PHIPA DATA PROCESSING AGREEMENT
This Data Processing Agreement (“Agreement”) forms part of the SAAS SERVICES ORDER AGREEMENT (hereinafter referred to as the “Principal Agreement”) between Fairtility Ltd. (hereinafter referred to as “Fairtility”), acting on its own behalf, and the legal entity that has entered into the Principal Agreement with Fairtility for the provision of Fairtility’s Services (hereinafter referred to as the “Customer”), acting on its own behalf.
The terms used in this Agreement shall have the meanings set forth in this Agreement. Capitalized terms not otherwise defined herein shall take the meaning ascribed to them by PHIPA. The terms of this Agreement will apply only to the extent that they are required under PHIPA. Except as modified below, the terms of the Principal Agreement shall remain in full force and effect.
1. Definitions
In this Agreement, the following terms shall have the meanings set out below and cognate terms shall be construed accordingly:
“Subcontractor” means any subcontractor (including any third party) appointed by Fairtility to process Customer PHI on behalf of the Customer.
“PHIPA” means Ontario’s Personal Health Information Protection Act, 2004, and its regulations, as amended.
“PHI” means as defined under PHIPA, including any information about an identifiable individual that relates to their health, health care and related identifying information. In the context of this Agreement, this term shall pertain to PHI provided by or on behalf of the Customer as part of the Services.
“De-identified Data” means data derived from PHI that has undergone the de-identification process outlined in Annex 2 of this Agreement.
“Services” means the services to be supplied by Fairtility to the Customer pursuant to the Principal Agreement.
“Processing” means any operation performed on PHI, including collection, use, storage, disclosure, or disposal.
2. Roles of the Parties
In the course of providing the Services to the Customer pursuant to the Principal Agreement, Fairtility shall process PHI on behalf of the Customer as per the terms of this Agreement. The Parties hereby acknowledge and agree that, in relation to the processing of PHI, the Customer shall be deemed the Health Information Custodian (HIC) under PHIPA, and Fairtility shall be deemed the Agent.
The Parties agree to comply with PHIPA in relation to the processing of PHI.
3. Customer Obligations
The Customer represents and warrants that it has obtained all necessary consents, permissions, authorizations, or other valid legal bases under PHIPA to allow for the lawful collection, processing, and transfer of PHI to Fairtility (or any subcontractors) in accordance with this Agreement and the Principal Agreement.
4. Customer’s Processing Instructions
Customer hereby instructs Fairtility to process PHI for the purpose of providing the Services as described in the Principal Agreement. Fairtility shall process PHI only pursuant to Customer’s lawful documented instructions, including the Principal Agreement and other instructions communicated in writing directly to Fairtility and in accordance with the Description of Processing, attached hereto as Annex 2.
Fairtility may also process PHI where required by applicable laws to which Fairtility is subject, in which case Fairtility shall inform Customer of that legal requirement before the relevant processing of that PHI, unless prohibited from doing so by law.
Notwithstanding anything to the contrary in this Agreement or the above processing instructions, Customer hereby authorizes Fairtility to process De-identified Data derived from PHI for Fairtility’s legitimate business purposes, which may include among others product development and improvement (e.g., statistics, data annotation for machine learning and artificial intelligence model training), research and regulatory submissions.
5. Reliability and Non-Disclosure
Fairtility shall take reasonable steps to ensure the reliability of any employee, agent or subcontractor who may have access to the PHI, ensuring in each case that access is strictly limited to those individuals who require access to the relevant PHI.
Fairtility must ensure that all individuals who have a duty to process PHI:
- Are informed of the confidential nature of the PHI and are aware of Fairtility’s obligations under this Agreement and the Principal Agreement in relation to the PHI;
- Have undertaken appropriate training in relation to data protection;
- Are subject to confidentiality undertakings or professional or statutory obligations of confidentiality; and
- Are subject to user authentication and login processes when accessing the PHI in accordance with this Agreement, the Principal Agreement and Data Protection Laws.
6. PHI Security
Fairtility shall implement appropriate safeguards to protect PHI from unauthorised access, loss or theft. Details of Fairtility’s security measures are outlined in Annex 1.
7. Subcontractors
Fairtility may engage subcontractors to process PHI, provided that:
a) Fairtility ensures that the subcontractor is bound by written obligations substantially equivalent to those imposed on Fairtility under this Agreement;
b) The subcontractor implements adequate safeguards to protect PHI in compliance with PHIPA; and
c) Fairtility remains fully liable to Customer for the acts and omissions of any subcontractor engaged in the processing of PHI.
Fairtility will provide a list of subcontractors involved in processing PHI upon request by the Customer.
8. Data Subject Rights
Fairtility acknowledges that Customer is the Health Information Custodian (HIC) under PHIPA and is responsible for fulfilling data subject rights requests, including access, correction, and withdrawal of consent related to PHI.
In the event that Fairtility receives a request from an individual exercising their rights under PHIPA (including, but not limited to, requests for access to, correction of, or deletion of their PHI), Fairtility shall promptly notify Customer and provide all reasonable assistance to enable Customer to respond to the request within the timelines set out by PHIPA, including:
(a) Providing Customer with information in its possession that is necessary to comply with data subject requests;
(b) Implementing any necessary technical or organizational measures to facilitate the exercise of data subject rights;
(c) Assisting in the correction or deletion of PHI if required by the Customer, in compliance with PHIPA.
Fairtility shall not respond to any direct requests from individuals regarding their PHI unless explicitly authorized to do so by Customer.
9. PHI Breach
In the event of a privacy breach involving PHI, Fairtility shall:
(a) Notify Customer within 48 hours of discovering the breach;
(b) Provide detailed information about the nature, cause, and potential impact of the breach, including:
(i) The date and time the breach was discovered;
(ii) The PHI affected;
(iii) Actions taken to contain the breach and mitigate risks;
(c) Take reasonable steps to cooperate with Customer to assess the breach, mitigate any harm, and fulfill reporting obligations under PHIPA.
In the event of a PHI Breach, Fairtility shall not inform any third party without first obtaining the Customer’s prior written consent, unless notification is required by applicable law to which Fairtility is subject, in which case Fairtility shall, to the extent permitted by such law, inform the Customer of that legal requirement and provide a copy of the proposed notification.
10. Destruction or Return of PHI
Upon request from Customer and/or upon expiration or termination of the Principal Agreement, within ninety (90) calendar days of receipt of the request or expiration or termination of the Principal Agreement, Fairtility will securely destroy or, if directed in writing by Customer, return and not retain, all or any PHI in its possession or control. Fairtility may temporarily retain one copy made for backup purposes in the ordinary course of business, provided that such an archive copy will be subject to the ongoing obligations contained herein and shall be destroyed upon the normal expiration of backup files in accordance with Fairtility’s backup procedures. Fairtility shall provide any such returned PHI in the format and media reasonably specified by Customer, together with information sufficient for Customer to interpret such information. Upon request, Fairtility will certify in writing that it has destroyed the PHI.
If any law, regulation, or government or regulatory authority requires Fairtility to retain any PHI that Fairtility would otherwise be required to return or destroy, Fairtility will notify Customer in writing of such retention requirement, to the extent legally permitted. In such an event, Fairtility shall retain such data in compliance with all applicable data protection laws, including PHIPA.
Notwithstanding the foregoing, Fairtility may retain and use anonymized data derived from PHI for as long as it is necessary for Fairtility’s internal legitimate business purposes at its own discretion, provided that: (i) Fairtility ensures that such data does not in any way identify and cannot be reasonably associated with a particular individual; (ii) Fairtility implements appropriate technical and organizational measures to safeguard the anonymization process and prevent any reasonably potential re-identification; and, (iii) Fairtility maintains and uses such data without attempting to re-identify it.
11. Audit rights
Fairtility shall make available to the Customer, upon request, all information necessary to demonstrate compliance with this Agreement and shall allow for, and contribute to, audits, including inspections by the Customer or another auditor mandated by the Customer of any premises where the Processing of PHI takes place. Fairtility shall permit the Customer or another auditor mandated by the Customer to inspect and audit in order that the Customer may satisfy itself that the provisions of this Agreement are being complied with. Fairtility shall provide cooperation to the Customer with respect to any such audit. Audits will take place during normal business hours and will not unreasonably interfere with or damage Fairtility’s business activities and information and network systems. Any audit performed by Customer or another auditor mandated by the Customer shall be subject to Fairtility’s confidentiality obligations and shall not be more frequent than annually, unless a PHI Breach occurs or there is a reasonably suspected breach of data protection laws or this Agreement by Fairtility. Customer shall bear the costs and expenses of audits, unless they are conducted as a result of a PHI Breach.
12. International Transfers of PHI
Fairtility acknowledges that Customer is the Health Information Custodian (HIC) under PHIPA and retains responsibility for the protection of PHI, regardless of where it is processed or stored.
Fairtility may transfer or store PHI outside of Canada only as authorized under this Agreement, and such transfers shall be subject to:
(a) Adequate safeguards to ensure compliance with PHIPA and equivalent levels of protection as required under Canadian law;
(b) Technical and organizational measures to protect PHI from unauthorized access, loss, or disclosure.
Fairtility shall provide Customer with information about the jurisdictions where PHI may be stored or accessed upon request.
If required by applicable law, Fairtility shall assist Customer in ensuring compliance with transparency obligations related to international transfers, including providing information to enable Customer to notify affected individuals.
13. Authorized User Data
Fairtility may collect and process personal information of authorized users of its Services (“Authorized Users”) (e.g., names, contact details, roles, login credentials and login and usage activity) for the purpose of providing the Services, maintaining system security, providing support and improving functionality and quality of the Services.
Depending on the scope of the Services, Fairtility may also collect and process personal information of staff members of Customer’s clinic (“Staff KPI Data”) (e.g., names, clinic activity logs, and performance insights), for the purpose of generating Key Performance Indicators (“KPIs”), as outlined in the Principal Agreement.
Data related to Authorized Users and Staff KPI Data shall not be considered PHI under this Agreement but will be processed in accordance with applicable privacy laws, including Ontario privacy legislation where relevant. Fairtility shall implement appropriate safeguards to protect such data, consistent with the standards outlined in Annex 1.
Customer is responsible for ensuring that all Authorized Users comply with this Agreement and relevant privacy and security requirements when using Fairtility’s platform.
14. General Terms
Subject to this section, the Parties agree that this Agreement shall terminate automatically upon termination of the Principal Agreement or expiry or termination of all service contracts entered into by Fairtility with the Customer, pursuant to the Principal Agreement, whichever is later.
Any obligation imposed on Fairtility under this Agreement in relation to the Processing of PHI shall survive any termination or expiration of this Agreement.
This Agreement shall be governed by the governing law of Israel.
With regard to the subject matter of this Agreement, in the event of inconsistencies between the provisions of this Agreement and any other agreements between the Parties, including but not limited to the Principal Agreement, the provisions of this Agreement shall prevail with regard to the PHI shared between the Parties.
Should any provision of this Agreement be invalid or unenforceable, then the remainder of this Agreement shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.
This Agreement forms an integral part of the Principal Agreement between the Parties and is effective and binding upon execution of the Principal Agreement. Signature of this Agreement is not mandatory for its validity.
ANNEX 1: ORGANISATIONAL AND TECHNICAL MEASURES
- Organizational security measures
Security Management
- Security policy and procedures: Fairtility to document a security policy with regard to the processing of PHI.
- Roles and responsibilities:
- Roles and responsibilities related to the processing of PHI to be clearly defined and allocated in accordance with the security policy.
- Revocation of rights and responsibilities, together with the respective hand-over procedures, is clearly defined for internal re-organizations, terminations and changes of employment.
- Access Control Policy: Specific access control rights are allocated to each role involved in the processing of PHI, following the need-to-know principle.
- Resource/asset management: Fairtility has a register of the IT resources used for the processing of PHI (hardware, software, and network). A specific person is assigned the task of maintaining and updating the register (e.g. IT officer).
- Change management: Fairtility makes sure that all changes to the IT system are registered and monitored by a specific person (e.g. IT or security officer). Regular monitoring of this process takes place.
Incident response and business continuity
- Incidents handling / PHI breaches:
- An incident response plan with detailed procedures is defined to ensure an effective and orderly response to incidents pertaining to PHI.
- Fairtility will report without undue delay to Customer any security incident that has resulted in a loss, misuse or unauthorized acquisition of any PHI.
- Business continuity: Fairtility establishes the main procedures and controls to be followed in order to ensure the required level of continuity and availability of the IT system processing PHI (in the event of an incident/PHI breach).
Human resources
- Confidentiality of personnel: Fairtility ensures that all employees understand their responsibilities and obligations related to the processing of PHI. Roles and responsibilities are clearly communicated during the pre-employment and/or induction process.
- Training: Fairtility ensures that all employees are adequately informed about the security controls of the IT system that relate to their everyday work. Employees involved in the processing of PHI are also properly informed about relevant data protection requirements and legal obligations through regular awareness campaigns.
- Technical security measures
Access control and authentication
- An access control system applicable to all users accessing the IT system is implemented. The system allows creating, approving, reviewing and deleting user accounts.
- The use of common user accounts is avoided. In cases where this is necessary, it is ensured that all users of the common account have the same roles and responsibilities.
- When granting access or assigning user roles, the “need-to-know principle” shall be observed in order to limit the number of users having access to PHI only to those who require it for achieving Fairtility’s processing purposes.
- Where authentication mechanisms are based on passwords, Fairtility requires the password to be at least eight characters long and conform to very strong password control parameters including length, character complexity, and non-repeatability.
- The authentication credentials (such as user ID and password) shall never be transmitted unprotected over the network.
Logging and monitoring: Log files are activated for each system/application used for the processing of PHI. They include all types of access to data (view, modification, deletion).
Security of data at rest
- Server/Database security
- Database and applications servers are configured to run using a separate account, with minimum OS privileges to function correctly.
- Database and application servers only process the PHI that is actually needed to achieve their processing purposes.
- Workstation security:
- Users are not able to deactivate or bypass security settings.
- Anti-virus applications and detection signatures are configured on a regular basis.
- Users don’t have privileges to install or deactivate unauthorized software applications.
- The system has session time-outs when the user has not been active for a certain time period.
- Critical security updates released by the operating system developer are installed regularly.
Network/Communication security:
- Whenever access is performed through the Internet, communication is encrypted through cryptographic protocols.
- Traffic to and from the IT system is monitored and controlled through Firewalls and Intrusion Detection Systems.
Data Back-ups:
- Backup and data restore procedures are defined, documented and clearly linked to roles and responsibilities.
- Backups are given an appropriate level of physical and environmental protection consistent with the standards applied on the originating data.
- Execution of backups is monitored to ensure completeness.
Mobile/Portable devices:
- Mobile and portable device management procedures are defined and documented establishing clear rules for their proper use.
- Mobile devices that are allowed to access the information system are pre-registered and pre-authorized.
Application lifecycle security: During the development lifecycle, best-practice, state-of-the-art and well-acknowledged secure development practices or standards are followed.
Data deletion/disposal:
- Software-based overwriting will be performed on media prior to their disposal. In cases where this is not possible (CDs, DVDs, etc.), physical destruction will be performed.
- Shredding of paper and portable media used to store PHI is carried out.
Physical security: The physical perimeter of the IT system infrastructure is not accessible by non-authorized personnel. Appropriate technical measures (e.g. intrusion detection system, chip-card operated turnstile, single-person security entry system, locking system) or organizational measures (e.g., security guard) shall be set in place to protect security areas and their access points against entry by unauthorized persons.
ANNEX 2: DETAILS OF THE DATA PROCESSING
The categories of data subjects to whom the PHI relates
Patients of the Customer: IVF treatment patients at the Customer’s clinic who are the subject of data processing.
The types of PHI
1. Pseudonymized Patient Data:
a. Embryo and Oocyte Images and Videos
b. Patient Metadata and Related Clinical Information: Collected automatically through the clinics’ Time Lapse Incubator (TLI) devices or provided by the Customer, including but not limited to:
· Fertility Treatment Clinical Data: clinic name/ID, country, TLI (device) ID, slide ID, patient ID, well ID, image/video ID, treatment ID, cycle ID, other IDs used by the clinic, date of treatment, date of fertilization, date of oocyte retrieval, date of transfer.
· Patient and Donor Age: age of the patient (by month and year), age of the oocyte, age of the ovum donor (by month and year), where applicable.
· Insemination and Embryo Details.
· Clinical and Diagnostic Data: unidentified clinical information, medical results and demographics as determined by the Customer.
c. Embryo and Oocyte AI Insights: data produced through Fairtility’s Services, including, but not limited to, cell division events (by hour), AI-based predictions, abnormalities, embryo and oocyte ranks and scores, and blastocyst formation status.
d. Additional Pseudonymized Patient Data: Any other pseudonymized patient data required for the provision of Services.
2. Optional Data – Patient Direct Identifiers:
For clarification, the processing of any/all of the following data is optional, and is not enabled unless actively requested by the Customer:
a. Name: First and last name, stored by default only in abbreviated form (first name and first letter of last name), or stored in full form per Customer’s active request;
b. E-mail address.
The nature and purpose of the processing
Pseudonymized Patient Data is processed for the following purposes:
- Providing the Core Services: collection, storage and analysis of data through Fairtility’s artificial intelligence tools, to deliver embryo and oocyte quality assessments and other IVF related insights and predictions. These insights aim to improve the efficiency and outcomes of IVF procedures or support additional purposes as outlined in the Principal Agreement.
- Providing KPI Services: In addition, for customers using CHLOE KPI™, data will be aggregated and analysed for the generation of Key Performance Indicators (“KPIs”), intended to provide health care professionals with analytical insights into their lab and clinic operation, as outlined in the Principal Agreement.
- De-identification for Fairtility’s Legitimate Business Purposes: Pseudonymized Patient Data undergoes an additional de-identification process, as outlined below, after which such data is used for Fairtility’s legitimate business purposes, including without limitation product development and improvement (e.g., data annotation for machine learning and artificial intelligence model training) and regulatory submissions.
De-identification Process (“De-identified Data”):
De-identified Data is Patient Data that undergoes a de-identification process which involves the following steps:
a. Full removal of direct identifiers (name and email address, to the extent Customer chose to share such data).
b. One-way hashing of pseudonymous patient identifiers used by the clinic to ensure irreversibility, including the hashing of: Slide ID; Patient ID; Well ID; Device ID; Clinic name/ID; Image/video name; Treatment ID; Cycle ID and any other internal ID that may be used by the clinic.
c. Rounding date-based data points down to full years to further protect privacy, such as:
· Patient age
· Oocyte age
· Treatment date
· Oocyte retrieval date
· Fertilization date
· Transfer date
Safeguards Applied to De-identified Data
- Secure Data Storage: De-identified Data will be stored and accessed within a dedicated, fully secured environment to ensure data isolation and protection.
- Hash Key Security: One-way hashing keys will be safeguarded using industry-standard security measures to prevent unauthorized access.
- Irreversible Hashing: Hashing is strictly one-way, preventing any reversal from De-identified Data back to the original pseudonymized data, thereby ensuring data protection and privacy.
- Non-Identifiable Data Points: Inherently non-identifiable data points, such as fertilization type, country-level location, and hours post-insemination, will remain unchanged to preserve data utility without compromising privacy.
- Restricted Data Usage: Following the de-identification process, De-identified Data will be used solely for Fairtility’s legitimate business purposes.
- Key Deletion Upon Contract Termination: Upon contract termination, the one-way hashing key will be permanently deleted.
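The de-identification steps (a) to (c) and the hash-key safeguards above can be read as one transformation applied to each pseudonymized record. The following Python is an added illustration written for this page; it is not Fairtility’s code and Annex 2 does not define a schema or a hashing algorithm, so the field names, the choice of HMAC-SHA256 as the keyed one-way hash, and the sample record are all assumptions. It shows why the hash is keyed (a plain hash of a short clinic ID could be recovered by hashing candidate IDs) and why unclassified fields are rejected rather than passed through.

```python
import hmac
import hashlib
import secrets
from datetime import date

# Field classification follows the three de-identification steps in Annex 2.
# The field names are assumptions for illustration; Annex 2 names the
# categories, not a schema.
DIRECT_IDENTIFIERS = frozenset({"name", "email"})                  # step a: removed
PSEUDONYMOUS_IDS = frozenset({"slide_id", "patient_id", "well_id", "device_id",
                              "clinic_id", "image_id", "treatment_id",
                              "cycle_id"})                          # step b: keyed hash
DATE_FIELDS = frozenset({"treatment_date", "retrieval_date",
                         "fertilization_date", "transfer_date"})   # step c: year only
AGE_MONTH_FIELDS = frozenset({"patient_age_months", "oocyte_age_months",
                              "donor_age_months"})                 # step c: full years
NON_IDENTIFYING = frozenset({"fertilization_type", "country",
                             "hours_post_insemination"})           # kept unchanged


def new_hashing_key() -> bytes:
    """Generate a per-customer hashing key (32 random bytes).
    In production the key would be held in a secrets manager ("Hash Key
    Security") and deleted at contract termination ("Key Deletion"); once the
    key is gone, no new record can be hashed to match the existing ones."""
    return secrets.token_bytes(32)


def hash_identifier(key: bytes, value: str) -> str:
    """Keyed one-way hash of a clinic identifier.
    Annex 2 requires a keyed one-way hash but names no algorithm; HMAC-SHA256
    is assumed here. The key is what makes the mapping irreversible: an
    unkeyed SHA-256 of a low-entropy value such as 'P-001' could be matched
    by hashing every plausible ID and comparing."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def deidentify(record: dict, key: bytes) -> dict:
    """Apply the Annex 2 de-identification steps to one pseudonymized record.
    Unknown fields raise instead of being copied, so a column added upstream
    cannot reach De-identified Data without review."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            continue                                              # step a: drop
        if field in PSEUDONYMOUS_IDS:
            out[field] = hash_identifier(key, str(value))         # step b
        elif field in DATE_FIELDS:
            out[field] = value.year                               # step c: year only
        elif field in AGE_MONTH_FIELDS:
            years_field = field[:-len("_months")] + "_years"
            out[years_field] = value // 12                        # step c: floor to full years
        elif field in NON_IDENTIFYING:
            out[field] = value
        else:
            raise ValueError(f"unclassified field {field!r}; refusing to pass it through")
    return out


# Constructed sample record (not real patient data) in the shape Annex 2 describes.
SAMPLE_RECORD = {
    "name": "Jane D.",
    "email": "jane@example.invalid",
    "clinic_id": "clinic-42",
    "patient_id": "P-001",
    "treatment_id": "T-77",
    "cycle_id": "C-3",
    "slide_id": "S-9",
    "well_id": "W-2",
    "device_id": "TLI-5",
    "image_id": "img-0001",
    "patient_age_months": 420,          # exactly 35 years
    "oocyte_age_months": 421,           # 35 years 1 month, rounds down to 35
    "treatment_date": date(2023, 5, 14),
    "fertilization_date": date(2023, 5, 15),
    "transfer_date": date(2023, 5, 20),
    "fertilization_type": "ICSI",
    "country": "CA",
    "hours_post_insemination": 18.5,
}


if __name__ == "__main__":
    key = new_hashing_key()
    print(deidentify(SAMPLE_RECORD, key))
```

Because the same key is used for every record of a customer, hashed IDs stay consistent across records, so treatments, cycles and images can still be joined within the de-identified set; a different key (or a deleted one) produces unrelated values, which is the property the "Key Deletion Upon Contract Termination" safeguard relies on.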
Patient Direct Identifiers (to the extent enabled by Customer) are processed for the following purposes:
- Identification and Usability: The patient’s name is processed to ensure that Platform Users can accurately associate data and insights with the correct patient, thereby minimizing errors and enhancing platform usability. To uphold data minimization principles and promote privacy, this name is displayed in abbreviated form unless otherwise specified by the Customer.
- Secure Data Sharing with Patient: The patient’s email address is processed to enable Platform Users to share Patient Data securely with the patient via the Platform’s data-sharing feature.