Data Processing and Business Associate Agreement (“DP-BAA” or “Agreement”)
This Agreement is entered into by and between:
This Agreement is effective upon acceptance via clickwrap or electronic signature and is entered into to ensure compliance with the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the U.S. Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), and other applicable data protection regulations.
1. Purpose and Scope
This Agreement governs the Processing of Personal Data and Protected Health Information (“PHI”) by Medit on behalf of the Data Controller (Covered Entity) in connection with the use of Medit’s cloud-based services, including the Medit Link platform and associated applications.
2. Definitions
Unless otherwise defined in this Agreement, capitalized terms shall have the meanings set forth in the GDPR or HIPAA, as applicable.
(a) PHI: Protected Health Information as defined in 45 CFR 160.103.
(b) Personal Data: Any information relating to an identified or identifiable natural person under GDPR.
(c) Sub-processor/Subcontractor: Any third party engaged by Medit to further process Personal Data or PHI on behalf of Medit, including cloud providers, vendors, or service providers.
(d) Supervisory Authority: The competent data protection authority under GDPR.
(e) SCCs: Standard Contractual Clauses approved by the European Commission for cross-border transfers of Personal Data.
(f) Services: Medit’s provision of the Medit Link platform and related services.
3. Obligations of Medit
Medit agrees to:
(a) Process PHI and Personal Data only on documented instructions from the Controller, including those set forth in this Agreement and the Medit Terms of Service (the “Terms”);
(b) Implement appropriate technical and organizational measures to protect PHI and Personal Data in accordance with the HIPAA Security Rule and GDPR Article 32;
(c) Ensure all persons authorized to process such data are bound by confidentiality obligations;
(d) Notify the Controller without undue delay of any personal data breach or security incident;
(e) Assist the Controller in responding to:
- Data subject requests under GDPR (e.g., access, rectification, erasure, restriction, portability, objection);
- Individual access or amendment requests under HIPAA;
(f) Provide access to internal practices, policies, and documentation as necessary for the Controller, the U.S. Department of Health and Human Services (HHS), and EU Supervisory Authorities to assess compliance;
(g) Not engage any Sub-processor without prior notice to the Controller and an opportunity for the Controller to object, which may be satisfied by maintaining and publishing a list of approved Sub-processors and providing updates of any changes. Sub-processors will be bound by obligations equivalent to this Agreement, including HIPAA and GDPR requirements where applicable;
(h) Maintain a record of all categories of processing activities carried out in accordance with GDPR Article 30(2) and assist with Data Protection Impact Assessments in accordance with GDPR Article 35.
4. Cross-border Transfers
MEDIT may transfer Personal Data outside the EEA or U.S. only with implementation of appropriate safeguards under GDPR, including Standard Contractual Clauses (SCCs) or adequacy decisions and, where required by applicable law, with prior notice to the Controller. Where such transfers involve Sub-processors located abroad, MEDIT shall provide information regarding such transfers to the Controller upon request.
5. Responsibilities of the Controller (Dental Provider)
The Controller agrees to:
(a) Obtain all required patient consents, authorizations, and notices under HIPAA and GDPR prior to uploading data to Medit Link;
(b) Notify Medit of any changes in consent, access restrictions, or privacy practices;
(c) Ensure its use of Medit services is compliant with applicable law;
(d) Indemnify Medit from liabilities arising from failure to obtain valid consents or authorizations.
6. Audit and Inspection
MEDIT shall allow reasonable audits by the Controller or an appointed third party, no more than once annually unless required by law or a verified security incident.
7. Return or Deletion of Data
Upon termination or expiration of the Services or upon the Controller’s written request, MEDIT shall, at the Controller’s option, delete or return all Personal Data and PHI and certify in writing the completion of such deletion, unless retention is required by law. Secure deletion shall be performed using industry-standard methods to ensure non-recoverability.
8. Term and Termination
This Agreement shall remain in effect for as long as MEDIT processes Personal Data or PHI on behalf of the Controller. Either Party may terminate this Agreement with immediate effect upon knowledge of a material breach. The provisions of Sections 3(c) (Confidentiality), 7 (Return or Deletion of Data), 6 (Audit and Inspection), 10 (Governing Law), and 5(d) (Indemnification) shall survive termination of this Agreement, together with any other provisions which by their nature are intended to survive.
9. Limitation of Liability
Except to the extent prohibited by applicable law, Medit’s aggregate liability under this Agreement shall be subject to the limitations of liability set forth in the Medit Terms of Service.
Nothing in this Agreement shall limit Medit’s liability for:
(a) willful misconduct or gross negligence;
(b) breach of confidentiality obligations;
(c) failure to comply with its data return or deletion obligations under Section 7; or
(d) violations of applicable data protection laws to the extent such liability cannot be limited under law.
The Controller’s indemnification obligations under Section 5(d) shall not be limited by this Section.
10. Governing Law
This Agreement shall be governed by and construed in accordance with the laws applicable to Medit's role as a Processor and Business Associate, including the GDPR, HIPAA, and relevant implementing laws in the U.S. and EEA. Any ambiguity shall be resolved in favor of a meaning that ensures compliance with applicable privacy laws.
11. Miscellaneous
This Agreement forms an integral part of the main service agreement(s) between the Parties. In case of conflict, this Agreement shall prevail with respect to data protection and privacy matters. Any amendments must be in writing and signed by authorized representatives of both Parties.
12. Acceptance
By checking the box or clicking “I Agree” (whether during the registration process or through any other clickwrap mechanism provided within the Services), the Controller acknowledges and agrees to be bound by the terms of this Data Processing and Business Associate Agreement (DP-BAA). No physical signature is required, and such electronic acceptance shall have the same legal force and effect as a handwritten signature.