Client BAA - DPA Veritas Int

Please read this document in full, fill in your details and the details of your company at the bottom of this document and confirm you agree with the Veritas Intercontinental BAA and Data Processing Agreement (DPA). For any questions in relation to this Business Associate Agreement and Data Processing Agreement (DPA), please email dpo@veritasint.com

Health Insurance Portability and Accountability Act (HIPAA) Business Associate Agreement

This Business Associate Agreement (the “BAA”) is made and entered into between you, the client requesting the services of Veritas Intercontinental SL (hereinafter “Customer”), and VERITAS INTERCONTINENTAL SL (hereinafter “Business Associate”). Customer is responsible for ensuring that any additional requirements of Applicable Laws are included in this BAA or otherwise addressed with Business Associate in writing, to ensure Customer is able to meet its obligations under Applicable Laws.

Recitals

WHEREAS, the Department of Health and Human Services (“HHS”) has promulgated regulations at 45 C.F.R. Parts 160-164, implementing the privacy and electronic security requirements set forth in the Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191 (“HIPAA”), as amended by the American Recovery and Reinvestment Act of 2009 (P.L. 111-5, ARRA) (“HITECH Act”);

WHEREAS, Business Associate acknowledges that certain provisions of HIPAA have been amended in ways that directly regulate Business Associate’s obligations and activities with respect to Protected Health Information (“PHI”);

WHEREAS, HIPAA provides, among other things, that Customer is permitted to disclose Protected Health Information (as defined below) to Business Associate and allow Business Associate to obtain and receive Protected Health Information, if Customer obtains satisfactory assurances in the form of a written contract that Business Associate will appropriately safeguard the Protected Health Information; and

WHEREAS, Business Associate will create, receive, maintain or transmit certain PHI pursuant to this BAA and the related order between the parties pursuant to which Business Associate will be providing services to Customer (“Agreement”), thus necessitating a written BAA that meets the applicable requirements of HIPAA, and with such other provisions as the parties may agree.

NOW THEREFORE, Customer and Business Associate agree as follows:

Definitions; Applicability.

(a) The following terms used in this BAA shall have the same meaning as those terms in the HIPAA Rules: Breach, Data Aggregation, Designated Record Set, Disclosure, Health Care Operations, Individual, Minimum Necessary, Notice of Privacy Practices, Protected Health Information, Required By Law, Secretary, Security Incident, Subcontractor, Unsecured Protected Health Information, and Use.

(b) This BAA shall apply only with respect to and to the extent that Business Associate creates, receives, maintains, or transmits PHI for or on behalf of Customer.

Obligations and Activities of Business Associate

(a) Business Associate agrees to not use or further disclose Protected Health Information other than as permitted or required by this BAA or as permitted or required by applicable law.
Business Associate may use Protected Health Information to report violations of law to appropriate federal and state authorities, consistent with 45 CFR Section 164.502(j)(1), so long as Business Associate provides written notice to Customer of such reporting as soon as it is permitted to do so under applicable laws, either in advance or after such reporting.

(b) Business Associate agrees to use appropriate safeguards to prevent use or disclosure of the Protected Health Information other than as provided for by this BAA.

(c) Business Associate shall implement administrative, physical and technical safeguards that appropriately protect the confidentiality, integrity and availability of Electronic Protected Health Information, including all safeguards required by the Security Rule and otherwise required by applicable laws. Business Associate acknowledges and agrees that the requirements of 45 CFR Sections 164.308, 164.310, 164.312, and 164.316 apply to Business Associate, in its role as a Business Associate, in the same manner that such sections apply to Customer. Business Associate shall follow reasonable system security principles consistent with industry standards and shall comply with the relevant requirements of the HITECH Act pertaining to the security of Protected Health Information.

(d) Business Associate agrees to report to Customer any Breach of Unsecured PHI of which it becomes aware in accordance with applicable laws. In the event of a Breach of Unsecured PHI by Business Associate or any of its officers, directors, employees, or subcontractors, Business Associate shall notify Customer in accordance with 45 C.F.R. 164.410 promptly after such Breach and no later than five (5) business days after becoming aware of such Breach or potential Breach of Unsecured PHI.

(e) Business Associate agrees to ensure that any subcontractors, agents and representatives that create, receive, maintain, or transmit Protected Health Information on behalf of Business Associate agree to and comply with substantially similar restrictions and conditions that apply through this BAA to Business Associate with respect to such information. Business Associate shall ensure that any person or entity to whom or which it provides Electronic PHI agrees to, and does implement, appropriate safeguards to protect such information. Business Associate is responsible for the actions and omissions of its subcontractors, agents, and representatives to the same extent as it is responsible for the actions and omissions of its employees.

(g) Business Associate agrees to provide access to Protected Health Information in a Designated Record Set, in the time and manner Required by Law, to Customer or, as directed by Customer, to an Individual, in order to meet the requirements under 45 C.F.R. 164.524. Business Associate may impose a reasonable cost-based fee for the provision of copies of PHI in a Designated Record Set in accordance with 45 C.F.R. 164.524(c)(4).

(h) Business Associate agrees to make any amendment(s) to Protected Health Information in a Designated Record Set pursuant to 45 C.F.R. 164.526 at the request of Customer or an Individual, and in the time and manner Required by Law.

(i) Business Associate agrees to make internal practices, books, and records relating to the use and disclosure of Protected Health Information received from, or created or received by Business Associate on behalf of Customer, available to the Secretary, for purposes of the Secretary determining Customer’s or Business Associate’s compliance with HIPAA, and to any other government agency with jurisdiction over Customer.

(j) Business Associate agrees to document such disclosures of Protected Health Information and information related to such disclosures as would be required for Customer to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 C.F.R. 164.528.

(k) Business Associate agrees to provide to Customer, upon request and in the time and manner Required by Law, an accounting of disclosures of an Individual’s Protected Health Information, collected in accordance with Section 2(i) of this BAA, to permit Customer to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 C.F.R. 164.528. If Customer requests an accounting of an Individual’s Protected Health Information more than once in any twelve (12) month period, Business Associate may impose a reasonable fee for such accounting in accordance with 45 C.F.R. 164.528(c).

(l) Business Associate agrees to comply, where applicable, with 45 CFR Part 164 to maintain the security of the Electronic Protected Health Information and to prevent unauthorized uses or disclosures of such Electronic Protected Health Information. Business Associate shall promptly, but in any event within five (5) business days, report to the Customer any Security Incident that results in the unauthorized use or disclosure of Protected Health Information of which it becomes aware; provided that this Section constitutes notice of, and Business Associate shall not be required to further report, an immaterial incident consisting solely of trivial incidents that occur on a daily basis, such as scans, “pings,” or an unsuccessful attempt to improperly access Electronic PHI that is stored in an information system under its control; provided that Business Associate shall maintain a log of such trivial incidents and make it available to Customer upon request.
In the event of a Breach of Unsecured Protected Health Information, Business Associate shall also meet the requirements in this BAA and applicable Law regarding such Breach.

(m) If Business Associate learns of any activity or practice of Customer that Business Associate reasonably believes or should reasonably believe constitutes a violation of Customer’s obligations under HIPAA or other applicable Laws, Business Associate shall promptly inform Customer in writing of such activity or practice.

Permitted Uses and Disclosures by Business Associate

(a) Business Associate may use or disclose Protected Health Information to perform its obligations and services to Customer under the Services BAA or this BAA, provided that such use or disclosure would not violate HIPAA if done by Customer, and so long as such use or disclosure does not violate applicable Law.

(b) Business Associate’s use, disclosure or request of PHI shall utilize a Limited Data Set if practicable. Otherwise, Business Associate will only use the minimum amount of PHI reasonably necessary to accomplish the intended and permitted purpose of the use, disclosure, or request.

(c) Business Associate may use Protected Health Information for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate or as otherwise permitted by HIPAA.

(d) Business Associate may disclose Protected Health Information for the proper management and administration of the Business Associate, provided that disclosures are Required or permitted by Law, or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will be held confidential and used or further disclosed only as Required by Law or for the purpose for which it was disclosed to the person, and the person notifies the Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached promptly, but in any event within five (5) business days.

(e) Business Associate may use Protected Health Information to provide data aggregation services to Customer. Business Associate may de-identify PHI in accordance with the standards set forth in 45 CFR Section 164.514(b).

Obligations of Customer.

4.1 Provisions for Customer to Inform Business Associate of Privacy Practices and Restrictions

(a) If applicable, Customer shall provide Business Associate with the notice of privacy practices that Customer produces in accordance with 45 C.F.R. § 164.520, as well as any changes to that notice.

(b) Customer shall provide Business Associate with any changes in, or revocation of, permission by an Individual to use or disclose Protected Health Information, if such changes affect Business Associate’s permitted or required uses and disclosures.

(c) Customer shall notify Business Associate, in writing, of any restriction to the use or disclosure of Protected Health Information that Customer has agreed to in accordance with 45 C.F.R. § 164.522.

(d) Customer shall provide to, or request from, the Business Associate only the minimum Protected Health Information necessary for Business Associate to perform or fulfill a specific function required or permitted hereunder.

4.2 Permissible Requests by Customer. Customer represents that it has the right and authority to disclose Protected Health Information to Business Associate for Business Associate to perform its obligations and provide services to Customer. Customer shall not request Business Associate to use or disclose Protected Health Information in any manner that would violate HIPAA, other applicable Laws or Customer’s privacy notice, if done by Customer.

Term and Termination

(a) Term. The provisions of this BAA shall take effect as of the earlier of (i) the Date, or (ii) the date Business Associate first receives Protected Health Information from or on behalf of Customer (such date, the “Effective Date”), and shall continue for the term of this BAA or the duration that Business Associate retains any Customer Protected Health Information.

(b) Termination for Cause. Upon Customer’s knowledge of a breach by Business Associate of this BAA, Customer may in its discretion (i) provide an opportunity for Business Associate to cure the breach or end the violation within the time specified by Customer, or (ii) immediately terminate this BAA.

(c) Effect of Termination.

(1) Except as provided in paragraph (2) of this section, upon termination of this BAA, for any reason, Business Associate shall return or destroy all Protected Health Information received from Customer, or created or received by Business Associate on behalf of Customer, including ensuring the return or destruction of Protected Health Information that is in the possession of subcontractors of Business Associate.

(2) In the event that returning or destroying the Protected Health Information is infeasible, Business Associate shall extend the protection of this BAA to such Protected Health Information and limit further uses or disclosures to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such Protected Health Information.

Miscellaneous

(a) Regulatory References. A reference in this BAA to a section in HIPAA means the section as in effect or as amended, and for which compliance is required.

(b) Amendment. Upon the effectiveness of any Law affecting the use or disclosure of Protected Health Information, the parties agree to negotiate in good faith to amend the BAA as necessary to comply with such Law.

(c) Survival. The obligations of Business Associate under this BAA shall survive the termination of this BAA.
DATA PROTECTION AGREEMENT

This Data Protection Agreement and any applicable appendices or attachments (collectively “DPA”) is between you, the client requesting the services of Veritas Intercontinental SL (“Controller”), and VERITAS INTERCONTINENTAL SL (the “Processor”). Controller is responsible for ensuring that any additional requirements of Applicable Privacy Laws are included in this DPA or otherwise addressed with Processor in writing, to ensure Controller is able to meet its data protection obligations under Applicable Privacy Laws. For any questions in relation to this Data Processing Agreement, please email dpo@veritasint.com

In accordance with the Spanish Agency for Data Protection’s (AEPD’s) ‘Guide for healthcare professionals’, Processor will be responsible for the processing of personal data of testing participants, derived from the clinical analyses that it carries out, and may be considered a Data Controller of certain health and genetic data it processes. This DPA applies where Veritas Intercontinental SL acts in its capacity as a Data Processor to Controller.

General.

In performance of the Services, the Processor will Process data (including Personal Data) of or at the direction of the Controller. This DPA applies to the Controller, its affiliates (collectively, the “Controller”) and references herein to the Controller apply with equal force and effect to the Controller’s affiliates as if such affiliate had executed this DPA.

Definitions.

“Applicable Privacy Laws” means any applicable data protection, privacy, or information security laws (including codes and regulations or other legally binding restrictions) governing Processing of the Personal Data and that are applicable to or required by (i) the Processing Location(s) identified in this DPA, (ii) the jurisdiction(s) in which the Processor or its Sub-processors are located or (iii) the jurisdiction(s) in which the Data Subjects are located.

“Controller” means the natural or legal person which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.

“Data Protection Authority” or “Data Protection Authorities” means the competent body (or bodies) in the relevant jurisdiction that is charged with enforcement of Applicable Privacy Laws.

“Data Subject” means the identified or identifiable natural person who is the subject of Personal Data/Personal Information and is protected under Applicable Privacy Laws.

“Order” means each mutually executed order form or statement of work for Services.

“Processor” means a natural or legal person which processes personal data on behalf of the Controller or another Processor.

“Personal Data/Personal Information” means information that identifies, relates to, describes, is reasonably capable of being associated or could reasonably be linked, directly or indirectly, with a natural person (“Data Subject”) or household. Personal Data includes, but is not limited to, identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers; biometric information and genetic data; internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an internet website or application.

“Processing”, “Processes” or “Process” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

“Processing Instructions” means the Controller’s written instructions (including but not limited to the terms contained in any Order, and this DPA) that govern the Processor’s Processing of Personal Data.

“Processing Location” means the location(s) in which the Controller or any Controller Affiliate to which this DPA applies is established, and any countries where the Processor or its Sub-processors Process Personal Data, including but not limited to the jurisdictions expressly authorized in this DPA.

“Security Incident” means the Personal Data has been subject to: (A) both (i) a compromise of the systems in which Controller Personal Data has been accessed or acquired by one or more unauthorized parties or by the Processor not in compliance with this DPA; and (ii) where the risk of harm to Data Subjects merits notification to Data Subjects. For the avoidance of doubt, “a compromise of the systems” includes, but is not limited to: misuse, loss, destruction, or unauthorized access, collection, retention, storage, or transfer.

“Services” means any and all services that the Processor performs or enables the Processor’s systems and technology to perform under this DPA and/or any Order.

“Sub-Processor” means a third party processor engaged by a Processor who has or will have access to or process personal data from a Controller.

Details of Personal Data Processing.

The details of the Personal Data Processing (subject matter, duration, purpose, nature of processing, categories of Personal Data and Data Subjects) are contained in Annex 1.

Compliance.

For purposes of this DPA, each Party represents and warrants that it shall comply, at all times during the term of this DPA and for as long as the Party retains the Personal Data, with all Applicable Privacy Laws. The Controller expressly warrants that it has or will obtain any legally required consents and/or notices to authorize and engage the Processor to Process Personal Data pursuant to Controller’s Processing Instructions. The Processor shall retain and Process the Personal Data no longer than is necessary to perform the Services or as long as it is required to retain and Process the Personal Data by Applicable Privacy Laws. The Processor agrees that it shall acquire no rights or interests in the Personal Data and will not use the Personal Data for any other purpose than for performance of the Services and only pursuant to Controller’s Processing Instructions. The Processor shall inform the Controller in a timely manner if, in its opinion, the Controller’s Processing Instruction(s) infringes or otherwise violates Applicable Privacy Laws and if the Processor becomes aware that the Personal Data it is processing is inaccurate or has become outdated.
At the Controller’s request, the Processor shall promptly cooperate with the Controller to permit the Controller to meet its obligations under Applicable Privacy Laws, including assisting the Controller with responding to requests by Data Subjects exercising their rights under Applicable Privacy Laws. The Processor will inform the Controller immediately if it has received such a request directly from the Data Subject. The Processor shall assist the Controller with compliance with the Controller’s obligation to carry out a Data Privacy Impact Assessment including, where applicable, prior consultation with the relevant Data Protection Authority.

International transfers.

Personal Data may be stored and Processed globally, including in the EEA, by the Processor and the Processor’s sub-processors. Where the Controller wishes to transfer Personal Data to a country other than the country in which the Personal Data was first collected, the Controller shall first take such measures as are necessary to ensure that the transfer is made in compliance with Applicable Privacy Laws and that ensure the Personal Data will be protected to the standard required by Applicable Privacy Laws, by ensuring that appropriate contractual arrangements are in place with the Processor.

Confidentiality of processing.

The Processor shall ensure that any person that it authorizes to process the Controller Personal Data knows that the Controller Personal Data is confidential information of the Controller and is subject to the confidentiality, non-use, and non-disclosure obligations in this DPA. The Processor shall ensure that it Processes the Controller Personal Data only as necessary for the Purpose.

Security, Retention & Disposal.

The Processor shall implement appropriate technical and organizational measures appropriate to the nature of the Controller Personal Data to protect the Controller Personal Data from a Security Incident and to preserve the security, integrity, and confidentiality of the Controller Personal Data. At a minimum, such measures shall include the measures identified at Annex 2 (the “Security Measures”). The Processor agrees to keep the Security Measures under review and update them where necessary so that they remain appropriate, provided that such updates and modifications do not result in the degradation of the overall security. The Processor shall limit access to its Personnel and Sub-processors on a need-to-know basis only. The Processor shall comply with all data retention and erasure (or destruction) requirements under this DPA.

Sub-processing.

The Processor shall not engage Sub-processors to Process the Controller Personal Data without the Controller’s prior written consent. Notwithstanding the preceding sentence, the Controller hereby provides its general written consent to the Processor for engaging Sub-processors to Process the Controller Personal Data provided that:

8.1. The Processor’s criteria for use of a Sub-processor shall require imposing data protection terms that ensure at least the same standard of protection provided under this DPA, and the Processor remains liable for any breach of this DPA caused by an act, error, or omission of its Sub-processors.

8.2. The Processor’s current Sub-processors are identified at Annex 3.

Notification and Audit.

If the Processor learns or has reason to believe that there has been a Security Incident relating to or affecting the Controller Personal Data, the Processor shall inform the Controller without undue delay. The Controller shall have the right, upon written request, to audit the Processor’s policies, procedures and practices used to maintain the privacy, security, and confidentiality of Personal Data.
Unless agreed to otherwise in writing by the Parties, such audit shall consist of written questionnaires and documentation in relation thereto. Except in the circumstances of a Security Incident, the Controller’s audits pursuant to this Section shall be limited to once per rolling twelve (12) month period.

Order of Precedence & Further Documents.

In the event of a conflict between the terms and conditions of this DPA and any Order, the terms and conditions of this DPA shall supersede any such conflicting terms. Where there is no conflict, this DPA is intended to supplement any Order(s) with respect to the subject matter hereof.

Miscellaneous.

This DPA will remain in effect until, and automatically expire when, the Processor deletes and/or procures deletion of all the Controller Personal Data Processed by the Processor. This DPA, its Annexes, and all Orders represent the entire understanding and agreement between the Parties that relate to the subject matter hereof, superseding any prior privacy and data protection terms. Except as specifically provided for in this DPA, this DPA may be amended, altered, waived, canceled or changed only by written mutual agreement signed by both Parties.

Annex 1

Categories of data subjects whose Personal Data is Processed:
Controller’s workforce members, and Controller’s patients (i.e. individual data subject testing participants).

Categories of Personal Data Processed:
Personal Data necessary to deliver the services under the Agreement, including Personal Data such as name, date of birth, gender/sex, contact details such as address, email address, phone number, and employment details if required to deliver the services.

Sensitive data Processed (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures:
Data Concerning Health (Special Category Data) and Genetic data. If required to deliver the services, race, ethnicity and information about sex life may also be Processed. Safeguards and restrictions to ensure the protection of this data are set out in this DPA and Annex 2.

Nature of the Processing:
Health and Genetic Testing. Processing is being conducted in order to facilitate the performance of the Services documented in the relevant Agreement.

Purpose(s) for which the Personal Data is Processed on behalf of the Controller:
Health and Genetic Testing. Processing is being conducted in order to facilitate the performance of the Services documented in the relevant Agreement.

Duration of the processing:
The Processing shall continue until the later of the relevant Agreement being terminated in accordance with its terms and any notice period or transition period prescribed by that Agreement having expired, and Processor no longer being subject to an applicable legal or regulatory requirement to continue to store the Personal Data. Processor will retain data where it has a legal basis to do so under applicable laws and regulations, including where it acts as a Data Controller. Processing shall be performed with the required frequency to test individual Data Subject Participants at the request of Controller or the individual Data Subject.

For processing by (sub-) processors, also specify subject matter, nature and duration of the processing:
As above, for the sole purpose of supporting Processor in delivery of services under this Agreement.

Annex 2

Technical and Organizational Security Measures, including technical and organisational measures to ensure the security of data

Veritas Intercontinental prioritizes the privacy and security of all information we process on behalf of our customers as a Data Processor, or that we process in our capacity as a Data Controller. We are committed to complying with all applicable privacy and security laws and regulations, including the EU General Data Protection Regulation (“GDPR”), the UK Data Protection Act of 2018, and other global privacy laws. This includes maintaining a group-wide privacy and security program that is aligned to the requirements of global privacy and security laws and industry standards, where they apply to us.

Technical and Organizational Measures are in place to protect the confidentiality, integrity and availability of Personal Data protected under this Agreement, including (without limitation) policies, procedures, and operational controls to ensure:

● Information Security Program Management
● Endpoint Protection
● Portable Media Security
● Mobile Device Security
● Wireless Security
● Configuration Management
● Vulnerability Management
● Network Protection
● Transmission Protection
● Password Management
● Access Management
● Audit Logging and Monitoring
● Education, Training & Awareness
● Third Party Assurance (including ensuring adequate privacy and security of sub-processors)
● Incident Management and Response, including meeting any breach notification reporting obligations
● Business Continuity and Disaster Recovery
● Risk Management
● Physical and Environmental Security

Topic areas that our privacy program addresses include (without limitation):

● Workforce Privacy Training and Workshops
● Privacy by Design and Default
● Maintaining a Record of Data Processing Activities
● Privacy Notice and Consent Management
● Performing Data Privacy Impact Assessments
● Third Party Risk and Contract Management
● Cross-border Data Transfers Review and Security
● Data Subject Rights Requests Program Management
● Incident Management and Response Programs
● Breach Notification Procedures

Annex 3

Potential Sub-processors

Name                Description of Processing
AWS                 Cloud Data Storage
Microsoft Azure     Cloud Data Storage
Fulgent Genetics    Carrier genetic testing

This DPA and BAA have been pre-signed on behalf of Veritas Intercontinental SL.

The Processor: VERITAS INTERCONTINENTAL SL
BY:
NAME: Thomas Bently
TITLE: VP Data Compliance and Privacy, DPO
DATE: (Date when Controller electronically agrees to DPA and BAA)