ORMCO CUSTOMER TERMS AND CONDITIONS
INTRODUCTION
UNLESS OTHERWISE EXPRESSLY AGREED IN WRITING, THESE TERMS AND CONDITIONS SHALL APPLY TO ALL SALES BETWEEN ORMCO CORPORATION (AND/OR ITS AFFILIATES AS APPLICABLE) (“ORMCO”) AND ANY CUSTOMER OF ITS PRODUCTS AND/OR SERVICES (“CUSTOMER”) AS WELL AS THE USE OF THE ORMCO DTX PLATFORM (“ORMCO PORTAL”). THE FOLLOWING TERMS AND CONDITIONS OF SALE ARE HEREBY INCORPORATED BY THIS REFERENCE INTO ANY INVOICE ISSUED BY ORMCO TO CUSTOMER AND SHALL GOVERN THE RIGHTS AND OBLIGATIONS OF THE PARTIES WITH RESPECT TO ALL SALES OF PRODUCTS BY ORMCO TO CUSTOMER. CUSTOMER, BY USING THE ORMCO PORTAL OR ACCEPTING DELIVERY OF THE PRODUCTS DESCRIBED IN INVOICE (THE "PRODUCTS") PRESENTED BY ORMCO, ACCEPTS AND AGREES TO ABIDE BY THE TERMS AND CONDITIONS CONTAINED HEREIN. THESE TERMS AND CONDITIONS TAKE PRECEDENCE OVER CUSTOMER'S ADDITIONAL OR DIFFERENT TERMS AND CONDITIONS, TO WHICH NOTICE OF OBJECTION IS HEREBY GIVEN. ACCEPTANCE BY CUSTOMER IS LIMITED TO THESE TERMS AND CONDITIONS. NEITHER ORMCO'S COMMENCEMENT OF PERFORMANCE NOR DELIVERY SHALL BE DEEMED OR CONSTITUTED AS ACCEPTANCE OF CUSTOMER'S ADDITIONAL OR DIFFERENT TERMS AND CONDITIONS, INCLUDING ANY TERMS AND CONDITIONS CONTAINED IN CUSTOMER'S PURCHASE ORDER.
IDENTIFICATION OF CUSTOMER
Subject to the provisions in this paragraph set out below, Ormco’s Customer is the licensed doctor whose username and password are used to access the Ormco Portal (“Customer Doctor”). If a practice, partnership, dental services organization or other legal entity for or with which the Customer Doctor works (“Practice”) is named on Ormco’s invoice(s) and/or the Practice is responsible for payment of Ormco’s invoices then Ormco will assume that the Customer Doctor places orders with the authorization of and on behalf of such Practice and that under these circumstances the Practice is also Ormco’s Customer (“Customer Practice”). The Customer Doctor represents and warrants that they have the authorization to act on behalf of the Customer Practice including to place orders and will communicate the contents of these terms and conditions to the Customer Practice. The Customer Practice will be bound by these terms jointly and severally with the Customer Doctor for all obligations which are obligations of the Customer. Furthermore, Ormco will assume that the Customer Practice is responsible for the patient information or other personal information that is uploaded to the Ormco Portal (“Data Owner”) and where applicable under data protection laws is a controller for the purposes of the Data Processing Addendum set out in the Annexes to these Terms and Conditions.
CREATION OF SPARK AND/OR ORMCO DIGITAL BONDING ACCOUNT AND USE OF ORMCO PORTAL
All Customers must have an active account on the Ormco Portal and all Spark Clear Aligner and Ormco Digital Bonding (“ODB”) cases must be submitted through the Ormco Portal. The Ormco Portal is for use by licensed medical professionals and their staff only and only for the purpose of treating patients with Ormco’s products and services. Each Customer Doctor must be a licensed doctor providing services in the jurisdiction in which they are licensed. Each Customer must be in good standing with Ormco. Ormco reserves the right to remove any Customer’s access to the Ormco Portal or to its goods and services if such Customer is in violation of these Terms and Conditions.
INACTIVE CASES AND/OR ACCOUNT
In the event a Customer has not accessed their Portal account for more than 24 months, Ormco reserves the right to delete such account and any data contained in such account, subject to applicable legal and regulatory requirements.
CASE TRANSFER
In the event Customer wishes to transfer any pending Spark or ODB case to another doctor or practice (“Transfer”), it shall notify Ormco and, together with the transferee, shall complete Ormco’s Spark Case Transfer Authorization Form, available upon request. Where the Customer is a Customer Practice, the Customer Practice as Data Owner will need to authorize the Transfer.
PRICING AND REFINEMENTS
The pricing for each product shall be specified in Ormco’s invoice to Customer. The pricing on Spark Clear Aligners includes the following number of refinements:
- Spark 10: one (1) refinement within five (5) years from delivery of the primary Spark Clear Aligners.
- Spark 20: two (2) refinements within five (5) years from delivery of the primary Spark Clear Aligners.
- Spark Advanced: unlimited refinements within five (5) years from delivery of the primary Spark Clear Aligners, unless Customer elects to Transition to Ormco Brackets (see below).
- Transition to Ormco Brackets: in regions where available, Customer may elect to transition Spark Advanced patients to Ormco brackets and wires (“Ormco Brackets”) for completion of treatment. By doing so, Customer acknowledges and agrees that the Spark Advanced treatment is ending. Customers that elect to transition a Spark Advanced patient to Ormco Brackets will no longer be eligible for Spark refinements.
- Spark On Demand: no refinements are included. Any additional orders, such as refinements or reorders, will be subject to an additional fee.
PROMOTIONS
Promotions may be offered from time to time on the terms and conditions specified in such promotional offer. Promotions may not be combined with any other offers. Promotions are subject to change or cancellation without notice. Promotions are void where prohibited by law.
PAYMENT INFORMATION
Payment is due thirty (30) days after the date of the invoice unless otherwise specified on the front of the invoice. Ormco reserves the right to establish and/or change payment terms extended to Customer when, in Ormco's sole opinion, Customer's financial condition or previous payment record warrants that action.
In the event Customer is sixty (60) days past due, Ormco reserves the right to restrict Customer’s purchase of Ormco product and/or initiation of a new Spark or ODB case.
Security Interest: Ormco retains a security interest in the Products delivered to the Customer, and in their accessories, replacements, accessions, proceeds and products, including accounts receivable (collectively, the "Collateral") to secure payments of amounts and performance due under this invoice. Customer acknowledges that this document or copies of this document may be filed with the appropriate authorities as a financing statement and agrees to execute and deliver such other documents as we may request in order to evidence or perfect our security interest.
Statutory Interest: For products sold in the European Union, any invoice or other outstanding balance not paid within thirty (30) days after the date of the invoice will be subject to a flat fee plus statutory interest payment due pursuant to Directive 2011/7/EU in the amount of the sum of the specific EU Members reference rate plus 8%. For products sold anywhere else in the world, any invoice or other outstanding balance not paid within thirty (30) days after the date of the invoice will be subject to a carrying charge of 1 ½% per month, an amount equal to 18% per annum or the maximum rate permitted by law, whichever is less.
SHIPMENT: TITLE TO GOODS
For all shipments from the United States:
DOMESTIC. All domestic shipments will be made FCA (Incoterms 2020) Ormco's facility. Delivery will be deemed complete and legal title and all risk of loss or damage to the Products will pass to Customer, upon delivery to the carrier. All shipments to Canada will be made DDP.
INTERNATIONAL. All international shipments will be made FCA (Incoterms 2020) Ormco’s Facility. Delivery will be deemed complete and all risk of loss or damage to the Products will pass to Customer when the Products enter international water or airspace or upon delivery to the Customer's designated freight forwarder. Legal title will transfer when products enter international water or airspace.
International waters are defined as twelve (12) nautical miles from the last port of US export.
International air space entry is defined at the time of aircraft departure/wheels up from the last US port of export. Land shipments (rail and truck) will be deemed complete and legal title passed to Customer once the shipment crosses out of the US.
In the event of a dispute, these terms will supersede any terms reflected on shipping documents.
For all shipments from all other locations:
All shipments will be made FCA (Incoterms 2020) Ormco’s Facility. Delivery will be deemed complete and all risk of loss or damage to the Products will pass to Customer upon delivery to the carrier or, in the case of international shipments, when the Products enter international water or airspace or upon delivery to Customer’s designated freight forwarder. Legal title will transfer when products enter international water or airspace.
International waters are defined as twelve (12) nautical miles from the last port of export by Ormco.
International airspace entry is defined at the time of aircraft departure/wheels up from the last port of export by Ormco. Land shipments (rail and truck) will be deemed complete and legal title passed to Customer once the shipment crosses the border out of country of residence of Ormco or Ormco’s affiliate.
In the event of a dispute, these terms will supersede any terms reflected on shipping documents.
RETURNS
Subject to the below, Ormco's non-custom product(s) that are not defective in material or workmanship may be returned at Customer's expense for full credit within thirty (30) days of shipment.
Subject to the below, Ormco's non-custom product(s) that are not defective in material or workmanship being returned within thirty-one to ninety (31-90) days of shipment will receive a full exchange to a product of equal value (as determined by Ormco) and will be subject to a 20% restocking fee.
Product will not be approved for return later than ninety (90) days after shipment.
The foregoing does not apply to the sale of DEXIS scanners. All sales of DEXIS scanners are final and non-refundable.
All returned products must meet the following conditions for credit to be issued:
- (a) Products must be unused, in the original unopened package and in resalable condition;
- (b) Products must be packaged so as to arrive at Ormco's facility undamaged;
- (c) Products must be shipped prepaid and insured for full invoice value;
- (d) Products must be of current design;
- (e) A copy of original invoice must accompany the products along with a note explaining the reason for this return;
- (f) Returns must be accompanied by a Return Material Authorization (RMA) that can be obtained from the Customer Care Department (800-898-6261).
Once Product has been returned and processed, the exchange Product will be issued.
NONRETURNABLE GOODS.
The following products are not returnable: (a) Any custom-made products; (b) Chemical or refrigerated products, (c) DEXIS scanners and training. An order for a custom-made product cannot be cancelled after the Customer has approved the product for manufacture.
INTERNATIONAL RETURNS.
For all international returns approval must be obtained from Customer Care prior to returning product to the United States. In addition to providing a copy of the invoice, the Customer must issue a new pro forma invoice in English to the Import-Export Department to include:
- (a) date of return shipment, Customer name and address; Ormco ship to address; plus the following for each product: product name, part number, quantity, value, country of origin, and schedule B number (all found on Ormco's invoice);
- (b) Statement: "Returned merchandise: value declared for customs purposes only."
- (c) Customers must send a shipment pre-alert to Import-Export Department to include the invoice, air bill, flight details and/or arrival information.
Ormco's Customer Returns Department's evaluation of the condition of products and count are final. When returning all or part of an order to the U.S., enclose a copy of the invoice, and return via a trackable, insurable shipping method to Customer Service Representative for local address.
PRODUCT INQUIRIES
In the event of any Customer inquiry related to a Spark product or service, please contact: gln.creditreturns@kavokerr.com. Additionally, you are welcome to contact our global headquarters at: 200 S. Kraemer Blvd, Brea, CA 92821 or contact your Customer Service Representative.
LIMITED WARRANTY
CUSTOMER MUST ASSUME FULL RESPONSIBILITY FOR THE SELECTION OF THE PRODUCT TO ACHIEVE CUSTOMER'S INTENDED PURPOSES, FOR THE PROPER INSTALLATIONS AND USE OF THE PRODUCT AND FOR VERIFYING THE RESULTS OBTAINED FROM ITS USE.
Ormco assumes no responsibility for, and does not warrant the installation work of others nor does Ormco assume responsibility for overseeing or supervising the work of any person other than its own agents or personnel. All products manufactured are warranted to be free of defects in materials and manufacture for one year from date of delivery, except for Prezurv Plus, whose warranty period is six (6) months from delivery. Any material or manufacture defect covered by this limited warranty which occurs during normal use and is reported to Ormco in writing during the period of one (1) year from the date such product is shipped to the Customer. Ormco's obligation hereunder, upon verification of the defect or error, shall be to provide one of the following: (i) replacement at no charge to Customer; (ii) repair at no charge to Customer; or (iii) credit the purchase price to Customer. Customer must return the original appliance (ensure that the appliance is sterilized and sent in a sterilized bag), original working models (if applicable), along with, in the case of Prezurv Plus, a new prescription sheet detailing the problem encountered. If, upon the inspection of any Ormco product to which this warranty applies, Ormco determines that a claimed defect was not due to its manufacture or materials, Ormco will proceed to service the Ormco product at Customer's expense and approval. This warranty shall be null and void upon service, repair or replacement of any portion of the Ormco product or any modification performed by anyone other than an authorized Ormco service representative, or under the direction of Ormco. Customer must use the Ormco approved hardware with the prescribed Ormco software and must use the Ormco software with the prescribed Ormco hardware. Usage of any Ormco component with any non-prescribed component will render warranty coverage for the Ormco product null and void. 
Any modification of any Ormco product will also render warranty coverage for the Ormco product null and void. Customer's remedies under this limited warranty are exclusive of all others. Ormco's warranty obligation with respect to all components, equipment and accessories which are integrated into an Ormco product and not manufactured by Ormco shall be limited to those express written warranties made to Ormco by manufacturer which Ormco hereby assigns and transfers to Customer.
THE FOREGOING WARRANTY IS MADE IN LIEU OF ALL OTHER WARRANTIES WHATSOEVER WITH RESPECT TO PRODUCT OR SERVICES SOLD HEREUNDER, EXPRESS OR IMPLIED, INCLUDING ANY WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. ALL WARRANTIES SHALL TERMINATE ONE YEAR FROM DATE OF DELIVERY OF PRODUCT TO YOU. THIS WARRANTY GIVES YOU SPECIFIC LEGAL RIGHTS. YOU MAY HAVE OTHERS, WHICH VARY FROM STATE TO STATE.
LIMITATION OF LIABILITY
IN NO EVENT SHALL ORMCO BE LIABLE AND CUSTOMER WAIVES ALL CLAIMS AGAINST ORMCO FOR CONSEQUENTIAL OR SPECIAL DAMAGES, WHETHER OR NOT BASED UPON ORMCO'S NEGLIGENCE OR BREACH OF WARRANTY OR STRICT LIABILITY IN TORT OR ANY OTHER CAUSE OF ACTION ARISING, DIRECTLY OR INDIRECTLY, IN RESPECT TO THE ORMCO PRODUCT OR SERVICES COVERED HEREUNDER, OR THE USE OR FAILURE THEREOF, INCLUDING, BUT NOT LIMITED TO, DAMAGES FOR LOST PROFITS, LOSS OF PRODUCTION OR INJURY TO PERSONS OR PROPERTY. IN ANY EVENT, ORMCO'S MAXIMUM LIABILITY SHALL NOT EXCEED THE PURCHASE PRICE OF THE PRODUCT FURNISHED BY ORMCO WHICH IS THE BASIS OF SUCH A CLAIM.
ORMCO PATENTS
PATENT INDEMNIFICATION
Ormco shall defend any suit or proceeding brought against Customer so far as the same is based on a claim that any product of Ormco's design furnished hereunder or any part thereof, constitutes an infringement of any United States patents, if notified promptly in writing and given authority, information and assistance (at Ormco's expense) for the sole defense and settlement of the same and if such alleged infringement is not the result of a design or other special requirement specified by Customer or the result of the application or use to which such product is put by Customer or others. Ormco will pay all damages and costs awarded in such suit or proceeding against Customer. In case such product or part thereof are in such suit held to infringe any such patent and the use thereof is enjoined, Ormco shall, at its expense and option, either (a) obtain for Customer the right to continue using such product or part thereof, (b) replace the same with non-infringing product, or (c) modify the same so it becomes non-infringing, or (d) remove said product and refund the purchase price, less applicable depreciation, and the transportation and installation cost thereof. The foregoing states the entire liability of Ormco to Customer for patent infringement.
TRADEMARK
Ormco owns certain trademarks, slogans, trade names, service marks and logos (collectively the “Ormco’s Marks”). Customer shall not, without the written permission of Ormco, use Ormco’s Marks; associate its business with any Ormco Marks; register, maintain or use any Internet domain based on, containing, or similar to, Ormco’s Marks; or create or maintain any social media.
DATA PRIVACY
Ormco may transfer personal information to or store it in the United States or other destination outside of the country where it was collected. It may also be processed by staff outside of the country where it was collected who work for us or for one of our suppliers. Such staff may be engaged in, among other things, the fulfilment of your order, the processing of your payment details and the provision of support services. Where we transfer personal information to these countries, we will use appropriate approved safeguards or we will seek your explicit consent. For further information, please do not hesitate to contact us at privacy@ormco.com.
Ormco may collect personal information including name, email address, telephone number, profession or other information in relation to purchases and services that Customer orders from Ormco. Such personal information may be used for business purposes, including to communicate with Customer, fulfil the order, customer service, commercial business analysis and other services such as sending Customer postal or e-mail marketing communications about other products or services that Ormco believes may be of interest. If Customer does not wish to receive such marketing communications please inform Ormco by emailing privacy@ormco.com. Ormco (including its direct and indirect subsidiaries and affiliated companies) acts as a data controller with respect to the collection, use, and other processing of certain data about Customers relating to the relationship between the Customer and Ormco. To the extent permitted under applicable data protection and local employment laws, Ormco collects, uses, and processes personal information for (a) the performance and the administration of the contract agreement between the Customer and Ormco, (b) Ormco’s compliance with its legal obligations, or (c) Ormco’s legitimate business interests.
Ormco does not sell or disclose your personal information to third parties without your consent, except:
- To affiliates and third-party service providers to provide services and information on our sites, including online marketing and advertising, and to support our business operations. We require these parties to handle personal information in accordance with this Privacy Notice.
- To affiliates to offer and provide information about related products and services. We do not share personal data from countries that require consent unless consent has been obtained in advance to sharing with related affiliates. We require these parties to handle personal data in accordance with this Privacy Notice.
- To another company in connection with the sale or transfer of one of our product lines or divisions, which includes the services provided through one or more of Ormco’s affiliates.
- To governing regulatory authorities, including the US Food and Drug Administration, or as may otherwise be necessary for Ormco to comply with a legal obligation or demand.
Customers have the right to access, transfer, object, cancel, review, update, correct and request the deletion or restriction of their own personal information in accordance with applicable law. These rights may be limited in some situations; for example if it is determined not to be feasible to fulfill your request due to a legal requirement. Also, Customers are responsible for informing Ormco if there are any changes or inaccuracies to their personal information. The entire data privacy notice can be accessed online at www.ormco.com. Where Customer provides Ormco with health information or other personal information relating to the Customer’s patients to process on its behalf the paragraph below PATIENT DATA shall apply.
PATIENT DATA
Ormco offers certain products and services, including Insignia™, Spark™, ClearGuide Express™, and Digicast™ where the Customer may provide Ormco with personal information (including protected health information) of Customer’s patients (“Patient Data”).
Customer may be subject to the laws and regulations of one or more jurisdictions, including but not limited to, laws and regulations that may apply to your use, collection, disclosure, storage, transmission, retention of personal information, including health information (together, to “Process” or “Processing”). It is Customer’s responsibility to comply fully with all such applicable laws and regulations including but not limited to laws and regulations that require that Customer obtains and maintain the prior express, informed, written consent of the patient before conducting any personal data processing activity, including transmitting the patient’s data to third parties or to a destination outside the country where it was collected.
By sharing personal information with us to Process on your behalf Customer represents and warrants that (i) they have obtained all such information (including any protected health information and/or patient data) lawfully and, with the patient’s written consent, if necessary, (ii) they have obtained the prior written approval, as required, of every patient for sharing the respective Patient Data with Ormco to Process in accordance with the Data Processing Addendum set out in Annex 2 or Annex 3 as applicable, (iii) they use such Patient Data only for lawful purposes and within the course of dental practice, (iv) they are allowed to transfer such Patient Data to a destination outside the country, province or territory where it was collected, including to Ormco to process on the Customer’s behalf in accordance with the terms of the data processing or business associate agreement set out in the Annex to these terms and conditions and (v) they are compliant with applicable patient rights regulation and legislation, and data protection laws.
Customer will indemnify and hold Ormco harmless against any claim arising out of or related to the processing of personal information on your behalf including the sharing of any Patient Data or cross-border transfer of data that originates from Customer’s instructions.
To comply with applicable laws and to safeguard Patient Data, Ormco has implemented information policies to protect this information, including providing training to personnel with access to this information and conducting background checks on those personnel, implementing building access controls, security procedures as well as computer server security procedures and designed certain products and software with features such as encryption, anti-virus and intrusion detection as well as other measures to assist Customer and vendors in protecting Patient Data.
If the Customer Doctor or Customer Practice is a Covered Entity (as defined in the Health Insurance Portability and Accountability Act (HIPAA)), by accepting these terms, the Customer agrees to be bound by our business associate agreement set out in Annex 1 to this Agreement (HIPAA Business Associate Agreement) which shall form part of this Agreement. This business associate agreement covers Ormco’s relationship to the Customer with regards to certain protected health information, in accordance with the Health Insurance Portability and Accountability Act (HIPAA).
If the Customer is practicing in a country of the European Union, United Kingdom, Norway, Liechtenstein, Iceland, Switzerland, Thailand, India, Japan, Ukraine, Argentina, Saudi Arabia, Chile, Brazil, Colombia, Costa Rica, Taiwan, Mexico, Canada or Australia or Russia, by accepting these terms, the Customer agrees to be bound by our data processing agreement at Annex 2 of this Agreement or Annex 3 (if Customer is practicing in Russia) (Data Processing Addendum), which shall form part of this Agreement. This agreement covers our relationship when we act as a processor of the personal data for which the Customer is a controller or a joint controller, in accordance with the EU General Data Protection Regulation or other applicable data protection laws.
EXPORT CONTROLS AND SANCTIONS COMPLIANCE
In connection with this Agreement, Customer shall comply with all economic sanctions and export controls laws and regulations applicable to the Customer or Ormco, including those of the United States, European Union, and Switzerland. Customer will not export, share, or use the products or services or the Ormco Portal in connection with or involving any patients or other persons (i) located or resident in countries subject to comprehensive U.S. sanctions (at the time of this Agreement, Iran, Syria, Cuba, North Korea, and Crimea and the so-called Donetsk People’s Republic and Luhansk People’s Republic regions of Ukraine); or (ii) targeted or blocked under applicable economic sanctions, including but not limited to persons listed on sanctioned party lists maintained by the United States, European Union, or Switzerland.
GENERAL
Force Majeure. Ormco shall not be liable for delay in performance or for failure to render any performance, and any such delay or failure shall for all purposes be excused, when such delay or failure is caused by governmental regulation, fire, flood, wind, strike, labor disputes, accidents, embargo, riot, act of God, or any other cause or causes, whether of like or different nature, beyond the reasonable control of Ormco. Customer shall bear any costs incidental to Customer's delay or failure in accepting Ormco's product or any other performance.
Established Business Relationship. By purchasing Ormco's product, you have entered into an established business relationship with Ormco formed by the Customer of Ormco's product, and hereby consent to receiving email and facsimile communications from Ormco concerning products and services.
Patented Products. Brackets, molar assemblies and archwires covered by Ormco patents are sold with license for single-use only.
Product Changes. Ormco reserves the right in its sole discretion, to change, update and enhance the products at any time including to add functionality or features, or to remove them from the products. Ormco may also, in its sole discretion, suspend the sale or production of any product.
Governing Law. These terms and conditions shall be governed by and construed in accordance with the laws of the state of California, without regard to conflict of laws principles and Customer hereby submits to the exclusive jurisdiction of the courts located in Orange, California. The parties agree that the UN Convention on Contract for International Sale of Goods will not apply.
Waiver. No failure of either party to exercise any power or right hereunder or to insist upon strict compliance with these Terms and Conditions of Sale, and no custom or practice of the parties at variance with the terms hereof, will constitute a waiver of either party’s right to demand compliance with these Terms and Conditions.
Termination for Default. Ormco may terminate an order, in whole or in part, if Customer is in breach of any term contained in these Terms and Conditions of Sale and fails to remedy within ten (10) of Ormco’s notice.
Effect of Invalidity. The invalidity of any part of any section of the Terms and Conditions of Sale contained herein shall not affect the validity of any other section in whole or in part.
Statute of Limitation. Any action resulting from the breach on the part of Ormco as to any Ormco product delivered hereunder must be commenced within one year after the cause of action has accrued.
MEDICAL JUDGMENT
Use of the Products is subject to the sole responsibility, discretion, and medical judgment of Customer. Customer agrees to indemnify, defend, and hold harmless Ormco from any claims related to Customer’s treatment planning, selection and use of the Products. While Ormco may publish certain protocols in the Ormco Portal, these protocols are only a starting point option for Customer in treatment planning and are not in any way a substitute for Customer’s own exercise of judgment. These published protocols should not be relied upon in place of your own medical judgment. Treatment planning remains within your sole and exclusive discretion as the medical provider.
DISCOUNT & REBATE DISCLOSURE
Federal, state or local law may require the disclosure by Customer of discounts, rebates, or other reductions in price received, directly or indirectly, in claims, charges, or reports made to federal healthcare programs, including Medicare and Medicaid. Customer hereby acknowledges this obligation and warrants and represents that it will properly report and disclose, and appropriately reflect all reduction in price received and all amounts paid hereunder (including all rebates) as discounts to the extent required by applicable state and federal laws and regulations, including the Physician Payments Transparency Requirements of the Patient Protection and Affordable Care Act of 2010, 42 U.S.C. 1320a-7h, and implementing regulations, and the discount “safe harbor” regulations, published at 42 C.F.R. Section 101.952(h).
TERMS SUBJECT TO CHANGE
Ormco may amend any of these Terms and Conditions at its sole discretion by providing notice by posting the revised terms on the Ormco Portal. Your continued use of the Ormco Portal after the effective date of the revised Terms and Conditions constitutes your acceptance of the terms.
ANNEX 1
HIPAA BUSINESS ASSOCIATE AGREEMENT
(only applicable to US customers)
This Business Associate Agreement (“Agreement”) is entered into by and between the Customer Doctor (where applicable on behalf of the Customer Practice) (“Covered Entity”) and Ormco Corporation (“Ormco”) and/or any other affiliated company of our group from which you received Spark Approver Software (collectively “Business Associate”) (collectively referred to herein as the “Parties”), effective as of the date Ormco’s Customer terms and conditions (“Terms and Conditions”) are accepted by the Covered Entity.
WHEREAS, the Business Associate performs certain functions, activities, or services for or on behalf of Covered Entity that involve the use or disclosure of Protected Health Information (as defined herein) and Electronic Protected Health Information (as defined herein) in connection with the products ordered by the Customer (such as Spark Clear Aligner and ODB Cases) under the Terms and Conditions; and
WHEREAS, this Agreement is intended to comply with the requirements of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and implementing regulations, the Standards for Privacy of Individually Identifiable Health Information (the “Privacy Rule”), the Security Standards for the Protection of Electronic Protected Health Information (the “Security Rule”), and the privacy, security and Breach Notification regulations of the Health Information Technology for Economic and Clinical Health (“HITECH”) Act and the HIPAA Omnibus final rule (collectively, the “HIPAA Rules”), as amended from time to time.
NOW, THEREFORE, in consideration of the Parties’ continuing obligations under the Terms and Conditions between the Parties, and other good and valuable consideration, the receipt and sufficiency of which is hereby acknowledged, the Parties agree as follows:
1. DEFINITIONS
Except as otherwise defined herein, any and all capitalized terms in this Agreement shall have the definitions set forth in the Privacy Rule or the Security Rule.
- (A) “Breach” has the meaning given to such term in 45 C.F.R. § 164.402.
- (B) “Business Associate” has the meaning set forth above.
- (C) “Covered Entity” has the meaning set forth above.
- (D) “Designated Record Set” has the same meaning as the term “designated record set” in 45 C.F.R. § 164.501 of the Privacy Rule.
- (E) “Electronic Protected Health Information” (“EPHI”) has the same meaning as the term “electronic protected health information” in 45 C.F.R. § 160.103 of the Security Rule, limited to the information created or received by Business Associate from or on behalf of Covered Entity.
- (F) “Health Information Technology for Economic and Clinical Health (“HITECH”) Act” has the meaning set forth above.
- (G) “HIPAA” has the meaning set forth above.
- (H) “Individual” has the same meaning as the term “individual” in 45 C.F.R. § 160.103 of the Privacy Rule.
- (I) “Privacy Rule” has the meaning set forth above.
- (J) “Protected Health Information (“PHI”)” has the same meaning as the term “protected health information” in 45 C.F.R. § 160.103 of the Privacy Rule (including, without limitation, Electronic Protected Health Information), limited to the information created or received by Business Associate from or on behalf of Covered Entity.
- (K) “Required by Law” has the same meaning as the term “required by law” in 45 C.F.R. § 164.103 of the Privacy Rule.
- (L) “Secretary” means the Secretary of the Department of Health and Human Services or his or her designee.
- (M) “Security Incident” has the same meaning as the term “security incident” in 45 C.F.R. § 164.304 of the Security Rule.
- (N) “Security Rule” has the meaning set forth above.
- (O) “Unsecured PHI” has the meaning given to such phrase in the Breach Notification Rule at 45 C.F.R. § 164.402.
2. OBLIGATIONS AND ACTIVITIES OF BUSINESS ASSOCIATE
(A) Business Associate acknowledges and agrees that all PHI that is created or received by Covered Entity and used by or disclosed to Business Associate or created or received by Business Associate on Covered Entity’s behalf shall be subject to this Agreement.
(B) Business Associate agrees to not use or disclose PHI other than as permitted or required by this Agreement or as Required by Law.
(C) Business Associate agrees to use appropriate safeguards to prevent use or disclosure of PHI other than as provided for by this Agreement.
(D) Business Associate agrees to notify Covered Entity promptly following discovery of any Breach of Unsecured PHI. Business Associate will provide such information to Covered Entity as required in the Breach Notification Rule.
(E) Business Associate agrees to report to Covered Entity any use or disclosure of PHI not provided for by this Agreement or any Security Incident of which it becomes aware.
(F) Business Associate agrees to ensure that any agent, including a subcontractor, to whom it provides PHI received from, or created or received by Business Associate for, or on behalf of, Covered Entity agrees in writing to substantially similar restrictions and conditions that apply through this agreement to Business Associate with respect to such information.
(G) To the extent Business Associate maintains PHI in a Designated Record Set, Business Associate will make such PHI available to Covered Entity within thirty (30) business days of a request by Covered Entity for access to such PHI. For avoidance of doubt, Covered Entity understands and agrees that Business Associate does not maintain any PHI in a Designated Record Set. If an Individual makes a request for access directly to Business Associate, Business Associate will within thirty (30) business days forward such request in writing to Covered Entity. Covered Entity will be responsible for making all determinations regarding the grant or denial of an Individual’s request for PHI and Business Associate will make no such determinations. Only Covered Entity will release PHI to an Individual pursuant to such a request, unless Covered Entity directs Business Associate to do so.
(H) To the extent Business Associate maintains PHI in a Designated Record Set, Business Associate will provide such PHI to Covered Entity for amendment within thirty (30) business days of receiving a request from Covered Entity to amend an Individual’s PHI. For avoidance of doubt, Covered Entity understands and agrees that Business Associate does not maintain any PHI in a Designated Record Set. If an Individual makes a request for amendment directly to Business Associate, Business Associate will within thirty (30) business days forward such request in writing to Covered Entity. Covered Entity will be responsible for making all determinations regarding amendments to PHI and Business Associate will make no such determinations unless Covered Entity directs Business Associate to do so.
(I) Within thirty (30) days of receiving a written request from Covered Entity, Business Associate shall provide to Covered Entity an accounting of the disclosures of the Individual’s PHI in accordance with 45 C.F.R. § 164.528. If an Individual requests an accounting of Disclosures directly from Business Associate, Business Associate will forward the request and its record of Disclosures to Covered Entity within thirty (30) business days of Business Associate’s receipt of the Individual’s request. Covered Entity will be responsible for preparing and delivering the accounting to the Individual. Business Associate will not provide an accounting of its Disclosures directly to any Individual, unless directed by Covered Entity to do so.
(J) Business Associate agrees to make internal practices, books, and records, including policies and procedures and PHI, relating to the use and disclosure of PHI received from, or created or received by Business Associate on behalf of, Covered Entity, available to the Secretary, in a time and manner designated by the Secretary, for purposes of the Secretary determining Covered Entity’s compliance with the Privacy Rule.
3. PERMITTED USES AND DISCLOSURES BY BUSINESS ASSOCIATE
(A) Except as otherwise limited by this Agreement, Business Associate may use or disclose PHI to perform functions, activities or services for or on behalf of Covered Entity as contemplated by the Terms of Sale as well as where applicable disclosing PHI to the Customer’s dental services organization for health care operations purposes provided that such use or disclosure does not violate the Privacy Rule or the HITECH Act if done by Covered Entity.
(B) Except as otherwise limited by this Agreement, Business Associate may use PHI for the proper management and administration of Business Associate or to carry out the present and/or future legal responsibilities of Business Associate.
(C) Except as otherwise limited by this Agreement, Business Associate may disclose PHI for the proper management and administration of Business Associate, provided that disclosures are Required by Law, or Business Associate obtains reasonable assurances from the person to whom the PHI is disclosed that it will remain confidential and be used or further disclosed only as Required by Law or for the purpose for which it was disclosed to the person, and the person notifies Business Associate of any breaches in the confidentiality of the PHI.
(D) Business Associate may use PHI to report violations of law or other conduct to appropriate federal and state authorities or other designated officials, consistent with 45 C.F.R. § 164.502(j)(1).
(E) Business Associate may use PHI to aggregate data as permitted by 45 C.F.R. § 164.504(e)(2)(i)(B).
(F) Business Associate may use PHI to create de-identified information in accordance with 45 CFR § 164.514.
4. OBLIGATIONS OF COVERED ENTITY ON BEHALF OF BUSINESS ASSOCIATE
(A) Covered Entity warrants and represents that it has obtained all necessary authorizations and consents necessary for the Business Associate to carry out the functions contemplated by this Agreement.
(B) Covered Entity shall notify Business Associate of any limitation(s) in its notice of privacy practices within fifteen (15) business days of Covered Entity’s receipt of the Individual’s request in accordance with 45 C.F.R. § 164.520, to the extent that such limitation(s) may affect Business Associate’s use or disclosure of PHI.
(C) Covered Entity shall notify Business Associate of any changes in, or revocation of, permission by an Individual to use or disclose PHI within fifteen (15) business days of Covered Entity’s receipt of the Individual’s request, to the extent that such changes may affect Business Associate’s use or disclosure of PHI.
(D) Covered Entity shall notify Business Associate of any restriction to the use or disclosure of PHI that it has agreed to within fifteen (15) business days of Covered Entity agreeing to such restriction in accordance with 45 C.F.R. § 164.522, to the extent that such restriction may affect Business Associate’s use or disclosure of PHI.
(E) Covered Entity shall not request that Business Associate use or disclose PHI in any manner that would not be permissible under HIPAA if done by a Covered Entity (unless permitted by HIPAA for a business associate).
(F) Covered Entity is responsible for implementing appropriate privacy and security safeguards to protect its PHI in compliance with HIPAA.
5. SECURITY RULE AND HITECH ACT RESPONSIBILITIES OF THE BUSINESS ASSOCIATE.
With regard to its use and/or disclosure of ePHI, Business Associate hereby agrees to do the following:
(A) Comply with the applicable requirements of the Security Rule.
(B) Require all of its subcontractors and agents that create, receive, maintain, or transmit ePHI on behalf of Business Associate to agree, in writing, to adhere to substantially similar restrictions and conditions concerning ePHI that apply to Business Associate pursuant to Section 5 of this Agreement.
(C) Report to Covered Entity any Security Incident of which it becomes aware. Specifically, Business Associate will report to Covered Entity any successful unauthorized access, Use, Disclosure, modification, or destruction of ePHI or interference with system operations in an information system containing ePHI of which Business Associate becomes aware within thirty (30) business days of Business Associate learning of such Security Incident. The parties agree that this Section serves as notice by Business Associate to Covered Entity of the ongoing existence of attempted but Unsuccessful Security Incidents (as defined below), for which no additional reporting is required. For purposes of this Agreement, “Unsuccessful Security Incidents” include but are not limited to activity such as “pings” and other broadcast attacks on Business Associate’s firewall, port scans, unsuccessful log-on attempts, denials of service and any other attempts to penetrate such computer networks or systems that do not result in unauthorized access, use or disclosure of ePHI.
6. TERM AND TERMINATION
(A) The Term of this Agreement shall be in effect as of the Effective Date set forth above, and shall terminate when all the PHI provided by Covered Entity to Business Associate, or created or received by Business Associate for or on behalf of Covered Entity, is destroyed or returned to Covered Entity or, if it is infeasible to return or destroy the PHI, protections are extended to such information, in accordance with the termination provisions in this Section 6.
(B) If Covered Entity or Business Associate knows of a material breach or violation by the other party of any provision of this Agreement, then the non-breaching party shall provide written notice of the breach or violation to the other party that specifies the nature of the breach or violation. The breaching party must cure the breach or end the violation within thirty (30) days after receipt of the written notice. In the absence of a cure reasonably satisfactory to the non-breaching party, then the non-breaching party may terminate this Agreement between the parties.
(C) Effect of Termination.
- (i) Except as provided in paragraph (ii) of this Section, upon termination of this Agreement, for any reason, Business Associate shall return or destroy all PHI received from Covered Entity, or created or received by Business Associate for or on behalf of Covered Entity. This provision shall apply to PHI that is in the possession of subcontractors or agents of Business Associate. Business Associate shall retain no copies of the PHI.
- (ii) In the event that Business Associate determines that returning or destroying the PHI is infeasible, Business Associate shall extend the protections of this Agreement to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such PHI.
7. NOTIFICATION
(A) With respect to notices pursuant to paragraph 2(D) above, notice shall be made by telephone to the telephone number associated with Covered Entity’s account, followed promptly by a written notice as described below.
(B) Any notices required or provided for under this Agreement shall be made in writing and shall be either personally delivered, mailed by first class mail or sent via facsimile or electronic mail to the appropriate individual identified below:
- For Covered Entity: Your address
- For Business Associate: 200 S Kraemer Blvd, Brea, CA 92821, United States or privacy@ormco.com
Either Party may designate a different address in writing to the other.
8. REGULATORY REFERENCES
A reference in this Agreement to a section in the Privacy Rule, the Security Rule or the HITECH Act means the section as in effect or as amended.
9. SURVIVAL
The respective rights and obligations of the Business Associate under Section 6 of this Agreement shall survive the termination of this Agreement.
10. INTERPRETATION
Any ambiguity in this Agreement shall be resolved to permit compliance with the HIPAA Rules. Any conflict between the terms of this Agreement and any other agreement relating to the same subject matter shall be resolved so that the terms of this Agreement supersede and replace the relevant terms of any such other agreement.
11. COUNTERPARTS
This Agreement may be executed in counterparts which, when all signatures are assembled, shall have the same effect as a single, fully-executed agreement. Facsimile and photocopy signatures shall have the same binding effect as manual signatures.
12. SEVERABILITY
The provisions of this Agreement shall be severable, and if any provision of this Agreement shall be held or declared to be illegal, invalid or unenforceable, the remainder of this Agreement shall continue in full force and effect as though such illegal, invalid or unenforceable provision had not been contained herein.
13. GOVERNING LAW
Except to the extent that the HIPAA Rules or other federal law applies, this Agreement and the obligations of the Parties hereunder will be governed by and interpreted in accordance with the laws of the State of California.
14. EFFECT
This Agreement amends, restates and replaces in its entirety any prior business associate agreement between the parties. This Agreement supersedes all prior or contemporaneous written or oral contracts or understandings between the parties relating to their compliance with health information confidentiality laws and regulations, including HIPAA and HITECH.
15. NO AGENCY RELATIONSHIP
It is not intended that an agency relationship (as defined under the federal common law of agency) be established hereby expressly or by implication between Covered Entity and Business Associate under HIPAA or the Privacy Rule, Security Rule, or Breach Notification Rule. No terms or conditions contained in this BAA shall be construed to make or render Business Associate an agent of Covered Entity.
ANNEX 2
DATA PROCESSING ADDENDUM
This Data Processing Addendum (“Addendum”) is made by and between the Customer Doctor (where applicable on behalf of the Customer Practice) (“Customer”) and Ormco Corporation and/or any other affiliated company of our group from which you received the Spark Approver Software of 200 S Kraemer Blvd, Brea, CA 92821, United States (“Company”). For good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, Customer and Company agree as follows:
1. This Addendum shall apply to all Processing of Personal Data by the Company on behalf of the Customer, as described in Appendix 1 and Appendix 2 of this Addendum and which are an integrated part of this Addendum. In case of any direct conflict between this Addendum and the terms and conditions of sale, the terms of this Addendum shall prevail. In this Addendum Company will act as Processor to the Customer who can act either as Controller or Processor of Personal Data depending on whether the Customer Doctor or the Customer Practice is Ormco’s Customer. This DPA constitutes Customer’s documented instructions regarding Company’s processing of Personal Data (which if Customer Doctor is acting as a processor, could be based on the instructions of the Customer Practice.)
Unless the context dictates otherwise, all terms which are not defined in this Addendum shall have the meaning ascribed to them in the Agreement. For the purpose of this Addendum, Data Processor, Data Subject, Personal Data Breach, and Processing (or equivalent terms used in Applicable Data Protection Laws) have the meanings ascribed to them or to the equivalent terms in the European Union (“EU”) General Data Protection Regulation 2016/679 (“GDPR”) and in Applicable Data Protection Laws. Applicable Data Protection Laws means all applicable UK, Swiss, EEA, EU, EU Member State laws, Ukraine, Thailand, Taiwan, Japan, Indian, Mexican, Argentina, Saudi Arabia, Chile, Brazil, Colombia, Costa Rica, Australian or Canadian laws and regulations relating to the privacy, confidentiality, security or protection of Personal Data as replaced from time to time, including, without limitation, (i) the GDPR and EU Member State laws supplementing the GDPR, (ii) the EU Directive 2002/58/EC (e-Privacy Directive), and EU Member State laws implementing the e-Privacy Directive, including laws regulating the use of cookies and other tracking technologies and (iii) the Federal Law of the Protection of Personal Data Held by Private Parties (“LFPDPPP”) in Mexico, (iv) the Act on the Protection of Personal Information (“APPI”) in Japan, (v) the Personal Data Protection Act 2019 (“PDPA”) in Thailand, (vi) the Personal Data Protection Law No. 25,326 (“PDPL”) in Argentina, (vii) the Personal Data Protection Law (“PDPL”) in Saudi Arabia, (viii) Law No. 19,628, on the Protection of Private Life (“Data Protection Law” or “DPL”) in Chile, (ix) General Data Protection Law in Brazil (“LGPD”), (x) in Colombia Law 1581 of 2012 regulates the general dispositions for the protection of personal data, and Decree 1377 of 2013 partially regulates Law 1581 of 2012, which establishes general provisions for the protection of personal data, (xi) Law on the Protection of Persons Regarding the Processing of their Personal Data (“CR Data Protection Law”) in Costa Rica and (xii) the Personal Data Protection Act in Taiwan (“Taiwan PDPA”) (xiii) the Privacy Act 1988 (Cth) including the Australian Privacy Principles other than Australian Privacy Principle 1 and (xiv) the Personal Information Protection and Electronic Documents Act (“PIPEDA”) and substantially similar private sector and public sector laws, as well as provincial laws regarding the protection of personal health information in Canada (the “Canadian Data Protection Laws”) and (xv) the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 ("Data Privacy Rules") and the Digital Personal Data Protection Act, 2023 and any rules/ regulations prescribed under it (together, "DPDPA") in India. Personal Data means any information relating to an identified or identifiable natural person that is obtained or accessed by Company as contemplated by the Agreement and references to "personal data" should be read as references to "personal information" under the Privacy Act 1988 (Cth) or other Applicable Data Protection Laws as necessary.
2. In circumstances in which Company Processes Personal Data as a Data Processor under the Agreement, Company shall:
(A) Process, use or apply the Personal Data only in accordance with the documented instructions of Customer, unless Company is required to do otherwise by applicable law, in which case Company shall inform Customer of the relevant legal requirement before Processing the Personal Data unless informing Customer is prohibited by applicable law on important grounds of public interest;
(B) Comply with the Applicable Data Protection Laws in connection with the processing of Personal Data pursuant to this Agreement;
(C) Ensure that Company’s employees or subcontractors authorized to Process the Personal Data have committed themselves in writing to confidentiality or are under an appropriate statutory obligation of confidentiality and do not transfer Personal Data to unauthorized third-parties;
(D) Take and maintain written technical, physical and organizational security measures necessary to ensure the protection of the Personal Data and that are appropriate to (i) the size, scope and type of Company’s business; (ii) the type and sensitivity level of Personal Data; and (iii) the need for security and confidentiality of such Personal Data;
(E) Taking into account the nature of the Processing, assist Customer, by appropriate technical, physical and organizational measures, insofar as this is possible, in fulfilling Customer’s obligation to respond to Data Subjects’ requests for exercising their rights under Applicable Data Protection Laws;
(F) Where required to do so by Applicable Data Protection Law notify the Customer promptly upon becoming aware of the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data processed under this Agreement;
(G) Assist Customer in complying with its obligations relating to data security, Personal Data Breaches (including promptly notifying Customer in accordance with Applicable Data Protection Laws) and data protection impact assessments, taking into account the nature of the Processing and the information available to Company;
(H) At Customer’s choice, delete or return all Personal Data to Customer after the end of the term of the Agreement, and delete existing copies, unless applicable law requires storage of the Personal Data;
(I) Make available to Customer, for inspection on Company’s premises only, the information necessary to demonstrate compliance with the obligations set out in this Addendum and allow for and contribute to audits conducted by Customer or another auditor mandated by Customer and approved by Company, provided that Customer gives Company at least 30 days’ prior written notice of its intention to carry out an audit. This notice shall include a detailed work plan for the audit. Any third party involved in the audit must agree to Company’s confidentiality undertakings and Customer will bear all costs and expenses incurred by Company in connection with the audit;
(J) Company shall immediately inform Customer if, in Company’s opinion, an instruction provided by Customer infringes Applicable Law; and
(K) Company shall produce and keep written records for any processing activities relating to Personal Data.
3. Customer agrees that Company may subcontract its Processing operations performed on behalf of Customer under the Agreement. Prior to providing any subcontractor access to Personal Data, Company shall require such subprocessor to enter into a written agreement that imposes the same data protection obligations as set out in this Addendum. Upon Customer’s request, Company shall provide Customer with the list of subprocessors authorized to access Personal Data in connection with the Agreement. Company shall inform Customer of any intended changes concerning the addition or replacement of other subprocessors, thereby giving Customers the opportunity to object to such changes. Company will notify Customer of any intended changes concerning the addition or replacement of its subprocessors and provide Customer with the opportunity to object to such changes. If Customer reasonably objects to a subprocessor, Customer must inform Company within seven (7) days. If Company is unable to resolve Customer’s objection, either party may, upon notice and without liability, terminate the Processing operations that use the objected-to subprocessor.
4. Customer agrees that Company may transfer Personal Data outside of the European Economic Area or Switzerland or the United Kingdom for the purpose of fulfilling its obligations to Customer under the Agreement and on the condition that Company has implemented appropriate safeguards for the transfer of the Personal Data in accordance with Applicable Data Protection Laws. Customer (as "data exporter") and ORMCO (as "data importer"), with effect from the commencement of any relevant transfer, hereby enter into the Standard Contractual Clauses set out in Commission Implementing Decision (EU) 2021/914 of 4 June 2021, with Module Two (Transfer controller to processor selected including its annexes) as the same are revised or updated from time to time by the European Commission ("SCCs") in respect of any transfer to ORMCO where such transfer would otherwise be prohibited by the GDPR in the absence of the SCCs. The SCCs are incorporated by reference as if set out fully within this Addendum. Clauses 17 and 18 to the SCCs shall be deemed to be pre-filled with the information on data processing described in this Addendum and in particular Appendix 1. The information on supervisory authorities in Section C shall be deemed to be pre-filled with the competent supervisory authority for the respective Contracting Party and the Customer agrees that the Company may engage Sub-Processors in accordance with Option 2 of SCC Clause 9(a). Annex II to the SCC shall be deemed to be pre-filled with the following wording: "Taking into account the state of the art, the implementation costs and the nature, scope, context and purposes of the processing, as well as the varying likely risks to the rights and freedoms of natural persons, the Processor shall ensure a level of security appropriate to the risk, including, where relevant, the specific controls described in Article 32(1)(a) to (d) of the GDPR and including any other controls required under applicable data protection laws".
Annex III to the SCC shall be deemed to be pre-filled with the information on data processing described in Appendix 1.
5. For Japan only, when Japanese data protection laws apply, Customer agrees that Company may transfer Personal Data outside of Japan in accordance with Appendix 1. Please refer to the brief summary of data protection laws in the US disclosed by the Personal Information Protection Commission in Japan at: https://www.ppc.go.jp/files/pdf/USA_report.pdf.
6. For Canada only, Customer shall be solely responsible for ensuring that Personal Data can be lawfully transferred to Company and transferred by Company to its sub-processors, including by providing adequate notice of such transfers and obtaining Data Subjects' meaningful consent, using the Company’s privacy policy and patient consent form, as applicable. Customer shall be solely responsible for any transfer of Personal Data to third party recipients initiated by its authorized users and/or representatives using the Spark Approver Software and other applicable services under the Agreement. Finally, unless prohibited from doing so under Applicable Law, Company shall promptly notify Customer about any legally binding request for disclosure of Personal Data by a law enforcement authority, a governmental or other regulatory authority and shall refrain from disclosing same until instructed in writing to do so by Customer.
7. For Brazil only, the parties undertake to perform the international transfer of Personal Data according to one of the mechanisms foreseen in article 33, provided by LGPD, and in accordance with future regulations issued by the Brazilian Data Protection Authority (ANPD).
8. For India only, Customer agrees that the Company may transfer personal data outside of India in accordance with the Data Privacy Rules and only to an entity that ensures the same level of data protection provided for under the Data Privacy Rules.
9. For Australia, where the Privacy Act 1988 (Cth) applies, the Customer agrees that Company may transfer Personal Data outside of Australia in accordance with Appendix 1 where the Company agrees that any such Personal Data will be processed by the Company as though the Company is bound by, the Australian Privacy Principles (other than Australian Privacy Principle 1) set out in the Privacy Act 1988 (Cth).
10. This Addendum shall come into effect upon the effective date of the Agreement and shall expire or terminate concurrently therewith. Termination or expiration of this Addendum shall not discharge Company from its confidentiality and data protection obligations until Personal Data is anonymized, returned to Customer or destroyed.
APPENDIX 1
This Appendix constitutes the Customer’s instruction to Ormco in connection with Ormco’s Data Processing for the Customer and is an integrated part of the Data Processing Addendum.
The processing of Personal Data
1. Purpose and nature of the processing
- To provide the Customer the use of the Spark Portal cloud storage and organization of patient’s dental data and treatment plans for the purposes of designing, manufacturing and delivering aligners.
- To facilitate the functionality and use of the Spark Approver Software and for storage.
- To anonymize in accordance with Applicable Data Protection Laws, personal data for further use for research, development or improvement of the software or the design and manufacturing of aligners.
- To facilitate providing support to the Customer in relation to the use of the Spark Approver Software, Spark Portal or the design or manufacturing of the aligners.
- To analyse performance and usage of the Spark Portal for statistical and improvement purposes.
- As applicable to provide business reports on the Customer Doctor’s Spark Clear Aligners and ODB cases to the Customer Practice.
2. Categories of Data Subjects
- Dentists or employees of the Customer
- Patients treated by the Customer
3. Categories of Personal Data
- Name, date of birth, address, case treatment number
- IP address, software usage
4. Special categories of data (sensitive personal information)
- Dental treatment plan
5. Locations of data processing
- Europe, United States, Costa Rica, Mexico, China, Russia, India or as detailed in the Customer Agreement
6. Duration of processing
- As set out in the customer terms and conditions, which shall not exceed the expiration of the termination of the Agreement.
APPENDIX 2
SUB-PROCESSORS
United States: Amazon Web Services
United Kingdom: HCL Technologies Corporate Services Limited
India: HCL Technologies Limited
Netherlands: Ormco BV
Mexico: SDS de Mexico, S. de R.L. de C.V.
Costa Rica: EH Dental Services Costa Rica Sociedad de Responsabilidad Limitada
China: Kavo Kerr Dental (Suzhou) Co., Ltd.; Kavo (SiChuan) Medical Co, Ltd.
Russia: Ormco LLC
Finland: PaloDex Group OY
ANNEX 3: RUSSIA: DATA PROCESSING ADDENDUM
This Data Processing Addendum (“Addendum”) is made by and between Customer Doctor (where applicable on behalf of the Customer Practice) (“Customer”) and Ormco Corporation and/or any other affiliated company of our group from which you received access to the Ormco Portal or the Spark Approver Software, 200 S Kraemer Blvd, Brea, CA 92821, United States (“Company”). For good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, Customer and Company agree as follows:
1. This Addendum shall apply to all Processing of Personal Data by the Company as described in Appendix 1. Company will act as Processor to the Customer who can act either as Controller or Processor of Personal Data depending on whether the Customer Doctor or the Customer Practice is Ormco’s Customer. This DPA constitutes Customer’s documented instructions regarding Company’s processing of Personal Data (which if Customer Doctor is acting as a processor, could be based on the instructions of the Customer Practice). In case of any direct conflict between this Addendum and the Agreement, the terms of this Addendum shall prevail.
2. For the purpose of this Addendum, Data Controller, Data Processor (entity acting on behalf of the Data Controller), Data Subject, and Processing have the meanings ascribed to them in Federal Law No. 152-FZ “On Personal Data” dated 27 July 2006 (“Personal Data Law”). Applicable Law means (i) all applicable laws and regulations of the Russian Federation relating to the privacy, confidentiality, security or protection of Personal Data, including, without limitation, Personal Data Law, (ii) to the extent applicable, the GDPR and EU Member State laws supplementing the GDPR, (iii) to the extent applicable, the EU Directive 2002/58/EC (e-Privacy Directive), as replaced from time to time, and EU Member State laws implementing the e-Privacy Directive, including laws regulating the use of cookies and other tracking technologies, and (iv) other laws and regulations applicable to the Company relating to the privacy, confidentiality, security or protection of Personal Data. Personal Data means any information relating to an identified or identifiable natural person that is obtained or accessed by Company as contemplated by the Agreement.
3. The purpose of Personal Data Processing is prescribed by Appendix 1 to this Addendum.
4. In circumstances in which Company Processes Personal Data as a Data Processor under the Agreement, Company shall:
(A) Observe rules and principles of Personal Data Processing under Personal Data Law.
(B) Process Personal Data only to fulfil its obligations to the Customer under the Agreement and in accordance with the documented instructions of Customer, unless Company is required to do otherwise by Applicable Law, in which case Company shall inform Customer of the relevant legal requirement before Processing Personal Data unless informing Customer is prohibited by law on important grounds of public interest.
(C) Perform the following list of actions (operations) in relation to the processing of Personal Data under this Addendum: collect, record, systematize, accumulate, store, clarify (update, amend), extract, use, provide, depersonalize, block, delete, and destroy Personal Data.
(D) Ensure that Company’s employees or subcontractors authorized to Process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
(E) Take security measures required pursuant to Article 19 of the Personal Data Law depending on the applicable circumstances and appropriate level of protection of Personal Data, in particular:
- Identifying threats to the safety of the Personal Data when Processing the Personal Data in Personal Data processing systems.
- Utilizing organizational and technical measures to ensure the safety of the Personal Data when Processing the Personal Data, said measures being required to comply with the requirements for the protection of Personal Data, the fulfilment of which guarantees reaching the required levels of protection of Personal Data.
- Identifying instances of unsanctioned access to the Personal Data and implementing measures.
- Restoring Personal Data that has been modified or destroyed as a result of unsanctioned access to the Personal Data.
- Establishing rules for accessing the Personal Data being processed in a Personal Data information system, as well as by registering and recording all actions performed with the Personal Data in the Personal Data information system.
- Control over the measures implemented to ensure the safety of the Personal Data and the levels of protection of Personal Data information systems.
- Other measures which are necessary for the protection of Personal Data.
(F) Take security measures required under the Decree of the Government of the Russian Federation No. 687 dated 15 September 2008 “On Approval of the Regulations on the specifics of the processing of Personal Data carried out without the use of automation” in case of Personal Data Processing carried out without the use of automation (for example, paper documents) in particular:
- The Company must carry out the hardcopy Processing of Personal Data in such a manner which allows for the location of where each category of Personal Data is stored to be tracked/determinable, and the Company must establish a list of individuals who process/will process the Personal Data or that have access to the Personal Data.
- The Company shall ensure the separate storage of Personal Data that is processed for different purposes.
- The Company shall ensure the safety of the Personal Data stored by the Company. In particular, the Company shall ensure that there is no unsanctioned access to the Personal Data.
(G) Taking into account the nature of the Processing, assist Customer, by appropriate technical and organizational measures, insofar as this is possible, in fulfilling Customer’s obligation to respond to Data Subjects’ requests for exercising their rights under the Personal Data Law with respect to their Personal Data;
(H) Assist Customer in complying with its obligations according to the Personal Data Law, taking into account the nature of the Processing and the information available to Company.
(I) At Customer’s choice, delete or return all Personal Data to Customer after the end of the term of the Agreement, and delete existing copies, unless Applicable Law requires storage of Personal Data.
(J) Make available to Customer, for inspection on Company’s premises only, the information necessary to demonstrate compliance with the obligations set out in this Addendum and allow for and contribute to audits conducted by Customer or another auditor mandated by Customer and approved by Company, provided that Customer gives Company at least 30 days’ prior written notice of its intention to carry out an audit. This notice shall include a detailed work plan for the audit. Any third party involved in the audit must agree to Company’s confidentiality undertakings and Customer will bear all costs and expenses incurred by Company in connection with the audit; and
(K) Company shall immediately inform Customer if, in Company’s opinion, an instruction provided by Customer infringes Applicable Law.
(1) In circumstances in which the Customer acts as a Data Controller under this Addendum, the Customer shall:
(a) ensure compliance with localization requirements, i.e., performing initial collection, recording, systematizing, accumulating, storing, clarifying (updating, amending) and extracting Personal Data of Russian citizens using databases located on the territory of the Russian Federation;
(b) be solely responsible for the accuracy, quality, integrity and legality of Personal Data and of the means by which it acquired the Personal Data and shall ensure that all instructions given by it to the Company in respect to the Personal Data will be in compliance with Applicable Law; and
(c) warrant that, in accordance with the effective legislation, it has received all necessary consent from the Data Subjects or has other grounds to process their Personal Data and transfer them to the Company/subcontractors, and the Data Subjects are aware that the Company/subcontractors will process their Personal Data.
2. Customer agrees that Company may subcontract its Processing operations performed on behalf of Customer under the Agreement. Prior to providing any subcontractor access to Personal Data, Company shall require such subcontractor to enter into a written agreement that imposes the same data protection obligations as set out in this Addendum. Upon Customer’s request, Company shall provide Customer with the list of subcontractors authorized to access Personal Data in connection with the Agreement.
3. Customer agrees that Company may transfer Personal Data outside of Russia for the purpose of fulfilling its obligations to Customer under the Agreement and on the condition that Company has implemented appropriate safeguards for the transfer of the Personal Data in accordance with Applicable Law.
APPENDIX 1
This Annex constitutes the Customer’s instruction to Ormco in connection with Ormco’s Data Processing for the Customer and is an integrated part of the Russia Data Processing Addendum.
The processing of Personal Data
1. Purpose and nature of the processing
- To provide the Customer the use of the Ormco Portal and cloud storage and organization of patient’s dental data and treatment plans for the purposes of designing, manufacturing and delivering aligners.
- To facilitate the functionality and use of the Spark Approver Software as well as for the purpose of storage.
- To anonymize the personal data for further use for research, development or improvement of the software or the design and manufacturing of aligners.
- To facilitate providing support to the Customer in relation to the use of the Spark Approver Software or the design or manufacturing of the aligners.
- To analyze performance and usage of the software for statistical and improvement purposes.
- As applicable to provide business reports on the Customer Doctor’s Spark Clear Aligners and ODB cases to the Customer Practice.
2. Categories of Data Subjects
- Dentists or employees of the Customer
- Patients treated by the Customer
3. Categories of Personal Data
- Name, date of birth, address, case treatment number
- IP address, software usage
4. Special categories of data
- Dental treatment plan
5. Locations of data processing:
- Europe, United States, Costa Rica, Mexico, China, Russia, India or as detailed in the Customer Agreement
6. Duration of processing
- Per Ormco Customer Terms and Conditions