Data Processing Addendum
This Data Processing Addendum (DPA) forms a part of the Claimable Terms of Service found at https://www.claimable.com/terms-of-service.
With effect from 25th May 2018 the terms of this Data Processing Addendum shall apply to the relationship between the parties.
General
Both parties warrant that they will comply with their respective obligations under the privacy and data protection laws, including the GDPR when applicable, and the terms of this Data Processing Addendum.
For the purpose of this Data Processing Addendum the Customer is the “data Controller” and Claimable is the “data Processor”.
Definitions
In this Addendum, the following terms shall have the meanings set out below:
- ‘Controller’: The natural or legal person, public authority or any other body which determines the purposes and means of the processing of Customer Data.
- ‘Customer Data’: Any Personal data provided to Claimable for processing by the Customer.
- ‘Data Subject’: An identifiable natural person about whom the Controller holds the data.
- ‘GDPR’: General Data Protection Regulation 2016/679.
- ‘Personal Data’: Any information relating to a Data Subject who can be identified directly or indirectly.
- ‘Processor’: A natural or legal person, public authority, agency or any other body which processes Personal Data on behalf of the Controller.
- ‘Sub-processor’: A natural or legal person, public authority, agency or any other body contracted by the Processor to process Personal Data for the purpose of carrying out a specific processing activity.
- ‘Supervisory Authority’: An independent public authority which is established by a Member State pursuant to Article 51 of GDPR.
Controller Obligations in Relation to Customer Data
1.1 The Customer warrants that all instructions provided to Claimable in relation to the processing of Customer Data are lawful and shall include:
  - Nature and purpose of processing.
  - Type of Personal Data to be processed.
  - Categories of Data Subjects.
- The Customer shall only provide instructions to Claimable that are in accordance with the Terms of Service and this Data Processing Addendum.
- The Customer acknowledges that, as Controller, it is solely responsible for determining the lawful processing condition.
- It is the obligation of the Customer as Controller to obtain consent from the Data Subject. If your legal counsel determines you need to obtain consent before using Claimable, make sure you only enter data of those customers who provided the required consent.
- The Customer should not share classes of data (e.g. sexual orientation, religion-related information) that are not relevant to the management of claims.
- The parties acknowledge that processing of EEA resident Personal Data shall be lawful only if at least one of the following conditions applies:
  - The Data Subject has given consent.
  - Processing is necessary for the performance of a contract to which the Data Subject is party.
  - Processing is necessary in order to protect the vital interests of the Data Subject.
  - Processing is necessary for the performance of a task carried out in the public interest.
  - Processing is necessary for the purposes of the legitimate interests of the Controller or a third party, provided such interests are not overridden by the interests or fundamental rights of the Data Subject.
Processor Obligations in Relation to Customer Data
- Claimable acting as the Processor shall:
- Only carry out processing of Customer Data in accordance with the Controller documented instructions.
- Notify the Customer without undue delay of any requests received by a Data Subject and assist the Customer with fulfilling the request by taking appropriate technical and organisational measures when possible.
- Take appropriate security measures for the protection of the security, confidentiality and integrity of Customer Data and resilience of the Service.
- Inform the Customer without undue delay when becoming aware of a breach of security that can result in a risk to the rights and freedoms of natural persons. The obligations herein shall not apply to incidents that are caused by the Customer, Authorized Users and/or any Non-Claimable Products.
- Detect and report Personal Data breaches in a timely manner.
- Ensure that persons authorised to access Customer Data have committed themselves to confidentiality.
- Make available to the Customer all information necessary to demonstrate compliance with the GDPR.
- Assist the Customer with keeping Personal Data secure.
- At the end of the provision of service, at the choice of the Controller, delete or return all Personal Data to the Controller and delete existing copies unless Union or Member State law requires storage of the data.
- Ensure the ability to restore the availability and access to Customer Data in a timely manner in the event of a physical or technical incident.
Processing Operations
- 1.1 The personal data submitted to Claimable will be processed in accordance with the Customer instructions and may be subject to the following processing activities:
- Storage and other processing necessary to provide, maintain and improve the Services provided to the Customer.
- Provide technical support to the Customer.
- Disclosures in accordance with the Terms of Service, as compelled by law.
Use of Sub-processors
- The Customer provides their consent for Claimable to use Sub-processors.
- Where required by law Claimable shall inform the Customer of any changes concerning the addition or replacement of a Sub-processor.
- The Customer may reasonably object to a new Sub-processor.
Transfers of EEA Resident Personal Data to Third Countries
- Claimable shall not cause or permit any Customer Data belonging to an EEA resident to be transferred outside of the EEA unless this is necessary for Claimable to carry out its obligations.
- A transfer of Personal Data to a third country or an international organisation shall take place only if one of the following specific conditions applies. In such circumstances, the Customer as Controller shall determine, and is solely liable for ensuring, that one of these exceptions (Article 49 GDPR) applies:
- The Data Subject has consented to the transfer after having been informed of the risks.
- The transfer is necessary for the conclusion or performance of a contract between the Data Subject and the Customer.
- Transfer is necessary for reasons of public interest.
- The transfer is necessary for the defence of legal claims.
- The transfer is necessary to protect the vital interests of the Data Subject.