Disior Software - License Agreement
This License Agreement (“Agreement”) governs the use of Disior Services.
You shall read this Agreement with due care. By accepting this Agreement after downloading the Disior Software (e.g. by clicking “I agree”), the Customer will be bound by this Agreement with Disior Oy (Business ID: 2787587-8, address Rantapolku 1 A 5, 00330 Helsinki, Finland) (“Disior”). This Agreement applies to any use of the Disior Services. If you do not agree to the terms of this Agreement, do not use the Disior Services. The End-User accepting this Agreement represents that it has the authority to bind the Customer to the Agreement.
1. Definitions
As used in this Agreement, the following capitalized terms shall have the meaning set out below.
“Customer” shall mean the entity having ordered the Disior Services hereunder.
“Customer Data” shall mean all Customer’s data that an End-User generates in or submits to the Disior Services. Customer Data shall not include Disior Data.
“Disior Data” shall mean all data Disior generates from the Customer Data or from other applicable data.
“Disior Software” shall mean the “Bonelogic”, or any other Disior software tool, access to which is provided to End-User for the purposes of analyzing the Customer Data.
“Disior Services” shall mean the Disior Software, as well as any associated services and tools provided to the Customer by Disior under this Agreement, including Disior Data.
“End-User” or “you” shall mean the representative of the Customer, such as its employees, authorized to use the Disior Services on behalf of the Customer.
“Intellectual Property Rights” shall mean copyrights and related rights (including database and catalogue rights and photography rights), patents, utility models, design rights, trademarks, tradenames, trade secrets, know-how and any other form of registered or unregistered intellectual property rights.
“Party” shall mean the Customer or Disior (jointly the “Parties”).
“License Period” shall mean the fixed term during which the Customer is entitled to use and has access to the Disior Software as agreed separately between the Parties.
2. Use of Disior Services
2.1. Grant of license
Subject to the terms and conditions of this Agreement, Disior hereby grants to the Customer and the Customer hereby accepts a limited, non-exclusive, non-transferable, and non-sublicensable right to use the Disior Services during the License Period. Disior shall have the right to deny the Customer's use of the Disior Services without any prior notice to the Customer, if Disior suspects that the Customer uses the Disior Services in violation of the terms of this Agreement.
2.2. Usage restrictions
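During the License Period, the Disior Services and the Disior Data obtained from the Disior Services shall only be used for research purposes prior to certification by local authorities. After official certification, the Disior Services and the Disior Data can be used in clinical set-up (subject to any special requirements or limitations set out in the official certification documentation). In addition, the Customer and the End-Users are not permitted and not entitled to permit third parties to do any of the following:
- copy, modify, distribute, rent, sub-license, lease the Disior Services or otherwise make them available to or grant access to them to third parties without the prior written consent of Disior;
- circumvent or try to circumvent any usage control or anti-copy functionalities of the Disior Services;
- reverse engineer or decompile the Disior Services or access the source code thereof, except as permitted by law;
- probe, scan or test the vulnerability of the Disior Services;
- use the Disior Services in violation of applicable law;
- use the Disior Services in ways that violate Intellectual Property Rights, business secrets, or privacy rights of third parties;
- use the Disior Services for the purposes of developing a product, program or service that would compete with the Disior Services; and/or
- artificially inflate traffic using software, tools, bots, spiders or other means to manipulate the Disior Services.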
2.3. General obligations of Customer
The Customer is responsible for acquiring any and all network connections and all technical equipment required for using the Disior Services and is liable for any costs thereof. The Customer shall use all reasonable endeavours to prevent unauthorised access to, or use of, the Disior Software and Disior Services.
The Customer agrees that it shall indemnify and hold Disior harmless from and against any and all liabilities, losses, damages, costs, and expenses (including reasonable legal fees and expenses) associated with any claim or action brought against Disior that may arise from the Customer's use of the Disior Services in breach of this Agreement, including claims that the Customer Data infringes the Intellectual Property Rights or privacy rights of third parties.
3. Customer Data
The Intellectual Property Rights and the title to the Customer Data shall belong to the Customer. Disior and its subcontractors (subject to applicable data protection laws) may use, copy, store, and modify Customer Data during the term of this Agreement for the purposes of providing the Disior Services to Customer as well as analyzing the use of the Disior Services.
Disior Software shall not be used as a storage service. Customer shall be solely responsible for storing appropriate backup copies of the Customer Data. The Customer shall be responsible for its Customer Data and shall be liable for ensuring that Customer Data does not infringe any third party rights or violate applicable legislation, and that the Customer and End-Users possess such necessary licences and permissions from third parties as may be required in order to use the Customer Data as set out herein. The Disior Services may not be used to store patient data or documents or any personal data identifying any natural person.
Disior shall have the right to generate anonymous Disior Data from the Customer Data. The Intellectual Property Rights and the title to the Disior Data shall belong to Disior. For clarity, Disior Data shall not in any event be used by Disior or any third party in a manner that identifies the Customer, End-User or any natural person.
4. Provision of Disior Services
The Customer understands that the Disior Services may be inaccessible, unavailable or inoperable for any reason including maintenance. Disior shall at all times have the right to temporarily suspend the provision of the Disior Services. The Customer acknowledges that interruptions to the availability of the Disior Services may also occur, for example, in the event of data connection or network disruptions or in case of interruptions in third-party services. Disior shall in no event be liable for such interruptions.
Disior may under its sole discretion at any time modify and update the Disior Services or a part thereof and may cease to provide the same. Disior reserves the right to implement new versions of the Disior Services.
Disior provides technical support to the Customer relating to the use of the Disior Services in accordance with Disior’s price list in force from time to time.
5. Confidentiality
Either Party shall not disclose to third parties any material or information received from the other Party and marked as confidential or which should be understood to be confidential and shall not use such material or information for any other purposes than those stated in this Agreement.
The confidentiality obligation shall, however, not be applied to material and information, (a) which is generally available or otherwise public; or (b) which the Party has received from a third party without any obligation of confidentiality as verified by the written records of such Party; or (c) which a Party has independently developed without using material or information received from the other Party as verified by the written records of such Party; or (d) which a Party is obligated to disclose due to applicable mandatory laws, public authority regulations or court orders. In case of disclosure due to (d), the Party must promptly inform the other Party of such disclosure.
The rights and responsibilities under this Section 5 shall survive the expiry or termination of this Agreement.
6. Intellectual Property Rights
All Intellectual Property Rights in or related to the Disior Services and thereto related documentation and all parts and copies thereof shall remain exclusively vested with and be the sole and exclusive property of Disior and/or its subcontractors/licensors. Except as expressly stated herein, this Agreement does not grant the Customer any other Intellectual Property Rights in the Disior Services and all rights not expressly granted hereunder are reserved by Disior and its subcontractors/licensors.
The Customer and its End-Users shall have the right to use the Disior Data provided by Disior to End-User in scientific or other publications on the condition that Disior’s name is stated in the publication.
7. No Warranty and Limitation of Liability
To the extent permitted by applicable law, the Disior Services are provided "as is" without warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability and fitness for a particular purpose, or accuracy or reliability of results from use of the Disior Services, that the Disior Services will meet specific requirements, that the Disior Services will be uninterrupted, completely secure, free of software errors, defects and failures.
To the maximum extent permitted by applicable law, Disior is not liable to the Customer for any lost profits, or for indirect or consequential damages. For the sake of clarity, it is stated that Disior is not liable to the Customer for any damages that result from the use of the Disior Services or from the results obtained from the use of the Disior Services. These limitations of liability shall not apply in cases of intentional misconduct or gross negligence.
8. Term and Termination
This Agreement shall enter into force as of the acceptance of this Agreement (e.g. by clicking “I agree”). The Agreement shall remain in force for the term of the License Period and shall automatically terminate at the end of the License Period. A Party may terminate this Agreement with immediate effect if the other Party substantially breaches the provisions of this Agreement. Upon termination of this Agreement, Customer and End-User shall delete the Disior Software and all portions thereof from Customer’s and End-Users’ computers.
The provisions of this Agreement which by their nature reasonably should survive the termination or other expiration of this Agreement/License Period shall survive any expiration or termination of this Agreement/License Period.
9. Miscellaneous
Disior shall be entitled to use subcontractors, including third party software suppliers, for the provision of the Disior Services. Disior shall be liable for the subcontractors’ work and services in the same manner as for its own work and services.
Customer agrees that Disior may use the Customer’s name and logo to identify the Customer as a customer of Disior as part of a general list of Disior’s customers for use and reference in Disior’s promotional and marketing materials.
The Customer agrees to comply with any export restrictions in force in any jurisdiction that may be applied to the provision of the Disior Services hereunder.
This Agreement supersedes all prior agreements, arrangements, and understandings between the Parties relating to the subject matter hereof and constitutes the entire agreement between the Parties relating to the subject matter hereof. If any provision of this Agreement is declared by any judicial or other competent authority to be void, illegal or otherwise unenforceable, the remaining provisions of this Agreement shall remain in full force and effect.
Disior shall be entitled to assign all or any of its rights or obligations hereunder in whole or part to an affiliate or successor or to a purchaser or acquirer of its business assets relating to the Disior Services without the Customer’s prior consent. The Customer shall not be entitled to assign any of its rights or obligations hereunder in whole or part without the prior written consent of Disior.
Disior is entitled to amend this Agreement by providing the Customer with at least 30 days prior notice. If the Customer does not accept the change made by Disior to this Agreement, the Customer has the right to terminate the Agreement by notifying Disior thereof in writing prior to the effective date of such change.
This Agreement shall be governed by and construed in accordance with the laws of Finland, except for its provisions on choice of law. Any dispute, controversy or claim arising out of or relating to this Agreement, or the breach, termination or validity thereof, shall be finally settled by arbitration in accordance with the Arbitration Rules of the Finland Chamber of Commerce. The number of arbitrators shall be one. The seat of arbitration shall be Helsinki, Finland. The language of the arbitration shall be English. However, evidence may be submitted also in Finnish.
10. Disior Data Processing Addendum (“DPA”)
This DPA and its schedule apply to the processing of personal data by Disior on behalf of the Customer under applicable data protection regulations, including the European Union General Data Protection Regulation 2016/679 (“GDPR”) in order to provide the Disior Services pursuant to the License Agreement between Disior and the Customer.
The Customer is the controller of personal data or acting as a processor on behalf of other controllers and has been instructed by and obtained the authorization of the relevant controller to agree to the processing of personal data by Disior as the Customer’s subprocessor in accordance with this DPA.
As specified in the schedule attached hereto, Disior may gain incidental access to personal data when performing the Disior Services. With respect to any such personal data processed by Disior, the following terms shall apply:
a. The Customer is responsible for having a legal ground for processing of the personal data on behalf of the Customer. Further, the Customer is responsible for the lawful collection, processing and use of the personal data, and for the accuracy thereof, as well as for preserving the rights of the individuals concerned. The Customer shall ensure that the relevant data subjects have been informed of the processing as required by applicable data protection regulations.
b. Disior processes the personal data only in accordance with the terms of this DPA and the Customer’s lawful and documented instructions. Disior has the right to charge a reasonable fee for complying with such instructions if the instructions require additional work to be performed by Disior.
c. Disior shall ensure that Disior’s employees or other persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
d. In order for the Customer to be able to respond to requests from individuals exercising their rights as foreseen in applicable data protection regulations, such as the right of access and the right to rectification or erasure, Disior shall assist the Customer in responding to such requests, without undue delay, taking into account the nature of the processing. Disior has the right to charge a reasonable fee for handling such assistance requests if the assistance obligations require additional work to be performed by Disior.
e. Taking into account the nature of processing and the information available to Disior, Disior reasonably assists the Customer in ensuring compliance with the obligations set out in Articles 32 to 36 of the GDPR, including controller’s obligations to perform security and data protection impact assessments, breach notifications and prior consultations of the competent supervisory authority. Disior has the right to charge a reasonable fee for providing such assistance if the assistance obligations require additional work to be performed by Disior.
f. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Disior’s processing, Disior shall implement and maintain appropriate technical and organizational security measures in order to safeguard the personal data processed on behalf of the Customer against unauthorized or unlawful processing and damage, and in particular against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to the personal data. Disior makes available to the Customer, at the Customer’s request, information necessary to demonstrate compliance with the GDPR.
g. The Customer gives a general authorization to Disior to use subprocessors for the processing of the personal data for the provision of Disior Services. Disior ensures that the involved subprocessors are properly qualified, are under a written data processing agreement with Disior and comply with the same data protection obligations under this DPA. Disior may change its subprocessors by prior written notice. The Customer may object to such change, provided that if Disior cannot change the subprocessor the Customer has objected to, then each party shall have the right to terminate the License Agreement with immediate effect and the Customer shall cease using the Disior Services.
h. Disior may process personal data outside the Customer’s country of domicile or the EEA to provide the Disior Services. If the processing is subject to the GDPR and personal data is transferred from the EEA for processing in any country outside the EEA that is not recognized by the European Commission as providing an adequate level of protection for personal data, the Customer authorizes Disior to enter, on behalf of the Customer, into the standard contractual clauses adopted or approved by the European Commission applicable to processing outside the EEA, or alternatively Disior shall provide for other appropriate safeguard for the protection of the personal data transferred outside the EEA as set out in the GDPR.
i. The Customer or an auditor appointed by the Customer shall have the right to audit and inspect Disior’s activities relating to processing of personal data on behalf of the Customer under this DPA to examine the compliance of Disior with this DPA and applicable data protection regulations. The Customer shall bear all costs for any such audit. Where an audit may lead to the disclosure of business or trade secrets of Disior or threaten intellectual property rights of Disior, the Customer shall use an independent auditor, which is not a competitor of Disior, to carry out the audit, and the auditor shall agree to be bound to confidentiality to Disior’s benefit.
j. Disior shall, without undue delay after having become aware of it, inform the Customer in writing of any data breach relating to personal data processed on behalf of the Customer. Disior’s notification about the data breach to the Customer shall include at least the following: (i) description of the nature of the data breach; (ii) name and contact details of Disior’s contact point where more information can be obtained; (iii) description of the likely consequences of the data breach; (iv) description of the measures taken by Disior to address the data breach, including, where appropriate, measures to mitigate its possible adverse effects.
Disior shall process the personal data on behalf of the Customer only for the duration as agreed between the Customer and Disior, as further specified in the schedule attached hereto. All personal data processed by Disior on behalf of the Customer under this DPA shall be returned or deleted without undue delay after the termination of this DPA, unless otherwise required by applicable law.
Schedule to DPA: Specification of processing of personal data
Subject matter and nature of processing: Disior Services support functions, including but not limited to software training, installation, quality assurance, technical support, software updates and system integration services, cover the life cycle of Disior software products. The Disior Services are performed on site or by phone, email, webinar or with remote connection monitored by the data controller’s representative. The primary function of the support functions is not to handle personal data that is stored in any registers or otherwise processed by the controller, but incidental processing of personal data by Disior is possible if the nature of the service requires handling such data.
Purpose of Processing: To provide support functions as part of Disior Services. The purpose of the support functions is to train and support the users of Disior software products, and to help to solve problems.
Duration of processing and retention period: During the term of the License Agreement and DPA and only as long as necessary for the provision of the Disior Services. Personal data is removed or anonymized on a case by case basis as stated below.
Processor Contact Information: Disior Ltd, Rantapolku 1 A 5, 00330 Helsinki, Finland, +358 504836433
Processor’s representative & Contact information: [email protected]
Data Subject Categories: Patient, Customer
Data Category – Personal Data: Patient – Health Data, Patient – Personal Identification, Customers – User Account Information, Customers – Professional Experience and Affiliations, Patient – Patient Appointment, Patient – Caregiving, Customers – Contact Information, Customers – Professional Information, Customers – Education and Skills, Customers – Personal Identification, Customers – Employment Information, Patient – Contact Information
Classification – Personal Data: PII, Special Categories of Data
Parties who Access/Use Data: Disior’s Customer Service Department, Product Development, Clinical Department, After Sales Department
Technical and Organizational Security Measures – Overview: The secured handling of the personal data is ensured with appropriate organizational and technical measures. All personal data is stored in servers and data storage systems accessible only for named and authorized personnel. The servers and data storage systems are secured with appropriate firewalls and other technical measures. All personal data is accessible only with specific authorization and password, and access is granted based on need-to-know basis only. Patient data is removed or anonymized within 30 days of case closure.
11. HIPAA Business Associate Agreement amendment
This HIPAA Business Associate Agreement is between the Customer ("Covered Entity"), a health care provider, and Disior Oy. The terms of this Business Associate Agreement apply only if and to the extent Covered Entity licenses the Disior software for use in the United States and Disior Oy is a Business Associate of Covered Entity because of its access to information covered by applicable provisions of HIPAA Rules (45 CFR Part 160 and Part 164).
Obligations, Permitted Uses and Disclosures by Business Associate:
a) Disior may only use or disclose protected health information as necessary to perform the services set forth in the License Agreement. Disior is authorized to use protected health information to de-identify the information in accordance with 45 CFR 164.514(a)-(c) so that the data is no longer PHI and may be used or disclosed by Disior for any lawful purpose.
b) Disior will not use or further disclose the information other than as permitted or required by the Agreement or as required by law.
c) Disior agrees to use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to electronic protected health information, to prevent use or disclosure of protected health information other than as provided for by the Agreement.
d) Disior agrees to report to covered entity any use or disclosure of protected health information not provided for by the Agreement of which it becomes aware, including breaches of unsecured protected health information as required at 45 CFR 164.410, and any security incident of which it becomes aware.
Provisions for Covered Entity to Inform Business Associate of Privacy Practices and Restrictions
a) Covered entity shall notify business associate of any limitation(s) in the notice of privacy practices of covered entity under 45 CFR 164.520, to the extent that such limitation may affect business associate’s use or disclosure of protected health information.
Last updated: October 2023
You shall read this Agreement with due care. By accepting this Agreement after downloading the Disior Software (e.g. by clicking “I agree”), the Customer will be bound by this Agreement with Disior Oy (Business ID: 2787587-8, address Rantapolku 1 A 5, 00330 Helsinki, Finland) (“Disior”). This Agreement applies to any use of the Disior Services. If you do not agree to the terms of this Agreement, do not use the Disior Services. The End-User accepting this Agreement represents that it has the authority to bind the Customer to the Agreement.
1. Definitions
As used in this Agreement, the following capitalized terms shall have the meaning set out below.
“Customer” shall mean the entity having ordered the Disior Services hereunder.
“Customer Data” shall mean all Customer’s data that an End-User generates in or submits to the Disior Services. Customer Data shall not include Disior Data.
“Disior Data” shall mean all data Disior generates from the Customer Data or from other applicable data.
“Disior Software” shall mean the “Bonelogic”, or any other Disior software tool, access to which is provided to End-User for the purposes of analyzing the Customer Data.
“Disior Services” shall mean the Disior Software, as well as any associated services and tools provided to the Customer by Disior under this Agreement, including Disior Data.
“End-User” or “you” shall mean the representative of the Customer, such as its employees, authorized to use the Disior Services on behalf of the Customer.
“Intellectual Property Rights” shall mean copyrights and related rights (including database and catalogue rights and photography rights), patents, utility models, design rights, trademarks, tradenames, trade secrets, know-how and any other form of registered or unregistered intellectual property rights.
“Party” shall mean the Customer or Disior (jointly the “Parties”).
“License Period” shall mean the fixed term during which the Customer is entitled to use and has access to the Disior Software as agreed separately between the Parties.
2. Use of Disior Services
2.1. Grant of license
Subject to the terms and conditions of this Agreement, Disior hereby grants to the Customer and the Customer hereby accepts a limited, non-exclusive, non-transferable, and non-sublicensable right to use the Disior Services during the License Period. Disior shall have the right to deny the Customer's use of the Disior Services without any prior notice to the Customer, if Disior suspects that the Customer uses the Disior Services in violation of the terms of this Agreement.
2.2. Usage restrictions
During the License Period, the Disior Services and the Disior Data obtained from the Disior Services shall only be used for research purposes prior to certification by local authorities. After official certification, the Disior Services and the Disior Data can be used in clinical set-up (subject to any special requirements or limitations set out in the official certification documentation). In addition, the Customer and the End-Users are not permitted and not entitled to permit third parties to do any of the following:
- copy, modify, distribute, rent, sub-license, lease the Disior Services or otherwise make them available to or grant access to them to third parties without the prior written consent of Disior;
- circumvent or try to circumvent any usage control or anti-copy functionalities of the Disior Services;
- reverse engineer or decompile the Disior Services or access the source code thereof, except as permitted by law;
- probe, scan or test the vulnerability of the Disior Services;
- use the Disior Services in violation of applicable law;
- use the Disior Services in ways that violate Intellectual Property Rights, business secrets, or privacy rights of third parties;
- use the Disior Services for the purposes of developing a product, program or service that would compete with the Disior Services; and/or
- artificially inflate traffic using software, tools, bots, spiders or other means to manipulate the Disior Services.
2.3. General obligations of Customer
The Customer is responsible for acquiring any and all network connections and all technical equipment required for using the Disior Services and is liable for any costs thereof. The Customer shall use all reasonable endeavours to prevent unauthorised access to, or use of, the Disior Software and Disior Services.
The Customer agrees that it shall indemnify and hold Disior harmless from and against any and all liabilities, losses, damages, costs, and expenses (including reasonable legal fees and expenses) associated with any claim or action brought against Disior that may arise from the Customer's use of the Disior Services in breach of this Agreement, including claims that the Customer Data infringes the Intellectual Property Rights or privacy rights of third parties.
3. Customer Data
The Intellectual Property Rights and the title to the Customer Data shall belong to the Customer. Disior and its subcontractors (subject to applicable data protection laws) may use, copy, store, and modify Customer Data during the term of this Agreement for the purposes of providing the Disior Services to Customer as well as analyzing the use of the Disior Services.
Disior Software shall not be used as a storage service. Customer shall be solely responsible for storing appropriate backup copies of the Customer Data. The Customer shall be responsible for its Customer Data and shall be liable for ensuring that Customer Data does not infringe any third party rights or violate applicable legislation, and that the Customer and End-Users possess such necessary licences and permissions from third parties as may be required in order to use the Customer Data as set out herein. The Disior Services may not be used to store patient data or documents or any personal data identifying any natural person.
Disior shall have the right to generate anonymous Disior Data from the Customer Data. The Intellectual Property Rights and the title to the Disior Data shall belong to Disior. For clarity, Disior Data shall not in any event be used by Disior or any third party in a manner that identifies the Customer, End-User or any natural person.
4. Provision of Disior Services
The Customer understands that the Disior Services may be inaccessible, unavailable or inoperable for any reason including maintenance. Disior shall at all times have the right to temporarily suspend the provision of the Disior Services. The Customer acknowledges that interruptions to the availability of the Disior Services may also occur, for example, in the event of data connection or network disruptions or in case of interruptions in third-party services. Disior shall in no event be liable for such interruptions.
Disior may under its sole discretion at any time modify and update the Disior Services or a part thereof and may cease to provide the same. Disior reserves the right to implement new versions of the Disior Services.
Disior provides technical support to the Customer relating to the use of the Disior Services in accordance with Disior’s price list in force from time to time.
5. Confidentiality
Either Party shall not disclose to third parties any material or information received from the other Party and marked as confidential or which should be understood to be confidential and shall not use such material or information for any other purposes than those stated in this Agreement.
The confidentiality obligation shall, however, not be applied to material and information, (a) which is generally available or otherwise public; or (b) which the Party has received from a third party without any obligation of confidentiality as verified by the written records of such Party; or (c) which a Party has independently developed without using material or information received from the other Party as verified by the written records of such Party; (d) which a Party is obligated to disclose due to applicable mandatory laws, public authority regulations or court orders. In case of disclosure due to (d), the Party much promptly inform the other Party of such disclosure.
The rights and responsibilities under this Section 5 shall survive the expiry or termination of this Agreement.
6. Intellectual Property Rights
All Intellectual Property Rights in or related to the Disior Services and thereto related documentation and all parts and copies thereof shall remain exclusively vested with and be the sole and exclusive property of Disior and/or its subcontractors/licensors. Except as expressly stated herein, this Agreement does not grant the Customer any other Intellectual Property Rights in the Disior Services and all rights not expressly granted hereunder are reserved by Disior and its subcontractors/licensors.
The Customer and its End-Users shall have the right to use the Disior Data provided by Disior to End-User in scientific or other publications on the condition that Disior’s name is stated in the publication.
7. No Warranty and Limitation of Liability
To the extent permitted by applicable law, the Disior Services are provided "as is" without warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability and fitness for a particular purpose, or accuracy or reliability of results from use of the Disior Services, that the Disior Services will meet specific requirements, that the Disior Services will be uninterrupted, completely secure, free of software errors, defects and failures.
To the maximum extent permitted by applicable law, Disior is not liable to the Customer for any lost profits, or for indirect or consequential damages. For the sake of clarity, it is stated that Disior is not liable to the Customer for any damages that result from the use of the Disior Services or from the results obtained from the use of the Disior Services. These limitations of liability shall not apply in cases of intentional misconduct or gross negligence.
8. Term and Termination
This Agreement shall enter into force as of the acceptance of this Agreement (e.g. by clicking “I agree”). The Agreement shall remain in force for the term of the License Period and shall automatically terminate at the end of the License Period. A Party may terminate this Agreement with immediate effect if the other Party substantially breaches the provisions of this Agreement. Upon termination of this Agreement, Customer and End-User shall delete the Disior Software and all portions thereof from Customer’s and End-Users’ computers.
The provisions of this Agreement which by their nature reasonably should survive the termination or other expiration of this Agreement/License Period shall survive any expiration or termination of this Agreement/License Period.
9. Miscellaneous
Disior shall be entitled to use subcontractors, including third party software suppliers, for the provision of the Disior Services. Disior shall be liable for the subcontractors’ work and services in the same manner as for its own work and services.
Customer agrees that Disior may use the Customer’s name and logo to identify the Customer as a customer of Disior as part of a general list of Disior’s customers for use and reference in Disior’s promotional and marketing materials.
The Customer agrees to comply with any export restrictions in force in any jurisdiction that may be applied to the provision of the Disior Services hereunder.
This Agreement supersedes all prior agreements, arrangements, and understandings between the Parties relating to the subject matter hereof and constitutes the entire agreement between the Parties relating to the subject matter hereof. If any provision of this Agreement is declared by any judicial or other competent authority to be void, illegal or otherwise unenforceable, the remaining provisions of this Agreement shall remain in full force and effect.
Disior shall be entitled to assign all or any of its rights or obligations hereunder in whole or part to an affiliate or successor or to a purchaser or acquirer of its business assets relating to the Disior Services without the Customer’s prior consent. The Customer shall not be entitled to assign any of its rights or obligations hereunder in whole or part without the prior written consent of Disior.
Disior is entitled to amend this Agreement by providing the Customer with at least 30 days prior notice. If the Customer does not accept the change made by Disior to this Agreement, the Customer has the right to terminate the Agreement by notifying Disior thereof in writing prior to the effective date of such change.
This Agreement shall be governed by and construed in accordance with the laws of Finland, except for its provisions on choice of law. Any dispute, controversy or claim arising out of or relating to this Agreement, or the breach, termination or validity thereof, shall be finally settled by arbitration in accordance with the Arbitration Rules of the Finland Chamber of Commerce. The number of arbitrators shall be one. The seat of arbitration shall be Helsinki, Finland. The language of the arbitration shall be English. However, evidence may be submitted also in Finnish.
10. Disior Data Processing Addendum (“DPA”)
This DPA and its schedule apply to the processing of personal data by Disior on behalf of the Customer under applicable data protection regulations, including the European Union General Data Protection Regulation 2016/679 (“GDPR”) in order to provide the Disior Services pursuant to the License Agreement between Disior and the Customer.
The Customer is the controller of personal data or acting as a processor on behalf of other controllers and has been instructed by and obtained the authorization of the relevant controller to agree to the processing of personal data by Disior as the Customer’s subprocessor in accordance with this DPA.
As specified in the schedule attached hereto, Disior may gain incidental access to personal data when performing the Disior Services. With respect to any such personal data processed by Disior, the following terms shall apply:
a. The Customer is responsible for having a legal ground for processing of the personal data on behalf of the Customer. Further, the Customer is responsible for the lawful collection, processing and use of the personal data, and for the accuracy thereof, as well as for preserving the rights of the individuals concerned. The Customer shall ensure that the relevant data subjects have been informed of the processing as required by applicable data protection regulations.
b. Disior processes the personal data only in accordance with the terms of this DPA and the Customer’s lawful and documented instructions. Disior has the right to charge a reasonable fee for complying with such instructions if the instructions require additional work to be performed by Disior.
c. Disior shall ensure that Disior’s employees or other persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
d. In order for the Customer to be able to respond to requests from individuals exercising their rights as foreseen in applicable data protection regulations, such as the right of access and the right to rectification or erasure, Disior shall assist the Customer in responding to such requests, without undue delay, taking into account the nature of the processing. Disior has the right to charge a reasonable fee for handling such assistance requests if the assistance obligations require additional work to be performed by Disior.
e. Taking into account the nature of processing and the information available to Disior, Disior reasonably assists the Customer in ensuring compliance with the obligations set out in Articles 32 to 36 of the GDPR, including controller’s obligations to perform security and data protection impact assessments, breach notifications and prior consultations of the competent supervisory authority. Disior has the right to charge a reasonable fee for providing such assistance if the assistance obligations require additional work to be performed by Disior.
f. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Disior’s processing, Disior shall implement and maintain appropriate technical and organizational security measures in order to safeguard the personal data processed on behalf of the Customer against unauthorized or unlawful processing and damage, and in particular against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to the personal data. Disior makes available to the Customer, at the Customer’s request, information necessary to demonstrate compliance with the GDPR.
g. The Customer gives a general authorization to Disior to use subprocessors for the processing of the personal data for the provision of Disior Services. Disior ensures that the involved subprocessors are properly qualified, are under a written data processing agreement with Disior and comply with the same data protection obligations under this DPA. Disior may change its subprocessors by prior written notice. The Customer may object to such change, provided that if Disior cannot change the subprocessor the Customer has objected to, then each party shall have the right to terminate the License Agreement with immediate effect and the Customer shall cease using the Disior Services.
h. Disior may process personal data outside the Customer’s country of domicile or the EEA to provide the Disior Services. If the processing is subject to the GDPR and personal data is transferred from the EEA for processing in any country outside the EEA that is not recognized by the European Commission as providing an adequate level of protection for personal data, the Customer authorizes Disior to enter, on behalf of the Customer, into the standard contractual clauses adopted or approved by the European Commission applicable to processing outside the EEA, or alternatively Disior shall provide for other appropriate safeguard for the protection of the personal data transferred outside the EEA as set out in the GDPR.
i. The Customer or an auditor appointed by the Customer shall have the right to audit and inspect Disior’s activities relating to processing of personal data on behalf of the Customer under this DPA to examine the compliance of Disior with this DPA and applicable data protection regulations. The Customer shall bear all costs for any such audit. Where an audit may lead to the disclosure of business or trade secrets of Disior or threaten intellectual property rights of Disior, the Customer shall use an independent auditor, which is not a competitor of Disior, to carry out the audit, and the auditor shall agree to be bound to confidentiality to Disior’s benefit.
j. Disior shall, without undue delay after having become aware of it, inform the Customer in writing of any data breach relating to personal data processed on behalf of the Customer. Disior’s notification about the data breach to the Customer shall include at least the following: (i) description of the nature of the data breach; (ii) name and contact details of Disior’s contact point where more information can be obtained; (iii) description of the likely consequences of the data breach; (iv) description of the measures taken by Disior to address the data breach, including, where appropriate, measures to mitigate its possible adverse effects.
Disior shall process the personal data on behalf of the Customer only for the duration as agreed between the Customer and Disior, as further specified in the schedule attached hereto. All personal data processed by Disior on behalf of the Customer under this DPA shall be returned or deleted without undue delay after the termination of this DPA, unless otherwise required by applicable law.
Schedule to DPA: Specification of processing of personal data
Subject matter and nature of processing: Disior Services support functions, including but not limited to software training, installation, quality assurance, technical support, software updates and system integration services cover the life cycle of Disior software products. The Disior Services are performed on site or by phone, email, webinar or with remote connection monitored by the data controller’s representative. The primary function of the support functions is not to handle personal data that is stored in any registers or otherwise processed by the controller, but incidental processing of personal data by Disior is possible if the nature of the service requires handling such data.
Purpose of Processing: To provide support functions as part of Disior Services. The purpose of the support functions is to train and support the users of Disior software products, and to help to solve problems.
Duration of processing and retention period: During the term of the License Agreement and DPA and only as long as necessary for the provision of the Disior Services. Personal data is removed or anonymized on a case by case basis as stated below.
Processor Contact Information: Disior Ltd, Rantapolku 1 A 5, 00330 Helsinki, Finland, +358 504836433
Processor’s representative & Contact information: [email protected]
Data Subject Categories: Patient, Customer
Data Category – Personal Data: Patient – Health Data, Patient – Personal Identification, Customers – User Account Information, Customers – Professional Experience and Affiliations, Patient – Patient Appointment, Patient – Caregiving, Customers – Contact Information, Customers – Professional Information, Customers – Education and Skills, Customers – Personal Identification, Customers – Employment Information, Patient – Contact Information
Classification – Personal Data: PII, Special Categories of Data
Parties who Access/Use Data: Disior’s Customer Service Department, Product Development, Clinical Department, After Sales Department
Technical and Organizational Security Measures – Overview: The secured handling of the personal data is ensured with appropriate organizational and technical measures. All personal data is stored in servers and data storage systems accessible only for named and authorized personnel. The servers and data storage systems are secured with appropriate firewalls and other technical measures. All personal data is accessible only with specific authorization and password, and access is granted based on need-to-know basis only. Patient data is removed or anonymized within 30 days of case closure.
11. HIPAA Business Associate Agreement amendment
This HIPAA Business Associate Agreement is between the Customer ("Covered Entity"), a health care provider, and Disior Oy. The terms of this Business Associate Agreement apply only if and to the extent Covered Entity licenses the Disior software for use in the United States and Disior Oy is a Business Associate of Covered Entity because of its access to information covered by applicable provisions of HIPAA Rules (45 CFR Part 160 and Part 164).
Obligations, Permitted Uses and Disclosures by Business Associate:
a) Disior may only use or disclose protected health information as necessary to perform the services set forth in the License Agreement. Disior is authorized to use protected health information to de-identify the information in accordance with 45 CFR 164.514(a)-(c) so that the data is no longer PHI and may be used or disclosed by Disior for any lawful purpose.
b) Disior will not use or further disclose the information other than as permitted or required by the Agreement or as required by law.
c) Disior agrees to use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to electronic protected health information, to prevent use or disclosure of protected health information other than as provided for by the Agreement.
d) Disior agrees to report to covered entity any use or disclosure of protected health information not provided for by the Agreement of which it becomes aware, including breaches of unsecured protected health information as required at 45 CFR 164.410, and any security incident of which it becomes aware.
Provisions for Covered Entity to Inform Business Associate of Privacy Practices and Restrictions
a) Covered entity shall notify business associate of any limitation(s) in the notice of privacy practices of covered entity under 45 CFR 164.520, to the extent that such limitation may affect business associate’s use or disclosure of protected health information.
Last updated: October 2023