Data Processing Addendum

Effective: November 3, 2025

If you purchased incident.io Services with an Order Form Effective Date before November 3, 2025, your use of the incident.io Services is governed by our legacy terms.

INTRODUCTION

(A) In providing the Services for the Customer under the Terms and Conditions (“Terms”), incident.io will process certain personal data on behalf of the Customer. This Data Processing Addendum including the data processing terms set out below and its Appendices (“DPA”) forms an integral part of the Terms.

(B) The Customer is either the controller or a processor in respect of that personal data and incident.io is a processor or sub-processor, as applicable.

DATA PROCESSING TERMS

NOW IT IS AGREED:

  1. Definitions

    • 1.1. In this DPA, all capitalised terms used without definition have the meanings ascribed to them: first, in the Data Protection Laws; second, as applicable in Appendix 3 (Jurisdiction Specific Terms); and third, in the Terms.

    • 1.2. The following terms shall have the meanings set out below and cognate terms shall be construed accordingly:

      • 1.2.1. “controller”, “data subject”, “personal data”, “process(ing)” and “processor” all have the meanings given to them in Data Protection Laws;

      • 1.2.2. “Data Protection Laws” means any and all applicable laws relating to the processing, privacy, and use of personal data that apply to the Customer, incident.io and/or the Services, from time to time, including: (i) the General Data Protection Regulation (EU) 2016/679 (“GDPR”), (ii) the GDPR as transposed into United Kingdom national law by operation of section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (“UK GDPR”), (iii) the Data Protection Act 2018 as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019, (iv) the Privacy and Electronic Communications Directive 2002/58/EC (as updated by Directive 2009/136/EC) and implemented in national legislation, and (v) the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426), in each case, as in force and applicable, and as amended, supplemented or replaced from time to time;

      • 1.2.3. “Personal Data Breach” means a breach of security or other action or inaction leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Protected Data;

      • 1.2.4. “Protected Data” means personal data processed for and on behalf of the Customer, under the instructions of the Customer, in connection with the performance of incident.io’s obligations under the Terms; and

      • 1.2.5. “Services” means any and all services to be provided by incident.io under the Terms.

  2. Processor/Controller

    • The parties agree that, in respect of: (i) any and all personal data each party processes for its own purposes, each party shall be an independent controller; and (ii) any and all Protected Data, the Customer shall be either the controller or a processor and incident.io shall be a processor or sub-processor, as applicable.

  3. Compliance

    • 3.1. Each party shall comply with Data Protection Laws and their respective obligations under this DPA.

    • 3.2. The Customer warrants that:

      • 3.2.1. it will be solely responsible for ensuring the lawfulness of processing the personal data of its data subjects in order for incident.io to process the Protected Data;

      • 3.2.2. incident.io will have no liability for failure to obtain any consents or authorizations prior to the processing of Protected Data in connection with this DPA and/or performance of the Services;

      • 3.2.3. it has provided each data subject with appropriate information as to how incident.io will process the Protected Data; and

      • 3.2.4. it has reviewed the technical and organizational security measures incident.io applies when it processes personal data, deems them appropriate, and has taken steps to ensure that any data it or its affiliates and agents pass to incident.io are transferred securely.

  4. Processing Instructions

    • 4.1. The details of the Protected Data processing carried out by incident.io are set out in Paragraph B of Appendix 1 to this DPA.

    • 4.2. incident.io shall:

      • 4.2.1. process the Protected Data only in accordance with the Customer’s written instructions and only as required to perform its obligations under this DPA, unless otherwise required under Applicable Law incident.io is subject to;

      • 4.2.2. inform the Customer in accordance with Data Protection Laws:

        • a. of any requirement under Data Protection Laws that would require incident.io to process the Protected Data other than on the Customer’s written instructions unless such Data Protection Laws prohibit such information on important grounds of public interest; or

        • b. if the Customer’s written instructions are either unlawful or do not comply with the Data Protection Laws;

      • 4.2.3. implement and maintain appropriate technical and organizational measures as set out in Appendix 2 to this DPA in relation to its processing of Protected Data so as to ensure a proportionate level of security in respect of the possible risk posed to the Protected Data;

      • 4.2.4. not engage any sub-processor for carrying out any processing activities in respect of the Protected Data without written specific or general authorization from the Customer. The Customer hereby provides written general authorization for the appointment of the sub-processors set out at incident.io/legal/sub-processors from time to time. incident.io shall inform the Customer of any intended changes concerning the addition or replacement of sub-processors, thereby giving the Customer the opportunity to object to such changes. Specifically, following the Effective Date, any change to the sub-processors will be notified to the Customer by an announcement at incident.io/legal/sub-processors fifteen (15) days in advance of the change coming into effect, and the Customer may object in writing to such change within ten (10) days of such an announcement. If the Customer does not object during such period it shall be deemed to have approved the change;

      • 4.2.5. incident.io shall appoint sub-processors under binding written contracts which impose data protection obligations which are no less onerous than those set out in this DPA on the sub-processor;

      • 4.2.6. remain fully liable for the acts and omissions of its sub-processors to the extent that incident.io would be liable if performing the services of each sub-processor directly under this DPA;

      • 4.2.7. ensure that its personnel processing Protected Data have committed themselves to confidentiality obligations;

      • 4.2.8. at all times take reasonable steps to ensure the reliability of those of its personnel who have access to the Protected Data and shall use reasonable endeavours to ensure their compliance with the obligations set out in this DPA;

      • 4.2.9. provide such reasonable assistance, information and cooperation as the Customer reasonably requires to ensure compliance with its obligations under the Data Protection Laws, including with respect to (a) security of processing; (b) Personal Data Breach notification as controller to the appropriate supervisory authority or data subjects; (c) data protection impact assessments and prior consultation with the appropriate supervisory authority regarding high risk processing; and (d) handling of data subject rights requests;

      • 4.2.10. refer any communications, requests or queries from data subjects or a competent regulatory authority relating to the Protected Data to the Customer within 5 business days of receipt;

      • 4.2.11. not transfer any Protected Data to any country outside the United Kingdom or the European Economic Area other than in accordance with Data Protection Laws;

      • 4.2.12. maintain, in accordance with Data Protection Laws, written records of all categories of processing activities carried out on behalf of the Customer;

      • 4.2.13. make available to the Customer the information necessary to demonstrate its compliance with the Data Protection Laws to the extent such information is not already available to the Customer;

      • 4.2.14. allow for and contribute to audits, at the Customer’s cost, including inspections, carried out by or on behalf of the Customer (subject to reasonable confidentiality undertakings) to determine incident.io’s compliance with its obligations under Data Protection Laws insofar as such processing relates to Protected Data and provided that: (a) such audits/inspections shall be carried out no more than once per calendar year unless otherwise directed by a regulatory authority; (b) shall require at least one calendar month’s advance written notice and shall be carried out during normal working hours on a business day in a manner that does not unreasonably disrupt incident.io’s operations; and (c) shall not entail access to information concerning other clients of incident.io or information that incident.io is legally prohibited from disclosing;

      • 4.2.15. notify the Customer of any Personal Data Breach (and provide the Customer with details of such breach) without undue delay; and

      • 4.2.16. at the choice of the Customer, delete or return all the Protected Data to the Customer after the termination of this DPA, unless Data Protection Laws require continued storage of the Protected Data.

    • 4.3. If a transfer of Protected Data between the parties (including providing access to Protected Data) constitutes a transfer for which an appropriate transfer safeguard is required under the Data Protection Laws:

      • 4.3.1. under the GDPR, the Parties agree that module 4 of the standard contractual clauses included within the European Commission's decision of 4 June 2021 (EU) 2021/914 ("EU SCCs") is hereby incorporated by reference and, in respect of such transfers, incident.io is acting as exporter and processor, and the Customer is acting as importer and controller; the necessary information for module 4 of the EU SCCs is set out in paragraphs A-C of Appendix 1 to this DPA; the parties shall comply with their applicable obligations under the EU SCCs and, to the extent relevant, execution of the Order Form shall be deemed to also amount to execution of the EU SCCs; and

      • 4.3.2. under the UK GDPR, the international transfer addendum to the EU SCCs which came into force on 21 March 2022 (“UK Addendum”), is hereby incorporated by reference and the necessary information for purposes of the UK Addendum is set out in paragraph D of Appendix 1 to this DPA and the parties shall comply with their applicable obligations under the UK Addendum.

    • 4.4. For purposes of this DPA and any transfer under clause 4.3, incident.io’s contact point is the Head of Legal (legal@incident.io) and, unless otherwise notified to incident.io in writing, the Customer’s contact point shall be deemed to be the primary contact point as set out in the Order Form.

  5. Term

    • 5.1. This DPA shall continue in full force and effect until the later of:

      • 5.1.1. the termination or expiration of the Terms; or

      • 5.1.2. the termination of the last of the Services to be performed pursuant to the Terms.

    • 5.2. Clauses 4.2.16 and 5.2 of this DPA will remain in full force and effect following termination or expiry of this DPA.

Appendix 1

DATA PROCESSING DETAILS AND, IF APPLICABLE, INTERNATIONAL DATA TRANSFER DETAILS

A. List of Parties

Details | Data exporter | Data importer
Name: | incident.io | Customer
Address: | 66 City Road, London, England, EC1Y 2AL | As set out in the Order Form
Company number or equivalent: | 13093357 | As set out in the Order Form
Activities relevant to the data transferred under these Clauses: | Disclosure of information for purposes of facilitating the provision of the Services to the Customer. | Receipt of information for purposes of facilitating the provision of the Services to the Customer.
Role (controller/processor): | Processor and data exporter | Controller and data importer
Details of the representative in the European Union: | N/A | Not relevant

B. Description of processing activities and, if applicable, transfer

Nature and description of processing and further processing: As necessary for the provision of a product to facilitate incident management within the applicable Communications Platform.
Duration of processing/period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: Subject to clause 4.2.16 of this DPA, the Protected Data will be processed by incident.io for the period in which services are provided by incident.io to the Customer. As controller, the Customer will retain the Protected Data in accordance with the Customer’s internal data retention policies.
Frequency of the transfer: Continuous for the Term.
Subject matter and purpose of processing: Providing a product to facilitate incident management within the applicable Communications Platform, including showing user names and profile pictures in the app and enabling the functionality of the app.
Types of personal data being processed/transferred: Basic information, such as:
  • The name of your company, and the applicable Communications Platform Team ID of your Communications Platform workspace. We use the installation to store an access token that grants us the permissions necessary to deliver the functionality of the app (for an up-to-date list of permissions, please see our Security FAQ).
  • The name, applicable Communications Platform user ID, profile pictures and avatar URL of users who interact with the web app, or the bot.
Information that enables user functionality, such as:
  • A description of an action (a task that you would like someone to do during or after an incident), the current state of that action (outstanding, or completed), and who is assigned to be the owner of that action.
  • Any personal data in the name of an incident, the summary description of the incident or other free text entries, the URL of any document that you set to be associated with an incident, and the URL of any video conferencing call you set to be associated with an incident. We cannot view this document, or the call, as they are URLs: they should be internal to your organization.
Information regarding usage or exposure to messages related to our app, such as:
  • Who and when people joined or left incident channels (so we can determine who was involved in the incident at a particular time);
  • Who and when people sent messages in incident channels (so we can determine who is participating in the incident);
  • Who and when someone pinned a message within the applicable Communications Platform; and
  • Who and when someone posted a message containing a link to a third party of interest (such as GitHub, or Sentry).

Call recordings, including information on who was in the call and when, and the information discussed in the call.

incident.io also auto-generates IDs that link all of these entities together. incident.io may anonymize usage data and use the anonymized data for its own purposes.

Types of data subjects whose data is processed/transferred: Customer personnel / employees who have an account with the applicable Communications Platform and any other individuals involved in an incident, including in the commencement of an incident and the incident response process.
Sensitive data processed/transferred and applied restrictions or safeguards: Subject to the provisions of the BAA, if applicable, sensitive data processed under this DPA is expected to be limited but may include any sensitive data provided by the Customer to incident.io as part of using the Services. The applied safeguards implemented by incident.io are as set out in Appendix 2 below.
For transfers to (sub-) processors, also specify the subject matter, nature and duration of the processing: N/A
Additional instructions: incident.io takes user names and profile pictures of employees from the applicable Communications Platform, and shows them in the incident.io app. incident.io stores them in a managed database and storage buckets in Google Cloud Platform, both of which are encrypted at rest. Access to Google Cloud Platform is limited to incident.io staff, and all accounts are password protected and protected by 2FA (two factor authentication). For sub-processors located outside the United Kingdom and European Economic Area, the transfer of personal data shall be done according to the regulation on transfers to third countries in Articles 45 to 47 and 49 of the GDPR or the UK GDPR (as applicable).

C. Information required for international data transfers under the GDPR

  • Clauses 7 and 11 (optional docking and independent dispute resolution clauses): Not included

  • Clause 17: These Clauses shall be governed by the law of a country allowing for third-party beneficiary rights. The parties agree that this shall be the law of Ireland.

  • Clause 18: Any dispute arising from these Clauses shall be resolved by the courts of Ireland.

D. Information required for international data transfers under the UK GDPR

  • Table 1 (Parties) - Start date: Date of this DPA. Parties’ details and key contact: See paragraph A above. Signature (if required for the purposes of Section 2): The UK Addendum is hereby deemed to be executed by the parties by virtue of the parties having executed the EU SCCs pursuant to clause 4.3.1.

  • Table 2 (Selected SCCs, Modules and Selected Clauses) - The version of the Approved EU SCCs which this Addendum is appended to, detailed below, including the Appendix Information: Date: Date of this DPA. Reference (if any): Module 4 of the EU SCCs. Other identifier (if any): N/A.

  • Table 3 (Appendix Information) - "Appendix Information" means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the parties), and which for this DPA is set out in paragraphs A-C above.

  • Table 4 (Ending this Addendum when the Approved Addendum Changes) - Neither party may end this Addendum as set out in Section 19 of the UK International Transfer Addendum.

Appendix 2

TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, incident.io shall implement measures to ensure an appropriate level of security for the provision of the Services. These measures shall include but are not limited to the following:

  • Ensuring incident.io’s production systems can only be remotely accessed by authorized employees via an approved encrypted connection;

  • Encryption of data in incident.io’s datastores;

  • Logging of system activity;

  • Regular penetration testing of the Services; and

  • SOC 2 Type II compliance.

Appendix 3

JURISDICTION SPECIFIC TERMS

1. Australia:

1.1 The definition of “Applicable Data Protection Law” includes the Australian Privacy Principles and the Australian Privacy Act (1988).

1.2 The definition of “personal data” includes “Personal Information” as defined under Applicable Data Protection Law.

1.3 The definition of “Sensitive Information” includes “Sensitive Information” as defined under Data Protection Laws.

2. Brazil:

2.1 The definition of “Data Protection Laws” includes the Lei Geral de Proteção de Dados (LGPD).

2.2 The definition of “Personal Data Breach” includes a security incident that may result in any relevant risk or damage to data subjects.

2.3 The definition of “processor” includes “operator” as defined under Data Protection Laws.

3. United States:

3.1 The definition of “Data Protection Laws” includes the California Consumer Privacy Act (CCPA).

3.2 The definition of “personal data” includes “Personal Information” as defined under Applicable Data Protection Law and, for clarity, includes any Personal Information contained within Customer Account Data, Personal Data, and Customer Usage Data.

3.3 The definition of “data subject” includes “Consumer” as defined under the Data Protection Laws. Any data subject rights, as described in Section 4 (Processing Instructions) of this DPA, apply to Consumer rights. With regard to data subject requests, incident.io can only verify a request from the Customer and not from the Customer’s end user or any third party.

3.4 The definition of “controller” includes “Business” as defined under the Data Protection Laws.

3.5 The definition of “processor” includes “Service Provider” as defined under the Data Protection Laws.

3.6 incident.io will process, retain, use, and disclose personal data only as necessary to provide the Services under the Terms, which constitutes a business purpose. incident.io agrees not to (a) sell (as defined by the CCPA) the Customer’s Personal Data or the Customer end users’ personal data; (b) retain, use, or disclose the Customer’s personal data for any commercial purpose (as defined by the CCPA) other than providing the Services; or (c) retain, use, or disclose the Customer’s personal data outside of the scope of the Terms. incident.io understands its obligations under Data Protection Laws and will comply with them.

3.7 incident.io certifies that its sub-processors appointed under clause 4.2 of this DPA, are Service Providers under Data Protection Laws, with whom incident.io has entered into a written contract that includes terms substantially similar to this DPA. incident.io conducts appropriate due diligence on its sub-processors.

3.8 incident.io will implement and maintain reasonable security procedures and practices appropriate to the nature of the Personal Data it processes as set forth in Section 4 (Processing Instructions) of this DPA.

3.9 If and to the extent the Customer is a “Covered Entity” and the Personal Data Processed by incident.io constitutes “Protected Health Information” the BAA attached hereto as Appendix 4 (BAA) shall govern such Processing. The terms in quotation marks in this clause 3.9 shall have the meaning given to them in the BAA. In the event that Customer requests incident.io to Process Protected Health Information, the Customer shall promptly notify incident.io and the terms of the BAA shall apply. Customer shall not provide or otherwise cause incident.io to Process Protected Health Information unless the BAA applies.

4. Canada:

4.1 The definition of “Data Protection Laws” includes the Federal Personal Information Protection and Electronic Documents Act (PIPEDA).

4.2 incident.io’s sub-processors, as described in Section 4 (Processing Instructions) of this DPA, are third parties under Data Protection Laws, with whom incident.io has entered into a written contract that includes terms substantially similar to this DPA. incident.io has conducted appropriate due diligence on its sub-processors.

4.3 incident.io will implement technical and organizational measures as set forth in Section 4 (Processing Instructions) of this DPA.

5. Israel:

5.1 The definition of “Data Protection Laws” includes the Protection of Privacy Law (PPL).

5.2 The definition of “controller” includes “Database Owner” as defined under Data Protection Laws.

5.3 The definition of “processor” includes “Holder” as defined under Data Protection Laws.

5.4 incident.io will require that any personnel authorized to process personal data comply with the principle of data secrecy and have been duly instructed about Data Protection Laws. Such personnel sign confidentiality agreements with incident.io in accordance with Section 4 (Processing Instructions) of this DPA.

5.5 incident.io must take sufficient steps to ensure the privacy of data subjects by implementing and maintaining the security measures as specified in Section 4 (Processing Instructions) of this DPA and complying with the terms of the Terms.

5.6 incident.io must ensure that the personal data will not be transferred to a sub-processor unless such sub-processor has executed an agreement with incident.io pursuant to Section 4 (Processing Instructions) of this DPA.

6. Japan:

6.1 The definition of “Applicable Data Protection Law” includes the Act on the Protection of Personal Information (APPI).

6.2 The definition of “Personal Data” includes “Personal Information” as defined under Applicable Data Protection Law.

6.3 The definition of “controller” includes “Business Operator” as defined under Applicable Data Protection Law. As a Business Operator, incident.io is responsible for the handling of Personal Data in its possession.

6.4 The definition of “processor” includes a business operator entrusted by the Business Operator with the handling of Personal Data in whole or in part (also a “trustee”), as described under Applicable Data Protection Law. As a trustee, incident.io will ensure that the use of the entrusted Personal Data is securely controlled.

7. Mexico:

7.1 The definition of “Applicable Data Protection Law” includes the Federal Law for the Protection of Personal Data Held by Private Parties and its Regulations (FLPPIPPE).

7.2 When acting as a processor, incident.io will:

(a) treat personal data in accordance with the Customer’s instructions set forth in Section 4 (Processing Instructions) of this DPA;

(b) process personal data only to the extent necessary to provide the Services;

(c) implement security measures in accordance with Data Protection Laws and Section 4 (Processing Instructions) of this DPA;

(d) keep confidentiality regarding the personal data processed in accordance with the Terms;

(e) delete all Personal Data upon termination of the Terms; and

(f) only transfer Personal Data to sub-processors in accordance with Appendix 1 (Data Processing Details) of this DPA.

8. Singapore:

8.1 The definition of “Data Protection Laws” includes the Personal Data Protection Act 2012 (PDPA).

8.2 incident.io will process personal data to a standard of protection in accordance with the PDPA by implementing adequate technical and organizational measures as set forth in Section 4 (Processing Instructions) of this DPA and complying with the terms of the Terms.

9. Switzerland:

9.1 The definition of “Data Protection Laws” includes the Swiss Federal Act on Data Protection.

Appendix 4

BAA

BACKGROUND

  • I. “Covered Entity” is either a “covered entity” or “business associate” of a covered entity as each are defined under the Health Insurance Portability and Accountability Act of 1986, Public Law 104-191, as amended by the HITECH Act (as defined below) and the related regulations promulgated by HHS (as defined below) (collectively, “HIPAA”) and, as such, is required to comply with HIPAA’s provisions regarding the confidentiality and privacy of Protected Health Information (as defined below);

  • II. Business Associate: Pineapple Technology Ltd dba incident.io, a limited company with registered address 66 City Road, London, EC1Y 2AL (“Business Associate”, in accordance with the meaning given to those terms at 45 CFR § 164.501);

  • III. In this BAA, Covered Entity and Business Associate are each a “Party” and, collectively, are the “Parties”;

  • IV. The Parties have entered into or will enter into one or more agreements under which Business Associate provides or will provide certain specified services to Covered Entity (collectively, the “Agreement”). In providing Services pursuant to the Terms, Business Associate may have access to Protected Health Information. By providing the Services pursuant to the Agreement and Processing Protected Health Information, Business Associate will become a “business associate” of the Covered Entity as such term is defined under HIPAA;

  • V. Both Parties are committed to complying with all federal and state laws governing confidentiality and privacy of health information, including, but not limited to, the Standards for Privacy of Individually Identifiable Health Information found at 45 CFR Part 160 and Part 164, Subparts A and E (collectively, the “Privacy Rule”); and

  • VI. Both Parties intend to protect the privacy and provide for the security of Protected Health Information disclosed to Business Associate pursuant to this Agreement, HIPAA and other applicable laws.

AGREEMENT

NOW, THEREFORE, in consideration of the mutual and conditions contained herein and the continued provision of PHI by Covered Entity to Business Associate under the Agreement in reliance on this BAA, the Parties agree as follows:

1. Definitions. For the purposes of this BAA, the Parties give the following meaning to each of the terms in this Section 1 below. Any capitalized term used in this BAA, but not otherwise defined, has the meaning given to that term in the Privacy Rule or pertinent law, the DPA, or the Terms.

  • A. “Affiliate” means a subsidiary or affiliate of Covered Entity that is, or has been, considered a covered entity, as defined by HIPAA.

  • B. “Breach” means the acquisition, access, use, or disclosure of PHI in a manner not permitted under the Privacy Rule which compromises the security or privacy of the PHI, as defined in 45 CFR § 164.402.

  • C. “Breach Notification Rule” means the portion of HIPAA set forth in Subpart D of 45 CFR Part 164.

  • D. “Data Aggregation” means, with respect to PHI created or received by Business Associate in its capacity as the “business associate” under HIPAA of Covered Entity, the combining of such PHI by Business Associate with the PHI received by Business Associate in its capacity as a business associate of one or more other “covered entity” under HIPAA, to permit data analyses that relate to the Health Care Operations (defined below) of the respective covered entities. The meaning of “data aggregation” in this BAA shall be consistent with the meaning given to that term in the Privacy Rule.

  • E. “Designated Record Set” has the meaning given to such term under the Privacy Rule including 45 CFR § 164.501.B.

  • F. “De-Identify” means to alter the PHI such that the resulting information meets the requirements described in 45 CFR §§164.514(a) and (b).

  • G. “Electronic PHI” means any PHI maintained in or transmitted by electronic media as defined in 45 CFR § 160.103.

  • H. “Health Care Operations” has the meaning given to that term in 45 CFR § 164.501.

  • I. “HHS” means the U.S. Department of Health and Human Services.

  • J. “HITECH Act” means the Health Information Technology for Economic and Clinical Act, enacted as part of the American Recovery and Reinvestment Act of 2009, Public Law 111-005.

  • K. “Individual” has the same meaning given to that term in 45 CFR §§164.501 and 160.130 and includes a person who qualifies as a personal representative in accordance with 45 CFR § 164.502(g).

  • L. “Privacy Rule” means that portion of HIPAA set forth in 45 CFR Part 160 and Part 164, Subparts A and E.

  • M. “Protected Health Information” or “PHI” has the meaning given to the term “protected health information” in 45 CFR §§164.501 and 160.103, limited to the information created or received by Business Associate from or on behalf of the Covered Entity.

  • N. “Security Incident” means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.

  • O. “Security Rule” means the Security Standards for the Protection of Electronic Health Information provided in 45 CFR Part 160 and Part 164, Subparts A and C.

  • P. “Unsecured Protected Health Information” or “Unsecured PHI” means any “protected health information” as defined in 45 CFR §§164.501 and 160.103 that is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the HHS Secretary in the guidance issued pursuant to the HITECH Act and codified at 42 USC § 17932(h).

2. Use and Disclosure of PHI.

  • A. Except as otherwise provided in this BAA, Business Associate may use or disclose PHI as reasonably necessary to provide the services described in the Agreement to Covered Entity, and to undertake other activities of Business Associate permitted or required of Business Associate by this BAA or as required by law.

  • B. Except as otherwise limited by this BAA or federal or state law, Covered Entity authorizes Business Associate to use the PHI in its possession for the proper management and administration of Business Associate’s business and to carry out its legal responsibilities. Business Associate may disclose PHI for its proper management and administration, provided that (i) the disclosures are required by law; or (ii) Business Associate obtains, in writing, prior to making any disclosure to a third party (a) reasonable assurances from this third party that the PHI will be held confidential as provided under this BAA and used or further disclosed only as required by law or for the purpose for which it was disclosed to this third party and (b) an agreement from this third party to notify Business Associate immediately of any breaches of the confidentiality of the PHI, to the extent it has knowledge of the breach.

  • C. Business Associate will not use or disclose PHI in a manner other than as provided in this BAA, as permitted under the Privacy Rule, or as required by law. Business Associate will use or disclose PHI, to the extent practicable, as a limited data set or limited to the minimum necessary amount of PHI to carry out the intended purpose of the use or disclosure, in accordance with Section 13405(b) of the HITECH Act (codified at 42 USC § 17935(b)) and any of the Act’s implementing regulations adopted by HHS, for each use or disclosure of PHI.

  • D. Upon request, Business Associate will make available to Covered Entity any of Covered Entity’s PHI that Business Associate or any of its agents or subcontractors have in their possession.

  • E. Business Associate may use PHI to report violations of law to appropriate Federal and State authorities, consistent with 45 CFR §164.502(j)(1).

3. Safeguards Against Misuse of PHI. Business Associate will use appropriate safeguards to prevent the use or disclosure of PHI other than as provided by the Agreement or this BAA and Business Associate agrees to implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of the Electronic PHI that it creates, receives, maintains or transmits on behalf of Covered Entity. Business Associate agrees to take reasonable steps, including providing adequate training to its employees to ensure compliance with this BAA and to ensure that the actions or omissions of its employees or agents do not cause Business Associate to breach the terms of this BAA.

4. Reporting Disclosures of PHI and Security Incidents. Business Associate will report to Covered Entity in writing any use or disclosure of PHI not provided for by this BAA of which it becomes aware, and Business Associate agrees to report to Covered Entity any Security Incident affecting Electronic PHI of Covered Entity of which it becomes aware. Business Associate agrees to report any such event within 30 business days of becoming aware of the event.

5. Reporting Breaches of Unsecured PHI. Business Associate will notify Covered Entity in writing promptly upon the discovery of any Breach of Unsecured PHI in accordance with the requirements set forth in 45 CFR § 164.410, but in no case later than 30 calendar days after the discovery of a Breach. Business Associate will reimburse Covered Entity for any costs incurred by it in complying with the requirements of Subpart D of 45 CFR §164 that are imposed on Covered Entity as a result of a Breach committed by Business Associate.

6. Mitigation of Disclosures of PHI. Business Associate will take reasonable measures to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of any use or disclosure of PHI by Business Associate or its agents or subcontractors in violation of the requirements of this BAA.

7. Agreements with Agents or Subcontractors. Business Associate will ensure that any of its agents or subcontractors that have access to, or to which Business Associate provides, PHI agree in writing to the restrictions and conditions concerning uses and disclosures of PHI contained in this BAA and agree to implement reasonable and appropriate safeguards to protect any Electronic PHI that they create, receive, maintain or transmit on behalf of Business Associate or, through the Business Associate, Covered Entity. Business Associate shall notify Covered Entity, or upstream Business Associate, of all subcontracts and agreements relating to the Agreement where the subcontractor or agent receives PHI as described in section 1.M of this BAA. Such notification shall occur within 30 calendar days of the execution of the subcontract by placement of such notice on the Business Associate’s primary website. Business Associate shall ensure that all subcontracts and agreements provide the same level of privacy and security as this BAA.

8. Exclusion of Support Communications and Webhooks. The Parties acknowledge and agree that any information, data, or content submitted by Covered Entity or its users to Business Associate for the purpose of receiving technical support, customer service, or similar assistance (“Support Communications”) is not intended to include PHI and shall not be subject to the terms of this BAA. Covered Entity agrees not to transmit or disclose PHI in any Support Communications. Business Associate shall have no obligations under this BAA with respect to any PHI that may be incidentally or inadvertently included in such Support Communications. Similarly, Covered Entity agrees not to transmit or disclose PHI via the webhooks feature. The webhooks feature is not intended for the transmission of PHI, and Business Associate shall have no obligations under this BAA with respect to any PHI that may be incidentally or inadvertently included in webhook data. Business Associate agrees that any additional features, functionalities, or services that are not intended to support or transmit PHI, and are therefore excluded from the scope of this BAA, will be clearly identified and such exclusions will be made available to the Covered Entity.

9. Audit Report. Upon request, Business Associate will provide Covered Entity, or upstream Business Associate, with a copy of its most recent independent HIPAA compliance report (AT-C 315), HITRUST certification or other mutually agreed upon independent standards based third party audit report. Covered Entity agrees not to re-disclose Business Associate's audit report.

10. Access to PHI by Individuals.

  • A. Upon request, Business Associate agrees to furnish Covered Entity with copies of the PHI maintained by Business Associate in a Designated Record Set in the time and manner designated by Covered Entity to enable Covered Entity to respond to an Individual’s request for access to PHI under 45 CFR §164.524.

  • B. In the event any Individual or personal representative requests access to the Individual’s PHI directly from Business Associate, Business Associate within 10 business days, will forward that request to Covered Entity. Any disclosure of, or decision not to disclose, the PHI requested by an Individual or a personal representative and compliance with the requirements applicable to an Individual’s right to obtain access to PHI shall be the sole responsibility of Covered Entity.

11. Amendment of PHI.

  • A. Upon request and instruction from Covered Entity, Business Associate will amend PHI or a record about an Individual in a Designated Record Set that is maintained by, or otherwise within the possession of, Business Associate as directed by Covered Entity in accordance with procedures established by 45 CFR §164.526. Any request by Covered Entity to amend such information will be completed by Business Associate within 15 business days of Covered Entity’s request.

  • B. In the event that any Individual requests that Business Associate amend such Individual's PHI or record in a Designated Record Set, Business Associate within 10 business days will forward this request to Covered Entity. Any amendment of, or decision not to amend, the PHI or record as requested by an Individual and compliance with the requirements applicable to an Individual's right to request an amendment of PHI will be the sole responsibility of Covered Entity.

12. Accounting of Disclosures.

  • A. Business Associate will document any disclosures of PHI made by it to account for such disclosures as required by 45 CFR §164.528(a). Business Associate also will make available information related to such disclosures as would be required for Covered Entity to respond to a request for an accounting of disclosures in accordance with 45 CFR §164.528. At a minimum, Business Associate will furnish Covered Entity the following with respect to any covered disclosures by Business Associate: (i) the date of disclosure of PHI; (ii) the name of the entity or person who received PHI, and, if known, the address of such entity or person; (iii) a brief description of the PHI disclosed; and (iv) a brief statement of the purpose of the disclosure which includes the basis for such disclosure.

  • B. Business Associate will furnish to Covered Entity information collected in accordance with this Section 12, within 10 business days after written request by Covered Entity, to permit Covered Entity to make an accounting of disclosures as required by 45 CFR §164.528. In the event that Covered Entity elects to provide an Individual with a list of its business associates, Business Associate will provide an accounting of its disclosures of PHI upon request of the Individual, if and to the extent that such accounting is required under the HITECH Act or under HHS regulations adopted in connection with the HITECH Act.

  • C. In the event an Individual delivers the initial request for an accounting directly to Business Associate, Business Associate will within 10 business days forward such request to Covered Entity.

13. Availability of Books and Records. Business Associate will make available its internal practices, books, agreements, records, and policies and procedures relating to the use and disclosure of PHI, upon request, to the Secretary of HHS for purposes of determining Covered Entity's and Business Associate's compliance with HIPAA, and this BAA.

14. Responsibilities of Covered Entity. With regard to the use and/or disclosure of Protected Health Information by Business Associate, Covered Entity agrees to:

  • A. Notify Business Associate of any limitation(s) in its notice of privacy practices in accordance with 45 CFR §164.520, to the extent that such limitation may affect Business Associate’s use or disclosure of PHI.

  • B. Notify Business Associate of any changes in, or revocation of, permission by an Individual to use or disclose Protected Health Information, to the extent that such changes may affect Business Associate’s use or disclosure of PHI.

  • C. Notify Business Associate of any restriction to the use or disclosure of PHI that Covered Entity has agreed to in accordance with 45 CFR §164.522, to the extent that such restriction may affect Business Associate’s use or disclosure of PHI.

  • D. Except for data aggregation or management and administrative activities of Business Associate, Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under HIPAA if done by Covered Entity.

15. Data Ownership. Business Associate’s data stewardship does not confer data ownership rights on Business Associate with respect to any data shared with it under the Agreement, including any and all forms thereof.

16. Term and Termination.

  • A. This BAA will become effective on the date first written above and will continue in effect until all obligations of the Parties have been met under the Agreement and under this BAA.

  • B. Covered Entity may terminate this BAA, the Agreement, and any other related agreements if Covered Entity makes a determination that Business Associate has breached a material term of this BAA and Business Associate has failed to cure that material breach, to Covered Entity’s reasonable satisfaction, within 30 days after written notice from Covered Entity. Covered Entity may report the problem to the Secretary of HHS if termination is not feasible.

  • C. If Business Associate determines that Covered Entity has breached a material term of this BAA, then Business Associate will provide Covered Entity with written notice of the existence of the breach and shall provide Covered Entity with 30 days to cure the breach. Covered Entity’s failure to cure the breach within the 30-day period will be grounds for immediate termination of the Agreement and this BAA by Business Associate. Business Associate may report the breach to the HHS.

  • D. Upon termination of the Agreement or this BAA for any reason, all PHI maintained by Business Associate will be returned to Covered Entity or destroyed by Business Associate. Business Associate will not retain any copies of such information. This provision will apply to PHI in the possession of Business Associate’s agents and subcontractors. If return or destruction of the PHI is not feasible, in Business Associate’s reasonable judgment, Business Associate will furnish Covered Entity with notification, in writing, of the conditions that make return or destruction infeasible. Upon mutual agreement of the Parties that return or destruction of the PHI is infeasible, Business Associate will extend the protections of this BAA to such information for as long as Business Associate retains such information and will limit further uses and disclosures to those purposes that make the return or destruction of the information not feasible. The Parties understand that this Section 16.D. will survive any termination of this BAA.

17. Effect of BAA.

  • A. This BAA is made a part of and incorporated by reference into the terms of the DPA. In the event that any terms of this BAA relating to the subject matter of the BAA conflict with any term of the DPA or the Terms, the terms of this BAA will govern.

  • B. Except as expressly stated in this BAA or as provided by law, this BAA will not create any rights in favor of any third party.

18. Regulatory References. A reference in this BAA to a section in HIPAA means the section as in effect or as amended at the time.

19. Notices. All notices, requests and demands or other communications to be given under this BAA to a Party will be made via either first class mail, registered or certified or express courier, or electronic mail to the Party’s address given below:

  • A. If to Covered Entity, to:
    Contact details of primary Customer Contact as set out in the Order Form

  • B. If to Business Associate, to:
    Address: 66 City Road, London, EC1Y 2AL
    Tel: +44 (0)20 4579 0310
    Email: legal@incident.io

20. Amendments and Waiver. This BAA may not be modified, nor will any provision be waived or amended, except in writing duly signed by authorized representatives of the Parties. A waiver with respect to one event shall not be construed as continuing, or as a bar to or waiver of any right or remedy as to subsequent events.

21. HITECH Act Compliance. The Parties acknowledge that the HITECH Act includes significant changes to the Privacy Rule and the Security Rule. The privacy subtitle of the HITECH Act sets forth provisions that significantly change the requirements for business associates and the agreements between business associates and covered entities under HIPAA, and these changes may be further clarified in forthcoming regulations and guidance. Each Party agrees to comply with the applicable provisions of the HITECH Act and any HHS regulations issued with respect to the HITECH Act. The Parties also agree to negotiate in good faith to modify this BAA as reasonably necessary to comply with the HITECH Act and its regulations as they become effective but, in the event that the Parties are unable to reach an agreement on such a modification, either Party will have the right to terminate this BAA upon 30 days’ prior written notice to the other Party.

In light of the mutual agreement and understanding described above, this BAA shall be effective as of the Order Form Effective Date.