---

Animana

IDEXX Customer Data Processing Agreement Schedule

IDEXX takes the protection of your personal data seriously. This DPA Schedule is specific to the above IDEXX service and should be read in conjunction with our IDEXX Customer Data Processing Agreement .

Agreement between IDEXX and Customer into which the DPA and this Schedule is incorporated:
General Terms and Conditions of IDEXX Practice Management Software Europe

A. DESCRIPTION OF THE TRANSFER

i. Categories of data subjects whose personal data is transferred:

• Customer (clinic), to the extent Customer qualifies as personal data
• Customer’s employees
• Pet owners
• Employees of referral clinics

ii. Categories of personal data is transferred:

First and Last name (all data subjects) Address (pet owner only) Phone number (all data subjects) Email address (all data subjects) Client ID/code assigned by practice (pet owner) Birth date (pet owner)* *Optional data, included if inputted by clinic

Bank account number (pet owner only)* IP address (customer only)* Customer (clinic) account information, to the extent Customer qualifies as personal data Data regarding the pet (such as species, breed, age, birthdate) Data regarding the treatment of the pet (such as services, diagnosis, products)

iii. Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved.
None

iv. The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
Continuous basis depending on the use of the Services by Customer

v. Nature of the processing.
IDEXX’s activities with regard to Processing of Customer Personal Data are:

Activities by IDEXX’s Software Engineering and Development Operations groups:

Collection Recording Organization Structuring Storage Adaptation/Alteration Retrieval

Consultation Use Disclosure by transmission Dissemination Restriction Erasure/destruction

Activities by IDEXX’s Conversion & Implementation and Customer Support groups:

Collection Organization Structuring Storage Adaptation/Alteration Retrieval Collection

Consultation Use Disclosure by transmission Dissemination Restriction Erasure/destruction

Activities by Training group:

• Use
   

vi. Purpose(s) of the data transfer and further processing.
To provide the Services.

vii. The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period.
In principle, up to 2 years after termination of the Customer relation, unless a longer minimum statutory retention period applies, such as is the case for data that may be relevant for tax determination, which data is to be retained for at least 7 years.

viii. For transfers to (sub-)processors, also specify subject matter, nature and duration of the processing.
The subject matter, nature and duration of the processing as described above.

 

B. TRANSBORDER DATA PROCESSING

Pursuant to Section 9.3 of the DPA, the Annexes to the SCCs shall be completed as follows:

Annex I, Part A:

List of Parties Data exporter(s):
Name: The entity identified as “Customer” in the DPA
Address: The address for Customer associated with its IDEXX account.
Contact person’s name, position and contact details: The contact details associated with Customer’s IDEXX account.
Activities relevant to the data transferred under these Clauses: See this DPA Schedule, Section A above.
Signature and date: By entering into the DPA, Customer is entering into the SCCs pursuant to Section 9.3 of the DPA.
Role (controller/processor): Controller

Data importer(s):
Name: IDEXX Laboratories, Inc.
Address: One IDEXX Drive, Westbrook, Maine, USA 04092
Contact person’s name, position and contact details: chiefprivacyofficer@idexx.com
Activities relevant to the data transferred under these Clauses: See this DPA Schedule, Section A above.
Signature and date: By entering into the DPA, IDEXX is entering into the SCCs pursuant to Section 9.3 of the DPA.
Role (controller/processor): Processor

Annex I, Part B: Description of Transfer
See this DPA Schedule, Section A above.

Annex I, Part C: Competent Supervisory
Authority Dutch Data Protection Authority

Annex II: Technical and Organizational Measures Including Technical and Organizational Measures to Ensure the Security of the Data
IDEXX’s foundational technical and organizational measures for data protection within its Services are described in the Technical and Organizational Measures below. The technical and organizational measures that IDEXX will impose on subprocessors are described in the DPA.

 

Technical and Organizational Measures

Physical Access Control
Measures to ensure that unauthorized persons will not have physical access to systems used to process Personal Data.

• security guards, doormen
• electronic access control system using proximity access cards
• video surveillance (IP cameras)
• security checks for visitors

System Access Control
Measures to prevent data processing systems from being used without authorization:

• password guidelines (including complexity, minimum length, password reuse and minimum password age)
• automatic log-out or password-protected screensaver after certain time period without user activity
• access authentication and authorization
• firewall, anti-virus protection
• intrusion detection/intrusion prevention
• logging of access

Data Access Control
Measures to ensure that persons authorized to use data processing systems have access only to those data they are authorized to access, and that Personal Data cannot be read, copied, altered or removed without authorization during processing, use and after:

• access control concept (access rights limited by profiles and roles)
• documentation of access rights
• approval and assignment of access rights through authorized personnel only

Data Transfer Control
Measures to ensure that Personal Data cannot be read, copied, altered or removed without authorization during electronic transfer or transport or while being recorded onto data storage media, and that it is possible to ascertain and check which bodies are to be transferred Personal Data using data transmission facilities:

• transport encryption (TLS or VPN)

Data Entry Control
Measures to ensure that it is possible after the fact to check and ascertain whether Personal Data have been entered into, altered or removed from data processing systems and if so, by whom:

• Data is essential read only for reporting purposes once stored in the IDEXX data center

Control of Processors
Measures to ensure that Personal Data processed on behalf of others is processed strictly in compliance with the Controller’s instructions:

• written data processing agreements (required)

Availability Control
Measures to ensure that Personal Data are protected against accidental destruction or loss:

• backup in separate location
• business continuity/disaster recovery concept
• uninterruptable power supply (UPS)
• Dedicated data center generator with multiple fuel supply contracts
• fire protection & suppression system
• water detection
• redundant air conditioning system

Separation of Data
Measures to ensure that data collected for different purposes can be processed separately:

• clear logical separation of data from data of other Controllers (dedicated data universe)

 

---

ezyVet

 

IDEXX Customer Data Processing Agreement Schedule

IDEXX takes the protection of your personal data seriously. This DPA Schedule is specific to the above IDEXX service and should be read in conjunction with our IDEXX Customer Data Processing Agreement

Agreement between IDEXX and Customer into which the DPA and this Schedule is incorporated:
ezyVet General Terms and Conditions.

 

A. DESCRIPTION OF THE TRANSFER

i. Categories of data subjects whose personal data is transferred:

• Customer (clinic), to the extent Customer qualifies as personal data
• Customer’s employees
• Pet owners Employees of referral clinics
   

ii. Categories of personal data is transferred:

Last name (all data subjects) Address (pet owner only) Phone number (all data subjects) Email address (all data subjects) Gender (pet owner only)

IP address (customer only) Customer (clinic) account information, to the extent Customer qualifies as personal data Data regarding the pet (such as species, breed, age) Data regarding the treatment of the pet (such as services, diagnosis, products)

iii. Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved.
None

iv. The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
Continuous basis depending on the use of the Services by Customer

v. Nature of the processing.
IDEXX’s activities with regard to Processing of Customer Personal Data are:

Activities by IDEXX’s Software Engineering and Development Operations groups:

Collection Recording Organization Structuring Storage Adaptation/Alteration Retrieval

Consultation Use Disclosure by transmission Dissemination Restriction Erasure/destruction

Activities by IDEXX’s Conversion & Implementation and Customer Support groups:

Collection Organization Structuring Storage Adaptation/Alteration Retrieval Collection

Consultation Use Disclosure by transmission Dissemination Restriction Erasure/destruction

Activities by Training group:

• Use

vi. Purpose(s) of the data transfer and further processing.
To provide the Services.

vii. The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period.
In principle, up to 2 years after termination of the Customer relation, unless a longer minimum statutory retention period applies, such as is the case for data that may be relevant for tax determination, which data is to be retained for at least 7 years.

viii. For transfers to (sub-)processors, also specify subject matter, nature and duration of the processing.
The subject matter, nature and duration of the processing as described above.

 

B. TRANSBORDER DATA PROCESSING

Pursuant to Section 9.3 of the DPA, the Annexes to the SCCs shall be completed as follows:

Annex I, Part A: List of Parties

Data exporter(s):
Name: The entity identified as “Customer” in the DPA
Address: The address for Customer associated with its IDEXX account.
Contact person’s name, position and contact details: The contact details associated with Customer’s IDEXX account.
Activities relevant to the data transferred under these Clauses: See this DPA Schedule, Section A above.
Signature and date: By entering into the DPA, Customer is entering into the SCCs pursuant to Section 9.3 of the DPA.
Role (controller/processor): Controller

Data importer(s):
Name: IDEXX Laboratories, Inc.
Address: One IDEXX Drive, Westbrook, Maine, USA 04092
Contact person’s name, position and contact details: chiefprivacyofficer@idexx.com
Activities relevant to the data transferred under these Clauses: See this DPA Schedule, Section A above.
Signature and date: By entering into the DPA, IDEXX is entering into the SCCs pursuant to Section 9.3 of the DPA.
Role (controller/processor): Processor

Annex I, Part B: Description of Transfer
See this DPA Schedule, Section A above.

Annex I, Part C: Competent Supervisory Authority
Dutch Data Protection Authority

Annex II: Technical and Organizational Measures Including Technical and Organizational Measures to Ensure the Security of the Data
IDEXX’s foundational technical and organizational measures for data protection within its Services are described in the Technical and Organizational Measures below. The technical and organizational measures that IDEXX will impose on subprocessors are described in the DPA.

 

Technical and Organizational Measures

Physical Access Control
Measures to ensure that unauthorized persons will not have physical access to systems used to process Personal Data.

• security guards, doormen
• electronic access control system using proximity access cards
• video surveillance (IP cameras)
• security checks for visitors

System Access Control
Measures to prevent data processing systems from being used without authorization: 

• password guidelines (including complexity, minimum length, password reuse and minimum password age)
• automatic log-out or password-protected screensaver after certain time period without user activity
• access authentication and authorization
• firewall, anti-virus protection
• intrusion detection/intrusion prevention
• logging of access

Data Access Control
Measures to ensure that persons authorized to use data processing systems have access only to those data they are authorized to access, and that Personal Data cannot be read, copied, altered or removed without authorization during processing, use and after:

• access control concept (access rights limited by profiles and roles)
• documentation of access rights
• approval and assignment of access rights through authorized personnel only

Data Transfer Control
Measures to ensure that Personal Data cannot be read, copied, altered or removed without authorization during electronic transfer or transport or while being recorded onto data storage media, and that it is possible to ascertain and check which bodies are to be transferred Personal Data using data transmission facilities:

• transport encryption (TLS or VPN)

Data Entry Control
Measures to ensure that it is possible after the fact to check and ascertain whether Personal Data have been entered into, altered or removed from data processing systems and if so, by whom:

• Data is essential read only for reporting purposes once stored in the IDEXX data center

Control of Processors
Measures to ensure that Personal Data processed on behalf of others is processed strictly in compliance with the Controller’s instructions:

• written data processing agreements (required)

Availability Control
Measures to ensure that Personal Data are protected against accidental destruction or loss:

• backup in separate location
• business continuity/disaster recovery concept
• uninterruptable power supply (UPS)
• Dedicated data center generator with multiple fuel supply contracts
• fire protection & suppression system
• water detection
• redundant air conditioning system

Separation of Data
Measures to ensure that data collected for different purposes can be processed separately:

• clear logical separation of data from data of other Controllers (dedicated data universe)

---

Vet Radar

IDEXX Customer Data Processing Agreement Schedule

Vet Radar IDEXX takes the protection of your personal data seriously. This DPA Schedule is specific to the above IDEXX service and should be read in conjunction with our IDEXX Customer Data Processing Agreement .

Agreement between IDEXX and Customer into which the DPA and this Schedule is incorporated:
ezyVet General Terms and Conditions (also covering Vet Radar) .

A. DESCRIPTION OF THE TRANSFER

i. Categories of data subjects whose personal data is transferred:

• Customer (clinic), to the extent Customer qualifies as personal data
• Customer’s employees
• Pet owners

ii. Categories of personal data is transferred:

• Last name (all data subjects)
• Address (pet owner only)

iii. Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved.
None

iv. The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
Continuous basis depending on the use of the Services by Customer

v. Nature of the processing.
IDEXX’s activities with regard to Processing of Customer Personal Data are:

Activities by IDEXX’s Software Engineering and Development Operations groups:

Collection Recording Organization Structuring Storage Adaptation/Alteration Retrieval

Consultation Use Disclosure by transmission Dissemination Restriction Erasure/destruction Monitoring/troubleshooting Alignment/combination Analysis/Segmentation

Activities by Training and Customer Support groups:

Collection Organization Structuring Storage Adaptation/Alteration Retrieval Collection

Consultation Use Disclosure by transmission Dissemination Restriction Erasure/destruction Monitoring/troubleshooting Analysis/Segmentation

 

vi. Purpose(s) of the data transfer and further processing.
To provide the Services.

vii. The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period.
In principle, up to 2 years after termination of the Customer relation, unless a longer minimum statutory retention period applies, such as is the case for data that may be relevant for tax determination, which data is to be retained for at least 7 years.

viii. For transfers to (sub-)processors, also specify subject matter, nature and duration of the processing.
The subject matter, nature and duration of the processing as described above.

 

B. TRANSBORDER DATA PROCESSING

Pursuant to Section 9.3 of the DPA, the Annexes to the SCCs shall be completed as follows:

Annex I, Part A: List of Parties

Data exporter(s):
Name: The entity identified as “Customer” in the DPA
Address: The address for Customer associated with its IDEXX account.
Contact person’s name, position and contact details: The contact details associated with Customer’s IDEXX account.
Activities relevant to the data transferred under these Clauses: See this DPA Schedule, Section A above.
Signature and date: By entering into the DPA, Customer is entering into the SCCs pursuant to Section 9.3 of the DPA.
Role (controller/processor): Controller

Data importer(s):
Name: IDEXX Laboratories, Inc.
Address: One IDEXX Drive, Westbrook, Maine, USA 04092
Contact person’s name, position and contact details: chiefprivacyofficer@idexx.com
Activities relevant to the data transferred under these Clauses: See this DPA Schedule, Section A above.
Signature and date: By entering into the DPA, IDEXX is entering into the SCCs pursuant to Section 9.3 of the DPA.
Role (controller/processor): Processor

Annex I, Part B: Description of Transfer
See this DPA Schedule, Section A above.

Annex I, Part C: Competent Supervisory Authority
Dutch Data Protection Authority

Annex II: Technical and Organizational Measures Including Technical and Organizational Measures to Ensure the Security of the Data
IDEXX’s foundational technical and organizational measures for data protection within its Services are described in the Technical and Organizational Measures below. The technical and organizational measures that IDEXX will impose on subprocessors are described in the DPA.

 

Technical and Organizational Measures

Physical Access Control
Measures to ensure that unauthorized persons will not have physical access to systems used to process Personal Data.

• security guards, doormen
• electronic access control system using proximity access cards
• video surveillance (IP cameras)
• security checks for visitors

System Access Control
Measures to prevent data processing systems from being used without authorization:

• password guidelines (including complexity, minimum length, password reuse and minimum password age)
• automatic log-out or password-protected screensaver after certain time period without user activity
• access authentication and authorization
• firewall, anti-virus protection
• intrusion detection/intrusion prevention
• logging of access Data Access Control Measures to ensure that persons authorized to use data processing systems have access only to those data they are authorized to access, and that Personal Data cannot be read, copied, altered or removed without authorization during processing, use and after:
• access control concept (access rights limited by profiles and roles)
• documentation of access rights
• approval and assignment of access rights through authorized personnel only

Data Transfer Control
Measures to ensure that Personal Data cannot be read, copied, altered or removed without authorization during electronic transfer or transport or while being recorded onto data storage media, and that it is possible to ascertain and check which bodies are to be transferred Personal Data using data transmission facilities:

• transport encryption (TLS or VPN)

Data Entry Control
Measures to ensure that it is possible after the fact to check and ascertain whether Personal Data have been entered into, altered or removed from data processing systems and if so, by whom:

• Data is essential read only for reporting purposes once stored in the IDEXX data center

Control of Processors
Measures to ensure that Personal Data processed on behalf of others is processed strictly in compliance with the Controller’s instructions:

• written data processing agreements (required)

Availability Control
Measures to ensure that Personal Data are protected against accidental destruction or loss:

• backup in separate location
• business continuity/disaster recovery concept
• uninterruptable power supply (UPS)
• Dedicated data center generator with multiple fuel supply contracts
• fire protection & suppression system
• water detection
• redundant air conditioning system
   

Separation of Data
Measures to ensure that data collected for different purposes can be processed separately:

• clear logical separation of data from data of other Controllers (dedicated data universe)

---

SmartFlow

IDEXX Customer Data Processing Agreement Schedule

IDEXX takes the protection of your personal data seriously. This DPA Schedule is specific to the above IDEXX service and should be read in conjunction with our IDEXX Customer Data Processing Agreement .

Agreement between IDEXX and Customer into which the DPA and this Schedule is incorporated:
General Terms and Conditions of IDEXX Practice Management Software Europe (if applicable to your region) .
SmartFlow Terms and Conditions .

 

A. DESCRIPTION OF THE TRANSFER

i. Categories of data subjects whose personal data is transferred:

• Customer (clinic), to the extent Customer qualifies as personal data
• Customer’s employees
• Pet owners

ii. Categories of personal data is transferred:

• First and Last name (all data subjects)
• Email address (all data subjects)

iii. Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved.
None

iv. The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
Continuous basis depending on the use of the Services by Customer.

v. Nature of the processing.
IDEXX’s activities with regard to Processing of Customer Personal Data are:

Activities by IDEXX’s Software Engineering and Development Operations groups:

Collection Recording Organization Structuring Storage Adaptation/Alteration Retrieval

Consultation Use Disclosure by transmission Dissemination Restriction Erasure/destruction Monitoring/troubleshooting Alignment/combination Analysis/Segmentation

Activities by IDEXX’s Sales and Medical Consulting groups:

Retrieval Consultation Use

Disclosure by transmission Dissemination Monitoring/troubleshooting

Activities by Training and Customer Support groups:

Collection Organization Structuring Storage Adaptation/Alteration Retrieval

Consultation Use Disclosure by transmission Dissemination Restriction Erasure/destruction Monitoring/troubleshooting Analysis/Segmentation

vi. Purpose(s) of the data transfer and further processing.
To provide the Services.

vii. The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period.
The minimum statutory period applicable to IDEXX’s retention of Personal Data.

viii. For transfers to (sub-)processors, also specify subject matter, nature and duration of the processing.
The subject matter, nature and duration of the processing as described above.

 

B. TRANSBORDER DATA PROCESSING

Pursuant to Section 9.3 of the DPA, the Annexes to the SCCs shall be completed as follows:

Annex I, Part A: List of Parties

Data exporter(s):
Name: The entity identified as “Customer” in the DPA
Address: The address for Customer associated with its IDEXX account.
Contact person’s name, position and contact details: The contact details associated with Customer’s IDEXX account.
Activities relevant to the data transferred under these Clauses: See this DPA Schedule, Section A above.
Signature and date: By entering into the DPA, Customer is entering into the SCCs pursuant to Section 9.3 of the DPA.
Role (controller/processor): Controller

Data importer(s):
Name: IDEXX Laboratories, Inc.
Address: One IDEXX Drive, Westbrook, Maine, USA 04092
Contact person’s name, position and contact details: chiefprivacyofficer@idexx.com
Activities relevant to the data transferred under these Clauses: See this DPA Schedule, Section A above.
Signature and date: By entering into the DPA, IDEXX is entering into the SCCs pursuant to Section 9.3 of the DPA.
Role (controller/processor): Processor

Annex I, Part B: Description of Transfer
See this DPA Schedule, Section A above.

Annex I, Part C: Competent Supervisory
Authority Dutch Data Protection Authority

Annex II: Technical and Organizational Measures Including Technical and Organizational Measures to Ensure the Security of the Data
IDEXX’s foundational technical and organizational measures for data protection within its Services are described in the Technical and Organizational Measures below. The technical and organizational measures that IDEXX will impose on subprocessors are described in the DPA.

 

Technical and Organizational Measures

Physical Access Control
Measures to ensure that unauthorized persons will not have physical access to systems used to process Personal Data.

• security guards, doormen
• electronic access control system using proximity access cards
• video surveillance (IP cameras)
• security checks for visitors

System Access Control
Measures to prevent data processing systems from being used without authorization:

• password guidelines (including complexity, minimum length, password reuse and minimum password age)
• automatic log-out or password-protected screensaver after certain time period without user activity
• access authentication and authorization
• firewall, anti-virus protection
• intrusion detection/intrusion prevention
• logging of access

Data Access Control
Measures to ensure that persons authorized to use data processing systems have access only to those data they are authorized to access, and that Personal Data cannot be read, copied, altered or removed without authorization during processing, use and after:

• access control concept (access rights limited by profiles and roles)
• documentation of access rights
• approval and assignment of access rights through authorized personnel only

Data Transfer Control
Measures to ensure that Personal Data cannot be read, copied, altered or removed without authorization during electronic transfer or transport or while being recorded onto data storage media, and that it is possible to ascertain and check which bodies are to be transferred Personal Data using data transmission facilities:

• transport encryption (TLS or VPN)

Data Entry Control
Measures to ensure that it is possible after the fact to check and ascertain whether Personal Data have been entered into, altered or removed from data processing systems and if so, by whom:

• Data is essential read only for reporting purposes once stored in the IDEXX data center

Control of Processors
Measures to ensure that Personal Data processed on behalf of others is processed strictly in compliance with the Controller’s instructions:

• written data processing agreements (required)

Availability Control
Measures to ensure that Personal Data are protected against accidental destruction or loss:

• backup in separate location
• business continuity/disaster recovery concept
• uninterruptable power supply (UPS)
• Dedicated data center generator with multiple fuel supply contracts
• fire protection & suppression system
• water detection
• redundant air conditioning system

Separation of Data
Measures to ensure that data collected for different purposes can be processed separately:

• clear logical separation of data from data of other Controllers (dedicated data universe)

---

VetConnect PLUS

IDEXX Customer Data Processing Addendum Schedule

IDEXX takes the protection of your personal data seriously. This DPA Schedule is specific to the above IDEXX service and should be read in conjunction with our IDEXX Customer Data Processing Agreement .

Agreement between IDEXX and Customer into which the DPA and this Schedule is incorporated:
VetConnect PLUS Terms of Service .

A. DESCRIPTION OF THE TRANSFER

i. Categories of data subjects whose personal data is transferred:

• Customer (clinic), to the extent Customer qualifies as personal data
• Customer’s employees
• Pet owners

ii. Categories of personal data is transferred:

• First and Last name (pet owner and customer employee)
• Email address (pet owner and customer employee)

iii. Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved.
None

iv. The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
Continuous basis depending on the use of the Services by Customer

v. Nature of the processing.
IDEXX’s activities with regard to Processing of Customer Personal Data are:

Activities by IDEXX’s Software Engineering and Development Operations groups:

Collection Recording Organization Structuring Storage Adaptation/Alteration Retrieval

Consultation Use Disclosure by transmission Dissemination Restriction Erasure/destruction Monitoring/Troubleshooting Alignment/combination Analysis/segmentation

Activities by IDEXX’s Sales and Medical Consulting groups:

Retrieval Consultation Use Storage Collection

Disclosure by transmission Dissemination Monitoring/Troubleshooting Analysis/segmentation

Activities by Training and Customer Support groups:

Collection Organization Structuring Storage Adaptation/Alteration Retrieval

Consultation Use Disclosure by transmission Dissemination Restriction Erasure/destruction Monitoring/Troubleshooting Analysis/segmentation

vi. Purpose(s) of the data transfer and further processing.
To provide the communication functionalities offered in VetConnect PLUS.

vii. The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period.
The minimum statutory period applicable to IDEXX’s retention of Personal Data.

viii. For transfers to (sub-)processors, also specify subject matter, nature and duration of the processing.
The subject matter, nature and duration of the processing as described above.

 

B. TRANSBORDER DATA PROCESSING

Pursuant to Section 9.3 of the DPA, the Annexes to the SCCs shall be completed as follows:

Annex I, Part A:

List of Parties Data exporter(s):
Name: The entity identified as “Customer” in the DPA
Address: The address for Customer associated with its IDEXX account.
Contact person’s name, position and contact details: The contact details associated with Customer’s IDEXX account.
Activities relevant to the data transferred under these Clauses: See this DPA Schedule, Section A above.
Signature and date: By entering into the DPA, Customer is entering into the SCCs pursuant to Section 9.3 of the DPA.
Role (controller/processor): Controller

Data importer(s):
Name: IDEXX Laboratories, Inc.
Address: One IDEXX Drive, Westbrook, Maine, USA 04092
Contact person’s name, position and contact details: chiefprivacyofficer@idexx.com
Activities relevant to the data transferred under these Clauses: See this DPA Schedule, Section A above.
Signature and date: By entering into the DPA, IDEXX is entering into the SCCs pursuant to Section 9.3 of the DPA.
Role (controller/processor): Processor

Annex I, Part B: Description of Transfer
See this DPA Schedule, Section A above.

Annex I, Part C: Competent Supervisory Authority
Dutch Data Protection Authority

Annex II: Technical and Organizational Measures Including Technical and Organizational Measures to Ensure the Security of the Data
IDEXX’s foundational technical and organizational measures for data protection within its Services are described in the Technical and Organizational Measures below. The technical and organizational measures that IDEXX will impose on subprocessors are described in the DPA.

 

Technical and Organizational Measures

Physical Access Control
Measures to ensure that unauthorized persons will not have physical access to systems used to process Personal Data.

• security guards, doormen
• electronic access control system using proximity access cards
• video surveillance (IP cameras)
• security checks for visitors
   

System Access Control
Measures to prevent data processing systems from being used without authorization:

• password guidelines (including complexity, minimum length, password reuse and minimum password age)
• automatic log-out or password-protected screensaver after certain time period without user activity
• access authentication and authorization
• firewall, anti-virus protection
• intrusion detection/intrusion prevention
• logging of access
   

Data Access Control
Measures to ensure that persons authorized to use data processing systems have access only to those data they are authorized to access, and that Personal Data cannot be read, copied, altered or removed without authorization during processing, use and after:

• access control concept (access rights limited by profiles and roles)
• documentation of access rights
• approval and assignment of access rights through authorized personnel only
   

Data Transfer Control
Measures to ensure that Personal Data cannot be read, copied, altered or removed without authorization during electronic transfer or transport or while being recorded onto data storage media, and that it is possible to ascertain and check which bodies are to be transferred Personal Data using data transmission facilities:

• transport encryption (TLS or VPN)
   

Data Entry Control
Measures to ensure that it is possible after the fact to check and ascertain whether Personal Data have been entered into, altered or removed from data processing systems and if so, by whom:

• Data is essential read only for reporting purposes once stored in the IDEXX data center

Control of Processors
Measures to ensure that Personal Data processed on behalf of others is processed strictly in compliance with the Controller’s instructions:

• written data processing agreements (required)
   

Availability Control
Measures to ensure that Personal Data are protected against accidental destruction or loss:

• backup in separate location
• business continuity/disaster recovery concept
• uninterruptable power supply (UPS)
• Dedicated data center generator with multiple fuel supply contracts
• fire protection & suppression system
• water detection
• redundant air conditioning system

Separation of Data
Measures to ensure that data collected for different purposes can be processed separately:

• clear logical separation of data from data of other Controllers (dedicated data universe)

---

SmartService

IDEXX Customer Data Processing Addendum Schedule

IDEXX takes the protection of your personal data seriously. This DPA Schedule is specific to the above IDEXX service and should be read in conjunction with our IDEXX Customer Data Processing Agreement .

Agreement between IDEXX and Customer into which the DPA and this Schedule is incorporated:
IDEXX SmartService Agreement .

 

A. DESCRIPTION OF THE TRANSFER

i. Categories of data subjects whose personal data is transferred:

• Customer (clinic), to the extent Customer qualifies as personal data
• Customer’s employees
• Pet owners

ii. Categories of personal data is transferred:
First and Last name (pet owner and customer employee)

iii. Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved.
None

iv. The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
Continuous basis depending on the use of the Services by Customer

v. Nature of the processing.
IDEXX’s activities with regard to Processing of Customer Personal Data are:

Activities by IDEXX’s Software Engineering and Development Operations groups:

Collection Recording Organization Structuring Storage Adaptation/Alteration Retrieval

Consultation Use Disclosure by transmission Dissemination Restriction Erasure/destruction Monitoring/Troubleshooting

Activities by IDEXX’s Sales, Medical Consulting and Customer Service groups:

Retrieval Consultation Use

Disclosure by transmission Dissemination Monitoring/Troubleshooting

vi. Purpose(s) of the data transfer and further processing.
To provide the Services.

vii. The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period.
The minimum statutory period applicable to IDEXX’s retention of Personal Data.

viii. For transfers to (sub-)processors, also specify subject matter, nature and duration of the processing.
The subject matter, nature and duration of the processing as described above.

 

B. TRANSBORDER DATA PROCESSING

Pursuant to Section 9.3 of the DPA, the Annexes to the SCCs shall be completed as follows:

Annex I, Part A: List of Parties

Data exporter(s):
Name: The entity identified as “Customer” in the DPA
Address: The address for Customer associated with its IDEXX account.
Contact person’s name, position and contact details: The contact details associated with Customer’s IDEXX account.
Activities relevant to the data transferred under these Clauses: See this DPA Schedule, Section A above.
Signature and date: By entering into the DPA, Customer is entering into the SCCs pursuant to Section 9.3 of the DPA.
Role (controller/processor): Controller

Data importer(s):
Name: IDEXX Laboratories, Inc.
Address: One IDEXX Drive, Westbrook, Maine, USA 04092
Contact person’s name, position and contact details: chiefprivacyofficer@idexx.com
Activities relevant to the data transferred under these Clauses: See this DPA Schedule, Section A above.
Signature and date: By entering into the DPA, IDEXX is entering into the SCCs pursuant to Section 9.3 of the DPA.
Role (controller/processor): Processor

Annex I, Part B: Description of Transfer
See this DPA Schedule, Section A above.

Annex I, Part C: Competent Supervisory Authority
Dutch Data Protection Authority

Annex II: Technical and Organizational Measures Including Technical and Organizational Measures to Ensure the Security of the Data
IDEXX’s foundational technical and organizational measures for data protection within its Services are described in the Technical and Organizational Measures below. The technical and organizational measures that IDEXX will impose on subprocessors are described in the DPA.

 

Technical and Organizational Measures

Physical Access Control
Measures to ensure that unauthorized persons will not have physical access to systems used to process Personal Data.

• security guards, doormen
• electronic access control system using proximity access cards
• video surveillance (IP cameras)
• security checks for visitors

System Access Control
Measures to prevent data processing systems from being used without authorization:

• password guidelines (including complexity, minimum length, password reuse and minimum password age)
• automatic log-out or password-protected screensaver after certain time period without user activity
• access authentication and authorization
• firewall, anti-virus protection
• intrusion detection/intrusion prevention
• logging of access

Data Access Control
Measures to ensure that persons authorized to use data processing systems have access only to those data they are authorized to access, and that Personal Data cannot be read, copied, altered or removed without authorization during processing, use and after:

• access control concept (access rights limited by profiles and roles)
• documentation of access rights
• approval and assignment of access rights through authorized personnel only

Data Transfer Control
Measures to ensure that Personal Data cannot be read, copied, altered or removed without authorization during electronic transfer or transport or while being recorded onto data storage media, and that it is possible to ascertain and check which bodies are to be transferred Personal Data using data transmission facilities:

• transport encryption (TLS or VPN)

Data Entry Control
Measures to ensure that it is possible after the fact to check and ascertain whether Personal Data have been entered into, altered or removed from data processing systems and if so, by whom:

• Data is essential read only for reporting purposes once stored in the IDEXX data center

Control of Processors
Measures to ensure that Personal Data processed on behalf of others is processed strictly in compliance with the Controller’s instructions: 

• written data processing agreements (required)

Availability Control
Measures to ensure that Personal Data are protected against accidental destruction or loss:

• backup in separate location
• business continuity/disaster recovery concept
• uninterruptable power supply (UPS)
• Dedicated data center generator with multiple fuel supply contracts
• fire protection & suppression system
• water detection
• redundant air conditioning system

Separation of Data
Measures to ensure that data collected for different purposes can be processed separately:

• clear logical separation of data from data of other Controllers (dedicated data universe)