PART 1: BUSINESS ASSOCIATE AGREEMENT (BAA)

(Applicable to U.S. healthcare customers that qualify as a “Covered Entity” or engage Leopoly Next Inc. as a Business Associate under HIPAA)

This Business Associate Agreement (“BAA”) is entered into by and between [Subscriber / Clinic Name] (“Covered Entity”) and Leopoly Next Inc., a Delaware corporation (“Business Associate”), and is effective as of the date the Covered Entity accepts the LeoShape Terms of Service.

BACKGROUND

The Covered Entity receives services from the Business Associate (via LeoShape, OMS, and LeoCapture software) that involve the Business Associate creating, receiving, maintaining, or transmitting Protected Health Information (PHI) on behalf of the Covered Entity, including 3D body part scans, orthotic/prosthetic order details, and patient notes. This BAA ensures such processing complies with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the HITECH Act.

1. DEFINITIONS

Terms used, but not otherwise defined, in this BAA shall have the same meaning as those terms in the HIPAA Rules (45 CFR Parts 160 and 164).

  • “PHI” shall mean Protected Health Information, as defined in 45 CFR § 160.103, limited to the information created, received, maintained, or transmitted by Business Associate on behalf of Covered Entity.

2. OBLIGATIONS AND ACTIVITIES OF BUSINESS ASSOCIATE

Business Associate agrees to:

(a) Non-Use and Non-Disclosure: Not use or disclose PHI other than as permitted or required by the Agreement or as required by law.
(b) Safeguards: Use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to electronic PHI, to prevent use or disclosure of PHI other than as provided for by the Agreement.
(c) Reporting: Report to Covered Entity any use or disclosure of PHI not provided for by the Agreement of which it becomes aware, including breaches of unsecured PHI as required at 45 CFR § 164.410, and any security incident of which it becomes aware, without unreasonable delay and, in the case of a breach of unsecured PHI, in no event later than sixty (60) days after discovery, unless applicable law requires a shorter period.
(d) Subcontractors: In accordance with 45 CFR § 164.502(e)(1)(ii) and § 164.308(b)(2), ensure that any subcontractors that create, receive, maintain, or transmit PHI on behalf of the Business Associate agree to the same restrictions, conditions, and requirements that apply to the Business Associate.
(e) Access to PHI: Make available PHI in a designated record set to the Covered Entity as necessary to satisfy Covered Entity’s obligations under 45 CFR § 164.524. The Parties acknowledge that, because Leopoly is a SaaS platform, the Covered Entity generally maintains direct access to PHI in the OMS and can itself fulfill most individual access requests, with technical support from the Business Associate as reasonably needed.
(f) Amendment of PHI: Make any amendment(s) to PHI in a designated record set as directed by the Covered Entity pursuant to 45 CFR § 164.526.
(g) Accounting of Disclosures: Maintain and make available the information required to provide an accounting of disclosures to the Covered Entity as necessary to satisfy Covered Entity’s obligations under 45 CFR § 164.528.
(h) HHS Audits: Make its internal practices, books, and records available to the Secretary of the U.S. Department of Health and Human Services (HHS) for purposes of determining compliance with the HIPAA Rules.

3. PERMITTED USES AND DISCLOSURES BY BUSINESS ASSOCIATE

(a) Provision of Services: Business Associate may use or disclose PHI to perform functions, activities, or services for, or on behalf of, Covered Entity as specified in the Terms of Service (e.g., storing 3D anatomical scans, processing CAD data for orthotics/prosthetics, managing order workflows).
(b) Management and Administration: Business Associate may use PHI for its proper management and administration or to carry out its legal responsibilities.
(c) Data Aggregation: Business Associate may use PHI to provide data aggregation services relating to the health care operations of the Covered Entity.
(d) De-identification: Business Associate may use PHI to create de-identified data in accordance with 45 CFR § 164.514(a)-(c). Once de-identified, the data is no longer PHI and not subject to this BAA. Business Associate may use and disclose such de‑identified data for any lawful purpose, including analytics, research, and improvement of its services, provided that the data remains de‑identified in accordance with 45 CFR § 164.514 and cannot reasonably be used to identify an individual.

4. OBLIGATIONS OF COVERED ENTITY

(a) Covered Entity shall notify Business Associate of any limitation(s) in its notice of privacy practices, changes in patient consent, or patient restrictions on PHI use, to the extent that such changes affect Business Associate’s permitted uses.
(b) Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under Subpart E of 45 CFR Part 164 if done by Covered Entity.
(c) Covered Entity shall promptly notify Business Associate of any privacy or security incident, breach of unsecured PHI, or other event related to PHI maintained in the Services that may require the assistance of Business Associate to investigate, mitigate, or fulfill any legal notification obligations.

5. TERM AND TERMINATION

(a) Term: The Term of this BAA shall be effective as of the Effective Date and shall terminate when all of the PHI provided by Covered Entity to Business Associate is destroyed or returned to Covered Entity.
(b) Termination for Cause: Upon Covered Entity’s knowledge of a material breach by Business Associate, Covered Entity shall provide an opportunity for Business Associate to cure the breach within thirty (30) days. If cure is not possible or achieved, Covered Entity may terminate this BAA and the underlying Terms of Service.
(c) Obligations upon Termination: Upon termination of this Agreement for any reason, Business Associate shall at Covered Entity’s option and subject to Applicable Law, return to Covered Entity or securely destroy all PHI received from Covered Entity that Business Associate still maintains in its active systems. Business Associate may retain copies of PHI solely to the extent required by law or for backup and archival purposes, provided that any such retained PHI remains subject to the protections of this BAA for as long as it is maintained.

IN WITNESS WHEREOF, this BAA is deemed executed and effective as of the date on which the Subscriber, acting as Covered Entity, accepts the LeoShape SaaS Terms of Service (including this BAA) by electronic means, click‑through, or other online acceptance mechanism.

PART 2: DATA PROCESSING AGREEMENT (DPA)

(For customers subject to the GDPR and, where applicable, similar data protection laws such as the UK GDPR.)

This Data Processing Agreement (“DPA”) forms part of the LeoShape Terms of Service between [Subscriber / Clinic Name] (the “Data Controller”) and Leopoly Ltd. (the “Data Processor”).

1. DEFINITIONS

  • “Data Protection Laws” means the EU General Data Protection Regulation 2016/679 (“GDPR”) and any applicable national implementing legislation, as well as any other data protection laws applicable to the Controller’s use of the Services.
  • “Personal Data”, “Data Subject”, “Processing” shall have the meanings given to them in the GDPR.

2. ROLE OF THE PARTIES

The Parties acknowledge and agree that with regard to the Processing of Personal Data (including, for example, patient scans, orthotic geometries, medical notes and user account data), the Subscriber is the Data Controller, and Leopoly is the Data Processor acting on behalf of the Controller.

3. PROCESSOR’S OBLIGATIONS

3.1 Documented Instructions: The Processor shall process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country, unless required to do so by Union or Member State law.
3.2 Confidentiality: The Processor shall ensure that persons authorized to process the Personal Data (e.g., Leopoly employees and developers) have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
3.3 Security: The Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as required pursuant to Article 32 of the GDPR (including encryption of 3D scans and patient data at rest and in transit). The Parties acknowledge that the Controller also has obligations under Article 32 GDPR and is responsible for implementing appropriate measures within its own systems and environment.

4. SUB-PROCESSING

4.1 General Authorization: The Controller provides a general authorization for the Processor to engage sub-processors (such as Amazon Web Services for cloud hosting).
4.2 Notification of Changes: The Processor shall inform the Controller of any intended changes concerning the addition or replacement of sub-processors, thereby giving the Controller a reasonable period of time (no less than 10 days from notice) to object to such changes.
4.3 Sub-processor Obligations: The Processor shall impose the same data protection obligations as set out in this DPA on any sub-processor.

5. DATA SUBJECT RIGHTS

Taking into account the nature of the processing, the Processor shall assist the Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Controller’s obligation to respond to requests for exercising the Data Subject’s rights laid down in Chapter III of the GDPR (e.g., right to deletion, right to access). The Processor shall promptly (within 10 business days) notify the Controller if it receives a request directly from a Data Subject.

6. DATA BREACH NOTIFICATION

The Processor shall notify the Controller without undue delay (and in any event within 72 hours) after becoming aware of a Personal Data Breach affecting the Controller’s data. The Processor shall provide reasonable assistance to the Controller in investigating and mitigating the breach.

7. RETURN OR DELETION OF DATA

Upon termination of the provision of services (Terms of Service), the Processor shall, at the choice of the Controller, delete or return all the Personal Data to the Controller and delete existing copies from its active systems, unless applicable EU or Member State law requires storage of the Personal Data. The Processor may retain Personal Data in backup or archival systems to the minimum extent and for the minimum period required for legal, regulatory, or legitimate business continuity purposes, provided that such data remains subject to the confidentiality and security obligations of this DPA and is no longer actively processed.

8. INTERNATIONAL TRANSFERS

Any transfer of Personal Data outside the European Economic Area (EEA) to countries which do not ensure an adequate level of data protection shall be carried out only on the basis of the Controller’s documented instructions and shall be subject to appropriate safeguards, such as the Standard Contractual Clauses (SCCs) adopted by the European Commission, or the EU-U.S. Data Privacy Framework.

ANNEX 1: DETAILS OF PROCESSING

(This annex is intended to address the requirements of GDPR Article 28(3))

A. Nature and Purpose of Processing: Processing of personal data to provide the LeoShape, OMS, and LeoCapture software services. This includes storing 3D anatomical scans, designing custom orthotic/prosthetic devices (CAD), and managing order workflows for manufacturing (3D printing/CNC).

B. Duration of Processing: For the duration of the Terms of Service between the Data Controller and Data Processor, until data is deleted or returned.

C. Categories of Data Subjects:

  • Patients of the Data Controller (the Clinic/Lab).
  • Employees, clinicians, and technicians of the Data Controller.

D. Types of Personal Data:

  • Patient Data: Name, contact details, shipping address, order identifiers.
  • Special Categories of Data (Health Data): 3D scans and captures of limbs/body parts, orthosis/prosthesis geometries, clinical notes, diagnosis indicators relevant to device design.
  • User / Professional Data: Treating clinician details (name, professional contact details, role), usernames, business email addresses, application usage logs.

IN WITNESS WHEREOF, this DPA is deemed executed and effective as of the date on which the Subscriber, acting as Data Controller, accepts the LeoShape SaaS Terms of Service (including this DPA) by electronic means, click‑through, or other online acceptance mechanism.