Skip to content
Professional solutions
Professional solutions Buy Now
Buy Now
Professional solutions Buy Now

GENERAL TERMS AND CONDITIONS OF SALE AND SOFTWARE LICENSE (“Conditions of Sale”)

1. Initial Provisions

1.1. The Products (equipment, service, and software) offered by Heartstream Netherlands B.V. (“Heartstream”) are subject to these Conditions of Sale.
1.2. The purchase prices set out on the quotation are net of all taxes. All taxes on the Products will be borne by the Customer.

2. Quotation, Order, Invoicing, and Payment

2.1. Any quotation on the Products will be open for acceptance within the period indicated therein and may be amended or revoked by Heartstream prior to Customer’s acceptance. Any purchase orders shall be subject to Heartstream’s confirmation in writing. Any terms and conditions set forth on the Customer’s purchase order or otherwise issued by the Customer shall not apply to the Products.
2.2. Unless otherwise agreed in the quotation or elsewhere, Heartstream shall invoice Customer for Products or consumables as follows:

2.2.1. In regard to Products:

i. 25% of the purchase price shall be due for invoicing on receipt of the Customer purchase order;
ii. 80% of the purchase price shall be due for invoicing on delivery of the Products at Customer’s site or Heartstream’s warehouse, subject to Clause 6.2 of these Conditions of Sale;
iii. 100% of the purchase price shall be due for invoicing on completion of installation or signed handover certificate.

2.2.2. In regard to consumables:

i. 80% of the purchase price shall be due for invoicing on receipt of the Customer purchase order;
ii. 100% of the purchase price shall be due for invoicing on delivery of the consumables at Customer’s site or Heartstream’s warehouse, subject to Clause 6.2 of the Conditions of Sale.

2.3. Payment of all invoices shall be due net 30 days of the date of each invoice.
2.4. Where any other amount is payable to Heartstream pursuant to these Conditions of Sales, Heartstream may invoice such amount as when it becomes due.
2.5. Interest will apply to any late payments at the maximum rate permitted by applicable law. If the Customer fails to pay any amounts due or breaches these Conditions of Sale, Heartstream will be entitled to suspend the performance of its obligations and deduct the unpaid amount from any amounts otherwise owed to Customer by Heartstream, in addition to any other rights or remedies available to Heartstream. Heartstream shall be entitled to recover all costs and expenses, including reasonable attorneys’ fees related to the enforcement of its rights or remedies.
2.6. Customer has no right to cancel an order, unless such cancellation right is granted to the Customer by mandatory law in which case the Customer shall pay the costs incurred by Heartstream up to the date of cancellation. In other cases of cancellation, the agreed price shall remain due and payable.
2.7. Heartstream may adjust customer list pricing and (or) net pricing, in accordance with the consumer price index published by the Statistics Netherlands (CBS). Heartstream shall give thirty (30) days prior written notice before implementing any adjustment to pricing, such adjustment shall not be retroactive and cannot start before the first year of contract.

3. Retention of title until full payment

The title to the Products shall remain vested in Heartstream until the payment of the purchase price by the Customer.

4. Technical changes; obsolescence of the Product

Heartstream may make changes to the design or specifications of the Products at any time, provided such change does not adversely affect the performance of the Products. If a Product becomes obsolete before the delivery date, Heartstream shall endeavor to provide equivalent replacement Products at similar prices but shall have no liability whatsoever if no replacement is available.

5. Lease and Trade-In

5.1. If the Customer desires to convert the purchase of any Products to a lease, the Customer shall within ninety (90) days prior to the delivery of the Products provide all relevant rental documents for review and approval by Heartstream. Heartstream may provide the rental agreement at its discretion.
5.2. If Customer will be trading-in equipment (“Trade-In”), then:

5.2.1. Customer must possess good and marketable title to the Trade-In as of the date of the quotation and when Heartstream takes possession of the Trade-in from Customer’s site. If Customer is in breach of this undertaking, Customer shall not be entitled to keep a trade-in credit for such Trade-In and shall promptly refund Heartstream such credited amounts upon receipt of an invoice from Heartstream.
5.2.2. The trade-in value set forth on Heartstream quotation is conditioned upon Customer providing Trade-In no later than the date Heartstream makes the new Product listed on such quotation available for first patient use. Customer shall bear the costs of any reduction in trade-in value arising due to a delay by the Customer causing the trade-in not to occur by the expected date and promptly pay the revised invoice.
5.2.3. If Heartstream receives a Trade-In having a different configuration (including software version) or model number than the Trade- In described on the Heartstream quotation, Heartstream may adjust the trade in value and revise the invoice accordingly and Customer shall pay such revised invoice promptly upon receipt.
5.2.4. Customer must (i) clean and sanitize all components that may be infected and all biological fluids from the Trade-In and (ii) delete all personal data in the Trade-In. Customer will reimburse Heartstream against any out-of-pocket costs incurred by Heartstream arising from Customer’s breach of its obligations herein.

6. Shipment and delivery date

6.1. Heartstream shall deliver the Products in accordance with the Incoterms set forth on the quotation. If Heartstream and the Customer agree any other terms of delivery, additional costs shall be for the account of the Customer.
6.2. Heartstream will make reasonable efforts to meet delivery dates quoted or acknowledged. Failure to deliver by the specified date will not be sufficient cause for cancellation nor will Heartstream be liable for any penalty, loss, or expense due to delay in delivery. If the Customer causes the delay, any reasonable expenses incurred by Heartstream will be for the account of the Customer. If the delay is more than fourteen (14) days, the Customer shall pay the purchase price for the Products immediately to Heartstream.

7. Installation

7.1. If Heartstream has undertaken installation of the Products, the Customer shall be responsible for the following at its sole expense and risk:

7.1.1. The provision of adequate and lockable storage for the Products on or near the installation site. The Customer will repair or replace any lost or damaged item during the storage period.
7.1.2. Heartstream or its (affiliate’s) representative shall have access to the installation site without obstacle or hindrance in due time to start the installation work at the scheduled date.
7.1.3. The timely execution and completion of the preparatory works, in conformity with Heartstream’s installation requirements. The Customer shall ensure that the prepared site shall comply with all safety, electrical and building codes relevant to the Products and installation thereof.
7.1.4. The proper removal and disposal of any hazardous material at the installation site prior to installation by Heartstream.
7.1.5. The timely provision of all visa, entry, exit, residence, work or any other permits and licenses necessary for Heartstream’s or Heartstream’s representatives’ personnel and for the import and export of tools, equipment, Products and materials necessary for the installation works and subsequent testing.
7.1.6. The assistance to Heartstream or Heartstream’s representative for moving the Products from the entrance of the Customer’s premises to the installation site. The Customer shall be responsible, at its expense, for rigging, the removal of partitions or other obstacles, and restoration work.

7.2. If Products are connected to a computer network, the Customer shall be responsible for network security, including but not limited to, using secure administrative passwords, installing the latest security updates of operating software and web browsers, running a Customer firewall and maintaining up-to-date drivers, anti-virus and anti-spyware software.
7.3. If any of the above conditions are not complied with, Heartstream or Heartstream’s representative may interrupt the installation and subsequent testing for reasons not attributable to Heartstream, and the parties shall extend the period for completing the installation. Any additional costs shall be for the Customer’s account and Heartstream shall have no liability for any damage resulting from or in connection with the delayed installation.
7.4. Heartstream shall have no liability for the fitness or adequacy of the premises or the utilities available at the premises for installation or storage of the Products.

8. Acceptance

8.1. Heartstream shall notify the Customer of the completion of the installation to enable the Customer to participate in the tests and confirm, by signing a certificate, the acceptance of the Products and compliance with the agreed specifications.
8.2. In case of absence of the Customer, Heartstream shall start the tests according to Heartstream’s standard testing procedures and on completion, the test certificate shall indicate acceptance.
8.3. In case of rejection of the Products, the Customer shall submit the reasons to Heartstream in a detailed written form within ten (10) days from the completion of the acceptance tests, and Heartstream shall correct such failures by repeating the relevant steps of the acceptance test within a reasonable time.
8.4. If, within ten (10) days from the completion of the acceptance test, Heartstream has not received the signed certificate of acceptance or a rejection report with the justified reasons, the Product shall be considered accepted by the Customer.
8.5. In case the Customer starts making clinical use of the Products, this shall be considered a deemed acceptance by the Customer.
8.6. Minor defects or deviations that do not affect the operational use of the installed Products shall be stated on the certificate of acceptance but shall not prevent acceptance. Heartstream shall be obligated to remedy such defects within a reasonable time.

9. Complaints and returns

The Customer shall notify Heartstream in writing, substantiating its complaints within ten (10) days from its receipt of the Products. If Heartstream accepts the claim as valid, Heartstream shall issue a return authorization notice, and the Customer shall return the Products. Each returned Product shall be packed in its original packaging.

10. Product warranty

10.1. In the absence of any specific Product warranty in the quotation, the following warranty provisions will apply to the Product.
10.2. Hardware Products. Heartstream warrants to Customer that the Product shall materially comply with its product specification on the quotation and the user documentation accompanying the shipment of such Product for a period of one year from the date of acceptance or first clinical use, whichever occurs first, but under any circumstances, no more than fifteen (15) months from the date of shipment, provided the Product has been subject to proper use and maintenance. Any disposable Product intended for single use supplied by Heartstream to the Customer will be of good quality until the expiration date applicable to such Product.
10.3. Service. Heartstream warrants that all services will be carried out with reasonable care and skill. Heartstream’s sole liability for breach of this warranty shall be at its option to give credit for or re-perform the services in question. This warranty shall only extend for a period of ninety (90) days after the completion of the services.
10.4. Customer shall only be entitled to make a Product warranty claim if Heartstream receives written notice of the defect during the warranty period within ten (10) days from the Customer discovering the defect, and, if required, the Product or the defective parts shall be returned to an address stated by Heartstream. Such defective parts shall be the property of Heartstream after their replacement.
10.5. Heartstream’s warranty obligations for the Product shall be limited at Heartstream’s option to the repair or replacement of the Product or any part thereof, in which case the spare parts shall be new or equivalent to new in performance, or to the refund of a pro rata portion of the purchase price paid by the Customer.
10.6. Heartstream’s warranty obligations shall not apply to any defects resulting from:

10.6.1. improper or unsuitable maintenance, configuration or calibration by the Customer or its agents;
10.6.2. use, operation, modification, or maintenance of the Product not in accordance with the Product specification and the applicable written instructions of Heartstream or performed prior to the completion of Heartstream’s validation process;
10.6.3. abuse, negligence, accident, damages (including damage in transit) caused by the Customer;
10.6.4. improper site preparation, including corrosion to Product caused by Customer;
10.6.5. any damage to the Product or any medical data or other data stored, caused by an external source (including viruses or similar software interference) resulting from the connection of the Product to a Customer network, Customer client devices, a third-party product or use of removable devices.

10.7. Heartstream is not responsible for the warranty for the third-party product provided by Heartstream to the Customer. However, if Heartstream, under its license agreement or purchase agreement with such third party, has right to warranties and service solutions, Heartstream shall make reasonable efforts to extend to the Customer the third-party warranty and service solutions for such Products.
10.8. The warranties set forth in this Conditions of Sale and quotation are the sole warranties made by Heartstream in connection with the Product, are expressly in lieu of any other warranties, whether written, oral, statutory, express or implied, including any warranty of non-infringement, quiet enjoyment, merchantability or fitness for a particular purpose. Heartstream expressly disclaims the implied warranties of merchantability and fitness for a particulr purpose. Moreover, Heartstream does not warrant any Product using the cloud to be uninterrupted or error free.

11. Limitation of Liability

11.1. The total liability of Heartstream arising under or in connection with the Product for any breach of contractual obligations, warranty, negligence, unlawful act, or otherwise in connection with the Product is limited to the actual purchase price received for the Product that gave rise to the claim.
11.2. Heartstream shall not be liable for any indirect, punitive, incidental, exemplary, special or consequential damages and/or for any damages including, loss of data, profits, revenue, business interruption or use in connection with or arising out of these Conditions of Sale, regardless of whether they are foreseeable or not and whether the claim is made in tort (including negligence), breach of contract, at law or in equity. Neither Heartstream nor its suppliers shall be liable for any loss or inability to use medical or other data stored on or by the Product.
11.3. The exclusion of liability in these Conditions of Sale shall only apply to the extent allowed under the applicable law.

12. Infringement of Intellectual Property Rights to the Products

12.1. Customer shall promptly give Heartstream written notice of any third-party claim alleging that the Product or the use thereof constitutes infringement of third-party intellectual property rights.
12.2. Heartstream shall have the exclusive authority to defend and settle such claim. Customer shall not make any admission or conclude any settlement in relation to such claim without Heartstream’s prior written consent. Customer shall provide Heartstream with all information and assistance required to defend such claim.
12.3. Subject to Customer’s compliance with clauses 12.1 and 12.2, and subject to clause 12.4, Heartstream will, at its option and expense, either: (i) procure for Customer the right to continue using the Product; (ii) replace the Product with an equivalent non-infringing product; (iii) modify the Product such that it becomes non-infringing; (iv) repurchase the Products held in stock by Customer for the purchase price less reasonable depreciation; or (v) defend or settle such claim brought against Customer.
12.4. Heartstream shall have no liability or obligation under this clause 12 if the claim of infringement concerns a Product:

i. designed and manufactured in accordance with Customer’s specifications or instructions;
ii. modified by Customer or its end user or used not in accordance with its intended purpose;
iii. not updated by Customer in accordance with Heartstream’s instructions (e.g. software updates);
iv. combined by Customer or its end user with devices, software, methods, systems, or processes not supplied by Heartstream, where the third-party claim is based on such combination; or
v. in respect of which the alleged infringement occurs in a country other than the Territory.

12.5. In no event shall Heartstream be liable for any indirect or consequential losses or damages, suffered or incurred by Customer or any of its affiliates or its/their customers in connection with the infringement of any third party IPR.
12.6. Clauses 12.1 up to an including to 12.5 represent Heartstream’s sole and entire liability and Customer’s exclusive remedy in respect of third-party intellectual property claims.
12.7. If Heartstream receives a notice either from Customer or from a third party claiming that the Product or the use thereof infringes any third-party intellectual property rights, Heartstream may, to limit or avoid liability, suspend or discontinue supplies of the Products to Customer and shall not be liable to Customer by virtue of such suspension or discontinuation.

13. Use and exclusivity of Product documents

All documents and manuals including technical information related to the Products and its maintenance as delivered by Heartstream is the proprietary information of Heartstream, covered by Heartstream’s copyright, and remains the property of Heartstream, and as such, it shall not be copied, reproduced, transmitted or disclosed to or used by third parties without the prior written consent of Heartstream.

14. Export Control and Product Resale

14.1. The supply, export, or transfer of Products or the provision of installation, maintenance, technical assistance, training, investment, financing or brokering services related thereto may be subject to export control laws and sanction regulations, including but not limited to those of the UN, the EU, the UK and the USA, which prohibit or restrict export or diversion of certain products, technology, and services to certain countries (the “Export Regulations”). If the delivery of Products or services to designated destinations or persons is subject to the granting of an export or import license by a government or otherwise restricted or prohibited due to Export Regulations, Heartstream may suspend its obligations to Customer until such license is granted or for the duration of the restriction or prohibition.
14.2. No export license. If no license can be obtained, or if the restriction of prohibition continues, Heartstream may decide, in its discretion, to terminate the relevant order without incurring any liability towards Customer. Customer shall comply in all respects with the Export Regulations and with any export license applicable for the supply of Products, Software, Technology or the provision of services.
14.3. Excluded territories. Customer shall not sell, export, re-export or transfer, directly or indirectly, any and all Products for the use in Russia, Belarus, Cuba, Iran, North Korea, Sudan, Syria, Crimea, Donetsk and Luhansk regions of Ukraine.
14.4. Re-export. Customer shall impose all applicable export control and sanction restrictions to any third party if the Products are transferred or re-exported to third parties. Customer shall take all actions that may be reasonably necessary to ensure that no purchaser violates the Export Regulations. Customer shall indemnify Heartstream against any and all direct, indirect and punitive damages, loss, costs (including attorney’s fees and costs) and other liability resulting from breach or non-compliance with this Section. Customer agrees that re-export of certain products, technology, and services or to certain countries, limited or restricted by the Export Regulations, is prohibited, and must not be executed without first obtaining approval from relevant government authorities. Customer shall inform Heartstream in writing of any resale or (re-) export of the Products to comply with export control and sanction regulations and any other regulatory responsibilities governing the sale of the Products, including but not limited to, requirements on traceability of medical devices, that may apply to Heartstream.
14.5. The parties agree that failure to comply with Section 14.1, 14.2, or 14.3 is a sufficient reason for immediate suspension of the performance of any obligation under these Conditions of Sale and/or termination of order by Heartstream without any prior notification. In the event of such suspension or termination, (i) Heartstream shall be under no obligation to supply any Products to Customer nor under any further obligation resulting from these Conditions of Sale, (ii) Customer shall hold harmless and indemnify Heartstream of and for any damages, claims, penalties or other losses (including attorneys’ fees) that may be asserted against or incurred by Heartstream as a result of Customer’s breach of this Section; and (iii) Heartstream shall be entitled to any other remedies available at law or in equity. The provisions of this Section shall survive any termination or expiry of these Conditions of Sale.

15. License Software Terms

15.1. Subject to any usage limitations set forth on the quotation, Heartstream grants to Customer a non-exclusive, non-transferable license, without the right to grant sub-licenses, to incorporate and use the Licensed Software (as specified on the quotation, whether embedded or stand-alone) in Licensed Products and the permitted use (as referenced in the quotation) in accordance with these Conditions of Sale.
15.2. The Licensed Software is licensed and not sold. All intellectual property rights in the Licensed Software shall remain with Heartstream.
15.3. Customer may make one copy of the Licensed Software in machine-readable form solely for backup purposes. Heartstream may charge for backup copies created by Heartstream. Customer may not reproduce, sell, assign, transfer or sublicense the Licensed Software. Customer shall preserve the confidential nature of the Licensed Software and shall not disclose or transfer any portion of the Licensed Software to any third party.
15.4. Customer shall maintain Heartstream’s copyright notice or other proprietary legends on any copies of the Licensed Software. Customer shall not (and shall not allow any third party to) decompile, disassemble, or reverse engineer the Licensed Software.
15.5. The Licensed Software may only be used in relation to Licensed Products or systems certified by Heartstream. If Customer modifies the Licensed Software in any manner, all warranties associated with the Licensed Software and the Products shall become null and void. Customer installation of Heartstream’s issued patches or updates shall not be deemed to be a modification.
15.6. Heartstream and its affiliates shall be free to use any feedback or suggestions for modification or enhancement of the Licensed Software provided by Customer, for the purpose of modifying or enhancing the Licensed Software as well as for licensing such enhancements to third parties.
15.7. With respect to any third-party licensed software, the Customer will comply with the terms applicable to such licensed software. Customer shall indemnify Heartstream for any damage arising from its failure to comply with such terms. If the third-party licensor terminates the third-party license, Heartstream may terminate the third party license with the Customer and make reasonable effort to procure a solution.

16. Confidentiality

If any of the parties have access to confidential information of the other party, it shall keep this information confidential. Such information shall only be used if and to the extent that it is necessary to carry out the concerned transactions. This obligation does not extend to public domain information and/or information that is disclosed by operation of law or court order.

17. Compliance with Laws

Each party shall comply with all laws, rules, and regulations applicable to the party in connection with these Conditions of Sale, including, but not limited to, privacy, health and safety, anti-bribery, and corruption laws.

18. Force majeure

18.1. Each party shall not be liable in respect of the non-performance of any of its obligations to the extent such performance is prevented by any circumstances beyond its reasonable control, including, but not limited to, acts of God, war, civil war, insurrection, fire, flood, labor disputes, epidemics, pandemic, cyber-attack, act of terrorism, governmental regulations and/or similar acts, embargoes, export control sanctions or restrictions, Heartstream’s unavailability regarding any required permits, licenses and/or authorizations, default or force majeure of suppliers or subcontractors.
18.2. If force majeure prevents Heartstream from fulfilling any order from the Customer or otherwise performing any obligation arising out of the sale, Heartstream shall not be liable to the Customer for any compensation, reimbursement, or damages.

19. Miscellaneous

19.1. Any newly manufactured Product provided may contain selected remanufactured parts equivalent to new in terms of performance.
19.2. If the Customer becomes insolvent, unable to pay its debts as they fall due, files for bankruptcy or is subject to it, has appointed a recipient, is subject to a late fee on payments (temporary or permanent), or has its assets assigned or frozen, Heartstream may cancel any unfulfilled obligations or suspend its performance; provided that, however, the Customer’s financial obligations to Heartstream shall remain in full force and effect.
19.3. If any provision of these Conditions of Sale is found to be unlawful, unenforceable, or invalid, in whole or in part, the validity and enforceability of the remaining provisions shall remain in full force and effect. In lieu of any provision deemed to be unlawful, unenforceable or invalid, in whole or in part, a provision reflecting the original intent of these Conditions of Sale, to the extent permitted by the applicable law, shall be deemed to be a substitute for that provision.
19.4. Notices or other communications shall be given in writing and shall be deemed effective if they are delivered in person or if they are sent by courier or mail to the relevant party.
19.5. The failure by the Customer or Heartstream at any time to require compliance with any obligation shall not affect the right to require its enforcement at any time thereafter.
19.6. Heartstream may assign or novate its rights and obligations in whole or in part, to any of its affiliates or may assign any of its accounts receivable to any party without Customer’s consent. Customer agrees to execute any documents that may be necessary to complete Heartstream’s assignment or novation. The Customer shall not, without the prior written consent of Heartstream, transfer or assign any of its rights or obligations.
19.7. The Customer’s obligations do not depend on any other obligations it may have under any other agreement or arrangement with Heartstream. The Customer shall not exercise any offset right in the quotation or sale in relation to any other agreement or arrangement with Heartstream.
19.8. These Conditions of Sale shall be governed by the laws of the country or state wherein the Heartstream legal entity identified in the quotation is situated, and the parties submit to the exclusive jurisdiction of the courts of that country or state, provided that Heartstream will be entitled to start legal proceedings against the Customer in any other court of competent jurisdiction. The United Nations Convention on Contracts for the International Sale of Goods is expressly excluded.

20. Product specific terms

Product specific schedules are incorporated herein as they apply to the Products listed in the quotation and their additional terms shall apply solely to the Products specified therein. If any terms set forth in the Product specific schedules conflict with terms set forth in these Conditions of Sale, the terms set forth in the Product specific schedule shall take precedence.

21. Privacy and data protection

21.1. Where Heartstream independently processes personal data originating from the Customer (such as personal data relating to Customer’s personnel or other natural persons processed to manage the commercial relationship with the Customer and/or to comply with applicable laws), Heartstream will process such personal data in accordance with the Heartstream Privacy Notice (a copy of which will be provided upon request).
21.2. Customer acknowledges and agrees that Heartstream will process information related to the safety and performance of the Products such as log files or device parameters in order to provide the Products and related services and, where strictly necessary, to enable its compliance with and performance of its task as manufacturer of (medical) devices under the applicable regulations and standards (including but not limited to the performance of vigilance, post market surveillance and clinical evaluation related activities).
21.3. Where Heartstream – for the provision of the Products – processes personal data on behalf and under the instructions of the Customer (such as personal data relating to Customer’s patients or other natural persons) the data processing addendum (DPA) incorporated in Annex 1 of these Conditions of Sale applies.

ANNEX 1 TO THE CONDITIONS OF SALE
Data Processing Addendum

1. This data processing addendum (“DPA”) is agreed between Heartstream and the Customer. This DPA forms part of the Conditions of Sale between Heartstream and the Customer for the provision of the Products. Customer enters into the DPA on behalf of itself and, to the extent required under Applicable Data Protection Law, in the name and on behalf of its Affiliates.

2. This DPA applies when Customer Data is Processed by Heartstream for the provision of the Products and related services. Parties acknowledge and agree that with regards to the Processing of Customer Data, Heartstream will act as Processor for the Customer, who acts as Controller (or Processor). If Customer is a Processor, Customer warrants that its instructions and actions with respect to the Customer Data have been authorized by the Original Controller.

3. The subject-matter of the Processing of Customer Data is the provision of the Products, as described in the Conditions of Sales. The nature of the Processing of Customer Data includes: hosting of Personal Data (e.g. cloud offerings); and/or administration, management, installation, configuration, migration, maintenance and support or any other Products and related services requiring processing (e.g. remote access to) of Customer Data stored in the cloud or on Customer’s IT systems (e.g. service offerings).

4. The purpose of the data processing under this DPA is the provision of the Products initiated by Customer or the Original Controller from time to time.

5. The categories of Individuals whose Personal Data will be subject to Processing include any individuals whose Personal Data is provided by Customer or its Original Controllers to Heartstream via the Products or for the provision of the Products, such as patients or Customer’s personnel, suppliers, business partners, and end-users.

6. The categories of Customer Data Processed/transferred may include any Personal Data provided to Heartstream for the provision of the Products such as: contact and user information, such as name and email address; system log-files containing Personal Data; health-related data; other application specific Personal Data which users enter into the Products.

7. As between Heartstream and Customer, the duration of the data processing under this DPA is determined by the Customer. Subject to the termination clause of this DPA, Heartstream will Process Customer Data for the duration of the Conditions of Sale, unless otherwise agreed upon in writing. Further information on the processing of Customer Data may be provided to Customer, upon request.

8. Customer shall Process Customer Data in compliance with Applicable Data Protection Law, including when acquiring Customer Data and when instructing Heartstream to Process Customer Data.

9. Heartstream will Process Customer Data only: (i) on behalf and for the benefit of Customer; (ii) in accordance with the instructions of the Customer as documented in this DPA; (iii) for the provision of the Products; and (iv) to the extent required by the Applicable Data Protection Law that Heartstream is subject to. The parties agree that this DPA and the Conditions of Sales (including Customer providing instructions via the relevant tools used to operate the Products) constitute Customer’s documented instructions regarding Heartstream’s processing of Customer Data. Any additional or alternative instructions on the Processing of Customer Data must be agreed in writing between the Parties. Taking into account the nature of the processing, Customer agrees that it is unlikely that Heartstream can form an opinion on whether Customer’s documented instructions regarding Heartstream’s processing of Customer Data infringe Applicable Data Protection Law. If Heartstream forms such an opinion, it will immediately inform Customer, in which case, Customer is entitled to withdraw or modify its instructions.

10. Heartstream will ensure that its employees and any other person authorized to Process Customer Data: (i) are informed of the confidential nature of the Customer Data; (ii) will have access to Customer Data only to the extent necessary to provide the Products; and (iii) have committed themselves to relevant contractual obligations regarding confidentiality, data protection and security.

11. Heartstream shall maintain appropriate technical and organizational measures to safeguard security (including protection against unauthorized or unlawful Processing and Personal Data Breaches), confidentiality and integrity of Customer Data, as set forth in the relevant security documentation provided by Heartstream in relation to the Products or as otherwise agreed between the Parties.

12. Heartstream shall notify Customer, without undue delay, after becoming aware of a Personal Data Breach. Such notification may be delivered to one or more of Customer’s representatives by any means Heartstream selects, including via email. Where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay. In any case, Heartstream shall (i) reasonably assist the Customer in ensuring compliance with its Personal Data Breach obligations pursuant to Applicable Data Protection Law, and (ii) initiate respective and reasonable remedy measures. Customer agrees that unsuccessful security incidents that results in no destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Data or to any of Heartstream’s equipment or facilities storing Customer Data, will not be subject to this Personal data breach clause.

13. Taking into account the nature of the processing and the information available to Heartstream, Heartstream shall take reasonable steps to assist Customer with appropriate technical and organizational measures, insofar as reasonably possible, in the fulfilment of Customer’s obligation to respond to requests from an Individual to exercise the privacy and data protection rights as set forth by the Applicable data Protection Law.

14. Heartstream shall make available to Customer all information necessary to demonstrate compliance with its obligations under Applicable Data Protection Law. Provided that an audit right is required by Applicable Data Protection Law, Customer shall have the right to audit, by appropriate means and in accordance with this clause, Heartstream’s compliance with the data protection obligations included in this DPA, unless additional audits are necessary under Applicable Data Protection Law. Such audits shall be limited to Customer Data and data processing systems that are relevant for the provision of the Products provided to Customer. Heartstream may provide to Customer a certification or report issued by a qualified independent third-party assessor that Heartstream’s business processes and procedures involving the Processing of Customer Data comply with this DPA. Customer agrees that these certification or reports shall first be used to address Customer’s audit rights under these DPA. If required under Applicable Data Protection Law, and at Customer’s costs, Heartstream will allow for additional audits, including onsite audits at Heartstream facilities used for the processing of Customer Data, by Customer or an independent, accredited third party audit firm provided they have executed a written confidentiality agreement acceptable to Heartstream. Audits shall be conducted no more than once per year, during regular business hours and with minimal disruption to Heartstream’s business and shall be subject to six weeks’ prior notice to Heartstream.

15. Customer hereby grants to Heartstream a specific authorization for those entities listed on its privacy notice as sub-processors (“Sub-Processors”) to Process Customer Data. In addition, Customer grants Heartstream a general authorization to engage other Sub-processors. This authorization constitutes Customer’s prior written consent to the outsourcing of the Processing of Customer Data by Heartstream subject to such outsourcing meeting the requirements in the below clause “Objection to Sub-processors”. Heartstream may remove or add new Sub-processors at any time as long as the requirements in the clause “Objection to Sub-processors” are met.

16. If required under Applicable Data Protection Law, Heartstream shall inform Customer of any changes to the Sub-Processors listed on the URL specified in the above clause (“Consent to Sub-Processors’ engagement”). Customer may object to Heartstream’s use of a new Sub-Processor in case of reasonable and substantiated concerns regarding the protection of Customer Data, by notifying Heartstream in writing within ten (10) business days after Heartstream’s notification to Customer. If Customer does not inform Heartstream of any objections within the stipulated period, the new Sub-Processor will be deemed accepted by Customer. If Customer objects to a new Sub-Processor, Heartstream will undertake reasonable efforts to find a mutually acceptable solution and if not found within sixty (60) days, Customer may terminate the Conditions of Sales for those Products that cannot be provided without the use of the objected-to new Sub-Processor. This termination right is Customer’s sole and exclusive remedy if Customer objects to any Sub-Processor. If Customer does not terminate the affected Products, this shall be taken as an approval of the Sub-Processor by Customer.

17. When Heartstream engages a new Sub-Processor, Heartstream: (a) shall enter into a written agreement with each Sub-Processor containing data protection obligations not less protective than those in this DPA; and (b) subject to the terms set forth in the Conditions of Sales, shall be liable for the acts and omissions of its Sub-Processors regarding the Processing of Customer Data to the same extent Heartstream would be liable when performing the services of each Sub-Processor itself under the terms of this DPA.

18. Without prejudice to any applicable data restrictions specified in the Conditions of Sales and in the DPA, Customer instructs Heartstream to process Customer Data in any country in which Heartstream or its Sub-Processors maintain facilities, as necessary to provide the Products and related services.

19. Heartstream will not disclose Customer Data to any third party except where such disclosure is necessary to: (i) provide the Products; (ii) comply with the law; or (iii) comply with a valid and binding order of a governmental body or court (such as a subpoena or court order). If Heartstream receives an order from a governmental for disclosure of Customer Data, Heartstream will use every reasonable effort to redirect the governmental body to request data directly from the Customer. If compelled to disclose Customer Data to a governmental body, Heartstream will notify the Customer, unless prohibited under appliable law, and, if prohibited from notifying the Customer, Heartstream will use all reasonable lawful efforts to challenge the order for disclosure on the basis of any legal deficiencies under any appliable laws.

20. The DPA shall have the same term as the Conditions of Sales. Unless differently agreed in writing by the Parties and unless Heartstream is required by applicable law to retain certain data, upon termination of the provision of the relevant Products and related services, Customer instructs Heartstream to delete or anonymize Customer Data.

21. Additional country terms

EEA, Switzerland
If, for the provision of the Products, Customer Data originating from a Customer (or Original Controller) located within the European Economic Area or Switzerland are transferred or made available by Heartstream or directly by the Customer to a Heartstream’s Sub-Processor located outside the EEA or outside a country recognized by the European Commission as providing an adequate level of data protection, such transfers shall be subject to the transfer mechanisms listed below (which can be directly enforced by the Parties):
• the Heartstream Processor Binding Corporate Rules (also known as “Heartstream Privacy Rules – Processor”), a copy which will be provided upon request, and which is incorporated herein by reference);
• the EU Standard Contractual Clauses. In particular, when Customer is acting as a Controller the Controller-to-Processor module of the EU Standard Contractual Clauses will apply; when Customer is acting as a Processor, the Processor-to-Sub-Processor module of the EU Standard Contractual Clauses will apply. In any case, Heartstream shall be responsible – and Customer hereby gives a mandate to Heartstream – to conclude the EU Standard Contractual Clauses covering the relevant Processing activities with its Sub-processors.

If, for the provision of the Products, Customer Data originating from a Customer (or Original Controller) located in Switzerland and the EU Standard Contractual Clauses are used, any reference in the EU Standard Contractual Clauses to the EU General Data Protection Regulation (EU) 2016/679 shall be understood as reference to Applicable Data Protection Law in Switzerland and references to the “competent supervisory authority” shall be interpreted as references to the competent data protection authority in Switzerland. The Parties further agree that the Standard Contractual Clauses shall be governed by the laws of Switzerland.

United Kingdom
If, for the provision of the Products, Customer Data originating from a Customer (or Original Controller) located in the United Kingdom are transferred or made available by Heartstream or directly by the Customer to a Heartstream’s Sub-Processor located outside the UK, the EEA or outside a country recognized by the UK as providing an adequate level of data protection, such transfers shall be subject to the respective provisions of the UK Standard Contractual Clauses, which can be directly enforced by the Parties. Heartstream shall be responsible – and Customer hereby gives a mandate to Heartstream – to conclude the UK Standard Contractual Clauses covering the relevant Processing activities with its Sub-processors.
The above provision is valid, unless an alternative appropriate safeguard (such as the UK Binding Corporate Rules Processor) applies.

10. Definitions

For the purposes of the DPA, the following terms are defined:
Affiliate: means (in relation to either Party) any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control,” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
Applicable Data Protection Law: means all applicable law pertaining to the Processing of Personal Data hereunder.
Customer Data: means Personal Data provided to Heartstream by the Customer or any Original Controller and Processed by Heartstream on behalf and under the instruction of Customer for the provision of the Products.
Controller: means the legal entity or natural person which alone or jointly with others determines the purposes and means of Processing of Personal Data.
Customer: means the customer’s entity that executed the Conditions of Sales together with its Affiliates (for so long as they remain Affiliates) which have signed order forms.
Individual: means any natural person whose Personal Data are Processed by Heartstream on behalf and under the instructions of Customer.
Original Controller: means any third party (such as an Affiliate of the Customer) acting as Controller which is entitled to use or receive Products under the terms of the Conditions of Sales.
Personal Data: means any information relating to an identified or identifiable Individual.
Personal Data Breach: means a breach of Heartstream’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to use, Processing of, or access to Customer Data.
Processing: means any operation or set of operations performed on Personal Data, whether or not by automated means, including but not limited to, collecting, viewing, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. “Process” and “Processed” are to be construed accordingly.
Products: means the relevant Heartstream Products and related services (as identified in the Product specific schedules) purchased by the Customer under the Conditions of sale and provided by Heartstream acting in its role as Processor.
Processor: means the legal entity or natural person which Processes Personal Data on behalf and under the instructions of a Controller.
Sub-Processor: means any further Processor engaged by Heartstream to Process Customer Data.

© 2025 Heartstream Holding Company LLC. All rights reserved.

Hearstream and other trademarks are the property of Heartstream Holding Company LLC or their respective owners.