DPA: Canadian Personal Health Information Data Processing Addendum

This Canadian Personal Health Information Data Processing Addendum (“DPA“) is applicable to those Canadian Weave subscribers who are custodians or trustees of Personal Health Information under Canadian PHI Laws (as defined below), and who use the Services to process Personal Health Information to which the Canadian PHI Laws apply. This DPA supplements any Agreement made between Weave Communications, Inc. and its subsidiaries, affiliates and other related entities (“Weave“) and a subscriber (“you” or “Subscriber”) which incorporates this DPA by reference or to which this DPA is attached, and specifies certain rights and obligations of the parties relating to the processing by Weave of Personal Health Information. Certain terms used in this DPA have the meanings given to them in the “Definitions” section of this DPA. 

The parties agree as follows:

1. CANADIAN PHI lAWS – INFORMATION MANAGER AGREEMENT
   1. Background, Definitions and Interpretation.  For the purpose of the Canadian PHI Laws, Subscriber is a “custodian”, “health information custodian”, or “trustee” as defined in the applicable Canadian PHI Law, and Weave is an “information manager”, “information management service provider”, and/or “agent” as defined in the applicable Canadian PHI Law. The Canadian PHI Laws may be used as a guide to the interpretation of this DPA. In the event of any inconsistency between a term of the applicable Canadian PHI Laws and a term of this DPA, the term of the Canadian PHI Laws shall prevail.
   2. Information Manager Agreement.
      1. The objectives of this DPA are to ensure that Subscriber and Weave comply with their obligations under applicable Canadian PHI Laws with respect to the provision of Services by Weave to Subscriber under the Agreement. The parties will be guided by the underlying principles of the applicable Canadian PHI Laws.
      2. Each of Weave and Subscriber will at all times comply with applicable Canadian PHI Laws. Without limiting the generality of the foregoing, each of Weave and Subscriber agrees to comply with the provisions of applicable Canadian PHI Laws in the processing, storage, retrieval or disposal of Personal Health Information, including the stripping, encoding and transformation of individually identifying health information to create non-identifying health information, and the provision of information management or information technology services.
      3. Weave is permitted to collect Personal Health Information from your patients and customers during the provision of the Services, to the extent necessary for the provision of Services to you. Any such collection of Personal Health Information by Weave is collection solely for and on your behalf, and you are the controller of the Personal Health Information.
      4. Weave will only use Personal Health Information to provide the Services to Subscriber, except with the prior written consent of Subscriber or as otherwise expressly permitted under the Agreement or this DPA. Weave will not disclose Personal Health Information outside of Weave or its Affiliates except (a) as Subscriber directs or as required to provide the Services, (b) to Subscriber’s third party service providers as directed by Subscriber, (c) to sub-processors as described in the section titled “Sub-Processing”, (d) as otherwise described in the Agreement or this DPA, or (e) as required by Applicable Laws to which Weave is subject.
      5. Weave will, unless prohibited by law, promptly notify Subscriber if (a) Weave receives a request from a data subject for access to the data subject’s own personal data, or for the rectification or erasure of such personal data, (b) Weave receives any other request or query from a data subject relating to the data subject’s own personal data, or (c) a data subject exercises any rights under Applicable Privacy Laws. Weave will assist Subscriber by appropriate technical and organizational measures, insofar as this is reasonably possible, for the fulfilment of Subscriber’s obligations to respond to such requests from a Data Subject. Subscriber will pay for assistance performed by Weave at Weave’s then current fees for such services. 
      6. Weave will implement and maintain appropriate technical and organizational measures, as determined by Weave, designed to protect the security of Personal Health Information, including measures to protect Personal Health Information from unauthorized access, use, modification, deletion, loss or disclosure. Weave will limit access to Personal Health Information to only those subcontractors and personnel who have a need to know. Weave will ensure that its subcontractors and personnel authorized to access Personal Health Information are bound by appropriate obligations of confidentiality.
      7. Personal Health Information provided to Weave will be returned or destroyed as provided under “Return or Deletion of Personal Health Information” and in compliance with applicable Canadian PHI Laws.
      8. If a data subject expresses a wish relating to the disclosure of that data subject’s Personal Health Information, then Weave will refer that request to you as described under section 1.2(e) above. 
      9. Weave will notify you of any loss of individually identifying Personal Health Information or any unauthorized access to or disclosure of individually identifying Personal Health Information in the custody or control of Weave. Weave will provide the notice without undue delay after Weave discovers the loss, unauthorized access or unauthorized disclosure, and in any event within any notice period imposed under the applicable Canadian PHI Laws. Any such notice will comply with the requirements of the applicable Canadian PHI Laws.
      10. You are allowed to monitor and verify Weave’s compliance with the terms of this DPA and the Agreement.
      11. You may provide to Weave any of your administrative, technical and physical safeguards in respect of Personal Health Information that are relevant to the provision of the Services. Weave will comply with such safeguards, to the extent they are reasonable and relevant to the provision of the Services. If Weave is of the opinion that: (i) Weave cannot reasonably comply with the safeguards; (ii) the safeguards may cause Weave to incur unanticipated costs, or (iii) the safeguards may cause Weave to face adverse regulatory action, then Weave may, in its discretion, elect to: (iv) increase the fees under the Agreement by an amount sufficient to allow Weave to recover those costs; or (v) terminate the Agreement and this DPA by notice in writing to you.
      12. You may provide to Weave any policies or procedures that are established or adopted by you to facilitate the implementation of the applicable Canadian PHI Law and that are relevant to Weave’s provision of the Services. Weave will comply with such policies or procedures, to the extent they are reasonable and relevant to the provision of the Services. If Weave is of the opinion that: (i) Weave cannot reasonably comply with the policies and procedures; (ii) the policies and procedures may cause Weave to incur unanticipated costs: or (iii) the policies and procedures may cause Weave to face adverse regulatory action, then Weave may, in its discretion, elect to (iv) increase the fees under the Agreement by an amount sufficient to allow Weave to recover those costs; or (v) terminate the Agreement and this DPA by notice in writing to you.
      13. You consent to Weave’s use of sub-processors as described under “Sub-processors” in the Agreement. Weave will not otherwise subcontract the provision of Services involving Personal Health Information without your prior consent.
      14. You authorize Weave to create non-identifying health information from Personal Health Information. Weave may use and disclose non-identifying information for any purpose.
2. TERMINATION OF THIS DPA
   1. Term. This DPA will continue in force until the later of: (a) the expiry or termination of the Agreement; and (b) the return or destruction of all Personal Health Information as provided under “Return or Deletion of Personal Health Information”.
   2. Material Breach. A material breach of this DPA by either party shall be deemed to be a material breach of the Agreement, and shall entitle the other party to exercise the rights of termination for material breach provided in the Agreement.
   3. Return or Deletion of Personal Health Information. On the expiry or termination of this DPA for any reason, Weave will retain only the Personal Health Information that is necessary for Weave to continue its proper management and administration or to carry out its legal responsibilities, and Weave will return to Subscriber or destroy the remaining Personal Health Information. Weave will continue to comply with the terms of this DPA as to any Personal Health Information that Weave retains for so long as Weave retains that Personal Health Information, and Weave will return to Subscriber or destroy the retained Personal Health Information when it is no longer needed for Weave to continue its proper management and administration or to carry out its legal responsibilities. 
3. GENERAL
   1. Definitions. Terms having a meaning defined in the Agreement or Canadian PHI Laws will have the same meaning when used in this DPA unless the context otherwise requires, and the following terms will have the following meanings:

      “Agreement” means the Services Agreement and/or the Terms of Service between you and Weave for the provision of services by Weave to you, which incorporates this DPA by reference or to which this DPA is attached.

      “Canadian PHI Laws” means: (a) the Health Information Act (Alberta); (b) the Personal Health Information Act (Manitoba); (c) the Personal Health Information Privacy and Access Act (New Brunswick); (d) the Personal Health Information Act (Newfoundland and Labrador); (e) the Health Information Act (Northwest Territories); (f) the Personal Health Information Act (Nova Scotia); (g) the Personal Health Information Protection Act (Ontario); (h) the Health Information Act (Prince Edward Island); (i) the Health Information Protection Act (Saskatchewan); and (i) the Health Information Privacy and Management Act (Yukon), as amended from time to time.

      “data subject” means the individual identified in or identifiable from Personal Health Information.

      “Personal Health Information” has the meaning specified in the applicable Canadian PHI Law.

      “Services” means the services provided by Weave to Subscriber, as described in the Agreement.

   2. Sub-processors. Subscriber agrees that Weave may use sub-processors to provide the Services to Subscriber, to fulfill its contractual obligations under this DPA and the Agreement, or to provide certain services on its behalf. Weave will enter into a written agreement with each sub-processor to which Personal Health Information is provided permitting the sub-processor to access and use Personal Health Information only for the purpose of delivering the services Weave has retained the sub-processor to provide and for no other purpose. Weave will be liable for the acts and omissions of any sub-processors to the same extent as if the acts or omissions were performed by Weave. 
   3. Entire Agreement. This DPA is incorporated into, and is subject to the terms and conditions of, the Agreement. Except as amended by this DPA, the Agreement will remain in full force and effect.
   4. Order of Precedence. In the event of any inconsistency between a term of this DPA and a term of the Agreement, the term of this DPA will take precedence over the term of the Agreement.