Terms and Conditions of Use last updated: May 10, 2023

IMPORTANT: PAR®iConnect™ is provided by Psychological Assessment Resources, Inc. ("PAR"), a Florida corporation. Please carefully read these Terms and Conditions of Use (the "Terms") before using PARiConnect.

By registering a PARiConnect account ("Account") and using PARiConnect, you agree to be bound by these Terms, which contain important legal information about your rights and obligations and constitute a contract between you and PAR.

PAR may update or modify these Terms at any time. By continuing to use PARiConnect after such changes, you agree to be bound by the changes. You can tell when the Terms were last modified by viewing the "Last updated" date at the top. We encourage you to periodically review these Terms.

Additional Documents

The following documents are incorporated by reference into these Terms to the extent they apply to you or your use of PARiConnect:

General information

PAR is an independent publisher of psychological assessments and resources. PAR makes the PARiConnect online testing platform available to qualified clinicians and practitioners (each a "Qualified User") for use with selected PAR assessment tools. Using PARiConnect, Qualified Users can remotely test clients, test clients in an office setting using online assessments, and generate reports on responses gathered from remotely located clients using the PAR desktop software application.

By registering an Account to use PARiConnect as a PAR customer (a "PAR Customer") and providing your e-mail address, you consent to receive e-mail, including commercial electronic mail messages, from PAR to the e-mail address provided, unless you expressly revoke your consent in writing or by e-mail.

No clinical advice

PAR does not provide clinical advice; diagnose conditions; or recommend or endorse any specific health care providers, procedures, or opinions. The PARiConnect platform and the assessments, tests, interpretive reports, scores and/or results obtained through the PARiConnect platform (collectively, the "PARiConnect Materials") are provided only to Qualified Users and only for professional informational purposes.

The PARiConnect Materials do not constitute clinical advice and are not intended to be a substitute for professional psychological, psychiatric, or medical advice or diagnosis. The PARiConnect Materials must not be relied on for diagnosis, treatment, or other recommended course of action for any medical, psychiatric, or other health-related condition. PAR Customers remain solely and exclusively responsible for all diagnostic, care, and/or treatment decisions for their clients.

Capacity of use

Entity or organization use

All PAR Customers affiliated with or employed by an entity, group, business, or organization of any kind (an "Organization") must agree to the following:

• You represent and warrant that you have the authority to legally bind the Organization to these Terms;
• You acknowledge and agree that both you and the Organization are jointly and severally bound by these Terms;
• The term "Supervisor/Account Manager" shall mean you as the individual registering the account of behalf of the Organization; and
• All references in these Terms to "PAR Customer" or "you" will include both you and the Organization.

Individual use

PAR Customers who are not affiliated with or employed by an Organization must agree to the following:

• You warrant and represent that you are not employed by or affiliated with or otherwise acting on behalf of any Organization of any kind;
• You acknowledge and agree that these Terms are binding on you in your individual capacity; and
• References in these Terms to "PAR Customer" or "you" shall mean you in your individual capacity.

PAR Customer responsibilities

You assume full responsibility for all use of PARiConnect under your Account including, if applicable, use by others within your Organization. You agree that any person who accesses, uses, or misuses PARiConnect under your Account does so on your behalf and that you are responsible for all such activity under your Account, including, without limitation, any activity in violation of these Terms.

You acknowledge and agree that you are responsible for ensuring that all access and use of the PARiConnect Materials under your Account complies with all of the Terms, including the restrictions and requirements that follow. You agree to follow all reasonable instructions of PAR in the use of the PARiConnect Materials.

Qualifications

PAR Customers are required to submit qualification information to establish professional credentials to acquire access to PAR tests. Specifically, you must provide accurate and current information pertaining to your identification, education, training, or other professional credentials ("Qualifications") required for the relevant tests to be acquired. You warrant and agree that you have not misrepresented any Qualifications for any reason, including to obtain access to tests for which you are not qualified.

You warrant and agree that any individual who accesses or uses any PARiConnect Materials (including the PARiConnect platform) under your Account:

• Will be at least 18 years old or older than the legal age of majority in the relevant jurisdiction; and
• Will possess the training, education, and expertise appropriate to use the relevant PAR test acquired through PARiConnect.

You agree not to allow anyone to access or use the PARiConnect Materials or to conduct or interpret the results of any PAR assessment who has not had appropriate training.

Remote testing restrictions

Remote testing of adolescents and children aged 13 years and younger is prohibited. Assessment instruments may be administered to adolescents and children aged 13 years and younger only within your physical presence or that of another Qualified User in the Organization.

Connectivity

PAR will reasonably endeavor to ensure that PARiConnect is available at all times but does not guarantee 24/7 uptime. You agree and acknowledge that PARiConnect will function as intended only where you maintain a sufficiently fast and reliable Internet connection and use a browser environment that complies with any PARiConnect guidelines published from time to time at https://www.pariconnect.com. In particular, this may require the downloading of additional browser plug-ins to enable access to the content. PAR is not responsible for such third-party plug-ins, and you are responsible for complying with any license agreements that may apply to such plug-ins.

Privacy and security

You are solely and exclusively responsible for implementing and communicating reasonable and appropriate privacy policies with respect to your clients.

You agree to submit reasonable and appropriate documentation as requested by PAR to change critical security-related Account information for PARiConnect access and use.

You acknowledge and agree that you are solely and exclusively responsible for implementing and applying reasonable safeguards to protect the security of your Account, including maintaining the privacy of your password ("Password") and not sharing it with others and modifying or requesting modification of your Password when necessary; for example, if an authorized user leaves your employ or Organization. PAR does not have access to Passwords, and, if you lose or forget your Password, you will have to create a new unique Password.

You are responsible for all activities under your Account, and you accept all risks for any unauthorized use of the Account. You agree to notify PAR immediately if you suspect that a Password or an Account has been compromised or breached to enable PAR in its discretion to investigate the circumstances and take such further action as required by law or as PAR in its discretion deems appropriate.

Data retention and backup

You agree and acknowledge that you are solely and exclusively responsible for backing up and maintaining backups of your data submitted to or generated by PARiConnect, including client records, reports, and assessment results, and that you will not to rely on PARiConnect for storage of such data or records.

PAR reserves the right to delete a PARiConnect Account, including all associated client records and data, after a period of 36 months of inactivity on the Account.

Prohibited uses

You agree to comply with all applicable law governing your use of PARiConnect Materials, including the PARiConnect platform and any products or services provided by or made available through PARiConnect, and not to use any PARiConnect Materials for unlawful purposes.

You agree not to access or attempt to access the PARiConnect Materials other than through the uniform resource locator ("URL") supplied by PAR and not to access any API providing access to the PARiConnect Materials except where such API access has been explicitly granted by PAR and subject to the interface specifications supplied by PAR.

You agree not to use any device, software, or routine to interfere or attempt to interfere with the proper working of PARiConnect or any activity being conducted on PARiConnect or take any actions that otherwise may cause damage to PARiConnect.

Paper documentation

PAR may provide you with assessment documentation on paper. In such event, you agree not to make copies of any such documentation and only to use the originals provided by PAR. Once submitted to PAR, any client data provided via paper documentation is treated in the same manner as client data directly entered via PARiConnect.

Indemnity obligation

You agree to indemnify, protect, save, and hold harmless PAR and its officers, directors, employees, agents, servants, representatives, and contractors (collectively, "PAR Indemnitees") from and against any loss, injury, damage, or expense (including, but not limited to, reasonable attorneys' fees) that arises out of or is related in any way to your use of PARiConnect or the use of PARiConnect under your Account by any employee or other individual under your control and/or supervision, including any such use in violation of these Terms, and including claims by third parties.

Proprietary rights

The PARiConnect platform and its content (including, but not limited to, all site design; text; data; interfaces; logos; button icons; legends; images; photographs; music; audio and/or video clips; titles; page headers; graphics; software; and the selection, arrangement, coordination, enhancement, and presentation of said elements) is the proprietary property of PAR or its licensors or suppliers and is protected as to copyrights, trade dress, trademarks, and/or other intellectual property under United States law, or foreign law, or both.

PAR grants you a limited, nonexclusive, and revocable license ("License") to use (and, if applicable, to permit employees or individuals acting on your behalf and under your control and/or supervision to use) PARiConnect and its tools to conduct assessments based on the tests acquired for use. This License does not authorize you to copy, reproduce, distribute, publish, transmit, modify, display, or create derivative or collective works from, or exploit any assessment tools, scores, results, information, or other content contained within or available on or through PARiConnect for any purpose.

Reservation of rights

Except for the limited License described above, you do not acquire any right, title, or interest in or to any intellectual property in PARiConnect or any assessment tools, information or other content contained within or available on or through PARiConnect. All rights not expressly granted to you by these Terms are reserved by PAR. Any access or use of PARiConnect except as expressly granted by these Terms is prohibited and may result in legal action.

Electronic medical records

Electronic medical record (EMR)/electronic health record (EHR) technology and digital storage of records is increasingly used in health care practice. Medicare and Medicaid reimbursements are reduced for practitioners who do not use and incorporate EMR/EHR technology in their practice. And, increasingly, assessments and their results are administered and scored on digital platforms. As noted above, PAR's tests and test materials (e.g., test items, stimulus materials, normative and validity data, interpretive statements generated from PAR software code), including those made available on PARiConnect, are PAR's intellectual property and are protected by United States copyright law. Failure to follow best practices and appropriate security measures can also affect the future utility of such assessment materials.

PAR's policy with respect to the inclusion of such items within an EMR/EHR, or in an electronic storage format, is the following:

• When paper-based tests are scanned and entered into electronic medical records, care must be taken to ensure that the record is complete, that data quality is not comprised, and that paper forms are properly destroyed in a controlled environment
• Test materials retained in an electronic format must be stored in a secure manner, with secure backup. The EMR/EHR or electronic digital storage system in use must have appropriate security levels in place to limit access to such information. Any system in use shall utilize access controls, such as passwords and/or PINs, to restrict access. Additionally, sensitive data and information should be encrypted. Finally, the system should have a mechanism to record who has accessed information, including capturing if changes were made, who made such changes, and when.
• Qualified Users utilizing the assessment must ensure, through inquiry, observation, and representation from information technology professionals, that the digital storage or EMR/EHR selected and applied can provide the necessary level of security.
• Nonprofessional staff must be informed of the requirement for the protection of psychological test materials and the stipulation that access to such materials is restricted to Qualified Users only.
• Test results and/or reports that are generated from either web-based or desktop computerized test administration and/or scoring should be downloaded, filed, and stored with the client's record that is retained within the EMR/EHR system or other digital storage method employed by the professional.

Essentially, each PAR Customer or Qualified User who uses a digital storage method is charged with applying and employing the same safeguards that one would use with sensitive paper files and ensuring that additional security measures are in place to protect electronically stored records to reduce the threat of unauthorized access. For additional information on PAR's position regarding the disclosure of test materials to comply with the Privacy Rule of the Health Insurance Portability and Accountability Act ("HIPAA"), please click here.

Modification or termination

PAR reserves the right, in its sole and absolute discretion at any time and without notice, (a) to suspend or terminate access to PARiConnect or any Accounts or registrations for any or no reason and (b) to modify (in whole or in part) PARiConnect, any products or services provided or available on PARiConnect, and their respective features and functionality. PAR will not be liable to you or any third party for any modification, suspension, or termination of access to PARiConnect or other PARiConnect Materials or for loss of related information or other content.

Limitations on liability

Disclaimer of warranties

YOU USE PARICONNECT AT YOUR OWN RISK. PARiConnect is provided "as is," "with all faults," and without warranty of any kind. Except and to the extent required by law, PAR does not represent, warrant, or guarantee that (a) any PARiConnect Materials or any content available on or through PARiConnect will be reliable, available, timely, error-free, uninterrupted, accurate, complete, or suitable for any purpose or otherwise meet your requirements or expectations and (b) that any defects or errors will be corrected even if PAR is aware of them.

Without limiting the generality of the foregoing and to the maximum extent permitted by law, PAR disclaims all warranties relating to any PARiConnect Materials, whether express or implied, arising under statute, common law, custom, course of dealing, course of performance, usage of trade, or otherwise. This disclaimer includes, without limitation, all warranties and conditions of merchantability, merchantable quality, fitness for a particular purpose, title, lack of viruses and non-infringement.

Some jurisdictions do not allow the exclusion of certain warranties, so the above limitations or exclusions may not apply to you.

Exclusion of certain damages

To the maximum extent permitted by law, PAR will not be liable to you or any other person for any special, incidental, indirect, collateral, consequential, exemplary, or punitive damages, whether in contract (including breach of warranty), equity, strict liability, negligence or other tort, failure to meet any duty (including, without limitation, any duty to act in good faith; to exercise commercially reasonable care; or arising out of any course of dealing, performance, usage, trade, or otherwise), or any other theory of liability arising out of or related in any way to (a) the use, misuse, inability to use, or performance of PARiConnect; (b) any error, omission, or inaccuracy contained within or any data, information, record, or results obtained through or resulting from the use of PARiConnect; or (c) any modification, corruption, or loss of data, records, or other information.

You further agree that this exclusion shall apply even if PAR was advised of the possibility of such damages or such possibility was reasonably foreseeable and that this exclusion includes damages of any kind, including, without limitation, damages caused by delayed or lost use, loss of actual or potential business, good will, revenue, profits or savings, damages resulting from business interruption, loss of privacy, and liability to third parties. Some jurisdictions do not allow the exclusion of certain warranties or limitation of incidental or consequential damages, so the above limitations or exclusions may not apply to you.

Maximum damages

To the maximum extent permitted by law, you agree that (a) PAR's total aggregated liability arising out or related to your use or inability to use PARiConnect, or to the PARiConnect Materials generally, will not in any event exceed one hundred U.S. dollars ($100.00 USD), and (b) this limitation applies regardless of whether liability is based on contract, warranty, negligence or other tort, strict liability, or any other theory. Some jurisdictions do not permit caps on damages, so the above limitation may not apply to you.

Application of limitations and exclusions

Except where otherwise prohibited, you agree that this section ("Limitations on liability"), including all subsections, will apply notwithstanding any failure of essential purpose of any remedy.

Waiver of class action or class arbitration

Except where prohibited, you agree that you will not bring, request, join, or participate in a class action or class arbitration proceeding as to any claim, demand, suit, or cause of action you may have against PAR arising out of, relating to, or in any way connected with any PARiConnect Materials, and you waive and relinquish any right you may now or in the future have to bring, request, join, or participate in any lawsuit or arbitration or other proceeding on a class action or consolidated basis or to participate as a representative or member of any class of claimants pertaining to any claim, demand, suit, or cause of action arising out of, relating to, or in any way connected with your use of any PARiConnect Materials. This provision does not constitute a waiver of any of your rights and remedies to pursue a claim individually and not on a class action, class arbitration, or consolidated basis or as a representative or member of any class of claimants.

Severability

Each provision, part, or paragraph in these Terms is severable. If any provision in these Terms is determined by a court of competent jurisdiction to be illegal, invalid, or unenforceable under applicable law, the parties intend that the court shall modify the Terms (and the Terms shall be deemed to have been so modified), to the minimum extent necessary to conform to that law while preserving the parties' original intent as much as possible. Such modification will apply only to the operation of the modified provision in the jurisdiction where the adjudication or determination was made.

Survival

The following sections will survive the termination of these Terms or your right to use PARiConnect: Indemnity obligation, Proprietary rights, Reservation of rights, Limitations on liability (including all subsections), Waiver of class action or class arbitration, Severability, and Governing law and venue.

Governing law and venue

Any dispute arising under these Terms or relating to your use of PARiConnect will be governed exclusively by the substantive laws of the State of Florida (without application of its conflict of laws principles) and controlling federal law of the United States of America and resolved exclusively in the state or federal courts located in Hillsborough County, Florida, United States. Each party irrevocably (a) consents to and submits to the mandatory jurisdiction of those courts; (b) waives any objection which such party now or hereafter may have to the institution or defense of any such suit, action, or proceeding in those courts; and (c) waives any defense or claim of inconvenient forum or improper venue. The United Nations Convention on Contracts for the International Sale of Goods will not apply to the validity, construction, interpretation, or enforcement of these Terms.

PARiConnect Supervisor/Account Manager/User Agreement

Supervisor/Account Manager/User Agreement last updated: May 10, 2023

PAR®iConnect™ is made available by Psychological Assessment Resources, Inc. (PAR) and provides an online testing platform for selected PAR assessment tools, providing clinicians and practitioners with the capability for remote testing of clients. PARiConnect also provides a method for licensed users of select PAR software products to purchase online administrations and use existing PC-based desktop software to complete scoring and/or interpretation. As the Supervisor/Account Manager of the PARiConnect connection and account that will be used for online testing by me and other users within my organization, I hereby understand and acknowledge the following:

1. I possess the appropriate training, education, and expertise to use tests acquired for use by me and/or my organization. I understand the professional testing standards as promulgated by the American Psychological Association (APA), the National Council on Measurement in Education (NCME), and the American Educational Research Association (AERA) and will comply with such standards and policies.
2. I have previously submitted user qualification information to PAR and have established my professional credentials to acquire access to tests. I have not misrepresented my identification, education, training, or other professional credentials to obtain access to tests for which I am not qualified. I understand that my access to tests is conditioned on my user qualifications being current and in good standing at all times.
3. I have read and thoroughly understand the rights provided to me and my obligations as the Supervisor/Account Manager.
4. I will supervise all users of PARiConnect that I may now or in the future establish or authorize on this account (each an "Additional User"), and I assume full responsibility for assigning the appropriate level of test access to each Additional User. I also assume full responsibility for adding new Additional Users and deleting Additional Users who are no longer qualified for access to various rights and privileges on PARiConnect.
5. Before I assign rights through my PARiConnect account to any Additional Users within my organization, I will read and thoroughly understand the rights and obligations that apply to such Additional Users. If I have any questions concerning such rights or obligations within PARiConnect, I will contact PAR Customer Support at 1.855.856.4266 to resolve my question prior to assigning such rights.
6. I hereby acknowledge that my account may contain client data for a number of clinicians and practitioners, and I assume full responsibility for establishing the account hierarchy to provide appropriate access to such client data.
7. I will instruct all Additional Users on the appropriate acquisition process required for PARiConnect uses as well as for other PAR print and software products and will ensure that adequate safeguards are instituted such that all acquisitions will have the approval of me or my institution or other organization, and I will follow the acquisition procedure implemented within my organization.
8. I will instruct all Additional Users that remote administration of assessment instruments to adolescents and children 13 years of age and younger is prohibited. In addition, I understand that many jurisdictions ("Local Laws") restrict data collection from minors and that the relevant ages may vary. If applicable, I will instruct all Additional Users that the remote administration of assessment instruments to any children or adolescents younger than the age established by such Local Law (for example, 16 years of age and younger) is prohibited. I acknowledge and agree that I am solely responsible for identifying and complying with such additional restrictions applicable under Local Law. I accept full responsibility for ensuring that administration of assessment instruments to adolescents and children 13 years and younger (or such age as established by Local Law) will occur within the physical presence of either me or a qualified user in my organization.
9. I will indemnify, protect, save, and hold harmless PAR and its officers, directors, employees, agents, servants, representatives, and contractors of, from, and against any loss, injury, damage, or expense (including reasonable attorneys' fees) that PAR or any of its officers, directors, employees, agents, servants, representatives, or contractors may incur that shall arise out of, be connected with, or be in any manner related to my use or misuse of PARiConnect, the use or misuse of PARiConnect by any person in my organization, or the use or misuse of PARiConnect by any person provided access to PARiConnect by me or any person in my organization.

Business Associate Agreement

Business Associate Agreement last updated: May 10, 2023

Introduction

Psychological Assessment Resources, Inc. ("PAR"), a duly registered Florida corporation authorized to do business in Florida and located at 16204 North Florida Avenue, Lutz, FL, 33549, provides PARiConnect (defined below) for use by PAR customers (each a "Customer") who have registered accounts to use PARiConnect in various ways, including to enter Customer client data that may contain PHI (defined below).

The Customer enters this Business Associate Agreement ("Agreement") with PAR to satisfy the Customer's obligations as a Covered Entity (defined below) under HIPAA, the DHHS Regulations, and the HITECH Act, as amended from time to time, to obtain reasonable assurances from PAR that PAR, as the Customer's Business Associate, will comply with those laws and regulations made applicable to the Business Associate by the HITECH Act.

The Customer and PAR (each a "Party" and together, the "Parties") will accomplish the Customer's need for access to online assessments available within PARiConnect as described by this Agreement by electronically transmitting and receiving data in agreed formats and assuring that such transactions comply with relevant laws and regulations.

NOW, THEREFORE, the Parties agree as follows:

Definitions

As used in this Agreement, the following terms will have the corresponding meanings:

1. "Breach" has the meaning specified in § 17921 of the HITECH Act;
2. "Business Associate" has the meaning specified in the Privacy Rule, the Security Rule, § 27938 of the HITECH Act, and 45 C.F.R. § 160.103;
3. "Individual" has the meaning specified in 45 C.F.R. § 160.103;
4. "Client" means an Individual whose PHI is processed via PARiConnect on behalf of the Customer, whether such Individual is a client, patient, or student;
5. "Covered Entity" has the meaning specified in 45 C.F.R. § 160.103;
6. "Customer" means a PAR customer who has registered to use PARiConnect;
7. "Designated Record Set" has the meaning specified in 45 C.F.R. § 160.501;
8. "DHHS" means the United States Department of Health and Human Services;
9. "DHHS Regulations" means the administrative regulations issued by DHHS and set for the in 45 C.F.R. Parts 160 through 164;
10. "Electronic Health Record" has the meaning specified in § 17921 of the HITECH Act;
11. "Electronic Protected Health Information" or "ePHI" has the meaning specified in 45 C.F.R. § 160.103;
12. "HIPAA" means the Health Insurance Portability and Accountability Act of 1996;
13. "Privacy & Security Simplification Rules" means the privacy and security regulations promulgated under Title II, Subtitle F, §§ 261-264 of HIPAA;
14. "HITECH Act" means the Health Information Technology for Economic and Clinical Health Act of 2009, Public Law 111-005;
15. "PARiConnect" means the online, automated computer assessment platform with web-based access located at https://www.pariconnect.com;
16. "Privacy Rule" means the Standards for Privacy of Individually Identifiable Health Information at 45 C.F.R. Parts 160 and 164, subparts A and E;
17. "Protected Health Information" or "PHI" has the meaning specified in 45 C.F.R. § 160.103;
18. "Required by Law" has the meaning specified in 45 C.F.R. § 164.501;
19. "Security Rule" means the Standards for Security of Electronic Protected Health Information at 45 C.F.R. Parts 160 and 164, subparts A and E;
20. "Secretary" means the Secretary of the United States Department of Health and Human Services and those employees or agents designated to act on the Secretary's behalf;
21. "Security" or "Security Measures" means the administrative, physical, and technical safeguards and documentation requirements specified in the Security Rule; and
22. "Unsecured PHI" has the meaning specified in § 17932 of the HITECH Act and 45 C.F.R. 164.402.

Business Associate obligations

1. If and to the extent and so long as required by the HIPAA provisions of 42 U.S.C. §§ 1171 et seq. and regulations promulgated thereunder, and any additional security requirements contained in Subtitle D of Title IV of the HITECH Act that apply to Customer, but not otherwise, PAR assures Customer that PAR will: a. implement appropriate safeguards, including, without limitation, administrative, physical, and technical safeguards and documentation satisfying the requirements of the Security Rule, to protect the confidentiality, integrity, and availability of any Client ePHI that it may indirectly receive, maintain, or transmit; and b. appropriately safeguard all Client PHI regardless of form or format.
2. PAR will mitigate, to the extent practicable, any harmful effect known to PAR of a use or disclosure of Client PHI by PAR in violation of this Agreement.
3. PAR will report to the Customer any use or disclosure of Client PHI not authorized in this Agreement or any security incident involving Client PHI of which PAR becomes aware.
4. PAR will ensure that any subcontractors or agents to whom PAR provides Client PHI agree to the same restrictions and conditions applicable to PAR with respect to such Client PHI.
5. PAR will make available Client PHI in accordance with applicable law.
6. PAR will provide Individuals who are the subject of Client PHI their rights as required of Business Associates.
7. PAR will maintain records pursuant to this Agreement and provide such records and other necessary information to the Customer or to the Secretary as requested or required in writing and as permitted by law. All records kept in connection with this Agreement will be subject to the Customer's review and audit upon reasonable notice and written request by the Customer.
8. On termination of this Agreement for any reason (see "Term and termination" below), PAR will destroy all Client PHI that PAR still maintains in any form (including all copies thereof), will not retain copies or files of such Client PHI, and will remain obligated not to use, disclose, or provide such Client PHI to third parties.
9. PAR shall incorporate any amendments or corrections to Client PHI when notified by the Customer pursuant to applicable law, in the event that the Customer cannot access such Client PHI.
10. "Unsecured PHI" has the meaning specified in § 17932 of the HITECH Act and 45 C.F.R. 164.402.

Permitted uses and disclosures

If PAR inadvertently obtains Client PHI, PAR may use or disclose such Client PHI only if such use or disclosure complies with all applicable requirements of 45 C.F.R. § 164.504(e). Specifically, and except as otherwise restricted by this Agreement:

1. PAR may use or disclose Client PHI to perform functions, activities, or services for, or on behalf of, the Customer, provided that any such use or disclosure (a) would not violate the Privacy or Security Rules if done by the Customer; and (b) is disclosed to both the Customer and Clients.
2. PAR may use or disclose Client PHI for PAR's proper management and administration or to carry out PAR's legal responsibilities only if and to the extent that (a) such use or disclosure is required by law; or (b) PAR obtains reasonable assurances from the person(s) to whom the Client PHI is disclosed ("Recipient") that such Client PHI will be maintained in confidence and used or further disclosed only for the purpose for which PAR disclosed to the Recipient or as required by law and that the Recipient will notify the Customer on learning of breach of confidentiality of such Client PHI.

De-identification/anonymization

The Customer agrees that PAR shall be entitled to de-identify and aggregate data provided to PAR for internal analytical purposes so long as PAR ensures that such data ("De-identified Aggregated Data") are effectively and irreversibly anonymized and de-identified prior to such internal use and that no individual will be identifiable from such data once anonymized and aggregated such that the De-identified Aggregated Data will not constitute "protected health information" or "individually identifiable health information" as defined by 45 C.F.R. §160.103. PAR may use De-identified Aggregated Data internally to improve our products and services. PAR has never and will never deliberately disclose Client ePHI to outside parties.

Application of civil and criminal penalties

1. PAR acknowledges that 42 U.S.C. §§ 1320d-5 and 1320d-6 shall apply to PAR if it violates any security provision specified above or §§ 1176 and 1177 of the Social Security Act in the same manner that such sections would apply to the Customer.
2. PAR will be subject to audit of its security measures by the Office of the Inspector General ("OIG") of DHHS.

Breach notification requirements

1. PAR recognizes that the Customer has certain reporting and disclosure obligations to the Secretary of DHHS and others, including affected Individuals, in case of a Breach of Unsecured Client PHI. If PAR discovers a Breach with respect to Unsecured Client PHI accessed, maintained, retained, modified, recorded, stored, destroyed, used, or disclosed by PAR, PAR will notify Customer of such Breach without unreasonable delay and in no event later than 60 days following PAR's discovery of the Breach. Such notice will include the identification of any Individual whose Unsecured Client PHI has been or is reasonably believed to have been accessed, acquired, or disclosed during the Breach.
2. PAR will be liable for the costs associated with any Breach caused by the negligent or willful acts or omissions of PAR or its agents, officers, employees, or subcontractors.

Insurance

1. PAR will maintain comprehensive general liability insurance throughout the Term (as defined below) of this Agreement in minimum limits of $1,000,000 USD per occurrence or per claim and $3,000,000 USD in the aggregate.
2. If PAR secures claims insurance coverage, it will purchase an unlimited reporting endorsement on the cancellation or termination of said coverage.
3. If requested, PAR will provide the Customer a certificate of insurance evidencing such coverage before the Effective Date (defined below) of this Agreement and any renewals thereof.

Business Associate indemnity

1. PAR will indemnify and hold the Customer and its directors, officers, agents, employees, and personnel (collectively "Indemnified Parties") harmless from and against all claims, demands, suits, losses, causes of action, or liability sustained by Indemnified Parties as a result of PAR's breach of this Agreement or the Customer's vicarious liability for any act or conduct of PAR adjudged to constitute fraud, misrepresentation, or violation of any law, statute, or regulation applicable to the conduct of PAR provided pursuant to this Agreement.
2. This indemnification will include reasonable expenses, including attorney's fees incurred by defending such claims; damages incurred because of PAR's failure to comply with applicable laws, ordinances, and regulations; or damages otherwise caused by PAR.

Document transmission

Third-party service providers

1. Transmission.Either Party may transmit documents (each a "Document") electronically to the other Party, either directly or through any third-party service provider with which either Party may contract. Either Party may modify its election to use, not use, or change a third-party service provider with 30 days' prior written notice to the other Party.
2. Costs of third-party service providers.Each Party shall be responsible for the costs of any third-party service provider with which it contracts unless otherwise set forth via written (i.e., e-mailed, faxed, or letter) communication between the Parties.
3. Liability for acts of third-party service providers.Each Party shall be liable for the acts or omissions of its third-party service provider while transmitting, receiving, storing, or handling Documents or performing related activities for, with, to, or from such Party, provided that, if both Parties use the same third-party service provider to effect the transmission and receipt of a Document, the originating Party shall be liable for the acts or omissions of such third-party service provider as to such Document.

System operations

Each Party, at its own expense, shall provide and maintain the equipment, software, services, and testing necessary to effectively, reliably, and confidentially transmit and receive Documents.

Signatures

Each Party shall adopt as its signature ("Signature") an electronic identification consisting of symbol(s) or code(s) that are to be affixed to or contained in each Document transmitted by such Party. Each Party agrees that any Signature of such Party affixed to or contained in any transmitted Document shall be sufficient to verify that such Party originated such Document. Neither Party shall disclose to any unauthorized person the Signature of the other Party. Such Signature may be represented by the combination of the e-mail address and password of the Customer.

Proper receipt

No Document will be deemed to have been properly received or give rise to any obligation until accessible to the receiving Party at such Party's e-mail address as used for PARiConnect registration.

Verification

On proper receipt of any Document, the receiving Party shall promptly and properly transmit a functional acknowledgment in return. A functional acknowledgment shall constitute conclusive evidence that the receiving Party has properly received a Document.

Integrity

The Parties will take reasonable measures to protect the integrity of all Documents and data. Neither Party will insert any virus, key locks, or other programs into the system, regardless of whether a dispute exists between the Parties. The receiving Party will return all information in usable form on request or on termination of the Agreement.

Amendment

PAR may amend this Agreement from time to time to the extent required to ensure consistency with the provisions of 42 U.S.C. §§ 1171 et seq., HIPAA, the HITECH Act, and regulations promulgated thereunder.

Term and termination

1. This Agreement will be effective as of the date when the Agreement has been electronically accepted by the Customer ("Effective Date") and remain in effect (the "Term") until terminated as set forth below.
2. This Agreement may be terminated:
   1. On written notice by the Customer;
   2. By the Customer in the event of PAR's material breach of this Agreement, which has not been cured to the Customer's satisfaction, in the Customer's sole discretion, without penalty or recourse to the Customer and without limiting any other rights and remedies available to the Customer under this Agreement or applicable law; or
   3. By PAR after 36 months of inactivity on the Customer's PARiConnect account, at which time PAR may presumptively determine that the Customer has terminated its use of PARiConnect.
3. On termination of this Agreement for any reason:
   1. PAR will delete all Customer data and return or destroy all Client PHI received or created on behalf of the Customer, including Client PHI that is in the possession of any PAR subcontractors or agents, and will retain no copies of the Client PHI, unless PAR determines that the return or destruction of any or all Client PHI is not feasible;
   2. If PAR determines that the return or destruction of any or all Client PHI is not feasible, PAR will so notify the Customer in writing. If the Parties mutually agree that such return or destruction is not feasible, PAR will extend the protections of this Agreement to, and limit further uses and disclosures of, such Client PHI to those purposes that make the return or destruction not feasible so long as PAR maintains the Client PHI.

Additional stipulations

This Agreement also contains a number of stipulations that are specific to the use of PARiConnect by the Customer ("Additional Stipulations"), which have been included in the PARiConnect Terms and Conditions of Use and/or additional disclosures contained in this Agreement. By accepting this Agreement, the Customer also agrees to be bound by the Additional Stipulations.

California Confidentiality of Medical Information Act Notice

You can find data breaches reported pursuant to California Civil Code § 1798.82 on the California Attorney General’s website at https://oag.ca.gov/privacy/databreach/list

Data Processing Addendum

Data Processing Agreement last updated: May 10, 2023

1.Scope

1.1The following Data Processing Addendum (“DPA”) applies to all transfers of Personal Information (defined below) by and between Psychological Assessment Resources, Inc., PARiConnect, PAR InVista, and/or the Self-Directed Search (collectively, “PAR,” “we,” “us,” or “our”) and any entities that provide the Personal Information of their patients, clients, students, or customers to PAR for PAR's provision of services (these entities are herein referred to as “Customer”). This DPA is effectively incorporated into the agreement (“Agreement”) entered into between PAR and Customer (each a “Party” and collectively the “Parties”). This DPA is effective as of the date of the Agreement. In the event of a conflict between any provisions of the Agreement and the provisions of this DPA, the provisions of this DPA shall govern and control.

1.2PAR acknowledges that Customer and/or the data it discloses to PAR may be subject to consumer privacy laws and regulations, as well as common law restrictions and/or obligations (the “Consumer Privacy Laws”). Consumer Privacy Laws may include, but it is not limited to, laws, and associated regulations or guidance, such as pursuant to the Health Insurance Portability and Accountability Act, General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (“GDPR”), U.K. General Data Protection Regulation, California Consumer Privacy Act (the “CCPA”) and California Privacy Rights Act (“CPRA”), as codified in California Civil Code sections 1798.100, et seq. (collectively, “CCPA/CPRA”), and other similar foreign or domestic, federal, state, or local privacy statutes, regulations, rules, or guidance, laws currently in effect or that may come into effect during the term of the Agreement, all as applicable and as may be amended from time to time.

2.Definitions

2.1Based on Customer's relationship with PAR, PAR is considered a “service provider,” “contractor,” or “processor” (collectively, “Processor”) under the Consumer Privacy Laws. As a Processor, PAR may process and/or receive “personal information” or “personal data,” as such terms are defined in applicable Consumer Privacy Laws, from, or on behalf of, Customer (such personal information or personal data is herein referred to as “Personal Information”).

2.2The term “security incident” means (i) any act or omission that compromises either the security, confidentiality, or integrity of Personal Information or the physical, technical, administrative, or organizational safeguards put in place by PAR that relate to the protection of the security, confidentiality, or integrity of Personal Information, or (ii) receipt of a complaint in relation to the privacy and data security practices of PAR or a breach or alleged breach of this DPA. Without limiting the foregoing, a compromise shall include any unauthorized access to or disclosure or acquisition of Personal Information.

2.3The term “Model Clauses” means the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.

2.4The term “U.K. Addendum” means the template U.K. Information Commissioner's Office Addendum to the Model Clauses for international data transfers, issued under Section 119A of the U.K. Data Protection Act 2018, and including both tables and mandatory clauses.

3.PAR Commitments

3.1PAR will comply with Customer's instructions regarding the processing of Personal Information, including but not limited to instructions regarding amending, transferring, or deleting Personal Information.

3.2PAR shall not “sell” or “share” Personal Information it collects pursuant to the Agreement, as those terms are defined by applicable Consumer Privacy Laws.

3.3Customer is providing PAR access to Personal Information for the limited and specific purposes provided in the Agreement, as described in section 5 herein, and/or as otherwise expressly permitted by Consumer Privacy Laws. PAR shall not retain, use, or disclose Personal Information for any purpose(s) other than those specified in section 5 herein or otherwise permitted by the Consumer Privacy Laws. Such purposes are incorporated by reference herein.

3.4PAR shall not retain, use, or disclose Personal Information that it collects pursuant to the Agreement for any “commercial purpose,” as defined by applicable Consumer Privacy Laws, other than the business purposes specified in section 5 herein, including in the servicing of any entity other than Customer.

3.5PAR shall not retain, use, or disclose Personal Information it collects pursuant to the Agreement outside of the direct business relationship between PAR and Customer.

3.6PAR shall not combine or update Personal Information with any other information, except to perform a business purpose defined in Consumer Privacy Laws, such as regulations adopted pursuant to Cal. Civ. Code § 1798.185(a)(10), except as provided by Consumer Privacy Laws.

3.7PAR shall comply with all applicable laws and obligations regarding the use and protection of Personal Information, including all Consumer Privacy Laws, as applicable. PAR certifies that it understands these restrictions, including pursuant to the CCPA/CPRA, and shall comply with them.

3.8PAR shall provide the same level of privacy protection as required by Customer, and shall assist the Customer in meeting the Customer's obligations in relation to the Personal Information. These privacy protections and obligations include, but are not limited to:

1. collecting and processing Personal Information solely to the extent the processing is necessary, reasonable, and proportionate to the specific purpose(s) listed in section 5 herein or otherwise permitted by Consumer Privacy Laws.
2. cooperating with Customer in responding to and complying with consumer requests made pursuant to Consumer Privacy Laws. PAR shall without undue delay notify Customer, and provide Customer with copies, of all communications from, or requests made by (i) consumers in relation to their rights under any Consumer Privacy Laws; and (ii) any state or government regulators related to Personal Information.
3. implementing reasonable security procedures and practices to protect the Personal Information from unauthorized or illegal processing, access, copying, storage, reproduction, display, loss, destruction, damage, use, modification, or disclosure in accordance with California Civil Code section 1798.81.5 and other Consumer Privacy Laws' similar requirements, including but not limited to technical and organizational measures appropriate to the nature of the Personal Information and risk to the same. PAR shall be responsible for implementing and maintaining such measures on systems PAR uses for processing Personal Information.
4. providing notification of any security incident related to any system, platform, or process that PAR, its employees, agents, subprocessors, or representatives use to process Personal Information. PAR shall report any such security incident to Customer without undue delay. PAR shall follow Customer's instructions regarding security incidents to enable Customer to perform a thorough investigation into the incident, formulate a response, and take further steps in respect to the incident.

3.9PAR shall ensure that each person processing Personal Information is subject to a duty of confidentiality with respect to such Personal Information. The termination or expiration of this DPA shall not discharge PAR from its confidentiality obligations pursuant to the Agreement and this paragraph. PAR shall process Personal Information until the date of expiration or termination of the Agreement, unless instructed otherwise by Customer, or until such data is returned, de-identified, or destroyed on instruction of Customer.

3.10If PAR engages any other person or entity to assist it in processing Personal Information for purposes of providing the services enumerated in the Agreement, PAR shall:

1. notify Customer of that proposed engagement in advance;
2. provide Customer at least five (5) business days to object to such engagement; and
3. ensure that the engagement complies with all Consumer Privacy Laws and is pursuant to a written contract binding such party to observe all material requirements regarding Personal Information and Customer's rights in relation to the same, as laid out herein. PAR remains responsible for any acts or omissions committed by itself, its representatives, agents, employees, officers, subcontractors, or any person or entity to which it or they provide access to Personal Information.

3.11To the extent PAR processes or receives any deidentified personal information, as defined by applicable Consumer Privacy Laws, from, or on behalf of, Customer (“Deidentified Information”), PAR shall comply with all Consumer Privacy Laws concerning the Deidentified Information, including maintaining the information as deidentified personal information. PAR shall take reasonable measures to ensure the Deidentified Information cannot be associated with a consumer or household, publicly commit to maintain and use the Deidentified Information in deidentified form, not attempt to reidentify the information unless solely for the purpose of determining whether the data is deidentified, and contractually obligate any recipient of the Deidentified Information to comply with this DPA and all Consumer Privacy Laws regarding the processing of such Deidentified Information.

3.12Unless PAR is otherwise required by law, or if Customer sooner requests PAR return Personal Information to Customer instead, PAR will delete and destroy Personal Information and all copies of the same once the Personal Information is no longer needed to complete the transaction or services requested.

3.13Upon the reasonable request of Customer, PAR shall make available to Customer all information in its possession, custody, or control that is necessary to demonstrate PAR's compliance with all Consumer Privacy Laws and the requirements of this DPA or to enable Customer to conduct and document any required data protection assessments.

3.14PAR shall notify Customer if PAR determines it can no longer meet its Consumer Privacy Laws obligations.

3.15To the extent PAR processes any Personal Information from the European Economic Area (“EEA”) or United Kingdom (“U.K.”), Customer as “data exporter” and PAR as “data importer” hereby enter into the Model Clauses and U.K. Addendum. If required by law or by any agency or regulatory body with jurisdiction, the Parties agree to re-execute the Model Clauses and U.K. Addendum (including Annexes hereto) as a document separate from this DPA. For purposes of the Model Clauses and U.K. Addendum, the Parties hereby agree that:

1. Module Two of the Model Clauses and the U.K. Addendum are incorporated by reference into this DPA.
2. Signatures applied to the Agreement will be taken as equally signing and effectuating the Model Clauses and U.K. Addendum where applicable to the underlying Personal Information processed by PAR.
3. Clause 7 and the optional provision in clause 11 of the Model Clauses are excluded.
4. With respect to clause 9 of the Model Clauses, the Parties select Option 2. The applicable time period for changes to the sub-processor list shall be at least five (5) business days' written notice prior to the engagement of the sub-processor. The list of sub-processors already authorized by Customer can be found at Annex III.
5. With respect to clause 17 of the Model Clauses, the Parties select Option 1 and the governing law is that of Ireland for Model Clause purposes and England and Wales for U.K. Addendum purposes.
6. With respect to clause 18 of the Model Clauses, the courts of Ireland shall resolve any disputes arising from the Model Clauses; the courts of England and Wales may resolve disputes arising from the U.K. Addendum.
7. If there is any conflict between the DPA and the Model Clauses and U.K. Addendum, the Model Clauses shall prevail to the extent applicable to the processing at issue. (h) The Parties agree to the U.K. Addendum Tables provided at Annex IV. 4.

4.Additional Rights and Obligations

4.1PAR grants Customer the right to take, and PAR shall allow and contribute to, appropriate and reasonable steps to monitor PAR and ensure PAR's use of Personal Information is consistent with all applicable privacy rights and obligations, whether statutory, regulatory, based in common law, contractual, or otherwise. These steps may include, but are not limited to, ongoing manual reviews, automated scans, regular assessments, audits, or other policy review or technical and operational testing at least once every 12 months. As an alternative to a Customer-requested review, assessment, audit, or testing, PAR may arrange for a qualified and independent assessor, using an appropriate and accepted control standard or framework and assessment procedure, to conduct such review, scan, assessment, audit, or other policy review and testing of PAR's policies and technical and organizational measures to satisfy its obligations under this DPA. PAR shall provide a report of all such reviews, scans, assessments, audits, or tests to Customer upon request.

4.2PAR grants Customer the right, upon notice, to take reasonable and appropriate steps to stop, mitigate, and remediate any and all unauthorized use of Personal Information.

4.3Customer is responsible for providing any required privacy notice to data subjects and securing any required consent for PAR's processing of Personal Information in accordance with Customer's instructions.

4.4Customer agrees that PAR may aggregate data and use such data for analytical purposes. In those instances, PAR will ensure that the data is effectively anonymized prior to such use and that no individual is reasonably identifiable from the data once anonymized and aggregated.

4.5PAR shall enable Customer to comply with any consumer privacy request made pursuant to Consumer Privacy Laws.

4.6The parties will work and communicate with each other in good faith to comply with Consumer Privacy Laws.

1. From time to time, the parties may amend this DPA to clarify the understanding of the relationship of the parties and to clarify the obligations of each party with respect to current or future privacy laws. Such modifications are effective upon signature by all parties.
2. Upon the request of a Party (“Requesting Party”), either voluntarily or upon reasonable request, the other Party (“Receiving Party”) shall promptly provide to the Requesting Party relevant and accurate information to facilitate updates to the Requesting Party's privacy policy or other notice obligation under applicable Consumer Privacy Laws.

4.7Indemnification.

1. Separate and apart from any indemnification provided for in the Agreement, each party to this Agreement (an “Indemnifying Party”) will defend, indemnify and hold the other Party, its parent, subsidiaries and affiliates, and its current and former officers, directors, employees, contractors, agents and representatives (collectively, the “Indemnified Party”) harmless from and against any and all liabilities, losses, damages and costs, including reasonable attorneys' fees (collectively, “Losses”), resulting from a third party claim connected with (a) any breach by an Indemnifying Party of any commitment contained herein, (b) the failure by an Indemnifying Party or any of its agents, employees or subcontractors to perform its duties or obligations hereunder, or (c) the negligent, wilful, wrongful, or illegal acts or omissions of an Indemnifying Party or any of its agents, employees or subcontractors.
2. It will be an ongoing condition of the foregoing indemnity that the Indemnified Party give the Indemnifying Party prompt written notice of any actual or threatened claim, and provide the Indemnifying Party with all reasonably accessible information regarding such claims in the Indemnified Party's possession. The Indemnified Party will promptly notify the Indemnifying Party of any claim, demand, suit or proceeding for which the Indemnifying Party has agreed to indemnify and hold the Indemnified Party harmless, and the Indemnifying Party, upon written request by the Indemnified Party, will promptly defend and continue the defense of such claim, demand, suit or proceeding at the Indemnifying Party's expense. If the Indemnifying Party fails to undertake and continue such defense, the Indemnified Party will have the right (but not the obligation) to make and continue such defense as it considers appropriate, and the expenses and costs thereof, including but not limited to attorneys' fees, out-of-pocket expenses and the costs of an appeal and bond thereof, together with the amounts of any judgment rendered against the Indemnified Party, will be paid by the Indemnifying Party. The Indemnifying Party shall not enter into any settlement of an indemnified claim for which the Indemnified Party does not receive a general release without the prior written approval of the Indemnified Party. Nothing herein will prevent the Indemnified Party from defending, if it so desires in its own discretion, any such claim, demand, suit or proceeding at its own expense through its own counsel, notwithstanding that the defense thereof may have been undertaken by the Indemnifying Party.

4.8Limitation of Liability.

EXCEPT WITH RESPECT TO EACH PARTY'S OBLIGATIONS AS TO CONFIDENTIALITY AND INDEMNIFICATION, OR LOSSES ARISING FROM A PARTY'S GROSS NEGLIGENCE OR WILLFUL MISCONDUCT:

1. UNDER NO CIRCUMSTANCES SHALL EITHER PARTY TO THIS AGREEMENT BE LIABLE FOR ANY CONSEQUENTIAL, INCIDENTAL, INDIRECT, EXEMPLARY, SPECIAL, OR PUNITIVE DAMAGES WHETHER ARISING OUT OF BREACH OF AGREEMENT, TORT (INCLUDING NEGLIGENCE) OR OTHERWISE, REGARDLESS OF WHETHER SUCH DAMAGE WAS FORESEEABLE AND WHETHER OR NOT SUCH PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES, AND NOTWITHSTANDING THE FAILURE OF ANY AGREED OR OTHER REMEDY OF ITS ESSENTIAL PURPOSE; AND
2. IN NO EVENT SHALL EITHER PARTY'S AGGREGATE LIABILITY ARISING OUT OF OR RELATED TO THIS AGREEMENT, WHETHER ARISING OUT OF OR RELATED TO BREACH OF AGREEMENT, TORT (INCLUDING NEGLIGENCE) OR OTHERWISE, EXCEED THE AMOUNT OF THE TOTAL FEES ACTUALLY PAID TO CONTRACTOR PURSUANT TO THIS AGREEMENT.

5.Description of Processing

1. Nature and Purpose of Processing. PAR processes Personal Information provided by individuals about themselves to provide psychological and career assessments used by individuals and/or their psychologists, career advisors, or similar professionals to evaluate, diagnose, or otherwise provide guidance or advice to the particular individual.
2. Type of Data Involved in Processing. This Agreement may involve the processing of the following types of Personal Information: name, demographic data, assessment responses, contact information, and medical information.

6.Disputes

Any disputes arising from or in connection with this DPA shall be brought as set forth in the Agreement.

 

MODEL CLAUSES ANNEX I

A.List of Parties

Data Exporter

Data Exporter is: Customer.

Address: See Agreement.

Contact person's name, position, and contact details:

See Agreement.

Activities relevant to the data transferred under these Clauses:

Data Exporter is a professional seeking PAR's assistance evaluating an individual for purposes of Data Exporter advising the data subject.

Data Exporter is the Controller.

 

Data Importer

Data Importer is: PAR.

Address: 16204 N Florida Ave, Lutz, FL 33549.

Contact person's name, position, and contact details:

Travis White, PhD, President and Chief Operating Officer

twhite@parinc.com

1.800.331.8378

Activities relevant to the data transferred under these Clauses:

Data Importer processes the data provided to assist Data Exporter in providing professional services to the data subject.

Data Importer is the Processor.

B.Description of Transfer

1. Categories of data subjects whose personal data is transferred: consumers.
2. Categories of personal data transferred: see Section 5.
3. Restrictions and safeguards: see full DPA.
4. Frequency of transfer: ongoing.
5. Nature and purpose of processing: see Section 5.
6. Data retention period: Length of Agreement.
7. Transfers to sub-processors: [If applicable, input subject matter, nature, and duration of processing.]

C.Competent Supervisory Authority

The competent supervisory authority for purposes of the Model Clauses is the Irish Supervisory Authority. The competent supervisory authority for purposes of the U.K. Addendum is the U.K. Information Commissioner's Office.

 

MODEL CLAUSES ANNEX II

Description of the technical and organizational measures implemented by the data importer(s)

PARiConnect IT Controls

PAR employs and applies a variety of information technology tools, strategies, devices, and methodologies to protect both PAR Customer data and patient/client data and item responses that are captured and stored on PARiConnect. Below is information pertaining to these various IT controls.

Hosting and Storage Controls

• Servers utilized by PARiConnect are located at a professionally managed data hosting facility located in the central southeast region of the U.S. This is the primary facility for PARiConnect servers and is connected via a dedicated circuit to a backup facility at PAR in Florida, U.S.
• The hosting facility data centers have been evaluated against ISO 27001 and have undergone a SAS 70 Type II or SSAE 16 review.
• A third party has performed penetration testing using established guidelines/methodology.
• All sites housing PARiConnect applications and data have secure firewalls and current antivirus software installed.
• A third party has performed an external vulnerability scan.
• Sensitive application data is encrypted in transit using at least HTTPS TLS 1.2.
• Sensitive application data is encrypted at rest using the encryption algorithm AES-256.
• Database tables/fields are protected using FIPS-140-compliant encryption for all tables/fields containing sensitive data.

Application Controls

• Applications log security-relevant events. Each log entry must contain, at minimum, the following: user or process ID of the user or process causing the event, failure of the attempt to access security file, date/time of the event, type of event, success or failure of the event, and seriousness of event violation.
• Application logs are retained for at least 30 days.
• The application process runs only with least privileges necessary for proper operation (for example, root or administrator privileges are used only for specifically required operations, whereas in normal mode the application runs as a user without administrative privileges).
• A disaster recovery and backup/restore plan are in place. If applicable, data are destroyed using a NIST 800-88 compliant method.
• PAR has a Secure Software Development Life Cycle (SSDLC) in place that includes peer code review and developer security training, and a code promotion/release management strategy is in place.
• PAR does NOT store assessment scores and/or results—only item responses are stored, and such item responses are stored separately from the patient/client personal data and
• Separately from the assessment items. This data, along with many other elements including personal data and demographics, are encrypted.

General Security Controls

• PARiConnect has a team designated with overall responsibility for the application, its controls, design, security, etc.
• PAR regularly monitors vulnerabilities in underlying products (e.g., Microsoft, Linux, databases) and patches all critical vulnerabilities within 30 days, unless overridden by Senior Leadership which is documented as an exception (example: patching would break application until the patch vendor or internal staff resolve the issues causing the failure).
• PAR and its hosting vendor maintain and monitor security appliances such as intrusion protection systems (IPS) to detect abnormal system, malware, and user behavior.
• No vendor has access to PARiConnect data and/or applications.
• All PAR employees are subject to pre-employment background checks.
• All PAR employees must complete annual security awareness training with testing. A record of each employee's compliance status is retained.
• Passwords are accessible only to select IT employees and require oversight by the Chief Technology Officer.
• Payment information related to purchases by PAR Customers is NOT maintained or stored on PARiConnect.

Disaster Recovery/Business Continuity Strategy (DR/BC)

• PAR employs an active/passive strategy with respect to DR/BC. The primary PARiConnect production servers act as the active installation, with real-time replication occurring to a fail-over (passive) server structure that remains ready and available to take over processing. Fail-over for Customer-facing systems is generally accomplished in approximately two minutes or less.
• PAR effectively creates backups in real time. Additionally, further backups are retained at a secure third-party location, as well as on-site for at least 30 days to facilitate any unlikely, but potential, need to restore data from a prior date(s).
• PAR retains electronic logs regarding the digital backup process, as well as logs regarding off-site storage.

MODEL CLAUSES ANNEX III

Approved list of sub-processors

Infrastructure Sub-Processors

Sub-Processor	Location	Purpose/Services	Website
Flexential	United States	Data center services	https://www.flexential.com/
Microsoft Azure	United States	Cloud Hosting	https://azure.microsoft.com/

 

General Sub-Processors

Sub-Processor	Location	Purpose/Services	Website
Microsoft	United States	Business administration, delivery, support, and related services	https://www.microsoft.com/
Microsoft D365	United States	Cloud based accounting and customer support services	https://dynamics.microsoft.com
SK Global	United States	Payment Processing	https://www.sksoft.com/
Pay Fabric	United States	Payment Gateway	https://www.payfabric.com/
EVO	United States	Payment Processor	https://www.nodus.com/
Avalara	United States	Tax solutions	https://www.avalara.com/
Pacejet	United States	Shipping Software solutions	https://www.pacejet.com/
CIO Tech	United States	IT Support services	https://www.ciotech.us/
Quisitive	United States	IT Support services	https://www.quisitive.com/
Click Dimensions	United States	Marketing Email services	https://www.clickdimensions.com/
Google Analytics	United States	Analytics	https://analytics.google.com/
Pendo.io, Inc.	United States	Analytics	https://www.pendo.io/
Altaro	United States	Cloud based backup solutions	https://www.altaro.com/

 

MODEL CLAUSES ANNEX IV

Table 1:Parties

Start date	Date of the Agreement
The Parties	Exporter (Customer)	Importer (PAR)
Parties' details	Full legal name: See Agreement Trading name (if different): N/A Main address (if a company registered address): See Agreement Official registration number (if any) (company number or similar identifier): See Agreement (if applicable)	Full legal name: See Agreement Trading name (if different): N/A Main address (if a company registered address): See Agreement Official registration number (if any) (company number or similar identifier): See Agreement (if applicable)
Key Contact	Full Name (optional): See Agreement Job Title: See Agreement Contact details including email: See Agreement	Full Name (optional): See Agreement Job Title: See Agreement Contact details including email: See Agreement

 

Table 2:Selected SCCs, Modules and Selected Clauses

Addendum EU SCCs

☐The version of the Approved EU SCCs which this Addendum is appended to, detailed below, including the Appendix Information: Date:          Reference (if any):                                 Other identifier (if any):                                 Or ☒the Approved EU SCCs, including the Appendix Information and with only the following modules, clauses or optional provisions of the Approved EU SCCs brought into effect for the purposes of this Addendum:

Module	Module in operation	Clause 7 (Docking Clause)	Clause 11 (Option)	Clause 9a (Prior Authorisation or General Authorisation)	Clause 9a (Time period)	Is personal data received from the Importer combined with personal data collected by the Exporter?
1
2	X	No	No	General Authorisation	5 business days	No
3
4

 

Table 3:Appendix Information

“Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this Addendum is set out in:

Annex 1A: List of Parties: See Annex I

---

Annex 1B: Description of Transfer: See Annex I

---

Annex II: Technical and organisational measures including technical and organisational measures to ensure the security of the data

---

Annex III: List of Sub processors (Modules 2 and 3 only)

---

 

Table 4:Ending this Addendum when the Approved Addendum Changes

Ending this Addendum when the Approved Addendum changes

Which Parties may end this Addendum as set out in Section ‎19: ☐Importer ☐Exporter ☒neither Party