Business Associate Agreement (USA) – Default
Version 1.1 – 30 November 2020
This Business Associate Agreement applies to the processing of Personal Data that Zaurus B.V. – located at Comeniusstraat 5 in Alkmaar, registered in the Trade Register of the Chamber of Commerce under number 72991941 and legally represented by Niels Greidanus, CEO – (hereinafter: “Business Associate”) performs on behalf of the other party to whom it provides services (hereinafter: “Covered Entity”).
- The Business Associate offers a communication platform aimed at the healthcare sector that the Covered Entity wishes to use;
- The Covered Entity wishes to have certain forms of processing carried out by the Business Associate, whereby the Covered Entity indicates the purpose and means;
- The Business Associate uses appropriate safeguards, and complies with Subpart C of 45 CFR Part 164 of the HIPAA with respect to electronic protected health information, to prevent use or disclosure of protected health information other than as provided for by the Agreement;
- The Parties wish to record their rights and obligations in writing, partly in view of the requirement from Article 28 paragraph 3 GDPR.
It is agreed as follows:
1. Definitions
1.1. In this Data Processing Agreement, the following capitalized terms mean the following:
a) Agreement
Means this Business Associate Agreement and all schedules.
b) Business Associate
A person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a Covered Entity.
c) Business Associate Agreement
d) Covered Entity
The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
e) Data Protection Officer
Appointed person within an organization that ensures that the organization processes the personal data of its staff, customers, providers or any other individuals (also referred to as Data Subjects) in compliance with the applicable data protection rules.
f) Data Subject
An identified or identifiable natural person.
g) Employee
The natural person involved by the Parties for the implementation of this Data Processing Agreement, who works for one of the Parties.
h) HIPAA Rules
“HIPAA Rules” shall mean the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Part 160 and Part 164.
i) Incident
i. a complaint or (information) request from a Data Subject regarding the processing of Personal Data by the Business Associate;
ii. an investigation into or seizure of the Personal Data by government officials, or a suspicion that this will take place;
iii. a breach in relation to Personal Data;
iv. any unauthorized access, deletion, mutilation, loss or any other form of unlawful processing of the Personal Data.
j) Instruction
Written or electronically sent designation from the Covered Entity to the Business Associate within the framework of its powers as formulated in this Business Associate Agreement or in the Agreement(s).
Instructions are provided by and to the contact persons of the parties as set out in Appendix 4.
k) Party
Covered Entity or Business Associate.
l) Parties
Covered Entity and Business Associate.
m) Personal Data
All information about an identified or identifiable natural person.
n) Sub-processor
Means any person appointed by the Business Associate to process Personal Data on behalf of the Business Associate in connection with the Agreement.
o) Third Party
A person or group besides the two primarily involved in a situation.
1.2. The aforementioned and other terms are interpreted in accordance with the HIPAA and GDPR.
1.3. If, in this Agreement, certain standards are mentioned, this always refers to the most current version thereof. If the relevant standard is no longer maintained, the most recent version of the logical successor to the relevant standard should be read instead.
2. Subject and assignment of this Business Associate Agreement
2.1. This Business Associate Agreement applies to the processing of Personal Data in the context of the performance of the Agreement(s).
2.2. In accordance with Article 28 of the GDPR, the Covered Entity gives the Business Associate an order and instructions to process Personal Data on behalf of the Covered Entity. The instructions of the Covered Entity may be further described in, among other things, this Business Associate Agreement and the Agreement(s).
2.3. The Parties conclude the Agreement(s) to use the expertise that the Business Associate has with regard to processing and securing Personal Data for the purposes arising from the Agreement(s) and further described in this Business Associate Agreement. The Business Associate guarantees that it is qualified for this.
2.4. Business Associate will immediately notify the Covered Entity if it finds that a processing order violates applicable laws and/or regulations or if the Business Associate can no longer comply with the Business Associate Agreement.
2.5. This Business Associate Agreement is an inseparable part of the Agreement(s). Insofar as the provisions of the Business Associate Agreement conflict with the provisions of the Agreement(s), the provisions of this Business Associate Agreement will prevail.
3. Implementation of processing and provision
3.1. The Business Associate guarantees that it will only process Personal Data on behalf of Covered Entity if:
a) this is necessary for the execution of the Principal Agreement; or
b) the Covered Entity has given further written instructions to that effect.
3.2. In the context of the provisions of the first paragraph of Article 3 under a), the Business Associate will only process the Personal Data specified in Annex 1 in the context of the nature and purposes of the processing described in that Annex.
3.3. The Business Associate will follow all reasonable instructions from the Covered Entity in connection with processing Personal Data.
3.4. The Business Associate will reject all requests for the provision of Personal Data that are not legally binding, unless otherwise agreed in writing with the Covered Entity.
3.5. Without prejudice to the provisions of the first paragraph of this article 3, the Business Associate is permitted to process or provide Personal Data if a statutory regulation (including judicial or administrative orders based thereon) obliges it to process or provide it. In that case, the Business Associate shall notify the Covered Entity of the intended processing or provision and the statutory requirement to the processing or provision, unless such legislation prohibits such notification for important reasons of public interest. The Business Associate will enable the Covered Entity, if possible, to defend themselves against this mandatory processing or provision and otherwise limit the processing or provision required to what is strictly necessary.
3.6. The Business Associate will process Personal Data demonstrably, properly and carefully, and in accordance with its obligations as Business Associate under the HIPAA, GDPR and other laws and regulations. In this specific context, the Business Associate keeps a register of its processing operations and can provide a copy of this register at any time.
3.7. If the service provided by the Business Associate implies the processing of health data or other special Personal Data, the Business Associate guarantees that it will not act in violation of any applicable US or European health legislation.
3.8. The Business Associate guarantees that the Employees involved have signed a confidentiality agreement and allows the Covered Entity to inspect these confidentiality agreements on request.
4. Transfer to third countries
4.1. The Business Associate is only entitled to transfer Personal Data to a third country or international organization if the Covered Entity has given prior, specific consent for this, unless a European Union or Member State law applicable to the Business Associate requires it to do so. In that case, the Business Associate will notify the Covered Entity in writing of that legal requirement prior to the processing, unless that legislation prohibits such notification for important reasons of public interest.
4.2. If, after consent of the Covered Entity, Personal Data is passed on to third countries outside the European Economic Area (“EEA”) or to an international organization as referred to in Article 4 paragraph 26 GDPR, then the Parties will ensure that this only takes place in accordance with legal regulations and any obligations resting on the Covered Entity in this regard. If data is transferred to a third country or an international organization, this is indicated in Annex 1 to this Business Associate Agreement, including a list of the countries where, or international organizations by whom, the Personal Data are processed. It also indicates how the conditions on the basis of the GDPR for transfer of Personal Data to third countries or international organizations have been met.
5. Security of Personal Data and control
5.1. The Business Associate will demonstrably take appropriate and effective technical and organizational security measures, which (given the current state of the art and the associated costs) correspond to the nature of the Personal Data to be processed (specified in Appendix 1), in order to protect the Personal Data against loss, unauthorized knowledge, mutilation or any form of unlawful processing, as well as to guarantee the (timely) availability of the data. In any case, the measures include:
a) measures to ensure that processes and systems are designed in such a way that collection and processing of Personal Data (including use, provision, retention, transfer and deletion) is limited to what is necessary for the purposes of the processing (‘privacy by design’ and ‘privacy by default’);
b) measures to ensure that only authorized Employees have access to the Personal Data for the purposes mentioned in the Business Associate Agreement;
c) measures to protect Personal Data against accidental or unlawful destruction, accidental loss or alteration, unauthorized or unlawful storage, processing, access or disclosure;
d) measures to identify vulnerabilities with regard to the processing of Personal Data in the systems used to provide services to the Covered Entity;
e) the other measures agreed by the Parties as set out in Appendix 2.
5.3. At the Covered Entity’s first request, the Business Associate will submit a valid certificate issued by an independent and expert third party, which shows that Business Associate complies with the obligations under this article.
5.4. In addition to the foregoing paragraphs, the Covered Entity has the right at all times, in consultation with the Business Associate and subject to reasonable notice, to check (or have checked by means of an audit performed by independent certified external experts) whether the Business Associate complies with applicable laws and regulations regarding the processing of Personal Data, the Agreement(s) and this Business Associate Agreement, including the technical and organizational security measures taken by the Business Associate:
a) The Parties may agree in mutual consultation that the audit will be carried out by an external expert to be engaged in consultation with the Covered Entity, who will issue a Third-Party statement;
b) The auditor provides the audit report only to the Parties;
c) The Parties make mutual agreements about how to deal with the results of the audit;
d) The Parties can agree in mutual consultation that, on the basis of a valid (inter)nationally recognized certification or an equivalent means of control or evidence, an audit already carried out and a Third-Party statement issued from it can be used. In that case, the Covered Entity will be reactively informed about the results of the audit;
e) The Parties agree that the costs of this audit will be borne by the Covered Entity, unless the audit reveals (major) defects that can be attributed to the Business Associate. In that case, the parties will consult on the division of the costs of the audit.
5.5. The Parties recognize that security requirements are constantly changing, and that effective security requires frequent evaluation and regular improvement of outdated security measures. The Business Associate will therefore periodically evaluate the measures as implemented on the basis of this article and, where necessary, improve the measures to continue to comply with the obligations under this article. The foregoing is without prejudice to the Business Associate’s authority to take additional measures or have them taken if necessary.
6. Monitoring, information obligations and incident management
6.1. The Business Associate will actively monitor possible vulnerabilities regarding the security of information and report any vulnerabilities that affect the security of information to the Covered Entity.
6.2. As soon as an Incident occurs, has occurred or could occur, the Business Associate is obliged to inform the Covered Entity immediately, and in any event within 48 hours after the occurrence of the Incident, providing all relevant information about:
a) the nature of the Incident;
b) the (possibly) affected Personal Data;
c) the identified and likely consequences of the Incident; and
d) the measures that have been or will be taken to resolve the Incident or to limit the consequences/damage as much as possible.
6.3. The Business Associate is, without prejudice to the other obligations in this article, obliged to take measures that can reasonably be expected of it to repair the Incident as soon as possible or to limit the further consequences as much as possible. The Business Associate will consult with the Covered Entity without delay in order to make further agreements about this.
6.4. The Business Associate will cooperate with the Covered Entity at all times and will follow the instructions of the Covered Entity and enable the Covered Entity to conduct a proper investigation into the Incident, formulate a correct response and take appropriate follow-up steps with regard to the Incident, including:
a) informing the Dutch Data Protection Authority (AP) and/or the Data Subject as determined in Article 5.8.
b) informing patients, the HHS Office for Civil Rights and, if necessary, the media as determined in Article 5.8.
6.5. The Business Associate will at all times have written procedures in place that enable it to provide the Covered Entity with an immediate response to an Incident, and to work effectively with the Covered Entity to handle the Incident. The Business Associate will provide the Covered Entity with a copy of such procedures if the Covered Entity requests this.
6.6. Notifications made in relation to article 5.2 are immediately addressed to the Covered Entity or, if relevant, to Employees of the Covered Entity. If the Covered Entity has appointed a Data Protection Officer (DPO), reports will be sent to the DPO.
6.7. The Business Associate is not permitted to provide information about Incidents to Third Parties, except if the Business Associate is legally obliged to do so or the Parties have agreed otherwise.
6.8. If the Parties have agreed that the Business Associate maintains direct contact with authorities or other Third Parties in relation to an Incident, the Business Associate will keep the Covered Entity continuously informed in order to make further agreements about this.
7. Cooperation obligations
The HIPAA, GDPR and other (privacy) legislation assign certain rights to the Data Subject. The Business Associate will cooperate fully and in a timely manner with the Covered Entity in the fulfillment of the obligations resting on the Covered Entity with regard to, but not limited to:
7.1. Fulfilling (as far as reasonably possible) the obligation of the Covered Entity to comply with requests for the Data Subject’s rights laid down in HIPAA and GDPR within the legal deadlines, such as a request for access, correction, addition, deletion or protection of Personal Data.
7.2. The Business Associate shall notify the Covered Entity of any limitation(s) relating to its privacy practices under 45 CFR 164.520 of the HIPAA, to the extent that such limitation may affect Covered Entity’s use or disclosure of protected Personal Data.
7.3. The Covered Entity shall notify Business Associate of any changes in, or revocation of, the permission by an individual to use or disclose his or her Personal Data, to the extent that such changes may affect Business Associate’s use or disclosure of protected Personal Data.
7.4. The Covered Entity shall notify Business Associate of any restriction on the use or disclosure of protected Personal Data that the Covered Entity has agreed to or is required to abide by under 45 CFR 164.522 of the HIPAA, to the extent that such restriction may affect Business Associate’s use or disclosure of protected Personal Data.
7.5. Performing checks and audits as referred to in Article 5, paragraph 4 of this Business Associate Agreement.
7.6. Carrying out a data protection impact assessment (DPIA) and any mandatory prior consultation with the Dutch Data Protection Authority (‘Autoriteit Persoonsgegevens’).
7.7. Compliance with requests from the Data Protection Authorities or other applicable government agencies.
7.8. Preparing, assessing and reporting Incidents, as referred to in Article 6 of this Business Associate Agreement.
7.9. A complaint or request from a Data Subject or a request or investigation from Data Protection Authorities with regard to the processing of the Personal Data, will be forwarded by the Business Associate, to the extent permitted by law, without delay to the Covered Entity, who is responsible for handling the request.
7.10. Parties do not charge each other any costs for cooperation that is reasonably provided. In the event that one of the Parties wishes to charge costs, this Party shall notify the other Party thereof in advance.
8. Engaging Sub-processors
8.1. During the term of this Business Associate Agreement, the Business Associate will inform the Covered Entity of a proposed addition of a new Sub-processor or change in the composition of the existing Sub-processors. The Covered Entity is given the opportunity to object to these changes within a reasonable period of time.
8.2. The Business Associate will not outsource its activities that consist of the processing of Personal Data or require that Personal Data be processed to a Sub-processor without the prior consent of the Covered Entity. The foregoing does not apply to the Sub-processors listed in Appendix 1.
8.3. In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2) of the HIPAA, if applicable, the Business Associate ensures that any Sub-processors that create, receive, maintain, or transmit protected health information on behalf of the Covered Entity agree to the same restrictions, conditions, and requirements that apply to the Covered Entity with respect to such information. The Business Associate will record these Sub-processor agreements in writing and will monitor compliance with them by the Sub-processor. The Business Associate will provide the Covered Entity with a copy of the agreement(s) concluded with the Sub-processor upon request.
8.4. Notwithstanding the consent of the Covered Entity to engage a Sub-processor who (partially) processes data on behalf of the Business Associate, the Business Associate remains fully liable to the Covered Entity for the consequences of outsourcing work to a Sub-processor. The consent of the Covered Entity for the outsourcing of activities to a Sub-processor does not affect the fact that permission is required for engaging Sub-processors in a country outside the European Economic Area in accordance with Article 4 of this Business Associate Agreement.
9. Liability
9.1. Parties are each responsible and liable for their own actions.
9.2. Any limitation of liability in the Agreement applies mutatis mutandis to this Agreement, provided that:
a) any (implicit or explicit) exclusions of liability for loss and/or mutilation of Personal Data are excluded;
b) any (implicit or explicit) exclusions of liability for fines imposed by the Dutch Data Protection Authority or another supervisory authority that are directly related to an attributable shortcoming on the part of the Business Associate, or to an attributable or negligent act of the Business Associate, are excluded.
9.3. The Business Associate indemnifies the Covered Entity for all claims, actions, claims of Third Parties, as well as fines of the US and European Data Protection Authorities, that result directly from an attributable shortcoming by Business Associate and/or its subcontractors/Sub-processors in the fulfillment of its obligations under this Agreement and/or any violation by Business Associate and/or its subcontractors/Sub-processors of applicable law regarding the processing of Personal Data.
9.4. As far as the Parties are jointly and severally liable towards Third Parties or are jointly fined by the US or European Data Protection Authorities, they are each obliged towards each other, each for the part of the debt that concerns them in their mutual relationship.
9.5. Insofar as the Agreement does not contain a limitation of liability for the Covered Entity, the limitation for Business Associate included in paragraph 2 also applies to the Covered Entity.
9.6. Any limitation of liability will also lapse for the Party concerned in the event of intent or gross negligence on the part of the Party concerned.
9.7. Parties ensure adequate liability coverage.
10. Costs
10.1. The costs of processing data inherent in the normal performance of the Agreement are deemed to be included in the fees already payable under the Agreement.
10.2. Any support or other additional service that Business Associate is required to provide under this Agreement, or that is requested by Covered Entity, including any requests for additional information, will be charged to Covered Entity in accordance with the rates specified in Appendix 3.
10.3. The preceding provision does not apply if the work is related to a shortcoming of the Business Associate under this Agreement. In that case, the work will be performed free of charge (without prejudice to the Covered Entity’s right to recover the actual damage suffered from the Business Associate).
11. Confidentiality
11.1. Confidential information means all information of any kind, including technical, commercial, know-how, plans, drawings, reports, computer data and archives, exchanged by the Parties in any way, and which is expressly or indirectly marked as confidential.
11.2. It is expressly agreed that the following information is not confidential information:
- Information of which the Parties were already aware, and which is not classified as confidential or of which the confidential nature cannot be assumed;
- Information that has come into the public domain or is known to the public;
- Information that is disclosed by a Third Party without there being an error or breach of this Business Associate Agreement or of a duty of confidentiality;
- Information for which written permission for disclosure is given by the issuing Party.
11.3. In the event that parts or elements of the information fall under one of the above exceptions, the information in its entirety remains under the protection of this Business Associate Agreement.
11.4. The Parties undertake to treat the confidential information confidentially during the term of the Agreement(s) and after the end of the Agreement(s).
11.5. As such, no confidential information may be disclosed to a Third Party without the written consent of the Party that provided the confidential information.
12. Duration and termination
12.1. This Business Associate Agreement takes effect after the online ordering process has been successfully completed and the first invoice has been paid in full. The duration of this Business Associate Agreement is equal to the duration of the underlying Agreement(s), including any extensions thereof.
12.2. After it has been signed by both Parties, the Agreement forms an integral and inseparable part of the Principal Agreement. Termination of the Agreement, on whatever ground (termination/dissolution), means that the Business Associate Agreement is also terminated on the same ground (and vice versa), unless the Parties agree otherwise.
12.3. Obligations which by their nature are intended to continue (even after termination of this Agreement) will continue to apply after termination of this Agreement. These provisions include, for example, those arising from the provisions on confidentiality, liability, dispute resolution and applicable law.
12.4. Each of the Parties is entitled, without prejudice to what is stipulated in the Agreement, to suspend the implementation of this Agreement and the related Principal Agreement, or to dissolve it without judicial intervention with immediate effect, if:
a) the other Party is dissolved or otherwise ceases to exist;
b) the other Party demonstrably (seriously) fails in the fulfillment of the obligations arising from this Agreement and that attributable failure has not been remedied within 30 days after a written notice of default to that effect;
c) a Party is declared bankrupt or applies for a moratorium.
12.5. Given the dependence on the Business Associate as well as the continuity risk in case of security incidents and calamities (such as bankruptcy), the Business Associate declares that it is willing to make additional agreements with the Covered Entity to reduce such risks. These additional agreements may include:
a) making agreements about periodically returning the data processed by the Business Associate or transferring them to a Third Party; and/or
b) entering into an agreement with a Third Party that the Third Party concerned undertakes jointly and severally to guarantee the fulfillment of the Agreement; and/or
c) entering into a (tripartite) agreement with a Third Party that aims to provide the Third Party in question, at all times, with all the information necessary to (where applicable) provide (part of) the information provision under the Agreement.
12.6. The Covered Entity is entitled to dissolve this Agreement immediately if the Business Associate indicates that it is no longer able to meet the requirements that are imposed on processing of the Personal Data on the basis of developments in the law and/or case law.
12.7. The Business Associate must inform the Covered Entity in advance and in a timely manner of an intended takeover or transfer of ownership.
12.8. The Business Associate is not permitted to transfer this Agreement and the rights and obligations associated with this Agreement to a Third Party without the express and written consent of the Covered Entity.
13. Retention periods, return and destruction of Personal Data
13.1. Covered Entity will adequately inform the Business Associate about (legal) retention periods that apply to the processing of Personal Data by the Business Associate. The Business Associate does not store Personal Data longer than strictly necessary, including the legal retention periods or any agreement made between the Parties about retention periods as laid down in Appendix 1.
13.2. Under no circumstances will the Business Associate keep the Personal Data longer than until the end of this Agreement. The Covered Entity determines whether, and, if so, for how long data must be retained.
13.3. Upon termination of the Business Associate Agreement, or if applicable at the end of the agreed retention periods, or at the written request of the Covered Entity, the Business Associate will irrevocably destroy the Personal Data or have it returned to the Covered Entity, possibly at reasonable costs, at the discretion of the Covered Entity. At the request of the Covered Entity, the Business Associate will provide proof that the data have been irrevocably destroyed or deleted. Any return of data will take place electronically in a generally accepted, structured and documented data format.
14. Intellectual property rights
Insofar as the (collection of) Personal Data is protected by any intellectual property right, the Covered Entity gives permission to the Business Associate to use the Personal Data in the context of the execution of this Agreement.
15. Final provisions
15.1. The considerations form part of this Agreement.
15.2. In the event of nullity or voidability of one or more provisions of this Agreement, the other provisions remain in full force.
15.3. In all cases not provided for in this Agreement, the Parties will decide in mutual consultation.
15.4. This Agreement is governed by the laws of the Netherlands.
15.5. Parties will endeavor to resolve conflicts by mutual agreement. This includes the option to end the dispute by means of mediation or arbitration to be determined in mutual consultation.
15.6. Disputes about or in connection with this Agreement will only be submitted to the court or arbitrator(s) designated for that purpose in the Agreement.
Appendix 1: Specification of Personal Data and Data Subjects
Personal data of users of Covered Entity
The Business Associate will, in the context of Article 1.1 of the Business Associate Agreement, process the Personal Data shown below on behalf of the Covered Entity.
This Agreement is an annex to the following agreements and relates to the following processing of Personal Data:
Appendix 2: Description of further security measures
Information provision and privacy are essential for the continuity of the business operations of Business Associate and its customers. In our daily work we depend on the availability of reliable information. Our organization and our information provision are exposed to threats, whether deliberate or not. These threats make it necessary to take targeted measures to reduce the risks to an acceptable level. The sections below list some of the measures we have taken.
Zaurus B.V. is certified by BSI against the ISO 27001:2013 (and the Dutch NEN 7510:2017) standards. Our statement of applicability and our certificates are available on request from our Chief Information Security Officer via firstname.lastname@example.org.
1. Description of the measures to ensure that processes and systems are designed in such a way that the collection and processing of Personal Data (including use, provision, retention, transfer and erasure) is limited to what is necessary for the purposes of the processing (‘privacy by design’ and ‘privacy by default’).
- Policy “Developing safely”.
- Performing DPIAs prior to new projects and new features that have a significant impact on the processing of Personal Data.
- Appointment of a Data Protection Officer who is also included in discussions about new features to be developed.
- Testing policy where developers check each other’s work (i.e. peer review) and provide constructive feedback.
- Penetration tests that extensively test how the system handles the processing of Personal Data.
- Business associate agreements with covered entities in which agreements are made with regard to the processing.
- Business associate agreements with sub-processors in which Business Associate makes agreements under which conditions Personal data may be processed.
2. Description of the measures to ensure that only authorized personnel have access to the processing of Personal Data.
- Business Associate has set up user profiles that determine who has which rights in which position.
- Changes in rights are assessed by management via change forms and go through a formal approval process.
- The CISO checks the allocation of rights several times a year.
- Business Associate adheres to the principle that no one should be authorized to control an entire cycle of actions in an information system such that availability, integrity or confidentiality can be compromised. If this is nevertheless necessary, all actions and times in the process are recorded by means of an audit trail.
- Administrative tasks are performed only when logged in as an administrator, normal usage tasks only when logged in as a user.
- During the year, Business Associate pays a lot of attention to transferring knowledge to Employees in the areas of privacy and information security.
- Backups are made every day and stored redundantly in two different locations.
- DTAP (development, test, acceptance, production) pipeline, in which a distinction is made between environments with and without Personal Data.
3. Description of the measures to protect the Personal Data against accidental or unlawful destruction, accidental loss or alteration, unauthorized or unlawful storage, processing, access or disclosure.
- Information is classified. The necessary security measures are determined on the basis of the classification.
- Incidents procedure: there is an incident procedure for actively reporting potential and current risks with regard to personal data and its security and privacy.
- Business Associate uses Microsoft OneDrive to store organizational data, so that this data is not stored locally, but is stored on a secure server.
- Password manager: we use a password manager to store our passwords securely.
- Virus scanner: a virus scanner is mandatory on all company-owned devices and BYOD devices.
- Disk encryption: all corporate-owned hard drives and BYOD devices are encrypted, so data cannot be retrieved from the hard drive if a device is lost.
- Logging: Log data is frequently checked for irregularities and details.
- Pentest: Business Associate frequently undergoes a pentest by leading parties (such as Deloitte) to test it for information security and privacy.
4. Description of the measures to identify vulnerabilities with regard to the Processing of Personal Data in the systems that are used to provide services to the Covered Entity.
- A Data Protection Impact Assessment (DPIA) is performed periodically. We also periodically inform our Employees about data security and the handling of privacy-sensitive information.
- Business Associate periodically reports to the Covered Entity on the technical and organizational security measures it has taken and any points for attention therein.
- Logging: Log data is frequently checked for irregularities and details.
- Pentest: Business Associate frequently undergoes a pentest by leading parties (such as Deloitte) to test it for information security and privacy.
Appendix 3: Specification of rates
Consultancy: EUR 150 per hour
- Advice and project support;
Support: EUR 125 per hour
- Implementation support;
- Integration support;
- Chatbot development.
Appendix 4: Contact details
This appendix contains the contact details of the Data Protection Officer of Zaurus B.V. who can be contacted with any questions/comments regarding privacy.
Primary point of contact
Data Protection Officer – Zaurus B.V.
Telephone: +31 (0)72-2029123
Secondary point of contact
CEO – Zaurus B.V.
Telephone: +31 (0)72-2029123