature of the Processing and the Covered Data available to Flex, Flex will, following Customer’s written request, contribute to audits or inspections by making audit reports available to Customer. Following this request, and no more frequently than once annually, Flex will provide documentation reasonably evidencing the implementation of the technical and organizational data security measures in accordance with industry standards or complete a written data security questionnaire of reasonable scope and duration regarding Flex’s Processing of Personal Data. Notwithstanding the foregoing, Flex may, in its discretion, provide data protection compliance certifications issued by a commonly accepted certification issuer which has been audited by a data security expert, or by a publicly certified auditing company. If the requested audit scope is addressed in such a certification produced by a qualified third-party auditor within twelve (12) months of Customer’s audit request and Flex confirms there are no known material changes in the controls audited, Customer agrees to accept those findings in lieu of requesting an audit of the controls covered by the report. All reports and documentation provided, including any response to a security questionnaire, are Flex’s confidential information; and
4.6 Controller will have the right to take reasonable and appropriate steps to ensure that Flex uses Covered Data in a manner consistent with Controller’s obligations under Applicable Data Protection Laws.
CUSTOMER OBLIGATIONS
5.1 Customer must only provide lawful instructions to Flex.
5.2 Customer must comply with its obligations under Applicable Data Protection Laws, including observing the rights of the Data Subject, protecting the security and confidentiality of Personal Data, and ensuring there is a proper legal basis for Processing Personal Data.
5.3 Customer must provide Customers with all required privacy notices and obtain all necessary consents or authorizations for collecting or Processing Personal Data.
SUB-PROCESSORS
6.1 Customer grants Flex the general authorisation to engage Sub-processors, subject to Section 6.2, as well as Flex’s current Sub-processors listed in Schedule 2 as of the Effective Date (as defined in the Service Agreement).
6.2 Flex will enter into a written agreement with each Sub-processor imposing data protection obligations that, in substance, are no less protective of Covered Data than Flex’s obligations under this DPA. Flex will audit its Sub-processors on a regular basis and will, upon Customer’s request, confirm their compliance with Applicable Data Protection Laws and the Sub-processors’ contractual obligations.
6.3 Flex will provide Customer with at least fifteen (15) days’ notice of any proposed changes to the Sub-processors it uses to Process Covered Data. Customer may object to Flex’s use of a new Sub-processor by providing Flex with written notice of the objection within ten (10) days after Flex has provided notice to Customer of such proposed change (an "Objection"). If Customer does not object to the engagement within the Objection period, consent regarding the engagement will be assumed. Customer may reasonably object to a change within 30 days after receiving notice for legitimate reasons. However, certain Sub-processors are essential to enabling Flex to provide the Services and if Customer’s object to Flex’s use of a Sub-processor after good faith attempts to negotiate a favourable or alternative arrangement, then, Flex will not be obligated to provide you the Services for which Flex requires the use of that Sub-processor. Notwithstanding the foregoing and subject to Section 6.2, Customer authorizes Flex to use any payment processor as a permitted Sub-processor, including without limitation Stripe, Inc.
DATA SUBJECT RIGHTS REQUESTS
7.1 As between the Parties, Customer will have sole discretion and responsibility in responding to the rights asserted by any individual in relation to Covered Data under Applicable Data Protection Laws (each, a "Data Subject Request").
7.2 Flex will promptly forward to Customer without undue delay any Data Subject Request received by Flex or any Sub-processor and may advise the individual to submit their request directly to Customer.
7.3 To the extent required by Applicable Data Protection Laws, Flex will provide Customer with reasonable assistance as necessary for Customer to fulfil its obligation under Applicable Data Protection Laws to respond to Data Subject Requests, including if applicable, Customer’s obligation to respond to requests for exercising the rights set out in Applicable Data Protection Laws.
7.4 To the extent required by Applicable Data Protection Laws, Flex will audit its Sub-processors on a regular basis and will, upon Customer’s request, confirm their compliance with Applicable Data Protection Laws and the Sub-processors’ contractual obligations.
7.5 Notwithstanding anything to the contrary in the Service Agreement and this DPA, Flex will not be liable for any claim made by a Data Subject arising from or related to Flex’s or any of its employees’, directors’, representatives’, agents’, or affiliates’ acts or omissions, to the extent that Flex was acting in accordance with Customer’s instructions.
SECURITY INCIDENTS
Flex will notify Customer in writing without undue delay after becoming aware of any Security Incident, and reasonably cooperate in any obligation of Customer under Applicable Data Protection Laws to make any notifications, such as to individuals or supervisory authorities. Flex will take reasonable steps to contain, investigate, and mitigate any Security Incident, and will send Customer timely information about the Security Incident, including, but not limited to, the nature of the Security Incident, the measures taken to mitigate or contain the Security Incident, and the status of the investigation. Flex’s notification of or response to a Security Incident under this Section 8 will not be construed as an acknowledgement by Flex of any fault or liability with respect to the Security Incident.
Flex will provide reasonable assistance with Customer's investigation of the possible Security Incident and any notification obligation of Customer under Applicable Data Protection Laws, such as in relation to individuals or government authorities.
DElETION AND RETURN
Flex will, within thirty (30) days of the date of termination or expiry of the Service Agreement, (a) if requested to do so by Customer within that period, return a copy of all Covered Data or provide a self-service functionality allowing Customer to do the same; and (b) delete all other copies of Covered Data Processed by Flex or any Sub-processors, in each case unless Flex is required by applicable law to retain such Covered Data, in which case Flex shall only Process such Covered Data as required by applicable law.
DEIDENTIFIED DATA
If Flex receives Deidentified Data from or on behalf of Customer, then Flex will:
take reasonable measures to ensure the information cannot be associated with a Data Subject.
publicly commit to Process the Deidentified Data solely in deidentified form and not to attempt to reidentify the information.
contractually obligate any recipients of the Deidentified Data to comply with the foregoing requirements and Applicable Data Protection Laws.
Schedule 1
TECHNICAL AND ORGANIZATIONAL MEASURES
Information Security Program and Policies
Flex maintains a written information security program that describes how Flex protects the availability, integrity, and confidentiality of information and information systems, including the security controls used to safeguards the same. The security program includes documented security policies that reviewed and approved annually; appointed staff responsible for the development, implementation, and maintenance of Flex’s information security program; policies covering, as applicable, access control, classification, encryption, portable media, and multifactor authentication; periodic risk reviews and reviews of key controls, systems and procedures.
Risk and Asset Management
Flex performs audit and risk assessment procedures for the purposes of periodic review and assessment of risks to Flex’s organization, monitoring and maintaining compliance with Flex’s policies and procedures, and reporting the condition of its information security and compliance to internal senior management.
Access Control
All Flex personnel are only granted access to information if required to perform their duties and all personnel must acknowledge their data security and privacy responsibilities. Flex regularly conducts access reviews, terminates employee access promptly upon departure, and conducts background checks and screening.
Flex’s access policies require personnel to authenticate using appropriate authentication credentials such as strong passwords and enforces multi-factor authentication for any remote or network access to Flex’s information systems.
Training and Awareness
Flex requires its personnel complete an annual cybersecurity and privacy training and conducts periodic social engineering exercises to ensure resiliency.
Network Security
Flex implements network security controls, restricting access to its network to only authorized users. Flex routinely logs and monitors user activity on its network and segments its network based on data classifications.
Security Controls
Flex uses commercially available and industry standard encryption technologies for Covered Data that is: (a) being transmitted by Flex over public networks (i.e., the Internet) or when transmitted wirelessly; or (b) at rest or stored on portable or removable media.
Flex also implements other logical access controls designed to manage electronic access to data and system functionality based on authority levels and job functions.
Flex enforces password controls designed to manage and control password strength, expiration and usage including prohibiting users from sharing passwords and requiring that Flex’s passwords that are assigned to its personnel: (i) be at least ten (10) characters in length, (ii) not be stored in readable format on Flex’s systems; (iii) must have defined complexity; (iv) must have a history threshold to prevent reuse of recent passwords; and (v) newly issued passwords must be changed after first use.
Flex regularly audits system logs and conducts event logging and related monitoring procedures to proactively record user access and system activity for routine review.
Resiliency
Flex implements and maintains a business continuity and disaster recovery plan and maintains robust measures to ensure that the integrity and availability of Personal Data is preserved in the event of a physical or technical incident, including: database backup procedures, hardware redundancy, and regularly tested site recovery plans.
Operations Management
Flex maintains operational procedures and controls to provide for configuration, monitoring and maintenance of technology and information systems according to prescribed internal and adopted industry standards, including secure disposal of systems and media to render all information or data contained therein as undecipherable or unrecoverable prior to final disposal or release from Flex’s possession.
Flex also maintains change management procedures and tracking mechanisms designed to test, approve, and monitor all changes to Flex’s technology and information assets.
Vulnerability Management; Incident Response and Notification
Flex maintains a vulnerability management program and regularly scans for, and patches identified vulnerability based on severity.
Flex maintains and regularly tests its written incident response plan, which incorporates notification requirements to Customers and governmental authorities as required under Applicable Data Protection Laws and this DPA.
Data Retention and Deletion
Flex implements and maintains data retention policies and procedures related to Personal Data and reviews these policies and procedures as appropriate.
Schedule 2
SUB-PROCESSORS
Customer to do the same; and (b) delete all other copies of Covered Data Processed by Flex or any Sub-processors, in each case unless Flex is required by applicable law to retain such Covered Data, in which case Flex shall only Process such Covered Data as required by applicable law.
Data Processing Agreement
Last Updated: March 12, 2024
This Data Processing Agreement (“DPA”) is subject to and forms part of the Sales Service Agreement (the “Service Agreement”) and governs Flex Technology Co. (“Flex”) and its affiliates’ processing of Personal Data (as defined below). Capitalized terms not defined in Section 1 shall have the meaning ascribed to them in the Service Agreement.
DEFINITIONS
1.1 Capitalized terms used but not defined within this DPA will have the meaning set forth in the Service Agreement. The following capitalized terms used in this DPA will be defined as follows:
“Applicable Data Protection Laws” means all applicable US Data Protection Laws, as they may be amended or otherwise updated from time to time.
“CCPA” means the California Consumer Privacy Act.
“Controller” means the entity which, alone or jointly with others, determines the purposes and means of Processing Personal Data, which may include, as applicable, a “Business” as defined under the CCPA.
“Covered Data” means Personal Data that is: (a) provided by or on behalf of the Customer to Flex in connection with the Services; or (b) obtained, developed, produced or otherwise Processed by Flex, or its agents or subcontractors, for purposes of providing the Services. “Covered Data” does not include Personal Data collected or Processed by any licensed healthcare or telehealth provider or any Letter of Medical Necessity issued thereby.
“Customer” or “you” has the same meaning as the term “Customer” under the Service Agreement.
“Data Subject” means a natural person whose Personal Data is Processed.
“Deidentified Data” means data created using Covered Data that cannot reasonably be linked to such Covered Data, directly or indirectly.
“Letter of Medical Necessity” means a formal document provided by a licensed healthcare provider that explains why a specific treatment, product, piece of medical equipment, medication, or medical service is essential for a Data Subject’s health and well-being.
“Personal Data” means any data or information that: (a) is linked or reasonably linkable to an identified or identifiable natural person; or (b) is otherwise “personal data,” “personal information,” “personally identifiable information,” or similarly defined data or information under Applicable Data Protection Laws.
“Processor” means the entity which is Processing data on behalf of Customer, as Controller.
"Processing" means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means. “Process”, “Processes” and “Processed” will be interpreted accordingly.
"Security Incident" means a confirmed or reasonably suspected breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to (including unauthorized internal access to), Covered Data.
“Sensitive Data” means certain Personal Data that is treated as a special category under US Data Protection Laws and includes “sensitive personal information” as defined under the CCPA.
"Services" means the services to be provided by Flex pursuant to the Service Agreement.
"Sub-processor" means an entity appointed by Flex to Process Covered Data on its behalf.
“US Data Protection Laws” means, to the extent applicable, federal and state laws, rules, regulations, and governmental requirements relating to data protection, the Processing of Personal Data, privacy and/or data protection in force from time to time in the United States.
INTERACTION WITH THE AGREEMENT
2.1 This DPA is incorporated into and forms an integral part of the Service Agreement. This DPA supplements and (in case of contradictions) supersedes the Service Agreement with respect to any Processing of Covered Data.
2.2 Details of the Data Processing:
Subject Matter and the Nature of the Processing: The subject matter and the nature of the Processing is to provide the Services under the Service Agreement.
Categories of Data Subjects that Flex may Process. Flex may Process the Personal Data of Customer, representatives of Customer, and any natural person that uses or accesses Flex’s website or Services, including any natural person that accesses or uses a Flex account or the Flex Platform.
Categories of Personal Data that Flex may Process. Flex may Process contact information about Customer (such as name, business address, email address, job title, and phone number) or Customer’s subscribers or clients; account information (including payment account information, profile information and payment and purchase history); payment and transaction information; inquiry, feedback, or communications or other data provided to the Services; and device information, including IP address.
Categories of Sensitive Data: If necessary to provide Services, Flex may collect Sensitive Data (e.g., information concerning an individual’s health).
Purpose of the Processing. When Flex acts as Customer’s Processor, Flex’s purposes for Processing Personal Data are to provide the Services, including the Flex Platform. When providing the Services, Flex’s may also Process Personal Data to:
- Build, analyze, or improve the quality of the Services;
- Comply with applicable laws, court orders, or subpoenas;
- Cooperate with law enforcement in connection with any civil, criminal, or regulatory inquiry, investigation, subpoena, or summons;
- implement, maintain and improve internal processes that enable Flex to provide its products and services, including Customer account management, invoicing, and relationship management; and
- monitor or investigate fraud or other security incidents.Frequency and Duration of the Processing. Flex will Process Personal Data throughout the term of the Service Agreement and any period thereafter as required to meet Flex’s obligations and comply with applicable laws.
Access Restrictions/Data Security. Flex maintains a written information security program that takes into account the nature of the data and the security of the risks involved and restricts access to Covered Data to only those who need access to perform their duties. Flex will implement and maintain appropriate technical and organizational data protection and security measures designed to ensure security of Covered Data, including, without limitation, protection against unauthorized or unlawful Processing and against accidental loss, destruction, or damage of or to it. When assessing the appropriate level of security, account will be taken in particular of the nature, scope, context and purpose of the Processing as well as the risks that are presented by the Processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Covered Data. A list of security controls and policies Flex will implement is set forth in Schedule 1 of this DPA.
ROLE OF THE PARTIES
The Parties acknowledge and agree that for the purposes of the US Data Protection Laws, Flex will act as a "service provider" or “processor” (as defined in US Data Protection Laws), as applicable, in its performance of its obligations pursuant to the Service Agreement and this DPA. At all times Flex will Process Personal Data in compliance with Applicable Data Protection Laws.
FLEX OBLIGATIONS WHEN ACTING AS PROCESSOR
4.1 Flex will only Process Covered Data on behalf of and under the instructions of Customer and in accordance with Applicable Data Protection Laws. The Service Agreement and this DPA will generally constitute instructions for the Processing of Covered Data. Customer may issue further written instructions in accordance with this DPA. Flex will inform you if, in its opinion, any written instructions violate Applicable Data Protection Laws. Without limiting the foregoing, Flex will not:
sell Covered Data or otherwise making Covered Data available to any third party for monetary or other valuable consideration;
share Covered Data with any third party for cross-context behavioural advertising;
retain, use, or disclose Covered Data for any purpose other than for the business purposes specified in the Service Agreement or as otherwise permitted by Applicable Data Protection Laws;
retain, use, or disclose Covered Data outside of the direct business relationship between the Parties; and
except as otherwise permitted by Applicable Data Protection Laws, combine Covered Data with Personal Data that Flex receives from or on behalf of another person or persons, or collects from its own interaction with the Data Subject, except to provide the Services.
4.2 Flex will limit access to Covered Data to personnel who have a business need to have access to such Covered Data and will ensure that such personnel are subject to obligations at least as protective of the Covered Data as the terms of this DPA and the Service Agreement.
4.3 Flex may Process Covered Data anywhere that Flex or its Sub-processors maintain facilities, subject to Section 5 of this DPA.
4.4 To the extent required by Applicable Data Protection Laws and taking into account the nature of the Processing and the Covered Data available to Flex, Flex will provide reasonable assistance to Customer, following Customer’s written request, to enable Controller to conduct and document any data protection assessments required under Applicable Data Protection Laws. If Customer requires assistance that, in Flex’s reasonable judgment, goes beyond Flex’s obligation to provide assistance under Applicable Data Protection Laws or this DPA, then Flex may charge Customer reasonable fees. In addition, Flex will notify Customer promptly if Flex determines that it can no longer meet its obligations under Applicable Data Protection Laws.
4.5 To the extent required by Applicable Data Protection Laws and taking into account the nature of the Processing and the Covered Data available to Flex, Flex will, following Customer’s written request, contribute to audits or inspections by making audit reports available to Customer. Following this request, and no more frequently than once annually, Flex will provide documentation reasonably evidencing the implementation of the technical and organizational data security measures in accordance with industry standards or complete a written data security questionnaire of reasonable scope and duration regarding Flex’s Processing of Personal Data. Notwithstanding the foregoing, Flex may, in its discretion, provide data protection compliance certifications issued by a commonly accepted certification issuer which has been audited by a data security expert, or by a publicly certified auditing company. If the requested audit scope is addressed in such a certification produced by a qualified third-party auditor within twelve (12) months of Customer’s audit request and Flex confirms there are no known material changes in the controls audited, Customer agrees to accept those findings in lieu of requesting an audit of the controls covered by the report. All reports and documentation provided, including any response to a security questionnaire, are Flex’s confidential information; and
4.6 Controller will have the right to take reasonable and appropriate steps to ensure that Flex uses Covered Data in a manner consistent with Controller’s obligations under Applicable Data Protection Laws.
CUSTOMER OBLIGATIONS
5.1 Customer must only provide lawful instructions to Flex.
5.2 Customer must comply with its obligations under Applicable Data Protection Laws, including observing the rights of the Data Subject, protecting the security and confidentiality of Personal Data, and ensuring there is a proper legal basis for Processing Personal Data.
5.3 Customer must provide Customers with all required privacy notices and obtain all necessary consents or authorizations for collecting or Processing Personal Data.
SUB-PROCESSORS
6.1 Customer grants Flex the general authorisation to engage Sub-processors, subject to Section 6.2, as well as Flex’s current Sub-processors listed in Schedule 2 as of the Effective Date (as defined in the Service Agreement).
6.2 Flex will enter into a written agreement with each Sub-processor imposing data protection obligations that, in substance, are no less protective of Covered Data than Flex’s obligations under this DPA. Flex will audit its Sub-processors on a regular basis and will, upon Customer’s request, confirm their compliance with Applicable Data Protection Laws and the Sub-processors’ contractual obligations.
6.3 Flex will provide Customer with at least fifteen (15) days’ notice of any proposed changes to the Sub-processors it uses to Process Covered Data. Customer may object to Flex’s use of a new Sub-processor by providing Flex with written notice of the objection within ten (10) days after Flex has provided notice to Customer of such proposed change (an "Objection"). If Customer does not object to the engagement within the Objection period, consent regarding the engagement will be assumed. Customer may reasonably object to a change within 30 days after receiving notice for legitimate reasons. However, certain Sub-processors are essential to enabling Flex to provide the Services and if Customer’s object to Flex’s use of a Sub-processor after good faith attempts to negotiate a favourable or alternative arrangement, then, Flex will not be obligated to provide you the Services for which Flex requires the use of that Sub-processor. Notwithstanding the foregoing and subject to Section 6.2, Customer authorizes Flex to use any payment processor as a permitted Sub-processor, including without limitation Stripe, Inc.
DATA SUBJECT RIGHTS REQUESTS
7.1 As between the Parties, Customer will have sole discretion and responsibility in responding to the rights asserted by any individual in relation to Covered Data under Applicable Data Protection Laws (each, a "Data Subject Request").
7.2 Flex will promptly forward to Customer without undue delay any Data Subject Request received by Flex or any Sub-processor and may advise the individual to submit their request directly to Customer.
7.3 To the extent required by Applicable Data Protection Laws, Flex will provide Customer with reasonable assistance as necessary for Customer to fulfil its obligation under Applicable Data Protection Laws to respond to Data Subject Requests, including if applicable, Customer’s obligation to respond to requests for exercising the rights set out in Applicable Data Protection Laws.
7.4 To the extent required by Applicable Data Protection Laws, Flex will audit its Sub-processors on a regular basis and will, upon Customer’s request, confirm their compliance with Applicable Data Protection Laws and the Sub-processors’ contractual obligations.
7.5 Notwithstanding anything to the contrary in the Service Agreement and this DPA, Flex will not be liable for any claim made by a Data Subject arising from or related to Flex’s or any of its employees’, directors’, representatives’, agents’, or affiliates’ acts or omissions, to the extent that Flex was acting in accordance with Customer’s instructions.
SECURITY INCIDENTS
Flex will notify Customer in writing without undue delay after becoming aware of any Security Incident, and reasonably cooperate in any obligation of Customer under Applicable Data Protection Laws to make any notifications, such as to individuals or supervisory authorities. Flex will take reasonable steps to contain, investigate, and mitigate any Security Incident, and will send Customer timely information about the Security Incident, including, but not limited to, the nature of the Security Incident, the measures taken to mitigate or contain the Security Incident, and the status of the investigation. Flex’s notification of or response to a Security Incident under this Section 8 will not be construed as an acknowledgement by Flex of any fault or liability with respect to the Security Incident.
Flex will provide reasonable assistance with Customer's investigation of the possible Security Incident and any notification obligation of Customer under Applicable Data Protection Laws, such as in relation to individuals or government authorities.
DElETION AND RETURN
Flex will, within thirty (30) days of the date of termination or expiry of the Service Agreement, (a) if requested to do so by Customer within that period, return a copy of all Covered Data or provide a self-service functionality allowing Customer to do the same; and (b) delete all other copies of Covered Data Processed by Flex or any Sub-processors, in each case unless Flex is required by applicable law to retain such Covered Data, in which case Flex shall only Process such Covered Data as required by applicable law.
DEIDENTIFIED DATA
If Flex receives Deidentified Data from or on behalf of Customer, then Flex will:
take reasonable measures to ensure the information cannot be associated with a Data Subject.
publicly commit to Process the Deidentified Data solely in deidentified form and not to attempt to reidentify the information.
contractually obligate any recipients of the Deidentified Data to comply with the foregoing requirements and Applicable Data Protection Laws.
Schedule 1
TECHNICAL AND ORGANIZATIONAL MEASURES
Information Security Program and Policies
Flex maintains a written information security program that describes how Flex protects the availability, integrity, and confidentiality of information and information systems, including the security controls used to safeguards the same. The security program includes documented security policies that reviewed and approved annually; appointed staff responsible for the development, implementation, and maintenance of Flex’s information security program; policies covering, as applicable, access control, classification, encryption, portable media, and multifactor authentication; periodic risk reviews and reviews of key controls, systems and procedures.
Risk and Asset Management
Flex performs audit and risk assessment procedures for the purposes of periodic review and assessment of risks to Flex’s organization, monitoring and maintaining compliance with Flex’s policies and procedures, and reporting the condition of its information security and compliance to internal senior management.
Access Control
All Flex personnel are only granted access to information if required to perform their duties and all personnel must acknowledge their data security and privacy responsibilities. Flex regularly conducts access reviews, terminates employee access promptly upon departure, and conducts background checks and screening.
Flex’s access policies require personnel to authenticate using appropriate authentication credentials such as strong passwords and enforces multi-factor authentication for any remote or network access to Flex’s information systems.
Training and Awareness
Flex requires its personnel complete an annual cybersecurity and privacy training and conducts periodic social engineering exercises to ensure resiliency.
Network Security
Flex implements network security controls, restricting access to its network to only authorized users. Flex routinely logs and monitors user activity on its network and segments its network based on data classifications.
Security Controls
Flex uses commercially available and industry standard encryption technologies for Covered Data that is: (a) being transmitted by Flex over public networks (i.e., the Internet) or when transmitted wirelessly; or (b) at rest or stored on portable or removable media.
Flex also implements other logical access controls designed to manage electronic access to data and system functionality based on authority levels and job functions.
Flex enforces password controls designed to manage and control password strength, expiration and usage including prohibiting users from sharing passwords and requiring that Flex’s passwords that are assigned to its personnel: (i) be at least ten (10) characters in length, (ii) not be stored in readable format on Flex’s systems; (iii) must have defined complexity; (iv) must have a history threshold to prevent reuse of recent passwords; and (v) newly issued passwords must be changed after first use.
Flex regularly audits system logs and conducts event logging and related monitoring procedures to proactively record user access and system activity for routine review.
Resiliency
Flex implements and maintains a business continuity and disaster recovery plan and maintains robust measures to ensure that the integrity and availability of Personal Data is preserved in the event of a physical or technical incident, including: database backup procedures, hardware redundancy, and regularly tested site recovery plans.
Operations Management
Flex maintains operational procedures and controls to provide for configuration, monitoring and maintenance of technology and information systems according to prescribed internal and adopted industry standards, including secure disposal of systems and media to render all information or data contained therein as undecipherable or unrecoverable prior to final disposal or release from Flex’s possession.
Flex also maintains change management procedures and tracking mechanisms designed to test, approve, and monitor all changes to Flex’s technology and information assets.
Vulnerability Management; Incident Response and Notification
Flex maintains a vulnerability management program and regularly scans for, and patches identified vulnerability based on severity.
Flex maintains and regularly tests its written incident response plan, which incorporates notification requirements to Customers and governmental authorities as required under Applicable Data Protection Laws and this DPA.
Data Retention and Deletion
Flex implements and maintains data retention policies and procedures related to Personal Data and reviews these policies and procedures as appropriate.
Schedule 2
SUB-PROCESSORS
Customer to do the same; and (b) delete all other copies of Covered Data Processed by Flex or any Sub-processors, in each case unless Flex is required by applicable law to retain such Covered Data, in which case Flex shall only Process such Covered Data as required by applicable law.
Data Processing Agreement
Last Updated: March 12, 2024
This Data Processing Agreement (“DPA”) is subject to and forms part of the Sales Service Agreement (the “Service Agreement”) and governs Flex Technology Co. (“Flex”) and its affiliates’ processing of Personal Data (as defined below). Capitalized terms not defined in Section 1 shall have the meaning ascribed to them in the Service Agreement.
DEFINITIONS
1.1 Capitalized terms used but not defined within this DPA will have the meaning set forth in the Service Agreement. The following capitalized terms used in this DPA will be defined as follows:
“Applicable Data Protection Laws” means all applicable US Data Protection Laws, as they may be amended or otherwise updated from time to time.
“CCPA” means the California Consumer Privacy Act.
“Controller” means the entity which, alone or jointly with others, determines the purposes and means of Processing Personal Data, which may include, as applicable, a “Business” as defined under the CCPA.
“Covered Data” means Personal Data that is: (a) provided by or on behalf of the Customer to Flex in connection with the Services; or (b) obtained, developed, produced or otherwise Processed by Flex, or its agents or subcontractors, for purposes of providing the Services. “Covered Data” does not include Personal Data collected or Processed by any licensed healthcare or telehealth provider or any Letter of Medical Necessity issued thereby.
“Customer” or “you” has the same meaning as the term “Customer” under the Service Agreement.
“Data Subject” means a natural person whose Personal Data is Processed.
“Deidentified Data” means data created using Covered Data that cannot reasonably be linked to such Covered Data, directly or indirectly.
“Letter of Medical Necessity” means a formal document provided by a licensed healthcare provider that explains why a specific treatment, product, piece of medical equipment, medication, or medical service is essential for a Data Subject’s health and well-being.
“Personal Data” means any data or information that: (a) is linked or reasonably linkable to an identified or identifiable natural person; or (b) is otherwise “personal data,” “personal information,” “personally identifiable information,” or similarly defined data or information under Applicable Data Protection Laws.
“Processor” means the entity which is Processing data on behalf of Customer, as Controller.
"Processing" means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means. “Process”, “Processes” and “Processed” will be interpreted accordingly.
"Security Incident" means a confirmed or reasonably suspected breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to (including unauthorized internal access to), Covered Data.
“Sensitive Data” means certain Personal Data that is treated as a special category under US Data Protection Laws and includes “sensitive personal information” as defined under the CCPA.
"Services" means the services to be provided by Flex pursuant to the Service Agreement.
"Sub-processor" means an entity appointed by Flex to Process Covered Data on its behalf.
“US Data Protection Laws” means, to the extent applicable, federal and state laws, rules, regulations, and governmental requirements relating to data protection, the Processing of Personal Data, privacy and/or data protection in force from time to time in the United States.
INTERACTION WITH THE AGREEMENT
2.1 This DPA is incorporated into and forms an integral part of the Service Agreement. This DPA supplements and (in case of contradictions) supersedes the Service Agreement with respect to any Processing of Covered Data.
2.2 Details of the Data Processing:
Subject Matter and the Nature of the Processing: The subject matter and the nature of the Processing is to provide the Services under the Service Agreement.
Categories of Data Subjects that Flex may Process. Flex may Process the Personal Data of Customer, representatives of Customer, and any natural person that uses or accesses Flex’s website or Services, including any natural person that accesses or uses a Flex account or the Flex Platform.
Categories of Personal Data that Flex may Process. Flex may Process contact information about Customer (such as name, business address, email address, job title, and phone number) or Customer’s subscribers or clients; account information (including payment account information, profile information and payment and purchase history); payment and transaction information; inquiry, feedback, or communications or other data provided to the Services; and device information, including IP address.
Categories of Sensitive Data: If necessary to provide Services, Flex may collect Sensitive Data (e.g., information concerning an individual’s health).
Purpose of the Processing. When Flex acts as Customer’s Processor, Flex’s purposes for Processing Personal Data are to provide the Services, including the Flex Platform. When providing the Services, Flex’s may also Process Personal Data to:
- Build, analyze, or improve the quality of the Services;
- Comply with applicable laws, court orders, or subpoenas;
- Cooperate with law enforcement in connection with any civil, criminal, or regulatory inquiry, investigation, subpoena, or summons;
- implement, maintain and improve internal processes that enable Flex to provide its products and services, including Customer account management, invoicing, and relationship management; and
- monitor or investigate fraud or other security incidents.Frequency and Duration of the Processing. Flex will Process Personal Data throughout the term of the Service Agreement and any period thereafter as required to meet Flex’s obligations and comply with applicable laws.
Access Restrictions/Data Security. Flex maintains a written information security program that takes into account the nature of the data and the security of the risks involved and restricts access to Covered Data to only those who need access to perform their duties. Flex will implement and maintain appropriate technical and organizational data protection and security measures designed to ensure security of Covered Data, including, without limitation, protection against unauthorized or unlawful Processing and against accidental loss, destruction, or damage of or to it. When assessing the appropriate level of security, account will be taken in particular of the nature, scope, context and purpose of the Processing as well as the risks that are presented by the Processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Covered Data. A list of security controls and policies Flex will implement is set forth in Schedule 1 of this DPA.
ROLE OF THE PARTIES
The Parties acknowledge and agree that for the purposes of the US Data Protection Laws, Flex will act as a "service provider" or “processor” (as defined in US Data Protection Laws), as applicable, in its performance of its obligations pursuant to the Service Agreement and this DPA. At all times Flex will Process Personal Data in compliance with Applicable Data Protection Laws.
FLEX OBLIGATIONS WHEN ACTING AS PROCESSOR
4.1 Flex will only Process Covered Data on behalf of and under the instructions of Customer and in accordance with Applicable Data Protection Laws. The Service Agreement and this DPA will generally constitute instructions for the Processing of Covered Data. Customer may issue further written instructions in accordance with this DPA. Flex will inform you if, in its opinion, any written instructions violate Applicable Data Protection Laws. Without limiting the foregoing, Flex will not:
sell Covered Data or otherwise making Covered Data available to any third party for monetary or other valuable consideration;
share Covered Data with any third party for cross-context behavioural advertising;
retain, use, or disclose Covered Data for any purpose other than for the business purposes specified in the Service Agreement or as otherwise permitted by Applicable Data Protection Laws;
retain, use, or disclose Covered Data outside of the direct business relationship between the Parties; and
except as otherwise permitted by Applicable Data Protection Laws, combine Covered Data with Personal Data that Flex receives from or on behalf of another person or persons, or collects from its own interaction with the Data Subject, except to provide the Services.
4.2 Flex will limit access to Covered Data to personnel who have a business need to have access to such Covered Data and will ensure that such personnel are subject to obligations at least as protective of the Covered Data as the terms of this DPA and the Service Agreement.
4.3 Flex may Process Covered Data anywhere that Flex or its Sub-processors maintain facilities, subject to Section 5 of this DPA.
4.4 To the extent required by Applicable Data Protection Laws and taking into account the nature of the Processing and the Covered Data available to Flex, Flex will provide reasonable assistance to Customer, following Customer’s written request, to enable Controller to conduct and document any data protection assessments required under Applicable Data Protection Laws. If Customer requires assistance that, in Flex’s reasonable judgment, goes beyond Flex’s obligation to provide assistance under Applicable Data Protection Laws or this DPA, then Flex may charge Customer reasonable fees. In addition, Flex will notify Customer promptly if Flex determines that it can no longer meet its obligations under Applicable Data Protection Laws.
4.5 To the extent required by Applicable Data Protection Laws and taking into account the nature of the Processing and the Covered Data available to Flex, Flex will, following Customer’s written request, contribute to audits or inspections by making audit reports available to Customer. Following this request, and no more frequently than once annually, Flex will provide documentation reasonably evidencing the implementation of the technical and organizational data security measures in accordance with industry standards or complete a written data security questionnaire of reasonable scope and duration regarding Flex’s Processing of Personal Data. Notwithstanding the foregoing, Flex may, in its discretion, provide data protection compliance certifications issued by a commonly accepted certification issuer which has been audited by a data security expert, or by a publicly certified auditing company. If the requested audit scope is addressed in such a certification produced by a qualified third-party auditor within twelve (12) months of Customer’s audit request and Flex confirms there are no known material changes in the controls audited, Customer agrees to accept those findings in lieu of requesting an audit of the controls covered by the report. All reports and documentation provided, including any response to a security questionnaire, are Flex’s confidential information; and
4.6 Controller will have the right to take reasonable and appropriate steps to ensure that Flex uses Covered Data in a manner consistent with Controller’s obligations under Applicable Data Protection Laws.
CUSTOMER OBLIGATIONS
5.1 Customer must only provide lawful instructions to Flex.
5.2 Customer must comply with its obligations under Applicable Data Protection Laws, including observing the rights of the Data Subject, protecting the security and confidentiality of Personal Data, and ensuring there is a proper legal basis for Processing Personal Data.
5.3 Customer must provide Customers with all required privacy notices and obtain all necessary consents or authorizations for collecting or Processing Personal Data.
SUB-PROCESSORS
6.1 Customer grants Flex the general authorisation to engage Sub-processors, subject to Section 6.2, as well as Flex’s current Sub-processors listed in Schedule 2 as of the Effective Date (as defined in the Service Agreement).
6.2 Flex will enter into a written agreement with each Sub-processor imposing data protection obligations that, in substance, are no less protective of Covered Data than Flex’s obligations under this DPA. Flex will audit its Sub-processors on a regular basis and will, upon Customer’s request, confirm their compliance with Applicable Data Protection Laws and the Sub-processors’ contractual obligations.
6.3 Flex will provide Customer with at least fifteen (15) days’ notice of any proposed changes to the Sub-processors it uses to Process Covered Data. Customer may object to Flex’s use of a new Sub-processor by providing Flex with written notice of the objection within ten (10) days after Flex has provided notice to Customer of such proposed change (an "Objection"). If Customer does not object to the engagement within the Objection period, consent regarding the engagement will be assumed. Customer may reasonably object to a change within 30 days after receiving notice for legitimate reasons. However, certain Sub-processors are essential to enabling Flex to provide the Services and if Customer’s object to Flex’s use of a Sub-processor after good faith attempts to negotiate a favourable or alternative arrangement, then, Flex will not be obligated to provide you the Services for which Flex requires the use of that Sub-processor. Notwithstanding the foregoing and subject to Section 6.2, Customer authorizes Flex to use any payment processor as a permitted Sub-processor, including without limitation Stripe, Inc.
DATA SUBJECT RIGHTS REQUESTS
7.1 As between the Parties, Customer will have sole discretion and responsibility in responding to the rights asserted by any individual in relation to Covered Data under Applicable Data Protection Laws (each, a "Data Subject Request").
7.2 Flex will promptly forward to Customer without undue delay any Data Subject Request received by Flex or any Sub-processor and may advise the individual to submit their request directly to Customer.
7.3 To the extent required by Applicable Data Protection Laws, Flex will provide Customer with reasonable assistance as necessary for Customer to fulfil its obligation under Applicable Data Protection Laws to respond to Data Subject Requests, including if applicable, Customer’s obligation to respond to requests for exercising the rights set out in Applicable Data Protection Laws.
7.4 To the extent required by Applicable Data Protection Laws, Flex will audit its Sub-processors on a regular basis and will, upon Customer’s request, confirm their compliance with Applicable Data Protection Laws and the Sub-processors’ contractual obligations.
7.5 Notwithstanding anything to the contrary in the Service Agreement and this DPA, Flex will not be liable for any claim made by a Data Subject arising from or related to Flex’s or any of its employees’, directors’, representatives’, agents’, or affiliates’ acts or omissions, to the extent that Flex was acting in accordance with Customer’s instructions.
SECURITY INCIDENTS
Flex will notify Customer in writing without undue delay after becoming aware of any Security Incident, and reasonably cooperate in any obligation of Customer under Applicable Data Protection Laws to make any notifications, such as to individuals or supervisory authorities. Flex will take reasonable steps to contain, investigate, and mitigate any Security Incident, and will send Customer timely information about the Security Incident, including, but not limited to, the nature of the Security Incident, the measures taken to mitigate or contain the Security Incident, and the status of the investigation. Flex’s notification of or response to a Security Incident under this Section 8 will not be construed as an acknowledgement by Flex of any fault or liability with respect to the Security Incident.
Flex will provide reasonable assistance with Customer's investigation of the possible Security Incident and any notification obligation of Customer under Applicable Data Protection Laws, such as in relation to individuals or government authorities.
DElETION AND RETURN
Flex will, within thirty (30) days of the date of termination or expiry of the Service Agreement, (a) if requested to do so by Customer within that period, return a copy of all Covered Data or provide a self-service functionality allowing Customer to do the same; and (b) delete all other copies of Covered Data Processed by Flex or any Sub-processors, in each case unless Flex is required by applicable law to retain such Covered Data, in which case Flex shall only Process such Covered Data as required by applicable law.
DEIDENTIFIED DATA
If Flex receives Deidentified Data from or on behalf of Customer, then Flex will:
take reasonable measures to ensure the information cannot be associated with a Data Subject.
publicly commit to Process the Deidentified Data solely in deidentified form and not to attempt to reidentify the information.
contractually obligate any recipients of the Deidentified Data to comply with the foregoing requirements and Applicable Data Protection Laws.
Schedule 1
TECHNICAL AND ORGANIZATIONAL MEASURES
Information Security Program and Policies
Flex maintains a written information security program that describes how Flex protects the availability, integrity, and confidentiality of information and information systems, including the security controls used to safeguards the same. The security program includes documented security policies that reviewed and approved annually; appointed staff responsible for the development, implementation, and maintenance of Flex’s information security program; policies covering, as applicable, access control, classification, encryption, portable media, and multifactor authentication; periodic risk reviews and reviews of key controls, systems and procedures.
Risk and Asset Management
Flex performs audit and risk assessment procedures for the purposes of periodic review and assessment of risks to Flex’s organization, monitoring and maintaining compliance with Flex’s policies and procedures, and reporting the condition of its information security and compliance to internal senior management.
Access Control
All Flex personnel are only granted access to information if required to perform their duties and all personnel must acknowledge their data security and privacy responsibilities. Flex regularly conducts access reviews, terminates employee access promptly upon departure, and conducts background checks and screening.
Flex’s access policies require personnel to authenticate using appropriate authentication credentials such as strong passwords and enforces multi-factor authentication for any remote or network access to Flex’s information systems.
Training and Awareness
Flex requires its personnel complete an annual cybersecurity and privacy training and conducts periodic social engineering exercises to ensure resiliency.
Network Security
Flex implements network security controls, restricting access to its network to only authorized users. Flex routinely logs and monitors user activity on its network and segments its network based on data classifications.
Security Controls
Flex uses commercially available and industry standard encryption technologies for Covered Data that is: (a) being transmitted by Flex over public networks (i.e., the Internet) or when transmitted wirelessly; or (b) at rest or stored on portable or removable media.
Flex also implements other logical access controls designed to manage electronic access to data and system functionality based on authority levels and job functions.
Flex enforces password controls designed to manage and control password strength, expiration and usage including prohibiting users from sharing passwords and requiring that Flex’s passwords that are assigned to its personnel: (i) be at least ten (10) characters in length, (ii) not be stored in readable format on Flex’s systems; (iii) must have defined complexity; (iv) must have a history threshold to prevent reuse of recent passwords; and (v) newly issued passwords must be changed after first use.
Flex regularly audits system logs and conducts event logging and related monitoring procedures to proactively record user access and system activity for routine review.
Resiliency
Flex implements and maintains a business continuity and disaster recovery plan and maintains robust measures to ensure that the integrity and availability of Personal Data is preserved in the event of a physical or technical incident, including: database backup procedures, hardware redundancy, and regularly tested site recovery plans.
Operations Management
Flex maintains operational procedures and controls to provide for configuration, monitoring and maintenance of technology and information systems according to prescribed internal and adopted industry standards, including secure disposal of systems and media to render all information or data contained therein as undecipherable or unrecoverable prior to final disposal or release from Flex’s possession.
Flex also maintains change management procedures and tracking mechanisms designed to test, approve, and monitor all changes to Flex’s technology and information assets.
Vulnerability Management; Incident Response and Notification
Flex maintains a vulnerability management program and regularly scans for, and patches identified vulnerability based on severity.
Flex maintains and regularly tests its written incident response plan, which incorporates notification requirements to Customers and governmental authorities as required under Applicable Data Protection Laws and this DPA.
Data Retention and Deletion
Flex implements and maintains data retention policies and procedures related to Personal Data and reviews these policies and procedures as appropriate.
Schedule 2
SUB-PROCESSORS
Customer to do the same; and (b) delete all other copies of Covered Data Processed by Flex or any Sub-processors, in each case unless Flex is required by applicable law to retain such Covered Data, in which case Flex shall only Process such Covered Data as required by applicable law.