HealthStream Data Processing Agreement
This Data Processing Agreement (“DPA”) is an agreement between HealthStream, Inc., a Tennessee corporation, having its principal place of business at 500 11th Ave N, Suite 850, Nashville, Tennessee 37203 (“HealthStream”), and Customer. This DPA governs any processing of Personal Information that may occur pursuant to a written agreement between the parties (including the Master Service Agreement and any Order Forms entered into by the Parties) (collectively, the “Underlying Agreement”). HealthStream and Customer may each be referred to herein as a “Party” and together as the “Parties.”
This DPA is incorporated into and governed by the Underlying Agreement in all respects.
The Parties agree as follows:
1. Definitions
Capitalized terms used in this DPA have the meanings given below. Terms not defined herein shall have the meanings set forth in the Underlying Agreement.
1.1. “Business,” “Sell,” “Share,” and “Service Provider” shall have the meanings given to them in applicable Data Protection Laws.
1.2. “Controller” means the entity that determines the means and purposes of the Processing of Personal Information.
1.3. “Data Protection Laws” means all applicable legislation relating to data protection and privacy that apply to HealthStream with respect to its Processing of Personal Information on behalf of Customer under the Underlying Agreement, including without limitation the consumer privacy laws of California, Connecticut, Colorado, Delaware, Iowa, Montana, Nevada, Oregon, Tennessee, Texas, Utah, Virginia, and other U.S. states with laws granting similar privacy protections, as amended, superseded, or replaced from time to time.
1.4. “Personal Information” means any information relating to an identified or identifiable individual that is protected as personal information or personally identifiable information under applicable Data Protection Laws and that is Processed by HealthStream on behalf of Customer pursuant to the Underlying Agreement and as permitted under this DPA. This includes, without limitation:
(i) Customer may only disclose or otherwise cause HealthStream to Process Personal Information in compliance with applicable HealthStream documentation, instructions, and terms and conditions for the Services; and
(ii) Customer is prohibited from disclosing Personal Information to HealthStream except as expressly permitted or accepted by HealthStream in writing.
1.5. “Personal Information Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Information. This does not include unsuccessful attempts that do not compromise security, such as unsuccessful log‑in attempts, pings, port scans, or denial‑of‑service attacks.
1.6. “Processing” means any operation performed on Personal Information, whether automated or not, including collection, recording, organization, storage, use, disclosure, dissemination, alignment, restriction, erasure, or destruction.
1.7. “Processor” means the Party that Processes Personal Information on behalf of the Controller, including any Service Provider as defined by applicable Data Protection Laws.
1.8. “Sub‑Processor” means any entity that provides Processing services to HealthStream in furtherance of HealthStream’s Processing of Personal Information.
2. Nature, Purpose, and Subject Matter
The nature, purpose, and subject matter of HealthStream’s Processing activities are set out in the Underlying Agreement. Personal Information may relate to Customer’s employees, students, providers, or other authorized end users accessing HealthStream Services. Categories of Personal Information may include identifiers, employment information, education information, legally protected information, commercial history, or other Personal Information agreed upon under the Underlying Agreement. HealthStream will Process Personal Information for the duration of this DPA unless otherwise agreed in writing.
3. Parties’ Roles
HealthStream acts as a Processor or Service Provider, and Customer acts as a Controller or Business. The Parties acknowledge their obligations under applicable Data Protection Laws and agree that Customer does not Sell or Share Personal Information with HealthStream.
4. HealthStream as Processor
4.1. Customer appoints HealthStream to Process Personal Information on Customer’s behalf pursuant to Customer’s lawful written instructions. The Underlying Agreement, this DPA, and other written instructions collectively constitute Customer’s complete instructions.
4.2. HealthStream may Process aggregated or de‑identified Personal Information, comply with legal obligations, cooperate with law enforcement, or exercise or defend legal claims.
4.3. HealthStream shall not Sell or Share Personal Information, use it for unauthorized commercial purposes, or Process it outside the business relationship. HealthStream certifies compliance with these restrictions.
5. Customer Responsibilities
Customer shall comply with all applicable Data Protection Laws and is responsible for the legality, accuracy, and collection of Personal Information, including obtaining required consents. Customer acknowledges that HealthStream Services are provided only in the United States and Canada.
6. Sub‑Processors
HealthStream may engage Sub‑Processors under data protection terms providing protections equivalent to this DPA. HealthStream remains responsible for Sub‑Processor compliance and shall provide a list upon request.
7. Privacy Requests
HealthStream shall assist Customer with consumer or authority Privacy Requests upon written request. Customer is responsible for fulfillment and associated costs.
8. Other Processing
HealthStream may Process Transmitted Data as an independent controller where permitted by law and shall remain responsible for compliance obligations related to such Processing.
9. Demonstration of Compliance
HealthStream shall provide reasonable information and audit cooperation upon written request, subject to notice, confidentiality, and operational safeguards.
10. Compliance with Law
Customer shall ensure compliance with applicable laws, notices, consents, and rights. HealthStream is not liable for Customer’s failures.
11. Data Security
HealthStream shall maintain appropriate technical and organizational security measures and provide a summary of security policies upon request.
12. Data Breach
HealthStream will notify Customer within five (5) calendar days of becoming aware of a Data Breach and provide reasonable assistance as required.
13. Effect of Termination
Upon termination and Customer’s request, HealthStream will delete Personal Information unless retention is required by law.
14. Relationship to Underlying Agreement
This DPA is incorporated into and governed by the Underlying Agreement. Liability, indemnification, insurance, and conflict provisions apply as stated.
15. Miscellaneous
This DPA may only be amended in writing signed by both Parties and constitutes the entire agreement regarding its subject matter.