Last Updated: February 12, 2026
This Data Processing Addendum (this DPA) forms part of the Terms of Service, Master Services Agreement, Order Form, or other service agreement (the Agreement) between CustomerLabs Inc (CustomerLabs, Processor, Business Associate, we, us) and the customer accepting this DPA (Customer, Controller, Covered Entity or Business Associate as applicable, you). This DPA applies to the Processing of Customer Data by CustomerLabs on behalf of Customer in connection with the Services.
Acceptance and Effective Date (Clickwrap).
This DPA becomes effective on the date Customer: (a) clicks "I agree" (or similar) to the Agreement and/or this DPA, (b) executes an Order Form that incorporates this DPA by reference, or (c) otherwise accesses or uses the Services (the Effective Date).
Order of Precedence.
1) If there is any conflict between this DPA and the Agreement, this DPA controls only with respect to the parties' data protection, privacy, security obligations, and Processing terms.
2) If there is any conflict between Annex B (International Transfers) and any other provision of the Agreement or this DPA, Annex B prevails for restricted transfers.
3) If there is any conflict between Annex F (HIPAA Business Associate Agreement) and any other provision of the Agreement or this DPA, Annex F prevails with respect to PHI and HIPAA obligations.
Contact for DPA Notices: support@customerlabs.co
Capitalized terms not defined in this DPA have the meanings given in the Agreement.
1.1 Applicable Data Protection Laws means all data protection, privacy, and security laws applicable to the Processing of Personal Data under this DPA, including where applicable: the GDPR, UK GDPR, the Data Protection Act 2018, Swiss FADP, and applicable US state privacy laws (including the CCPA as amended by the CPRA and similar state laws), and other local privacy laws.
1.2 Customer Data means Personal Data, and where applicable PHI, submitted to, stored in, transmitted through, or otherwise made available to the Services by or on behalf of Customer, including Personal Data contained in event payloads, identifiers, and custom properties.
1.3 Customer Controlled Destinations means third party services, platforms, endpoints, integrations, data partners, or systems that Customer (or its authorized users) configures or authorizes to receive Customer Data from the Services, including advertising platforms, analytics platforms, CRMs, warehouses, cloud storage destinations, and Customer's own systems.
1.4 Personal Data means any information relating to an identified or identifiable natural person, or equivalent concept under Applicable Data Protection Laws.
1.5 Processing means any operation or set of operations performed on Personal Data, as defined in Applicable Data Protection Laws.
1.6 Special Category Data means special categories of personal data under GDPR Article 9 and analogous sensitive data under other Applicable Data Protection Laws.
1.7 Subprocessor means a third party engaged by CustomerLabs to Process Customer Data on CustomerLabs' behalf.
1.8 Personal Data Breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data.
1.9 Becomes Aware means CustomerLabs becomes aware of a Personal Data Breach when CustomerLabs' security team confirms that an incident has resulted in unauthorized access to, or unauthorized disclosure of, Customer Data. CustomerLabs will investigate suspected incidents promptly and in good faith.
1.10 Government Request means any legally binding request, demand, order, subpoena, warrant, national security request, or other legal process issued by a government authority (including law enforcement) seeking access to or disclosure of Customer Data.
1.11 EU SCCs means the EU Standard Contractual Clauses adopted by the European Commission under Commission Implementing Decision (EU) 2021/914.
1.12 UK Addendum means the UK International Data Transfer Addendum to the EU SCCs issued by the UK ICO under section 119A of the Data Protection Act 2018, as updated from time to time.
1.13 HIPAA Terms. The terms Business Associate, Covered Entity, Protected Health Information, PHI, ePHI, Breach, Unsecured PHI, and Security Incident have the meanings set forth in HIPAA or, if not defined therein, in 45 CFR Parts 160 and 164.
2.1 Customer as Controller. Customer is the Controller of Customer Data and determines the purposes and means of Processing.
2.2 CustomerLabs as Processor. CustomerLabs acts as a Processor of Customer Data and will Process Customer Data only on documented instructions from Customer and only as necessary to provide the Services, except where Processing is required by applicable law or expressly permitted under this DPA.
2.3 No joint control. CustomerLabs is not a joint controller of Customer Data and does not determine the purposes or means of Processing Customer Data.
2.4 HIPAA roles (when applicable). If Customer is a Covered Entity or Business Associate and Customer Data includes PHI, then CustomerLabs acts as a Business Associate (or subcontractor Business Associate as applicable) and Annex F applies to the parties' handling of PHI.
3.1 Documented instructions. Customer instructs CustomerLabs to Process Customer Data to: (a) provide, maintain, secure, and support the Services, (b) perform CustomerLabs' obligations and exercise CustomerLabs' rights under the Agreement, (c) process Customer Data as configured and used by Customer through the Services, including via APIs, SDKs, and settings, and (d) where Customer Data includes PHI and HIPAA applies, Process PHI as permitted under Annex F.
3.2 Compliance with Applicable Data Protection Laws. Customer represents and warrants that its instructions and its use of the Services comply with Applicable Data Protection Laws, including transparency obligations, lawful basis, and where applicable requirements for Special Category Data and PHI. CustomerLabs represents and warrants that it will Process Customer Data in accordance with Applicable Data Protection Laws applicable to CustomerLabs in its role as a Processor and, where applicable, a Business Associate or service provider/contractor, and in accordance with this DPA.
3.3 Illegal instructions. CustomerLabs will inform Customer if CustomerLabs reasonably believes an instruction infringes Applicable Data Protection Laws.
3.4 Customer configuration. Customer is responsible for configuring the Services appropriately, including deciding which fields and event properties to transmit, applying data minimization, and using any available configuration controls.
3.5 Data activation and Customer Controlled Destinations
(a) Customer may configure the Services to transmit Customer Data to Customer Controlled Destinations. Customer instructs CustomerLabs to transmit Customer Data to such Customer Controlled Destinations as configured by Customer.
(b) Customer Controlled Destinations are not Subprocessors of CustomerLabs for purposes of this DPA. CustomerLabs acts as a Processor in transmitting Customer Data to Customer Controlled Destinations on Customer's instructions and does not determine the purposes or means of Processing performed by such Customer Controlled Destinations.
(c) Customer is solely responsible for its relationship with and configuration of Customer Controlled Destinations, including ensuring it has provided required notices, obtained required consents, and established a valid lawful basis for disclosures or transfers of Customer Data to such destinations.
(d) Customer is responsible for ensuring it does not transmit data to Customer Controlled Destinations in violation of Applicable Data Protection Laws or the destination's terms and policies, including by excluding fields or properties that should not be shared.
(e) CustomerLabs is responsible for protecting Customer Data while it is processed within the Services and during transmission to Customer Controlled Destinations using the security measures described in Annex C. CustomerLabs is not responsible for the privacy, security, or Processing practices of Customer Controlled Destinations after receipt of Customer Data.
(f) PHI restriction for activation. Customer will not configure the Services to transmit PHI to advertising or marketing platforms, ad networks, social media platforms, or other recipients that are not permitted to receive PHI under HIPAA. Customer is responsible for excluding PHI from outbound payloads and destinations.
3.6 AI and automated processing
CustomerLabs may use automated processing, including rules and machine assisted techniques, to provide and operate the Services and to improve the performance, reliability, functionality, and security of the Services (for example deduplication, matching, routing, quality checks, fraud or abuse prevention, and debugging). Unless expressly agreed in writing, CustomerLabs will not use Customer Data to train general purpose machine learning or AI models that are made available to third parties.
4.1 Regional hosting. Customer Data is hosted on Google Cloud Platform (GCP) infrastructure in the region selected by Customer (as available in the Services). Processing primarily occurs in the selected region.
4.2 Available regions. Regions may include, as made available by CustomerLabs from time to time: US Multi Region, EU Multi Region, London (Europe West2), Australia (Australia Southeast1), India (Asia South1), Singapore (Asia Southeast1), Middle East (ME Central1), and Saudi Arabia (ME Central2).
4.3 Remote access. Customer acknowledges and agrees that authorized CustomerLabs personnel may access Customer Data remotely from jurisdictions outside the selected hosting region, including India, for support, maintenance, incident response, and security operations. Such access is restricted by safeguards including role based controls, allowlisting where implemented, logging, and audit monitoring (Annex C).
4.4 Regional hosting vs access restrictions. Regional hosting relates to data storage and primary Processing location and does not, by itself, restrict remote access by authorized CustomerLabs personnel from other jurisdictions for support, maintenance, security operations, and incident response, subject to this DPA. Any additional restrictions on remote access or personnel location apply only if expressly agreed in an Order Form or written addendum.
5.1 Platform capability. The Services may allow Customer to transmit and store Special Category Data and PHI through Customer's configuration and use of the Services.
5.2 Processing on instruction only. CustomerLabs will Process Special Category Data and PHI solely on Customer's documented instructions and solely for providing the Services, and for PHI as permitted by Annex F, applying the safeguards set forth in Annex C.
5.3 Customer responsibility. Customer is solely responsible for: (a) establishing a lawful basis and conditions for processing Special Category Data, (b) obtaining any required consents and providing required notices, (c) conducting any required DPIA or assessments, and (d) ensuring the categories of Customer Data it submits comply with Applicable Data Protection Laws, including HIPAA where applicable.
5.4 No independent classification. CustomerLabs does not independently review, monitor, or determine whether Customer transmits Special Category Data or PHI. Customer controls what it submits.
CustomerLabs will ensure persons authorized to Process Customer Data are bound by confidentiality obligations and Process Customer Data only on Customer's documented instructions unless required by applicable law.
7.1 Technical and organizational measures. CustomerLabs will implement and maintain appropriate technical and organizational measures designed to protect Customer Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data, as described in Annex C.
7.2 Encryption. CustomerLabs uses encryption in transit (TLS) and encryption at rest using GCP managed encryption (default key management), as described in Annex C.
7.3 Customer security responsibilities. Customer is responsible for configuring the Services appropriately, including selecting destinations and integrations, controlling user access, and applying data minimization.
8.1 Authorized Subprocessors. Customer authorizes CustomerLabs to engage the Subprocessors listed in Annex D.
8.2 Subprocessor obligations. CustomerLabs will enter into a written agreement with each Subprocessor imposing data protection obligations substantially similar to those in this DPA. Where Customer Data includes PHI and HIPAA applies, CustomerLabs will ensure Subprocessors that create, receive, maintain, or transmit PHI on CustomerLabs' behalf agree to the same restrictions and conditions that apply to CustomerLabs with respect to PHI, as required by HIPAA.
8.3 Subprocessor changes and notice. CustomerLabs will provide at least thirty (30) days' prior notice of any intended addition or replacement of a Subprocessor by email notice to Customer's designated account owner email address (or other email address provided by Customer for legal or privacy notices). Customer may object in writing on reasonable data protection grounds within the notice period by emailing support@customerlabs.co. If the parties cannot resolve the objection, Customer may terminate the affected Services in accordance with the Agreement.
8.4 Liability for Subprocessors. CustomerLabs remains responsible for Subprocessors' acts and omissions to the extent required under Applicable Data Protection Laws.
9.1 Data subject requests. To the extent Customer cannot fulfill data subject requests through the Services, CustomerLabs will provide reasonable assistance to Customer to respond to requests to exercise data subject rights, to the extent required by Applicable Data Protection Laws.
9.2 Security and DPIA assistance. CustomerLabs will provide reasonable assistance with security information, DPIAs, and regulator consultations to the extent required by Applicable Data Protection Laws. CustomerLabs may charge reasonable fees for assistance that exceeds legal requirements or standard support.
9.3 Requests received directly. If CustomerLabs receives a request directly from a data subject relating to Customer Data, CustomerLabs will direct the data subject to Customer where appropriate and/or notify Customer, unless legally prohibited.
10.1 Notification. CustomerLabs will notify Customer without undue delay and in any event no later than seventy two (72) hours after CustomerLabs Becomes Aware of a Personal Data Breach affecting Customer Data. Where HIPAA applies and the incident constitutes a Breach of Unsecured PHI, CustomerLabs will notify Customer in accordance with Annex F.
10.2 Information. Notifications will include, to the extent available: the nature of the incident, categories and approximate volume of data affected, likely consequences, and measures taken or proposed to mitigate adverse effects.
10.3 Customer notifications. Customer is responsible for regulatory notifications and notifications to affected individuals unless Applicable Data Protection Laws require CustomerLabs to do so.
11.1 No voluntary disclosure. CustomerLabs will not disclose Customer Data to any government authority, including law enforcement, except as required by applicable law.
11.2 Redirect where possible. Where CustomerLabs is legally permitted, CustomerLabs will: (a) inform the requesting authority that CustomerLabs processes Customer Data on Customer's behalf, and (b) direct the authority to seek the data from Customer.
11.3 Notice to Customer. Unless legally prohibited, CustomerLabs will notify Customer without undue delay after receiving a Government Request seeking access to Customer Data and will provide available details reasonably necessary for Customer to seek a protective order or other remedy.
11.4 Challenge and minimization. Where CustomerLabs is legally permitted and reasonably able to do so, CustomerLabs will use commercially reasonable efforts to: (a) challenge Government Requests it reasonably believes are unlawful or overbroad, and (b) disclose only the minimum Customer Data legally required.
11.5 If prohibited from notice. If CustomerLabs is prohibited from notifying Customer, CustomerLabs will use commercially reasonable efforts to seek a waiver of the prohibition to enable notice as soon as legally permitted.
11.6 Emergency exception. CustomerLabs may disclose Customer Data without prior notice where it has a good faith belief that urgent disclosure is necessary to prevent an imminent risk of death or serious physical harm. CustomerLabs will notify Customer as soon as legally permitted thereafter.
11.7 Transparency (limited). Upon Customer's written request no more than once per twelve (12) months, CustomerLabs will provide a high level summary of the types of Government Requests received, if any, relating to Customer Data, to the extent permitted by law.
12.1 Audit rights. Customer may audit CustomerLabs' compliance with this DPA no more than once per twelve (12) months, on at least thirty (30) days' prior written notice, and subject to reasonable confidentiality and security requirements.
12.2 Alternative evidence. CustomerLabs may satisfy audit requests by providing reasonable documentation, security summaries, and/or independent third party audit reports where available, to the extent such evidence reasonably addresses Customer's audit request. CustomerLabs will not unreasonably refuse a limited on site audit where documentary evidence is insufficient, subject to reasonable scope, scheduling, confidentiality, and security requirements.
12.3 Costs. Customer bears its audit costs. CustomerLabs may charge reasonable fees for time and resources spent supporting audits beyond standard assistance.
13.1 Retention after termination. Upon termination or expiry of the Services, CustomerLabs will retain Customer Data for up to ninety (90) days, unless Customer requests deletion earlier, to the extent deletion is feasible and not prohibited by law.
13.2 Deletion. After the retention period, CustomerLabs will securely delete Customer Data from production systems. Backup copies are deleted in accordance with reasonable backup retention schedules and automated lifecycle policies.
13.3 Legal retention. CustomerLabs may retain Customer Data to the extent required by applicable law, provided it maintains confidentiality and restricts Processing to the legal requirement.
13.4 PHI return or destroy. To the extent Customer Data includes PHI and HIPAA applies, return and destruction of PHI is addressed in Annex F and will be performed consistent with this Section 13.
13.5 Data export. During the term, Customer may export Customer Data using the Service functionality and APIs. Upon termination, during the retention period in Section 13.1, Customer may request a reasonable export of Customer Data. CustomerLabs will provide reasonable assistance. Assistance beyond standard export functionality may be subject to reasonable fees.
14.1 Transfer mechanism. Where Processing involves a restricted transfer, including by remote access, of Customer Data from the EEA, UK, or Switzerland to a jurisdiction not recognized as providing adequate protection, the transfer will be governed by: (a) the EU SCCs, Modules as applicable, and (b) for the UK, the UK Addendum, or other UK approved mechanism as applicable.
14.2 Precedence. If there is any conflict between this DPA and Annex B, Annex B will prevail with respect to restricted transfers.
14.3 Remote access as a transfer. Customer acknowledges that remote access to Customer Data by CustomerLabs personnel located outside the Customer selected hosting region, including India, may constitute a restricted transfer under Applicable Data Protection Laws and is safeguarded by the EU SCCs and/or UK Addendum as applicable.
14.4 No DPF reliance. CustomerLabs is not currently certified under the EU US Data Privacy Framework and does not rely on it as a transfer mechanism under this DPA.
The terms in Annex E apply to the extent Customer Data includes personal information or personal data regulated by US state privacy laws, including CCPA and CPRA.
The terms in Annex F apply automatically to the extent Customer is a Covered Entity or Business Associate and Customer Data includes PHI.
17.1 Agreement controls. Liability under this DPA, including all Annexes (including Annex F), is subject to the limitations and exclusions of liability in the Agreement.
17.2 No additional HIPAA indemnity. CustomerLabs does not provide any separate indemnity under this DPA or Annex F for HIPAA related claims, unless expressly stated in the Agreement.
17.3 Customer responsibility. CustomerLabs will not be liable for claims arising from Customer's instructions or Customer's decision to submit certain categories of data, including Special Category Data and PHI, except to the extent the claim results from CustomerLabs' breach of this DPA or Applicable Data Protection Laws, and subject in all cases to the Agreement's limitations and exclusions.
17.4 Exclusion of special damages. To the maximum extent permitted by law, CustomerLabs will not be liable under this DPA or Annex F for any indirect, incidental, special, consequential, exemplary, or punitive damages, or for loss of profits, revenue, business, or goodwill, in each case to the extent excluded by the Agreement. Nothing in this DPA excludes or limits liability to the extent such exclusion or limitation is prohibited by Applicable Data Protection Laws.
Customer may send notices relating to this DPA, including security, privacy, audit requests, objections to Subprocessors, and data subject requests, to support@customerlabs.co. CustomerLabs will send notices under this DPA to Customer via email to Customer's designated account owner email address or other email address provided by Customer for legal or privacy notices. If Customer reasonably believes CustomerLabs is in material breach of this DPA, Customer will provide written notice describing the alleged breach and allow CustomerLabs a reasonable opportunity to cure before exercising any termination right for cause in relation to this DPA, to the extent cure is feasible and not prohibited by law or regulatory direction.
19.1 Updates. CustomerLabs may update this DPA from time to time to reflect changes in Applicable Data Protection Laws, regulatory guidance, industry standards, security practices, or the Services.
19.2 Notice of material changes. If an update materially reduces CustomerLabs' obligations under this DPA, CustomerLabs will provide at least thirty (30) days' prior notice by email and/or within the Services.
19.3 Customer objection and termination. If Customer reasonably objects to a material update that materially reduces CustomerLabs' obligations, Customer may terminate the affected Services by providing written notice before the effective date of the update. This termination right applies only to the affected Services.
19.4 Effective date. Non material updates become effective as of the Last Updated date. Material updates become effective on the date stated in the notice and not earlier than thirty (30) days after notice.
19.5 No material degradation. CustomerLabs will not materially decrease its obligations under this DPA as compared to those in effect as of the Effective Date, unless required to comply with law or regulatory requirements.
Annex A: Description of Processing
Annex B: International Transfers (EU SCCs and UK Addendum elections)
Annex C: Technical and Organizational Measures (TOMs)
Annex D: Subprocessors
Annex E: US State Privacy Addendum (CCPA, CPRA, and other US state privacy laws)
Annex F: HIPAA Business Associate Agreement (BAA)
Subject matter: Provision of data activation and data operations Services, including ingestion, storage, management, transformation, and delivery of Customer Data as configured by Customer.
Duration: Term of the Agreement plus up to 90 days post termination (unless earlier deletion requested), subject to Section 13 and Annex F for PHI.
Nature of Processing: Collection or receipt, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure by transmission to Customer Controlled Destinations, alignment or combination, restriction, erasure, and destruction.
Purpose: Providing the Services, support and maintenance, security operations, incident response, troubleshooting, and where applicable permitted Business Associate activities under Annex F for PHI.
Categories of data subjects: Customer's end users, visitors, leads, customers, employees (where Customer submits such data), and other individuals whose data Customer submits.
Categories of Personal Data: Determined by Customer and may include identifiers (such as email), device or network data (such as IP), transactional data (such as order value), event data (such as event name), product identifiers, and custom properties.
Special Category Data: May be processed if Customer transmits it, solely on Customer's instructions.
PHI: May be processed if Customer transmits it, solely on Customer's instructions and in accordance with Annex F.
Categories of recipients: Customer Controlled Destinations selected or configured by Customer, which may include advertising platforms, analytics platforms, CRMs, warehouses, cloud storage destinations, Customer's internal systems, and other third party endpoints designated by Customer.
Processing location: Primarily in the hosting region selected by Customer on GCP. Remote access may occur from other jurisdictions including India under the safeguards in this DPA.
This Annex B applies only to the extent Processing involves a restricted transfer under Applicable Data Protection Laws.
1.1 EEA Transfers: EU SCCs (2021/914). For restricted transfers from the EEA, the parties incorporate by reference the EU SCCs.
Module selection (as applicable): (a) Module Two (Controller to Processor) applies where Customer is a Controller and CustomerLabs is a Processor. (b) Module Three (Processor to Processor) applies where Customer is a Processor and CustomerLabs is a Subprocessor.
1.2 UK Transfers: UK Addendum. For restricted transfers from the UK, the parties incorporate by reference the UK Addendum.
1.3 Switzerland Transfers. For restricted transfers from Switzerland, the EU SCCs apply with modifications required under Swiss law, including where applicable references to the GDPR interpreted as references to the Swiss FADP and the competent supervisory authority as the Swiss FDPIC.
The parties agree that the information required in the EU SCC Annexes is set out in this DPA as follows: (a) Annex I(A) and I(B) is satisfied by Section 2 and Annex A. (b) Annex I(C) is the supervisory authority applicable to the data exporter (Customer). (c) Annex II is satisfied by Annex C. (d) Annex III is satisfied by Annex D.
(a) Clause 7 (Docking clause): does not apply.
(b) Clause 9(a) (Use of subprocessors): Option 2 (General written authorisation) applies, with a 30 day notice period as set out in Section 8.3.
(c) Clause 11 (Independent dispute resolution): does not apply.
(d) Clause 17 (Governing law): Irish law. This election applies only to the EU SCCs and does not change the governing law or jurisdiction provisions of the Agreement.
(e) Clause 18 (Choice of forum and jurisdiction): the courts of Ireland.
Table 1 (Parties): Start date: Effective Date. Exporter: Customer. Importer: CustomerLabs. Key contact: as set out in the Agreement and/or Customer account profile. DPA notices to support@customerlabs.co.
Table 2 (Selected SCCs, Modules and Selected Clauses): Approved EU SCCs: Commission Implementing Decision (EU) 2021/914. Modules: Module Two and/or Module Three as applicable. Clause 7: excluded. Clause 11: excluded. Clause 9(a): general written authorisation. Clause 9(a) time period: 30 days.
Table 3 (Appendix Information): Annex A (Description of Processing), Annex C (TOMs), Annex D (Subprocessors).
Table 4 (Ending this Addendum when the Approved Addendum changes): Importer and Exporter.
Remote access to Customer Data by CustomerLabs personnel outside the Customer selected hosting region, including India, may constitute a restricted transfer and is safeguarded by the EU SCCs and/or UK Addendum as applicable.
If there is any conflict between this Annex B and any other provision of the Agreement or this DPA, this Annex B prevails solely with respect to restricted transfers.
CustomerLabs is not currently certified under the EU US Data Privacy Framework and does not rely on it as a transfer mechanism.
CustomerLabs maintains technical and organizational measures designed to protect Customer Data, including:
1. Security policies and procedures reviewed periodically.
2. Personnel confidentiality commitments and acceptable use policies.
3. Security awareness training for personnel with access to production systems.
1. In transit: TLS 1.2 or higher for data transmitted to and from the Services.
2. At rest: encryption at rest using cloud provider managed encryption (default key management).
3. Key management: Keys are managed using the cloud provider's key management services. Customer managed keys may be available for certain deployments by written agreement.
1. Role based access controls following least privilege principles.
2. Unique credentials for authorized personnel.
3. Access provisioning and deprovisioning procedures.
4. Administrative access restricted to authorized personnel and reviewed periodically.
5. Allowlisting may be applied for support access where implemented.
6. Administrative access requires strong authentication. Privileged access is restricted by least privilege and is logged.
1. Audit logs for administrative and support access to systems processing or storing Customer Data.
2. Monitoring and alerting for suspicious activity and security events.
3. Administrative and support access logs are retained for a reasonable period for security monitoring and investigation.
4. Investigation and response workflows for detected events.
1. Secure SDLC practices.
2. Vulnerability identification and remediation practices, including patch management.
3. Change management controls for production changes.
1. Incident response procedures including escalation, investigation, containment, remediation, and post incident review.
1. Backups and disaster recovery practices designed to maintain availability and integrity.
2. Backup retention and deletion consistent with Section 13 and Annex A.
CustomerLabs uses cloud infrastructure and relies on the cloud provider physical and environmental security controls for data center security.
1. Customer configurable collection and ingestion to support minimization.
2. Logical separation controls appropriate to a multi tenant SaaS architecture.
Administrative, physical, and technical safeguards consistent with HIPAA Security Rule requirements for ePHI, as described in Annex F.
Customer authorizes CustomerLabs to engage the following Subprocessors for Processing of Customer Data:
1) Google Cloud Platform (GCP): cloud infrastructure, hosting, and data storage (regions as selected or configured by Customer in the Services).
2) Amazon Web Services (AWS): cloud infrastructure services used for certain components of the Services and supporting operations, as applicable.
3) SendGrid: email delivery services for service communications as applicable. Service communications are not intended to include PHI. Customer will not include PHI in any email content, subject lines, or other fields transmitted to email delivery services through or in connection with the Services. CustomerLabs does not authorize SendGrid to Process PHI on CustomerLabs' behalf.
4) CustomerLabs Digital Solutions Pvt Ltd (India): support and engineering services. Remote access may occur under access controls and audit logging.
CustomerLabs will provide notice of new or replacement Subprocessors via email in accordance with Section 8.3.
This Annex E applies to the extent Customer Data is subject to US state privacy laws, including the CCPA as amended by the CPRA and similar state privacy statutes (US State Privacy Laws).
Where Customer is a business or controller and CustomerLabs is processing Customer Data on Customer's behalf: (a) CustomerLabs acts as a service provider and/or contractor under CCPA and CPRA, and as a processor under other US State Privacy Laws, as applicable.
CustomerLabs will: (a) process Customer Data only to provide the Services, perform its obligations, and exercise its rights under the Agreement and this DPA, (b) not sell or share Customer Data as those terms are defined under CCPA and CPRA, (c) not retain, use, or disclose Customer Data outside the direct business relationship with Customer except as permitted by US State Privacy Laws, including for permitted business purposes such as security, debugging, and service improvement to the extent allowed, and (d) not combine Customer Data with personal information obtained from other sources except as permitted by CCPA and CPRA, including for security purposes and to prevent fraud or illegal activity.
Customer may direct CustomerLabs to disclose Customer Data to Customer Controlled Destinations. Such disclosures are made at Customer's instruction for the purpose of providing the Services and do not constitute a sale or share of Customer Data by CustomerLabs.
CustomerLabs will impose written restrictions on Subprocessors consistent with this Annex E and applicable US State Privacy Laws.
CustomerLabs will provide reasonable assistance to Customer to respond to verified consumer requests, to the extent required by US State Privacy Laws and to the extent Customer cannot fulfill the request through the Services.
CustomerLabs will delete or return Customer Data as provided in Section 13, subject to permitted retention under US State Privacy Laws.
This Annex F applies only to the extent: (a) Customer is a Covered Entity or Business Associate, and (b) Customer Data includes PHI.
1.1 HIPAA means the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations at 45 CFR Parts 160 and 164, as amended, including by the HITECH Act.
1.2 Terms. Business Associate, Covered Entity, PHI, ePHI, Breach, Unsecured PHI, and Security Incident have the meanings set forth in HIPAA.
1.3 "Becomes Aware" has the meaning set forth in Section 1.9.
2.1 Roles. Customer is a Covered Entity and/or Business Associate as applicable. CustomerLabs is a Business Associate or subcontractor Business Associate as applicable with respect to PHI.
2.2 Scope. Customer authorizes CustomerLabs to create, receive, maintain, and transmit PHI only as necessary to provide the Services and as otherwise permitted by this Annex F.
2.3 Minimum necessary. Customer will limit PHI provided to CustomerLabs to the minimum necessary for Customer's purposes and will configure the Services accordingly. CustomerLabs will Process PHI only in accordance with this Annex F and Customer's documented instructions.
2.4 No separate BAA. This Annex F is the parties' complete and exclusive HIPAA business associate agreement for the Services. Any additional or different BAA terms proposed by Customer apply only if expressly agreed in a written addendum signed by both parties.
CustomerLabs may use and disclose PHI:
3.1 Service delivery. To perform the Services and its obligations under the Agreement, DPA, and this Annex F.
3.2 Management and administration. For CustomerLabs' proper management and administration or to carry out CustomerLabs' legal responsibilities, provided disclosures for such purposes are required by law or made with reasonable assurances of confidentiality consistent with HIPAA requirements.
3.3 Required by law. As required by law.
3.4 Data aggregation and de-identification. To provide data aggregation services relating to Customer's health care operations where applicable and configured by Customer, and to create de-identified information in accordance with 45 CFR 164.514, provided such de-identified information is not PHI.
CustomerLabs will not use or disclose PHI in a manner that would violate HIPAA if done by Customer, except as expressly permitted above.
CustomerLabs will:
4.1 Safeguards. Use appropriate safeguards to prevent use or disclosure of PHI other than as permitted by this Annex F.
4.2 Security Rule. Implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of ePHI, consistent with the HIPAA Security Rule, taking into account CustomerLabs' size, complexity, capabilities, and the nature and scope of the Services.
4.3 Reporting of improper use or disclosure. Report to Customer without undue delay and in any event no later than 72 hours after CustomerLabs Becomes Aware of any use or disclosure of PHI not permitted by this Annex F.
4.4 Breach notification. Report to Customer without undue delay and in any event no later than 72 hours after CustomerLabs Becomes Aware of a Breach of Unsecured PHI. The notice will include, to the extent available, information reasonably required for Customer to meet its obligations under 45 CFR 164.404, 164.406, and 164.408.
4.5 Security Incidents. Report to Customer any Security Incident that results in successful unauthorized access to ePHI. Customer acknowledges that electronic systems may experience unsuccessful access attempts that do not result in unauthorized access to ePHI. CustomerLabs will make information about such unsuccessful attempts available upon Customer's written request in a reasonable and aggregated manner and not more than once per quarter unless legally required.
4.6 Subcontractors. Ensure any subcontractor that creates, receives, maintains, or transmits PHI on CustomerLabs' behalf agrees in writing to the same restrictions and conditions that apply to CustomerLabs with respect to PHI.
4.7 Access. Make PHI available to Customer as necessary to satisfy Customer's obligations under 45 CFR 164.524, to the extent PHI is maintained within the Services and Customer cannot reasonably access it without CustomerLabs' assistance.
4.8 Amendment. Make PHI available for amendment and incorporate amendments as necessary to satisfy Customer's obligations under 45 CFR 164.526, to the extent PHI is maintained within the Services and Customer cannot reasonably effect amendment without CustomerLabs' assistance.
4.9 Accounting of disclosures. Make available information required to provide an accounting of disclosures under 45 CFR 164.528, to the extent such information is within CustomerLabs' control and maintained in its records.
4.10 Secretary access. Make CustomerLabs' internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of HHS for purposes of determining compliance with HIPAA, as required by 45 CFR 164.504(e)(2)(ii)(I).
4.11 Mitigation. Mitigate to the extent practicable any harmful effect known to CustomerLabs of a use or disclosure of PHI by CustomerLabs in violation of this Annex F.
Customer is responsible for:
5.1 Status. Determining whether it is a Covered Entity and/or Business Associate.
5.2 Notices and permissions. Providing required notices and obtaining required consents, authorizations, and permissions for PHI provided to CustomerLabs.
5.3 Restrictions. Notifying CustomerLabs of any restrictions on use or disclosure of PHI that Customer has agreed to under 45 CFR 164.522 to the extent applicable to CustomerLabs' Processing under the Services.
5.4 No PHI in email content. Not including PHI in service communications or email content routed to email delivery services, as stated in Annex D.
5.5 No PHI to marketing platforms. Not transmitting PHI to advertising or marketing platforms, as stated in Section 3.5(f).
6.1 Term. This Annex F remains effective for so long as CustomerLabs creates, receives, maintains, or transmits PHI on Customer's behalf.
6.2 Termination for cause. If Customer determines CustomerLabs has violated a material term of this Annex F, Customer may provide written notice and an opportunity to cure where feasible. If cure is not feasible or is unsuccessful within a reasonable time, Customer may terminate the affected Services in accordance with the Agreement.
Upon termination of the Services, CustomerLabs will return or destroy PHI that CustomerLabs still maintains in any form if feasible consistent with Section 13. If return or destruction is not feasible, CustomerLabs will extend the protections of this Annex F to such PHI and limit further uses and disclosures to those purposes that make return or destruction infeasible.
CustomerLabs will provide assistance required by HIPAA and this Annex F as part of the Services. If Customer requests support that goes beyond what is required by HIPAA or beyond standard support for the Services, including extensive questionnaires, custom reporting, on-site assessments, or customer-specific security attestations, CustomerLabs may charge reasonable fees for such additional assistance.
Nothing in this Annex F confers any rights, remedies, or benefits on any person other than the parties and their permitted successors and assigns.
This Annex F will be interpreted to comply with HIPAA. In the event of conflict between this Annex F and the Agreement or this DPA, this Annex F controls only with respect to PHI and HIPAA obligations. All liability remains subject to Section 17 and the Agreement's limitations and exclusions.