Personal Data Protection Addendum
Customer Controller — Pi Health Processor
Last Modified: October 18, 2024
This Personal Data Protection Addendum (together with all Schedules, "Addendum") establishes the Parties' commitments for Processing Personal Data in connection with the services under this Agreement. In the event of a conflict between the terms of this Addendum and the rest of the Agreement, this Addendum shall control.
1. Definitions
Capitalized terms not defined herein have the same meaning as in the Agreement.
- "Controller" means the entity that determines the purposes and means of Processing.
- "Cross-border Transfer Contracts" means clauses or contracts governing the transfer of Personal Data adopted pursuant to section 7 below, including the Standard Contractual Clauses and UK Addendum.
- "Data Protection Laws" means any applicable law, regulation, rule, ordinance, directive, judgment, order, decision, national standard or guidance, or code of conduct or agreement with any governmental authority applicable to the Processing of Personal Data under the Agreement. Examples include: GDPR (EEA); UK GDPR; Federal Act on Data Protection (Switzerland); Cybersecurity Law, Data Security Law, Personal Information Protection Law (PRC); Personal Information Protection Act (South Korea); Privacy Act 1988 (Australia); PIPEDA (Canada); LGPD (Brazil); CCPA/CPRA (California).
- "Data Subject" means an identified or identifiable natural person to whom Personal Data relates.
- "Personal Data" means any information relating to a Data Subject that is processed by Pi Health under the Agreement, including names, contact details, financial information, health data, resumes, government IDs, medical records, and biometric materials.
- "Processing" (and "Process") means any operation performed on Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, restriction, erasure, or destruction.
- "Processor" means the entity that Processes Personal Data on behalf of the Controller.
- "Standard Contractual Clauses" means the standard contractual clauses approved by the European Commission.
- "Sub-processor" means any Processor engaged by Pi Health to process Personal Data.
- "UK Addendum" means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner.
2. Relationship of the Parties
Customer is the Controller and Pi Health is the Processor. Pi Health shall process Personal Data solely for the purpose of the provision of the Services in accordance with the Agreement.
3. Pi Health Responsibilities
Pi Health shall:
- Process Personal Data only as necessary for service provision and per Customer instructions
- Notify Customer if unable to comply with Data Protection Laws
- Ensure staff maintain confidentiality commitments
- Assist with data protection compliance requests
- Delete or return Personal Data within 60 days of contract termination
- Notify Customer within 5 business days of data subject requests or third-party inquiries
- Respond to law enforcement requests while protecting Customer interests where legally permitted
4. Deletion of Personal Data
Pi Health will permanently delete Personal Data within 60 days of termination unless retention is required by applicable law. Deletion shall render data unrecoverable by commercially reasonable means.
5. Security
Pi Health shall implement and maintain appropriate technical and organizational measures to protect Personal Data against unauthorized or unlawful processing, accidental loss, destruction, or damage, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing.
6. Sub-processors
Pi Health may engage Sub-processors to process Personal Data. Pi Health will notify Customer of any intended changes regarding addition or replacement of Sub-processors, giving Customer the opportunity to object. Pi Health shall ensure Sub-processors are bound by data protection obligations no less protective than those in this Addendum.
7. Cross-border Data Transfers
Where Personal Data is transferred outside the jurisdiction of origin, Pi Health will ensure adequate safeguards are in place, including Standard Contractual Clauses or the UK Addendum as applicable.
8. Data Protection Impact Assessments
Pi Health shall provide reasonable assistance to Customer in conducting data protection impact assessments and prior consultations with supervisory authorities, to the extent required under Data Protection Laws.
9. Audits
Pi Health shall make available to Customer all information necessary to demonstrate compliance with this Addendum and allow for and contribute to audits conducted by Customer or an auditor mandated by Customer.
10. Data Breach Notification
Pi Health shall notify Customer without undue delay upon becoming aware of a Personal Data breach. Such notification shall include the nature of the breach, categories of data affected, likely consequences, and measures taken to address the breach.