This Agreement for the supply of EIDO Inform Digital is made between Specialists Management Services Pty Ltd as Trustee for the Specialist Management Services Unit Trust ABN 79338248625 whose registered office is at Level 1, 257 Auburn Road, Hawthorn Victoria 3122 (the Supplier) and you (the Customer) on the terms set out herein.
(A) The Supplier holds the Australian and New Zealand licence to supply EIDO’s software application and platform which assists healthcare providers in obtaining informed consent from patients.
(B) The Customer wishes to use the Supplier’s service.
(C) The Supplier has agreed to provide and the Customer has agreed to take and pay for the Supplier’s service subject to the terms and conditions of this Agreement.
1.1 The definitions and rules of interpretation in this clause apply in this Agreement.
Annual Subscription Fee: the Annual Subscription Fee payable by the Customer to the Supplier for each Subscription Term.
Authorised User: those employees, agents and independent contractors of the Customer who are authorised by the Customer to use the Services and the Documentation, as further described in clause 2.1.
Business Day: a day other than a Saturday, Sunday or public holiday in Australia.
Commencement Date: the date the Customer is granted access to the Services.
Confidential Information means information that is proprietary or confidential and is either clearly labelled as such or identified as Confidential Information in clause 9.5 or clause 9.5.
Documentation: the Functional Specification, the Training and Support Materials and any other materials relating to the Services made available by the Supplier to the Customer online via https://support.eidohealthcare.com or such other web address notified by the Supplier to the Customer from time to time.
EIDO: EIDO Systems International Limited, incorporated and registered in England and Wales with company number 09485836 whose registered office is at 29 Bridgford Road, West Bridgford, Nottingham, Nottinghamshire, United Kingdom, NG2 6AU.
Functional Specification: the functional specification of the Software made available by the Supplier to the Customer online via https://support.eidohealthcare.com as the same may be updated from time to time to take account of any new version of the Software provided to the Customer pursuant to clause 3.2.
Normal Business Hours: 9.00 am to 6.00 pm AEST, each Business Day.
Personal Information: as defined in Schedule 2.
Services: the provision of the Software and the other services provided by the Supplier to the Customer under this Agreement via https://australia.eidodigital.com or any other website notified to the Customer by the Supplier from time to time.
Software: the online software applications comprising the licensed articles provided by the Supplier as part of the Services.
Subscription Term means the twelve month period from the Commencement Date and each subsequent twelve month period from the anniversaries of the Commencement Date.
Support Policy: the Supplier’s policy for providing support as advised from time to time.
Training and Support Materials: the training and support materials made available from time to time by the Supplier via https://support.eidohealthcare.com or such other web address notified by the Supplier to the Customer.
Virus: any thing or device (including any software, code, file or programme) which may: prevent, impair or otherwise adversely affect the operation of any computer software, hardware or network, any telecommunications service, equipment or network or any other service or device; prevent, impair or otherwise adversely affect access to or the operation of any programme or data, including the reliability of any programme or data (whether by re-arranging, altering or erasing the programme or data in whole or part or otherwise); or adversely affect the user experience, including worms, trojan horses, viruses and other similar things or devices.
1.2 A person includes an individual, corporate or unincorporated body (whether or not having separate legal personality) and that person’s legal and personal representatives, successors or permitted assigns.
1.3 A reference to a company shall include any company, corporation or other body corporate, wherever and however incorporated or established.
1.4 Unless the context otherwise requires, words in the singular shall include the plural and in the plural shall include the singular.
1.5 A reference to a statute or statutory provision shall include all subordinate legislation made as at the date of this Agreement under that statute or statutory provision.
2. Use of the Services and Documentation
2.1 The Supplier hereby grants to the Customer a non-exclusive, non-transferable right, without the right to grant sublicences, to permit from the Commencement Date the Authorised User to use the Services and the Documentation during the Subscription Term solely in connection with the Customer’s informed consent procedures in relation to treatment being provided to a patient. The Customer shall not otherwise make the Services or the Documentation available for use by any person.
2.2 The rights provided under this clause 2 are granted to the Customer only, and shall not be considered granted to any subsidiary or holding company of the Customer.
3.1 The Supplier shall, during the Subscription Term, provide the Services and make available the Documentation to the Customer on and subject to the terms of this Agreement.
3.2 The Supplier will provide the Customer with all new versions of the Software generally made available to its customers.
3.3 The Supplier will, as part of the Services and at no additional cost to the Customer, provide the Customer with Support Services during Normal Business Hours in accordance with the Support Policy in effect at the time that the Support Services are provided.
4. Customer data
4.1 The Customer shall own all right, title and interest in and to all of the Customer Data that is not Personal Information and shall have sole responsibility for the legality, reliability, integrity, accuracy and quality of all such Customer Data, provided always that the Supplier may use such data in the manner referred to in paragraph 13 of Schedule 2.
4.2 In respect of Personal Information, the parties agree as set out in Schedule 2.
5. Supplier’s obligations
The Supplier undertakes that the Services will be performed substantially in accordance with the Documentation and with reasonable skill and care.
6. Customer’s obligations
6.1 The Customer shall not access, store, distribute or transmit any Viruses, or any material during the course of its use of the Services and the Supplier reserves the right, without liability or prejudice to its other rights to the Customer, to disable the Customer’s access to any material that breaches this clause.
6.2 The Customer shall not:
6.2.1 attempt to copy, modify, duplicate, create derivative works from, frame, mirror, republish, download, display, transmit, or distribute all or any portion of the Software and/or Documentation (as applicable) in any form or media or by any means; or
6.2.2 attempt to de-compile, reverse compile, disassemble, reverse engineer or otherwise reduce to human-perceivable form all or any part of the Software;
6.2.3 introduce or permit the introduction of, any Virus into the Supplier’s network and information systems.
6.3 The Customer shall use all reasonable endeavours to prevent any unauthorised access to, or use of, the Services and/or the Documentation and, in the event of any such unauthorised access or use, promptly notify the Supplier.
6.4 The Customer shall:
6.4.1 provide the Supplier with all necessary co-operation and access to such information as may be required by the Supplier in order to provide the Services;
6.4.2 be, to the extent permitted by law and except as otherwise expressly provided in this Agreement, solely responsible for procuring, maintaining and securing its network connections and telecommunications links from its systems to the Supplier’s data centres, and all problems, conditions, delays, delivery failures and all other loss or damage arising from or relating to the Customer’s network connections or telecommunications links or caused by the internet.
7. Charges and payment
7.1 The Customer shall pay the Annual Subscription Fee in advance to the Supplier for each Subscription Term.
7.2 If the Supplier has not received payment of any instalment of any Annual Subscription Fee within 7 days after the due date for payment, and without prejudice to any other rights and remedies of the Supplier, the Supplier may, without liability to the Customer, disable the Customer’s password, account and access to all or part of the Services and the Supplier shall be under no obligation to provide any or all of the Services while the invoice(s) concerned remain unpaid; and interest shall accrue on a daily basis on such due amounts at the rate of 8% per annum, commencing on the due date and continuing until fully paid, whether before or after judgment.
8. Proprietary rights
8.1 The Customer acknowledges and agrees that the Supplier and/or its licensors own all intellectual property rights in the Services and the Documentation.
9.1 Each party may be given access to Confidential Information from the other party in order to perform its obligations under this Agreement. A party’s Confidential Information shall not be deemed to include information that:
9.1.1 is or becomes publicly known other than through any act or omission of the receiving party;
9.1.2 was in the other party’s lawful possession before the disclosure;
9.1.3 is lawfully disclosed to the receiving party by a third party without restriction on disclosure; or
9.1.4 is independently developed by the receiving party, which independent development can be shown by written evidence.
9.2 Subject to clause 9.4, each party shall hold the other’s Confidential Information in confidence and not make the other’s Confidential Information available to any third party, or use the other’s Confidential Information for any purpose other than the implementation of this Agreement.
9.3 Each party shall take all reasonable steps to ensure that the other’s Confidential Information to which it has access is not disclosed or distributed by its employees or agents in violation of the terms of this Agreement.
9.4 A party may disclose Confidential Information to the extent such Confidential Information is required to be disclosed by law, by any governmental or other regulatory authority or by a court or other authority of competent jurisdiction, provided that, to the extent it is legally permitted to do so, it gives the other party as much notice of such disclosure as possible and, where notice of disclosure is not prohibited and is given in accordance with this clause 9.4, it takes into account the reasonable requests of the other party in relation to the content of such disclosure.
9.5 The above provisions of this clause 9 shall survive termination of this Agreement, however arising.
10.1 Except as expressly and specifically provided in this Agreement:
10.1.1 the Customer assumes sole responsibility for results obtained from the use of the Services and the Documentation by the Customer, and for conclusions drawn from such use. Neither the Supplier nor EIDO shall have any liability for any damage caused by errors or omissions in any information or instructions provided to the Supplier by the Customer in connection with the Services, or any actions taken by the Supplier at the Customer’s written request; and
10.1.2 all warranties, representations, conditions and all other terms of any kind whatsoever implied by statute or common law are, to the fullest extent permitted by applicable law, excluded from this Agreement.
10.2 Nothing in this Agreement excludes the liability of the Supplier:
10.2.1 for death or personal injury caused by the Supplier’s negligence; or
10.2.2 for fraud or fraudulent misrepresentation.
10.3 Subject to clause 10.1 and clause 10.2:
10.3.1 Neither the Supplier nor EIDO shall be liable whether in tort (including for negligence or breach of statutory duty), contract, misrepresentation, restitution or otherwise for any loss of profits, loss of business, depletion of goodwill and/or similar losses or loss or corruption of data or information, or pure economic loss, or for any special, indirect or consequential loss, costs, damages, charges or expenses however arising under this Agreement; and
10.3.2 the total aggregate liability of the Supplier and EIDO in contract (including in respect of the indemnity at clause 10), tort (including negligence or breach of statutory duty), misrepresentation, restitution or otherwise, arising in connection with the performance or contemplated performance of this Agreement shall be limited to the Annual Subscription Fee paid for the Subscription Term during which the event(s) giving rise to the relevant claim arose.
11. Term and termination
11.1 This Agreement shall, unless otherwise terminated as provided in this clause 11, automatically renew on the anniversaries of the Commencement Date unless written notice is given by either of the parties.
11.2 Without affecting any other right or remedy available to it, either party may terminate this Agreement with immediate effect by giving written notice to the other party if:
11.2.1 the other party fails to pay any amount due under this Agreement on the due date for payment and remains in default not less than seven days after being notified in writing to make such payment;
11.2.2 the other party commits a material breach of any other term of this Agreement which breach is irremediable or (if such breach is remediable) fails to remedy that breach within a period of fourteen days after being notified in writing to do so;
11.2.3 the other party suspends, or threatens to suspend, payment of its debts or is unable to pay its debts as they fall due or admits inability to pay its debts or is deemed unable to pay its debts within the meaning of the Corporations Act 2001.
11.3 On termination of this Agreement for any reason:
11.3.1 all licences granted under this Agreement shall immediately terminate and the Customer shall immediately cease all use of the Services and/or the Documentation;
11.3.2 each party shall return and make no further use of any property, Documentation and other items belonging to the other party;
11.3.3 the Supplier may destroy or otherwise dispose of any of the Customer Data in its possession, unless the Supplier receives, no later than ten days after the effective date of the termination of this Agreement, a written request for the delivery to the Customer of the then most recent back-up. The Supplier shall use reasonable commercial endeavours to deliver the back-up to the Customer within 30 days of its receipt of such a written request, provided that the Customer has, at that time, paid all fees and charges outstanding at and resulting from termination (whether or not due at the date of termination). The Customer shall pay all reasonable expenses incurred by the Supplier in providing the back-up; and
11.3.4 any rights, remedies, obligations or liabilities of the parties that have accrued up to the date of termination, including the right to claim damages in respect of any breach of the agreement which existed at or before the date of termination shall not be affected or prejudiced.
12. Force majeure
The Supplier shall have no liability to the Customer under this Agreement if it is prevented from or delayed in performing its obligations under this Agreement, or from carrying on its business, by acts, events, omissions or accidents beyond its reasonable control, including, without limitation, strikes, lock-outs or other industrial disputes (whether involving the workforce of the Supplier or any other party), failure of a utility service or transport or telecommunications network, act of God, war, riot, civil commotion, malicious damage, compliance with any law or governmental order, rule, regulation or direction, accident, breakdown of plant or machinery, fire, flood, storm or default of suppliers or sub-contractors, provided that the Customer is notified of such an event and its expected duration.
Any variation of this deed must be in writing and signed by the parties.
No failure or delay by a party to exercise any right or remedy provided under this Agreement or by law shall constitute a waiver of that or any other right or remedy, nor shall it prevent or restrict the further exercise of that or any other right or remedy. No single or partial exercise of such right or remedy shall prevent or restrict the further exercise of that or any other right or remedy.
15. Rights and remedies
Except as expressly provided in this Agreement, the rights and remedies provided under this Agreement are in addition to, and not exclusive of, any rights or remedies provided by law.
If any provision or part-provision of this Agreement is or becomes invalid, illegal or unenforceable, it shall be deemed deleted, but that shall not affect the validity and enforceability of the rest of this Agreement.
17. Entire agreement
17.1 This Agreement constitutes the entire agreement between the parties relating to its subject matter.
18.1 The Customer shall not, without the prior written consent of the Supplier, assign, transfer, charge, sub-contract or deal in any other manner with all or any of its rights or obligations under this Agreement.
18.2 The Supplier may at any time assign, transfer, charge, sub-contract or deal in any other manner with all or any of its rights or obligations under this Agreement.
Any notice or other communication including, but not limited to, any request, demand, consent or approval, to or by a party to this deed must be in legible writing and in English and addressed to the party’s address.
20. Governing law and Jurisdiction
This deed is governed by the laws of Victoria and the parties irrevocably submit to the non-exclusive jurisdiction of the courts of Victoria.
DATA PROTECTION ADDENDUM
The parties acknowledge and agree that this DPA forms part of the services agreement entered into between the Supplier and Customer (the Agreement);
2.1 Capitalised terms used but not defined in this DPA shall have the meaning set forth in the Agreement.
2.2 The following terms have the following meanings when used in this DPA:
Australian Privacy Principles means the data protection principles that all organisations handling personal data must comply with as set out in the Privacy Act.
Customer has the meaning given to it in the Agreement.
Personal Information means any information relating to an identified or identifiable natural person processed by the Supplier pursuant to the Agreement.
Personal Data Breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Information transmitted, stored or otherwise Processed in connection with the Services.
Processing, Processed or Process means any operation or set of operations which is performed by either party as part of, or in connection with, the Services.
Privacy Act means the Australian Federal Privacy Act 1988.
Regulator means the Australian Information Commissioner.
Services means all the services performed under the Agreement.
3. Relationship with the Agreement
3.1 In the event of a conflict between the terms of the Agreement and the terms of this DPA, the terms of this DPA shall prevail.
4.1 Customer’s general obligations
(a) In respect of the parties’ Processing, the Customer agrees to comply with the Australian Privacy Principles and the Privacy Act; and
(b) Customer warrants that:
(a) the disclosure of Personal Information is limited to what is necessary for the Supplier to perform the Services; and
(b) such Personal Information is accurate and up to date at the time that it is provided to the Supplier.
4.2 Supplier’s General Obligations
(a) The Supplier shall, in providing the Services, comply with the Australian Privacy Principles and the Privacy Act.
4.3 Purpose of Processing
The Supplier shall Process the Personal Information for the purposes of performing the Services and, save as set out in this Agreement, no other purposes whatsoever. The details of the Processing are specified in Attachment 1 to this DPA.
5. Consumer Rights, complaints and other requests
5.1 Consumer Requests
If Supplier receives a request from a consumer to access their personal information it will fulfil its obligations under the Data Protection Principles to respond to such requests.
6. Cooperation with Regulators
6.1 Supplier shall notify the Customer of all enquiries from a Regulator relating to the Processing of the Personal Information, unless prohibited from doing so at law or by the Regulator.
7.1 Supplier shall have in place and maintain the technical and organisational measures set out in Attachment 2 (Security Measures) to protect the confidentiality, integrity, availability and resilience of the systems which are involved in Processing the Personal Information.
7.2 Customer confirms that it has assessed the level of security appropriate to the Processing in the context of its obligations under Data Protection Principles and agrees that the security measures set out in Attachment 2 (Security Measures) are consistent with such assessment.
7.3 Customer shall take appropriate technical and organisational measures to protect the security of the Personal Information, including ensuring that Personal Data is securely transferred to the Supplier.
8. Personal Information Breach
8.1 The Supplier shall without undue delay notify the Customer in the event of a Personal Information Breach and the parties agree to co-operate in good faith on managing and resolving the impact of any such Personal Information Breach.
The Customer acknowledges and agrees that the Supplier may engage subcontractors in connection with the provision of the Services.
10.1 Each party will be individually responsible for assessing the need to undertake, and the completion of, any privacy impact assessment, in respect of its use or provision of the Services.
10.2 Where requested by the Customer the Supplier shall, at the Customer’s cost, provide the Customer with such assistance and information as may be reasonably required for the Customer to comply with any obligation to carry out a privacy impact assessment.
11.1 The Customer acknowledges and agrees that the Supplier may use any information it collects and uses in connection with the Services, together with information from its other clients, for data analytics purposes, including to create insights, reports and other analytics to improve the quality of and market its products and services.
12. Termination and General
12.1 This DPA will terminate when the Supplier ceases to Process Personal Information, unless otherwise agreed in writing between the parties.
13. Governing Law
13.1 This DPA shall be governed by the laws of Victoria, Australia and the parties submit to the exclusive jurisdiction of the courts of Victoria, Australia in relation to any complaint or dispute arising hereafter.
Data Processing Details
Individuals whose personal information will be processed
The Personal Information Processed may concern the following categories of individual:
[Patients and clinicians of the Customer]
Categories of Personal Information
The Personal Information Processed may concern the following categories of data:
For patients this includes name, address, date of birth, contact details, hospital number
For clinicians this includes name, email address and contact details
Special categories of data (if appropriate)
The Personal Information Processed may concern the following special categories of data:
[Information processed will include details relating to physical or mental health conditions and could also include information relating to religious beliefs and sexual orientation]
The Personal Information Processed will be subject to the following basic Processing activities:
Personal Information will be processed in order to make the Services available to the Customer.
In satisfaction of its obligation under clause 7.1 of this DPA, EIDO shall implement the following:
1. Organisational management and dedicated staff responsible for the development, implementation and maintenance of EIDO’s information security program.
2. Audit and risk assessment procedures for the purposes of periodic review and assessment of risks to EIDO’s organisation, monitoring and maintaining compliance with EIDO’s policies and procedures, and reporting the condition of its information security and compliance to internal senior management.
3. Data security controls which include at a minimum, but may not be limited to, logical segregation of data, restricted (e.g. role-based) access and monitoring, and utilisation of commercially available and industry standard encryption technologies for Personal Data that is:
(a) transmitted over public networks (i.e. the Internet) or when transmitted wirelessly; or
(b) at rest or stored on portable or removable media (i.e. laptop computers, CD/DVD, USB drives, back-up tapes).
4. Logical access controls designed to manage electronic access to data and system functionality based on authority levels and job functions, (e.g. granting access on a need-to-know and least privilege basis, use of unique IDs and passwords for all users, periodic review and revoking/changing access promptly when employment terminates or changes in job functions occur).
5. Password controls designed to manage and control password strength, expiration and usage, including prohibiting users from sharing passwords and requiring that EIDO’s passwords that are assigned to its employees are complex and regularly changed, and are not stored in a readable format or written down.
6. System audit or event logging and related monitoring procedures to proactively record user access and system activity for routine review.
7. Management of our IT infrastructure and facilities is paramount and all sub processors involved are carefully selected, monitored and subject to robust data processor and security obligations which form part of binding written contracts.
8. Operational procedures and controls to provide for configuration, monitoring and maintenance of technology and information systems according to prescribed internal and adopted industry standards, including secure disposal of systems and media to render all information or data contained therein as undecipherable or unrecoverable prior to final disposal or release from EIDO’s possession.
9. Change management procedures and tracking mechanisms designed to test, approve and monitor all changes to EIDO’s technology and information assets.
10. Incident / problem management procedures designed to allow EIDO to investigate, respond to, mitigate and notify of events related to EIDO’s technology and information assets.
11. Network security controls that provide for the use of enterprise firewalls and layered DMZ architectures, and intrusion detection systems and other traffic and event correlation procedures designed to protect systems from intrusion and limit the scope of any successful attack.
12. Vulnerability assessment, patch management and threat protection technologies and scheduled monitoring procedures designed to identify, assess, mitigate and protect against identified security threats, viruses and other malicious code.
13. Business resiliency/continuity and disaster recovery procedures designed to maintain service and/or recovery from foreseeable emergency situations or disasters.
EIDO reserves the right to revise the security measures set out in this Attachment 2 at any time, without notice, so long as any such revisions will not materially reduce or weaken the protection provided for Personal Data that EIDO Processes while providing the Services.