CANADIAN SERVICE ADDENDUM
THESE ADDITIONAL TERMS PERTAIN TO CUSTOMERS IN CANADA (“CANADIAN SERVICE ADDENDUM”). THIS CANADIAN SERVICE ADDENDUM IS INCORPORATED INTO SERVICE AGREEMENTS WITH CUSTOMERS WHO RESIDE IN CANADA. YOUR EXECUTION OF A CUSTOMER ORDER FOR SERVICES CONSTITUTES YOUR AGREEMENT TO BE BOUND BY THESE ADDITIONAL TERMS. YOU ACKNOWLEDGE AND AGREE THAT CENTALREACH HAS THE RIGHT TO ESTABLISH TERMS FOR THE CONTINUED USE OF OUR SERVICES. ACCORDINGLY, CENTRALREACH RESERVES THE RIGHT TO MODIFY THESE TERMS FROM TIME TO TIME WITH OR WITHOUT NOTICE TO YOU. YOU AGREE THAT YOUR USE OF THE SERVICES CONSTITUTES YOUR AGREEMENT TO ANY SUCH MODIFICATION. IN THE EVENT OF ANY CONFLICT BETWEEN YOUR SERVICE AGREEMENT AND THIS CANADIAN SERVICE ADDENDUM, THE TERMS OF THIS EUROPEAN SERVICE ADDENDUM SHALL CONTROL.
Terms not defined herein shall have the meaning set for forth in the Terms of Service or Additional Agreements, as applicable.
2. DATA PROTECTION SCHEDULE
For all Customers located in Canada, references in the Terms of Service or Additional Agreements to the “Business Associate Agreement” shall be deemed to be references to the Data Protection Schedule attached as Appendix A to this Canadian Service Addendum.
3. APPLICABLE PRIVACY LAW
All references in the Service Agreement, including within this Canadian Service Addendum, to “applicable privacy laws” shall include the Personal Information Protection and Electronic Documents Act (Canada) or applicable provincial privacy laws that govern the collection, use, or disclosure of personal information or personal health information.
4. TRANSFER OF DATA
Customer Information may be transferred to and stored in the United States for the purposes of providing the Services in accordance with the Terms of Service. When Customer Information is stored or processed in jurisdictions outside of Canada, it may be subject to the laws of and be accessible by legal authorities in such other jurisdictions, including in the United States. CentralReach has taken appropriate technical, organizational, and legal steps to secure this information. Customer warrants and represents it has all legal authority to transfer Customer Information to CentralReach in accordance with the terms of the Service Agreement.
The parties have requested that the Service Agreement, including this Canadian Service Addendum, and all communications and documents relating thereto be expressed in the English language. Les parties ont exigé que la présente convention ainsi que tous les documents s'y rattachant soient rédigés dans la langue anglaise.
Data Protection Schedule
1. Compliance with Laws
CentralReach hereby agrees that in order to carry out its duties and obligations under the Service Agreement, CentralReach may have access to personal information or personal health information as defined in applicable privacy laws (collectively “PI”), and that at all times during the term of the Service Agreement, CentralReach, in dealing with PI, will comply with the requirements of applicable privacy laws, as amended from time to time, relating to PI.
2. Control of and Rights in PI
Control of PI shall at all times remain with Customer. CentralReach acknowledges and agrees that nothing gives CentralReach any right, title or interest in any PI.
3. Access to and Use of PI
CentralReach shall only access and use PI on a need to know basis for the purposes contemplated in the Service Agreement.
4. Return or Destruction of PI
Upon the written request of Customer at any time and for any reason whatsoever, CentralReach will promptly return to Customer all PI in CentralReach's possession and confirm delivery to Customer in writing. Alternatively, if specifically instructed by the Customer in writing, CentralReach shall at any time and for any reason securely dispose of any PI in its possession and confirm such destruction in writing to Customer. If for any reason PI in CentralReach's possession pursuant to the Service Agreement is not returned to Customer or disposed of, as applicable, CentralReach's obligations under this Schedule will continue in force notwithstanding any termination or expiration of the Service Agreement.
5. Disclosure to Third Parties
Except as specifically permitted by the Service Agreement (including, without limitation, pursuant to section 6 of this Schedule below), CentralReach shall not disclose (and will not allow any of its employees, agents or representatives to disclose) in any manner whatsoever any PI to any third party without the prior written consent of Customer and CentralReach hereby acknowledges that such consent will only be provided if: (a) such disclosure is required in order for CentralReach to perform its service obligations pursuant to the Service Agreement; (b) such disclosure is permitted under applicable privacy laws; (c) the third party agrees, in writing, to protect the confidentiality and security of the PI to at least the extent provided by this Schedule; and (d) Customer is otherwise satisfied, in its discretion, with the status, quality and reputation of the third party.
If CentralReach becomes legally compelled to disclose any of the PI, it will to the extent permitted by law provide Customer with prompt written notice thereof prior to disclosure.
6. Employees of CentralReach and CentralReach's Subcontractors Bound
CentralReach and Customer hereby further acknowledge and agree that, in order for CentralReach to fulfill its service obligations under the Service Agreement, CentralReach shall be permitted to grant its employees (or employees of CentralReach's subcontractors) access to PI. CentralReach hereby agrees that:
- it will only make PI available to its employees (or employees of CentralReach's subcontractors) to the minimum extent necessary for the purpose of fulfilling CentralReach's obligations under the Service Agreement; and
- it will cause, or has caused, each of its employees (or employees of CentralReach's subcontractors) providing services on behalf of CentralReach under the Service Agreement to agree, in writing, to protect the confidentiality and security of the PI to at least the extent provided by this Schedule.
CentralReach will properly advise and train each of its employees (or employees of CentralReach's subcontractors) providing services under the Service Agreement of the requirements of CentralReach under this Schedule and applicable privacy laws. CentralReach specifically assumes all responsibility for its employees (or employees of CentralReach's subcontractors) for the breach by any of them of any provisions of this Schedule or such laws. For further clarification, CentralReach will ensure each CentralReach subcontractor signs an agreement to protect and maintain the confidentiality of the PI to the same extent provided for in this Schedule and the Service Agreement.
CentralReach will provide (a) Customer's internal auditor; and/or (b) a nationally recognized Canadian audit firm appointed by Customer, upon fifteen (15) days' prior written notice, with reasonable access to relevant books, records and facilities related to the Service Agreement in order to conduct appropriate audits, examinations and inspections to ensure CentralReach's compliance with this Schedule. Except as otherwise provided below, such audits, examinations and inspections will be conducted at Customer's expense and may be conducted periodically during the term of the Service Agreement, at a frequency as mutually agreed in writing by Customer and CentralReach, but not more than once per year. CentralReach will provide access to information reasonably required by CentralReach's auditors to perform such audits.
CentralReach agrees that, in addition to any other rights or remedies Customer may have for breach of this Schedule, Customer has the right to an injunction or other equitable relief in any court of competent jurisdiction enjoining a threatened or actual material breach of this Schedule by CentralReach.
9. No Withholding
CentralReach shall not be entitled to, and hereby waives forever any and all right to withhold any PI from Customer to enforce any alleged payment obligation or in connection with any dispute relating to the terms of the Service Agreement or any other matter between Customer and CentralReach.
10. Location of the PI
CentralReach may possess and maintain the PI only in Canada or, where permitted by applicable privacy laws, the United States. The PI may not be possessed, stored or maintained at any other location without the prior written consent of Customer. At the written request of Customer, CentralReach shall provide Customer with prompt assistance with the retrieval of PI (for example, to assist with access requests).
11. Security and Segregation of PI
CentralReach shall have in place reasonable policies, procedures and safeguards to protect the confidentiality and security of the PI. CentralReach shall ensure the physical security of the PI by making reasonable security arrangements against such risks as unauthorized access, collection, use, disclosure, disposal, loss or modification. Such security arrangements shall include, without limitation, reasonable technical, physical and administrative safeguards. Without limiting the generality of the foregoing, CentralReach shall take reasonable steps to: (a) ensure that all PI is securely segregated from any information owned by CentralReach or third parties, including access barriers, physical segregation and password authorization; and (b) ensure that procedures are in place to authenticate the identity of individuals and of those persons to whom PI is disclosed.
12. Compliance with Access Requests
If CentralReach receives a request for access to, amendment or correction to, or disclosure of any PI from any person (other than Customer), CentralReach shall promptly advise the applicant to make the request to the Customer and, if Customer has advised CentralReach of the name or title and contact information of a specific official of Customer to whom such requests are to be made, CentralReach shall also promptly provide that official's name or title and contact information to the applicant.
13. Breach Notification
CentralReach shall promptly notify Customer in writing in the event CentralReach becomes aware of, or reasonably suspects, any unauthorized or improper access to, use of or disclosure of any PI. CentralReach agrees to comply with all reasonable requests from Customer in relation to such breach and, in consultation with Customer and subject to any directions from Customer, take all reasonable steps to mitigate any harmful effect resulting from any such unauthorized access to, use or disclosure of PI.
14. Assistance with Complaints/Investigations
CentralReach shall co-operate with, and assist in, any investigation of a complaint that any PI has been collected, used or disclosed contrary to applicable privacy laws, whether such investigation is conducted by Customer or a body having the legal authority to conduct the investigation. For greater certainty, the foregoing shall apply in respect of any formal or informal review or investigation conducted by an Information and/or Privacy Commissioner.
15. Privacy Representative
CentralReach has appointed a representative to be responsible for its compliance with this Schedule, Perry Pappas, the Chief Compliance Office of CentralReach (the "Privacy Representative"). The Privacy Representative may be reached out email@example.com. CentralReach may designate an alternative individual to serve as the Privacy Representative by updating this section of this Schedule or by providing written notice to the Customer.