Last Updated: 06 August 2025

Terms of Use

Background

  • These “Terms of Standard Software Licence” (Terms) are the standard software licence terms for the licence of our software (Software) referred to on our online order form (Order Form) at the website https://my.singular.health (Website), and form part of the contract between Singular Health Pty Ltd (ABN 49 636 261 919) (Singular Health) and you. These Terms provide a licence agreement and not an agreement for sale.
  • These Terms set out the rights and conditions upon which you may use the Software. Singular Health reserves all rights not expressly granted in these Terms.
  • By ordering and accessing the Software, you acknowledge that you have read and understood these Terms and you accept that they are legally binding upon you.
  • You warrant that you have the authority to accept these Terms and to accept these Terms on behalf of any person on whose behalf you register for use of the Software.
  • If you do not accept and comply with these Terms, you may not use the Software and you must inform us immediately.
  • You should review the entire Terms, including any supplemental licence terms that may accompany the Software. If you do not understand or have any questions regarding the Software or these Terms, then please contact [email protected] before continuing use of the Software.
  • Singular Health may change these Terms or upgrade the Software by advising you by email or providing notification on its Website.
  • Singular Health personnel reserve the right to suspend or terminate your access to the Software at any time if these Terms are breached.
  • Any reference to Singular Health includes a reference to its representatives, directors, officers, employees and contractors.
  • The contract between Singular Health and you is formed upon your acceptance of the Order Form on the Website, and these Terms form part of that contract, if applicable.

Software Licence

By using the Software, you agree:

  • that Singular Health grants you a personal, worldwide, non-exclusive, non-transferable licence (Licence) for your use, and the use of any person employed and/or contracted by you (Authorised Users), to access and use the Software during the agreed term of the Licence as set out in the Order Form;
  • if Singular Health provides any ancillary products to you (Ancillary Products), the Ancillary Products will also be supplied in accordance with these Terms;
  • that it is your responsibility for the security of the equipment from which the Software is accessed;
  • that it is your responsibility to ensure the secured use of the Software and to be informed as to who are the Authorised Users; and
  • you are liable and responsible for the management of your information, and any information that you access or receive through using the Software, such that it is compliant with all relevant legislation in the jurisdiction in which you operate.

Restrictions on Use

You agree that you will:

  • only allow the Software and any Ancillary Products to be used by the Authorised Users in accordance with these Terms, and any documents accompanying the Software, for the purposes of your business and for no other purpose;
  • ensure that the Software and any Ancillary Products are protected at all times from misuse, destruction or any forms of unauthorised use including fully securing any passwords used to access the Software;
  • not allow the Software or any Ancillary Products to be used or accessed by any third party who is not an Authorised User; and
  • not sell, sub-licence, assign or in any other way transfer the Software or any Ancillary Products to any third party, unless specifically authorised by Singular Health in writing and any such use will be subject to these Terms and such other terms as may be specified in writing by Singular Health.

Licence term and termination

Duration and Renewal

The term of the Licence is set out in the Order Form. Any renewal of the term of the Licence must be agreed in writing with Singular Health.

Termination for cause

  • Singular Health may terminate its agreement with you immediately without notice if you or an Authorised User breaches these Terms of fails to make payment in accordance with the Order Form.
  • Unless otherwise agreed by Singular Health, at its discretion and in writing, your right to the License will terminate immediately if you cease business operations, make a general assignment for the benefit of creditors or if you become insolvent.
  • Notwithstanding any term, the usage by you of the Software or any Ancillary Products is subject to fair use as determined by Singular Health in its absolute discretion.
  • If at any time Singular Health deems that you have used the Software and or any Ancillary Products beyond the a fair use standard and or level to which Singular Health determines in its absolute discretion, Singular Health may limit or reduce the capacity and or any aspects of usage by you of the Software and or Ancillary Products and or terminate your license to use such Software and or Ancillary Products, and you shall not be entitled to make any claim of whatsoever nature against Singular Health for any such reduction, amendment and or termination of usage by you.
  • Notwithstanding any term, Singular Health may terminate its agreement with you upon 14 days notice, of any reason outside of a breach by you of any of these Terms, and in such respect, you shall be entitled to a refund of licence fees paid (if any) that relates to any period past the respective termination date.
  • Upon such termination above, you are not entitled to otherwise make any claim of whatsoever nature howsoever arising against Singular Health arising out of or in connection with such termination.

Indemnification and disclaimers

Liability

You agree that Singular Health is not liable to you or any party for any indirect, special or consequential loss or damage including liability for loss of profits, loss of business opportunity, loss of savings or loss of data in connection with these Terms.

Indemnification

You and Authorized Users agree to defend, indemnify and hold harmless Singular Health, its directors, officers, employees and agents, from and against any and all loss, damages, and liability (including attorney’s fees) of any kind arising from your, or an Authorized User’s, breach of these Terms or the use or misuse of the Software.

Disclaimer

  • You acknowledge and agree that the Software and Ancillary Products are supplied for use as an enhancement only, to assist with medical decisions, and must not be solely relied upon when making medical decisions or performing medical procedures. You further agree to procure that the Authorized Users acknowledge and agree to the provisions of this clause. Singular Health is not responsible or liable for any claims whatsoever in relation to the user of the Software and Ancillary Products, to the extent permitted at law in any relevant jurisdiction.
  • You acknowledge and agree that the Authorized Users must make their own judgements and decisions when making medical decisions and performing medical procedures and you hereby release and indemnify Singular Health against any liability caused by the improper use of the Software and/or Ancillary Products.

Access and Availability

  • You and the Authorized Users may access the Software but do not have any right to receive a copy of the object code or source code of the Software.
  • Singular Health may, in its sole discretion, make enhancements, updates or new releases of the Software available from time to time in order to, among other things, enhance or improve the functionality or operation of the Software or to perform other work that Singular Health deems necessary.

Assignment

You must not assign or transfer or purport to assign or transfer any or all of your rights, obligations or liability under these Terms or any contract with Singular Health which incorporates these Terms to any other person without the prior written consent of Singular Health.

Confidentiality

  • You agree to maintain in confidence all Confidential Information concerning the business activities or affairs of Singular Health, including these Terms and details of all of Singular Health’s intellectual property, (Confidential Information) and not to use or disclose Singular Health’s Confidential Information without its express written consent. You will protect any Confidential Information you receive with the same standard of care that you use to protect your own confidential information, but in no event less than a reasonable degree of care. For the purposes of this clause, Confidential Information means all information (including the existence and subject matter of these Terms) of a confidential nature in any form or medium that is not publicly available, and you acknowledge and agree that this includes business and technical information incorporated into the Software or any software or other technology contained therein.
  • Subject to this clause, you may only reproduce or use Confidential Information for the sole reason of performing your obligations under these Terms, and not to Singular Health’s commercial, financial or competitive disadvantage.

Data

  • You are solely responsible and liable for the content and accuracy of your data, and the data of your Authorized Users and clients, including all web information, personal information, documents and records, (collectively Data) and compliance with any applicable laws in respect of management and use of your Data.
  • Your Data belongs to you and Singular Health makes no claim to any right of ownership in it.
  • You warrant that all software, data, materials and information supplied by or on behalf of you or an Authorized User to Singular Health, and all use thereof by Singular Health for the purposes of its contract with you, will not infringe the rights or privacy of any person or breach any law or regulation.
  • You consent to a copy of your data, or information extracted or derived from your Data by Singular Health, to be used by Singular Health for the purposes of marketing, research and analysis and general business operations (“Marketing Use”).
  • You shall not be entitled to make any claim against Singular Health in relation to any matter arising out of or in connection with the Marketing Use.

Intellectual property

  • As between you and Singular Health, you agree that Singular Health at all times remains the owner of all copyright, trademark rights, patent rights, design rights, whether registered or unregistered, and all other rights to intellectual property relating to the Software and Singular Health’s business, including all present and future rights to intellectual property of every kind (Singular Health IP) and that these Terms do not prevent, limit or restrict Singular Health from using or exploiting Singular Health IP.
  • Other than as expressly set forth in these Terms, Singular Health does not grant to you any other rights or licences of any kind and all implied rights and licenses are hereby expressly excluded.

Warranties and consumer rights

  • Singular Health warrants that the Software, when used properly, will perform substantially as described on the Website and any materials that accompany the Software. This limited warranty does not cover problems that you cause, that arise when you fail to follow instructions, or that are caused by events beyond the reasonable control of Singular Health.
  • If the Australian Consumer Law applies to you, the license of the Software comes with guarantees that cannot be excluded under the Australian Consumer Law. For major failures with the service, you are entitled:
  • to cancel your service contract with us; and
  • to a refund for the unused portion, or to compensation for its reduced value.
  • You are also entitled to choose a refund or replacement for major failures with goods. If a failure with the goods or service does not amount to a major failure, you are entitled to have the failure rectified in a reasonable time. If this is not done you are entitled to a refund for the goods and to cancel the contract for the service and obtain a refund of any unused portion. You are also entitled to be compensated for any other reasonably foreseeable loss or damage from a failure in the goods or service.
  • Disclaimer: Other than the limited warranty described above, Singular Health gives no other express warranties, guarantees or conditions and, subject to any obligations implied by law and which cannot be excluded (as applicable in a relevant jurisdiction), Singular Health has no liability to you whatsoever for any losses, damages, liabilities, claims and expenses (including but not limited to legal costs and defence or settlement costs) arising in connection with or out of the use of the Software and or Ancillary Products, any flaws in the software or defects in the Software and or Ancillary Products, and or any restricted usage of the Software and or Ancillary Products, whether such liability arises in contract, tort including negligence, statute or otherwise.
  • If Singular Health breaches its limited warranty it will, at its election, either (i) repair or replace the Software at no charge; or (ii) accept return of the Software for a refund of the amount paid by you, if any. These are your only remedies for breach of warranty, subject to applicable laws.
  • Subject to the provisions of this clause, you agree to indemnify, release, discharge and hold harmless Singular Health, its directors, employees, officers, contractors and overseas agencies from and against any and all losses, liabilities, damages, costs and expenses suffered or incurred by you and any third parties howsoever arising in connection with your use of the Software. Singular Health will not be liable or responsible for the use of the Software by you, any Authorized Users or anybody else.

Disputes

  • You must try and resolve any disputes with Singular Health in relation to these Terms directly for 60 days before taking any further action.
  • Any dispute or difference not resolved directly within 60 days must then be submitted to arbitration in Australia in accordance with, and subject to, the Resolution Institute Arbitration Rules.
  • Unless the parties agree upon an arbitrator, either party may request a nomination from the Chair of Resolution Institute, Australia.

General provisions

GST/VAT

Any prices quoted on our Website are exclusive of GST, VAT or other similar taxes unless otherwise stated. You must pay such additional taxes to Singular Health.

Independent contractors

You and Singular Health are independent contractors and or a customer supplier relationship respectively with respect to each other. Nothing in these Terms will create an employer-employee relationship, a partnership, agency relationship or a joint venture between the parties.

Survival

Any indemnity or any obligation of confidence under these Terms is independent and survives termination of these Terms. Any other term by its nature intended to survive termination of these Terms survives termination of these Terms.

Entire Terms

The Order Form, these Terms and any other terms stated to apply pursuant to the Order Form constitute the entire set of terms that apply to the Licence and use of the Software and supersedes all previous agreements or understandings between the parties in connection with the Licence and the Software.

Exclusivity

The rights granted to an Authorized User to use the Software are personal and non-exclusive, and nothing will prevent Singular Health from providing the Software to any third party.

Severability

A term or part of a term of these Terms that is illegal or unenforceable may be severed from these Terms and the remaining terms or parts of the terms of these Terms continue in force.

Waiver

You and Singular Health do not waive a right, power or remedy if it fails to exercise or delays in exercising the right, power or remedy. A single or partial exercise of a right, power or remedy does not prevent another or further exercise of that or another right, power or remedy. A waiver of a right, power or remedy must be in writing and signed by the party giving the waiver.

Governing Law

These Terms are governed by and construed under the law in the State of Western Australia. You and Singular Health each irrevocably and unconditionally submit to the non-exclusive jurisdiction of any court in Western Australia.

Data Processing Agreement Annex

This section is applicable when you are a data controller (a legal entity) in the European Union. If you are a natural person please consult our Privacy Policy.  

This Data Processing Agreement (hereinafter referred to as “DPA”) has been executed by and between Singular Health and you. 

In this DPA, Singular Health and you shall be referred to as “Party” individually and “Parties” jointly. 

1. Parties

Regarding the processing activities undertaken by the Parties, we will act as Processors, and you will act as Controllers. 

The terms “Controller”, “Data Subject”, “Personal Data”, “Data Breach”, “Process” and “Processor” have the same meanings as described in the General Data Protection Regulation (GDPR) and cognate terms shall be construed accordingly.  

2. Acting upon instructions

We will process personal data (“Personal Data”) on your behalf and shall act as your Processor and undertake to comply with the GDPR and these Clauses in accordance with and for the purposes of Article 28 of the GDPR, upon accepting our Terms of Use and start using our Services. 

We undertake to carry out the Personal Data processing operations in accordance with the obligations imposed by the GDPR, these Clauses and the instructions subsequently issued by the you in writing solely related to the activities pursuant to the Terms of Use.  

We will take reasonable measures to inform you when, in our opinion, we consider that an instruction you may issue violates the GDPR or other legal provisions of national or Union law on data protection. 

These clauses reflect your instructions. You may also issue subsequent instructions during the processing of personal data, but they must always be strictly related to the provisions of the Services under the Terms of Use, documented and kept in writing, including in electronic form, and communicated in advance. 

3. Processing Terms

The instructions shall include at least the following details of the processing: 

  • subject-matter: Performance by the Processor (“us”) of the services covered by the Terms of Use 
  • duration of the processing: Personal Data will be stored only as long as necessary for the performance of the services under the Terms of Use unless there are deletion or return instructions from you before stop using our Service
  • nature and purpose of processing: Carrying out the necessary processing operations with regard to Personal Data in order to achieve the purposes pursued by the execution of the services under the Terms of Use
  • type of personal data: Depending on your actual use of the Service (3DICOM Patient, 3DICOM MD, 3DICOM EDU) provided under the Terms of Use, they may cover data in the following categories: CT, PET & MRI Scans; DICOM tags; Medical Case Studies 
  • categories of data subjects : Patients 

We and any person acting under our authority who has access to personal data shall process them exclusively in accordance with the instructions received from you, solely for the purpose of and not for any other purpose or in any other way, unless we are bound to do so by the applicable laws. 

4. Duty of Confidentiality

 We take the necessary measures to ensure that our employees or collaborators who are authorised to carry out any operation relating to the processing of Personal Data will do so only on a need-to-know basis and in accordance with these clauses.  

We ensure that these authorized persons are subject to confidentiality undertakings or professional or legal obligations of confidentiality and that they are duly trained on the principles and measures relating to the protection of Personal Data. 

5. Security

The Processor shall take and maintain all security measures referred to in Article 32 of the GDPR, as well as any other appropriate preventive measure to ensure the security of the personal data and avoid data processing that is not permitted or that is not by the purposes of the Terms of USE and the provisions of the GDPR.   

6. Data Breach Notification

In the event of a personal data breach affecting the data processed on your behalf, we will take reasonable measures to inform you immediately when we become aware of such a data breach and in any case within 48 hours. We will provide you with all necessary information for to comply with your legal obligations. 

7. Data Subject Requests

We shall assist you in complying with the obligations relating to the handling of requests to exercise data subjects’ rights, the security of personal data, namely those relating to data protection impact assessment and prior consultation, the handling of requests received from public authorities, including the supervisory authority.  

8. Deletion or return

The Processor will return all original documents and will delete or destroy all materials in any medium containing personal data, unless there is a legal obligation for the Processor to store that data. The Processor may continue to retain documents containing personal data where applicable law requires the storage of such personal data (for example, including, but not limited to, legal tax, financial and accounting, archiving obligations). 

9. Accountability and audit rights

The Processor shall provide the Controller with all materials, documents or other information reasonably and necessary to enable the Controller to confirm that the Processor has acted in accordance with its data protection obligations under these Clauses. 

Only by way of exception and only to the extent that the materials, documents and information provided by the Processor to the Controller in accordance with the previous clause would not be sufficient to assess the compliance of the Processor with the data protection obligations under these Clauses, the Controller shall have the right to conduct an inspection at the premises of the Processor. The request for inspection shall be communicated to the Processor by the Controller at least 30 days in advance. 

10. Sub-processors

The Controller shall grant the Processor a general written authorization to engage subcontractors. The list of sub-processors, as well as any subsequent changes to the list, shall be communicated by the Processor to the Data Controller. The Data Controller shall have the right to object to the amendment of the list within 30 days of the communication by the Processor, stating the reasons.     

Where the Processor discloses personal data to its sub-processors, the Processor shall, prior to such disclosure, enter into a valid and enforceable written contract with such sub-processors, which contract shall include terms that (i) are substantially identical to the obligations applicable to personal data as set out in these clauses, (ii) require that such sub-authors comply with the terms and conditions of these clauses with respect to the processing of personal data. 

Cross Border Data Transfer Addendum

(applicable only for EU, UK and Swiss customers)

1. Definitions

For purposes of this Addendum, the terms below shall have the meanings set forth below. Capitalized terms that are used but not otherwise defined in this Addendum shall have the meanings set forth in the Agreement. 

 ”Standard Contractual Clauses” means, depending on the circumstances unique to Customer, any of the following: 

UK International Data Transfer Addendum, or; 

EU 2021 Standard Contractual Clauses (“EU SCCs”) 

“UK International Data Transfer Addendum” means: the UK International Data Transfer Addendum (“IDTA”) to the EU Commission Standard Contractual Clauses (“EU SCCs”) issued by the UK Information Commissioner for Parties making Restricted Transfers (as may be amended, updated, or superseded from time to time). 

“2021 Standard Contractual Clauses” means the Standard Contractual Clauses approved by the European Commission in decision 2021/914. 

2. Cross Border Data Transfers

2.1. The parties agree that the 2021 Standard Contractual Clauses will apply to personal data that is transferred via the Service from the European Economic Area, either directly or via onward transfer, to any country or recipient outside the European Economic Area that the European Commission does not recognize as providing an adequate level of protection for personal data. For data transfers from the European Economic Area that are subject to the 2021 Standard Contractual Clauses, the 2021 Standard Contractual Clauses will be deemed entered into (and incorporated into this Addendum by this reference) and completed as follows: 

2.2.1. Module Two (Controller to Processor) of the 2021 Standard Contractual Clauses will apply when you are the controller of personal data, and we process personal data on your behalf. 

2.2.2. Module Three (Processor to Processor) of the 2021 Standard Contractual Clauses will apply where you are a processor of personal data, and we are your sub-processor.   

2.2.3. For each Module, where applicable: 

  • 2.2.3.1. in Clause 7 of the 2021 Standard Contractual Clauses , the optional docking clause will not apply; 
  • 2.2.3.2. in Clause 9 of the 2021 Standard Contractual Clauses, Option 2 “General Written Authorisation” will apply  
  • 2.2.3.3. in Clause 11 of the 2021 Standard Contractual Clauses, the optional language will not apply; 
  • 2.2.3.4. in Clause 17 (Option 1), the 2021 Standard Contractual Clauses will be governed by Estonian law; 
  • 2.2.3.5. in Clause 18(b) of the 2021 Standard Contractual Clauses, disputes will be resolved before the courts of Estonia; 
  • 2.2.3.6. in Annex I, Part A (List of Parties) of the 2021 Standard Contractual Clauses: 
  • 2.2.3.6.1. Data Exporter: You 
  • 2.2.3.6.2. Contact details: The email address(es) you used to create an account with us to use our service. 
  • 2.2.3.6.3. Data Exporter Role: The parties acknowledge and agree that, regarding the processing of personal data, you may act either as a controller or processor and us as a processor. We will process personal data in accordance with your instructions as outlined in Section 3, “Processing Terms”, of the Data Protection Agreement. 
  • 2.2.3.6.4. Signature and Date: By accepting the Terms of Service and by using the Service, Data Exporter is deemed to have signed these Standard Contractual Clauses incorporated herein, including their Annexes. 
  • 2.2.3.6.5. Data Importer: Singular Health Pty Ltd  
  • 2.2.3.6.6. Address: Newcastle Street, Leederville, WA 6007 
  • 2.2.3.6.8. Data Importer Role: The parties acknowledge and agree that with regard to the processing of personal data, you may act either as a controller or a processor, and we are a processor. We will process personal data in accordance with your Instructions as set forth in Section 3 “Processing Terms” of the Data Protection Agreement. 
  • 2.2.3.6.9. Signature and Date: By providing the service under the Terms of Service, Data Importer is deemed to have signed these Standard Contractual Clauses, incorporated herein. 
  • 2.2.3.7. in Annex I, Part B (Description of Transfer) of the 2021 Standard Contractual Clauses: 
  • 2.2.3.7.1. The categories of data subjects are described in Section 3 “Processing Terms” of the Data Protection Agreement. 
  • 2.2.3.7.2. The categories of personal data transferred are described in the “Processing Terms” Section of the Data Protection Agreement. 
  • 2.2.3.7.3. The parties acknowledge that the data transferred includes sensitive data described in the “Processing Terms” Section of the Data Protection Agreement. 
  • 2.2.3.7.4. Signature and Date: By accepting the Terms of Use and by using the Service, Data Exporter is deemed to have signed these Standard Contractual Clauses incorporated herein, including their Annexes. 
  • 2.2.3.7.5. The nature of the processing is described in “Processing Terms” Section of the Data Protection Agreement. 
  • 2.2.3.7.6. The purpose of the processing is described in “Processing Terms” Section of the Data Protection Agreement. 
  • 2.2.3.7.7. The period for which personal data will be retained and the criteria used to determine that period is described in the Return or Deletion Section of the Data Protection Agreement  
  • 2.2.3.7.8. Transfers to Sub-processors are described in the Sub-processors Section of the Data Protection Agreement. 
  • 2.2.3.8. in Annex I,Part C of the 2021 Standard Contractual Clauses: The Data Protection Inspectorate (DPI) will be the competent supervisory authority. 
  • 2.2.3.9. The content of the Security Section of the Data Protection Addendum serves as Annex II of the Standard Contractual Clauses. 

2.3. Switzerland Data Transfers. With respect to any transfer of personal data outside of Switzerland or of Personal Data governed by the Switzerland Federal Act on Data Protection (“FADP”) (and the revised FADP (“revFADP”), when in effect), to a third country (without an adequacy decision or its equivalent issued by the European Commission or the relevant authority in Switzerland), the Parties agree that the EU SCCs in this Addendum shall apply, subject to the following terms and conditions: 

2.3.1. References: The terms “General Data Protection Regulation” or “Regulation (EU) 2016/679” as utilized in the EU SCCs shall be interpreted to include the FADP and, when applicable, the revFADP. 

2.3.2. Clause 13: Insofar as the Personal Data transfer is only subject to the FADP/revFADP, the Federal Data Protection and Information Commissioner (FDPIC) of Switzerland is the exclusive supervisory authority.  Insofar as the transfer of Personal Data is governed by both the GDPR and the FADP/revFADP, the competent supervisory authority with parallel supervision (in accordance with Annex I.C of the EU SCCs) is the FDPIC and insofar as the transfer is governed by the GDPR, the criteria of Clause 13(a) for the selection of the competent authority must be observed. 

2.3.3. Clause 17: The EU SCCs shall be governed by Swiss law, if the transfer is subject solely to FADP/revFADP, or, in other cases, the law of one of the EU Member States, provided such Member State law allows for third-party beneficiary rights. 

2.3.4. Clause 18(b): Any dispute arising from the EU SCCs shall be resolved by the courts of Switzerland, if the transfer is subject solely to FADP/revFADP, or an EU Member State in other cases. 

2.3.5. Clause 18(c): The term “Member State” must not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the EU SCCs. 

2.3.6. revFADP: The EU SCCs shall protect the data of legal entities until the entry into force of the revFADP. 

2.4. UK International Data Transfer Addendum. The parties agree that the UK International Data Transfer Addendum will apply to personal data that is transferred via the Services from the United Kingdom, either directly or via onward transfer, to any country or recipient outside of the United Kingdom that is not recognized by the competent United Kingdom regulatory authority or governmental body for the United Kingdom as providing an adequate level of protection for personal data. For data transfers from the United Kingdom that are subject to the UK International Data Transfer Addendum, the UK International Data Transfer Addendum will be deemed entered into (and incorporated into this Addendum by this reference) and completed as follows: 

2.4.1. Table 1: Parties 

  • 2.4.1.1. The Start Date is the date of the last signature of the Parties on this Addendum or the Agreement. 
  • 2.4.1.2. The Parties are set forth in Annex I.A of the EU SCCs to which this IDTA is appended. 

2.4.2. Table 2: Selected SCCs, Modules and Selected Clauses 

  • 2.4.2.1. Addendum EU SCCs 
  • 2.4.2.1.1. The version of the Approved EU SCCs to which this IDTA is appended, including the Appendix Information, applies. 

2.4.3. Table 3: Appendix Information 

  • 2.4.3.1. Annex 1A: List of Parties 
  • 2.4.3.1.1. The Parties are set forth in Annex I.A of the EU SCCs to which this IDTA is appended. 
  • 2.4.3.2. Annex 1B: Description of Transfer 
  • 2.4.3.2.1. The Description of the Transfer is as set forth in Annex I.B of the EU SCCs to which this IDTA is appended. 
  • 2.4.3.3. Annex II: Technical and organisational measures including technical and organisational measures to ensure the security of the data 
  • 2.4.3.3.1. The technical and organisational measures are set forth in Annex II of the EU SCCs to which this IDTA is appended. 
  • 2.4.3.4. Annex III: Sub-processors section of the Data Processing Agreement. 
  • 2.4.3.4.1. Not applicable. 

2.4.4. Table 4: Ending this Addendum when the Approved Addendum Changes: 

  • 2.4.4.1. The Exporter and Importer may end this IDTA as set out in Section 19 of the IDTA 

2.4.5. Part 2 of IDTA is incorporated herein by reference. 

2.5. Conflict. To the extent there is any direct conflict between the Standard Contractual Clauses and any other terms in this Data Protection Agreement, the or the Privacy Policy, the provisions of the Standard Contractual Clauses will prevail. 

Business Associate Agreement

(HIPPA relevant entities only)

This BUSINESS ASSOCIATE AGREEMENT (the “BAA”) is made and entered into as of the date when the Covered Entity has created an account for the use of our Services. 

Covered Entity: You  

Business Associate: Singular Health Pty Ltd (“Business Associate”, in accordance with the meaning given to those terms at 45 CFR § 164.501). In this BAA, Covered Entity and Business Associate are each a “Party” and, collectively, are the “Parties”. 

BACKGROUND 

I. Covered Entity is either a “covered entity” or “business associate” of a covered entity as each are defined under the Health Insurance Portability and Accountability Act of 1986, Public Law 104-191, as amended by the HITECH ACT (as defined below) and the related regulations promulgated by HHS (as defined below) (collectively, “HIPAA”) and, as such, is required to comply with HIPAA’s provisions regarding the confidentiality and privacy of Protected Health Information (as defined below)l; 

II. The Parties have entered into or will enter into one or more agreements under which Business Associate provides or will provide certain specified services to Covered Entity (collectively, the “Agreement”); 

III. In providing services pursuant to the Agreement, Business Associate will have access to Protected Health Information; 

IV. By providing the services pursuant to the Agreement, Business Associate will become a “business associate” of the Covered Entity as such term is defined under HIPAA; 

V. Both Parties are committed to complying with all federal and state laws governing confidentiality and privacy of health information, including, but not limited to, the Standards for Privacy of Individually Identifiable Health Information found at 45 CFR Part 160 and Part 164, Subparts A and E (collectively, the “Privacy Rule”); and 

VI. Both Parties intend to protect the privacy and provide for the security of Protected Health Information disclosed to Business Associate pursuant to this Agreement, HIPAA and other applicable laws. 

AGREEMENT 

NOW, THEREFORE, in consideration of the mutual and conditions contained herein and the continued provision of PHI by Covered Entity to Business Associate under the Agreement in reliance on this BAA, the Parties agree as follows: 

1. Definitions. For the purposes of this BAA, the Parties give the following meaning to each of the terms in this Section 1 below. Any capitalized term used in this BAA, but otherwise defined, has the meaning given to that term in the Privacy Rule or pertinent law. 

a.   “Affiliate” means a subsidiary or affiliate of Covered Entity that is, or has been, considered a covered entity, as defined by HIPAA. 

b.   “Breach” means the acquisition, access, use, or disclosure of PHI in a manner not permitted under the Privacy Rule which compromises the security or privacy of the PHI, as defined in 45 CFR § 164.402. 

c.   “Breach Notification Rule” means the portion of HIPAA set forth in Subpart D of 45 CFR Part 164. 

d.   “Data Aggregation” means, with respect to PHI created or received by Business Associate in its capacity as the “business associate” under HIPAA of Covered Entity, the combining of such PHI by Business Associate with the PHI received by Business Associate in its capacity as a business associate of one or more other “covered entity” under HIPAA, to permit data analyses that relate to the Health Care Operations (defined below) of the respective covered entities. The meaning of “data aggregation” in this BAA shall be consistent with the meaning given to that term in the Privacy Rule. 

e. “Designated Record Set” has the meaning given to such term under the Privacy Rule including 45 CFR § 164.501.B. 

f. “De-Identify” means to alter the PHI such that the resulting information meets the requirements described in 45 CFR §§164.514(a) and (b). 

g.   “Electronic PHI” means any PHI maintained in or transmitted by electronic media as defined in 45 CFR § 160.103 

h.   “Health Care Operations” has the meaning given to that term in 45 CFR § 164.501. 

i.  “HHS” means the U.S. Department of Health and Human Services. 

j. “HITECH Act” means the Health Information Technology for Economic and Clinical Act, enacted as part of the American Recovery and Reinvestment Act of 2009, Public Law 111-005. 

k.   “Individual” has the same meaning given to that term in 45 CFR §§164.501 and 160.130 and includes a person who qualifies as a personal representative in accordance with 45 CFR § 164.502(g). 

l. “Privacy Rule” means that portion of HIPAA set forth in 45 CFR Part 160 and Part 164, Subparts A and E. 

m.   “Protected Health Information” or “PHI” has the meaning given to the term “protected health information” in 45 CFR §§164.501 and 160.103, limited to the information created or received by Business Associate from or on behalf of the Covered Entity. 

n.   “Security Incident” means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system. 

o.   “Security Rule” means the Security Standards for the Protection of Electronic Health Information provided in 45 CFR Part 160 & Part 164, Subparts A and C. 

p. “Unsecured Protected Health Information” or “Unsecured PHI” means any “protected health information” as defined in 45 CFR §§164.501 and 160.103 that is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the HHS Secretary in the guidance issued pursuant to the HITECH Act and codified at 42 USC § 17932(h). 

2. Use and Disclosure of PHI. 

a.   Except as otherwise provided in this BAA, Business Associate may use or disclose PHI as reasonably to provide the services described in the Agreement to Covered Entity, and to undertake other activities of Business Associate permitted or required of Business Associate by this BAA or as required by law. 

b.   Except as otherwise limited by this BAA or federal or state law, Covered Entity authorizes Business Associate to use the PHI in its possession for the proper management and administration of Business Associate’s business and to carry out its legal responsibilities. Business Associate may disclose PHI for its proper management and administration, provided that (i) the disclosures are by law; or (ii) Business Associate obtains, in writing, prior to making any disclosure to a third party (a) reasonable assurances from this third party that the PHI will be held confidential as provided under this BAA and used or further disclosed only as required by law or for the purpose for which it was disclosed to this third party and (b) an agreement from this third party to notify Business Associate immediately of any breaches of the confidentiality of the PHI, to the extent it has knowledge of the breach. 

c.   Business Associate will not use or disclose PHI in a manner other than as provided in this BAA, as permitted under the Privacy Rule, or as required by law. Business Associate will use or disclose PHI, to the extent practicable, as a limited data set or limited to the minimum necessary amount of PHI to carry out the intended purpose of the use or disclosure, in accordance with Section 13405(b) of the HITECH ACT (codified as 42 USC § 17935(b)) and any of the act’s implementing regulations adopted by HHS, for each use or disclosure of PHI. 

d.   Upon request, Business Associate will make available to Covered Entity any of Covered Entity’s PHI that Business Associate or any of its agents or subcontractors have in their possession. 

e. Business Associate may use PHI to report violations of law to appropriate Federal and State authorities, consistent with 45 CFR §164.502(j)(1). 

3. Safeguards Against Misuse of PHI. Business Associate will use appropriate safeguards to prevent the use or disclosure of PHI other than as provided by the Agreement or this BAA and Business Associate agrees to implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of the Electronic PHI that it creates, receives, maintains or transmits on behalf of Covered Entity. Business Associate agrees to take reasonable steps, including providing adequate training to its employees to ensure compliance with this BAA and to ensure that the actions or omissions of its employees or agents do not cause Business Associate to breach the terms of this BAA. 

4. Reporting Disclosures of PHI and Security Incidents. Business Associate will report to Covered Entity in writing any use or disclosure of PHI not provided for by this BAA of which it becomes aware, and Business Associate agrees to report to Covered Entity any Security Incident affecting Electronic PHI of Covered Entity of which it becomes aware. Business Associate agrees to report any such event within 30 business days from its occurrence.

 5. Reporting Breaches of Unsecured PHI. Business Associate will notify Covered Entity in writing promptly upon the discovery of any Breach of Unsecured PHI in accordance with the requirements set forth in 45 CFR § 164.410, but in no case later than 30 calendar days after the discovery of a Breach. Business Associate will reimburse Covered Entity for any costs incurred by it in complying with the requirements of Subpart D of 45 CFR §164 that are imposed on Covered Entity as a result of a Breach committed by Business Associate. 

6. Mitigation of Disclosures of PHI. Business Associate will take reasonable measures to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of any use or disclosure of PHI by Business Associate or its agents or subcontractors in violation of the requirements of this BAA. 

7. Agreements with Agents or Subcontractors. Business Associate will ensure that any of its agents or subcontractors that have access to, or to which Business Associate provides, PHI agree in writing to the restriction and conditions concerning uses and disclosures of PHI contained in this BAA and agree to implement reasonable and appropriate safeguards to protect any Electronic PHI that it creates, received, maintains or transmits on behalf of Business Associate or, through the Business Associate, Covered Entity. Business Associate shall notify Covered Entity, or upstream Business Associate, of all subcontracts and agreements relating to the Agreement, where the subcontractor or agent received PHI as described in section 1.M of this BAA. Such notification shall occur within 30 calendar days of the execution of the subcontract by placement of such notice on the Business Associate’s primary website. Business Associate shall ensure that all subcontracts and agreements provide the same level of privacy and security as this BAA. 

8. Audit Report. Upon request, Business Associate will provide Covered Entity, or upstream Business Associate, with a copy of its most recent independent HIPAA compliance report (AT-C 315), HITRUST certification or other mutually agreed upon independent standards based third party audit report. Covered Entity agrees not to re-disclose Business Associate’s audit report. 

9. Access to PHI by Individuals

a.   Upon request, Business Associate agrees to furnish Covered Entity with copies of the PHI maintained by Business Associate in a Designated Record Set in the time and manner designated by Covered Entity to enable Covered Entity to respond to an Individual’s request for access to PHI under 45 CFR §164.524. 

b.   In the event any Individual or personal representative requests access to the Individual’s PHI directly from Business Associate, Business Associate within 10 business days, will forward that request to Covered Entity. Any disclosure of, or decision not to disclose, the PHI requested by an Individual or a personal representative and compliance with the requirements applicable to an Individual’s right to obtain access to PHI shall be the sole responsibility of Covered Entity.  

10. Amendment of PHI

a.   Upon request and instruction from Covered Entity, Business Associate will amend PHI or a record about an Individual in a Designated Record Set that is maintained by, or otherwise within the possession of, Business Associate as directed by Covered Entity in accordance with procedures established by 45 CFR §164.526. Any request by Covered Entity to amend such information will be completed by Business Associate within 15 business days of Covered Entity’s request. 

b.   In the event that any Individual requests that Business Associate amend such Individual’s PHI or record in a Designated Record Set, Business Associate within 10 business days will forward this request to Covered Entity. Any amendment of, or decision not to amend, the PHU or record as requested by an Individual and compliance with the requirements applicable to an Individual’s right to request an amendment of PHI will be the sole responsibility of Covered Entity. 

11. Accounting of Disclosures

a.   Business Associate will document any disclosures of PHI made by it to account for such disclosures as required by 45 CFR §164.528(a). Business Associate also will make available information related to such disclosures as would be required for Covered Entity to respond to a request for an accounting of disclosures in accordance with 45 CFR §164.528. At a minimum, Business Associate will furnish Covered Entity the following with respect to any covered disclosures by Business Associate: (i) the date of disclosure of PHI; (ii) the name of the entity or person who received PHI, and, if known, the address of such entity or person; (iii) a brief description of the PHI disclosed; and (iv) a brief statement of the purpose of the disclosure which includes the basis for such disclosure. 

b.   Business Associate will furnish to Covered Entity information collected in accordance with this Section 10, within 10 business days after written request by Covered Entity, to permit Covered Entity to make an accounting of disclosures as required by 45 CFR §164.528, or in the event that Covered Entity elects to provide an Individual with a list of its business associates, Business Associate will provide an accounting of its disclosures of PHI upon request if the Individual, if and to the extent that such accounting is required under the HITECH ACT or under HHS regulations adopted in connection with the HITECH ACT. 

c.   In the event an Individual delivers the initial request for an accounting directly to Business Associate, Business Associate will forward such request within 10 business days to Covered Entity. 

12. Availability of Books and Records. Business Associate will make available its internal practices, books, agreements, records, and policies and procedures relating to the use and disclosure of PHI, upon request, to the Secretary of HHS for purposes of determining Covered Entity’s and Business Associate’s compliance with HIPAA, and this BAA. 

13. Responsibilities of Covered Entity. With regard to the use and/or disclosure of Protected Health Information by Business Associate, Covered Entity agrees to: 

a.   Notify Business Associate of any limitation(s) in its notice of privacy practices in accordance with 45 CFR §164.520, to the extent that such limitation may affect Business Associate’s use or disclosure of PHI. 

b.   Notify Business Associate of any changes in, or revocation of, permission by an Individual to use or disclose Protected Health Information, to the extent that such changes may affect Business Associate’s use or disclosure of PHI. 

c.   Notify Business Associate of any restriction to the use or disclosure of PHI that Covered Entity has agreed to in accordance with 45 CFR §164.522, to the extent that such restriction may affect Business Associate’s use or disclosure of PHI. 

d.   Except for data aggregation or management and administrative activities of Business Associate, Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under HIPAA if done by Covered Entity. 

14. Data Ownership. Business Associate’s data stewardship does not confer data ownership rights on Business Associate with respect to any data shared with it under the Agreement, including any and all forms thereof. 

15. PHI Acess outside of the USA. Covered Entity acknowledges and agrees that PHI may be accessed by Business Associate and its affiliates and subcontractors from outside of the United States of America in connection with the performance of Services under this Agreement. 

16. Term and Termination

a.   This BAA will become effective on the date first written above and will continue in effect until all obligations of the Parties have been met under the Agreement and under this BAA. 

b.   Covered Entity may terminate this BAA, the Agreement, and any other related agreements if Covered Entity makes a determination that Business Associate has breached a material term of this BAA and Business Associate has failed to cure that material breach, to Covered Entity’s reasonable satisfaction, within 30 days after written notice from Covered Entity. Covered Entity may report the problem to the Secretary of HHS if termination is not feasible. 

c.   If Business Associate determines that Covered Entity has breached a material term of this BAA, then Business Associate will provide Covered Entity with written notice of the existence of the breach and shall provide Covered Entity with 30 days to cure the breach. Covered Entity’s failure to cure the breach within the 30-day period will be grounds for immediate termination of the Agreement and this BAA by Business Associate. Business Associate may report the breach to the HHS. 

d.   Upon termination of the Agreement or this BAA for any reason, all PHI maintained by Business Associate will be returned to Covered Entity or destroyed by Business Associate. Business Associate will not retain any copies of such information. This provision will apply to PHI in the possession of Business Associate’s agents and subcontractors. If return or destruction of the PHI is not feasible, in Business Associate’s reasonable judgment, Business Associate will furnish Covered Entity with notification, in writing, of the conditions that make return or destruction infeasible. Upon mutual agreement of the Parties that return or destruction of the PHI is infeasible, Business Associate will extend the protections of this BAA to such information for as long as Business Associate retains such information and will limit further uses and disclosures to those purposes that make the return or destruction of the information not feasible. The Parties understand that this Section 14.D. will survive any termination of this BAA.

17. Effect of BAA

a.   This BAA is a part of and subject to the terms of the Agreement, except that to the extent any terms of this BAA conflict with any term of the Agreement, the terms of this BAA will govern. 

b.   Except as expressly stated in this BA or as provided by law, this BAA will not create any rights in favor of any third party. 

18. Regulatory References. A reference in this BAA to a section in HIPAA means the section as in effect or as amended at the time. 

19. Notices. All notices, requests and demands or other communications to be given under this BAA to a Party will be made via either first class mail, registered or certified or express courier, or electronic mail to the Party’s address given below: 

If to the Covered Entity, to the email address you provided when signing in to use our Services. 

If to the Business Associate, to: [email protected] 

20. Amendments and Waiver. This BAA may not be modified, nor will any provision be waived or amended, except in writing duly signed by authorized representatives of the Parties. A waiver with respect to one event shall not be construed as continuing, or as a bar to or waiver of any right or remedy as to subsequent events. 

21. HITECH ACT Compliance. The Parties acknowledge that the HITECH Act includes significant changes to the Privacy Rule and the Security Rule. The privacy subtitle of the HITECH Act sets forth provisions that significantly change the requirements for business associates and the agreements between business associates and covered entities under HIPAA and these changes may be further clarified in forthcoming regulations and guidance. Each Party agrees to comply with the applicable provisions of the HITECH Act and any HHS regulations issued with respect to the HITECH Act. The Parties also agree to negotiate in good faith to modify this BAA as reasonably necessary to comply with the HITECH Act and its regulations as they become effective but, in the event that the Parties are unable to reach an agreement on such a modification, either Party will have the right to terminate this BAA upon 30 days’ prior written notice to the other Party. 

en_AUEnglish
arArabic bn_BDBengali zh_HKChinese fr_FRFrench de_DEGerman hi_INHindi id_IDIndonesian it_ITItalian jaJapanese pt_PTPortuguese es_ESSpanish en_AUEnglish