DPA Schedules
(Revision May 18, 2023)
Animana
IDEXX Customer Data Processing Agreement Schedule
IDEXX takes the protection of your personal data seriously. This DPA Schedule is specific to the above IDEXX service and should be read in conjunction with our IDEXX Customer Data Processing Agreement.
Agreement between IDEXX and Customer into which the DPA and this Schedule is incorporated:
General Terms and Conditions of IDEXX Practice Management Software Europe
A. DESCRIPTION OF THE TRANSFER
i. Categories of data subjects whose personal data is transferred:
- Customer (clinic), to the extent Customer qualifies as personal data
- Customer’s employees
- Pet owners
- Employees of referral clinics
ii. Categories of personal data is transferred:
|
|
iii. Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved.
None
iv. The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
Continuous basis depending on the use of the Services by Customer
v. Nature of the processing.
IDEXX’s activities with regard to Processing of Customer Personal Data are:
Activities by IDEXX’s Software Engineering and Development Operations groups:
|
|
Activities by IDEXX’s Conversion & Implementation and Customer Support groups:
|
|
Activities by Training group:
- Use
vi. Purpose(s) of the data transfer and further processing.
To provide the Services.
vii. The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period.
In principle, up to 2 years after termination of the Customer relation, unless a longer minimum statutory retention period applies, such as is the case for data that may be relevant for tax determination, which data is to be retained for at least 7 years.
viii. For transfers to (sub-)processors, also specify subject matter, nature and duration of the processing.
The subject matter, nature and duration of the processing as described above.
B. TRANSBORDER DATA PROCESSING
Pursuant to Section 9.3 of the DPA, the Annexes to the SCCs shall be completed as follows:
Annex I, Part A:
List of Parties Data exporter(s):
Name: The entity identified as “Customer” in the DPA
Address: The address for Customer associated with its IDEXX account.
Contact person’s name, position and contact details: The contact details associated with Customer’s IDEXX account.
Activities relevant to the data transferred under these Clauses: See this DPA Schedule, Section A above.
Signature and date: By entering into the DPA, Customer is entering into the SCCs pursuant to Section 9.3 of the DPA.
Role (controller/processor): Controller
Data importer(s):
Name: IDEXX Laboratories, Inc.
Address: One IDEXX Drive, Westbrook, Maine, USA 04092
Contact person’s name, position and contact details: chiefprivacyofficer@idexx.com
Activities relevant to the data transferred under these Clauses: See this DPA Schedule, Section A above.
Signature and date: By entering into the DPA, IDEXX is entering into the SCCs pursuant to Section 9.3 of the DPA.
Role (controller/processor): Processor
Annex I, Part B: Description of Transfer
See this DPA Schedule, Section A above.
Annex I, Part C: Competent Supervisory
Authority Dutch Data Protection Authority
Annex II: Technical and Organizational Measures Including Technical and Organizational Measures to Ensure the Security of the Data
IDEXX’s foundational technical and organizational measures for data protection within its Services are described in the Technical and Organizational Measures below. The technical and organizational measures that IDEXX will impose on subprocessors are described in the DPA.
Technical and Organizational Measures
Physical Access Control
Measures to ensure that unauthorized persons will not have physical access to systems used to process Personal Data.
- security guards, doormen
- electronic access control system using proximity access cards
- video surveillance (IP cameras)
- security checks for visitors
System Access Control
Measures to prevent data processing systems from being used without authorization:
- password guidelines (including complexity, minimum length, password reuse and minimum password age)
- automatic log-out or password-protected screensaver after certain time period without user activity
- access authentication and authorization
- firewall, anti-virus protection
- intrusion detection/intrusion prevention
- logging of access
Data Access Control
Measures to ensure that persons authorized to use data processing systems have access only to those data they are authorized to access, and that Personal Data cannot be read, copied, altered or removed without authorization during processing, use and after:
- access control concept (access rights limited by profiles and roles)
- documentation of access rights
- approval and assignment of access rights through authorized personnel only
Data Transfer Control
Measures to ensure that Personal Data cannot be read, copied, altered or removed without authorization during electronic transfer or transport or while being recorded onto data storage media, and that it is possible to ascertain and check which bodies are to be transferred Personal Data using data transmission facilities:
- transport encryption (TLS or VPN)
Data Entry Control
Measures to ensure that it is possible after the fact to check and ascertain whether Personal Data have been entered into, altered or removed from data processing systems and if so, by whom:
- Data is essential read only for reporting purposes once stored in the IDEXX data center
Control of Processors
Measures to ensure that Personal Data processed on behalf of others is processed strictly in compliance with the Controller’s instructions:
- written data processing agreements (required)
Availability Control
Measures to ensure that Personal Data are protected against accidental destruction or loss:
- backup in separate location
- business continuity/disaster recovery concept
- uninterruptable power supply (UPS)
- Dedicated data center generator with multiple fuel supply contracts
- fire protection & suppression system
- water detection
- redundant air conditioning system
Separation of Data
Measures to ensure that data collected for different purposes can be processed separately:
- clear logical separation of data from data of other Controllers (dedicated data universe)
ezyVet
IDEXX Customer Data Processing Agreement Schedule
IDEXX takes the protection of your personal data seriously. This DPA Schedule is specific to the above IDEXX service and should be read in conjunction with our IDEXX Customer Data Processing Agreement
Agreement between IDEXX and Customer into which the DPA and this Schedule is incorporated:
ezyVet General Terms and Conditions.
A. DESCRIPTION OF THE TRANSFER
i. Categories of data subjects whose personal data is transferred:
- Customer (clinic), to the extent Customer qualifies as personal data
- Customer’s employees
- Pet owners Employees of referral clinics
ii. Categories of personal data is transferred:
|
|
iii. Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved.
None
iv. The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
Continuous basis depending on the use of the Services by Customer
v. Nature of the processing.
IDEXX’s activities with regard to Processing of Customer Personal Data are:
Activities by IDEXX’s Software Engineering and Development Operations groups:
|
|
Activities by IDEXX’s Conversion & Implementation and Customer Support groups:
|
|
Activities by Training group:
- Use
vi. Purpose(s) of the data transfer and further processing.
To provide the Services.
vii. The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period.
In principle, up to 2 years after termination of the Customer relation, unless a longer minimum statutory retention period applies, such as is the case for data that may be relevant for tax determination, which data is to be retained for at least 7 years.
viii. For transfers to (sub-)processors, also specify subject matter, nature and duration of the processing.
The subject matter, nature and duration of the processing as described above.
B. TRANSBORDER DATA PROCESSING
Pursuant to Section 9.3 of the DPA, the Annexes to the SCCs shall be completed as follows:
Annex I, Part A: List of Parties
Data exporter(s):
Name: The entity identified as “Customer” in the DPA
Address: The address for Customer associated with its IDEXX account.
Contact person’s name, position and contact details: The contact details associated with Customer’s IDEXX account.
Activities relevant to the data transferred under these Clauses: See this DPA Schedule, Section A above.
Signature and date: By entering into the DPA, Customer is entering into the SCCs pursuant to Section 9.3 of the DPA.
Role (controller/processor): Controller
Data importer(s):
Name: IDEXX Laboratories, Inc.
Address: One IDEXX Drive, Westbrook, Maine, USA 04092
Contact person’s name, position and contact details: chiefprivacyofficer@idexx.com
Activities relevant to the data transferred under these Clauses: See this DPA Schedule, Section A above.
Signature and date: By entering into the DPA, IDEXX is entering into the SCCs pursuant to Section 9.3 of the DPA.
Role (controller/processor): Processor
Annex I, Part B: Description of Transfer
See this DPA Schedule, Section A above.
Annex I, Part C: Competent Supervisory Authority
Dutch Data Protection Authority
Annex II: Technical and Organizational Measures Including Technical and Organizational Measures to Ensure the Security of the Data
IDEXX’s foundational technical and organizational measures for data protection within its Services are described in the Technical and Organizational Measures below. The technical and organizational measures that IDEXX will impose on subprocessors are described in the DPA.
Technical and Organizational Measures
Physical Access Control
Measures to ensure that unauthorized persons will not have physical access to systems used to process Personal Data.
- security guards, doormen
- electronic access control system using proximity access cards
- video surveillance (IP cameras)
- security checks for visitors
System Access Control
Measures to prevent data processing systems from being used without authorization:
- password guidelines (including complexity, minimum length, password reuse and minimum password age)
- automatic log-out or password-protected screensaver after certain time period without user activity
- access authentication and authorization
- firewall, anti-virus protection
- intrusion detection/intrusion prevention
- logging of access
Data Access Control
Measures to ensure that persons authorized to use data processing systems have access only to those data they are authorized to access, and that Personal Data cannot be read, copied, altered or removed without authorization during processing, use and after:
- access control concept (access rights limited by profiles and roles)
- documentation of access rights
- approval and assignment of access rights through authorized personnel only
Data Transfer Control
Measures to ensure that Personal Data cannot be read, copied, altered or removed without authorization during electronic transfer or transport or while being recorded onto data storage media, and that it is possible to ascertain and check which bodies are to be transferred Personal Data using data transmission facilities:
- transport encryption (TLS or VPN)
Data Entry Control
Measures to ensure that it is possible after the fact to check and ascertain whether Personal Data have been entered into, altered or removed from data processing systems and if so, by whom:
- Data is essential read only for reporting purposes once stored in the IDEXX data center
Control of Processors
Measures to ensure that Personal Data processed on behalf of others is processed strictly in compliance with the Controller’s instructions:
- written data processing agreements (required)
Availability Control
Measures to ensure that Personal Data are protected against accidental destruction or loss:
- backup in separate location
- business continuity/disaster recovery concept
- uninterruptable power supply (UPS)
- Dedicated data center generator with multiple fuel supply contracts
- fire protection & suppression system
- water detection
- redundant air conditioning system
Separation of Data
Measures to ensure that data collected for different purposes can be processed separately:
- clear logical separation of data from data of other Controllers (dedicated data universe)
Vet Radar
IDEXX Customer Data Processing Agreement Schedule
Vet Radar IDEXX takes the protection of your personal data seriously. This DPA Schedule is specific to the above IDEXX service and should be read in conjunction with our IDEXX Customer Data Processing Agreement.
Agreement between IDEXX and Customer into which the DPA and this Schedule is incorporated:
ezyVet General Terms and Conditions (also covering Vet Radar).
A. DESCRIPTION OF THE TRANSFER
i. Categories of data subjects whose personal data is transferred:
- Customer (clinic), to the extent Customer qualifies as personal data
- Customer’s employees
- Pet owners
ii. Categories of personal data is transferred:
- Last name (all data subjects)
- Address (pet owner only)
iii. Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved.
None
iv. The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
Continuous basis depending on the use of the Services by Customer
v. Nature of the processing.
IDEXX’s activities with regard to Processing of Customer Personal Data are:
Activities by IDEXX’s Software Engineering and Development Operations groups:
|
|
Activities by Training and Customer Support groups:
|
|
vi. Purpose(s) of the data transfer and further processing.
To provide the Services.
vii. The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period.
In principle, up to 2 years after termination of the Customer relation, unless a longer minimum statutory retention period applies, such as is the case for data that may be relevant for tax determination, which data is to be retained for at least 7 years.
viii. For transfers to (sub-)processors, also specify subject matter, nature and duration of the processing.
The subject matter, nature and duration of the processing as described above.
B. TRANSBORDER DATA PROCESSING
Pursuant to Section 9.3 of the DPA, the Annexes to the SCCs shall be completed as follows:
Annex I, Part A: List of Parties
Data exporter(s):
Name: The entity identified as “Customer” in the DPA
Address: The address for Customer associated with its IDEXX account.
Contact person’s name, position and contact details: The contact details associated with Customer’s IDEXX account.
Activities relevant to the data transferred under these Clauses: See this DPA Schedule, Section A above.
Signature and date: By entering into the DPA, Customer is entering into the SCCs pursuant to Section 9.3 of the DPA.
Role (controller/processor): Controller
Data importer(s):
Name: IDEXX Laboratories, Inc.
Address: One IDEXX Drive, Westbrook, Maine, USA 04092
Contact person’s name, position and contact details: chiefprivacyofficer@idexx.com
Activities relevant to the data transferred under these Clauses: See this DPA Schedule, Section A above.
Signature and date: By entering into the DPA, IDEXX is entering into the SCCs pursuant to Section 9.3 of the DPA.
Role (controller/processor): Processor
Annex I, Part B: Description of Transfer
See this DPA Schedule, Section A above.
Annex I, Part C: Competent Supervisory Authority
Dutch Data Protection Authority
Annex II: Technical and Organizational Measures Including Technical and Organizational Measures to Ensure the Security of the Data
IDEXX’s foundational technical and organizational measures for data protection within its Services are described in the Technical and Organizational Measures below. The technical and organizational measures that IDEXX will impose on subprocessors are described in the DPA.
Technical and Organizational Measures
Physical Access Control
Measures to ensure that unauthorized persons will not have physical access to systems used to process Personal Data.
- security guards, doormen
- electronic access control system using proximity access cards
- video surveillance (IP cameras)
- security checks for visitors
System Access Control
Measures to prevent data processing systems from being used without authorization:
- password guidelines (including complexity, minimum length, password reuse and minimum password age)
- automatic log-out or password-protected screensaver after certain time period without user activity
- access authentication and authorization
- firewall, anti-virus protection
- intrusion detection/intrusion prevention
- logging of access Data Access Control Measures to ensure that persons authorized to use data processing systems have access only to those data they are authorized to access, and that Personal Data cannot be read, copied, altered or removed without authorization during processing, use and after:
- access control concept (access rights limited by profiles and roles)
- documentation of access rights
- approval and assignment of access rights through authorized personnel only
Data Transfer Control
Measures to ensure that Personal Data cannot be read, copied, altered or removed without authorization during electronic transfer or transport or while being recorded onto data storage media, and that it is possible to ascertain and check which bodies are to be transferred Personal Data using data transmission facilities:
- transport encryption (TLS or VPN)
Data Entry Control
Measures to ensure that it is possible after the fact to check and ascertain whether Personal Data have been entered into, altered or removed from data processing systems and if so, by whom:
- Data is essential read only for reporting purposes once stored in the IDEXX data center
Control of Processors
Measures to ensure that Personal Data processed on behalf of others is processed strictly in compliance with the Controller’s instructions:
- written data processing agreements (required)
Availability Control
Measures to ensure that Personal Data are protected against accidental destruction or loss:
- backup in separate location
- business continuity/disaster recovery concept
- uninterruptable power supply (UPS)
- Dedicated data center generator with multiple fuel supply contracts
- fire protection & suppression system
- water detection
- redundant air conditioning system
Separation of Data
Measures to ensure that data collected for different purposes can be processed separately:
- clear logical separation of data from data of other Controllers (dedicated data universe)
SmartFlow
IDEXX Customer Data Processing Agreement Schedule
IDEXX takes the protection of your personal data seriously. This DPA Schedule is specific to the above IDEXX service and should be read in conjunction with our IDEXX Customer Data Processing Agreement.
Agreement between IDEXX and Customer into which the DPA and this Schedule is incorporated:
General Terms and Conditions of IDEXX Practice Management Software Europe (if applicable to your region).
SmartFlow Terms and Conditions.
A. DESCRIPTION OF THE TRANSFER
i. Categories of data subjects whose personal data is transferred:
- Customer (clinic), to the extent Customer qualifies as personal data
- Customer’s employees
- Pet owners
ii. Categories of personal data is transferred:
- First and Last name (all data subjects)
- Email address (all data subjects)
iii. Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved.
None
iv. The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
Continuous basis depending on the use of the Services by Customer.
v. Nature of the processing.
IDEXX’s activities with regard to Processing of Customer Personal Data are:
Activities by IDEXX’s Software Engineering and Development Operations groups:
|
|
Activities by IDEXX’s Sales and Medical Consulting groups:
|
|
Activities by Training and Customer Support groups:
|
|
vi. Purpose(s) of the data transfer and further processing.
To provide the Services.
vii. The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period.
The minimum statutory period applicable to IDEXX’s retention of Personal Data.
viii. For transfers to (sub-)processors, also specify subject matter, nature and duration of the processing.
The subject matter, nature and duration of the processing as described above.
B. TRANSBORDER DATA PROCESSING
Pursuant to Section 9.3 of the DPA, the Annexes to the SCCs shall be completed as follows:
Annex I, Part A: List of Parties
Data exporter(s):
Name: The entity identified as “Customer” in the DPA
Address: The address for Customer associated with its IDEXX account.
Contact person’s name, position and contact details: The contact details associated with Customer’s IDEXX account.
Activities relevant to the data transferred under these Clauses: See this DPA Schedule, Section A above.
Signature and date: By entering into the DPA, Customer is entering into the SCCs pursuant to Section 9.3 of the DPA.
Role (controller/processor): Controller
Data importer(s):
Name: IDEXX Laboratories, Inc.
Address: One IDEXX Drive, Westbrook, Maine, USA 04092
Contact person’s name, position and contact details: chiefprivacyofficer@idexx.com
Activities relevant to the data transferred under these Clauses: See this DPA Schedule, Section A above.
Signature and date: By entering into the DPA, IDEXX is entering into the SCCs pursuant to Section 9.3 of the DPA.
Role (controller/processor): Processor
Annex I, Part B: Description of Transfer
See this DPA Schedule, Section A above.
Annex I, Part C: Competent Supervisory
Authority Dutch Data Protection Authority
Annex II: Technical and Organizational Measures Including Technical and Organizational Measures to Ensure the Security of the Data
IDEXX’s foundational technical and organizational measures for data protection within its Services are described in the Technical and Organizational Measures below. The technical and organizational measures that IDEXX will impose on subprocessors are described in the DPA.
Technical and Organizational Measures
Physical Access Control
Measures to ensure that unauthorized persons will not have physical access to systems used to process Personal Data.
- security guards, doormen
- electronic access control system using proximity access cards
- video surveillance (IP cameras)
- security checks for visitors
System Access Control
Measures to prevent data processing systems from being used without authorization:
- password guidelines (including complexity, minimum length, password reuse and minimum password age)
- automatic log-out or password-protected screensaver after certain time period without user activity
- access authentication and authorization
- firewall, anti-virus protection
- intrusion detection/intrusion prevention
- logging of access
Data Access Control
Measures to ensure that persons authorized to use data processing systems have access only to those data they are authorized to access, and that Personal Data cannot be read, copied, altered or removed without authorization during processing, use and after:
- access control concept (access rights limited by profiles and roles)
- documentation of access rights
- approval and assignment of access rights through authorized personnel only
Data Transfer Control
Measures to ensure that Personal Data cannot be read, copied, altered or removed without authorization during electronic transfer or transport or while being recorded onto data storage media, and that it is possible to ascertain and check which bodies are to be transferred Personal Data using data transmission facilities:
- transport encryption (TLS or VPN)
Data Entry Control
Measures to ensure that it is possible after the fact to check and ascertain whether Personal Data have been entered into, altered or removed from data processing systems and if so, by whom:
- Data is essential read only for reporting purposes once stored in the IDEXX data center
Control of Processors
Measures to ensure that Personal Data processed on behalf of others is processed strictly in compliance with the Controller’s instructions:
- written data processing agreements (required)
Availability Control
Measures to ensure that Personal Data are protected against accidental destruction or loss:
- backup in separate location
- business continuity/disaster recovery concept
- uninterruptable power supply (UPS)
- Dedicated data center generator with multiple fuel supply contracts
- fire protection & suppression system
- water detection
- redundant air conditioning system
Separation of Data
Measures to ensure that data collected for different purposes can be processed separately:
- clear logical separation of data from data of other Controllers (dedicated data universe)
VetConnect PLUS
IDEXX Customer Data Processing Addendum Schedule
IDEXX takes the protection of your personal data seriously. This DPA Schedule is specific to the above IDEXX service and should be read in conjunction with our IDEXX Customer Data Processing Agreement.
Agreement between IDEXX and Customer into which the DPA and this Schedule is incorporated:
VetConnect PLUS Terms of Service.
A. DESCRIPTION OF THE TRANSFER
i. Categories of data subjects whose personal data is transferred:
- Customer (clinic), to the extent Customer qualifies as personal data
- Customer’s employees
- Pet owners
ii. Categories of personal data is transferred:
- First and Last name (pet owner and customer employee)
- Email address (pet owner and customer employee)
iii. Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved.
None
iv. The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
Continuous basis depending on the use of the Services by Customer
v. Nature of the processing.
IDEXX’s activities with regard to Processing of Customer Personal Data are:
Activities by IDEXX’s Software Engineering and Development Operations groups:
|
|
Activities by IDEXX’s Sales and Medical Consulting groups:
|
|
Activities by Training and Customer Support groups:
|
|
vi. Purpose(s) of the data transfer and further processing.
To provide the communication functionalities offered in VetConnect PLUS.
vii. The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period.
The minimum statutory period applicable to IDEXX’s retention of Personal Data.
viii. For transfers to (sub-)processors, also specify subject matter, nature and duration of the processing.
The subject matter, nature and duration of the processing as described above.
B. TRANSBORDER DATA PROCESSING
Pursuant to Section 9.3 of the DPA, the Annexes to the SCCs shall be completed as follows:
Annex I, Part A:
List of Parties Data exporter(s):
Name: The entity identified as “Customer” in the DPA
Address: The address for Customer associated with its IDEXX account.
Contact person’s name, position and contact details: The contact details associated with Customer’s IDEXX account.
Activities relevant to the data transferred under these Clauses: See this DPA Schedule, Section A above.
Signature and date: By entering into the DPA, Customer is entering into the SCCs pursuant to Section 9.3 of the DPA.
Role (controller/processor): Controller
Data importer(s):
Name: IDEXX Laboratories, Inc.
Address: One IDEXX Drive, Westbrook, Maine, USA 04092
Contact person’s name, position and contact details: chiefprivacyofficer@idexx.com
Activities relevant to the data transferred under these Clauses: See this DPA Schedule, Section A above.
Signature and date: By entering into the DPA, IDEXX is entering into the SCCs pursuant to Section 9.3 of the DPA.
Role (controller/processor): Processor
Annex I, Part B: Description of Transfer
See this DPA Schedule, Section A above.
Annex I, Part C: Competent Supervisory Authority
Dutch Data Protection Authority
Annex II: Technical and Organizational Measures Including Technical and Organizational Measures to Ensure the Security of the Data
IDEXX’s foundational technical and organizational measures for data protection within its Services are described in the Technical and Organizational Measures below. The technical and organizational measures that IDEXX will impose on subprocessors are described in the DPA.
Technical and Organizational Measures
Physical Access Control
Measures to ensure that unauthorized persons will not have physical access to systems used to process Personal Data.
- security guards, doormen
- electronic access control system using proximity access cards
- video surveillance (IP cameras)
- security checks for visitors
System Access Control
Measures to prevent data processing systems from being used without authorization:
- password guidelines (including complexity, minimum length, password reuse and minimum password age)
- automatic log-out or password-protected screensaver after certain time period without user activity
- access authentication and authorization
- firewall, anti-virus protection
- intrusion detection/intrusion prevention
- logging of access
Data Access Control
Measures to ensure that persons authorized to use data processing systems have access only to those data they are authorized to access, and that Personal Data cannot be read, copied, altered or removed without authorization during processing, use and after:
- access control concept (access rights limited by profiles and roles)
- documentation of access rights
- approval and assignment of access rights through authorized personnel only
Data Transfer Control
Measures to ensure that Personal Data cannot be read, copied, altered or removed without authorization during electronic transfer or transport or while being recorded onto data storage media, and that it is possible to ascertain and check which bodies are to be transferred Personal Data using data transmission facilities:
- transport encryption (TLS or VPN)
Data Entry Control
Measures to ensure that it is possible after the fact to check and ascertain whether Personal Data have been entered into, altered or removed from data processing systems and if so, by whom:
- Data is essential read only for reporting purposes once stored in the IDEXX data center
Control of Processors
Measures to ensure that Personal Data processed on behalf of others is processed strictly in compliance with the Controller’s instructions:
- written data processing agreements (required)
Availability Control
Measures to ensure that Personal Data are protected against accidental destruction or loss:
- backup in separate location
- business continuity/disaster recovery concept
- uninterruptable power supply (UPS)
- Dedicated data center generator with multiple fuel supply contracts
- fire protection & suppression system
- water detection
- redundant air conditioning system
Separation of Data
Measures to ensure that data collected for different purposes can be processed separately:
- clear logical separation of data from data of other Controllers (dedicated data universe)
SmartService
IDEXX Customer Data Processing Addendum Schedule
IDEXX takes the protection of your personal data seriously. This DPA Schedule is specific to the above IDEXX service and should be read in conjunction with our IDEXX Customer Data Processing Agreement.
Agreement between IDEXX and Customer into which the DPA and this Schedule is incorporated:
IDEXX SmartService Agreement.
A. DESCRIPTION OF THE TRANSFER
i. Categories of data subjects whose personal data is transferred:
- Customer (clinic), to the extent Customer qualifies as personal data
- Customer’s employees
- Pet owners
ii. Categories of personal data is transferred:
First and Last name (pet owner and customer employee)
iii. Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved.
None
iv. The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
Continuous basis depending on the use of the Services by Customer
v. Nature of the processing.
IDEXX’s activities with regard to Processing of Customer Personal Data are:
Activities by IDEXX’s Software Engineering and Development Operations groups:
|
|
Activities by IDEXX’s Sales, Medical Consulting and Customer Service groups:
|
|
vi. Purpose(s) of the data transfer and further processing.
To provide the Services.
vii. The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period.
The minimum statutory period applicable to IDEXX’s retention of Personal Data.
viii. For transfers to (sub-)processors, also specify subject matter, nature and duration of the processing.
The subject matter, nature and duration of the processing as described above.
B. TRANSBORDER DATA PROCESSING
Pursuant to Section 9.3 of the DPA, the Annexes to the SCCs shall be completed as follows:
Annex I, Part A: List of Parties
Data exporter(s):
Name: The entity identified as “Customer” in the DPA
Address: The address for Customer associated with its IDEXX account.
Contact person’s name, position and contact details: The contact details associated with Customer’s IDEXX account.
Activities relevant to the data transferred under these Clauses: See this DPA Schedule, Section A above.
Signature and date: By entering into the DPA, Customer is entering into the SCCs pursuant to Section 9.3 of the DPA.
Role (controller/processor): Controller
Data importer(s):
Name: IDEXX Laboratories, Inc.
Address: One IDEXX Drive, Westbrook, Maine, USA 04092
Contact person’s name, position and contact details: chiefprivacyofficer@idexx.com
Activities relevant to the data transferred under these Clauses: See this DPA Schedule, Section A above.
Signature and date: By entering into the DPA, IDEXX is entering into the SCCs pursuant to Section 9.3 of the DPA.
Role (controller/processor): Processor
Annex I, Part B: Description of Transfer
See this DPA Schedule, Section A above.
Annex I, Part C: Competent Supervisory Authority
Dutch Data Protection Authority
Annex II: Technical and Organizational Measures Including Technical and Organizational Measures to Ensure the Security of the Data
IDEXX’s foundational technical and organizational measures for data protection within its Services are described in the Technical and Organizational Measures below. The technical and organizational measures that IDEXX will impose on subprocessors are described in the DPA.
Technical and Organizational Measures
Physical Access Control
Measures to ensure that unauthorized persons will not have physical access to systems used to process Personal Data.
- security guards, doormen
- electronic access control system using proximity access cards
- video surveillance (IP cameras)
- security checks for visitors
System Access Control
Measures to prevent data processing systems from being used without authorization:
- password guidelines (including complexity, minimum length, password reuse and minimum password age)
- automatic log-out or password-protected screensaver after certain time period without user activity
- access authentication and authorization
- firewall, anti-virus protection
- intrusion detection/intrusion prevention
- logging of access
Data Access Control
Measures to ensure that persons authorized to use data processing systems have access only to those data they are authorized to access, and that Personal Data cannot be read, copied, altered or removed without authorization during processing, use and after:
- access control concept (access rights limited by profiles and roles)
- documentation of access rights
- approval and assignment of access rights through authorized personnel only
Data Transfer Control
Measures to ensure that Personal Data cannot be read, copied, altered or removed without authorization during electronic transfer or transport or while being recorded onto data storage media, and that it is possible to ascertain and check which bodies are to be transferred Personal Data using data transmission facilities:
- transport encryption (TLS or VPN)
Data Entry Control
Measures to ensure that it is possible after the fact to check and ascertain whether Personal Data have been entered into, altered or removed from data processing systems and if so, by whom:
- Data is essential read only for reporting purposes once stored in the IDEXX data center
Control of Processors
Measures to ensure that Personal Data processed on behalf of others is processed strictly in compliance with the Controller’s instructions:
- written data processing agreements (required)
Availability Control
Measures to ensure that Personal Data are protected against accidental destruction or loss:
- backup in separate location
- business continuity/disaster recovery concept
- uninterruptable power supply (UPS)
- Dedicated data center generator with multiple fuel supply contracts
- fire protection & suppression system
- water detection
- redundant air conditioning system
Separation of Data
Measures to ensure that data collected for different purposes can be processed separately:
- clear logical separation of data from data of other Controllers (dedicated data universe)