Confidential

Data Processing Agreement

  1. SECTION II - OBLIGATIONS AND ACTIVITIES OF BUSINESS ASSOCIATE
    1. Performance of Services. To the extent that the provision of Maven’s services under the Underlying Agreement renders Maven a Business Associate, as defined by HIPAA, Business Associate, its agents and employees (collectively referred to as “Business Associate”) agrees not to use or further disclose PHI other than as permitted or required by this BAA or as Required by Law.
    2. Safeguards for Protection of PHI. In accordance with 45 CFR Part 164, Subpart C, Business Associate shall develop, implement, maintain and use appropriate administrative, technical and physical safeguards to prevent the use or disclosure of PHI, in any form or media, received from, or created or received by Business Associate on behalf of, Covered Entity, other than as provided for by this BAA. Business Associate shall document and keep such security measures current.
    3. Reporting of Unauthorized Use and/or Security Breach. Business Associate will promptly report to Covered Entity any breach of security or use or disclosure of PHI, including breaches of unsecured PHI, as required by 45 CFR §164.410, upon becoming aware of such breach and in no case later than thirty (30) calendar days after discovery. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a security breach or use or disclosure of PHI by Business Associate in violation of the requirements of this BAA.
    4. Responding to and Reporting Security Incidents. Business Associate shall implement policies and procedures to address Security Incidents. Such policies and procedures shall include provisions for identifying and responding to suspected or known Security Incidents, mitigating, to the extent practicable, harmful effects of Security Incidents that are known to the Business Associate, and documenting Security Incidents and their outcomes. Business Associate shall promptly notify Covered Entity of any Security Incident of which it becomes aware, in accordance with 45 CFR §164.314; provided, however, the obligation to report a Security Incident shall not include the reporting of immaterial incidents such as unsuccessful attempts to penetrate Business Associate’s information systems.
    5. Use of Subcontractors. Business Associate agrees to ensure that any agent and/or subcontractor, to whom it provides PHI received from, or created or received by Business Associate, on behalf of Covered Entity, and who creates, maintains, or transmits PHI on behalf of Business Associate, adheres to the same restrictions and conditions that apply through this BAA to Business Associate with respect to such information.
    6. Access to PHI. Business Associate agrees to provide access to PHI in a Designated Record Set in order to meet the requirements under 45 CFR §164.524. In the event that Business Associate, in connection with the services, uses or maintains an Electronic Health Record of information of or about an Individual, then Business Associate shall upon request by Covered Entity or the Individual provide an electronic copy of the PHI to the Covered Entity or to the Individual or a third party designated by the Individual, all in accordance with 45 CFR §164.524(c)(2)(ii).
    7. Amendments by Business Associate. Business Associate agrees to make available for amendment and incorporate any amendment(s) to PHI in a Designated Record Set that the Covered Entity directs or agrees to pursuant to 45 CFR §164.526.
    8. Access by DHHS. Business Associate agrees to make its internal practices, books and records including policies and procedures and PHI relating to the use and disclosure of PHI received from, or created or received by Business Associate on behalf of, Covered Entity available to the Secretary for the purposes of the Secretary determining Covered Entity’s and Business Associate’s compliance with HIPAA and its implementing regulations.
    9. Accounting of Disclosures. Business Associate agrees to document disclosures of PHI and information related to such disclosures and to make an accounting of disclosures available to Covered Entity, or take other measures as reasonably necessary to satisfy Covered Entity’s obligations under 45 CFR §164.528.
    10. Carrying Out Obligations of Covered Entity. To the extent Business Associate is to carry out Covered Entity’s obligations under 45 CFR Part 164, Subpart E, Business Associate shall comply with the requirements of such Subpart that apply to the Covered Entity in the performance of such obligations.
    11. Security of Electronic PHI. Business Associate shall develop, implement, maintain and use appropriate administrative, technical and physical safeguards to preserve the confidentiality, integrity and availability of all electronic PHI received from, or created or received by Business Associate, on behalf of Covered Entity, which pertains to an Individual. Business Associate shall comply with the requirements set forth in 45 CFR §§164.306, 164.308, 164.310, 164.312, 164.314 and 164.316.
    12. Electronic Transactions and Code Set Standards. If Business Associate conducts any Standard Transaction for, or on behalf of, Covered Entity, Business Associate shall comply, and shall require any subcontractor or agent conducting such Standard Transaction to comply, with each applicable requirement of 45 CFR Part 162.
  2. SECTION III - PERMITTED USES AND DISCLOSURES BY BUSINESS ASSOCIATE
    1. General. Except as otherwise limited in this BAA or as provided in Section 3.2, Business Associate may use or disclose PHI to perform functions, activities, or services for, or on behalf of, Covered Entity as specified in the Underlying Agreement, provided that such use or disclosure would not violate HIPAA if done by the Covered Entity or the “minimum necessary” policies and procedures of the Covered Entity. Except as permitted by this BAA, Covered Entity shall not request or require Business Associate to use or disclose PHI in any manner that would not be permissible under HIPAA if done by the Covered Entity.
    2. Specific. Except as otherwise limited in this BAA, Business Associate may use PHI if necessary for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate. Except as otherwise limited in this BAA, Business Associate may disclose PHI if necessary to carry out the legal responsibilities of the Business Associate, provided that disclosure is required by law, or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and used or further disclosed only as required by law or for the purpose for which it was disclosed to the person, and the person notifies the Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached. Except as otherwise limited in this BAA, Business Associate may use PHI to provide Data Aggregation services to Covered Entity as permitted by 45 CFR §164.504(e)(2)(i)(B). Business Associate may use PHI to report violations of law to appropriate Federal and State authorities, consistent with 45 CFR §164.502(j)(1).
    3. De-identification. Except as otherwise limited in this BAA, Business Associate may de-identify PHI provided that the de-identification conforms to the requirements of the Privacy and Security Standards. The parties acknowledge and agree that de-identified data does not constitute PHI and is not subject to the terms of this BAA. Business Associate may use and disclose de-identified health information for any purpose permitted by law.
    4. Minimum Necessary. Business Associate shall request, use and/or disclose only the minimum amount of PHI necessary to accomplish the purpose of the request, use and/or disclosure.
  3. SECTION IV - OBLIGATIONS OF COVERED ENTITY
    1. Permissible Requests. Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under HIPAA if done by Covered Entity (except as permitted by Article 3 of this BAA).
    2. Minimum Necessary. When Covered Entity discloses PHI to Business Associate, Covered Entity shall provide the minimum amount of PHI necessary for the accomplishment of Business Associate’s purposes under the Underlying Agreement.
    3. Permissions; Restrictions. Covered Entity warrants that it has obtained and will obtain any consents, authorizations and/or other legal permissions required under HIPAA and other applicable law for the disclosure of PHI to Business Associate. Covered Entity shall notify Business Associate of any changes in, or revocation of, the permission by an Individual to use or disclose his or her PHI, to the extent that such changes may affect Business Associate’s use or disclosure of PHI. Covered Entity shall not agree to any restriction on the use or disclosure of PHI under 45 CFR §164.522 that restricts Business Associate’s use or disclosure of PHI under the Underlying Agreement unless such restriction is Required by Law or Business Associate grants its written consent.
    4. Notice of Privacy Practices. Except as Required by Law, with Business Associate’s consent, or this BAA, Covered Entity shall not include any limitation in the Covered Entity’s notice of privacy practices that limits Business Associate’s use or disclosure of PHI under any other agreement between the parties.
  4. SECTION V - TERM/TERMINATION
    1. Term. The term of this BAA shall be effective as of the Effective Date stated below and shall terminate upon the termination of the Underlying Agreement.
    2. Effect of Termination.
      1. Upon termination of this BAA for any reason, Business Associate, with respect to PHI received from Covered Entity, or created, maintained, or received by Business Associate on behalf of Covered Entity, shall:
        1. Retain only that PHI which is necessary to carry out its legal responsibilities;
        2. Return to Covered Entity (or, if agreed to in writing by Covered Entity, destroy) the remaining PHI that Business Associate still maintains in any form;
        3. Continue to use appropriate safeguards and comply with 45 CFR Part 164 Subpart C with respect to electronic PHI to prevent use or disclosure of the PHI, other than as provided for in this Subsection, for so long as Business Associate retains the PHI;
        4. Not use or disclose PHI retained by Business Associate other than for the purposes for which such PHI was retained and subject to the same conditions set forth in Section 3.2 that applied prior to termination; and
        5. Return to Covered Entity (or, if agreed to in writing by Covered Entity, destroy) the PHI retained by Business Associate when it is no longer needed by Business Associate to carry out its legal responsibilities.
      2. In the event that Business Associate determines that returning or destroying the PHI is infeasible, Business Associate shall provide to Covered Entity notification of the conditions that make return or destruction infeasible. Upon mutual agreement of the parties in writing that return or destruction of PHI is infeasible, Business Associate shall extend the protections of this BAA to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such PHI.
  5. SECTION VI - MISCELLANEOUS
    1. Priority of BAA. If any portion of this BAA is inconsistent with the terms of the Underlying Agreement, the terms of this BAA shall prevail. Except as set forth above, the remaining provisions of the Underlying Agreement shall remain unchanged.
    2. Documentation. Both parties shall retain all documentation required by HIPAA for six (6) years from the date of its creation or the date when the document was last in effect, whichever is later.
    3. Construction. This BAA shall be construed as broadly as necessary to implement and comply with ARRA and the HIPAA regulations. The parties agree that any ambiguity in this BAA shall be resolved in favor of a meaning that complies and is consistent with ARRA and HIPAA regulations.
    4. Modification of BAA. The parties recognize that this BAA may need to be modified from time to time to ensure consistency with amendments to and changes in applicable federal and state laws and regulations, including, but not limited to HIPAA. The parties agree to execute any additional amendments to this BAA reasonably necessary for each Party to comply with HIPAA. This BAA shall not be waived, amended or altered, in whole or in part, except in writing signed by the parties.

This Data Processing Agreement including its schedules (the "DPA") is incorporated into and forms part of the agreement between the Customer and Maven Clinic, Co. ("Maven") under which Maven provides the Services (the "Agreement"). Unless otherwise defined herein, capitalized terms used in this DPA have the same meaning given to them under the Agreement. Customer enters into this DPA on behalf of itself and, to the extent required under Applicable Data Protection Laws, in the name and on behalf of its Affiliates permitted to use the Services under the Agreement.


WHEREAS, in connection with providing services to Customer under the Agreement, Maven will have access to and will process for or on behalf of Customer, Personal Data owned and belonging to Customer;


WHEREAS, the Parties wish to enter into this DPA in connection with their respective obligations under Data Protection Laws;


NOW THEREFORE, in consideration of the mutual covenants and promises contained herein, and for other good and valuable consideration, the sufficiency of which is hereby acknowledged, the Parties agree that the terms and conditions set forth below shall be added to the Agreement:

  1. DEFINITIONS. For purposes of this DPA, the following terms shall have the meanings set out below. Capitalized terms used in this DPA but not defined herein shall have the meanings given to them in the Agreement.


    “Applicable Data Protection Laws” means any data protection or privacy laws applicable to Maven’s Processing of Personal Data pursuant to the Agreement, including (as applicable, based on the location of Customer and/or the Data Subject):


    1. the (i) California Consumer Privacy Act, as amended by the California Privacy Rights Act (“CCPA”), (ii) Virginia Consumer Data Protection Act, (iii) Colorado Privacy Act, (iv) Connecticut Data Privacy Act, (v) Utah Consumer Privacy Act, (vi) Oregon Consumer Privacy Act, (vii) Texas Data Privacy and Security Act, (viii) Montana Consumer Data Privacy Act and (ix) once effective, similar comprehensive privacy laws in other U.S. states (together, “U.S. Data Protection Laws”);
    2. the General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”) and any applicable national implementing laws;
    3. the UK General Data Protection Regulation (“UK GDPR”) and the UK Data Protection Act 2018 (“UK DPA”); and
    4. Canada’s Personal Information Protection and Electronic Documents Act 2000 (“PIPEDA”).

    “Personal Data” means any information relating to an identified or identifiable natural person that Maven receives or obtains directly from and processes at the direction of Customer in connection with the Services performed under the Agreement.


    “Personal Data Breach” shall have the meaning as defined under Applicable Data Protection Laws.


    “Processing” shall have the meaning as defined under Applicable Data Protection Laws.


    “SCCs” means the standard contractual clauses for Processors annexed to the European Commission’s Decision (EU) 2021/914 of 4 June 2021, available at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj; as may be amended, superseded or replaced.


    “Subprocessor” means any third party that Maven engages to process Personal Data in order to provide the Services.

  2. ROLES AND SCOPE OF PROCESSING.
    1. Scope. This DPA applies to the extent that Maven processes any Personal Data as described in Schedule 1 of this DPA.
    2. Role of the Parties. The Parties agree that, for purposes of this DPA, Client is a controller or business (as applicable) with respect to the processing of the Personal Data, and Maven will process the Personal Data only as a processor or service provider (as applicable) on behalf of and pursuant to the instructions of Client. Each Party will comply with all laws, rules and regulations applicable to it in the performance of this DPA, including any Applicable Data Protection Laws.
    3. Description of Processing. The subject matter of the data processing is the performance of the Services as described in the Agreement. Schedule 1 of this DPA sets out the nature, duration, and purpose of the processing (the “Permitted Purposes”), the types of Personal Data that Maven processes, and the categories of data subjects whose Personal Data is processed.
    4. Customer Obligations. Customer agrees to:
      1. not instruct Maven to use or disclose Personal Data in any manner that would not be permissible under Data Protection Laws if done directly by Customer;
      2. provide to Maven the minimum amount of Personal Data necessary for the accomplishment of the processing purpose;
      3. warrant that it has obtained and will obtain any consents, authorizations, and/or other legal permissions required under Data Protection Laws and other Applicable Law for the disclosure of Personal Data to Maven. Customer will notify Maven of any changes in, or revocation of, the permission by a data subject to use or disclose his or her Personal Data, to the extent that such changes may affect Maven’s use or disclosure of Personal Data; and
      4. not impose any restriction on the use or disclosure of Personal Data that will restrict Maven’s use or disclosure of Personal Data under the Agreement or this DPA unless such restriction is required by Applicable Law or Maven grants its written consent, which consent will not be unreasonably withheld.
  3. DATA SECURITY.
    1. Technical and Organizational Measures. Maven will implement and maintain appropriate technical and organizational measures designed to protect the Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, damage, theft, alteration, or disclosure, as set forth in Schedule 2.
    2. Personal Data Breach. As required by Applicable Data Protection Laws, Maven will provide notice to Client upon confirming any Personal Data Breach, within the time period required by law but in no event later than 72 hours after confirming such Personal Data Breach. Such notice shall include the information required under Applicable Data Protection Laws to the extent such information is reasonably available to Maven. Maven’s response to, or notice of, a Personal Data Breach is not an acknowledgment by Maven of any fault or liability. Maven agrees to investigate any Personal Data Breach, and use commercially reasonable efforts to identify, prevent, mitigate, and remedy the effects.
    3. Audits. Maven shall, upon Customer’s reasonable request, provide Customer with reports of qualified, independent third-party audits and validation of Maven’s technical and organizational measures (collectively, “Audit Reports”). To the extent Customer’s audit requirements under Applicable Data Protection Laws cannot reasonably be satisfied through the Audit Reports, documentation, or other compliance information generally available to Maven’s Customers, Maven will promptly respond to Customer’s additional reasonable security or audit questionnaires, provided that Customer does not exercise this right more than once annually (unless Customer is required to provide this information to a data protection authority, or Maven has experienced a Personal Data Breach).
  4. DATA SUBJECT REQUESTS. Maven will promptly notify Customer if it receives a Data Subject Request. Unless otherwise required by Data Protection Laws, Maven will not respond to a Data Subject Request, other than directing the data subject to Customer. Maven shall provide Customer with reasonable cooperation to assist Customer to fulfill any Data Subject Requests relating to the processing of Personal Data under this DPA.
  5. DATA TRANSFERS. Customer acknowledges and agrees that Maven may transfer and process Personal Data to and in the United States and anywhere else in the world where Maven operates. Maven shall at all times ensure such transfers are made in compliance with the requirements of Applicable Data Protection Laws and this DPA, including the provisions of Section 8 below regarding transfers.
  6. SUB-PROCESSORS. Customer provides a general authorization to Maven to engage Subprocessors to provide services on its behalf, including those Subprocessors listed in Schedule 3. Where Maven subcontracts its obligations under the Agreement, Maven must take steps to ensure that each Subprocessor provides sufficient guarantees that it will comply with Data Protection Laws and this DPA. Maven shall enter into a written agreement with the Subprocessor incorporating terms which are no less protective than those set out in this DPA, and Maven will remain responsible for the performance of this DPA by any such Subprocessor.
  7. JURISDICTION-SPECIFIC TERMS.
    1. Europe. In connection with the Services, the Parties anticipate that Maven (and its Subprocessors) may process outside of the European Economic Area (“EEA”) certain Personal Data protected by the GDPR. In such instances, the Parties agree that such processing shall be supported by the following adequacy mechanisms (to the extent still supported and applicable), in order of priority: (a) Maven’s participation in the EU-U.S. Data Privacy Framework; and (b) the SCCs, as detailed below. To the extent that there is any conflict between such mechanisms, the Data Privacy Framework shall prevail, to the extent it is still supported and applicable.
      1. SCCs. To the extent the SCCs apply, they shall apply completed as follows:
        1. Module Two shall apply.
        2. In Clause 7, the optional docking clause shall apply.
        3. In Clause 9, option 2 (General Written Authorization) shall apply.
        4. In Clause 11, the optional independent dispute resolution clause shall apply, as specified in more detail in Maven’s privacy policy.
        5. In Clause 17, option 1 shall apply, using the law of Ireland.
        6. In Clause 18(b), disputes shall be resolved as set forth in the Agreement, or, if that jurisdiction is not an EU Member State, then in the courts of Ireland.
        7. Annex 1 shall be deemed completed with the information in Schedule 1 of this DPA, with Customer serving as Data Exporter and Maven as Data Importer.
        8. Annex 2 shall be deemed completed with the information in Schedule 2 of this DPA.
    2. United Kingdom.
      1. In relation to Personal Data that is protected by the UK GDPR, the SCCs, completed as set out above in Section 7.1.1 of this DPA, shall apply to transfers of such Personal Data, except that:
      2. The SCCs shall be deemed amended as specified by the UK Addendum issued by the UK Information Commissioner’s Office, which shall be deemed executed between Customer and Maven;
      3. Any conflict between the terms of the SCCs and the UK Addendum shall be resolved in accordance with Section 10 and Section 11 of the UK Addendum;
      4. For the purposes of the UK Addendum, Tables 1 to 3 in Part 1 of the UK Addendum shall be deemed completed using the information contained in Schedules 1 and 2 of this DPA; and
      5. Table 4 in Part 1 of the UK Addendum shall be deemed completed by selecting “neither party.”
    3. California. Customer and Maven agree that: (i) Maven shall not retain, use or disclose the Personal Data for any purpose other than the Permitted Purposes; (ii) Personal Data was not “sold” to or “shared” with Maven and Maven will not “sell” or “share” the Personal Data (as defined by the CCPA); and (iii) Maven shall not retain, use or disclose the Personal Data outside of the direct business relationship between Customer and Maven.
  8. LIMITATIONS OF LIABILITY. Each Party’s liability, taken together in the aggregate, arising out of or related to this DPA (including the SCCs) whether in contract, tort or under any other theory of liability, shall be subject to the limitations and exclusions of liability in the Agreement, and any reference in provisions to the liability of a party means the aggregate liability of that party and all of its Affiliates under and in connection with the Agreement and this DPA together.

SCHEDULE 1: DETAILS OF PROCESSING

Categories of Data Subjects:
Customer’s employees and their dependents.


Categories of Personal Data:
Customer’s Eligibility File, which may contain some or all of the following Personal Data, depending on which Maven services are covered:

  • Employee ID number
  • Employee business email address
  • First and last name
  • Date of birth
  • Home address
  • Gender
  • Employee office state location
  • Employee office country location
  • Employee start date
  • Employee eligibility date
  • Medical plan name
  • Insurer name
  • Coverage level
  • Dependent id(s)

Nature and Purpose of Processing:
Customer shall send Maven a file which will contain the information of those Customer employees and their dependents deemed eligible to register for Maven’s services (“Eligibility File”). Maven shall use the Eligibility File to determine whether individual data subjects are eligible for the Services, or otherwise as instructed by Customer.

Duration of Processing:
For the duration of the Services.

SCHEDULE 2: TECHNICAL AND ORGANISATIONAL MEASURES

Maven (the “Data Recipient”) shall at all times implement and maintain the security measures identified below:

  • Minimum Requirements: the pseudonymisation and encryption of the Personal Data where appropriate and feasible; the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
  • Backup: the ability to restore the availability and access to the Personal Data in a timely manner in the event of a physical or technical incident;
  • Testing: a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing;
  • Physical Access Control: the prevention of unauthorised persons gaining access to data processing systems;
  • Logical Access Control: the prevention of data processing systems being used without authorization;
  • Data Access Control: ensuring that persons entitled to use a data processing system gain access only to such Personal Data as they are entitled to access in accordance with their legitimate access rights, and that, in the course of processing or use and after storage, Personal Data cannot be read, copied, modified or deleted without authorization;
  • Data Transfer Control: ensuring that the Personal Data cannot be read, copied, modified or deleted without authorization during electronic transmission, transport or storage on storage media, and that the target entities for any transfer of the Personal Data by means of data transmission facilities can be established and verified;
  • Entry Control: ensuring the establishment of an audit trail to document whether and by whom the Personal Data have been entered into, modified in, or removed from data processing systems;
  • Control of Instructions: ensuring that the Personal Data is processed solely in accordance with Customer’s instructions;
  • Cyber security: ensuring measures to secure and defend Personal Data against "hackers" and others who may seek to modify the Services or the data therein without the consent of Data Recipient or Customer, and to correct the Services to its original form in the event that it is modified without Customer’s consent;
  • Audit: Data Recipient shall, upon Customer’s reasonable request, provide Customer, or its representatives, reports of qualified, independent third-party audits and validation of Data Recipient’s privacy and security measures (collectively, “Audit Reports”). Customer will provide Data Recipient with a written report of any non-compliance with this Schedule 2 and Data Recipient agrees to promptly remedy any such non-compliance. To the extent Customer’s audit requirements under Applicable Laws cannot reasonably be satisfied through Audit Reports, documentation or compliance information Data Recipient generally makes available to its customers, Data Recipient will promptly respond to Customer's additional reasonable audit requests. Before the commencement of an audit, Customer and Data Recipient will mutually agree upon the scope, timing, duration, and control and evidence requirements. To the extent needed to perform the audit, Data Recipient will make the processing systems, facilities and supporting documentation relevant to the Processing of Personal Data by Data Recipient available. Customer shall not have access to any data from Data Recipient's other customers or to Data Recipient's systems or facilities not involved in the processing of Customer's Personal Data.
  • Physical Security: Data Recipient must maintain and enforce at Data Recipient’s physical sites safety and physical security procedures that are at least equal to best industry standards and practices for such types of service locations. Specifically:
    1. Physical access granted via badge access at a minimum.
    2. Physical access must be restricted and recorded, and access allowed on a need-to-know basis.
    3. Ensure background check procedure for all personnel accessing data processing systems.
    4. (i) ensure restriction of physical access to the data processing systems (including its information systems, equipment and the respective operating environments) to authorized employees only; (ii) adequately protect the physical plant and contained supporting infrastructure environment for information systems; (iii) provide supporting utilities for information systems; (iv) protect information systems against environmental hazards; and (v) provide appropriate environmental controls in facilities containing information systems.
    5. Ensure restriction of physical access to (network and server) equipment and other infrastructural systems and devices used for rendering the Services to specified employees only and must adequately monitor these restrictions.
  • Information Protection Policy: Data Recipient must maintain an information protection/security policy and ensure on-going compliance controls are enabled according to SOC2 or NIST security standards.
  • Logging Information: ensuring that security and audit logs are retained for 360 days and that access to security logs is restricted to authorized persons.
  • External Penetration Testing: Data Recipient must validate their security controls using a third-party auditor at least once a year and after changes to the infrastructure that may impact Confidentiality, Integrity and Availability principles set forth by Art. 32 of GDPR.

SCHEDULE 3: SUBPROCESSORS

LIST OF SUB-PROCESSORS

A current list of Maven Clinic’s sub-processors can be found at: https://www.mavenclinic.com/subprocessors.

Last updated: Aug 01, 2025
