Data Processing Agreement

Last updated: January 15, 2024

1. Definitions

For the purposes of this Data Processing Agreement ("DPA"):

  • "Controller" means the customer who determines the purposes and means of processing Personal Data
  • "Processor" means EBUS Edge, which processes Personal Data on behalf of the Controller
  • "Personal Data" means any information relating to an identified or identifiable natural person
  • "Processing" means any operation performed on Personal Data
  • "Data Subject" means the individual to whom Personal Data relates
  • "Sub-processor" means any third party engaged by EBUS Edge to process Personal Data

2. Scope and Applicability

This DPA applies to all processing of Personal Data by EBUS Edge on behalf of the Controller in connection with the provision of our services. This DPA supplements and forms part of the Terms of Service.

3. Roles and Responsibilities

3.1 Controller Responsibilities

The Controller shall:

  • Ensure it has all necessary rights to provide Personal Data to EBUS Edge for processing
  • Comply with all applicable data protection laws
  • Provide clear instructions for processing Personal Data
  • Ensure the accuracy and adequacy of Personal Data

3.2 Processor Responsibilities

EBUS Edge shall:

  • Process Personal Data only on documented instructions from the Controller
  • Ensure that persons authorized to process Personal Data are bound by confidentiality
  • Implement appropriate technical and organizational measures
  • Assist the Controller in responding to Data Subject requests
  • Notify the Controller of any Personal Data breaches

4. Data Processing Details

4.1 Nature and Purpose of Processing

EBUS Edge processes Personal Data for the purpose of providing our services as described in the Terms of Service, including but not limited to:

  • Account management and authentication
  • Service delivery and support
  • Analytics and service improvement
  • Communication and notifications

4.2 Types of Personal Data

The Personal Data processed may include:

  • Contact information (name, email, phone number)
  • Account credentials
  • Usage data and analytics
  • Payment information
  • Health data (for OmniRapha services only)
  • Other data provided by the Controller

4.3 Categories of Data Subjects

Data Subjects may include:

  • Customers and end-users
  • Employees and contractors of the Controller
  • Patients (for OmniRapha services)
  • Other individuals whose data is provided by the Controller

5. Security Measures

EBUS Edge implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

  • Encryption of Personal Data in transit and at rest
  • Regular security assessments and penetration testing
  • Access controls and authentication mechanisms
  • Employee training on data protection
  • Incident response and breach notification procedures
  • Regular backups and disaster recovery plans

6. Sub-processors

6.1 Authorization

The Controller provides general authorization for EBUS Edge to engage Sub-processors. EBUS Edge maintains a list of current Sub-processors available upon request.

6.2 Sub-processor Requirements

EBUS Edge ensures that Sub-processors:

  • Are bound by data protection obligations equivalent to this DPA
  • Implement appropriate security measures
  • Process Personal Data only as instructed

6.3 Changes to Sub-processors

EBUS Edge will notify the Controller of any intended changes concerning the addition or replacement of Sub-processors. The Controller may object to such changes within 30 days.

7. Data Subject Rights

EBUS Edge shall assist the Controller in fulfilling its obligations to respond to Data Subject requests, including:

  • Right of access
  • Right to rectification
  • Right to erasure
  • Right to restriction of processing
  • Right to data portability
  • Right to object

8. Data Breach Notification

In the event of a Personal Data breach, EBUS Edge shall:

  • Notify the Controller without undue delay and within 72 hours of becoming aware
  • Provide details of the breach, affected Data Subjects, and potential consequences
  • Describe measures taken or proposed to address the breach
  • Cooperate with the Controller in investigating and remediating the breach

9. Data Transfers

Personal Data may be transferred to and processed in countries outside the European Economic Area (EEA). EBUS Edge ensures appropriate safeguards are in place, including:

  • Standard Contractual Clauses approved by the European Commission
  • Adequacy decisions by relevant authorities
  • Other legally recognized transfer mechanisms

10. Audits and Compliance

EBUS Edge shall make available to the Controller information necessary to demonstrate compliance with this DPA and allow for audits, including inspections, conducted by the Controller or an authorized auditor.

11. Data Retention and Deletion

Upon termination of services, EBUS Edge shall:

  • Return all Personal Data to the Controller, or
  • Delete all Personal Data, unless required to retain by law
  • Provide certification of deletion upon request

12. Liability and Indemnification

Each party's liability under this DPA shall be subject to the limitations and exclusions of liability set out in the Terms of Service.

13. Term and Termination

This DPA shall remain in effect for as long as EBUS Edge processes Personal Data on behalf of the Controller. Upon termination, the data deletion provisions in Section 11 shall apply.

14. Governing Law

This DPA shall be governed by the same law as the Terms of Service, except where data protection laws require otherwise.

15. Contact Information

For questions regarding this DPA or data processing practices, please contact:

Data Protection Officer
Email: dpo@ebusholding.com
Address: M 137/2, NEAR UPSA, MADINA, La Nkwantanang-Madina, GREATER ACCRA, Ghana