Data processing details
Last Modified September 15, 2022 / Previous Versions
The following processing details are provided for the associated Services and tools:
- Cloud IVR
- Conversational AI
- Dragon Anywhere
- Dragon Legal Anywhere
- Dragon Medical Direct (DMD) (aka SpeechKit)
- Dragon Medical One (aka SpeechKit)
- Dragon Medical Workflow Edition (DMWE)
- Dragon Medical Workflow Manager (DMWM)
- Dragon Professional Anywhere
- Dragon TV
- Gatekeeper
- Live Chat
- MIX
- mPower
- Nuance Experience Studio
- Nuance Winscribe Dictation
- PowerMic Mobile
- PowerScribe One
- PowerScribe 360 with Mobile Radiologist
- PowerScribe 360 with Quality Check
- PowerShare
- Proactive Engagement
- Professional Services
- Surgical CAPD
- Virtual Assistant
Cloud IVR Services Data Processing Details
(a) The nature and purpose of the Processing, including any transfer of Personal Data outside the EEA, is to facilitate automated conversations between Company’s customers/prospects and Company’s IVR applications, employees, or contingent workers and to operate, maintain, tune, enhance, improve, and provide technical support for the Services. These conversations can include general Company information or requests and transactions specific to an individual Data Subject;
(b) The categories of Data Subjects may include (1) employees, agents, or contingent workers of Company (who are natural persons) and (2) individuals identified through the use of the Services;
(c) The subject matter of the Processing is the automated conversations related to a specific request by the Data Subject, to answer a question or make updates to the Company services provided to the Data Subject;
(d) The types of Personal Data Processed involve information necessary to enable communications between Company and Data Subject and provided by the Data Subject in order to gain the information or update Company services, including but not limited to the following types:
Device/Client Identifier – Identifier that enables the communication between Company and user, such as customer’s phone number
Automated Conversation Content – Recording or logging of the conversation between Company and user, including personal information normally exchanged during an automated conversation such as name, address, or email address
Meta Data – Specific personal information requested by the Data Subject or Company necessary to fulfill the customer service request, such as customer id, verification information such as mother’s maiden name, date of birth, or social security number, credit card number, or information related to Data Subject’s account with Company;
(e) The categories of Personal Data may include special categories of personal data. Nuance’s technical and organization measures are designed from ground-up to ensure appropriate handling and protection of sensitive personal data.
The Processing will comprise of collecting data during the automated conversation or collecting from Company’s backend systems. This data will be retained in a hosted database (with the exception of data that is masked according to predefined forms, automatic pattern matching, or manual overrides) and made available to authorized users of Nuance data APIs or reporting web tools.
(f) Hosting of Personal Data will be conducted in the locations specified in the Company´s order. The locations available are:
• USA
• Ireland and The Netherlands
• The U.K. (as agreed upon);
(g) The retention period will be: (i) 13 months for Services, and (ii) 3 years to maintain, tune, enhance, improve and provide technical support or such other period agreed in documented instructions by Company, but in no event the retention period will be longer than 90 days following the duration of the Main Agreement.
(h) The recurrence of the transfer of data depends on the frequency of support and maintenance required by Company or the Service.
Dragon Anywhere and Dragon Professional Anywhere and Dragon Legal Anywhere Data Processing Details
(a) The subject matter, nature and purpose of the Processing, including any transfer of Personal Data outside the EEA, is the delivery of the Services to Company in accordance with Nuance’s published product documentation for the product in question, including voice recognition services to translate voice dictation to text for users. Dragon Professional Anywhere is a cloud‑based platform that helps to produce documentation through voice recognition services to translate voice dictation to text. The software and service is an application that permits users to dictate documents and reports that may include proprietary terminology. The application supports voice-based correction, formatting and navigation. Dictated text can be shared via email or saved as documents. To fully optimize the voice recognition abilities of these programs, Company instructs Nuance and its service providers/sub-processors and Affiliates to use, compile (including creating statistical and other models), annotate and otherwise analyze the data to develop, train, tune, enhance and improve the speech recognition, natural language understanding and other components of Nuance’s software and technologies embodied in the Services.
(b) The categories of Data Subjects may include (1) clients who receive services from Company and who are the subject of reports Processed by the Services, and (2) Company personnel and other authorized individuals who use the Services.
(c) The types of Personal Data Processed are under the control of Company as Controller and will depend on the categories of Personal Data Processed by Company using the Services. Additionally, Personal Data of Company personnel will also be Processed, including name, contact information and voice recordings.
(d) The categories of Personal Data involved and transferred may include special categories of personal data, namely health data. Nuance’s technical and organizational measures are designed from ground-up to ensure appropriate handling and protection of sensitive personal data. Hosting of Personal Data will be conducted in the following locations:
United States of America
(e) The retention period is the duration specified in the Main Agreement, or by law (or, if no specific data retention period is specified in the Main Agreement, the data retention period specified by Nuance data retention and destruction policy).
(f) The frequency of the transfer depends on the frequency the Service is used by Company and will likely be recurrent.
Dragon Medical Direct (DMD) (aka SpeechKit) and Dragon Medical Workflow Edition (DMWE) Data Processing Details
(a) The subject matter, nature and purpose of the Processing, including any transfer of Personal Data outside the EEA, is delivery of the Services in support of Dragon Medical Direct, an on‑premise product in accordance with
(i) the Main Agreement in case of a DPA for End Users;
(ii) the Terms of Service in case of a DPA for Nuance Services;
(iii) the Agreement in case of a DPA for Nuance Distributors,
as described in Nuance’s published product and service documentation, including voice recognition services to translate voice dictation to text for healthcare providers. Company or Distributor, depending on whether Nuance uses a Distributor, also instructs Nuance for an initial 12 month period to provide a Customer Support Package, whereby data from Company’s system will be sent to Nuance’s CSO team to be placed into a dashboard of user metrics utilizing Microsoft’s Power BI tools. Dashboards are shared with Company to demonstrate how the license is being used, including, but not limited to, license activity, throughput or volumes dictated, the number of minutes the license is active, what efficiencies are being utilized.
(b) The categories of Data Subjects may include (1) patients or clients who receive medical care from Company and who are the subject of reports Processed by the products, and (2) Company personnel, including doctors, nurses, administrators, medical personnel and other authorized individuals who use the Services.
(c) The types of Personal Data Processed are under the control of Company as Controller and will depend on the categories of Personal Data Processed by Company using the Service, but will likely include name, date of birth, medical record number, other identification numbers, age, description of medical treatment and diagnosis, or financial information about patients or clients of Company. Additionally, Personal Data of Company personnel will also be Processed, including name, contact information and voice recordings.
(d) The categories of Personal Data Processed may include sensitive personal data, namely health data. Nuance’s technical and organizational measures are designed from ground‑up to ensure appropriate handling and protection of sensitive personal data.
(e) The healthcare records created with Dragon Medical Direct are maintained on Company’s on‑premise platform and the retention of those records is at the discretion of Company. The retention period is the duration of the Main Agreement, Terms of Service, or Agreement respectively, and any data retention period specified therein or by law (or, if no specific data retention period is specified in the Product Agreement, the data retention period specified by Nuance data retention and destruction policy). Records pertaining to Nuance's account management, accounting and customer relationship management system are maintained for the duration of the relationship and for a period thereafter consistent with Nuance’s data retention and destruction policy.
(f) Processing of Personal Data will be conducted in the following locations: Austria, Spain, Ireland, and the United States.
(g) The recurrence of the transfer of Personal Data depends on the frequency of support and maintenance required by Company or the Service.
Dragon Medical One (DMO) (aka SpeechKit) and including PowerMic Mobile Data Processing Details
(a) The subject matter, nature and purpose of the Processing, including any transfer of Personal Data outside the EEA, is delivery of the Services to Company in accordance with Nuance’s published product documentation for the product in question, including voice recognition services to translate voice dictation to text for healthcare providers. Dragon Medical One is a cloud-based platform that helps to produce clinical documentation for medical professionals, through voice recognition services to translate voice dictation to text. To fully optimize the voice recognition abilities of these programs, Company or Distributor, depending on whether Nuance uses a Distributor, instructs Nuance and its service providers/sub-processors and Affiliates to use, compile (including creating statistical and other models), annotate and otherwise analyze the data to develop, train, tune, enhance and improve the speech recognition, natural language understanding and other components of Nuance’s software and technologies embodied in the Services.
(b) The categories of Data Subjects may include (1) patients or clients who receive medical care from Company and who are the subject of reports Processed by the Services, (2) Company personnel, including doctors, nurses, administrators, medical personnel and other authorized individuals who use the Services, (3) employees, agents, and contingent workers of Resellers (who are natural persons), and (4) employees, agents, or contingent workers of Distributor (who are natural persons).
(c) The types of Personal Data Processed are under the control of Company as Controller, and will depend on the categories of Personal Data Processed by Company using the Services, but will likely include name, date of birth, medical record number, other identification numbers, age, description of medical treatment and diagnosis, or financial information about patients or clients of Company. Additionally, Personal Data of Company personnel will also be Processed, including name, contact information and voice recordings. Further, Personal Data of Distributor and Reseller personnel, including name and contact information, will also be Processed in the provision of third level service support and data analytics.
(d) The categories of Personal Data involved and transferred may include sensitive personal data, namely health data. Nuance’s technical and organizational measures are designed from ground-up to ensure appropriate handling and protection of such sensitive personal data.
(e) Hosting of Personal Data will be conducted in the following locations:
North America: in the US for US Companies and in Canada for Canadian Companies;
EMEA: in Germany for German and Austrian Companies, United Kingdom for UK Companies, and in France for all other EMEA Companies;
LATAM: in the US for LATAM Companies;
APAC: in Australia for Australian and New Zealand Companies.
(f) The retention period is the duration of
(i) the Main Agreement in case of a DPA for End Users;
(ii) the Terms of Service in case of a DPA for Nuance Services;
(iii) the Agreement in case of a DPA for Nuance Distributors; and
any data retention period specified in the above terms, as applicable, or by law (or, if no specific data retention period is specified in the above terms, the data retention period specified by Nuance data retention and destruction policy).
(g) The recurrence of the transfer of data depends on the frequency of support and maintenance required by Company or the Service.
Dragon Medical Workflow Manager (“DMWM”) Data Processing Details
(a) The subject matter, nature and purpose of the Processing, including any transfer of Personal Data outside the EEA, is delivery of the Services to Company in accordance with Nuance’s published product documentation for the product in question, including voice recognition services to translate voice dictation to text for healthcare providers. Dragon Medical Workflow Manager is an end-to-end cloud-based clinical documentation creation solution that manages all steps in the clinical documentation process from creation to distribution and every step in between. Through DMWM letters and patient reports can be dictated using a microphone, digital recorder, or mobile device. Medical Professionals can also utilize Nuance’s AI-based speech recognition functionality to further enhance the documentation process and reduce the need for transcription, allowing clinicians to quickly and accurately create and electronically sign documents for immediate distribution by using voice recognition services to transcribe audio to text. To fully optimize the voice recognition abilities of these programs, Company or Distributor, depending on whether Nuance uses a Distributor instructs Nuance and its service providers/sub‑processors and Affiliates to use, compile (including creating statistical and other models), annotate and otherwise analyze the data to develop, train, tune, enhance and improve the speech recognition, natural language understanding and other components of Nuance’s software and technologies embodied in the Services.
(b) The categories of Data Subjects may include (1) patients or clients who receive medical care from Company and who are the subject of reports Processed by the Services, and (2) Company personnel, including doctors, nurses, administrators, medical personnel and other authorized individuals who use the Services.
(c) The types of Personal Data Processed are under the control of Company as Controller and will depend on the categories of Personal Data Processed by Company using the Services, but will likely include contact information, name, date of birth, medical record number, patient account number or other identification numbers, age, description and diagnosis of medical treatment, metadata, financial information, browsing information and other data about patients or clients of Company contained in letters. Additionally, Personal Data of Company personnel will also be Processed, including name, contact information and voice recordings.
(d) The categories of Personal Data involved and transferred may include sensitive personal data, namely health data. Nuance’s technical and organizational measures are designed from ground-up to ensure appropriate handling and protection of such sensitive personal data.
(e) Hosting of Personal Data will be conducted in the following locations:
United Kingdom for United Kingdom
Australia for APAC
(f) The retention period is the duration of
(i) the Main Agreement in case of a DPA for End Users;
(ii) the Terms of Service in case of a DPA for Nuance Services;
(iii) the Agreement in case of a DPA for Nuance-Distributors; and
any data retention period specified in the above terms, as applicable, or by law (or, if no specific data retention period is specified in the above terms, the data retention period specified by Nuance data retention and destruction policy).
(g) The recurrence of the transfer of data depends on the frequency of support and maintenance required by Company or the Service.
Dragon TV Data Processing Details
(a) The nature and purpose of the Processing, including any transfer of Personal Data outside the EEA, is to facilitate television user experience enhancements by means of voice services between Company’s customers/prospects and Company’s television delivery services, SmartSpeaker support services, employees, or contingent workers and to operate, maintain, tune, enhance, improve, and provide technical support for the Services.
(b) The categories of Data Subjects may include (1) employees, agents, or contingent workers of Company and (2) individuals authorized by Company to use the Services (for example, customers and prospective customers of Company);
(c) The subject matter of the Processing is the audio and resulting transcription related to each specific request by the Data Subject, to answer a question or make updates to the Company services provided to the Data Subject;
(d) The types of Personal Data Processed involve information necessary to enable communications between Company and Data Subject and provided by the Data Subject in order to gain the information or update Company services, including but not limited to:
Device/Client Identifier – Identifier that enables the communication between Company and user, such as a unique identifier allocated to the device by the OEM.
Audio Command/Query Content – Incoming audio captured from microphones on Device or a Remote Control Unit (RCU) and the transcription of that audio.
User identifier – Specific personal information requested by the Data Subject or Company necessary to fulfil the customer service request, such as userID;
(e) The categories of Personal Data may include special categories of personal data. Nuance’s technical and organizational measures are designed from ground-up to ensure appropriate handling and protection of sensitive personal data.
(f) The Processing will comprise of receiving speech requests from the Data Subject via the Device or RCU on their premises during the transaction conversation or collecting from Company’s backend systems. This data will be retained in a hosted database (with the exception of data that is masked according to predefined forms, automatic pattern matching, or manual overrides) and made available to authorized users of Nuance data APIs or reporting web tools;
(g) Hosting of Personal Data will be conducted in the following locations:
For Companies in EMEA:
• In the EU (Ireland and The Netherlands) for DTV (based on NCS)
• In UK for DTVaaS (based on Core Tech SaaS);
For Companies in Rest of World: in the USA;
(h) The retention period will be 120 days for Services, and 3 years to maintain, tune, enhance, improve and provide technical support or the duration specified in documented instructions by Company, but in no event longer than 90 days following the duration of the Main Agreement.
(i) The recurrence of the transfer of data depends on the frequency of support and maintenance required by Company or the Service.
Gatekeeper Data Processing Details
(a) The nature and purpose of the Processing, including any transfer of Personal Data outside the EEA, is to facilitate chat conversations between Company’s customers/prospects and Company’s employees, agents, or contingent workers and to operate, maintain, tune, enhance, improve, and provide technical support for the Services. These conversations can include general Company information or requests and transactions specific to an individual Data Subject. This conversation could also include dialog with a virtual assistant;
(b) The categories of Data Subjects may include (1) employees, agents, or contingent workers of Company and (2) individuals authorized by Company to use the Services (for example customers and prospective customers of Company);
(c) The subject matter of the Processing is the chat conversations related to a specific request by the Data Subject, to answer a question or make updates to the Company services provided to the Data Subject;
(d) The types of Personal Data Processed involve information necessary to enable communications between Company and Data Subject and provided by the Data Subject in order to gain the information or update Company services, including but not limited to:
Device/Client Identifier – Identifier that enables communication between Company and user, such as telephone number, CLI, other telephony data, socket id or IP Address;
Biometric Data – VoicePrints, ConversationPrint™, behavioral biometrics and other biometric identifiers and biometric information;
Call Center Conversation – audio recording of the Data Subject/user speaking with a Company representative. Although not explicitly requested, unstructured conversation can contain personal information including, but not limited to: name, address, credit card number;
Chat Message Content – Transcript of the chat message between Company and user, including personal information normally exchanged during a customer service conversation such as name, address, or email address;
Meta Data – Specific personal information requested by the Data Subject or Company necessary to fulfil the customer service request, such as date of birth, account id, customer id or CLI;
(e) The categories of Personal Data involved and transferred include special categories of personal data, including but not limited to biometric data. Nuance’s technical and organizational measures are designed from ground-up to ensure appropriate handling and protection of sensitive personal data;
(f) The Processing will comprise of collecting data from Company’s call center, IVR, or digital channels such as mobile apps or web (e.g. live chat). This data will be retained in a hosted database (with the exception of data that is masked according to predefined forms, automatic pattern matching, or manual overrides) and made available to authorized users of Nuance data APIs or reporting web tools;
(g) Processing of Personal Data will be conducted in the following locations:
For Companies in North America in the USA and Canada;
For Companies in EMEA in UK, Ireland, and The Netherlands;
For Companies in APAC in Australia;
(h) The retention period will be 18 months for Services, and 3 years to maintain, tune, enhance, improve and provide technical support or the duration specified in documented instructions by Company, but in no event longer than 90 days following the duration of the Main Agreement.
(i) The frequency of the transfer depends on the frequency the Service is used by Company and will likely be recurrent.
MIX, Conversational AI and Nuance Experience Studio Data Processing Details
(a) The nature and purpose of the Processing, including any transfer of Personal Data outside the EEA, is to facilitate chat conversations between Company’s customers/prospects and Company’s employees, agents, or contingent workers and to operate, maintain, tune, enhance, improve, and provide technical support for the Services. These conversations can include general Company information or requests and transactions specific to an individual Data Subject. This conversation could also include dialog with a virtual assistant;
(b) The categories of Data Subjects may include (1) employees, agents, or contingent workers of Company and (2) individuals authorized by Company to use the Services (for example customers and prospective customers of Company);
(c) The subject matter of the Processing is the chat conversations related to a specific request by the Data Subject, to answer a question or make updates to the Company services provided to the Data Subject;
(d) The types of Personal Data Processed involve information necessary to enable communications between Company and Data Subject and provided by the Data Subject in order to gain the information or update Company services, including but not limited to:
Device/Client Identifier – Identifier that enables communication between Company and user, such as a socket id or IP Address;
Chat Message Content – Transcript of the chat message between Company and user, including personal information normally exchanged during a customer service conversation such as name, address, or email address;
Meta Data – Specific personal information requested by the Data Subject or Company necessary to fulfill the customer service request, such as customer id, verification information such as mother’s maiden name, data of birth, or social security number, credit card number, or information related to Data Subject’s account with Company;
(e) The categories of Personal Data involved and transferred may include special categories of personal data. Nuance’s technical and organizational measures are designed from ground-up to ensure appropriate handling and protection of sensitive personal data.
(f) The Processing will comprise of collecting data from Company’s web site, mobile app, or via a messaging channel (such as SMS), sending it to Company’s employee, agent, or contingent worker via an HTML-based agent desktop application. This data will be retained in a hosted database (with the exception of data that is masked according to predefined forms, automatic pattern matching, or manual overrides) and made available to authorized users of Nuance data APIs or reporting web tools;
(g) Hosting of Personal Data will be conducted in the following locations:
For Companies in North America in the USA;
For Companies in EMEA in UK, Ireland, France, and The Netherlands;
For Companies in APAC in Australia;
For Companies in LATAM in the USA;
(h) The retention period will be 18 months for Services, and 3 years to maintain, tune, enhance, improve and provide technical support or the duration specified in documented instructions by Company, but in no event longer than 90 days following the duration of the Main Agreement.
(i) The recurrence of the transfer of data depends on the frequency of support and maintenance required by Company or the Service.
mPower Data Processing Details
(a) The subject matter, nature and purpose of the Processing, including any transfer of Personal Data outside the EEA, is delivery of the Services to Company in accordance with Nuance’s published product documentation for the product in question, including voice recognition services to translate voice dictation to text for the radiology domain. mPower is a cloud-based analytics platform providing access to actionable insights to help radiologists and their teams to optimize radiology performance, drive adoption of valuable AI technologies, reduce risk of failed follow-ups, reduce costs, and increase revenues. Company gives Nuance the right to anonymize the personal data in accordance with applicable law and/or to de-identify the personal data in accordance with 45 C.F.R. §164.514 or other applicable law. Company or Distributor, depending on whether Nuance uses a Distributor, instructs Nuance and its service providers/sub-processors and Affiliates to use, compile (including creating statistical and other models), annotate and otherwise analyze the personal data to develop, train, tune, enhance and improve the speech recognition, natural language understanding and other components of Nuance’s software and technologies embodied in the Services.
(b) The categories of Data Subjects may include (1) patients or clients who receive medical care from the Company, (2) Company personnel, including doctors, nurses, administrators, medical personnel and other authorized individuals who use the Services, (3) employees, agents, and contingent workers of Resellers (who are natural persons), and (4) employees, agents, or contingent workers of Distributor (who are natural persons).
(c) The types of Personal Data Processed are under the control of Company as Controller and will depend on the categories of Personal Data Processed by Company using the Services, but will likely include name, date of birth, medical record number, other identification numbers, age, and the basic elements of the radiology report. Additionally, Personal Data of Company personnel will also be Processed, including name, contact information and voice recordings. Further, Personal Data of Distributor and Reseller personnel, including name and contact information, will also be Processed in the provision of third level service support and data analytics.
(d) The categories and types of Personal Data involved and transferred may include sensitive personal data, which may include but is not limited to health data. Nuance’s technical and organization measures are designed from ground-up to ensure appropriate handling and protection of sensitive personal data.
(e) Data Centers for Processing of Personal Data will be in the following locations:
All counties (excluding Australia and New Zealand) – United States
Australia and New Zealand - Australia
(f) The retention period is the duration of
(i) the Main Agreement in case of a DPA for End Users;
(ii) the Terms of Service in case of a DPA for Nuance Services;
(iii) the Agreement in case of a DPA for Nuance Distributors; and
Any data retention period specified in the above terms, as applicable, or by law (or, if no specific data retention period is specified in the above terms, the data retention period specified by Nuance data retention and destruction policy.
(g) The frequency of the transfer depends on the frequency the Service is used by Company and will likely be recurrent.
Nuance Winscribe Dictation (“Winscribe DD”) Data Processing Details
(a) The subject matter, nature and purpose of the Processing, including any transfer of Personal Data outside the EEA, is delivery of the Services to Company in accordance with Nuance’s published product documentation for the product in question, including voice recognition services to translate voice dictation to text for healthcare providers. Nuance Winscribe Dictation is a cloud-based platform that enables business professionals to automate their dictation-to-transcription workflow and remove manual steps from the process. Winscribe DD automatically collects and delivers dictations, assesses information about each job and delivers work to the appropriate transcriptionist or support team. Users can choose between sending dictated work to support staff for transcription, sending it to Dragon Speech Recognition engine for automatic voice-to-text transcription or sending it to an outsourcing agency for completion. To fully optimize the voice recognition abilities of these programs, Company or Distributor, depending on whether Nuance uses a Distributor, instructs Nuance and its service providers/sub-processors and Affiliates to use, compile (including creating statistical and other models), annotate and otherwise analyze the data to develop, train, tune, enhance and improve the speech recognition, natural language understanding and other components of Nuance’s software and technologies embodied in the Services.
(b) The categories of Data Subjects may include (1) clients who receive services from Company and who are the subject of reports Processed by the Services, and (2) Company personnel, including business professionals and all other authorized individuals who use the Services.
(c) The types of Personal Data Processed are under the control of Company as Controller and will depend on the categories of Personal Data Processed by Company using the Services, but will likely include contact information (address, phone number, email address), name, date of birth, medical record number or other identification numbers, age, gender, description of medical treatment and diagnosis, appointment data, test results, financial information, metadata, IP Address, browsing time, cookie information, website history, sensitive data (genetic data, health data, sex life, sexual orientation, racial or ethnic origin, religion or religious beliefs) and other data contained in the dictations (audio files). Additionally, Personal Data of Company personnel will also be Processed, including name, contact information and voice recordings.
(d) The categories of Personal Data involved and transferred may include sensitive personal data. Nuance’s technical and organizational measures are designed from ground‑up to ensure appropriate handling and protection of sensitive personal data.
(e) Hosting of Personal Data will be conducted in the following locations:
United Kingdom for United Kingdom
Australia for APAC
(f) The retention period is the duration of
(i) the Main Agreement in case of a DPA for End Users;
(ii) the Terms of Service in case of a DPA for Nuance Services;
(iii) the Agreement in case of a DPA for Nuance Distributors; and
any data retention period specified in the above terms, as applicable, or by law (or, if no specific data retention period is specified in the above terms, the data retention period specified by Nuance data retention and destruction policy).
(g) The recurrence of the transfer of data depends on the frequency of support and maintenance required by Company or the Service.
PowerScribe One including PowerScribe 360 with Quality Check PowerScribe 360 with Mobile Radiologist Data Processing Details
(a) The subject matter, nature and purpose of the Processing, including any transfer of Personal Data outside the EEA, is delivery of the Services to Company in accordance with Nuance’s published product documentation for the product in question, including voice recognition services to translate voice dictation to text for the radiology domain. PowerScribe One is a cloud‑based platform for diagnostic imaging workflow management where uses can create reports with a variety of dictation styles. Company gives Nuance the right to anonymize the personal data in accordance with applicable law and/or to de-identify the personal data in accordance with 45 C.F.R. §164.514 or other applicable law. Company or Distributor, depending on whether Nuance uses a Distributor, instructs Nuance and its service providers/sub-processors and Affiliates to use, compile (including creating statistical and other models), annotate and otherwise analyze the personal data to develop, train, tune, enhance and improve the speech recognition, natural language understanding and other components of Nuance’s software and technologies embodied in the Services.
(b) The categories of Data Subjects may include (1) patients or clients who receive medical care from the Company and who are the subject of reports Processed by the Services, (2) Company personnel, including doctors, nurses, administrators, medical personnel and other authorized individuals who use the Services, (3) employees, agents, and contingent workers of Resellers (who are natural persons), and (4) employees, agents, or contingent workers of Distributor (who are natural persons).
(c) The types of Personal Data involved are under the control of Company as Controller, and will depend on the categories of Personal Data Processed by Company using the Services, but will likely include name, date of birth, medical record number, other identification numbers, age, and the basic elements of the radiology report. Additionally, Personal Data of Company personnel will also be Processed, including name, contact information and voice recordings. Further, Personal Data of Distributor and Reseller personnel, including name and contact information, will also be Processed in the provision of third level service support and data analytics.
(d) The categories of Personal Data Processed and transferred may include sensitive personal data, which may include but is not limited to health data. Nuance’s technical and organization measures are designed from ground‑up to ensure appropriate handling and protection of sensitive personal data.
(e) Data Centers for Processing of Personal Data will be in the following locations:
All counties (excluding Canada, Australia and New Zealand) – United States
Canada - Canada
Australia and New Zealand - Australia
(f) The retention period is the duration of
(i) the Main Agreement in case of a DPA for End Users;
(ii) the Terms of Service in case of a DPA for Nuance Services;
(iii) the Agreement in case of a DPA for Nuance Distributors; and
any data retention period specified in the above terms, as applicable, or by law (or, if no specific data retention period is specified in the above terms, the data retention period specified by Nuance data retention and destruction policy
(g) The frequency of the transfer depends on the frequency the Service is used by Company and will likely be recurrent.
PowerShare Data Processing Details
(a) The subject matter, nature and purpose of the Processing, including any transfer of Personal Data outside the EEA, is delivery of the Services to Company in accordance with Nuance’s published product documentation for the product in question. PowerShare is a cloud-based platform for uploading, storing, and copying studies, and for transmitting studies with patients, providers, potential patients, and other facilities.
(b) The categories of Data Subjects may include (1) potential patients of Company, (2) patients who receive medical care from Company and who are the subject of studies Processed by the Services, (3) Company personnel, including doctors, nurses, administrators, medical personnel and other authorized individuals who use the Services, (4) employees, agents, and contingent workers of Resellers (who are natural persons), and (5) employees, agents, or contingent workers of Distributor (who are natural persons).
(c) The types of Personal Data Processed will likely include name, date of birth, medical record number, other identification numbers, age, and health information of (potential) patients, including medical images. Additionally, Personal Data of Company personnel will also be Processed, including name and contact information. Further, Personal Data of Distributor and Reseller personnel, including name and contact information, will also be Processed in the provision of third level service support and data analytics.
(d) The categories of Personal Data involved and transferred may include sensitive personal data, including but not limited to health data. Nuance’s technical and organizational measures are designed from ground-up to ensure appropriate handling and protection of sensitive personal data.
(e) Data Centers for Processing of Personal Data will be in the following locations:
United States
(f) The retention period is the duration of
(i) the Main Agreement in case of a DPA for End Users;
(ii) the Terms of Service in case of a DPA for Nuance Services;
(iii) the Agreement in case of a DPA for Nuance Distributors, and
any data retention period specified in the above terms, as applicable, or by law (or, if no specific data retention period is specified in the above terms, the data retention period specified by Nuance data retention and destruction policy).
(g) The frequency of the transfer depends on the frequency the Service is used by Company and will likely be recurrent.
Proactive Engagement Data Processing Details
(a) The subject matter, nature and purpose of the Processing, including any transfer of Personal Data outside the EEA, is delivery of the Services to Company in accordance with Nuance’s published product documentation for the product in question, including outbound Voice, SMS and Email notifications. The Proactive Engagement Platform is a Nuance hosted platform that sends consumers notifications on behalf of Company. Flight cancelation/delay messages, fraud on a credit card, payment reminders, utility outages, appointment reminders.
(b) The categories of Data Subjects may include (1) employees, agents, or contingent workers of Company and (2) individuals authorized by Company to use the Services (for example, customers and prospective customers of Company);
(c) The nature and purpose of the data transfer and Processing is to facilitate personalized automated outbound notifications to Company’s customers who have opted on to receive outbound Voice, SMS or Email notifications related to Company’s products or services.
(d) The subject matter of the Processing is the data used to create the outbound notification.
(e) The types of Personal Data Processed involve information necessary to enable outbound notifications to the Data Subject, including but not limited to:
The list of individuals to be notified, their phone number, email address, first and last name, and additional data related to the use case, flight numbers, overdue payment amounts, credit card transactions, or appointment details.
Data related to the specific use case – Specific Personal Data related to the notification necessary to personalize the message, such as customer id, verification information such date of birth, or last 4 social security number, last 4 credit card number, or other information related to Data Subject’s account with Company.
(f) The categories of Personal Data involved and transferred may include special categories of personal data. Nuance’s technical and organizational measures are designed from ground-up to ensure appropriate handling and protection of sensitive personal data.
(g) The Processing will comprise of collecting data during the automated conversation or collecting from Company’s backend systems. This data will be retained in a hosted database and made available to authorized users of Nuance data APIs or reporting web tools.
(h) Processing of Personal Data will be conducted in the following locations: United States of America.
(i) The retention period will be 13 months for detailed data related to the notification.
(j) The frequency of the transfer depends on the frequency the Service is used by Company and will likely be recurrent.
Professional Services Processing Details
(a) The nature and purpose of the Processing, including any transfer of Personal Data outside the EEA, is to provide professional services including to design, develop, migrate, deploy, and unit test the Services and to operate, maintain, tune, enhance, improve and provide technical support for the Services.
(b) The categories of Data Subjects may include (1) employees, agents, or contingent workers of Company and (2) individuals identified through the use of the Services.
(c) The subject matter of the Processing is the provision of the agreed upon professional service(s) to Company that involves the processing of Personal Data.
(d) The types of Personal Data Processed involve information necessary to provide the Services, including but not limited to the following types:
Business contact details – name, email address, phone number;
Device/Client Identifier – Identifier that enables communication between Company and user, such as telephone number, calling line identification (CLI), primary account number (PAN) data, other telephony data, socket id or IP Address;
Biometric Data – VoicePrints, ConversationPrint™, behavioral biometrics and other biometric identifiers and biometric information;
Interactive Voice Response (IVR) and Call Center Conversation – audio recording of the Data Subject/user interacting with an IVR through DTMF data capture and spoken data capture and speaking with a Company representative or system. Although not explicitly requested, unstructured conversation can contain personal information including, but not limited to: name, address, credit card number;
Chat Message Content – Transcript of the chat message between Company or system and user, including personal information normally exchanged during a customer service conversation such as name, address, or email address;
Meta Data – Specific personal information requested by the Data Subject or Company necessary to fulfil the customer service request, such as date of birth, account id, customer id or CLI;
(e) The categories of Personal Data may include Special Categories of Personal Data: biometric data.
(f) The Processing will comprise of the collection, use, storage, disclosure, recording and deletion of Personal Data.
(g) Hosting of Personal Data will be conducted in the following locations:
USA, Canada, UK, and The Netherlands;
(h) The retention period will be 18 months for Services, and 3 years to maintain, tune, enhance, improve and provide technical support or the duration specified in documented instructions by Company, but in no event longer than 90 days following the duration of the Main Agreement.
(i) The frequency of the transfer depends on the frequency that the professional service is required and/or requested by Company.
Surgical CAPD Data Processing Details
(a) The subject matter, nature and purpose of the Processing, including any transfer of Personal Data outside the EEA, is delivery of the Services to Company in accordance with Nuance’s published product documentation for the product in question. Surgical CAPD is a cloud‑based platform for surgical note documentation. Company gives Nuance the right to anonymize the personal data in accordance with applicable law and/or to de-identify the personal data in accordance with 45 C.F.R. §164.514 or other applicable law. Company or Distributor, depending on whether Nuance uses a Distributor, instructs Nuance and its service providers/sub-processors and Affiliates to use, compile (including creating statistical and other models), annotate and otherwise analyze the Personal Data to develop, train, tune, enhance and improve the speech recognition, natural language understanding and other components of Nuance’s software and technologies embodied in the Services.
(b) The categories of Data Subjects may include (1) patients or clients who receive medical care from the Company and who are the subject of reports Processed by the Services, (2) Company personnel, including doctors, nurses, administrators, medical personnel and other authorized individuals who use the Services, (3) employees, agents, and contingent workers of Resellers (who are natural persons), and (4) employees, agents, or contingent workers of Distributor (who are natural persons).
(c) The types of Personal Data involved are under the control of Company as Controller, and will depend on the categories of Personal Data Processed by Company using the Services, but will likely include name, date of birth, medical record number, other identification numbers, age, and the basic elements of the surgical report. Additionally, Personal Data of Company personnel will also be Processed, including name, contact information and voice recordings. Further, Personal Data of Distributor and Reseller personnel, including name and contact information, will also be Processed in the provision of third level service support and data analytics.
(d) The categories of Personal Data Processed and transferred may include sensitive Personal Data, which may include but is not limited to health data. Nuance’s technical and organization measures are designed from ground-up to ensure appropriate handling and protection of sensitive Personal Data.
(e) Data Centers for Processing of Personal Data will be in the following locations:
United States
(f) The retention period is the duration of
(i) the Main Agreement in case of a DPA for End Users;
(ii) the Terms of Service in case of a DPA for Nuance Services;
(iii) the Agreement in case of a DPA for Nuance Distributors; and
any data retention period specified in the above terms, as applicable, or by law (or, if no specific data retention period is specified in the above terms, the data retention period specified by Nuance data retention and destruction policy).
(g) The frequency of the transfer depends on the frequency the Service is used by Company and will likely be recurrent.
Virtual Assistant and Live Chat Data Processing Details
(a) The nature and purpose of the Processing, including any transfer of Personal Data outside the EEA, is to facilitate chat conversations between Company’s customers/prospects and Company’s employees, agents, or contingent workers and to operate, maintain, tune, enhance, improve, and provide technical support for the Services. These conversations can include general Company information or requests and transactions specific to an individual Data Subject. These conversations could also include dialog with a virtual assistant;
(b) The categories of Data Subjects may include (1) employees, agents, or contingent workers of Company and (2) individuals authorized by Company to use the Services (for example customers and prospective customers of Company);
(c) The subject matter of the Processing is the chat conversations related to a specific request by the Data Subject, to answer a question or make updates to the Company services provided to the Data Subject;
(d) The types of Personal Data Processed involve information necessary to enable communications between Company and Data Subject and provided by the Data Subject in order to gain the information or update Company services, including but not limited to:
Web Device/Client Identifier – Identifier that enables Nuance to persist chat services with a user as they move through Company’s site. The identifier is generated using random elements and without using any device or client information. The identifier is stored by the user’s browser, can be cleared by removing cookies and local storage, and cannot be used to identify the user on sites not owned by Company. The identifier is only shared with Company and is shared exclusively through Nuance‑owned reporting tools and APIs;
Web Device/Client Information – Information about the device including browser user agent string and IP information. Nuance collects the IP address for the purpose of generating an approximate region code (using an offline, internal database) but does not retain the IP addresses of users. This information is used only for reporting purposes and is not used to track site visitors. The user agent string and region code are only shared with Company and are shared exclusively through Nuance‑owned reporting tools and APIs;
Chat Message Content – Transcript of the chat message between Company and user, including personal information normally exchanged during a customer service conversation such as name, address, or email address;
Meta Data – Specific personal information requested by the Data Subject or Company necessary to fulfil the customer service request, such as customer id, verification information such as mother’s maiden name, data of birth, or social security number, credit card number, or information related to Data Subject’s account with Company;
(e) The categories of Personal Data involved and transferred include sensitive personal data. Nuance’s technical and organizational measures are designed from ground-up to ensure appropriate handling and protection of sensitive personal data.
(f) The Processing will comprise of collecting data from Company’s web site, mobile app, or via a messaging channel (such as SMS), sending it to Company’s employee, agent, or contingent worker via an HTML‑based agent desktop application. This data will be retained in a hosted database (with the exception of data that is masked according to predefined forms, automatic pattern matching, or manual overrides) and made available to authorized users of Nuance data APIs or reporting web tools;
(g) Hosting of Personal Data will be conducted in the following locations:
For Companies in North America in the USA;
For Companies in EMEA in UK, Ireland, and The Netherlands;
For Companies in APAC in Australia;
For Companies in LATAM in the USA;
(h) The retention period will be 13 months for Services, and 3 years to maintain, tune, enhance, improve and provide technical support or the duration specified in documented instructions by Company, but in no event longer than 90 days following the duration of the Main Agreement.
(i) The recurrence of the transfer of data depends on the frequency of support and maintenance required by Company or the Service.
Previous versions
- June 12, 2018(Open a new window)
- February 2, 2020(Open a new window)
- April 24, 2020(Open a new window)
- June 25, 2020(Open a new window)
- October 1, 2020(Open a new window)
- March 1, 2021(Open a new window)
- May 15, 2021(Open a new window)
- September 15, 2021(Open a new window)
- April 30, 2022(Open a new window)
- July 12, 2022(Open a new window)