Master Service Agreement (MSA) of Remotedoc

This Master Service Agreement (“MSA”) is a legal agreement between you (hospitals) and Biometric Technologies OÜ (hereinafter – Parties).

This MSA governs your acquisition and use of our Remotedoc software (“Software”) directly from Biometric Technologies OÜ or indirectly through a Biometric Technologies OÜ authorized reseller or distributor (a “Reseller”).

Please read this MSA carefully before completing the installation process and using the Remotedoc software. It provides a license to use the Remotedoc software and contains warranty information and liability disclaimers.

If you register for a free trial of the Remotedoc software, this MSA will also govern that trial. By clicking “accept” or installing and/or using the Remotedoc software, you are confirming your acceptance of the Software and agreeing to become bound by the terms of this MSA.

If you are entering into this MSA on behalf of a company or other legal entity, you represent that you have the authority to bind such entity and its affiliates to these terms and conditions. If you do not have such authority or if you do not agree with the terms and conditions of this MSA, do not install or use the Software, and you must not accept this MSA.

This MSA shall apply only to the Software supplied by Biometric Technologies OÜ herewith regardless of whether other software is referred to or described herein. The terms also apply to any Biometric Technologies OÜ updates, supplements, Internet-based services, and support services for the Software, unless other terms accompany those items on delivery. If so, those terms apply.

License Grant

Biometric Technologies OÜ hereby grants you a personal, non-transferable, non-exclusive license to use the Remotedoc software on your devices in accordance with the terms of this MSA.

You are permitted to load the Remotedoc software onto devices (for example a PC, laptop, mobile or tablet) under your control. You are responsible for ensuring your device meets the minimum requirements of the Remotedoc software.

You are not permitted to:

  1. Edit, alter, modify, adapt, translate or otherwise change the whole or any part of the Software nor permit the whole or any part of the Software to be combined with or become incorporated in any other software, nor decompile, disassemble or reverse engineer the Software or attempt to do any such things.
  2. Reproduce, copy, distribute, resell or otherwise use the Software for any commercial purpose.
  3. Allow any third party to use the Software on behalf of or for the benefit of any third party.
  4. Use the Software in any way which breaches any applicable local, national or international law.
  5. Use the Software for any purpose that Biometric Technologies OÜ considers is a breach of this MSA.

Intellectual Property and Ownership

Biometric Technologies OÜ shall at all times retain ownership of the Software as originally downloaded by you and all subsequent downloads of the Software by you. The Software (and the copyright, and other intellectual property rights of whatever nature in the Software, including any modifications made thereto) are and shall remain the property of Biometric Technologies OÜ.

Biometric Technologies OÜ reserves the right to grant licenses to use the Software to third parties.

Termination

This MSA is effective from the date you first use the Software and shall continue until terminated. You may terminate it at any time upon written notice to Biometric Technologies OÜ.

It will also terminate immediately if you fail to comply with any term of this MSA. Upon such termination, the licenses granted by this MSA will immediately terminate and you agree to stop all access and use of the Software. The provisions that by their nature continue and survive will survive any termination of this MSA.

Governing Law

This MSA, and any dispute arising out of or in connection with this MSA, shall be governed by and construed in accordance with the laws of Estonia.

Data Transfer Agreement (DTA)

Definitions

For the purposes of this Data Transfer Agreement (“DTA”) the Parties apply the following terms and definitions:

  1. personal data means any information relating to a directly or indirectly identified or identifiable natural person (data subjects);
  2. controller means a legal entity arranging (alone or jointly with others) and (or) carrying out personal data processing, as well as defining the purposes of processing, the operations performed on the personal data (types of processing) and the categories of personal data that shall be processed;
  3. transfer of personal data means any act of sending and transmitting personal data by any means (including physical and electronic ones), providing access to personal data, including remote access and saving, inserting personal data in the information system(s);
  4. reasonable time means the period of time that a Party needs to fulfil an obligation under this DTA, determined jointly by the Parties on a case-by-case basis considering the peculiarities of cooperation / interaction between the Parties, the volume of the data transferred by the Parties, and the technical, organizational and other resources of the respective Party. In cases where compliance with statutory obligations implying mandatory terms/deadlines depends on fulfilment of obligations under this DTA, the determined reasonable time shall enable the Parties to comply with the said statutory obligations.

Details of the personal data transfer

Data subjects

The personal data transferred concern the following category of data subjects:

  1. patients.

Purposes

The Parties warrant and guarantee transfer of personal data to each other on a lawful basis in accordance with requirements of applicable legislation and due notification of data subjects of such transfer if required by applicable legislation in order to achieve one, several or all of the purposes set out below that are relevant for the relationship between the Parties:

  1. providing a service of the appointment for remote consultations for patients;
  2. the fulfillment of their obligations under agreements that have been concluded between the Parties;
  3. exercising rights, fulfilling obligations and complying with prohibitions / restrictions under applicable laws.

Categories of data

The personal data transferred concern the following personal data:

  1. name, e-mail address, age, sex, data relating to health.

Recipients

The personal data transferred may be disclosed only to the following recipients or categories of recipients:

  1. hospitals described in the DTA as the receiving Party;
  2. third parties providing a platform for a chatbot, for the scheduling of virtual appointments, a CRM system for registration of the doctors and organising access to the patients’ data, and a platform for hosting the website.

Sensitive data

Personal Data transferred concern the following categories of sensitive data:

  1. data relating to health (patient’s health status, e.g. a fever, cough, dyspnea, rhinorrhea, sore throat, malaise, diarrhea, headache, hyposmia, dysgeusia, COVID risk travel, COVID case contact, chronic diseases, any other symptoms, etc.).

Obligations of the Parties

  1. Each Party acknowledges that it acts in the capacity of an independent controller of personal data received from the transferring Party (which acts as an independent controller as well) and that it, in common (but not jointly) with the other Party, determines the purposes and manner of personal data transfer between the Parties. The Parties ensure the implementation of the data processing principles indicated in Annex A.
  2. The receiving Party undertakes to cease processing of personal data (or ensure that such processing is ceased) received from the transferring Party, upon achievement of the purposes specified in this DTA or where such purposes are no longer relevant, as well as in case of failure to ensure the lawful basis of the personal data processing, unless otherwise specified in applicable legislation.
  3. The Parties warrant and guarantee that they will preserve the confidentiality and security of the transferred personal data in the course of their processing in accordance with requirements of the applicable laws, as well as agreements between the Parties. The Parties shall take legal, organizational and technical measures that are necessary to protect personal data in the course of their transfer between the Parties via Remotedoc software or otherwise (or ensure that such measures are taken). If warranties or guarantees specified in this paragraph are inaccurate then the receiving Party shall immediately refuse to receive personal data from the transferring Party and (or) shall within a reasonable time stop processing personal data received from the transferring Party prior to that.
  4. The transferring Party shall, within a reasonable time as of receipt of the relevant request from the receiving Party, provide the receiving Party with information and (or) documents confirming that it obtained explicit consents of data subjects to transfer of their sensitive personal data, or that it relies on other legal grounds for the personal data transfer and it duly notified the subjects of the transfer of their personal data.
  5. For the purposes specified in this DTA, the receiving Party has the right to engage third parties in the processing of personal data received from the transferring Party by instructing third parties to process these personal data and (or) by transferring (including cross-border transfer) personal data to third parties without assigning of personal data processing (without giving instruction to process personal data on its own behalf). The engagement of third parties in the processing of personal data can be carried out only if the receiving Party has ensured appropriate legal grounds and only if the third parties undertake to preserve confidentiality and security of personal data in the course of their processing. The receiving Party shall, within a reasonable time as of the date of receipt of the relevant request from the transferring Party, provide information about third parties engaged in personal data processing, as well as information about which categories of personal data were transferred to the third parties, for what purposes and what categories of data subjects these data relate to.
  6. The Parties hereby agree to cooperate in good faith and provide necessary reasonable assistance to each other in order to consider and settle requests (complaints, demands, enforcement notices, claims, lawsuits) concerning personal data transferred between the Parties, received by either Party from data subjects, representatives of data subjects, authorized bodies or third parties. In particular, the Party that received such request shall duly notify the other Party of this fact within a reasonable time as of the date of the request’s receipt.

Warranties and guarantees specified in this DTA are the assurances about circumstances pertinent for conclusion of this Agreement.

The Party that failed to fulfill or improperly fulfilled any obligations under this DTA shall compensate documentarily approved losses caused to the other Party in connection with and limited to amounts of legal actions satisfied by court and (or) to amounts of administrative and other types of fines.

Annex A. Data processing principles

Purpose limitation: Personal data may be processed and subsequently used or further communicated only for purposes described in the DTA or subsequently authorised by the data subject.

Data quality and proportionality: Personal data must be accurate and, where necessary, kept up to date. The personal data must be adequate, relevant and not excessive in relation to the purposes for which they are transferred and further processed.

Transparency: Data subjects must be provided with information necessary to ensure fair processing (such as information about the purposes of processing and about the transfer), unless such information has already been given by the transferring Party.

Security and confidentiality: Technical and organisational security measures must be taken by the data controller that are appropriate to the risks, such as against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, presented by the processing. Any person acting under the authority of the data controller, including a processor, must not process the data except on instructions from the data controller.

Rights of access, rectification, deletion and objection: As provided in Article 12 of Directive 95/46/EC, data subjects must, whether directly or via a third party, be provided with the personal information about them that an organisation holds, except for requests which are manifestly abusive, based on unreasonable intervals or their number or repetitive or systematic nature, or for which access need not be granted under the law of the country of the transferring Party. Provided that the authority has given its prior approval, access need also not be granted when doing so would be likely to seriously harm the interests of the receiving Party or other organisations dealing with the receiving Party and such interests are not overridden by the interests for fundamental rights and freedoms of the data subject. The sources of the personal data need not be identified when this is not possible by reasonable efforts, or where the rights of persons other than the individual would be violated. Data subjects must be able to have the personal information about them rectified, amended, or deleted where it is inaccurate or processed against these principles. If there are compelling grounds to doubt the legitimacy of the request, the organisation may require further justifications before proceeding to rectification, amendment or deletion. Notification of any rectification, amendment or deletion to third parties to whom the data have been disclosed need not be made when this involves a disproportionate effort. A data subject must also be able to object to the processing of the personal data relating to him if there are compelling legitimate grounds relating to his particular situation. The burden of proof for any refusal rests on the receiving Party, and the data subject may always challenge a refusal before the authority.

Sensitive data: The receiving Party shall take such additional measures (e.g. relating to security) as are necessary to protect such sensitive data.

Automated decisions: For purposes hereof “automated decision” shall mean a decision by the transferring Party or the receiving Party which produces legal effects concerning a data subject or significantly affects a data subject and which is based solely on automated processing of personal data intended to evaluate certain personal aspects relating to him.

The transferring Party uses algorithms to provide probabilistic risk scoring of the patient's health condition utilizing Bayesian networks, which use data provided by the patient answering the chatbot questions, based on the explicit consent of the data subject.

The receiving Party shall not make any automated decisions concerning data subjects, except when:

  (a) (i) such decisions are made by the receiving Party in entering into or performing a contract with the data subject, and
      (ii) the data subject is given an opportunity to discuss the results of a relevant automated decision with a representative of the parties making such decision or otherwise to make representations to those parties;
  or
  (b) where otherwise provided by the law of the transferring Party.