Last Updated: 5/8/2023

At VIDA Diagnostics, Inc. (together with any affiliates henceforth referred to as “VIDA,” “Us,” and “We”), we value and respect individual privacy and are strongly committed to safeguarding personal data, including health data. VIDA provides software and services that are routinely used by health care providers and others in clinical practice, along with academic, device, and pharmaceutical clinical trials. In conjunction with our software and services, we may receive, transmit, store, and otherwise use personal data from our customers. VIDA may process the personal data to provide the software or services, to correct and address technical or service problems, and to otherwise fulfill the instructions of the customer who submitted the data.

To facilitate compliance by us and our customers based in the European Union (EU) and European Economic Area (EEA) with the applicable privacy laws, VIDA offers its customers Standard Contractual Clauses (henceforth referred to as “The Model Clauses”) to incorporate into our written agreements. The Model Clauses make specific commitments about the ways in which VIDA will process personal data transferred to VIDA for in-scope VIDA services and cannot be modified. The Model Clauses are issued by the EU Commission to provide EU controllers a framework for ensuring adequate safeguards that are consistent with EU data protection laws are established for personal data transfers outside the EU, in compliance with Regulation (EU) 2016/679 of the European Parliament (the “Regulation”).

The Model Clauses are applicable only to the Personal Data of EU data subjects sent to VIDA from its customers for processing in conjunction with VIDA software and services.

VIDA has invested in the operational processes necessary to meet the requirements of The Model Clauses.

The following sets forth VIDA’s privacy policy within the framework of The Model Clauses.

DEFINITIONS

  • (a) ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

  • (b) ‘data exporter’ means the controller or processor who transfers the personal data to a third country;

  • (c) ‘data importer’ means the controller or processor residing in a third country who receives the personal data from the data exporter;

  • (d) ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

  • (e) ‘third party’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorized to process personal data;

    Source: EU Data Protection Directive (95/46/EC).

POLICY COMMITMENTS

It is VIDA’s policy to:

  1. Data transfer. Safeguard transfers of personal data to VIDA as mutually agreed to by all relevant parties in The Model Clauses.
  2. Data processing. Process the personal data only on behalf of the customer and in compliance with its instructions and the Model Clauses.
  3. Notification. Promptly inform the customer of:

    a. Its inability to comply with its instructions or The Model Clauses and agree to suspend the data transfer activities and/or terminate the agreement at the customer’s request;

    b. Any legally binding request for disclosure of the personal data by a law enforcement authority unless the notification is lawfully prohibited;

    c. Any instances of accidental or unauthorized access to personal data covered by The Model Clauses;

    d. Any request received directly from the data subjects without responding to that request, unless it has been otherwise authorized to do so.

  4. Responsiveness and Cooperation With Authorities. Promptly address inquiries from the customer relating to its processing of transferred personal data and abide by the advice of relevant EU authorities with regard to the processing of the transferred data.

  5. Technical and Organizational Security Measures. Apply the technical and organizational security measures specified in the Model Clauses to the personal data before processing the personal data. The technical and organizational security measures that are agreed to will provide at least the same level of protection for the personal data and the rights of EU data subjects as the customer. Sensitive data is usually pseudonymized prior to transmission. Pseudonymization is typically performed by VIDA systems. Whether the data will be pseudonymized by VIDA or the customer is determined during the contracting process.

  6. Audit Rights. Submit its processing activities (and those of its subprocessors) covered by the Model Clauses to audit by the customer, its agent, or an inspection body operating on behalf of a relevant EU authority.

  7. Data Subject Requests and Disputes. Make available to data subjects upon their request a copy of the Model Clauses, or any existing contract that governs subprocessing activities. With the exception of information about technical and organizational security measures specified in The Model Clauses, elements of the Model Clauses that contain sensitive commercial information may be redacted. In the event of a dispute about VIDA’s processing activities, VIDA shall accommodate any requests by the EU data subject to refer the dispute to mediation by an independent body or the supervisory authority or to the courts in the Member State in which the data exporter resides.

  8. Third Parties. Obtain written permission from or provide written notice to customers before engaging subcontractors to process personal data covered by the Model Clauses. VIDA enters into written agreements with its subcontractors and the agreements impose the same obligations under the Model Clauses that apply to VIDA.

  9. Termination of Services. Upon termination of the services provided to a customer, return or destroy the transferred personal data and the copies thereof that had not been destroyed previously in the normal course of the service, and certify to the customer that it has done so.

  10. Additional Obligations. Observe the requirements of any other Model Clauses entered into with customers not explicitly mentioned in this statement.

  11. Compelled disclosure: VIDA may be required to disclose personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements. VIDA will apply best efforts to notify our customers of any lawful disclosure requests involving their data and will challenge any requests when there are reasonable grounds to consider that the request is unlawful.

CHANGES TO THIS PRIVACY POLICY

We may periodically update this EU Privacy Policy. We encourage you to check back from time to time for updates.

CONTACT

If you have questions about our privacy practices or our treatment of the personal information you provide us, contact us at:

VIDA Diagnostics Inc.
2500 Crosspark Road
W250 BioVentures Center
Coralville, IA 52241
Email: info@vidalung.ai
Toll free: 1.855.900.VIDA (8432)
Fax: 610.602.5941