- Definitions
- In this Agreement, unless otherwise defined or the context otherwise requires, the following expressions shall have the following meanings:
- "Data Protection Law" means all laws and regulations applicable to the Processing of Personal Data, including but not limited to the General Data Protection Regulation (GDPR), and accompanying local regulations.
- "Processing" means anything done to or with Personal Data including, but not limited to, collecting, storing, analyzing, or deleting.
- "Controller" means the person or entity that determines how data should be processed.
- "Members" means individuals using BetterHelp platforms.
- "Processor" means the person or entity Processing information on behalf of the Controller.
- "Personal Data" means any information that is connected or can be connected with the use of additional information to an identifiable individual or household. Personal Data includes, among other things, sensitive personal data: identifiers; medical information; racial, ethnic, religious, sexual, or relationship information; geographic locations; contact information; employment information; and therapy history.
- "Services" means the therapy and other services provided on BetterHelp platforms.
- Definitions imparting the singular number shall include the plural and vice versa and all various tenses.
- Application
- This Agreement shall continue in force indefinitely, subject to termination under this Agreement.
- This Agreement is supplemental to any other separate agreement entered into between the Parties and introduces further contractual provisions to ensure the protection and security of data passed through BetterHelp to You for Processing.
- If there is a conflict between this Agreement and any other agreement entered into between the Parties, then this Agreement shall take precedence for any matter related to Processing.
- Any breach of this Agreement shall be deemed a breach of any other agreement entered into between the Parties.
- By entering into this Agreement, You represent that you understand and will comply with all applicable Data Protection Laws.
- Subject-Matter of the Processing Agreement
- This Agreement authorizes You to Process Personal Data on behalf of BetterHelp. You may only Process the Personal Data that you receive for the purpose of providing Services and complying with the law. As applicable to your location, you are processing this data as a Processor and SubProcessor of BetterHelp, who is the Controller of the Personal Information.
- Under this Agreement BetterHelp will provide you with Personal Data of Members. This Personal Data will include communications from Members, onboarding and enrollment information, data that Members request that we share with You, and other information gathered on the platforms. You will also receive limited Personal Data related to BetterHelp employees to allow BetterHelp to provide You with support.
- Obligations of the Data Importer
- You shall:
- Process Personal Data only to provide the Services or as needed to comply with legal obligations. In no event shall You use any of this Personal Data for purposes other than providing Services, complying with the law, or for any other purposes authorized by BetterHelp.
- Process Personal Data on the documented instructions of BetterHelp, including with regard to any transfer of data to third countries or international organizations unless required to do so by Data Protection Law or other law to which You are subject; in such a case, You shall inform BetterHelp of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest.
- Not permit any other persons to have access to Personal Data for Services, without express consent from BetterHelp to ensure that they are subject to a duty of confidentiality and in accordance with this Agreement.
- At all times, considering the nature of the Processing, implement technical and organizational measures appropriate to the level of risk that shall provide:
- The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services,
- Security against unauthorized or unlawful Processing, access, disclosure, copying, modification, storage, reproduction, display or distribution of Personal Data,
- The ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident,
- A process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing,
- The requirements of the HIPAA Security Rule or GDPR with regard to electronic protected health information where relevant, as applicable.
- Ensure that the security of Personal Data in your possession is backed up by robust policies and procedures and reliable, well-trained staff.
- Ensure that each of its employees, agents, subcontractors, or any other persons acting under Your authority are made aware of Your obligations and duties under this Agreement with regard to the confidentiality, integrity and availability of the Personal Data and shall require that they enter into binding obligations with You in order to maintain the levels of confidentiality, security, and protection provided for in this Agreement.
- Not divulge the Personal Data whether directly or indirectly to any third party without the express documented consent of BetterHelp. This includes that You shall not disclose Personal Data to "ChatGPT" or other AI or machine learning algorithms. Under this Agreement You have express permission to disclose Personal Data as required to meet Your legal obligations.
- Not engage another sub-processor without prior specific or general written authorisation of BetterHelp. In the case of general written authorisation, You shall inform BetterHelp of any intended changes concerning the addition or replacement of other sub-processors, thereby giving BetterHelp the opportunity to object to such changes.
- Ensure where You engage another sub-processor for carrying out specific Processing activities on behalf of BetterHelp, the same data protection obligations herein shall be imposed on that sub-processor by way of a contract or other legal act under Data Protection Law, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of Articles 32 and 28 of the General Data Protection Regulation for Personal Data of Members from the European Union and United Kingdom. Where that other sub-processor fails to fulfill its data protection obligations, You shall remain fully liable to BetterHelp for the performance of that other sub-processor's obligations.
- Assist BetterHelp by technical and organizational measures, insofar as this is possible, for the fulfillment of BetterHelp's obligation to respond to requests for exercising the data subject's rights under Data Protection Law.
- Assist BetterHelp in ensuring compliance with BetterHelp's obligations in respect of security of processing, notification of Personal Data breaches to the appropriate supervisory authority or regulator, communication of Personal Data breaches to the Member, Data Protection impact assessments and prior consultation with the appropriate supervisory authority or regulatory agency where appropriate.
- Immediately and without undue delay notify BetterHelp if any Personal Data is lost or destroyed or becomes damaged, corrupted or unusable, or if there is any accidental, unauthorized, or unlawful processing of Personal Data, or of any Personal Data breach.
- Make available to BetterHelp all information necessary to demonstrate compliance with the Data Protection Laws and the obligations of this Agreement and allow for and contribute to audits, including inspections, conducted by BetterHelp or another auditor mandated by BetterHelp.
- Immediately and without undue delay notify BetterHelp if, in its opinion, it is asked to do something that infringes the Data Protection Laws.
- To the extent applicable for therapists supporting members in the European Union and United Kingdom, maintain a record of all categories of processing activities carried out on behalf of BetterHelp that is compliant with Article 30 of the General Data Protection Regulation.
- To the extent applicable, maintain a record of internal practices, books, and records relating to the use and disclosure of protected health information received from, or created or received by You on behalf of BetterHelp for purposes of HHS and other regulatory agencies determining compliance with the Data Protection Laws and make such documentation available to regulators as needed.
- Where applicable cooperate with the appropriate supervising authority or regulator in the performance of its tasks.
- At the choice of BetterHelp, delete or return all Personal Data to BetterHelp after the end of the provision of services in clause 3.2 relating to the Processing and delete existing copies unless Data Protection Law or other law requires storage of the Personal Data.
- Not sell Personal Data or aggregate or de-identify Personal Data for any purpose other than providing Services.
- You represent and warrant that You shall comply with the terms of this Agreement and all applicable Data Protection Law.
- Obligations of BetterHelp
- BetterHelp represents and warrants that it shall comply with the terms of this Agreement and all applicable Data Protection Law and that it has obtained any and all necessary authorisation to provide the Personal Data to You.
- BetterHelp shall implement appropriate technical and organizational measures that shall provide:
- The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services,
- The ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident,
- A process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
- BetterHelp shall take steps to ensure any natural person acting under the authority of BetterHelp who has access to the Personal Data only processes the Personal Data on documented instructions of BetterHelp.
- BetterHelp may provide You with the Personal Data to which clause 3 of this Agreement refers.
- Personal Data Transfers
- BetterHelp hereby authorizes You to make the following transfers of the Personal Data:
- You may transfer the Personal Data internally to your own members of staff, offices, and facilities.
- You may transfer the Personal Data to Your sub-processors provided that such transfers are for the purposes of providing the Services.
- You may transfer the Personal Data to third countries or international organizations acting as sub-processors provided that such transfers comply with applicable Data Protection Laws.
- Liability
- You shall be liable for and shall indemnify BetterHelp in respect of all action, proceeding, liability, cost, claim, loss, or expense suffered or incurred by, awarded against, or agreed to be paid by, BetterHelp arising directly or in connection with:
- Your failure, or failure by sub-processors engaged by You to carry out Processing activities on behalf of BetterHelp in compliance with Data Protection Laws and this Agreement, and
- Any breach by You of its obligations under this Agreement.
- Termination
- You may terminate this Agreement upon giving 30 days prior written notice to BetterHelp. Upon giving written notice of termination to BetterHelp, You shall return any data received from BetterHelp to BetterHelp forthwith.
- BetterHelp may terminate this Agreement at any time with 30 days prior written notice and immediately if You violate a term of this Agreement.
- Notwithstanding termination the provisions of clause 4 shall survive the termination of this Agreement and shall continue in full force and effect until all data is returned to BetterHelp and in respect of assisting BetterHelp to comply with any of its data protection duties and obligations outlined in clause 4.
- Assignment
- This Agreement shall not be transferred or assigned by either Party except with the prior written consent of the other.
- Jurisdiction
- This Agreement (including any non-contractual matters and obligations arising therefrom or associated therewith) shall be governed by and construed in accordance with the laws of Delaware with respect to the Personal Data of Members in all other jurisdictions and any dispute, proceedings, or claim between the Parties relating to this Agreement shall submit to the exclusive jurisdiction of those courts.