HEADSPACE

DATA PROCESSING ADDENDUM


1.     Introduction

1.1. This Headspace Data Processing Addendum (“DPA”) is hereby incorporated by reference into and is part of the Master Services Agreement, Pricing and Service Schedule (Order Form), Terms of Service, Terms of Use or any other agreement pertaining to the provision of services (“Agreement”) between the Customer named in such Agreement and Headspace, Inc. including its subsidiaries and affiliates (including Headspace Medical Group (CA), P.C., collectively referred to herein as “Headspace”). This DPA shall be effective as of the effective date of the Agreement.

1.2. This DPA only applies to the extent that Headspace Processes Personal Data received from the Customer, which shall solely consist of the Personal Data included in Exhibit A, in the course of providing the product or services detailed within the Agreement (“Services”). 

2.     Definitions

2.1. “Applicable Data Protection Laws” means the relevant data protection and data privacy laws, rules and regulations directly applicable to the provision of services under the Service Agreement and this DPA to which the Customer Personal Data are subject. As applicable to the Personal Data in scope, “Applicable Data Protection Law(s)” include, but are not limited to, the General Data Protection Regulation (EU 2016/679) (“GDPR”), the EU GDPR as incorporated into UK law by section 3 of the United Kingdom’s European Union (Withdrawal) Act 2018 (“UK GDPR”), the Swiss Federal Act on Data Protection (“Swiss FADP”), and US State Privacy Laws.

2.2. “Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data, and includes the meaning assigned to the term under Applicable Data Protection Laws.

2.3. “Customer’s Personal Data” means the Personal Data provided to Headspace by Customer pursuant to the Agreement as further described in Exhibit A.

2.4. “Members” means the end-users of Headspace’s software applications and related services.

2.5. “Personal Data” shall have the meaning assigned to the terms “personal data” or “personal information” under Applicable Data Protection Laws.

2.6. “Personal Data Breach” means the confirmed breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Customer’s Personal Data.

2.7. “Process,” “Processes,” “Processing,” “Processed” means any operation or set of operations which is performed on data or sets of data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction, and includes the meaning assigned to the term under Applicable Data Protection Laws.

2.8. “Processor” means a natural or legal person, public authority, agency or other body which Processes Personal Data subject to this DPA, and includes the meaning assigned to the term or a similar term such as “Service Provider” under Applicable Data Protection Laws.

2.9. “Restricted Transfer” means a direct or onward transfer of Personal Data to a country outside of Europe for which there is no adequacy decision by the European Commission or other appropriate authority.

2.10. “Standard Contractual Clauses” or “SCCs” means the standard contractual clauses (as amended and updated) approved by the European Commission for transfers of Personal Data to countries not otherwise recognized as offering an adequate level of protection for Personal Data by the European Commission.

2.11. “Sub-Processor” means a third-party service provider engaged by Headspace that has access to or Processes Customer’s Personal Data.

2.12. “UK Addendum” means the International Data Transfer Addendum to the EU SCCs issued by the Information Commissioner’s Office under section 119A of the UK Data Protection Act 2018, as may be amended, superseded or replaced from time to time.

2.13. “US State Privacy Laws” means applicable privacy laws enacted by US states including the California Consumer Privacy Act (“CCPA”) as updated by the California Privacy Rights Act of 2020 (“CPRA”), the Virginia Consumer Data Protection Act, the Colorado Privacy Act, the Utah Consumer Privacy Act, the Connecticut Data Privacy Act, the Rhode Island Data Transparency and Privacy Protection Act, the Minnesota Consumer Data Privacy Act, the Oregon Consumer Privacy Act, and future such laws if applicable to the Services. 

3.     Processing of Personal Data

3.1. The parties acknowledge and agree that Customer is the Controller for Customer’s Personal Data and hereby appoints Headspace as a Processor for the purposes of the Agreement and pursuant to this DPA. The parties further acknowledge and agree that Headspace is an independent Controller for Personal Data collected by Headspace directly from Members and such Personal Data is solely subject to Headspace’s privacy policy and end-user terms and services.

3.2. Headspace shall Process Personal Data pursuant to the Agreement, this DPA, or as instructed by Customer. Headspace will, unless legally prohibited from doing so, inform Customer in writing if it reasonably believes that there is a conflict between Customer’s instructions and applicable law or otherwise seeks to Process Customer’s Personal Data in a manner that is inconsistent with Customer’s instructions. 

3.3. Customer agrees that (i) it shall materially comply with its obligations as Controller under Applicable Data Protection Laws including any instructions it issues to Headspace, and (ii) it has provided notice and obtained (or shall obtain) all necessary consents and rights necessary under Applicable Data Protection Laws for Headspace to Process Customer’s Personal Data pursuant to the Agreement and this DPA. 

3.4. Headspace provides its list of Sub-Processors at https://trust.headspace.com/subprocessors and Customer authorizes the use of the Sub-Processors on that list. Customer may subscribe to updates to Headspace’s list of Sub-Processors by providing contact details through the subscription mechanism on that page. Customer further authorizes Headspace to engage new third parties as Sub-Processors provided that Headspace: (i) maintains an up-to-date list of its Sub-Processors; (ii) provides notice of the appointment of a new Sub-Processor to Customer, if Customer subscribes to receive updates, at least 10 days prior to such appointment; (iii) imposes data protection requirements substantially similar to the requirements within this DPA; and (iv) remains fully liable for any breach of this DPA caused by its Sub-Processor. Customer may object in writing to the addition or replacement of a Sub-Processor prior to its appointment if it has reasonable grounds connected to the protection of Customer’s Personal Data. In the event of such an objection, Headspace may try to address Customer’s concerns, not engage the Sub-Processor, or allow Customer to terminate this DPA. Absent an objection, the new Sub-Processor shall be considered authorized by Customer.

3.5. Headspace agrees to comply with all reasonable instructions from Customer related to any requests from individuals exercising their rights in Customer’s Personal Data granted to them under Applicable Data Protection Laws. At Customer’s request and without undue delay, Headspace agrees to take commercially reasonable efforts to assist Customer in answering or complying with any such request. 

3.6. Headspace will reasonably assist Customer to conduct a data protection impact assessment and consult with its relevant data protection authority when either is required by Applicable Data Protection Laws. 

3.7. US Personal Data. To the extent applicable, the parties acknowledge and agree that Headspace is a “service provider” or the equivalent term as defined under US State Privacy Laws. As such, Headspace shall: (i) use Customer’s Personal Data only as allowed in this DPA or Agreement; (ii) comply with the privacy protections required under the US State Privacy Laws; (iii) grant Customer rights to take reasonable and appropriate steps to ensure that Headspace uses Customer’s Personal Data appropriately; (iv) notify Customer if it makes a determination that it can no longer meet its obligations herein; and (v) grant Customer the right, upon notice, to take reasonable steps to stop and remediate unauthorized use of Customer’s Personal Data by Headspace.

3.7.1. Additionally, Headspace will not (i) “sell” or “share” Customer’s Personal Data as those terms are defined under US State Privacy Laws, (ii) combine Customer’s Personal Data with any other personal information, unless expressly instructed by Customer for a specific purpose and for the sole benefit of Customer in the Service, or (iii) retain, use, or disclose Customer’s Personal Data for any purpose (including any commercial purpose) other than for the specific purpose of Headspace’s performance of the Services under the Agreement. Headspace certifies that it understands the preceding restrictions.

4.   International Transfers

4.1. Customer acknowledges that Headspace is a United States based company, resulting in Customer’s Personal Data being processed in the United States. To the extent this transfer constitutes a Restricted Transfer, the parties agree that the Restricted Transfer shall be subject to Headspace’s certification under the EU-US Data Privacy Framework including its extensions. The EU-US Data Privacy Framework shall apply to the Restricted Transfer so long as it remains a valid transfer mechanism under applicable law and Headspace maintains its certification. In the event that the EU-US Data Privacy Framework is invalidated, the parties agree that the Standard Contractual Clauses shall immediately apply as incorporated into this DPA as follows:

4.1.1. EU GDPR Transfers: The parties agree that Restricted Transfers governed by the EU GDPR are made pursuant to the SCCs, which are deemed entered into (and incorporated into this DPA by this reference) and completed as follows: (i) Module Two shall apply; (ii) the optional docking clause in Clause 7 does not apply; (iii) in Clause 9, Option 2 applies, and the minimum time period for prior notice of Sub-Processor changes shall be as set forth in Section 3 of this DPA; (iv) Clause 11’s optional language does not apply; (v) in Clause 17 (Option 1), the SCCs will be governed by Irish law; (vi) in Clause 18(b), disputes will be resolved before the courts of Ireland; (vii) Exhibit A contains the information required in Annex I of the EU SCCs; (viii) Section 3.4 contains the information required in Annex II of the SCCs; and (ix) Exhibit B contains the information required in Annex III of the SCCs.

4.1.2. UK Data Transfers: For Restricted Transfers governed by the UK GDPR, the SCCs shall apply with the following modifications: (i) references to the “GDPR” shall mean the UK GDPR; (ii) Tables 1, 2 and 3 of the UK Addendum will be deemed completed with the information set out in the Exhibits of this DPA; (iii) Table 4 in Part 1 of the UK Addendum shall be deemed completed by selecting both “exporter” and “importer”; (iv) references to the “competent supervisory authority” shall be interpreted as references to the Information Commissioner’s Office; and (v) any conflict between the SCCs and the UK Addendum shall be resolved in accordance with Section 10 and Section 11 of the UK Addendum. 

4.1.3. Switzerland Data Transfers: For Restricted Transfers governed by Swiss Data Protection Laws, the SCCs shall apply with the following modifications: (i) references to the “GDPR” shall mean the Swiss FADP; (ii) references to “EU,” “Union,” and “Member State” shall be replaced with “Switzerland”; (iii) references to the “competent supervisory authority” and “competent courts” shall be interpreted as references to the “Swiss Federal Data Protection and Information Commissioner” and the “competent Swiss courts”; and (iv) the Standard Contractual Clauses shall be governed by the laws of Switzerland and disputes shall be resolved before the competent Swiss courts. 

5.     Security

5.1. Headspace agrees to implement appropriate administrative, technical, and organizational measures designed to protect the confidentiality, integrity, and availability of Customer’s Personal Data pursuant to Applicable Data Protection Laws (“Information Security Program”). Headspace agrees to regularly test, assess and evaluate the effectiveness of its Information Security Program. Customer acknowledges that the Information Security Program is subject to change based on Headspace’s internal evaluations, risk assessment, technical progress, changes to best practices, and updates to the Applicable Data Protection Laws. 

5.2. Notwithstanding the above, Customer is responsible for its secure use of the Services, including securing its account authentication credentials, protecting the security of Customer’s Personal Data when in transit to and from the Services and taking any appropriate steps to securely encrypt or backup any of Customer’s Personal Data uploaded to the Services. 

5.3. Headspace agrees to notify Customer in accordance with the Applicable Data Protection Laws and without undue delay, in the event of a Personal Data Breach and take appropriate steps to mitigate potential harm. Such notice or follow-up communication will include all available details required for Customer to comply with its own notification obligations under Applicable Data Protection Laws. Headspace shall provide notice pursuant to this Section 5 via email using the contact information included or referenced in Exhibit A. 

6.     Audits

6.1. Upon Customer’s request once per year, Headspace will furnish documentation reasonably necessary to demonstrate compliance with the requirements herein. Such documentation may include, as available, proof of certifications, summaries of testing, or company policies describing its Information Security Program (“Audit Materials”). Customer shall treat the Audit Materials as confidential information subject to any confidentiality terms between the parties and not further disclose the Audit Materials absent Headspace’s prior written approval. Headspace shall not be required under this provision to disclose any documentation or other information that may threaten the confidentiality, security, or privacy of its users, employees, or other customers.  

7.     Term and Termination

7.1. This DPA shall commence on the Effective Date of the Agreement and terminate upon the earliest of (i) the date of termination or expiration of the Agreement, or (ii) the destruction of Customer’s Personal Data. 

7.2. Within 90 days following termination of this DPA, Headspace shall destroy all of Customer’s Personal Data in Headspace’s possession or control, save that this requirement shall not apply to the extent Headspace is required by applicable law to retain some or all of Customer’s Personal Data, or to Customer’s Personal Data it has archived on back-up systems, which Headspace shall securely isolate and protect from any further processing, except to the extent required by applicable law. 

8.     Miscellaneous

8.1. This DPA is incorporated into and subject to the terms and conditions of the Agreement. In the event of a conflict between the Agreement and this DPA, then this DPA shall control regarding the protection of Customer’s Personal Data. Any ambiguity of the language herein shall be construed to allow the parties to comply with the Applicable Data Protection Laws. 

8.2. This DPA may be amended only through mutual agreement of the parties in writing. The parties will work in good faith to amend this DPA if necessary to comply with an update to Applicable Data Protection Laws and will operate in compliance with such an update regardless of whether an amendment is in place.