1. Definitions
In this Data Processing Agreement ("DPA"):
- "Controller" means the entity that determines the purposes and means of processing
- "Processor" means RapidTriageME/YarlisAISolutions
- "Data Subject" means the individual to whom personal data relates
- "Personal Data" means information relating to an identified or identifiable person
2. Processing of Personal Data
Processor shall:
- Process Personal Data only on documented instructions from Controller
- Ensure persons authorized to process Personal Data are under confidentiality obligations
- Implement appropriate technical and organizational measures
- Assist Controller in responding to Data Subject requests
3. Security Measures
Processor implements:
- Pseudonymization and encryption of Personal Data
- Ongoing confidentiality, integrity, availability, and resilience
- Ability to restore availability and access in a timely manner
- Regular testing and evaluation of security measures
4. Sub-processors
Controller authorizes Processor to engage sub-processors, provided:
- Processor maintains a list of sub-processors
- Processor notifies Controller of changes
- Sub-processors are bound by similar obligations
5. Data Subject Rights
Processor shall assist Controller in fulfilling obligations to respond to Data Subject requests for:
- Access to their Personal Data
- Rectification or erasure
- Restriction of processing
- Data portability
6. Data Breach Notification
Processor shall notify Controller without undue delay after becoming aware of a Personal Data breach, providing:
- Nature of the breach
- Categories and numbers of Data Subjects affected
- Likely consequences
- Measures taken or proposed
7. Audit Rights
Processor shall make available to Controller all information necessary to demonstrate compliance and allow for audits.
8. Data Deletion
Upon termination, Processor shall, at Controller's choice, delete or return all Personal Data and delete existing copies unless legally required to retain.
9. Liability
Each party's liability arising under this DPA shall be subject to the limitations set forth in the Terms of Service.
10. Governing Law
This DPA is governed by the same law as the Terms of Service.