Subscription Terms and Conditions
Last Updated: December 7, 2020
Article 1. Preamble
The Provider offers an IT Solution called EasyMedStat designed for biomedical research industry professionals.
Based on a SaaS (Software as a Service) model, the Solution allows you to create pseudonymised data series, produce statistics, and share the series with several Users.
To benefit from the functionalities of the Solution, two types of offers are available:
- a Freemium offer giving free access to free functionalities after creating a user account;
- a Premium offer giving access to additional paid features after subscribing to these Subscription Terms.
After reading this Agreement, you acknowledge that you have received all the information required to subscribe to the Services at the time of acceptance of this Agreement.
The following terms shall have for the Parties the meaning set forth below:
- “Agreement”: means contractual set formed by these Subscription Terms and their appendices, price sheets and subscription forms;
- “Client” or “You”: means a natural or legal person who enters into the Agreement with the Provider for a professional research, study or analysis activity in the biomedical field only;
- “Free Services”: means set of free features provided by the Provider to all Users creating an account on the Solution;
- “Parties”: means the Client and the Provider;
- “Personal Data”: means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
- “Premium Services”: means set of paid features provided by the Provider, as described in Appendix “Description of the Premium Services”;
- “Processing”: means any operation or set of operations which is performed on Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
- “Provider”: means Easymadestat, a société par actions simplifiée, registered in the Trade and Companies Register of Nanterre under number 824 727 648, with registered office located at Levallois-Perret, 17 rue Louise Michel - Phone: 01 77 50 09 05 – email: contact@easymedstat.com – EU VAT number: FR76824727648;
- “Services”: means both the Free Services and the Premium Services;
- “Solution”: means the IT solution enabling access to and use of the Services, available at the address https://easymedstat.com/;
- “User”: means any natural person who is entitled to access the Services under this Agreement. Users include:
- professionals authorised by the Client; and
- the Client, where the Client has subscribed to this Agreement as an individual professional.
The purpose of this Agreement is to set out:
- the terms and conditions under which the Client subscribes to the Premium Services provided by the Provider; and
- the rights and obligations of the Parties under the subscription to the Premium Services.
It is supplemented by Terms of Use governing the use of the Services by Users.
Article 4. Contractual documents
The contractual documents are listed below in decreasing order of precedence:
- any amendments to the Agreement;
- the Agreement;
- the Terms of Use of the Solution;
- the price sheets and information sheets;
- the subscription form.
These contractual documents explain each other. However, in case of discrepancy between documents of different nature or rank, the Parties expressly agree that the provisions contained in the document with the higher rank in the order of precedence shall prevail with regard to the conflicting obligations. In case of discrepancy between documents of the same rank, the most recent documents shall prevail.
Notwithstanding the rules for the interpretation of contracts laid down by the Civil Code, the following order of precedence shall apply:
- obligation per obligation;
- or, failing that, paragraph per paragraph;
- or, failing that, article per article.
You acknowledge that you have the full legal capacity, competence and necessary means to subscribe to the Services.
5.2 Use of the Services in the context of a professional activity
You acknowledge that the Services are for a professional research, study or analysis activity in the biomedical field only and must strictly be used in such context.
At the time of the subscription (understood as the conclusion hereof), and at any time during the contractual relationship, the Provider may request that you provide such documentary evidence as the Provider may deem relevant to prove your identity and means of payment (such as bank details, SEPA mandate duly completed).
At the time of the creation of the user accounts, and at any time during the contractual relationship, you acknowledge and agree that the Provider may request that any User provides such documentary evidence as the Provider may deem relevant to prove their medical profession.
In case of failure by the Client or the Users to provide any of such information within one month, the Provider may terminate the Agreement pursuant to Article 22 “Termination” of the Subscription Terms or terminate the user account concerned.
Services may be accessed from a computer (desktop or laptop, Mac or PC).
You are invited to check that the hardware and computer configuration of the User(s) are compatible with the Solution. You must ensure that they meet the following minimum configuration requirements: from a computer, a User must at least have one of the latest versions of these browsers: Internet Explorer, Edge, Firefox, Chrome, Safari, Opera.
You are solely responsible for the use and security of the terminals and information systems used, and for electronic communication costs (including Internet access).
Article 6. Premium Services subscription
Use of the Premium Services first requires the creation of a user account and the taking out of a subscription directly on the website at the following address: https://easymedstat.com/.
You fill in the various fields of the online subscription form; mandatory fields are marked with an asterisk.
You select the subscription plan desired, with the understanding that the subscription agreement will be tacitly renewable:
- Plan for an individual professional, with an annual or monthly subscription, for one premium User;
- Plan for a legal entity, with an annual or monthly subscription, for several premium Users.
You read the Agreement and accept it by checking the ‘I have read the Subscription Terms and expressly accept them’ checkbox. If you do not accept the Subscription Terms, the subscription procedure will be stopped.
You choose a method of payment. You are then directed to a secure page where to enter your banking information.
You are invited to check all the information entered. In the event of an error, you change the information directly in the relevant fields of the subscription form. You validate your subscription to the selected subscription plan.
You receive a subscription confirmation email at the address provided in the online subscription form.
You undertake to check that your information is accurate and complete and to update it regularly.
Article 7. Effective date — Term
The Agreement shall be effective on the day the subscription is taken out by the Client.
The Agreement is entered into for an initial term of one (1) month (monthly subscription) or one (1) year (annual subscription) and will be tacitly renewed by monthly or annual periods, as the case may be according to the subscription plan selected, unless terminated by either of the Parties in accordance with Article “Termination” of this Agreement.
Article 8. Enforceability – Changes to the Agreement
By taking out a subscription, you irrevocably agree to the Agreement, which then becomes enforceable against you.
You can access the Subscription Terms in force at any time at the address https://easymedstat.com/subscription-terms. You can save and print these Subscription Terms by using the standard features of your browser.
In the event of a change to the Agreement, you will be notified of the new Subscription Terms and they will come into force one (1) month after the notification of the new provisions. If you refuse substantial modifications, you may terminate the Agreement early at no cost by simply sending a registered letter with acknowledgement of receipt within thirty (30) days of notification of the substantial modifications. In such case, you undertake to pay the Provider the sums corresponding to the Services used up to the effective date of termination, which will where applicable be prorated to commitment for the period that has elapsed.
Article 9. Provision of the Premium Services
The specifications of the Premium Services are described in Appendix “Description of the Premium Services”.
You undertake to test the Premium Services that are the subject of this document before any professional use. By using the Premium Services, you signify your final acceptance of the said Premium Services
9.3 Access and use of the Services
The Services can be accessed at the following address: https://easymedstat.com/
The User(s)’s connection to the Solution is carried out by means of authentication with a username and a password via a user account that must be created for each User.
9.4 Suspension of the Services
The Provider reserves the right to totally or partially restrict access to the Services in order to carry out the maintenance of its computer configuration and the infrastructures implemented for the provision of the Services, in the context of scheduled operations.
The Provider reserves the right to take and implement any technical decision aimed at improving the Services, subject to ensuring their continuity and upward compatibility.
Article 10. Client’s obligations
10.1 Obligations when using Premium Services
You undertake to:
- use the Services fairly and in compliance with this Agreement and the applicable laws and regulations;
- collaborate with the Provider and, in particular, to inform the Provider of any failure in the Services and any manifestly unlawful content that you may detect.
You further undertake to comply with all of the obligations set out in Appendix “Description of the Premium Services”.
You are responsible for authorising other Users in accordance with your authorisation procedure and/or policy.
In this context, you undertake:
- to require the creation of an individual user account for each User, as the sharing of one and the same account is not allowed;
- to update the authorisations to reflect any changes in your relationship with the authorised Users. A notice is available at the following URL: https://help.easymedstat.com/en/support/solutions/articles/77000146092.
In any event, you undertake to prevent any sharing of the same user account between several Users.
The Provider reserves the right to carry out any checks it deems necessary in order to verify your compliance or non-compliance with these obligations, including audits to detect any abnormal or unauthorised use of the Premium Services. You undertake to immediately provide the Provider with all the information necessary to demonstrate compliance with the obligations of the Agreement.
You guarantee that each authorised User will abide by the aforementioned commitments.
10.2 Enhancement of the Solution and Services
Users may contribute to the improvement of the Solution and the Services by reporting any malfunctions and, where appropriate, by proposing any improvements. To this end, Users are invited to contact:
- by email: support@easymedstat.com.
Users undertake to collaborate with the Provider and, in particular, to inform the Provider of any failure in the Services and any manifestly unlawful content that they may detect.
10.3 Compliance with the rights of patients
The Client, who is the data controller for the Processing of Personal Data related to research, study and analysis participants, is solely responsible for:
providing information related to the research, studies and analyses;
- providing information related to the Processing of Personal Data, in particular regarding the recipients authorised to access the Personal Data;
- providing information relating to the hosting of Personal Data; and
- obtaining consent from each participant, where required.
The Client is also required to comply with all applicable participant rights arising from data protection laws.
The Client further undertakes:
- not to enter any data that could directly identify the research, study and analysis participants;
- not to upload to the Solution images containing data directly identifying the participants (such as surname, first name).
The Client guarantees that each authorised User will abide by the aforementioned commitments.
All the items composing the Solution, including the interfaces made available to the Client and/or the Users under the Agreement, and the information provided to the Client by the Provider, are and remain the exclusive property of the Provider or its partners.
Accordingly, you must not act or conduct in any manner that may directly or indirectly infringe the intellectual property rights in the Services and generally any related trademarks.
The Provider grants you, and you agree to be granted, a non-exclusive and non-transferable right to access and use the Premium Services, for the entire duration of the Agreement, for:
- the Client, where the Client is the User.
- the User(s) identified by the Client and authorised by the Client.
Any access and use not expressly authorised by the Provider under the Agreement is unlawful, in accordance with the provisions of Article L. 122-6 of the Intellectual Property Code.
In particular, you agree that you are prohibited from performing the following:
- any performance, dissemination or distribution of the Services, including any networking not provided for under the Agreement Terms, whether or not for consideration;
- any form of use of the Services, in any way whatsoever, for the purpose of designing, creating, disseminating or marketing similar, equivalent or substitute services;
- any adaptation, modification, transformation, arrangement of the Services, for any reason whatsoever, including to correct errors;
- any direct or indirect transcription, any translation into other languages of the Solution and the Services;
- any use for Processing not authorised by the Provider;
- any modification or bypass of protection codes such as passwords or usernames.
Article 12. Maintenance of Premium Services
The Client and/or Users may report any difficulties and questions concerning the operation of the Premium Services. To do so, a ticketing tool is made available by the Provider, the terms and conditions of which are set out in Appendix “Description of the Premium Services” to this Agreement.
The cost of telephone calls will be borne by the Client.
Answers will be provided by the Provider via the means by which it was contacted.
The corrective maintenance service consists in correcting any reproducible error that appears in the use of the remote access of the Premium Services, in accordance with the terms and conditions set out in Appendix “Description of the Premium Services”.
You are responsible for referring to the Provider’s instructions before making any correction request in order to be able to describe the problems encountered accurately and completely.
Any error must be identified by you and reported to the Provider via the appropriate means with sufficient accuracy so that the Provider may take action. In case of incomplete or unfounded notification, the Provider will be released of its obligations.
Pending a definitive solution, the Provider may recommend a temporary workaround.
Updates to the Solution and Services may be made by the Provider as they become available.
Such updates, which are decided unilaterally by the Provider, will be made available to the Client by remote access from its server, with the understanding that certain functionalities could be subject to an additional paid subscription.
You are informed that certain updates may require additional services to be carried out.
Maintenance will not be provided in the following cases:
- the Services are used in a manner not compliant with the Agreement;
- any unauthorised action from the Client or a third party;
- the error is caused by the Client’s or User’s hardware, software, or access equipment.
In such cases, the Client will not be entitled to any compensation.
The Services are hosted by a third party service provider, referred to in Appendix “Data Hosting”.
Article 14. Protection of Personal Data
As part of their contractual relationships, the Parties undertake to comply with the personal data protection laws, including the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, known as “GDPR”, and any subsequent regulation.
With regard to the Personal Data of research, study and analysis participants, the Client acts as the controller, and the Provider as the processor within the meaning of personal data protection laws.
As such, the Provider undertakes to process the Personal Data entrusted within the framework of the Agreement in accordance with the Client’s written instructions as set out in Appendix “Data Protection”.
14.2 Data related to the subscription
The Provider processes Personal Data.
The legal bases for such Processing of Personal Data are:
- the taking of steps prior to entering into a contract or the performance of the contract when the Provider carries out Processing for the purpose of:
- the production, management and follow-up of its clients’ files;
- debt collection.
- the legitimate interests pursued by the Provider when the Provider pursues the following purposes:
- direct marketing and management;
- management of relationships with its customers and prospects;
- compliance with legal and regulatory obligations when the Provider carries out Processing for the purpose of:
- invoicing;
- accounting.
Otherwise, the subscription may not be taken out, except for Processing related to direct marketing and management and customer relationship management.
The Provider will keep the data only for the period necessary to carry out the operations for which they were collected and in compliance with the applicable laws.
- data concerning the Client or its personnel (such as contacts, officers) will be kept for the duration of the contractual relationships and for 3 years thereafter for management and direct marketing purposes, without prejudice to retention requirements or limitation periods.
The data processed is intended for the authorised personnel of the Provider, and its service providers.
Under the conditions defined by the French Data Protection Act and the GDPR, natural person have a right of access, a right to rectification, a right to erasure, a right to data portability as well as a right to restriction of Processing in respect of data concerning them.
Data subjects also have the right to object, on grounds relating to their particular situation, at any time to Processing of Personal Data concerning them which is based, in particular, on the legitimate interests of the Provider, and the right to object to direct marketing.
They also have the right to give general and specific guidelines on how they intend the above-mentioned rights to be exercised after their death.
These rights may be exercised by contacting Jordan Chelli:
- by email to: contact@easymedstat.com
- by mail to: Jordan Chelli – 17 rue Louise Michel, 92300 Levallois-Perret, France
Data subjects have the right to lodge a complaint with the Commission Nationale de l’Informatique et des Libertés.
Article 15. Consideration of the Premium Services
In consideration of the performance of the Premium Services, you undertake to pay the price corresponding to the subscription taken out. The prices are those which appear on the https://easymedstat.com/ website on the day of your order.
The prices stated are exclusive of taxes and will be increased by the taxes, including VAT, applicable on the date of invoicing.
The Provider is free to change the prices of its Services. Changes in price will be applicable to all subscriptions, including those already in progress. In this case, you will be informed by any means one (1) month before the new rates come into force.
If you refuse the price increase applied to the Services, you may terminate your subscription at any time by registered letter with acknowledgement of receipt sent to the Provider within thirty (30) days from the date on which you are informed of the price change.
15.3 Payment terms and conditions
Invoices will be issued on a monthly or annual basis and must paid in euros (all taxes included) by credit card online or by monthly direct debit on the date of the subscription for the month or year to come.
When payment is made by direct debit, you must inform the Provider immediately of any change to your bank details.
In the event of a payment incident, you will be responsible for any relating bank charges.
If you fail to pay all or part of an invoice issued within the time period specified above, the Provider may as of right apply the following late payment penalties, without prejudice to its right to claim compensation for the harm caused by the late payment.
In the event of default of payment and pursuant to article L. 441-10 of the Commercial Code, penalties for late payment will be applied; the interest rate will be equal to the rate applied by the European Central Bank to its most recent refinancing operation, increased by 10 percentage points.
Pursuant to Article D 441-5 of the Commercial Code, “The amount of fixed indemnity for recovery costs […] shall be set at 40 euros”.
The Provider warrants the Client that it has the necessary rights to grant the right to use the Premium Services.
The Provider will indemnify the Client for all damages that may be awarded against the Client exclusively by a final court decision finding an infringement.
Such indemnity is subject to the following express conditions:
the Client must promptly notify in writing the infringement claim or the declaration issued prior to such claim;
- the Provider must be given the opportunity to defend its own interests and those of the Client; to this end, the Client must faithfully cooperate in such defence by providing all the requisite elements, information and assistance for a successful defence.
The above provisions set forth the entire liability of the Provider for infringement, patents, and copyright as a result of the use of the Premium Services.
You warrant the Provider that you have all the rights attached to your data.
You shall indemnify and hold the Provider harmless from and against any action, claim, proceedings or opposition from anyone alleging that the performance of this Agreement would infringe a right of any nature in relation to the data communicated by you.
In such case, you shall pay any compensation and costs of any nature incurred by the Provider for its defence, including attorney’s costs, and any damages that may be awarded against the Provider.
As from the provision, the Provider warrants that the Client will have the possibility to remotely access the Premium Services, subject to maintenance operations affecting the availability of the Services. The Provider will endeavour as far as possible to carry out maintenance operations outside working days and hours.
The Parties jointly agree that the Provider may be held liable by the Client only in case of proven fault and that the Provider will use commercially reasonable efforts to perform its obligations under the Agreement as the Provider’s obligation is an obligation of means within the meaning of French law.
The Provider shall not be liable for any disruption or damage inherent to the internet or having the characteristics of an event of force majeure.
The Parties jointly agree that the Provider may be held liable only for the consequences of direct damage and that compensation for indirect damage shall be excluded.
Indirect damage shall mean loss of data, loss of time, loss of funding, loss of revenues, loss of patients, loss of actions, as well as harm to reputation, loss of expected results and third party action.
By mutual agreement, the Provider’s liability for the Services shall not exceed the amount of the sums actually paid by the Client for the Services for the year in which the damage occurred.
The Parties acknowledge that this clause is neither derisory nor excessive and reflect their express will.
This clause shall survive in case the Agreement is cancelled, rescinded, terminated or annulled.
You undertake to use the Services under your exclusive responsibility. You are solely responsible for ensuring that each User is using the Services in compliance with the provisions of the Agreement.
You are further solely responsible for ensuring that:
- the Premium Services meet your own needs, in particular on the basis of the indications provided by the Provider or on its website;
- the hardware and software environment used by each User are compatible with the Services.
You indemnify and hold the Provider harmless from and against an action by a User or a third party, in particular by a research, study or analysis participant, based on the use of the Services.
In case of a force majeure event, the performance of the Agreement will at first be suspended.
If a force majeure event lasts for more than two months, the Agreement will be automatically terminated, unless otherwise agreed by the Parties.
It is expressly agreed that force majeure events, acts of God or fortuitous events will be those usually accepted under the case law of French courts and tribunals, as well as the events below:
- war, riot, fire, internal or external strikes, lock out, occupation of the Provider’s premises, bad weather, earthquake, flood, water damage, statutory or governmental restrictions, statutory or regulatory modifications of the means of marketing, accidents of any nature, epidemics, pandemics, illness affecting more than 10% of the Provider’s employees in a period of two consecutive months, absence of energy supply, partial or total failure of the Internet network and more generally of the private or public telecommunications networks, road blockage and impossibility to obtain supplies and any other event beyond the reasonable control of the Parties preventing the normal performance of this Agreement.
The Provider represents that it has taken out an insurance policy with a financially sound and reputable insurance company covering all the financial consequences of its professional civil liability, tort liability and/or contractual liability as a result of bodily injury, property damage and consequential loss caused to the Client and any third party in the course of the performance of this Agreement.
This Agreement may be subcontracted by the Provider in accordance with the terms and conditions set out in Appendix “Data Protection”.
For the purposes of this Agreement, the following shall be deemed confidential: the Provider’s Premium Services, their functionalities, computer applications, data models, graphic interfaces, as well as the ideas, principles, know-how, methods underlying the Services, the algorithms, data organisation, navigation, and any other element included in the Services (“Confidential Information”).
You agree that Confidential Information must:
- be protected and kept strictly confidential;
- be treated with the same degree of protection that you use for your own confidential information;
- be neither disclosed nor likely to be disclosed, whether directly or indirectly, to any third parties;
- be disclosed only internally to your staff members on a need-to-know basis;
- be used only for the objective stated in the preamble of the Agreement and exclusively for the purpose of performing this Agreement, and in particular must never be used to create a competitive or similar service;
- not be copied, reproduced or otherwise duplicated, in whole or in part.
You further agree:
- not to infringe in any manner intellectual property rights;
- to maintain the copyright notices and other property notices affixed to the various elements and documents disclosed, whether originals or copies.
The Provider agrees to comply with the confidentiality of your data in the conditions provided for in this Agreement.
If either Party breaches any of the obligations stated in this Agreement, in particular those set out below, and fails to remedy such breach within eight days of the sending of the registered letter with acknowledgment of receipt giving notice of the breach at issue, the other Party may terminate or rescind as of right this Agreement without prejudice to any damages it may be entitled to claim hereunder:
- failure to comply with Article “Client’s obligations” of the Agreement;
- failure to comply with the rules for using user accounts;
- failure to comply with the information or rights of research, study and analysis participants;
- failure by the Client to pay the price;
- failure to comply with the prerequisites listed in the Agreement.
22.2 Termination of the subscription
For monthly subscriptions, the subscription agreement may be terminated directly by the Client from the Client’s account, subject to giving two (2) days’ notice before the monthly due date.
For annual subscriptions, the subscription agreement may be terminated directly by the Client from the Client’s account:
- (i) at any time during the first thirty (30) days;
- (ii) by giving one (1) month’s notice before the annual expiry date.
The Agreement will be terminated at the end of the then current period.
Any payment for the current subscription period (current month or year) will remain due. As an exception, in the event of termination during the first thirty (30) days of the annual subscription, only the first month of subscription is due.
Article 23. Effects of the termination of the Agreement
Each of the Parties may use the name of the other Party as a business reference in accordance with business practices.
The computer logs kept in the Provider’s information systems in reasonable security conditions will be considered as proving communications, the registration forms, and any other information and data sent by the Client to the Provider for carrying out the Processing desired by the Client.
In case of conflict between the computer logs of the Provider and any written document or electronic file of the Client, the Parties expressly agreed that the Provider’s computer logs will prevail over the Client’s documents and shall be the only ones admitted as evidence.
The Parties mutually agree that any tolerance of a situation by one party shall not grant the other party any rights in that respect.
Moreover, such a tolerance shall not be construed as a waiver of the rights in question.
The Parties represent that the commitments taken herein are sincere.
Each Party thus represents that it does not know any elements which, had it been disclosed, would have modified the consent of the other Party.
The Parties acknowledge that they are each acting on their own behalf as parties independent of each other and expressly represent that they are and will remain, for the duration of the Agreement, independent business and professional partners.
Nothing in the Agreement is intended to constitute an association, a franchise, or a mandate given by one of the Parties to the other Party and shall in no way be interpreted as a commercial agency or representation contract of any kind.
Unless otherwise agreed by the Parties, neither Party may contract for and on behalf of the other.
Furthermore, each Party remains solely responsible for its acts, assertions, commitments, services, products and personnel.
In the case of a difficulty of interpretation arising out of a contradiction between any of the headings of the clauses and the content of any of the clauses, the headings shall be deemed to be non-existent
If one or several provisions of the Agreement were to be held invalid or declared as such by a law, a regulation or a final decision which has become res judicata rendered by a court having proper jurisdiction, the other provisions shall remain in full force and effect.
The Agreement cancels and supersedes all quasi-contracts, implicit and explicit commitments, promises having the same subject-matter as the subject-matter hereof.
However, this clause is not intended to prevent the use of the said documents but to evaluate legally the quality of the consents exchanged during the formation of the Agreement.
For purposes of the Agreement and unless otherwise stated, the Parties agree to send all correspondence to their respective registered offices.
You undertake to update your data in your account without delay in the event of a change of address, and the Provider undertakes to update its contact details under the Agreement.
The Agreement shall be governed by the laws of France.
French law shall apply to both form and substance, notwithstanding the place of performance of principal or ancillary obligations.
The Agreement form an indivisible whole so that one of the legal operations cannot take place without the simultaneous fulfilment of the obligations referred to under the Agreement.
Unless otherwise stated by public order provisions, all legal actions between the Parties shall be time-barred if not commenced within two years after the first complaint has been notified by registered letter with acknowledgement of receipt.
ALL DISPUTES OF A CONTRACTUAL OR NON-CONTRACTUAL NATURE ARISING OUT OF OR IN CONNECTION WITH ALL OF THE CONTRACTUAL RELATIONSHIPS SHALL BE EXPRESSLY SUBMITTED TO THE JUDICIAL COURT (TRIBUNAL JUDICIAIRE) OF PARIS (FRANCE), EVEN IN THE EVENT OF MULTIPLE DEFENDANTS OR THIRD-PARTY PROCEEDINGS, INCLUDING IN CASE OF URGENT PROCEEDINGS, PROTECTIVE MEASURES, SUMMARY PROCEEDINGS OR EX PARTE APPLICATIONS.
Article 25. List of appendices
The following appendices are attached to this Agreement:
- Appendix 1: Description of the Premium Services
- Appendix 2: Data Protection
- Appendix 3: Data Hosting
APPENDIX 1 DESCRIPTION OF THE PREMIUM SERVICES
1. Premium Features
The premium features are described in the “Pricing” page of the www.easymedstat.com website.
2. Support
Support is provided by the Provider in the form of email responses. The Provider will make its best efforts to respond to the User within a reasonable time.
All notifications and complaints must be made in writing and sent to the support department:
- by mail to: EasyMadeStat – 17 rue Louise Michel, 92300 Levallois-Perret, France;
- by email to: support@easymedstat.com.
No onsite support is included under the Agreement and no support will be provided on the User’s site.
APPENDIX 2 DATA PROTECTION
1. Preamble
In applying the Terms of Use and performing the Services, the Provider may access the Personal Data of research, study or analysis participants and of the User(s); such access constitutes Processing of Personal Data within the meaning of personal data protection laws.
The Provider acknowledges that all of the personal data it may access in that context is strictly confidential. The Provider therefore acknowledges that all data processed in connection with the performance of the Terms of Use:
- is subject to the laws applicable in France and in the European Union regarding the protection of personal data (hereafter, “personal data protection laws”);
- is subject to privacy and professional secrecy.
2. Purpose
This Appendix is an integral part of the Terms of Use and sets out the terms and conditions under which the Provider undertakes to carry out personal data Processing operations on behalf of the User under the Terms of Use.
3. Description of the Processing entrusted to the Processor
Under the Terms of Use, the Provider is authorised to process the personal data necessary to provide the following services for the duration of the Terms of Use: export, analysis, monitoring, maintenance, support, hosting, deletion.
The operations carried out on the personal data are the following:
- data flow management;
- data uploading and downloading;
- data transformation;
- data analysis;
- data sharing;
- data hosting;
- data deletion.
The purposes of the Processing are the following: to allow the creation of pseudonymised data series, to produce statistics and to share series between several Users.
The Personal Data processed are the following:
- the data of the participants in the research, studies and analyses described in the Solution;
- the data relating to the identity, authentication, and actions of Users.
The categories of data subjects are the following:
- research, study and analysis participants whose data is included in the Solution;
- Users.
The persons authorised to process the Personal Data under the Agreement are the following:
- the Provider’s personnel (technicians, engineers);
- the Provider’s processors as listed in section “Processors” of this Appendix.
4. Obligations of the Provider to the User
The Provider will make its best efforts to ensure compliance with its statutory and regulatory obligations, in particular those under the personal data protection laws, and with its obligations under the Terms of Use.
Consequently, the Provider will make its best efforts to:
- Process the Personal Data solely for the purposes that are subject to the Processing operations referred to above;
- Process the Personal Data in accordance with the documented instructions from the User, including with regard to transfers of Personal Data to a third country or an international organisation. The Provider will immediately inform the User if, in its opinion, an instruction infringes the personal data protection laws. If the Provider is required to transfer Personal Data to a third country or an international organisation by a mandatory rule resulting from European Union or EU Member State law to which the processor is subject, the Provider will inform the User of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest;
- Guarantee the confidentiality of the Personal Data processed. The Provider will take all measures to help prevent abusive, malicious or fraudulent use of the Personal Data;
- Refrain from:
- processing and/or consulting the Personal Data for purposes other than the performance of the services it carries out for the User under the Terms of Use (even if access to such data is technically possible);
- disclosing, in any form whatsoever, all or part of the Personal Data processed;
- copying or storing, in whatever form and for whatever purpose, all or part of the information or Personal Data contained on the media or documents entrusted to it or collected by it in the course of the performance of the Agreement, except in cases provided for herein.
- Ensure that the persons authorised to process Personal Data under the Agreement:
- are committed themselves to confidentiality or are under an appropriate legal obligation of confidentiality;
- receive the necessary data protection training.
- Take into account the principles of data protection by design and by default under Article 25 of the GDPR with respect to its tools, products, applications or services.
The Parties agree that an instruction shall be deemed to be given where the Provider acts within the framework of the Terms of Use.
5. Sub-processors
The User authorises the Provider to sub-process, within the meaning of personal data protection laws, all or part of the services, including to a country that is not located in the European Union, subject to the reservations set out in section “Transborder flows of Personal Data” of this Appendix.
In all cases, the Provider will use its best efforts to:
- inform and sign with its sub-processor a written agreement that imposes on its sub-processor the same data protection obligations as set out in this Appendix;
- impose on its sub-processor all obligations necessary to ensure that the confidentiality, security and integrity of the data are respected and that the said data can neither be transferred or leased to a third party, whether free of charge or for consideration, nor used for purposes other than those defined in this Appendix;
- inform the User of any intended changes concerning the addition or replacement of sub-processors, via a web space available directly on the Solution. It is up to the User to refer to such web space.
Where its sub-processors fail to fulfil their data protection obligations, the Provider shall remain fully liable to the User for the performance of such sub-processors’ obligations.
In particular, the User authorises the Provider to sub-process the Processing and, where applicable, to transfer the Personal Data to a country outside the European Union, to the sub-processors listed at the following address: http://easymedstat.com/list-of-subprocessors, including a description of their role, location, and, where applicable, the legal basis allowing the transfer to a country outside the European Union.
6. Rights of data subjects
The User is responsible for providing information (in compliance with the requirements of personal data protection laws, and in particular Articles 13 and 14 of the GDPR) to the data subjects concerned by the Processing (research participants) at the time of collection of their Personal Data and for obtaining their consent for the Processing of their data.
The Provider may assist the User, insofar as this is possible, in providing the above-mentioned information and in fulfilling the User’s obligation to respond to requests for exercising the data subject’s rights.
7. Notification of Personal Data breaches
The Provider will notify the User without undue delay after becoming aware of a personal data breach, namely a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of Personal Data transmitted, processed or stored in a manner that does not comply with the User’s instructions and the personal data protection laws, or the unauthorised access to such Personal Data by any means.
8. Provider’s assistance for compliance with the User’s obligations
The Provider will assist the User, insofar as this is possible, in complying with its obligations under the personal data protection laws, including:
- its obligations to notify a personal data breach to the CNIL or to communicate a personal data breach to the data subject;
- its obligation to carry out a prior consultation of the CNIL under Article 36 of the GDPR.
Moreover, where the User decides or is required to carry out a data protection impact assessment for one or more of the Processing operations it carries out, the Provider will make its best efforts to assist the User in carrying out this assessment or these assessments. Such services will be subject to a separate quotation from the Provider.
In the event of an audit by the CNIL, the Parties undertake to cooperate with each other and with the CNIL. More specifically, where the audit is carried out at the Provider’s and relates to the Processing carried out for and on behalf of the User, the Provider undertakes not to make any commitment on the User’s behalf.
Where the audit is carried out by the CNIL at the User’s and relates in particular to the services provided by the Provider, the Provider will cooperate with the User and provide it with any information which the latter may require or which would be necessary
9. Security measures
9.1. General security measures applicable to all Processing
In accordance with the personal data protection laws, the Provider will make its best efforts to take all useful precautions, in particular with regard to the nature of the Personal Data and the risks of the processing, to preserve the security and confidentiality of the Personal Data transmitted, processed or stored and to prevent their distortion, alteration, damage, accidental or unlawful destruction, loss, disclosure and/or access by third parties not previously authorised.
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Provider will make its best efforts to implement all appropriate technical and organisational measures to protect personal data and ensure a level of security appropriate to the risk.
In this respect, the Provider will make its best efforts to carry out the Processing entrusted by the User hereunder and, where required, to implement the following measures which tend towards the state of the art, if necessary on the basis of the rules resulting from the general security policy for health information systems, published by the Agence du Numérique en Santé:
- the pseudonymisation and encryption of Personal Data;
- the information and awareness-raising of its staff, including the signature by each person acting on behalf of the Provider of:
- an individual confidentiality agreement limiting their actions solely to the tasks entrusted to them;
- the access to personal data by means of authentication consistent with the recommendations issued by the CNIL;
- the definition of authorisation profiles, the removal of obsolete access permissions and the restriction of access to tools and administration interface only to qualified individuals;
- the implementation of automatic traceability systems (logs);
- the definition of a security policy appropriate to the risks of the Processing and including the security objectives as well as the physical, logical and organisational security measures to fulfil them;
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of the solution and Processing services;
- the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident;
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the Processing.
9.2 Specific security measures for health data hosting
The means implemented by the Provider to ensure the security and confidentiality of the data are in accordance with the state of the art and include the hosting of data in compliance with Article L. 1111-8 of the Public Health Code and the decree relating to the hosting of personal health data.
9.3. Specific security measures for remote services
Where the Provider remotely intervenes on data for the purposes of remote monitoring, remote maintenance and remote assistance services, it will make its best efforts to comply with the main rules resulting from the general security policy for health information systems (hereafter “PGSSI-S”) published by the Agence du Numérique en Santé and in particular those resulting from the reference framework on rules for remote interventions on health information systems.
10. Fate of Personal Data
The Personal Data used for research, studies and analyses carried out on a series will be deleted when the User Account of the User who created the said series is closed.
For Freemium Services, the connection and usage data related to the Services will be kept for a sliding period that cannot exceed six months. If the Premium Services have been subscribed to, the connection and usage data related to the Services that are necessary for research, studies and analyses will follow the same rules than for the series data.
The Provider will destroy the Personal Data within the aforementioned time limits, unless otherwise required by a mandatory rule resulting from European Union or EU Member State law applicable to the Processing operations described herein.
11. Data Protection Officer
Upon request, the Provider will communicate to the User the name and contact details of its data protection officer, if it has designated one in accordance with Article 37 of the GDPR.
12. Record of Processing activities
The Provider will maintain a record of all categories of Processing activities carried out on behalf of the User, in accordance with Article 30 the GDPR.
13. Transborder flows of Personal Data
In particular, the User authorises the Provider to sub-process the Processing and, where applicable, to transfer the personal data to a country outside the European Union, to the sub-processors listed at the following address: http://easymedstat.com/list-of-subprocessors, including a description of their role, location, and, where applicable, the legal basis allowing the transfer to a country outside the European Union.
The Provider will make its best efforts to cooperate with the User to ensure:
- compliance with the procedures for complying with the personal data protection laws;
- where applicable, the signature of one or more agreements to regulate such transborder flows of personal data. Where possible, the Provider particularly undertakes, where necessary, to sign such agreements with the User and/or to obtain the signature of such agreements from its sub-processors. To this end, the Parties agree that the standard contractual clauses published by the European Commission will be used to provide a framework to transborder flows of personal data.
14. Documentation
The Provider will make available to the User the documentation necessary to demonstrate compliance with all of its obligations laid down in the Terms of Use and the personal data protection laws and allow for and contribute to audits, including inspections, conducted by the User or another auditor mandated by the User.
15. Obligations of the User to the Provider
The User warrants the Provider that it will comply with its legal and regulatory obligations, in particular those under the European regulations on the protection of Personal Data, and with its obligations under this Agreement.
The User undertakes to:
- give the Provider access to the Personal Data concerned by the Terms of Use;
- document in writing any instruction concerning the Processing of Personal Data by the Provider under the Terms of Use;
- ensure, before and throughout the Processing, that the Provider complies with the obligations set out in the personal data protection laws and the Terms of Use;
- supervise the Processing, including by conducting audits and inspections with the Provider.
APPENDIX 3 DATA HOSTING
1. Hosting of data from patients participating in research, studies and analyses
The hosting of the Solution is carried out by (.), a certified health data hosting provider in compliance with Article L. 1111-8 of the Public Health Code.
2. Clauses from Article R 1111-11 of the Public Health Code
In accordance with the provisions of Article R.1111-11 of the Public Health Code, “where the health data controller [...] uses a provider who himself uses a certified hosting provider to host the data, the contract between the data controller and his provider shall include the clauses mentioned in I as set out in the contract between the provider and the certified hosting provider.”
Such clauses are identified below.
2.1 Scope of certification or approval
The hosting provider is certified as a health data hosting provider:
- for the following scope:
- 1) Provision and maintenance in operational condition of the physical sites used to host the physical infrastructure of the information system used for the processing of health data
- 2) Provision and maintenance in operational condition of the physical infrastructure of the information system used for the processing of health data
- 3) Provision and maintenance in operational condition of the information system application hosting platform
- 4) Provision and maintenance in operational condition of the virtual infrastructure of the information system used for the processing of health data
- 6) Outsourced backups of health data
- date of issue or renewal of the approval or certificate: June 2018.
2.2 Description of the services provided, including the content of the services and expected results, in particular to ensure the availability, integrity, confidentiality and auditability of the hosted data.
The following services are provided by the hosting provider:
- the hosting of the solution and the associated data;
- the management of the project for setting up the hosting service;
- the implementation of the remote secure access;
- the implementation of technical monitoring procedures in the production environment;
- the implementation of the backup and restore system.
2.3 Hosting locations
The infrastructure of the hosting provider is based on:
- the data centre located in Strasbourg
2.4 Measures implemented to ensure compliance with the rights of data subjects to whom the health data relate and in particular the rights to data portability
Where the hosting provider receives a request from a data subject, the hosting provider is not allowed to answer it.
The “procedure for exercising the rights to data portability,” the “procedure for reporting personal data breaches to the controller” and the “procedure for the conduct of audits by the Data Protection Officer” are defined in Appendix “Data Protection” to the Agreement.
2.5 Provider’s contact point to be contacted for incidents having an impact on the hosted health data
- name of the contact point: Jordan Chelli
- contact details of the contact point: contact@easymedstat.com
2.6 Quality and performance indicators
The quality and performance indicators allowing to verify the level of service announced, the level guaranteed and the frequency of their measurement are the following:
- monthly availability greater than 99.99%;
The OVH Service Level Agreement is available at this link.
There is no penalty to be paid by the Provider.
2.7 Sub-processing
The conditions for engaging external technical service providers and the hosting provider’s commitments to ensure that such engagement provides an equivalent level of protection with regard to its obligations are the following: the Provider guarantees that the external service providers will comply with its obligations.
2.8 Data access
The method chosen to control access to the hosted personal health data is the following: access by authorisation, then identification and authentication to services.
2.9 Obligations in the event of technical changes or developments introduced by the hosting provider or imposed by the applicable legal framework
The hosting provider will make its best efforts to ensure the continuity of the hosting services during major changes.
2.10 Guarantees
The guarantees and procedures put in place by the hosting provider to cover any possible failure on its part are the following:
- guarantees in accordance with the state of the art;
- insurance.
2.11 Prohibition for the hosting provider to use health data for purposes other than the performance of the hosting activity
The hosting provider will use the hosted personal health data only for the purpose of providing the hosting service.
2.12 Fate of health data
After the end of the service, the hosting provider will return and delete the personal health data without keeping a copy.
