EXHIBIT 1  

PERSONAL DATA PROTECTION ADDENDUM

(Customer Controller - Pi Health Processor)
Last Modified: October 18, 2024

This Personal Data Protection Addendum (together with all Schedules, “Addendum”) establishes the Parties’ commitments for Processing Personal Data in connection with the services under this Agreement. In the event of a conflict between the terms of this Addendum and the rest of the Agreement, this Addendum shall control.


1. Definitions

Capitalized terms not defined herein have the same meaning as in the Agreement.

  • "Controller" means the entity that determines the purposes and means of Processing.
  • "Cross-border Transfer Contracts" means clauses or contracts governing the transfer of Personal Data adopted pursuant to section 7 below, including the Standard Contractual Clauses and UK Addendum.
  • "Data Protection Laws" means any applicable law, regulation, rule, ordinance, directive, judgment, order, decision, national standard or guidance, or code of conduct or agreement with any governmental authority applicable to the Processing of Personal Data under the Agreement. Depending on the scope of services, examples of Data Protection Laws that may apply include, but are not limited to: the General Data Protection Regulation (European Economic Area “EEA”); UK General Data Protection Regulation (United Kingdom); the Federal Act on Data Protection (Switzerland); the Cybersecurity Law, Data Security Law, Personal Information Protection Law (People's Republic of China (“PRC”)); Personal Information Protection Act (South Korea); the Privacy Act 1988 (Australia); the Personal Information Protection and Electronic Documents Act (Canada); the General Data Protection Law (Brazil) and the California Consumer Privacy Act (California), as amended by the California Privacy Rights Act (California).
  • "Data Subject" means an identified or identifiable natural person.
  • "Data Subject Request" means a communication from a Data Subject or their representative regarding the exercise of rights pursuant to Data Protection Laws that relates to that Data Subject's Personal Data.
  • "Personal Data" means any personal data or sensitive personal data, as defined in the Data Protection Laws, which may be reasonably linked to a Data Subject, that is Processed by Pi Health or a Sub-Processor on behalf of Customer, in each case in the course of Pi Health providing Services under the Agreement. Personal Data includes, without limitation: names, contact details, financial information, health data, curriculum vitae, resumes, any particular number assigned to individuals (e.g., government identification numbers, medical license numbers, medical record numbers, or key-coded patient identification numbers), audio/video recordings, tissues, blood or other biological samples or materials collected from a Data Subject, and any x-rays, photographs, recordings or other scans or images of a Data Subject, in whole or in part.
  • "Process" or "Processing" means any operation or set of operations that is performed upon Personal Data, whether or not by automatic means, including, but not limited to, access, collection, recording, organization, storage, adaptation, alteration, use, transfer, disclosure, making available, combination, blocking, deletion, erasure, or destruction.
  • "Processor" means a person or entity that Processes Personal Data on behalf of the Controller.
  • "Security Incident" means, in connection with the Services, any unauthorized or accidental access to, use, disclosure, alteration, loss, or destruction of Personal Data.
  • "Standard Contractual Clauses" means the clauses adopted by the European Commission’s Decision (EU) 2021/914 of 4 June 2021, as amended.
  • "Sub-Processor" means a Pi Health Affiliate, or a qualified non-Affiliate third-party engaged by Pi Health that Processes Personal Data in connection with this Agreement on behalf of Customer.

2. Relationship of the Parties and Description of Processing
  • Relationship of the Parties. The Parties acknowledge that Customer is a “Controller” and Pi Health is a “Processor” with respect to Personal Data. Pi Health and Customer agree to comply with Data Protection Laws applicable to each in such capacities.
  • Description of Processing. The Parties agree that:

    • (i) the subject matter, purpose, and nature of the Processing by Pi Health is solely for the purpose of the provision of the Services in accordance with the Agreement;
    • (ii) the duration of the Processing shall be the term of the Agreement and until all Personal Data has been deleted or returned in accordance with Section 3(e) below; and
    • (iii) to the extent required by Data Protection Laws, a further description of Processing for the Services shall be included in the applicable Statement of Work, in Customer’s instructions, and in other documentation associated with the Services, which, in the case of clinical Services, shall include associated study protocols and study manuals.

3. Pi Health Responsibilities
  • (a) Pi Health shall Process Personal Data only: (i) as reasonably necessary for the provision of the Services in accordance with the Agreement; (ii) in accordance with any other reasonable instructions provided by Customer; and (iii) as required or permitted by applicable law.
  • (b) Pi Health shall notify Customer if, in its reasonable opinion, (i) it is unable to comply with any Data Protection Laws applicable to the Services, this Addendum, or any of Customer's instructions or requests or (ii) it reasonably believes such instructions or requests violate Data Protection Laws.
  • (c) Pi Health shall ensure that persons authorized to Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
  • (d) Pi Health shall assist Customer, at Customer's reasonable written request, in complying with its obligations under Data Protection Laws, including with respect to the protection of Personal Data, Security Incident notifications, data protection impact assessments and consultations with supervisory authorities or regulators.
  • (e) Unless longer retention is contemplated by the Services, Pi Health shall, within sixty (60) calendar days after termination or expiration of the Agreement or of Customer's written request, at Customer's choice, either: (i) permanently delete or destroy the Personal Data, in accordance with Section 4 below, or (ii) return, in an agreed format, to Customer the Personal Data, unless in either case applicable law requires Pi Health to maintain a copy of the Personal Data, in which case Pi Health agrees to maintain such copy in compliance with this Addendum and Data Protection Laws. Pi Health shall notify Customer in writing when said return and/or destruction is complete.
  • (f) Pi Health shall notify Customer within five (5) business days if Pi Health receives (i) a Data Subject Request or (ii) any complaint, request, or other communication (such as a subpoena or court order) from a third party (e.g., a government authority or Data Subject) relating to the Processing of Personal Data (collectively “Third-Party Inquiry”), unless prohibited by applicable law.
    1. Pi Health shall not respond to any such Data Subject Request or Third-Party Inquiry unless expressly instructed to do so by Customer or otherwise required by applicable law. Notwithstanding the foregoing, a Third-Party Inquiry may be responded to without Customer’s permission, provided the response does not reveal which Personal Data Pi Health is Processing or utilize Customer’s name without consent from Customer.
    2. Pi Health shall assist Customer in responding to any such Data Subject Request or Third-Party Inquiry without undue delay, and in any event respond within five (5) business days of Customer's reasonable written request for assistance/information.
  • (g) Pi Health shall, in response to any subpoena, judicial order, administrative order, or other request from law enforcement or governmental authority seeking disclosure of Personal Data:
    1. where permitted by law, notify Customer of the request and give Customer the option, at Customer's own expense, to challenge the request or seek a protective order with respect to Personal Data; or
    2. where not permitted by law to notify Customer of said request or where Customer is not allowed to challenge the request or seek a protective order:
      1. review the legality of the request and, if Pi Health determines there are reasonable grounds to challenge the request in whole or part, challenge the request;
      2. when challenging the request, Pi Health shall reasonably seek to suspend or delay the effects of the request until a competent judicial authority has considered the merits;
      3. not disclose the Personal Data requested until required to do so under applicable law, including applicable procedural rules; and
      4. if ultimately required to disclose any Personal Data under applicable law, provide the minimum amount of Personal Data possible based on a reasonable interpretation of the request and seek to ensure that any Personal Data disclosed is treated as confidential by those receiving it.
  • (h) To the extent Pi Health is directly collecting Personal Data from third-party Data Subjects, Pi Health shall assist Customer, at Customer’s reasonable written request, in providing any necessary privacy notices to and/or obtaining necessary consents from said third-party Data Subjects (e.g., patients, customers, website users, etc.) as directed and instructed by Customer. Customer shall ensure that any Personal Data it provides to Pi Health for purposes of the Services pursuant to this Agreement has been obtained in compliance with Data Protection Laws.
  • (i) Pi Health shall take reasonable steps designed to ensure that Personal Data directly collected by Pi Health is:
    1. adequate, relevant, and limited to what is necessary in relation to the purpose(s) of Processing; and
    2. accurate and, where necessary, kept up to date, and inform Customer if it becomes aware of inaccurate and outdated Personal Data and, upon Customer’s written request, erase or correct such Personal Data.
  • (j) Pi Health and Customer shall work together in good faith to implement those measures required under the applicable Data Protection Laws that govern the cross-border transfer and/or localization of Personal Data in accordance with section 7 below.

4. Security Measures

Pi Health shall:

  • implement reasonable and appropriate administrative, technical, and physical safeguards designed to: (a) ensure the confidentiality, security, integrity, and availability of Personal Data; (b) protect against threats or hazards to Personal Data; and (c) provide for the appropriate transfer, disposal, and destruction of Personal Data;
  • protect Personal Data in accordance with the Information Security Safeguards set forth in Exhibit 2 to the Agreement; and
  • assess the appropriateness of the security measures based on the state of the art, cost of implementation and the characteristics of the Personal Data and Processing.

5. Security Incident Response and Management
  • If Pi Health discovers a Security Incident that impacts Personal Data covered by this Addendum, Pi Health shall notify Customer without undue delay, but in no event later than thirty-six (36) hours after initial detection. At Customer’s request, Pi Health shall provide reasonable assistance and cooperation as requested by Customer, including investigating and remediating any Security Incident and mitigating any potential damage.

6. Sub-Processors

Notwithstanding any obligations with respect to subcontractors in the Agreement, Customer authorizes Pi Health to appoint Sub-Processors to Process Personal Data, provided that Pi Health: (a) enters into a written agreement with the Sub-Processor incorporating terms which are no less protective than those set out in this Addendum; (b) provides notice to Customer of the appointment or removal of any non-Affiliate Sub-Processor; and (c) remains fully liable for all acts or omissions of any Sub-Processor.


7. Cross-Border Data Transfers
  • (a) The Parties agree to comply with Data Protection Laws with respect to any cross-border transfers of Personal Data, including any onward transfers of Personal Data initiated by Pi Health necessary for performance of the Services.
  • (b) Each Party agrees it will, as required by Data Protection Laws, cooperate with the other Party to implement and maintain valid data transfer mechanisms to govern the cross-border transfer of Personal Data associated with the Services, including completing any required transfer assessments and implementing any additional security measures needed to allow for the transfer of the data.
  • (c) Transfers of Personal Data out of the EEA, the UK or Switzerland to Jurisdictions Without an Adequacy Decision. For any transfers of Personal Data from the EEA, the UK, or Switzerland to any jurisdiction that has not been deemed to ensure an adequate level of data protection within the meaning of Data Protection Laws, unless otherwise agreed, the Parties shall rely upon the Standard Contractual Clauses (or any updates or replacements supplanting such clauses), which are incorporated herein by reference, inclusive of the Addendum for Completion of the Standard Contractual Clauses set forth in Schedule 1 to this Addendum, which is attached hereto and incorporated herein by reference, and the Information Security Safeguards set forth in Exhibit 2 to the Agreement, as well as any additional descriptions or safeguards (that may be appended hereto, either now or in the future) that may be required under Data Protection Laws to validate the use of the Standard Contractual Clauses and/or the transfer of Personal Data.
  • (d) Transfers of Personal Data Out of the UK. For any transfers of Personal Data from the UK, unless the Parties execute a UK specific International Transfer Agreement, the Parties agree to rely on the Standard Contractual Clauses entered into by the Parties as modified by the Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses (“UK Addendum”). In such cases, the Parties agree that: (a) Table 1 of the UK Addendum, the names of the Parties, their roles and their details shall be considered populated by the information set out in Annex I.A of the Standard Contractual Clauses; (b) Tables 2 and 3 of the UK Addendum shall be considered populated by the applicable version of the Standard Contractual Clauses as described in Section 7(c), including the information set out in the Annexes of the Standard Contractual Clauses; and (c) for the purposes of Table 4 of the UK Addendum, neither Party may end the UK Addendum. Notwithstanding the foregoing, the UK Addendum will not apply to the extent the transfer is covered by a decision adopted by a competent authority with jurisdiction over the Parties declaring that a jurisdiction meets an adequate level of protection of Personal Data.
  • (e) Transfers of Personal Data Out of or Through Switzerland. Transfers of Personal Data out of Switzerland, which (i) originated in Switzerland or (ii) originated in the EEA and are subject to GDPR, but were transferred through Switzerland, may be subject to the Swiss Federal Act on Data Protection of 19 June 1992 (“FADP”) or, as of 1 January 2023, the revised FADP of 25 September 2020. The Swiss Federal Data Protection and Information Commissioner (FDPIC) has approved the use of the Standard Contractual Clauses for such transfers, provided that the Standard Contractual Clauses are adapted to cover those situations. To that effect, unless the Parties execute Swiss specific standard contractual clauses or a Swiss specific addendum to the Standard Contractual Clauses in accordance with section 7(g) below, the Parties agree as follows:

| Standard Contractual Clauses Text | Data that Originated in Switzerland | Data, subject to GDPR, that was transferred through Switzerland |
|---|---|---|
| Competent supervisory authority in Annex I.C under Clause 13. | The Supervisory Authority shall be the FDPIC. | The FDPIC shall have parallel supervision to the EU authority to the extent the data transfer is governed by FADP. |
| Applicable law for contractual claims under Clause 17. | The applicable law shall be Swiss law. | No adjustment needed. |
| Place of jurisdiction for actions between the Parties pursuant to Clause 18(b). | The courts of Basel, Switzerland. | No adjustment needed. |
| Adjustments or additions concerning the place of jurisdiction for actions brought by data subjects. | “Member State” shall mean Switzerland and all Swiss data subjects shall have the right to sue in the courts of Switzerland. | No adjustment needed. |
| Adjustments or additions regarding references to the GDPR. | References to “GDPR” are to be understood as references to the “FADP”. | No adjustment needed. |
| Supplement until the entry into force of the revised FADP. | It is specified that the clauses also protect the data of legal entities until the entry into force of the revised FADP. | It is specified that the clauses also protect the data of legal entities until the entry into force of the revised FADP. |

  • (f) Transfers of Personal Data from the PRC or Other Countries with Mandatory Localization Requirements. The Parties shall discuss in advance whether any Services involve Processing of Personal Data collected and/or, if applicable, generated within countries with mandatory localization requirements and whether transfer to other countries is planned as part of the Services. To the extent that the Personal Data being Processed by Pi Health is subject to localization requirements under applicable local laws and regulations, Pi Health shall, at Customer’s reasonable written request, cooperate with Customer to address any local regulatory requirements applicable to the transfer of Personal Data to another country.
  • (g) If any country issues its own Cross-border Transfer Contracts or the EU or UK issue updated Cross-border Transfer Contracts that are applicable to the Services, the Parties shall work in good faith to implement and, if required by Data Protection Law, execute said Cross-border Transfer Contracts separately. Any such additional Cross-border Transfer Contracts implemented or executed by the Parties, including any updates or replacements issued thereto, are hereby incorporated into the Agreement by reference.
  • (h) In the event of a conflict between (i) the Agreement and this Addendum, this Addendum shall prevail, and (ii) this Addendum and the Cross-border Transfer Contracts, the Cross-border Transfer Contracts shall prevail.

8. Audits and Inspections

Pi Health shall:

  • be able to demonstrate upon Customer’s reasonable written request its compliance with this Addendum and Data Protection Laws, in particular by keeping appropriate documentation on the Processing activities carried out on Customer’s behalf; and
  • allow for and contribute to privacy/data protection audits conducted by Customer or an auditor appointed by Customer. Such audits shall be at Customer’s sole cost and expense and with at least ninety (90) calendar days’ advance written notice to Pi Health and during Pi Health’s normal business hours, no more frequently than one time in any twelve (12) month period.

9. Compliance with the Agreement

Pi Health shall promptly notify Customer if it has reason to believe that it is or has become subject to laws or practices preventing it from fulfilling its obligations under this Agreement, including the Addendum, any applicable Cross-border Transfer Contracts, and the associated Information Security Addendum, and shall cooperate with Customer in identifying appropriate measures to address any impediments arising from such laws and practices. If Customer believes that the issues cannot be addressed through such measures, it shall be entitled, upon providing reasonable notice to Pi Health, to suspend the transfer of Personal Data. In the event that this Addendum, or any actions to be taken or contemplated to be taken in performance of this Addendum, do not or would not satisfy either party’s obligations under the Data Protection Laws applicable to each party, the parties will negotiate in good faith upon an appropriate amendment to this Addendum.

  Schedule 1 to Exhibit 1  

PERSONAL DATA PROTECTION ADDENDUM

ADDENDUM FOR COMPLETION OF THE
STANDARD CONTRACTUAL CLAUSES
4 June 2021
MODULE TWO: Transfer controller to processor
Selection of Optional Clauses and Provision of Required Information

This Addendum for Completion of the Standard Contractual Clauses (“Clauses”) establishes the Parties’ choices with regards to the Standard Contractual Clauses, which are incorporated in the Agreement by reference pursuant to section 7 of the Personal Data Protection Addendum (Exhibit 1) of the Agreement. In the event of a conflict between the terms of this Addendum and the rest of the Agreement, this Addendum shall control.

Clause 7 - Optional

The Parties agree to the optional docking clause language with the understanding that the Customer entity signing these Standard Contractual Clauses is already joining all Customer entities acting as importers in jurisdictions without an adequacy decision under this Agreement without need for their separate signature.

Clause 9

The Parties agree to the following language for Clause 9:

Use of Sub-Processors
GENERAL WRITTEN AUTHORISATION
The data importer has the data exporter's general authorization for the engagement of sub-processor(s) from an agreed list. The data importer shall specifically inform the data exporter in writing of any intended changes to that list through the addition or replacement of sub-processors at least thirty (30) days in advance, thereby giving the data exporter sufficient time to be able to object to such changes prior to the engagement of the sub-processor(s). The data importer shall provide the data exporter with the information necessary to enable the data exporter to exercise its right to object.

Clause 11
Redress
The Parties agree not to incorporate the optional language regarding data subject complaints.

Clause 13
Supervision
The supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer, as indicated in Annex I.C, shall act as competent supervisory authority.

Clause 17
Governing Law
These Clauses shall be governed by the law of one of the EU Member States, provided such law allows for third-party beneficiary rights. The Parties agree that this shall be the law of Ireland.

Clause 18
Choice of Forum and Jurisdiction
The Parties agree that the choice of forum and jurisdiction shall be the courts of Ireland.


  ANNEX I  

A. LIST OF PARTIES

1. Data exporter(s): [Identity and contact details of the data exporter(s) and, where applicable, of its/their data protection officer and/or representative in the European Union]

Name: As provided in the Master Services Agreement.
Address: As provided in the Master Services Agreement.
Contact person's name, position, and contact details: As provided in the Master Services Agreement.
Activities relevant to the data transferred under these Clauses: Sponsor of clinical trials and user of Data Importer's Software and services for the collection, analysis, transfer, processing, storage and deletion of personal data
Signature and date: As provided in the Master Services Agreement.
Role (controller/processor): Controller

2. Data importer(s): [Identity and contact details of the data importer(s), including any contact person with responsibility for data protection]

Name: Pi Health, on behalf of itself and its Affiliates
Address: 55 Cambridge Parkway, Suite 700W, Cambridge, MA 02142, USA
Contact person's name, position, and contact details: Brandon Goldberg, Data Protection Officer, Pi Health. brandon.goldberg@pihealth.ai
Activities relevant to the data transferred under these Clauses: Provider of Software and services for the collection, analysis, transfer, processing, storage and deletion of personal data in support of Data Exporter's business activities
Signature and date: As provided in the Master Services Agreement.
Role (controller/processor): Processor

B. DESCRIPTION OF TRANSFER

Categories of data subjects whose personal data is transferred

  • Study Subjects: Former, current or future subjects participating in clinical research or other forms of medical research and/or patients who have received medical treatment, medications or other relevant healthcare services and/or their relatives;
  • Principal Investigator: Investigators and staff of a hospital/institute conducting the clinical research or other forms of medical research and/or potential investigators, sub-investigators, pharmacists, physicians, other health care professionals;
  • Study Personnel: Staff of relevant contract research organizations managing the clinical research on behalf of Customer;
  • Other consultants, contractors, managers, agents, vendors and suppliers (who are natural persons) of Customer;
  • Customer's staff involved in the conduct and management of the clinical research or other forms of medical research;

Categories of personal data transferred

  • For Principal Investigator, Study Personnel, other consultants, contractors, managers, agents, vendors and suppliers (who are natural persons) of Customer, and Customer’s staff only (as applicable):
    1. Basic identification and contact data (e.g., name, address, email, telephone, date of birth, etc.)
    2. System Access / Usage / Authorization Data
    3. (possibly) connection data (e.g., logs, IP address, cookies)
  • For Study Subjects only:
    1. Indirect identifiers: gender, month and year of birth (and/or age) and the personal identification number assigned to the Study Subjects
    2. Sensitive data, as described below

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.

For Study Subjects only:

  • Medical/health data, including medical history, examination notes and test results from the clinical Study;
  • Other sensitive data (e.g., demographic data such as race or ethnic origin where so relevant for the data of the clinical research or other form of medical research)

The frequency of the transfer (e.g., whether the data is transferred on a one-off or continuous basis)

Continuous

Nature of the processing

Collection, analysis, transfer, processing, storage and deletion of personal data in support of clinical trials and related research and business activities

Purpose(s) of the data transfer and further processing

In support of Data Exporter's clinical trials and related research and business activities

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

In accordance with the Agreement

For transfers to (sub-) processors, also specify subject matter, nature, and duration of the processing

Same as that for Data Importer


C. COMPETENT SUPERVISORY AUTHORITY
Data Protection Commission
21 Fitzwilliam Square South
Dublin 2
D02 RD28
Ireland


  ANNEX II  

TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

The technical and organisational measures are detailed in the Information Security Safeguards, attached as Exhibit 2 to the Agreement.

  EXHIBIT 2  

INFORMATION SECURITY SAFEGUARDS ADDENDUM

Pi Health will adopt appropriate security measures that comply with applicable laws and are designed to ensure the security and protection of all Customer Confidential Information (including Personal Data) that is received, accessed, handled, or stored by Pi Health and its approved subcontractors or agents.

As part of its comprehensive Information Security Measures (as defined in the Agreement), Pi Health, at a minimum, must comply with the following measures:

  • (a) identify appropriately defined organizational roles related to information security that manage information security measures within this Agreement;
  • (b) implement appropriate controls that address: access privileges and management; user onboarding and offboarding; password and multi-factor authentication administration; network and system security; remote access; physical and environmental security; data segregation (between Customer Confidential Information and the data of any other customers of Pi Health); software lifecycle development; recurring penetration testing; configuration and change management; vulnerability and patch management; incident response; risk management; and business continuity management and disaster recovery;
  • (c) conduct and document periodic risk assessments and review and, as appropriate, revise its information security practices at least annually or whenever there is a material change in Pi Health's business practices that may reasonably affect the security, confidentiality, or integrity of Personal Data;
  • (d) have in place documents that specify its policies and practices in relation to Personal Data that are accessible to relevant individuals, such as an online privacy policy;
  • (e) ensure (i) Customer Confidential Information is encrypted during transfer and at rest (i.e., when stored) by Pi Health and any third parties engaged by Pi Health and (ii) that appropriate technical controls are in place preventing the download of Customer Confidential Information to any servers, laptops, portable media devices, mobile devices, etc., that are not applicable to a business need;
  • (f) install and maintain anti-virus and malware protection software on the system to protect Personal Data from anticipated threats or hazards and protect against unauthorized access to or use of Personal Data;
  • (g) ensure that Pi Health's personnel are given information security training to the extent reasonably necessary for providing services to Customer;
  • (h) notify Customer of its designated primary security manager upon Customer's request; the security manager will be responsible for managing and coordinating the performance of Pi Health's obligations set forth in its information security program and in this Agreement;
  • (i) ensure that the security of Personal Data transfers is appropriate, considering the sensitivity of the data being transferred, e.g., without limitation, ensure that sensitive or special category Personal Data is not transferred via email without encryption, via chat, or via social media; and
  • (j) maintain and enforce data protection standards with respect to access and maintenance of Customer Confidential Information that: (i) are at least equal to industry best practices for such types of locations; (ii) are designed to prevent accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of or access to Customer Confidential Information; and (iii) ensure that Customer Confidential Information is backed up at regular intervals or on a schedule to be agreed to in advance between Pi Health and Customer, it being understood that backup media will be retained for at least a 90-day period to comply with this Agreement.

Additional security measures implemented to protect sensitive personal data*:
In accordance with (b), (c), and (e) above, Pi Health is to scale the level of protection to reflect the sensitivity of the Personal Data and risk associated with its Processing.

* "Sensitive Personal Data" means any of the following types of Personal Data: (i) Social Security or identity card number, taxpayer identification number, passport number, driver's license number or other government-issued identification number; (ii) credit or debit card details or financial account number, with or without any code or password that would permit access to the account, or credit history; (iii) username and password; or (iv) information on race, religion, ethnicity, sex life or practices or sexual orientation, medical information, health information, genetic or biometric information, biometric templates, political, religious, or philosophical beliefs, political party or trade union membership, background check information, judicial data such as criminal records (including alleged commission of an offense) or information on other judicial or administrative proceedings.