Terms of Use

Last Updated: May 11, 2020

Article 1. Preamble


The Services are published by Easymadestat, a société par actions simplifiée, registered in the Trade and Companies Register of Nanterre under number 824 727 648, with registered office located at Levallois-Perret, 17 rue Louise Michel - Phone: 09 81 78 91 14 – email: contact@easymedstat.com – EU VAT number: FR76824727648 (hereafter the “Provider”).


The publication director is Jordan Chelli, in his capacity as president.


The service provider in charge of hosting and providing direct and permanent storage is OVH SAS, with registered office located at 2, rue Kellermann, 59100 Roubaix (France).


The IT Solution called EasyMedStat is designed for biomedical research industry professionals.


Based on a SaaS (Software as a Service) model, the Solution allows you to create pseudonymised data series, produce statistics, and share the series with several Users.


To benefit from the functionalities of the Solution, two types of offers are available: 

 

  • a Freemium offer giving free access to free functionalities after creating a user account;
  • a Premium offer giving access to additional paid features after subscribing to Subscription Terms and Conditions.

 

You acknowledge that the use of the Services requires that you read and agree to these Terms of use and comply with all the provisions of these Terms of Use.



Article 2. Definitions


The following terms shall have for the Parties the meaning set forth below:

 

  • “Client”: means a natural or legal person who has subscribed to the Premium Services from the Provider;
  • “Free Services”: means set of free features provided by the Provider to all Users creating an account on the Solution, as described in Appendix “Description of the Services”;
  • “Parties”: means the User and the Provider;
  • “Personal Data”: means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
  • “Premium Services”: means set of paid features provided by the Provider, as described in the Appendix “Description of the Services,” and subscribed to by the Client after acceptance of specific subscription terms and conditions;
  • “Processing”: means any operation or set of operations which is performed on Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
  • “Provider”: means Easymadestat, a société par actions simplifiée, registered in the Trade and Companies Register of Nanterre under number 824 727 648, with registered office located at Asnières-sur-Seine, 163 quai du Docteur Dervaux - Phone: 01 77 50 09 05 – email: contact@easymedstat.com – EU VAT number: FR76824727648;
  • “Services”: means both the Free Services and the Premium Services;
  • “Solution”: means the IT solution enabling access to and use of the Services, available at the address https://easymedstat.com/;
  • “Terms of Use”: means these general terms and conditions applicable to Users for using the Services;
  • “User” or “You”: means any natural person who is a professional, who is entitled to access the Services, and who has a User Account;
  • “User Account”: means an area dedicated to the User allowing access and use of the Services.

 


Article 3. Purpose


The purpose of the Terms of Use is to set out the terms and conditions applicable to Users for accessing the Solution and using the Services.


By accessing and using the Services, you acknowledge that you have read the Terms of Use and expressly accept and agree to be bound by them.



Article 4. Prerequisites


4.1 Legal capacity

You acknowledge that you have the full legal capacity, competence and necessary means to use the Services.


4.2 Use of the Services in the context of a professional activity 

You acknowledge that the Services are for a professional research, study or analysis activity in the biomedical field only and must strictly be used in such context.


4.3 Verifications

At the time of the creation of the User Account, and at any time during the contractual relationship, the Provider may request that you provide such documentary evidence as the Provider may deem relevant to prove your medical profession and/or your legitimacy and rights to access medical data.


In you fail to provide this information within thirty (30) days of acceptance of the Terms of Use, the Provider may terminate the Terms of Use pursuant to Article 7 “Term - Suspension and termination of access to the Services.”


4.4 Hardware compatibility 

Services may be accessed from a computer (desktop or laptop, Mac or PC). 


You are invited to check that your hardware and computer configuration is compatible with the Solution. You must ensure that you meet the following minimum configuration requirements: from a computer, you must at least have one of the latest versions of these browsers: Internet Explorer, Edge, Firefox, Chrome, Safari, Opera.


You are solely responsible for the use and security of the terminals and information systems used, and for electronic communication costs (including Internet access).



Article 5. Acceptance and enforceability of the Terms of Use


5.1 Acceptance

To use the Services, you must first agree to these Terms of Use.


You acknowledge that you have obtained from the Provider all the necessary information about the Services and that you fully accept these Terms of Use.


You can save and print these Terms of Use by using the standard features of your browser.


You are informed that by checking the box associated with the text “I have read the Terms of Use and accept them” and clicking on the validation button that appears during the creation of the User Account, you agree to the Terms of Use and that no handwritten or electronic signature is required. 


Such agreement constitutes proof that you have read the said provisions and constitutes your acceptance of the Terms of Use.


5.2 Enforceability

The Terms of Use are binding upon and enforceable against you upon acceptance before you first use the Services.


You may stop using the Services, but you will remain responsible for any previous use.


5.3 Change

The Terms of Use may be changed or amended by the Provider at any time, particularly to reflect changes to the Solution or the Services.


If Terms of Use are changed, you will be notified of the new Terms of Use and will have to accept them again.



Article 6. Access to the Services


Access to the Solution and the Services requires the creation of a User Account: 

 

  • access to the Free Services is granted to all Users who have created a User Account; 
  • access to the Premium Services is reserved only for Users:
  • who have subscribed to the paid Premium offer, after acceptance of specific subscription terms and conditions; or
  • who have been authorised to use the Premium offer by a Client who subscribed to the paid Premium offer, after acceptance of a contract or specific subscription terms and conditions.

 

You undertake to access the Services only in the course of your professional practice and only for professional purposes that are strictly necessary to carry out research, studies and analyses in the biomedical field.


6.1 Access procedure

The creation of the User Account is made through the Solution. It includes the following steps: 

 

  • You give your email address and choose a password that must meet the requirements indicated; 
  • You read the Terms of Use and accept them by checking the checkbox provided for this purpose and clicking on the acceptance button. If you do not accept the Terms of Use, the registration procedure will be stopped.

 

You undertake to check that your information is accurate and complete and to update it regularly. You may change your personal information in your User Account at any time.


Accessing the Services requires that you enter your email address and password.


6.2 Password management

In accordance with the recommendations of the Commission Nationale de l’Informatique et Libertés, the password chosen by you must be at least eight characters long, contain three different types of characters among the four existing types of characters (upper case, lower case, number and special character) and have no link with you), (name, date of birth).


Regarding the management of passwords, you are informed that:

 

  • if you enter three successive incorrect passwords, your access to the User Account will be locked temporarily;
  • if you enter ten successive incorrect passwords, your access to the User Account will be locked. You will be prompted to contact the Provider;

 

You are solely responsible for the protection and confidentiality of your username and password, and for the security and confidentiality of the channel (email or telephone line) chosen by him to receive his one-time use code. The User undertakes to take all useful measures to keep these means of authentication in conditions that guarantee their security and complete confidentiality.


You are solely responsible for protecting and maintaining the confidentiality of your username and password and for the security and confidentiality of the channel (email or telephone line) chosen by you to receive your single-use code. You undertake to take all useful measures to keep these means of authentication in conditions that guarantee their security and complete confidentiality.


Any use of the Services with your password and means of authentication will be presumed to be made by you.


You undertake to change your password without delay if your password is lost, forgotten, or voluntary or involuntary disclosed to third parties.


The Provider cannot be held liable for any use of your username and/or means of authentication that is fraudulent or improper or caused by their voluntary or involuntary disclosure to anyone.


6.3 Availability

Access to the Solution and the Services is reserved for Users with internet access who meet the requirements of these Terms of Use.


All costs relating to the access, whether for hardware, software or internet access, are the sole responsibility of the Users. Users are solely responsible for the proper functioning of their computer equipment and internet access.


The Solution and the Services are accessible 24 hours a day and 7 days a week, except for periods where they may be suspended for maintenance reasons or otherwise.


The Provider reserves the right to temporarily interrupt the Solution and the Services to perform some operations such as maintenance, updates, changes or amendments in relation to the operational procedures, servers and hours of access. The Provider will make its best efforts to perform these operations during the periods that would least adversely affect User access to the Solution and the Services.


No guarantee is given under the Terms of Use as to the performance, availability and accessibility of the Solution and/or the Services.


The Provider reserves the right to enhance or modify the Solution and the Services available thereon at any time according to technological developments.



Article 7. Term - Suspension and termination of access to the Services


7.1 Term of the Terms of use

The User will have access to the Premium Services from the subscription of the paid Premium offer until the end of the subscription to the Premium Services or until the Client who has subscribed to the Premium offer decides to terminate the User’s access to the Premium Services.


The User will have access to the Free Services from the acceptance of these Terms of Use until the occurrence of the elements provided for below.


7.2 Suspension or termination 

The User will have access to the Free Services until the User Account is closed by the User or, given the fact that it is free, by the Provider.


In particular: 

 

  • In case of suspicion of fraudulent use of the User Account, the Provider reserves the right, without notice or compensation, to suspend or terminate the User’s access to the Services;
  • in the event of a breach of the obligations under the Terms of Use, the Provider reserves the right, without notice or compensation, to suspend access to all or part of the Services by the User until the reason for such suspension has disappeared, or to terminate such access depending on the seriousness of the breach, including: 
  • failure to comply with the rules for using User Accounts, 
  • failure to comply with the information or rights of research, study and analysis participants;
  • failure to comply with the prerequisites listed in the Terms of Use, including those relating to verifications.

 

The User acknowledges that the Provider will not be liable to the User or to any third parties for the consequences of such termination or suspension of access to the Services.


7.3 Effects of the suspension or termination of access to the Services

In the event of suspension, the User will not be able to access the Services until access to the account is restored.


In the event of termination, the User will not be able to access the Services permanently.


In any case, the User remains responsible for any use of the Services prior to the termination or suspension.


The User is responsible for extracting data sets before the termination of the User Account. 


The termination of access to the Services will automatically result in the termination of these Terms of Use.



Article 8. Description of the Services


The specifications of the Services are available directly on the Solution concerned or specified in Appendix “Description of the Services”.


8.1 Compliance

You undertake to test the Services that are the subject of this document before any professional use. By using the Services, you signify your final acceptance of the said Services.


8.2 Changes to the Services

The Provider reserves the right to take and implement any technical decision aimed at improving the Services.


8.3 Hosting

The Services are hosted by a third party service provider, referred to in Appendix “Data Hosting.



Article 9. Your Obligations


9.1 Principles

You acknowledge that you use the Services under your sole responsibility. You undertake to immediately notify the Provider of any fraudulent use of your User Account of which you may be aware. 


You are responsible for providing accurate and updated information and content when validating your access to the Services and when using the Services.


You agree that you must use the Services and the information to which you may have access only for reasons that are strictly necessary to carry out research, studies and analyses. The Services are not intended to be used in a personal context. 


You agree that you must refrain from any action, behaviour or comment that may, without limitation, infringe applicable laws, morality, third party rights, the normal operation of the Solution and the Services, and these Terms of Use.


You undertake to collaborate with the Provider and, in particular, to inform the Provider of any failure in the Services and any manifestly unlawful content that you may detect.


You agree that you must not unlawfully access or attempt to access other networks or information systems connected to the Solution, interfere in the use and enjoyment of the Solution by other Users and introduce viruses, malicious code or any other technology harmful to the Solution or the Services it offers. 


You undertake to comply with all the obligations that may be referred to in Appendix “Description of the Services.”


You are responsible for authorizing other Users to access and share the series of data you create.


In this context, you undertake: 

 

  • to never share your individual User Account, as the sharing of one and the same account is not allowed;
  • to update the access and sharing authorisations you give to reflect any changes in your relationship with the authorised Users. A notice is available at the following URL: http://help.easymedstat.com/en/support/solutions/articles/77000146092

 

The Provider reserves the right to carry out any checks it deems necessary in order to verify your compliance or non-compliance with these obligations, including audits to detect any abnormal or unauthorised use of the Services. You undertake to provide the Provider with all the information necessary to demonstrate compliance with the obligations of these Terms of Use.


9.2 Information on your situation

You undertake to inform the Provider without delay of any change in the professional situation you declared at the time you created your User Account.


9.3 Research, studies and analysis

You acknowledge and agree that the User and/or the Client are responsible for: 

 

  • the level of management, competence, accuracy, efficiency and use of the Solution and the Services in carrying out research, studies and analyses in the biomedical field;
  • compliance with the laws, regulations and obligations concerning the carrying out of research, studies and analyses in the biomedical field, in particular all formalities to be carried out prior to these activities, and generally the applicable good practices.

 

9.4 Enhancement of the Services

You may contribute to the improvement of the Solution and the Services by reporting any malfunctions and, where appropriate, by proposing any improvements. To this end, you are invited to contact  by email: support@easymedstat.com.


You undertake to collaborate with the Provider and, in particular, to inform the Provider of any failure in the Services and any manifestly unlawful content that you may detect.


9.5 Compliance with the rights of participants

The User and, where applicable, the Client, who are the data controllers for the Processing of Personal Data related to research, study and analysis participants, are solely responsible for:

 

  • providing information related to the research, studies and analyses;
  • providing information related to the Processing of Personal Data, in particular regarding the recipients authorised to access the Personal Data; 
  • providing information relating to the hosting of Personal Data; and 
  • obtaining consent from each participant, where required.

 

The User undertakes: 

 

  • not to enter any data that could directly identify the research, study and analysis participants;
  • not to upload to the Solution images containing data directly identifying the participants (such as surname, first name).

 


Article 10. Protection of Personal Data


The Provider will make its best efforts to process the Personal Data in compliance with personal data protection laws, including General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 known as “GDPR” and the French Data Protection Act No. 78-17 of 6 January 1978.


The main categories of data collected within the framework of the Services are the following:

 

  • data relating to research, study and analysis participants carried out using the Services: pseudonymised data entered by the User. 
  • data relating to the User: surname, first name, email address, telephone number where applicable, password, connection data and data on actions related to the Services.

 

Pursuant to the personal data protection laws, the Provider acts as:

 

  • the controller, for the Processing of data related to the management of User Accounts;
  • the processor of the User, for the Processing of data of research, study and analysis participants or any other data used for research, studies and analyses.

 

10.1 Data related to the management of User Accounts

The Provider processes Personal Data.


The use of the Services implies the Processing of Personal Data concerning the User including:

 

  • identity and identification data of the User (surname, first name, password, telephone number where applicable, email address);
  • data concerning the User’s profession;
  • traceability data related to connections and actions on the site (IP address, date and time of connection, type of action performed, etc.);
  • cookies.

 

The legal bases for such Processing of Personal Data are:

 

  • the performance of the service agreement when the Provider carries out Processing for the purpose of:
  • the creation of User Accounts and the provision of Services;
  • the legitimate interests pursued by the Provider when it pursues the following purposes: 
  • the production of statistics on the use of the Services;
  • the User’s consent when the Provider carries out Processing for the purpose of: 
  • the performance of marketing operations during which the Provider sends advertisements by email to the User concerning the offers that the Provider proposes.

 

Otherwise, the Services cannot be provided to the User or the quality of the Services cannot be optimal.


The Provider will keep the data only for the period necessary to carry out the operations for which they were collected and in compliance with the applicable laws.

 

  • the Personal Data will be kept throughout the contractual relationship and deleted at the end of the relationship; 
  • the logs that are not used for the reliability of research, studies and analyses will be deleted after a period of six months;
  • the Personal Data necessary to carry out loyalty and direct marketing actions will be kept for the entire duration of the commercial relationship and three (3) years from the last purchase; 
  • the Data concerning the objection to receive direct marketing will be kept for three (3) years from the objection; 
  • longer retention periods may be determined to ensure compliance with legal or regulatory obligations.

 

The Data processed is intended for the authorised personnel of the Provider, and its service providers, which may be located outside the European Union. Such data transfers are subject to appropriate legal safeguards provided by the Provider. For more information, you may refer to the list of the Provider’s processors available at the following address: http://easymedstat.com/info/list-of-subprocessors .


The traceability data of connections and actions on the series are also accessible by other users authorised to access the data series.


Under the conditions defined by the French Data Protection Act and the GDPR, Users who are natural person have a right of access, a right to rectification, a right to erasure, a right of data portability as well as a right to restriction of Processing in respect of data concerning them.


Users, who are the data subjects of the Processing carried out, also have the right to object, on grounds relating to their particular situation, at any time to Processing of Personal Data concerning them which is based on the legitimate interests of the Provider, and the right to object to direct marketing. 


If you no longer wish to receive offers from the Provider by email, you can manage your consents and objections directly on the Solution. 


Users also have the right to give general and specific guidelines on how they intend the above-mentioned rights to be exercised after their death.


These rights may be exercised by contacting Jordan Chelli:

 

  • by email to: contact@easymedstat.com
  • by mail to: Jordan Chelli - 163 Quai du Docteur Dervaux 92600 Asnières-sur-Seine France 

 

Data subjects have the right to lodge a complaint with the Commission Nationale de l’Informatique et des Libertés.


10.2 Cookies

The Provider uses cookies, as described at: http://easymedstat.com/info/cookies-policy.


10.3 Provider acting as a processor

With regard to the Personal Data of research, study and analysis participants, the User or the Client acts as the controller(s), and the Provider as the processor within the meaning of personal data protection laws. 


As such, the Provider undertakes to process the Personal Data entrusted within the framework of the Services in accordance with the User’s written instructions as set out in Appendix “Data Protection”.



Article 11. Liability


11.1 Provider’s liability

The Parties jointly agree that the Provider may be held liable by the User only in case of proven fault and that the Provider will use commercially reasonable efforts to perform its obligations under the Terms of Use as the Provider’s obligation is an obligation of means within the meaning of French law.


The Parties jointly agree that the Provider may be held liable only for the consequences of direct damage and that compensation for indirect damage shall be excluded.


Indirect damage shall mean loss of data, loss of time, loss of funding, loss of revenues, loss of patients, loss of actions, as well as harm to reputation, loss of expected results and third party action.


For the use of Premium Services, the Provider’s liability shall, by mutual agreement, not exceed the amount of the sums actually paid by the Client for the Services for the year in which the damage occurred.


For the use of Free Services, given the fact that they are free, the Provider shall have no liability to the User under these Terms of Use.


The Parties acknowledge that this clause is neither derisory nor excessive and reflect their express will.


In any case, while the Provider will make its best efforts to offer Users quality information or Services, it cannot be held responsible for any direct or indirect damage or prejudice resulting from:

 

  • the interruption or malfunction of the Solution and Services caused by the User’s or Client’s information system and network;
  • the propagation of computer viruses or malicious programs in any form whatsoever;
  • the incompatibility of the configuration of the User’s computer equipment with the Services;
  • a fraudulent or abusive use or a use caused by the voluntary or involuntary disclosure of the User’s username and/or password to anyone;
  • errors, inaccuracies or omissions in the data provided by the User when creating the User Account;
  • a non-performance or poor performance of the Terms of Use attributable to the User; 
  • a force majeure event or fortuitous events.

 


The Provider cannot be held liable for actions performed by the User in the context of research, studies and analyses, as the User is not acting on behalf of the Provider. 


Any damage, losses, costs and expenses resulting from a breach by the User of one or more of its obligations under the Terms of Use shall not give rise to compensation.


This clause shall survive in case these Terms of Use are cancelled, rescinded, terminated or annulled,


11.2 Your liability

You undertake to use the Services under your exclusive responsibility. You are solely responsible for using the Services in compliance with the provisions of the Terms of Use.


You are further solely responsible for ensuring that:

 

  • the Services meet your own needs, in particular on the basis of the indications provided by the Provider or on the Solution;
  • the hardware and software environment used is compatible with the Services.

 

You indemnify and hold the Provider harmless from and against an action by you or a third party, in particular by a participant in a research, study or analysis, based on the use of the Services.


Article 12. Force majeure

In case of a force majeure event, the performance of these Terms of Use will at first be suspended.


If a force majeure event lasts for more than two months, these Terms of Use will be automatically terminated, unless otherwise agreed by the Parties.


It is expressly agreed that force majeure events, acts of God or fortuitous events will be those usually accepted under the case law of French courts and tribunals, as well as the events below:

 

  • war, riot, fire, internal or external strikes, lock out, occupation of the Provider’s premises, bad weather, earthquake, flood, water damage, statutory or governmental restrictions, statutory or regulatory modifications of the means of marketing, accidents of any nature, epidemics, pandemics, illness affecting more than 10% of the Provider’s employees in a period of two consecutive months, absence of energy supply, partial or total failure of the Internet network and more generally of the private or public telecommunications networks, road blockage and impossibility to obtain supplies and any other event beyond the reasonable control of the Parties preventing the normal performance of these Terms of Use.

 



Article 13. Ownership


The Services are the property of the Provider or of the right holders from which it holds its rights, in accordance with the provisions of the French Intellectual Property Code.


All the items composing the Solution, including the interfaces made available to you under these Terms of Use, and the information provided to you by the Provider are and remain the exclusive property of the Provider or its partners.


Accordingly, you must not act or conduct in any manner that may directly or indirectly infringe the intellectual property rights in the Services and generally any related trademarks.


In particular, you agree that you are prohibited from performing the following:

 

  • any performance, dissemination or distribution of the Services, including any networking not provided for under these Terms of Use, whether or not for consideration;
  • any form of use of the Services, in any way whatsoever, for the purpose of designing, creating, disseminating or marketing similar, equivalent or substitute services;
  • any adaptation, modification, transformation, arrangement of the Services, for any reason whatsoever, including to correct errors;
  • any direct or indirect transcription, any translation into other languages of the Solution and the Services;
  • any use for Processing not authorised by the Provider;
  • any modification or bypass of protection codes such as passwords or usernames.

 



Article 14. Hyperlinks


The Solution may contain hyperlinks giving access to third party websites.


You are formally informed that the websites you can access via hyperlinks do not belong to the Provider.


The Provider accepts no responsibility for the content of the information provided on such websites via the activation of the hyperlinks and for the privacy policy of such websites. You may not hold the Provider liable in the event of loss or damage of any kind whatsoever resulting from the activation of these hyperlinks.



Article 15. Insurance


The Provider represents that it has taken out an insurance policy with a financially sound and reputable insurance company covering all the financial consequences of its professional civil liability, tort liability and/or contractual liability as a result of bodily injury, property damage and consequential loss caused to the User and any third party in the course of the performance of the Terms of Use.



Article 16. Miscellaneous


16.1 Evidence

The computer logs kept in the Provider’s information systems in reasonable security conditions will be considered as proving communications, the registration forms, and any other information and data sent by the User to the Provider for carrying out the Processing desired by the User.


In case of conflict between the computer logs of the Provider and any written document or electronic file of the User, the Parties expressly agreed that the Provider’s computer logs will prevail over the User’s documents and shall be the only ones admitted as evidence.


16.2 Waiver

The Parties mutually agree that any tolerance of a situation by one party shall not grant the other party any rights in that respect.


Moreover, such a tolerance shall not be construed as a waiver of the rights in question.


16.3 Headings

In the case of a difficulty of interpretation arising out of a contradiction between any of the headings of the clauses and the content of any of the clauses, the headings shall be deemed to be non-existent.


16.4 Severability

If one or several provisions of the Terms of Use were to be held invalid or declared as such by a law, a regulation or a final decision which has become res judicata rendered by a court having proper jurisdiction, the other provisions shall remain in full force and effect.


16.5 Assignment of the agreement

This agreement may not be assigned by one of the Parties, in whole or in part, whether or not for consideration, without the prior written consent of the other Party.


16.6 Governing law

This agreement shall be governed by the laws of France.


French law shall apply to both form and substance, notwithstanding the place of performance of principal or ancillary obligations.


16.7 Indivisibility

This agreement forms an indivisible whole so that one of the legal operations cannot take place without the simultaneous fulfilment of the obligations referred to under the agreement.


16.8 Jurisdiction

ALL DISPUTES OF A CONTRACTUAL OR NON-CONTRACTUAL NATURE ARISING OUT OF OR IN CONNECTION WITH ALL OF THE CONTRACTUAL RELATIONSHIPS SHALL BE EXPRESLY SUBMITTED TO THE JUDICIAL COURT OF PARIS (FRANCE), EVEN IN THE EVENT OF MULTIPLE DEFENDANTS OR THIRD-PARTY PROCEEDINGS, INCLUDING IN CASE OF URGENT PROCEEDINGS, PROTECTIVE MEASURES, SUMMARY PROCEEDINGS OR EX PARTE APPLICATIONS.


Article 17. List of appendices


The following appendices are attached to these Terms of Use:

 

  • Appendix 1: Description of the Services 
  • Appendix 2: Data Protection 
  • Appendix 3: Data Hosting

 

APPENDIX 1 DESCRIPTION OF THE PREMIUM SERVICES

1. Free Features

The free features include: 
  • creation of data series; 
  • production of statistics allowed by the free offer on the data series created by the User.
2. Premium Features

The premium features include:
  • the production of premium statistics on the data series created by the User.
  • the sharing of series with other Users of the Free Services and/or Premium Services.

3. Support

Support is provided by the Provider in the form of email responses. The Provider will make its best efforts to respond to the User within a reasonable time. 

All notifications and complaints must be made in writing and sent to the support department:
  • by mail to: EasyMadeStat - 163 Quai du Docteur Dervaux, 92600 Asnières-sur-Seine, France;
  • by email to: support@easymedstat.com.
No onsite support is included under the Terms of Use and no support will be provided on the User’s site.

APPENDIX 2 DATA PROTECTION

1. Preamble

In applying the Terms of Use and performing the Services, the Provider may access the Personal Data of research, study or analysis participants and of the User(s); such access constitutes Processing of Personal Data within the meaning of personal data protection laws.

The Provider acknowledges that all of the personal data it may access in that context is strictly confidential. The Provider therefore acknowledges that all data processed in connection with the performance of the Terms of Use:
  • is subject to the laws applicable in France and in the European Union regarding the protection of personal data (hereafter, “personal data protection laws”);
  • is subject to privacy and professional secrecy.

2. Purpose

This Appendix is an integral part of the Terms of Use and sets out the terms and conditions under which the Provider undertakes to carry out personal data Processing operations on behalf of the User under the Terms of Use.


3. Description of the Processing entrusted to the Processor

Under the Terms of Use, the Provider is authorised to process the personal data necessary to provide the following services for the duration of the Terms of Use: export, analysis, monitoring, maintenance, support, hosting, deletion.

The operations carried out on the personal data are the following:
  • data flow management;
  • data uploading and downloading;
  • data transformation;
  • data analysis;
  • data sharing; 
  • data hosting;
  • data deletion.
The purposes of the Processing are the following: to allow the creation of pseudonymised data series, to produce statistics and to share series between several Users.

The Personal Data processed are the following:
  • the data of the participants in the research, studies and analyses described in the Solution;
  • the data relating to the identity, authentication, and actions of Users.
The categories of data subjects are the following:
  • research, study and analysis participants whose data is included in the Solution;
  • Users.
The persons authorised to process the Personal Data under the Agreement are the following:
  • the Provider’s personnel (technicians, engineers);
  • the Provider’s processors as listed in section “Processors” of this Appendix.


4. Obligations of the Provider to the User

The Provider will make its best efforts to ensure compliance with its statutory and regulatory obligations, in particular those under the personal data protection laws, and with its obligations under the Terms of Use.

Consequently, the Provider will make its best efforts to:
  • Process the Personal Data solely for the purposes that are subject to the Processing operations referred to above;
  • Process the Personal Data in accordance with the documented instructions from the User, including with regard to transfers of Personal Data to a third country or an international organisation. The Provider will immediately inform the User if, in its opinion, an instruction infringes the personal data protection laws. If the Provider is required to transfer Personal Data to a third country or an international organisation by a mandatory rule resulting from European Union or EU Member State law to which the processor is subject, the Provider will inform the User of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest;
  • Guarantee the confidentiality of the Personal Data processed. The Provider will take all measures to help prevent abusive, malicious or fraudulent use of the Personal Data;
  • Refrain from:
    • processing and/or consulting the Personal Data for purposes other than the performance of the services it carries out for the User under the Terms of Use (even if access to such data is technically possible);
    • disclosing, in any form whatsoever, all or part of the Personal Data processed;
    • copying or storing, in whatever form and for whatever purpose, all or part of the information or Personal Data contained on the media or documents entrusted to it or collected by it in the course of the performance of the Agreement, except in cases provided for herein.
  • Ensure that the persons authorised to process Personal Data under the Agreement:
    • are committed themselves to confidentiality or are under an appropriate legal obligation of confidentiality;
    • receive the necessary data protection training.
  • Take into account the principles of data protection by design and by default under Article 25 of the GDPR with respect to its tools, products, applications or services.

The Parties agree that an instruction shall be deemed to be given where the Provider acts within the framework of the Terms of Use.


5. Sub-processors

The User authorises the Provider to sub-process, within the meaning of personal data protection laws, all or part of the services, including to a country that is not located in the European Union, subject to the reservations set out in section “Transborder flows of Personal Data” of this Appendix.

In all cases, the Provider will use its best efforts to:
  • inform and sign with its sub-processor a written agreement that imposes on its sub-processor the same data protection obligations as set out in this Appendix;
  • impose on its sub-processor all obligations necessary to ensure that the confidentiality, security and integrity of the data are respected and that the said data can neither be transferred or leased to a third party, whether free of charge or for consideration, nor used for purposes other than those defined in this Appendix;
  • inform the User of any intended changes concerning the addition or replacement of sub-processors, via a web space available directly on the Solution. It is up to the User to refer to such web space.
Where its sub-processors fail to fulfil their data protection obligations, the Provider shall remain fully liable to the User for the performance of such sub-processors’ obligations.

In particular, the User authorises the Provider to sub-process the Processing and, where applicable, to transfer the Personal Data to a country outside the European Union, to the sub-processors listed at the following address: http://easymedstat.com//info/list-of-subprocessors, including a description of their role, location, and, where applicable, the legal basis allowing the transfer to a country outside the European Union.


6. Rights of data subjects

The User is responsible for providing information (in compliance with the requirements of personal data protection laws, and in particular Articles 13 and 14 of the GDPR) to the data subjects concerned by the Processing (research participants) at the time of collection of their Personal Data and for obtaining their consent for the Processing of their data.

The Provider may assist the User, insofar as this is possible, in providing the above-mentioned information and in fulfilling the User’s obligation to respond to requests for exercising the data subject’s rights.


7. Notification of Personal Data breaches

The Provider will notify the User without undue delay after becoming aware of a personal data breach, namely a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of Personal Data transmitted, processed or stored in a manner that does not comply with the User’s instructions and the personal data protection laws, or the unauthorised access to such Personal Data by any means.


8. Provider’s assistance for compliance with the User’s obligations

The Provider will assist the User, insofar as this is possible, in complying with its obligations under the personal data protection laws, including:
  • its obligations to notify a personal data breach to the CNIL or to communicate a personal data breach to the data subject;
  • its obligation to carry out a prior consultation of the CNIL under Article 36 of the GDPR.
Moreover, where the User decides or is required to carry out a data protection impact assessment for one or more of the Processing operations it carries out, the Provider will make its best efforts to assist the User in carrying out this assessment or these assessments. Such services will be subject to a separate quotation from the Provider.

In the event of an audit by the CNIL, the Parties undertake to cooperate with each other and with the CNIL. More specifically, where the audit is carried out at the Provider’s and relates to the Processing carried out for and on behalf of the User, the Provider undertakes not to make any commitment on the User’s behalf.

Where the audit is carried out by the CNIL at the User’s and relates in particular to the services provided by the Provider, the Provider will cooperate with the User and provide it with any information which the latter may require or which would be necessary 


9. Security measures

9.1. General security measures applicable to all Processing
In accordance with the personal data protection laws, the Provider will make its best efforts to take all useful precautions, in particular with regard to the nature of the Personal Data and the risks of the processing, to preserve the security and confidentiality of the Personal Data transmitted, processed or stored and to prevent their distortion, alteration, damage, accidental or unlawful destruction, loss, disclosure and/or access by third parties not previously authorised.

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Provider will make its best efforts to implement all appropriate technical and organisational measures to protect personal data and ensure a level of security appropriate to the risk.

In this respect, the Provider will make its best efforts to carry out the Processing entrusted by the User hereunder and, where required, to implement the following measures which tend towards the state of the art, if necessary on the basis of the rules resulting from the general security policy for health information systems, published by the Agence du Numérique en Santé:
  • the pseudonymisation and encryption of Personal Data;
  • the information and awareness-raising of its staff, including the signature by each person acting on behalf of the Provider of:
    • an individual confidentiality agreement limiting their actions solely to the tasks entrusted to them;
  • the access to personal data by means of authentication consistent with the recommendations issued by the CNIL;
  • the definition of authorisation profiles, the removal of obsolete access permissions and the restriction of access to tools and administration interface only to qualified individuals;
  • the implementation of automatic traceability systems (logs); 
  • the definition of a security policy appropriate to the risks of the Processing and including the security objectives as well as the physical, logical and organisational security measures to fulfil them;
  • the ability to ensure the ongoing confidentiality, integrity, availability and resilience of the solution and Processing services;
  • the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident;
  • a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the Processing.
9.2 Specific security measures for health data hosting
The means implemented by the Provider to ensure the security and confidentiality of the data are in accordance with the state of the art and include the hosting of data in compliance with Article L. 1111-8 of the Public Health Code and the decree relating to the hosting of personal health data.

9.3. Specific security measures for remote services
Where the Provider remotely intervenes on data for the purposes of remote monitoring, remote maintenance and remote assistance services, it will make its best efforts to comply with the main rules resulting from the general security policy for health information systems (hereafter “PGSSI-S”) published by the Agence du Numérique en Santé and in particular those resulting from the reference framework on rules for remote interventions on health information systems.


10. Fate of Personal Data

The Personal Data used for research, studies and analyses carried out on a series will be deleted when the User Account of the User who created the said series is closed.

For Freemium Services, the connection and usage data related to the Services will be kept for a sliding period that cannot exceed six months. If the Premium Services have been subscribed to, the connection and usage data related to the Services that are necessary for research, studies and analyses will follow the same rules than for the series data.

The Provider will destroy the Personal Data within the aforementioned time limits, unless otherwise required by a mandatory rule resulting from European Union or EU Member State law applicable to the Processing operations described herein.


11. Data Protection Officer

Upon request, the Provider will communicate to the User the name and contact details of its data protection officer, if it has designated one in accordance with Article 37 of the GDPR.


12. Record of Processing activities

The Provider will maintain a record of all categories of Processing activities carried out on behalf of the User, in accordance with Article 30 the GDPR.


13. Transborder flows of Personal Data 

In particular, the User authorises the Provider to sub-process the Processing and, where applicable, to transfer the personal data to a country outside the European Union, to the sub-processors listed at the following address: http://easymedstat.com/info/list-of-subprocessors, including a description of their role, location, and, where applicable, the legal basis allowing the transfer to a country outside the European Union.

The Provider will make its best efforts to cooperate with the User to ensure:
  • compliance with the procedures for complying with the personal data protection laws;
  • where applicable, the signature of one or more agreements to regulate such transborder flows of personal data. Where possible, the Provider particularly undertakes, where necessary, to sign such agreements with the User and/or to obtain the signature of such agreements from its sub-processors. To this end, the Parties agree that the standard contractual clauses published by the European Commission will be used to provide a framework to transborder flows of personal data.

14. Documentation

The Provider will make available to the User the documentation necessary to demonstrate compliance with all of its obligations laid down in the Terms of Use and the personal data protection laws and allow for and contribute to audits, including inspections, conducted by the User or another auditor mandated by the User.


15. Obligations of the User to the Provider

The User warrants the Provider that it will comply with its legal and regulatory obligations, in particular those under the European regulations on the protection of Personal Data, and with its obligations under this Agreement.

The User undertakes to:
  • give the Provider access to the Personal Data concerned by the Terms of Use;
  • document in writing any instruction concerning the Processing of Personal Data by the Provider under the Terms of Use;
  • ensure, before and throughout the Processing, that the Provider complies with the obligations set out in the personal data protection laws and the Terms of Use;
  • supervise the Processing, including by conducting audits and inspections with the Provider.

APPENDIX 3 DATA HOSTING

1. Hosting of data from patients participating in research, studies and analyses


The hosting of the Solution is carried out by (.), a certified health data hosting provider in compliance with Article L. 1111-8 of the Public Health Code. 



2. Clauses from Article R 1111-11 of the Public Health Code


In accordance with the provisions of Article R.1111-11 of the Public Health Code, “where the health data controller [...] uses a provider who himself uses a certified hosting provider to host the data, the contract between the data controller and his provider shall include the clauses mentioned in I as set out in the contract between the provider and the certified hosting provider.”


Such clauses are identified below.


2.1 Scope of certification or approval

The hosting provider is certified as a health data hosting provider:

 

  • for the following scope:
  • 1) Provision and maintenance in operational condition of the physical sites used to host the physical infrastructure of the information system used for the processing of health data
  • 2) Provision and maintenance in operational condition of the physical infrastructure of the information system used for the processing of health data
  • 3) Provision and maintenance in operational condition of the information system application hosting platform
  • 4) Provision and maintenance in operational condition of the virtual infrastructure of the information system used for the processing of health data
  • 6) Outsourced backups of health data

 

 

  • date of issue or renewal of the approval or certificate: June 2018.

 

2.2 Description of the services provided, including the content of the services and expected results, in particular to ensure the availability, integrity, confidentiality and auditability of the hosted data.

The following services are provided by the hosting provider: 

  • the hosting of the solution and the associated data; 
  • the management of the project for setting up the hosting service; 
  • the implementation of the remote secure access; 
  • the implementation of technical monitoring procedures in the production environment;
  • the implementation of the backup and restore system. 

 

2.3 Hosting locations

The infrastructure of the hosting provider is based on:

 

  • the data centre located in Strasbourg.

 

2.4 Measures implemented to ensure compliance with the rights of data subjects to whom the health data relate and in particular the rights to data portability 

Where the hosting provider receives a request from a data subject, the hosting provider is not allowed to answer it.


The “procedure for exercising the rights to data portability,” the “procedure for reporting personal data breaches to the controller” and the “procedure for the conduct of audits by the Data Protection Officer” are defined in Appendix “Data Protection” to the Agreement. 


2.5 Provider’s contact point to be contacted for incidents having an impact on the hosted health data

 

  • name of the contact point: Jordan Chelli
  • contact details of the contact point: contact@easymedstat.com

 

2.6 Quality and performance indicators

The quality and performance indicators allowing to verify the level of service announced, the level guaranteed and the frequency of their measurement are the following: 

 

  • monthly availability greater than 99.99%; 

 

The OVH Service Level Agreement is available at this link .

There is no penalty to be paid by the Provider.


2.7 Sub-processing

The conditions for engaging external technical service providers and the hosting provider’s commitments to ensure that such engagement provides an equivalent level of protection with regard to its obligations are the following: the Provider guarantees that the external service providers will comply with its obligations.


2.8 Data access

The method chosen to control access to the hosted personal health data is the following: access by authorisation, then identification and authentication to services.


2.9 Obligations in the event of technical changes or developments introduced by the hosting provider or imposed by the applicable legal framework 

The hosting provider will make its best efforts to ensure the continuity of the hosting services during major changes.


2.10 Guarantees

The guarantees and procedures put in place by the hosting provider to cover any possible failure on its part are the following: 

 

  • guarantees in accordance with the state of the art;
  • insurance.

 

2.11 Prohibition for the hosting provider to use health data for purposes other than the performance of the hosting activity  

The hosting provider will use the hosted personal health data only for the purpose of providing the hosting service.


2.12 Fate of health data

After the end of the service, the hosting provider will return and delete the personal health data without keeping a copy.

Share by: