This Data Processing Addendum (this “DPA”) forms part of the Wellable Terms and Conditions, or other agreement governing the use of Wellable’s services (“Agreement” and “Services”, respectively) entered by and between you (“you”, “your”, “Customer”) and Wellable, LLC (Wellable”). Wellable and Customer are referred to individually as a “Party” and together as the “Parties.” This DPA sets out the terms that apply with regard to the Processing of Personal Data (as defined below) by Wellable, on behalf of Customer, in the course of providing the Wellable Services to Customer under the Agreement.

The terms used in this Addendum have the meanings set forth in this Addendum. Capitalized terms not otherwise defined herein have the meaning given to them in the Agreement. Except as modified below, the terms of the Agreement remain in full force and effect.

In consideration of the mutual obligations set out herein, the Parties hereby agree that the terms and conditions set out below will be incorporated into the Agreement. Except where the context requires otherwise, references in this Addendum to the Agreement are to the Agreement as amended by, and including, this Addendum.

  1. Definitions

    1. Affiliate means any entity that directly or indirectly controls, is controlled by or is under common control with the subject entity. Control for the purposes of this definition means direct or indirect ownership or control of at least 50%.

    2. Applicable Law(s) means all applicable data protection, privacy and electronic marketing legislation, including (as applicable) the GDPR, UK’s Data Protection Act 2018 and Privacy and Electronic Communications (EC Directive) Regulations 2003, Australian Privacy Act 1988 and the Australian Privacy Principles enshrined therein, CCPA, as well as any equivalent laws anywhere in the world, to the extent any such laws apply to Personal Data to be processed hereunder by Processor.

    3. CCPA means the California Consumer Privacy Act of 2018, Cal. Civ. Code §§ 1798.100 et. seq.

    4. The terms, Commission, Data Subject, Member State, Personal Data Breach, Process/Processing, Controller, Processor, and Supervisory Authority shall have the same meanings given to them in the GDPR. The terms Business, Business Purpose, Consumer and Service Provider shall have the same meaning as in the CCPA.

    5. GDPR means EU General Data Protection Regulation 2016/679 and any subsequent amendments, replacements or supplements.

    6. Personal Data means any Personal Data processed by Wellable on behalf of Customer pursuant to or in connection with the Wellable Services (defined below).

    7. Data Privacy Framework Principles means the EU-US and Swiss-US Data Privacy Framework Principles issued by the US Department of Commerce and approved by the European Commission, and any subsequent amendments, replacements or supplements.

    8. Sub Processor means any third party engaged directly by Wellable to Process any Personal Data pursuant to or in connection with Wellable Services. The term shall not include employees or contractors of Wellable.

    9. Wellable Services means any services provided by Wellable to Customer, including, without limitation, any software or platform services, pursuant to an agreement, purchase order, license or subscription.

  2. Scope of Processing

    1. Wellable shall Process Personal Data as described hereto:

      1. Nature and purpose of the processing: Access to Wellable’s Wellness Platform for management of employee wellness challenges and data aggregation for Customer.

      2. Duration of the processing: as long as Wellable Services are provided.

      3. Types of personal data processed: Employee First Name, Last Name, and Email Address are the only data fields that are required to create a Wellable User Account. Employees have the option to identify their year of birth, gender, height, and weight. Other data being processed will be determined by Customer. Wellable is an employee well-being company, so Customer may limit their program to just steps but may also expand into tracking distance traveled, other physical activities, nutrition, and other well-being metrics. Employees may connect third-party apps and devices that track fitness and nutrition data. For avoidance of doubt, no clinical data or personal health information, such as heart rate or blood pressure, is captured or stored in Wellable.

    2. Wellable shall Process Personal Data as a Processor acting on behalf of Customer as the Controller of such Personal Data. For the purposes of the CCPA (and to the extent applicable), Wellable is the “Service Provider” and Customer is the “Business”. With respect to Processing of Personal Data described in this Section 2.2, the terms “Controller” and “Processor” below hereby signify Customer and Wellable, respectively.

    3. Customer hereby agrees that Wellable Process Personal Data only for the limited purposes of providing Wellable Services and solely for the benefit of Customer.

    4. Wellable shall only Process the Personal Data in accordance with, (i) the terms of this DPA, (ii) the terms of the existing Agreement between the Parties, (iii) solely on Customer’s documented instructions, unless Processing is required by Applicable Laws, and (iv) in compliance with all Applicable Laws.

    5. Wellable shall notify Customer without undue delay if Wellable determines that it can no longer meet Customer’s instructions or its obligations under this DPA.

  3. Subprocessing

    1. Wellable shall not subcontract any Processing of Personal Data to any third party without prior written consent of Customer regarding each such subcontracting activity and third party. Notwithstanding the foregoing, Customer authorizes Wellable to engage a Sub Processor for the limited purposes of Processing Personal Data as strictly necessary for the fulfillment of Wellable’s obligations under the Agreement, provided that Wellable:

      1. Conducts the level of due diligence necessary to ensure that such Sub Processor is capable of meeting the requirements of this DPA and any Applicable Laws; and

      2. Ensures that the arrangement between the Wellable and the Sub Processor is governed by a written contract binding on the Sub Processor, which requires a Sub Processor to Process Personal Data in accordance with this DPA or standards that are no less onerous than this DPA.

    2. Wellable shall remain fully liable to Customer at all times for the performance of that Sub Processor’s obligations.

    3. Customer herewith agrees to the following subprocessors:

      Processing Location
      Amazon Web Services
      On-demand cloud services (hosting and data warehouses)
      Project management application to address development-related support requests
      Microsoft Corporation
      Internal communications platform via Microsoft Teams and Microsoft Outlook
      Sendbird, Inc.
      Chat/Messaging application for user communication
      SendGrid, Inc.
      E-mail delivery service (sending transactional emails related to program communications)
      Zendesk, Inc.
      User support platform (receiving and tracking customer support tickets)
      Zoom Video Communications, Inc.
      Teleconferencing platform to stream webinars and other well-being events for customers
  4. Security

    1. Wellable shall maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk presented by the Processing of Personal Data including, without limitation:

      1. The pseudonymization and/or encryption of Personal Data, in transit and at rest;

      2. The ability to ensure the on-going confidentiality, integrity, availability, and resilience of Processing systems and services;

      3. The ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and

      4. A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the Processing.

    2. In assessing the appropriate level of technical and organizational measures, Wellable shall take into account the risks that are presented by the Processing, including the risks of a Personal Data Breach, through accidental or unlawful loss, destruction, alteration, unauthorized disclosure of or access to Personal Data.

    3. Wellable shall keep records of its Processing activities performed on behalf of Customer, which shall include at least:

      1. The details of the Wellable as Personal Data Processor, any representatives, Sub Processors, data protection officers and Wellable Personnel having access to Personal Data;

      2. The categories of Processing activities performed;

      3. Information regarding Cross-Border Data Transfers (as further specified in Section 11 of this DPA), if any; and

      4. Description of the appropriate technical and organizational security measures implemented in respect of the Processed Personal Data.

    4. Without derogating from Customer’s Audit Rights under Section 10, Customer reserves the rights to inspect the records maintained by Wellable under this Section 4 at any time.

  5. Data Subject Rights

    1. Wellable shall reasonably assist Customer in responding to requests to exercise Data Subject rights or Consumer rights (including any complaints regarding the Processing of Personal Data) under Applicable Laws, including, without limitation, EU Data Protection Laws, CCPA and Data Privacy Framework Principles (“Data Subject Request(s)”).

    2. Wellable shall:

      1. Promptly, and in any event, within 48 hours, notify Customer if it receives a Data Subject Request in respect of Personal Data;

      2. Provide full cooperation and assistance in relation to any Data Subject Request;

      3. Ensure that it does not respond to Data Subject Requests except on the documented instructions of Customer or as strictly required by Applicable Laws to which Wellable is subject; and

      4. Maintain electronic records of Data Subject Requests (under Applicable Laws).

  6. Legal Disclosure and Personal Data Breach

    1. Wellable shall notify Customer within 24 hours of Wellable becoming aware of:

      1. Any request for disclosure of Personal Data by the Supervisory Authority and/or any other law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation;

      2. Any actual or suspected Personal Data Breach affecting Personal Data. Wellable shall provide Customer with sufficient information to allow Customer to meet any obligations to report or inform Data Subjects or data protection authorities of the Personal Data Breach under the Applicable Laws.

    2. Wellable shall provide Customer with the following details, as possible:

      1. The nature of the Personal Data Breach, including the categories of Data Subjects concerned and the categories of Personal Data and data records concerned;

      2. The measures proposed or taken by Wellable in cooperation with Customer to address the Personal Data Breach; and

      3. The measures Customer could take to mitigate the possible adverse effects of the Personal Data Breach.

    3. Wellable shall take any actions necessary to investigate any suspected or actual Personal Data Breach and mitigate any related damages.

    4. Wellable shall cooperate with Customer and take steps to assist in the investigation, mitigation, and remediation of each such Personal Data Breach.

  7. Deletion or Return of Personal Data

    1. Upon expiration or termination of the provision of Wellable Services, Wellable shall promptly delete all copies of Personal Data, except as required to be retained in accordance with Applicable Laws.

  8. Provision of Information and Assistance

    1. Wellable shall cooperate and reasonably assist Customer with any data protection impact assessments, prior consultations regarding relevant competent data protection authorities and with any other assistance related to compliance with Customer’s obligations pursuant to the GDPR, CCPA and other Applicable Laws. The scope of such assistance shall be limited to the Processing of the Personal Data by Wellable.

  9. Customer Obligations

    1. Customer shall provide all Instructions pursuant to this DPA to Wellable in written or electronic form.

    2. Customer may issue Instructions at any time as to the type, scope and procedures of the processing to the extent this is so provided in the Customer Agreement or necessary for complying with statutorily granted requests of data subjects. Verbal Instructions shall be confirmed in written form immediately thereafter. Customer shall notify Wellable in writing of the names of the persons who are entitled to issue Instructions to Vendor. Any consequential costs incurred resulting from Customer’s failure to comply with the preceding sentence shall be borne by Customer.

    3. Customer shall inform Wellable immediately if processing by Wellable might lead to a violation of data protection regulations.

    4. In the case claims based on Art. 82 GDPR are raised against Wellable, Customer shall reasonably support Wellable with its defense.

    5. Customer shall name a person responsible for dealing with questions relating to applicable data protection law and data security in the context of performing this DPA.

  10. Audit Rights

    1. Wellable shall allow for and contribute to audits, including inspections, by Customer and/or an auditor mandated by Customer. In any event, a third-party auditor shall be subject to confidentiality obligations. Wellable may object to the selection of the auditor if it reasonably believes that the auditor does not guarantee confidentiality, security or otherwise puts at risk Wellable’s business. Customer will bear the costs of any related audits.

  11. Cross-Border Data Transfer

    1. Personal Data may be transferred from EU Member States and EEA member countries (Norway, Liechtenstein and Iceland), collectively, "EEA" (i) to countries that offer adequate levels of data protection under or pursuant to the adequacy decisions published by the relevant data protection authorities of the EEA, the European Union, Member States or the European Commission, without any further safeguard being necessary or; (ii) to the United States, solely for Processing by Wellable or Sub Processor on its behalf which has self-certified and complies with the Data Privacy Framework Principles, to the extent permitted under Applicable Laws.

    2. In the event that Wellable intends to transfer Personal Data from the EEA to any locations that are not permitted in Section 11.1, Wellable must (i) inform Customer in writing of said transfers, their purposes and the designated recipients of such Personal Data in such locations, and (ii) execute and abide by the Standard Contractual Clauses (“SCC”), which shall apply to the Processing of Personal Data in countries outside the EEA that do not provide the aforementioned adequate levels of data protection.

    3. Where and to the extent that the SCC are executed by and between the Parties, if there is any conflict between this DPA and the SCC, the SCC shall prevail.

    4. The UK International Data Transfer Addendum (“IDTA”) will apply to Personal Data that is transferred from the United Kingdom, either directly or via onward transfer, to any country or recipient outside of the United Kingdom that is not recognized by the competent United Kingdom regulatory authority or governmental body for the United Kingdom as providing an adequate level of protection for personal data.

    5. For data transfers originating from any other countries outside of the EEA, Wellable shall abide by all Applicable Laws of the territory of origin of the Personal Data. In particular, and without derogating from the foregoing, Personal Data originating in Australia may only be transferred to other countries, including to any Sub Processors located outside of Australia, in strict accordance with Principle 8 to the Australian Privacy Principles (i.e. to an entity that has undertaken to comply with the Australian Privacy Principles, or in circumstances in which the Data Subject has provided their explicit consent to the transfer). For transfers from Dubai International Financial Centre (“DIFC”) and Abu Dhabi Global Market (“ADGM”), optional clauses and language accepted in the SCC shall be deemed accepted. DIFC law will be the governing law for DIFC transfers and the DIFC Data Protection Commissioner acts as the DIFC Supervisory Authority ADGM law will be the governing law for ADGM transfers and the ADGM Commissioner of Data Protection acts as the ADGM Supervisory Authority.

    6. In any event, Wellable shall provide Customer with all relevant information to enable Customer to comply with its obligations in case of Cross-Border Data Transfers.

  12. CCPA Standard of Care

    1. Wellable acknowledges and confirms that it does not receive or process any Personal Information (as such term is defined under the CCPA) as consideration for any services or other items that Wellable provides to Customer under the Agreement. Wellable shall not have, derive, or exercise any rights or benefits regarding Personal Information Processed on Customer’s behalf, and may use and disclose Personal Information solely for the purposes for which such Personal Information was provided to it, as stipulated in the Agreement and this DPA. Wellable represents and warrants that it understands the rules, requirements and definitions of the CCPA and agrees to refrain from selling (as such term is defined in the CCPA) any Personal Information Processed, without Wellable’s prior written consent, nor taking any action that would cause any transfer of Personal Information to or from Wellable under the Agreement or this DPA to qualify as “selling” such Personal Information under the CCPA.

  13. Indemnification

    1. Wellable shall indemnify, defend, and hold harmless Customer, its Affiliates, and their respective officers, directors, and employees from and against all claims and proceedings and all liability, loss, costs, fines, and expenses (including reasonable legal fees) arising in connection with (i) Wellable’s unlawful or unauthorized Processing, destruction of, or damage to any Personal Data; and/or (ii) Wellable’s failure to comply with its obligations under this DPA, the existing Agreement or any further instructions as to such Processing given in writing by Customer in accordance to this DPA.

  14. Miscellaneous

    1. Severance: Should any provision of this DPA be determined invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall either be (i) amended as necessary to ensure its validity and enforceability, while preserving the Parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.

    2. Order of Precedence: In the event of any conflict between the terms of this DPA and other documents binding on Parties, the terms of these documents will be interpreted according to the following order of precedence: (i) this DPA; (ii) any terms of agreement, purchase orders, license or subscription, pursuant to which Wellable Services are provided.