Data Processing Terms
Effective date: 24th of February 2023
These are the Data Processing Terms which form part of your Agreement with us and apply to all processing of personal data by us in the course of providing the Services under the Agreement.
These Data Processing Terms enable us to comply with data protection law applicable to the processing by us of personal data as your processor when providing the Services, and you to comply with data protection law applicable to your procurement of the Services. The way you use the Provet Cloud Service and Your Data may be subject to laws, including data protection laws, which do not apply to us as the provider of the Services and so are not dealt with by these Data Processing Terms. It is your responsibility to comply with those additional laws.
1. Interpretation
Words and phrases which are defined in the Glossary of the Provet Cloud Terms of Service have the same meaning in these Data Processing Terms, and the following definitions apply:
Controller means, in relation to the processing of Relevant Personal Data, you or any of your Affiliates on whose behalf the processing is conducted.
Data Protection Regulations means Regulations relating to data protection and information privacy relating to, in our case, the provision of the Services and, in the case of the Controller, to the procurement of the Services, including use by the Controller of the Provet Cloud to process Relevant Personal Data, but excluding other processing of Your Data in your business, including the GDPR (as appropriate).
Data Protection Termination Event means any of the following, namely: (i) the Controller objects or is deemed to object to the appointment of a Sub-processor under paragraph 5.3; (ii) an instruction from the Controller is necessary to enable the Controller to meet mandatory legal requirements and a Sub-processor is not able to accommodate the requested changes, or (iii) we cannot comply with these Data Processing Terms in relation to the processing of Relevant Personal Data due to terms having effect between us and our Sub-processors (other than our Affiliates) or the cessation of services provided by any Sub-processor (other than due to the act or omission of ours or our Affiliates).
GDPR means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
Infrastructure Services means services supporting the Provet Platform by way of software-as-a-service, platform-as-a-service, or infrastructure-as-a-service (as those expressions are defined by The National Institute of Standards and Technology in the USA or any replacement body).
Personal Data Breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.
Relevant Personal Data means Your Data that is personal data processed by us in the course of the Services, more particularly described in Appendix 1 (Description of Processing).
Relevant Personnel means Consultants who have access to Relevant Personal Data.
Sub-processor means any legal or natural person proposed to be authorised or authorised (as appropriate) to process Relevant Personal Data from time to time, including a sub-contractor of ours and any other third-party which is a party to a contract under which such processing is authorised to take place.
In these Data Processing Terms, references to words and phrases that are defined in the GDPR, including personal data, processing, controller, and processor, have the meaning given to them in the GDPR.
2. Our respective roles under Data Protection Regulations
- Where we process personal data as part of the Services to provide you or your Affiliates with the means of processing personal data, including by hosting personal data on the Provet Cloud, we do so as your or your Affiliate’s processor, and any other processing by us is done as a controller for our own business. Where you or your Affiliates process personal data while using the Provet Cloud Service, you and they do so as controllers.
- Neither you nor we intend for our Consultants to access any personal data processed by a Controller other than as may be strictly necessary for the provision of maintenance and support of the Provet Cloud, and any such access will be purely incidental and ad hoc and therefore very limited in practice; in those circumstances, we are neither a processor nor a controller in our own right in relation to any such processing that may take place.
3. Scope of the Processing of Relevant Personal Data
- The processing that we will undertake on behalf of the Controller is described in Appendix 1 (Description of Processing), which we will perform in accordance with the documented instructions from the Controller, except (i) where and to the extent an instruction is contrary to processing which we (or any person doing so under our authority) must perform under Regulations, of which reasonable prior notice has been given to the Controller, unless and to the extent Regulations prevent or restrict the giving of the notice on important grounds of public interest, or (ii) the instruction gives rise to a Data Protection Termination Event, in which case we are excused from complying with the instruction until both of us have resolved the issue giving rise to the Data Protection Termination Event, the Agreement terminates, or our right to terminate the Agreement under paragraph 11 (Data Protection Termination Events) lapses.
- All processing of Relevant Personal Data in accordance with the Agreement is deemed to be on the documented instructions of the Controller.
- We shall inform the Controller if, in our opinion, any of the Controller’s instructions would breach Data Protection Regulations having regard to the information in our possession.
- You, on your own behalf, and as agent for other Controllers, authorise us, Relevant Personnel, and Sub-processors appointed at the Commencement Date and thereafter in accordance with paragraph 5 (Sub-processors), to process Relevant Personal Data as part of the Services in accordance with the Agreement.
4. Deletion or Returning of Data
After the expiry of the Agreement, we shall return or delete, according to the instructions of the Controller, all Relevant Personal Data, unless Regulations require the retention of the Relevant Personal Data, except that this paragraph does not affect your responsibilities under the Agreement to retrieve and delete all Your Data from the Provet Cloud.
5. Sub-processors
- A list of the Sub-processors and a description of the Infrastructure Services on which we rely is set out at https://www.provet.cloud/sub-processors/.
- No authority to process Relevant Personal Data may be conferred on (i) a Sub-processor who is or is to be a sub-contractor of ours without (if we have not done so) our first entering a contract with the Sub-processor under which the Sub-processor agrees to comply with obligations that are substantially the same as these Data Processing Terms so far as material in relation to the processing of Relevant Personal Data, or (ii) any other Sub-processor except directly or indirectly under such a sub-contract.
- Where we authorise a new Sub-processor to process Relevant Personal Data, whether as a sub-contractor or directly or indirectly under such a sub-contract, we shall update the list at https://www.provet.cloud/sub-processors/; we may inform you (on your own behalf and on behalf of other Controllers) of the change via a link or other reference on the Provet Cloud, or the Website. You may object to the appointment of the Sub-processor and if you do not consent within twenty (20) Business Days after notice of the proposed appointment is given, the Controller is deemed to have objected to the appointment.
- Where and to the extent the Provet Cloud Service, including the processing of Relevant Personal Data, relies on Infrastructure Services (i) the policies and procedures of the Sub-processors providing the Infrastructure Services, and the terms having effect from time to time between us or our Affiliates and such Sub-processors, in relation to the processing of Relevant Personal Data as part of the Infrastructure Services (Relevant Sub-processing), which are available for inspection from us on request, shall be included in the Agreement (with such changes as are necessary being deemed to be made) (Additional Data Processing Terms), and shall apply to any Relevant Sub-processing of Relevant Personal Data to the exclusion of any provisions to the contrary in the Agreement, and (ii) the manner in which and the extent to which the Controller exercises or is entitled to exercise rights under the Agreement in respect of Relevant Personal Data that are the subject of the Relevant Sub-processing shall be subject to the Additional Data Processing Terms.
6. Our Obligation to Provide Assistance
- We shall without undue delay, and in any event no later than reasonably required to enable the Controller to fulfil its duties under Data Protection Regulations, provide such information as the Controller may reasonably require in relation to Relevant Personal Data or its processing. Where this requires work which is not covered by the Provet Cloud Service, we will do so by way of Professional Services under an agreed Statement of Work.
- We shall immediately forward to the Controller all requests to inspect, rectify, erase, or object to the processing of Relevant Personal Data or other requests received from data subjects. If requested by the Controller, as part of the Provet Cloud Service, we shall support the Controller in fulfilling those requests and, where this requires work which is not covered by the Provet Cloud Services, we will do so by way of Professional Services under an agreed Statement of Work.
- We will, taking into account the nature of the processing of Relevant Personal Data and the data available, assist the Controller as part of the Provet Cloud Services in ensuring that the Controller complies with Data Protection Regulations, which may include requirements related to data security, notifying of data breaches and data protection impact assessments, provided that, where the work required is not covered by the Provet Cloud Service, we will do so by way of Professional Services under an agreed Statement of Work.
- We shall forward all inquiries made by data protection authorities directly to the relevant Controller and shall await further guidance from the Controller. Unless otherwise agreed, we are not authorized to represent the Controller or act on behalf of the Controller in relation to the authorities supervising the Controller.
7. Processing Taking Place Outside EU/EEA
- Except on documented instructions from the Controller or otherwise in the ordinary course of providing the Services in accordance with the Agreement (which may then only take place in accordance with Data Protection Regulations), we shall not transfer any Relevant Personal Data from the location in which the Relevant Personal Data are stored to another country or territory or to any international organisation without the Controller’s prior written consent unless we are required to do so in accordance with Regulations which are in accordance with Data Protection Regulations (any such transfer being a Restricted Transfer).
- A Restricted Transfer may be made to any member of the European Economic Area or to the United Kingdom or other countries for the time being subject to an EU Commission’s adequacy decision in accordance with Article 45 of the General Data Protection Regulation 2016/679 or pursuant to any other mechanism approved under Data Protection Regulations, including standard contractual clauses.
8. Auditing
- The Controller or an auditor authorized by the Controller, who is not a competitor of ours, is entitled to audit the processing of Relevant Personal Data. We must agree on the time of the audit and other details ahead of time and at the latest 14 days before the audit. The audit shall be carried out in a way that does not impede our obligations or those of our subcontractors with regard to third parties. The representatives of the Controller and the auditor must sign conventional non-disclosure commitments.
- The Controller is responsible for our expenses caused by the audit. If notable defects are perceived during the audit, we shall be liable for the costs incurred from the audit.
9. Data Security
- We shall implement appropriate technical and organizational measures to protect Relevant Personal Data in accordance with Good Industry Practice, taking into account risks of the processing, especially the unintentional or illegal destruction, loss, alteration, unauthorized disclosures or access to Relevant Personal Data, more particularly described in Appendix 2 (Description of Organisational and Technical Measures). When organizing the security measures, the technical options and their costs shall be assessed in relation to the special risks of the processing at hand and the sensitivity of the Relevant Personal Data. We will regularly test, assess and evaluate the effectiveness of technical and organisational measures for ensuring the security of the processing.
- It is your responsibility to be sure that the measures we take are appropriate for the processing of Your Data in the context of your business.
- We shall ensure that Relevant Personnel have committed themselves to be bound by duties of confidentiality.
10. Personal Data Breaches
- We will notify the Controller of Personal Data Breaches without undue delay after receiving information of the breach.
- If requested by the Controller, we shall, without undue delay, provide all relevant information concerning a Personal Data Breach. In so far as the information in question is available to us, we shall inform the Controller of (i) the Personal Data Breach that has occurred, (ii) the types of data subjects, the categories of personal data, and estimated numbers, (iii) a description of the likely consequences of the Personal Data Breach, and (iv) a description of reparative measures we have implemented or will implement to prevent Personal Data Breaches in the future, and if necessary, the measures to minimize the harmful effects of the Personal Data Breach.
- We shall document and report the results of the inquiry into the Personal Data Breach and the implemented measures to the Controller.
- The Controller is responsible for the necessary notifications to the data protection authorities.
11. Data Protection Termination Events
- Where a Data Protection Termination Event occurs, either party is entitled to terminate the Agreement by giving not less than sixty (60) days’ notice to the other, in which case we shall refund any Charges prepaid in respect of the unexpired term of the Agreement.
- The right of either of us to terminate the Agreement under the previous paragraph lapses if the right is not exercised within twenty (20) Business Days after you or we (as appropriate) first become aware of it.
12. Controller rights
As soon as reasonably practicable after a request from you to do so, we shall enter into a subscription agreement with a Controller (other than you) in order to give effect to the provisions of these Data Processing Terms and to enable the Controller to comply with Data Protection Regulations.
Description of Processing
The Provet Cloud is a practice management system intended for use in veterinary practices and businesses. The following table describes the subject-matter and duration of the processing conducted under the Agreement, the nature and purpose of that processing, the type of personal data and categories of data subjects.
| Item | Description |
|---|---|
| Subject-matter of the processing | The Provet Cloud Service is made available for your use to operate, manage, and administer your veterinary practice, including for on-boarding clients and their animals, arranging appointments, diagnosing, and treating medical conditions of your client’s animals, invoicing and collecting fees, and all associated tasks. The data are hosted by us and accessed by our Consultants from time to time where strictly necessary for the maintenance of the Provet Cloud and support of your use of the Provet Cloud Service. |
| Subcontractors | Please see https://www.provet.cloud/sub-processors/ for the list of Sub-processors. |
| Geographical Location of Personal Data | EU (Ireland eu-west-1, Stockholm eu-north-1), United Kingdom (London eu-west-2), US (North Virginia us-east-1, Northern California us-west-1) /MS |
| Categories of data subjects | Past, current, and prospective clients, employees, suppliers, directors, and other officers of the Controller. |
| Types of Personal Data | Names and contact information of clients and contacts of the client relevant for the management of the client’s relationship with the Controller, financial information, appointments, medical conditions, and treatment of a client’s animal. Special sets of Personal Data: None |
| Duration of the processing | The data are processed for so long as the Provet Cloud Services are provided and thereafter for a temporary period until the personal data are deleted by you or us in accordance with the Agreement. |
Description of Organisational and Technical Measures
| Measure | Description |
|---|---|
| Measures of pseudonymisation and encryption of personal data | Your Data is encrypted in transit over public networks, including the internet, from us to you, between instances of the Provet Cloud, and when Your Data is stored at rest in the Provet Cloud. |
| Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services | The Provet Cloud allows the creation of different user permissions, using default templates and customisation for specific users, allows users to be allocated to specific services and cost centres, and enables defaults to be set for users requiring multiple permissions. Access to Your Data by users is under your administration and you may make use of the administration features of the Provet Cloud to do so. There is no standing access to Your Data by our personnel or those of our Sub-processors, and any access that may take place for maintenance and support is strictly limited to that purpose by Consultants authorized and trained to do so. We have established and maintain disaster recovery and business planning capabilities designed to enable us to resume provision of the Provet Cloud Service as soon as reasonably practicable after they are disrupted by a disaster or other material business interruption. The Provet Cloud is protected from illegal or unauthorised physical or electronic intrusion, malicious damage, denial of service attacks, and other vulnerabilities, and against physical damage by storm, fire, damage by water, and other similar events. |
| Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing | The security of the Provet Cloud is tested not less than once annually, and corrective action plans are drawn up and implemented under management supervision to remediate any shortfalls in the security that are identified. |
| Measures for user identification and authorisation | Please see "Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services" above. |
| Measures for the protection of data during transmission | Your Data is encrypted in transit over public networks, including the internet, from us to you, and between instances of the Provet Cloud. |
| Measures for the protection of data during storage | Your Data is encrypted when stored at rest in the Provet Cloud, which contains role-based security to seek to prevent unauthorised access. |
| Measures for ensuring physical security of locations at which personal data are processed | All our offices have physical security and protocols to ensure access is made by authorised personnel and permitted visitors only. Instances of the Provet Cloud are hosted on our behalf by Amazon Web Services EMEA SARL and are therefore subject to the security policies of AWS, more information on which can be found at https://d1.awsstatic.com/legal/aws-gdpr/AWS_GDPR_DPA.pdf |
| Measures for internal IT and IT security governance and management | We take reasonable steps to ensure the reliability and honesty of Relevant Personnel, and that they process Relevant Personal Data as part of the Services in accordance with the Agreement only. Only those Relevant Personnel who need access to Relevant Personal Data are permitted to access the Relevant Personal Data, and then as necessary for the performance of their duties only. We provide training for Relevant Personnel so that they are aware of our obligations under Data Protection Regulations and are informed of the importance of the need to avoid Personal Data Breaches. We have in place disciplinary procedures in respect of non-compliance with data protection requirements and standards. We have appointed a person to be responsible for security and data protection matters and will provide the name of the person on request. |
| Measures for ensuring data minimisation | Responsibility for data minimisation rests with you during the course of your use of the Provet Cloud Service, for which you may use the many security features of the Provet Cloud where appropriate. |
| Measures for ensuring data quality | Data quality is your responsibility using the many security features of the Provet Cloud where appropriate. |
| Measures for ensuring limited data retention | Data retention is your responsibility using the many security features of the Provet Cloud where appropriate. |
| Measures for allowing data portability and ensuring erasure | The exit management arrangements are set out in the Provet Cloud Terms of Service. |