DATA PROTECTION AGREEMENT Data Protection Agreement This Data Protection Agreement and any applicable appendices or attachments (collectively “DPA”) is between you, the ordering healthcare provider (“Controller”) associated with the Jeffrey Model Foundation, and VERITAS INTERCONTINENTAL SL (the Processor). Controller is responsible for ensuring that any additional requirements of Applicable Privacy Laws are included in this DPA or otherwise addressed with Processor in writing, to ensure Controller is able to meet their data protection obligations under Applicable Privacy Laws. For any questions in relation to this Data Processing Agreement, please email dpo@veritasint.com. HOW TO EXECUTE THIS DPA: 1. This DPA consists of two parts: the main body of the DPA and Annexes 1, 2 and 3. 2. This DPA has been pre-signed on behalf of Veritas Intercontinental SL. 3. To complete this DPA, the Controller must click on the ‘I agree’ button at the bottom of this document. This DPA will become legally binding upon the Controller selecting ‘I agree’ on the bottom of this document and for the avoidance of doubt, shall be deemed to constitute signature and acceptance of Annexes 1, 2 and 3. In accordance with the Spanish Agency for Data Protection’s (AEDP’s) ‘Guide for healthcare professionals’, Processor will be responsible for the processing of personal data of testing participants, derived from the clinical analyses that it carries out, and may be considered a Data Controller of certain health and genetic data it processes. This DPA applies where Veritas Intercontinental SL acts in its capacity as a Data Processor to Controller. 1. General. In performance of the Services, the Processor will Process data (including Personal Data) of or at the direction of the Controller. This DPA applies to the Controller, its affiliates (collectively, the “Controller”) and references herein to the Controller apply with equal force and effect to the Controller’s affiliates as if such affiliate had executed this DPA. 2. Definitions. “Applicable Privacy Laws” means any applicable data protection, privacy, or information security laws (including codes and regulations or other legally binding restrictions) governing Processing of the Personal Data and that are applicable to or required by (i) the Processing Location(s) identified in this DPA, (ii) the jurisdiction(s) in which the Processor or its Sub-processors are located or (iii) the jurisdiction(s) in which the Data Subjects are located. “Controller” means the natural or legal person which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data. “Data Protection Authority” or “Data Protection Authorities” means the competent body (or bodies) in the relevant jurisdiction that is charged with enforcement of Applicable Privacy Laws. “Data Subject” means the identified or identifiable natural person who is the subject of Personal Data/Personal Information and is protected under Applicable Privacy Laws. “Data Subject” means the identified or identifiable natural person who is the subject of Personal Data/Personal Information. “Order” means each mutually executed order form or statement of work for Services. “Processor” means a natural or legal person, which processes personal data on behalf of the Controller or another Processor. “Personal Data/Personal Information” means information that identifies, relates to, describes, is reasonably capable of being associated or could reasonably be linked, directly or indirectly, with a natural person (“Data Subject”) or household. Personal Data includes, but is not limited to, identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers; biometric information and genetic data; internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an internet website application. “Processing “Processes” or “Process” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means such as collection, recording, organization, structuring, storage, adaption or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. “Processing Instructions” means Controllers written instructions (including but not limited to the terms contained in any Order, and this DPA) that govern the Processor’s Processing of Personal Data. “Processing Location” means the location(s) in which the Controller or any Controller Affiliate to which this DPA applies, is established, and any countries where the Processor or its Sub-processors Process Personal Data, including but not limited to the jurisdictions expressly authorized in this DPA. “Security Incident” means the Personal Data has been subject to: (A) both (i) a compromise of the systems in which Controller Personal Data has been accessed or acquired by one or more unauthorized parties or by the Processor not in compliance with this DPA; and (ii) where the risk of harm to Data Subjects merits notification to Data Subjects. For the avoidance of doubt, “a compromise of the systems” includes, but is not limited to: misuse, loss, destruction, or unauthorized access, collection, retention, storage, or transfer. “Services” means any and all services that the Processor performs or enables the Processor’s systems and technology to perform under this DPA and/or any Order. “Sub-Processor” means a third party processor engaged by a Processor who has or will have access to or process personal data from a Controller 3. Details of Personal Data Processing. The details of the Personal Data Processing (subject matter, duration, purpose, nature of processing, categories of Personal Data and Data Subjects) are contained in Annex 1. 4. Compliance. For purposes of this DPA, each Party represents and warrants that it shall comply, at all times during the term of this DPA and for as long as the Party retains the Personal Data, with all Applicable Privacy Laws. The Controller expressly warrants that it has or will obtain any legally required consents and/or notices to authorize and engage the Processor to Process Personal Data pursuant to Controller’s Processing Instructions. The Processor shall retain and Process the Personal Data no longer than is necessary to perform the Services or as long as it is required to retain and Process the Personal Data by Applicable Privacy Laws. The Processor agrees that it shall acquire no rights or interests in the Personal Data and will not use the Personal Data for any other purpose than for performance of the Services and only pursuant to Controller’s Processing instructions. The Processor shall inform the Controller in a timely manner if, in its opinion, the Controller’s Processing Instruction(s) infringes or otherwise violates Applicable Privacy Laws and if the Processor becomes aware that the Personal Data it is processing is inaccurate or has become outdated. At the Controller’s request, the Processor shall promptly cooperate with the Controller to permit the Controller to meet its obligations under Applicable Privacy Laws, including assisting the Controller with responding to requests by Data Subjects, exercising their rights under Applicable Privacy Laws. The Processor will inform the Controller immediately if it has received such a request directly from the Data Subject. The Processor shall assist the Controller with compliance with the Controller’s obligation to carry out a Data Privacy Impact Assessment including, where applicable, prior consultation with the relevant Data Protection Authority. 5. International transfers. Personal Data may be stored and Processed globally including in the EEA, by the Processor and the Processor’s sub-processors. Where the Controller wishes to transfer Personal Data to a country other than the country in which the Personal Data was first collected, the Controller shall first take such measures as are necessary to ensure that the transfer is made in compliance with Applicable Privacy Laws and that ensures the Personal Data will be protected to the standard required by Applicable Privacy Laws, by ensuring that appropriate contractual arrangements are in place with the Processor. 6. Confidentiality of processing. The Processor shall ensure that any person that it authorizes to process the Controller Personal Data knows that the Controller Personal Data is confidential information of the Controller and is subject to the confidentiality, non use, and non-disclosure obligations in this DPA. The Processor shall ensure that Process the Controller Personal Data only as necessary for the Purpose. 7. Security, Retention & Disposal. The Processor shall implement appropriate technical and organizational measures appropriate to the nature of the Controller Personal Data to protect the Controller Personal Data from a Security Incident and to preserve the security, integrity, and confidentiality of the Controller Personal Data. At a minimum, such measures shall include the measures identified at Annex 2 (the “Security Measures”). The Processor agrees to keep the Security Measures under review and update them where necessary so that they remain appropriate, provided that such updates and modifications do not result in the degradation of the overall security. The Processor shall limit access to its Personnel and Sub-processors on a need-to-know basis only. The Processor shall comply with all data retention and erasure (or destruction) requirements under this DPA. 8. Sub-processing. The Processor shall not engage Sub-processors to Process the Controller Personal Data without the Controller’s prior written consent. Notwithstanding the preceding sentence, the Controller hereby provides its general written consent to the Processor for engaging Sub-processors to Process the Controller Personal Data provided that: 8.1. The Processor’s criteria for use of a Sub-processor shall require imposing data protection terms that ensure at least the same standard of protection provided under this DPA and the Processor remains liable for any breach of this DPA caused by an act, error, or omission of its Sub-processors. 8.2. The Processor’s current Sub-processors are identified at Annex 3. 9. Notification and Audit. If the Processor learns or has reason to believe that there has been a Security Incident relating to or affecting the Controller Personal Data, the Processor shall inform the Controller without undue delay. The Controller shall have the right, upon written request, to audit the Processor’s policies, procedures and practices used to maintain the privacy, security, and confidentiality of Personal Data. Unless agreed to otherwise in writing by the Parties, such audit shall consist of written questionnaires and documentation in relation thereto. Except in the circumstances of a Security Incident, the Controller’s audits pursuant to this Section shall be limited to once per rolling twelve (12) month period. 10. Order of Precedence & Further Documents. In the event of a conflict between the terms and conditions of this DPA and any Order, the terms and conditions of this DPA shall supersede any such conflicting terms. Where there is no conflict, this DPA is intended to supplement any Order(s) with respect to the subject matter hereof. 11. Miscellaneous. This DPA will remain in effect until, and automatically expire when the Processor deletes and/or procures deletion of all the Controller Personal Data Processed by the Processor. This DPA, its Annexes, and all Orders represent the entire understanding and agreement between the Parties that relate to the subject matter hereof, superseding any prior privacy and data protection terms. Except as specifically provided for in this DPA, this DPA may be amended, altered, waived, canceled or changed only by written mutual agreement signed by both Parties. Annex 1 Categories of data subjects whose Personal Data is ProcessedController’s workforce members, and Controller’s patients (i.e. individual data subject testing participants)Categories of Personal Data ProcessedPersonal Data necessary to deliver the services under the Agreement, including Personal Data such as name, date of birth, gender/sex, contact details such as address, email address, phone number, employment details if required to deliver the services.Sensitive data Processed (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measuresData Concerning Health (Special Category Data) and Genetic data. If required to deliver the services, race, ethnicity and information about sex life may also be Processed.Safeguards and restrictions to ensure the protection of this data are set out in this DPA and Annex 2Nature of the ProcessingHealth and Genetic Testing. Processing is being conducted in order to facilitate the performance of the Services documented in the relevant Agreement.Purpose(s) for which the Personal Data is Processed on behalf of the ControllerHealth and Genetic Testing. Processing is being conducted in order to facilitate the performance of the Services documented in the relevant Agreement.Duration of the processingThe Processing shall continue until the later of the relevant Agreement being terminated in accordance with its terms and any notice period or transition period prescribed by that Agreement having expired and Processor no longer being subject to an applicable legal or regulatory requirement to continue to store the Personal Data.Processor will retain data where it has legal basis to do so under applicable laws and regulations, including where it acts as a Data Controller.Processing shall be performed with the required frequency to test individual Data Subject Participants at request of Controller or individual Data Subject.For processing by (sub-) processors, also specify subject matter, nature and duration of the processingAs above, for the sole purpose of supporting Processor in delivery of services under this Agreement Annex 2 Technical and Organizational Security Measures including technical and organisational measures to ensure the security of data Veritas Intercontinental prioritizes the privacy and security of all information we process on behalf of our customers as a Data Processor, or that we process in our capacity as a Data Controller. We are committed to complying with all applicable privacy and security laws and regulations, including the EU General Data Protection Regulation (“GDPR”), the UK Data Protection Act of 2018, and other global privacy laws. This includes maintaining a group-wide privacy and security program that is aligned to the requirements of global privacy and security laws and industry standards, where they apply to us. Technical and Organizational Measures are in place to protect the confidentiality, integrity and availability of Personal Data protected under this Agreement, including (without limitation) policies, procedures, and operational controls to ensure: Information Security Program ManagementEndpoint ProtectionPortable Media SecurityMobile Device SecurityWireless SecurityConfiguration ManagementVulnerability ManagementNetwork ProtectionTransmission ProtectionPassword ManagementAccess ManagementAudit Logging and MonitoringEducation, Training & AwarenessThird Party Assurance (including ensure adequate privacy and security of sub-processors)Incident Management and Response, including meeting any breach notification reporting obligationsBusiness Continuity and Disaster RecoveryRisk ManagementPhysical and Environmental Security Topic areas that our privacy program addresses include (without limitation): Workforce Privacy Training and WorkshopsPrivacy by Design and DefaultMaintaining a Record of Data Processing ActivitiesPrivacy Notice and Consent ManagementPerforming Data Privacy Impact AssessmentsThird Party Risk and Contract Management Cross-border Data Transfers Review and SecurityData Subject Rights Requests Program ManagementIncident Management and Response ProgramsBreach Notification Procedures Annex 3 Potential Sub-processors NameDescription of ProcessingAWSCloud Data StorageMicrosoft AzureCloud Data StorageFulgent GeneticsCarrier genetic testing Action for Controller: Please click on the below ‘I agree’ button to confirm you have read and agree to this Data Protection Agreement. The Controller: THE ORDERING HEALTHCARE PROVIDER ASSOCIATED WITH THE JEFFREY MODEL FOUNDATIONThe Processor: VERITAS INTERCONTINENTAL SL BY: NAME: Thomas BentlyTITLE: VP Data Compliance and Privacy, DPODATE: (As per date when Controller electronically agrees to DPA) DATE: (As per date when Controller electronically agrees to DPA) BAA/DPA Health Insurance Portability and Accountability Act (HIPAA) Business Associate Agreement This Business Associate Agreement (the “BAA”) is made and entered into between you, the ordering healthcare provider associated with the Jeffrey Model Foundation, (hereinafter “Customer”), and VERITAS INTERCONTINENTAL SL (hereinafter “Business Associate”). Customer is responsible for ensuring that any additional requirements of Applicable Laws are included in this BAA or otherwise addressed with Business Associate in writing, to ensure Customer is able to meet their obligations under Applicable Laws. For any questions in relation to this Business Associate Agreement, please email dpo@veritasint.com. HOW TO EXECUTE THIS BAA: 1. This BAA has been pre-signed on behalf of Veritas Intercontinental SL. 2. To complete this BAA, the Customer must click on the ‘I agree’ button at the bottom of this document. This BAA will become legally binding upon the Customer selecting ‘I agree’ at the bottom of this document. Recitals WHEREAS, the Department of Health and Human Services (“HHS”) has promulgated regulations at 45 C.F.R. Parts 160-164, implementing the privacy and electronic security requirements set forth in the Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191 (“HIPAA”), as amended by American Recovery and Reinvestment Act of 2009 (P.L. 111-5, ARRA) (“HITECH Act”); WHEREAS, Business Associate acknowledges that certain provisions of HIPAA have been amended in ways that directly regulate Business Associate’s obligations and activities with respect to Protected Health Information (“PHI”); WHEREAS, HIPAA provides, among other things, that Customer is permitted to disclose Protected Health Information (as defined below) to Business Associate and allow Business Associate to obtain and receive Protected Health Information, if Customer obtains satisfactory assurances in the form of a written contract that Business Associate will appropriately safeguard the Protected Health Information; and WHEREAS, Business Associate will create, receive, maintain or transmit certain PHI pursuant to this BAA and related order between the parties pursuant to which Business Associate will be providing services to Customer (“Agreement”), thus necessitating a written BAA that meets the applicable requirements of HIPAA, and with such other provisions as the parties may agree. NOW THEREFORE, Customer and Business Associate agree as follows: 1. Definitions; Applicability. (a) The following terms used in this BAA shall have the same meaning as those terms in the HIPAA Rules: Breach, Data Aggregation, Designated Record Set, Disclosure, Health Care Operations, Individual, Minimum Necessary, Notice of Privacy Practices, Protected Health Information, Required By Law, Secretary, Security Incident, Subcontractor, Unsecured Protected Health Information, and Use. (b) This BAA shall apply only with respect to and to the extent that Business Associate creates, receives, maintains, or transmits PHI for or on behalf of Customer. 2. Obligations and Activities of Business Associate (a) Business Associate agrees to not use or further disclose Protected Health Information other than as permitted or required by this BAA or as permitted or required by applicable law. Business Associate may use Protected Health Information to report violations of law to appropriate federal and state authorities, consistent with 45 CFR Section 164.502(j)(1), so long as Business Associate provides written notice to Customer of such reporting as soon as it is permitted to do so under applicable laws, either in advance or after such reporting. (b) Business Associate agrees to use appropriate safeguards to prevent use or disclosure of the Protected Health Information other than as provided for by this BAA. (c) Business Associate shall implement administrative, physical and technical safeguards that appropriately protect the confidentiality, integrity and availability of Electronic Protected Health Information, including all safeguards required by the Security Rule and otherwise required by applicable laws. Business Associate acknowledges and agrees that the requirements of 45 CFR Sections 164.308, 164.310, 164.312, and 164.316 apply to Business Associate, in its role as a Business Associate, in the same manner that such sections apply to Customer. Business Associate shall follow reasonable system security principles consistent with industry standards and shall comply with the relevant requirements of the HITECH Act pertaining to the security of Protected Health Information. (d) Business Associate agrees to report to Customer any Breach of Unsecured PHI of which it becomes aware in accordance with applicable laws. In event of a Breach of Unsecured PHI by Business Associate or any of its officers, directors, employees, or subcontractors, Business Associate shall notify Customer in accordance with 45 C.F.R. 164.410 promptly after such Breach and no later than five (5) business days after becoming aware of such breach or potential Breach of Unsecured PHI. (e) Business Associate agrees to ensure that any subcontractors, agents and representatives that create, receive, maintain, or transmit Protected Health Information on behalf of Business Associate agree to and complies with substantially similar restrictions and conditions that apply through this BAA to Business Associate with respect to such information. Business Associate shall ensure that any person or entity to whom or which it provides Electronic PHI, agrees to, and does implement appropriate safeguards to protect such information. Business Associate is responsible for the actions and omissions of its subcontractors, agents, and representatives to the same extent as it is responsible for the actions and omissions of its employees. (g) Business Associate agrees to provide access to Protected Health Information in a Designated Record Set, in the time and manner Required by Law, to Customer or, as directed by Customer, to an Individual, in order to meet the requirements under 45 C.F.R. 164.524. Business Associate may impose a reasonable cost-based fee for the provision of copies of PHI in a Designated Record Set in accordance with 45 C.F.R. 164.524(c)(4). (h) Business Associate agrees to make any amendment(s) to Protected Health Information in a Designated Record Set pursuant to 45 C.F.R. 164.526 at the request of Customer or an Individual, and in the time and manner Required by Law. (i) Business Associate agrees to make internal practices, books, and records relating to the use and disclosure of Protected Health Information received from, or created or received by Business Associate, on behalf of Customer, available to the Secretary, for purposes of the Secretary determining Customer’s or Business Associate’s compliance with HIPAA, and to any other government agency with jurisdiction over Customer. (j) Business Associate agrees to document such disclosures of Protected Health Information and information related to such disclosures as would be required for Customer to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 C.F.R. 164.528. (k) Business Associate agrees to provide to Customer, upon request and in the time and manner Required by Law, an accounting of disclosures of an Individual’s Protected Health Information, collected in accordance with Section 2(i) of this BAA, to permit Customer to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 C.F.R. 164.528. If Customer requests an accounting of an Individual’s Protected Health Information more than once in any twelve (12) month period, Business Associate may impose a reasonable fee for such accounting in accordance with 45 C.F.R. 164.528(c). (l) Business Associate agrees to comply, where applicable, with 45 CFR Part 164 to maintain the security of the Electronic Protected Health Information and to prevent unauthorized uses or disclosures of such Electronic Protected Health Information. Business Associate shall promptly but in any event within five (5) business days report to the Customer any Security Incident that results in the unauthorized use or disclosure of Protected Health Information of which it becomes aware; provided that this Section is notice of, Business Associate shall not be required to further report, an immaterial incident consisting solely of trivial incidents that occur on a daily basis, such as scans, “pings,” or an unsuccessful attempt to improperly access Electronic PHI that is stored in an information system under its control; provided that Business Associate shall maintain a log of such trivial incidents and make it available to Customer upon request. In the event of a Breach of Unsecured Protected Health Information, Business Associate shall also meet the requirements in this BAA and applicable Law regarding such Breach. (m) If Business Associate learns of any activity or practice of Customer that Business Associate reasonably believes or should reasonably believe constitutes a violation of Customer’s obligations under HIPAA or other applicable Laws, Business Associate shall promptly inform Customer in writing of such activity or practice. 3. Permitted Uses and Disclosures by Business Associate (a) Business Associate may use or disclose Protected Health Information to perform its obligations and services to Customer under the Services BAA or this BAA, provided that such use or disclosure would not violate HIPAA if done by Customer, and so long as such use or disclosure does not violate applicable Law. (b) Business Associate’s use, disclosure or request of PHI shall utilize a Limited Data Set if practicable. Otherwise, Business Associate will only use the minimum amount of PHI reasonably necessary to accomplish the intended and permitted purpose of the use, disclosure, or request. (c) Business Associate may use Protected Health Information for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate or as otherwise permitted by HIPAA. (d) Business Associate may disclose Protected Health Information for the proper management and administration of the Business Associate, provided that disclosures are Required or permitted by Law, or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will be held confidential and used or further disclosed only as Required by Law or for the purpose for which it was disclosed to the person, and the person notifies the Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached promptly, but in any event within five (5) business days. (e) Business Associate may use Protected Health Information to provide data aggregation services to Customer. Business Associate may de-identify PHI in accordance with the standards set forth in 45 CFR Section 164.514(b). 4. Obligations of Customer. 4.1 Provisions for Customer to Inform Business Associate of Privacy Practices and Restrictions (a) If applicable, Customer shall provide Business Associate with the notice of privacy practices that Customer produces in accordance with 45 C.F.R. § 164.520, as well as any changes to that notice. (b) Customer shall provide Business Associate with any changes in, or revocation of, permission by an Individual to use or disclose Protected Health Information, if such changes affect Business Associate’s permitted or required uses and disclosures. (c) Customer shall notify Business Associate, in writing, of any restriction to the use or disclosure of Protected Health Information that Customer has agreed to in accordance with 45 C.F.R. § 164.522. (d) Customer shall provide to, or request from, the Business Associate only the minimum Protected Health Information necessary for Business Associate to perform or fulfill a specific function required or permitted hereunder. 4.2 Permissible Requests by Customer. Customer represents that it has the right and authority to disclose Protected Health Information to Business Associate for Business Associate to perform its obligations and provide services to Customer. Customer shall not request Business Associate to use or disclose Protected Health Information in any manner that would violate HIPAA, other applicable Laws or Customer’s privacy notice, if done by Customer. Term and Termination (a) Term. The provisions of this BAA shall take effect as of the earlier of (i) the Date, or (ii) the date Business Associate first receives Protected Health Information from or on behalf of Customer (such date, the “Effective Date”), and shall continue for the term of this BAA or the duration that Business Associate retains any Customer Protected Health Information.. (b) Termination for Cause. Upon Customer’s knowledge of a breach by Business Associate of this BAA, Customer may in its discretion (i) provide an opportunity for Business Associate to cure the breach or end the violation within the time specified by Customer, or (ii) immediately terminate this BAA. (c) Effect of Termination. (1) Except as provided in paragraph (2) of this section, upon termination of this BAA, for any reason, Business Associate shall return or destroy all Protected Health Information received from Customer, or created or received by Business Associate on behalf of Customer, including ensuring the return or destruction of Protected Health Information that is in the possession of subcontractors of Business Associate. (2) In the event that returning or destroying the Protected Health Information is infeasible, Business Associate shall extend the protection of this BAA to such Protected Health Information and limit further uses or disclosures to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such Protected Health Information. 6. Miscellaneous (a) Regulatory References. A reference in this BAA to a section in HIPAA means the section as in effect or as amended, and for which compliance is required. (b) Amendment. Upon the effectiveness of any Law affecting the use or disclosure of Protected Health Information, the parties agree to negotiate in good faith to amend the BAA as necessary to comply with such Law. (c) Survival. The obligations of Business Associate under this BAA shall survive the termination of this BAA. DATA PROTECTION AGREEMENT This Data Protection Agreement and any applicable appendices or attachments (collectively “DPA”) is between you, the ordering healthcare provider (“Controller”) associated with the Jeffrey Model Foundation, and VERITAS INTERCONTINENTAL SL (the Processor). Controller is responsible for ensuring that any additional requirements of Applicable Privacy Laws are included in this DPA or otherwise addressed with Processor in writing, to ensure Controller is able to meet their data protection obligations under Applicable Privacy Laws. For any questions in relation to this Data Processing Agreement, please email dpo@veritasint.com. HOW TO EXECUTE THIS DPA: 1. This DPA consists of two parts: the main body of the DPA and Annexes 1, 2 and 3. 2. This DPA has been pre-signed on behalf of Veritas Intercontinental SL. 3. To complete this DPA, the Controller must click on the ‘I agree’ button at the bottom of this document. This DPA will become legally binding upon the Controller selecting ‘I agree’ on the bottom of this document and for the avoidance of doubt, shall be deemed to constitute signature and acceptance of Annexes 1, 2 and 3. In accordance with the Spanish Agency for Data Protection’s (AEDP’s) ‘Guide for healthcare professionals’, Processor will be responsible for the processing of personal data of testing participants, derived from the clinical analyses that it carries out, and may be considered a Data Controller of certain health and genetic data it processes. This DPA applies where Veritas Intercontinental SL acts in its capacity as a Data Processor to Controller. 1. General. In performance of the Services, the Processor will Process data (including Personal Data) of or at the direction of the Controller. This DPA applies to the Controller, its affiliates (collectively, the “Controller”) and references herein to the Controller apply with equal force and effect to the Controller’s affiliates as if such affiliate had executed this DPA. 2. Definitions. “Applicable Privacy Laws” means any applicable data protection, privacy, or information security laws (including codes and regulations or other legally binding restrictions) governing Processing of the Personal Data and that are applicable to or required by (i) the Processing Location(s) identified in this DPA, (ii) the jurisdiction(s) in which the Processor or its Sub-processors are located or (iii) the jurisdiction(s) in which the Data Subjects are located. “Controller” means the natural or legal person which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data. “Data Protection Authority” or “Data Protection Authorities” means the competent body (or bodies) in the relevant jurisdiction that is charged with enforcement of Applicable Privacy Laws. “Data Subject” means the identified or identifiable natural person who is the subject of Personal Data/Personal Information and is protected under Applicable Privacy Laws. “Data Subject” means the identified or identifiable natural person who is the subject of Personal Data/Personal Information. “Order” means each mutually executed order form or statement of work for Services. “Processor” means a natural or legal person, which processes personal data on behalf of the Controller or another Processor. “Personal Data/Personal Information” means information that identifies, relates to, describes, is reasonably capable of being associated or could reasonably be linked, directly or indirectly, with a natural person (“Data Subject”) or household. Personal Data includes, but is not limited to, identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers; biometric information and genetic data; internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an internet website application. “Processing “Processes” or “Process” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means such as collection, recording, organization, structuring, storage, adaption or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. “Processing Instructions” means Controllers written instructions (including but not limited to the terms contained in any Order, and this DPA) that govern the Processor’s Processing of Personal Data. “Processing Location” means the location(s) in which the Controller or any Controller Affiliate to which this DPA applies, is established, and any countries where the Processor or its Sub-processors Process Personal Data, including but not limited to the jurisdictions expressly authorized in this DPA. “Security Incident” means the Personal Data has been subject to: (A) both (i) a compromise of the systems in which Controller Personal Data has been accessed or acquired by one or more unauthorized parties or by the Processor not in compliance with this DPA; and (ii) where the risk of harm to Data Subjects merits notification to Data Subjects. For the avoidance of doubt, “a compromise of the systems” includes, but is not limited to: misuse, loss, destruction, or unauthorized access, collection, retention, storage, or transfer. “Services” means any and all services that the Processor performs or enables the Processor’s systems and technology to perform under this DPA and/or any Order. “Sub-Processor” means a third party processor engaged by a Processor who has or will have access to or process personal data from a Controller 3. Details of Personal Data Processing. The details of the Personal Data Processing (subject matter, duration, purpose, nature of processing, categories of Personal Data and Data Subjects) are contained in Annex 1. 4. Compliance. For purposes of this DPA, each Party represents and warrants that it shall comply, at all times during the term of this DPA and for as long as the Party retains the Personal Data, with all Applicable Privacy Laws. The Controller expressly warrants that it has or will obtain any legally required consents and/or notices to authorize and engage the Processor to Process Personal Data pursuant to Controller’s Processing Instructions. The Processor shall retain and Process the Personal Data no longer than is necessary to perform the Services or as long as it is required to retain and Process the Personal Data by Applicable Privacy Laws. The Processor agrees that it shall acquire no rights or interests in the Personal Data and will not use the Personal Data for any other purpose than for performance of the Services and only pursuant to Controller’s Processing instructions. The Processor shall inform the Controller in a timely manner if, in its opinion, the Controller’s Processing Instruction(s) infringes or otherwise violates Applicable Privacy Laws and if the Processor becomes aware that the Personal Data it is processing is inaccurate or has become outdated. At the Controller’s request, the Processor shall promptly cooperate with the Controller to permit the Controller to meet its obligations under Applicable Privacy Laws, including assisting the Controller with responding to requests by Data Subjects, exercising their rights under Applicable Privacy Laws. The Processor will inform the Controller immediately if it has received such a request directly from the Data Subject. The Processor shall assist the Controller with compliance with the Controller’s obligation to carry out a Data Privacy Impact Assessment including, where applicable, prior consultation with the relevant Data Protection Authority. 5. International transfers. Personal Data may be stored and Processed globally including in the EEA, by the Processor and the Processor’s sub-processors. Where the Controller wishes to transfer Personal Data to a country other than the country in which the Personal Data was first collected, the Controller shall first take such measures as are necessary to ensure that the transfer is made in compliance with Applicable Privacy Laws and that ensures the Personal Data will be protected to the standard required by Applicable Privacy Laws, by ensuring that appropriate contractual arrangements are in place with the Processor. 6. Confidentiality of processing. The Processor shall ensure that any person that it authorizes to process the Controller Personal Data knows that the Controller Personal Data is confidential information of the Controller and is subject to the confidentiality, non use, and non-disclosure obligations in this DPA. The Processor shall ensure that Process the Controller Personal Data only as necessary for the Purpose. 7. Security, Retention & Disposal. The Processor shall implement appropriate technical and organizational measures appropriate to the nature of the Controller Personal Data to protect the Controller Personal Data from a Security Incident and to preserve the security, integrity, and confidentiality of the Controller Personal Data. At a minimum, such measures shall include the measures identified at Annex 2 (the “Security Measures”). The Processor agrees to keep the Security Measures under review and update them where necessary so that they remain appropriate, provided that such updates and modifications do not result in the degradation of the overall security. The Processor shall limit access to its Personnel and Sub-processors on a need-to-know basis only. The Processor shall comply with all data retention and erasure (or destruction) requirements under this DPA. 8. Sub-processing. The Processor shall not engage Sub-processors to Process the Controller Personal Data without the Controller’s prior written consent. Notwithstanding the preceding sentence, the Controller hereby provides its general written consent to the Processor for engaging Sub-processors to Process the Controller Personal Data provided that: 8.1. The Processor’s criteria for use of a Sub-processor shall require imposing data protection terms that ensure at least the same standard of protection provided under this DPA and the Processor remains liable for any breach of this DPA caused by an act, error, or omission of its Sub-processors. 8.2. The Processor’s current Sub-processors are identified at Annex 3. 9. Notification and Audit. If the Processor learns or has reason to believe that there has been a Security Incident relating to or affecting the Controller Personal Data, the Processor shall inform the Controller without undue delay. The Controller shall have the right, upon written request, to audit the Processor’s policies, procedures and practices used to maintain the privacy, security, and confidentiality of Personal Data. Unless agreed to otherwise in writing by the Parties, such audit shall consist of written questionnaires and documentation in relation thereto. Except in the circumstances of a Security Incident, the Controller’s audits pursuant to this Section shall be limited to once per rolling twelve (12) month period. 10. Order of Precedence & Further Documents. In the event of a conflict between the terms and conditions of this DPA and any Order, the terms and conditions of this DPA shall supersede any such conflicting terms. Where there is no conflict, this DPA is intended to supplement any Order(s) with respect to the subject matter hereof. 11. Miscellaneous. This DPA will remain in effect until, and automatically expire when the Processor deletes and/or procures deletion of all the Controller Personal Data Processed by the Processor. This DPA, its Annexes, and all Orders represent the entire understanding and agreement between the Parties that relate to the subject matter hereof, superseding any prior privacy and data protection terms. Except as specifically provided for in this DPA, this DPA may be amended, altered, waived, canceled or changed only by written mutual agreement signed by both Parties. Annex 1 Categories of data subjects whose Personal Data is ProcessedController’s workforce members, and Controller’s patients (i.e. individual data subject testing participants)Categories of Personal Data ProcessedPersonal Data necessary to deliver the services under the Agreement, including Personal Data such as name, date of birth, gender/sex, contact details such as address, email address, phone number, employment details if required to deliver the services.Sensitive data Processed (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measuresData Concerning Health (Special Category Data) and Genetic data. If required to deliver the services, race, ethnicity and information about sex life may also be Processed.Safeguards and restrictions to ensure the protection of this data are set out in this DPA and Annex 2Nature of the ProcessingHealth and Genetic Testing. Processing is being conducted in order to facilitate the performance of the Services documented in the relevant Agreement.Purpose(s) for which the Personal Data is Processed on behalf of the ControllerHealth and Genetic Testing. Processing is being conducted in order to facilitate the performance of the Services documented in the relevant Agreement.Duration of the processingThe Processing shall continue until the later of the relevant Agreement being terminated in accordance with its terms and any notice period or transition period prescribed by that Agreement having expired and Processor no longer being subject to an applicable legal or regulatory requirement to continue to store the Personal Data.Processor will retain data where it has legal basis to do so under applicable laws and regulations, including where it acts as a Data Controller.Processing shall be performed with the required frequency to test individual Data Subject Participants at request of Controller or individual Data Subject.For processing by (sub-) processors, also specify subject matter, nature and duration of the processingAs above, for the sole purpose of supporting Processor in delivery of services under this Agreement Annex 2 Technical and Organizational Security Measures including technical and organisational measures to ensure the security of data Veritas Intercontinental prioritizes the privacy and security of all information we process on behalf of our customers as a Data Processor, or that we process in our capacity as a Data Controller. We are committed to complying with all applicable privacy and security laws and regulations, including the EU General Data Protection Regulation (“GDPR”), the UK Data Protection Act of 2018, and other global privacy laws. This includes maintaining a group-wide privacy and security program that is aligned to the requirements of global privacy and security laws and industry standards, where they apply to us. Technical and Organizational Measures are in place to protect the confidentiality, integrity and availability of Personal Data protected under this Agreement, including (without limitation) policies, procedures, and operational controls to ensure: Information Security Program ManagementEndpoint ProtectionPortable Media SecurityMobile Device SecurityWireless SecurityConfiguration ManagementVulnerability ManagementNetwork ProtectionTransmission ProtectionPassword ManagementAccess ManagementAudit Logging and MonitoringEducation, Training & AwarenessThird Party Assurance (including ensure adequate privacy and security of sub-processors)Incident Management and Response, including meeting any breach notification reporting obligationsBusiness Continuity and Disaster RecoveryRisk ManagementPhysical and Environmental Security Topic areas that our privacy program addresses include (without limitation): Workforce Privacy Training and WorkshopsPrivacy by Design and DefaultMaintaining a Record of Data Processing ActivitiesPrivacy Notice and Consent ManagementPerforming Data Privacy Impact AssessmentsThird Party Risk and Contract Management Cross-border Data Transfers Review and SecurityData Subject Rights Requests Program ManagementIncident Management and Response ProgramsBreach Notification Procedures Annex 3 Potential Sub-processors NameDescription of ProcessingAWSCloud Data StorageMicrosoft AzureCloud Data StorageFulgent GeneticsCarrier genetic testing EU&UK DPA – Veritas Int This Data Protection Agreement and any applicable appendices or attachments (collectively “DPA”) is between you, the ordering healthcare provider (“Controller”) associated with the Jeffrey Model Foundation, and VERITAS INTERCONTINENTAL SL (the Processor). Controller is responsible for ensuring that any additional requirements of Applicable Privacy Laws are included in this DPA or otherwise addressed with Processor in writing, to ensure Controller is able to meet their data protection obligations under Applicable Privacy Laws. For any questions in relation to this Data Processing Agreement, please email dpo@veritasint.com. HOW TO EXECUTE THIS DPA: 1. This DPA consists of three parts: the main body of the DPA, Annexes 1, 2 and 3, and the UK Addendum. 2. This DPA has been pre-signed on behalf of Veritas Intercontinental SL. 3. To complete this DPA, the Controller must click on the ‘I agree’ button on the bottom of this document. This DPA will become legally binding upon the Controller selecting ‘I agree’ on the bottom of this page and for the avoidance of doubt, shall be deemed to constitute signature and acceptance of Annexes 1, 2 and 3 and the UK Addendum. In accordance with the Spanish Agency for Data Protection’s (AEDP’s) ‘Guide for healthcare professionals’, Processor will be responsible for the processing of personal data of testing participants, derived from the clinical analyses that it carries out, and may be considered a Data Controller of certain health and genetic data it processes. This DPA applies where Veritas Intercontinental SL acts in its capacity as a Data Processor to Controller. 1. General. In performance of the Services (as set out in Annex 1), the Processor will Process data (including Personal Data) of or at the direction of the Controller. This DPA applies to the Controller and its Affiliates and references herein to the Controller apply with equal force and effect to the Controller’s Affiliates as if such Affiliate had executed this DPA. Where the concepts of Data Controller and Data Processor are not expressly contemplated by Applicable Privacy Laws, the Parties’ obligations in connection with this DPA shall be interpreted under those Applicable Privacy Laws to align as closely as possible with the scope of those roles while still complying fully with those Applicable Privacy Laws. 2. Definitions. “Applicable Privacy Laws” means any applicable data protection, privacy, or information security laws (including codes and regulations or other legally binding restrictions) governing Processing of the Personal Data and that are applicable to or required by (i) the Processing Location(s) identified in this DPA, (ii) the jurisdiction(s) in which the Processor or its Sub-processors are located or (iii) the jurisdiction(s) in which the Data Subjects are located. This includes, where applicable, but is not limited to European Privacy Laws. “Controller” means the natural or legal person which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data. “Data Protection Authority” or “Data Protection Authorities” means the competent body (or bodies) in the relevant jurisdiction that is charged with enforcement of Applicable Privacy Laws. “Data Subject” means the identified or identifiable natural person who is the subject of Personal Data/Personal Information and is protected under Applicable Privacy Laws. “European Privacy Laws” means: (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (the “GDPR”); (ii) the GDPR as incorporated into United Kingdom domestic law pursuant to Section 3 of the European Union (Withdrawal) Act 2018 (the “UK GDPR”); (iii) EU Directive 2002/58/EC on Privacy and Electronic Communications; and (iv) any EU Member State or UK law made under or pursuant to items (i) – (iii); in each case as amended, superseded or replaced from time to time. “Order” means each mutually executed order form or statement of work for Services. “Permitted Transfer” means that the European Privacy Laws do not require the SCCs or an alternative transfer solution in order to Process Controller Personal Data in or transfer it to an adequate country. “Personal Data/Personal Information” means information that identifies, relates to, describes, is reasonably capable of being associated or could reasonably be linked, directly or indirectly, with a natural person (“Data Subject”) or household. Personal Data includes, but is not limited to, identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers; biometric information and genetic data; internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an internet website application. “Processor” means a natural or legal person, which processes personal data on behalf of the Controller or another Processor. “Processing “Processes” or “Process”” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means such as collection, recording, organization, structuring, storage, adaption or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. “Processing Instructions” means Controllers written instructions (including but not limited to the terms contained in any Order, and this DPA) that govern the Processor’s Processing of Personal Data. “Processing Location” means the location(s) in which the Controller or any Controller Affiliate to which this DPA applies, is established, and any countries where the Processor or its Sub-processors Process Personal Data, including but not limited to the jurisdictions expressly authorized in this DPA. “Restricted Transfers” means that the transfer of Controller Personal Data is not a Permitted Transfer, and the European Privacy Laws applies to those transfers. “SCCs” means: (i) where the GDPR applies, the standard contractual clauses annexed to the European Commission’s Decision (EU) 2021/914 of 4 June 2021 (“EU SCCs”); and (ii) where the UK GDPR applies, the standard data protection clauses for processors adopted pursuant to or permitted under Article 46 of the UK GDPR (“UK SCCs”); in each case as may be amended, superseded, or replaced from time to time. “Security Incident” means the Personal Data has been subject to: (A) both (i) a compromise of the systems in which Personal Data has been accessed or acquired by one or more unauthorized parties or by the Processor not in compliance with this DPA; and (ii) where the risk of harm to Data Subjects merits notification to Data Subjects. For the avoidance of doubt, “a compromise of the systems” includes, but is not limited to: misuse, loss, destruction, or unauthorized access, collection, retention, storage, or transfer. “Services” means any and all services that the Processor performs or enables the Processor’s systems and technology to perform under this DPA and/or any Order. “Sub-Processor” means a third party processor engaged by a Processor who has or will have access to or process personal data from a Controller 3. Details of Personal Data Processing. The details of the Personal Data Processing (subject matter, duration, purpose, nature of processing, categories of Personal Data and Data Subjects) are contained in Annex 1. 4. Compliance. Each Party represents and warrants that it shall comply, at all times during the term of this DPA and for as long as the Party retains the Personal Data, with all Applicable Privacy Laws. The Controller expressly warrants that it has or will obtain any legally required consents and/or notices to authorize and engage the Processor to Process Personal Data pursuant to Controller’s Processing Instructions. The Processor shall retain and Process the Personal Data no longer than is necessary to perform the Services or as long as it is required to retain and Process the Personal Data by Applicable Privacy Laws. The Processor agrees that it shall acquire no rights or interests in the Personal Data and will not use the Personal Data for any other purpose than for performance of the Services and only pursuant to Controller’s Processing instructions. The Processor shall inform the Controller in a timely manner if, in its opinion, the Controller’s Processing Instruction(s) infringes or otherwise violates Applicable Privacy Laws and if the Processor becomes aware that the Personal Data it is processing is inaccurate or has become outdated. At the Controller’s request, the Processor shall promptly cooperate with the Controller to permit the Controller to meet its obligations under Applicable Privacy Laws, including assisting the Controller with responding to requests by Data Subjects, exercising their rights under Applicable Privacy Laws. The Processor will inform the Controller immediately if it has received such a request directly from the Data Subject. The Processor shall assist the Controller with compliance with the Controller’s obligation to carry out a Data Privacy Impact Assessment including, where applicable, prior consultation with the relevant Data Protection Authority. 5. International transfers. Personal Data may be stored and Processed in the EEA by the Processor and the Processor’s sub-processors. Where the Processor wishes to transfer to and Process in a country other than the country in which the Personal Data was first collected, the Processor shall first take such measures as are necessary to ensure that the transfer is made in compliance with Applicable Privacy Laws. Such measures may include (without limitation) transferring the Personal Data to a recipient that has executed applicable SCCs or transferring the Personal Data to a recipient that has executed a contract with the Processor that ensures the Personal Data will be protected to the standard required by Applicable Privacy Laws. 6. Standard Contractual Clauses. To the extent that the transfer of Personal Data from the Controller to the Processor involves a Restricted Transfer, the parties agree to be subject to the appropriate Standard Contractual Clauses as follows: a) in relation to Data that is protected by the EU GDPR, the EU SCCs will apply completed as follows: (i) Module Two will apply; (ii) in Clause 7, the optional docking clause will apply; (iii) in Clause 9, Option 2 will apply, and the time period for prior notice of subprocessor changes shall be as set out in Clause 9.1 of this DPA; (iv) in Clause 17, Option 1 will apply, and the EU SCCs will be governed by applicable member state law; (v) in Clause 18(b), disputes shall be resolved before the courts of Ireland; (vi) Annex I of the EU SCCs shall be deemed completed with the information set out in Annex 1 to this DPA; (vii) Annex II of the EU SCCs shall be deemed completed with the information set out in Annex 2 to this DPA; and (viii) Annex III of the EU SCCs shall be deemed completed with the information set out in Annex 3 to this DPA; b) in relation to Data that is protected by the UK GDPR, the UK SCCs will apply completed as follows: (i) For so long as it is lawfully permitted to rely on standard contractual clauses for the transfer of personal data to Processors set out in the European Commission’s Decision 2010/87/EU of 5 February 2010 (“Prior C2P SCCs”) for transfers of personal data from the United Kingdom, the Prior C2P SCCs shall apply between the Controller and the Processor on the following basis: Appendix 1 shall be completed with the relevant information set out in Annex 1 to this DPA;Appendix 2 shall be completed with the relevant information set out in Annex 2 to this DPA; andthe optional illustrative indemnification Clause will not apply. (ii) Where sub-clause (b)(i) above does not apply, but the Controller and the Processor are lawfully permitted to rely on the EU SCCs for transfers of personal data from the United Kingdom subject to completion of a “UK Addendum to the EU Standard Contractual Clauses” (“UK Addendum”) issued by the Information Commissioner’s Office under s.119A(1) of the Data Protection Act 2018, then: The EU SCCs shall also apply to transfers of such Data, subject to sub-clause (B) below;The UK Addendum shall be deemed executed between the transferring Controller and the Processor, and the EU SCCs shall be deemed amended as specified by the UK Addendum in respect of the transfer of such Controller Data. If neither sub-clause (b)(i) or sub-clause (b)(ii) applies, then the Controller and the Processor shall cooperate in good faith to implement appropriate safeguards for transfers of such Data as required or permitted by the UK GDPR without undue delay. c) in the event that any provision of this DPA contradicts, directly or indirectly, the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail. 7. Confidentiality of processing. The Processor shall ensure that any person that it authorizes to process the Personal Data knows that the Personal Data is confidential information of the Controller and is subject to any confidentiality, non use, and non-disclosure obligations in this DPA. The Processor shall Process the Controller Personal Data only as necessary for the purposes of delivering Services. 8. Security, Retention & Disposal. The Processor shall implement appropriate technical and organizational measures appropriate to the nature of the Personal Data to protect the Personal Data from a Security Incident and to preserve the security, integrity, and confidentiality of the Personal Data, whose policies, practices and procedures shall comply with all Applicable Privacy Laws. At a minimum, such measures shall include the measures identified at Annex 2 (the “Security Measures”). The Processor agrees to keep the Security Measures under review and update them where necessary so that they remain appropriate, provided that such updates and modifications do not result in the degradation of the overall security. The Processor shall limit access to its Personnel and Sub-processors on a need-to-know basis only. The Processor shall comply with all data retention and erasure (or destruction) requirements under this DPA and Applicable Privacy Laws. The Processor’s group members shall have implemented appropriate technical and organizational measures and be subject to the same data protection obligations as the Processor. 9. Sub-processing. The Processor shall not engage Sub-processors to Process the Personal Data without the Controller’s prior written consent. Notwithstanding the preceding sentence, the Controller consents and hereby provides its general written authorization to the Processor for engaging Sub-processors to Process the Personal Data for the Purpose provided that:9.1. The Processor provides reasonable prior notice at least 30 days before the proposed addition or replacement of any Sub-processor, in order to allow the Controller to raise any reasonable objections on grounds of data protection; and 9.2. The Processor imposes data protection terms on any Sub-processor it engages that ensure at least the same standard of protection provided under this DPA and the Processor remains liable for any breach of this DPA caused by an act, error, or omission of its Sub-processors. 9.3. The Processor’s current Sub-processors are identified at Annex 3. The Controller may object to the addition or replacement of any Sub processor on reasonable grounds relating to data protection and the Processor will act in good faith to resolve such objection, including honoring any of the Controller’s rights under Applicable Privacy Laws. 10. Notification and Audit. If the Processor learns or has reason to believe that there has been a Security Incident relating to or affecting the Personal Data of the Data Subjects, the Processor shall notify the Controller without undue delay. The Processor shall cooperate with and assist the Controller to allow the Controller to comply with its obligations under all Applicable Privacy Laws, including with respect to notification requirements. The Controller shall have the right, upon written request, to audit the Processor’s policies, procedures and practices used to maintain the privacy, security, and confidentiality of Personal Data. Unless agreed to otherwise in writing by the Parties or required by Applicable Privacy Laws, such audit response shall consist of written documentation in relation thereto, including information regarding any independent, third-party audit of the Processor, the Processor’s group members ‘s or Sub-processors’ systems, processes, policies, practices and procedures. Except in the circumstances of a Security Incident, the Controller’s audits pursuant to this Section shall be limited to once per rolling twelve (12) month period. 11. Order of Precedence & Further Documents. In the event of a conflict between the terms and conditions of this DPA and any Order, the terms and conditions of this DPA shall supersede any such conflicting terms. Where there is no conflict, this DPA is intended to supplement any Order(s) with respect to the subject matter hereof. 12. Miscellaneous. This DPA will remain in effect until, and automatically expire when the Processor deletes and/or procures deletion of all the Personal Data Processed by the Processor. The Parties’ relationship is and shall remain that of independent contractors and nothing herein shall be deemed or construed to create an employer/employee, joint venture, agency, trust, fiduciary, or other relationship between the Parties. This DPA, its Annexes, the SCCs, and all Orders represent the entire understanding and agreement between the Parties that relate to the subject matter hereof, superseding any prior privacy and data protection terms. Except as specifically provided for in this DPA, this DPA may be amended, altered, waived, cancelled or changed only by written mutual agreement signed by both Parties. Each of the Parties acknowledges that there are no other promises, representations, or warranties whatsoever, whether by a Party, its Affiliate, its Sub-processors, and each of their employees, contractors, officers, directors, and agents or attorneys of such Party, and acknowledges that it has not executed or authorized the execution of this DPA in reliance upon any such promise, representation or warranty, that is not expressly contained in this DPA. Annex 1 Categories of data subjects whose Personal Data is ProcessedController’s workforce members, and Controller’s patients (i.e. individual data subject testing participants)Categories of Personal Data ProcessedPersonal Data necessary to deliver the services under the Agreement, including Personal Data such as name, date of birth, gender/sex, contact details such as address, email address, phone number, employment details if required to deliver the services.Sensitive data Processed (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measuresData Concerning Health (Special Category Data) and Genetic data. If required to deliver the services, race, ethnicity and information about sex life may also be Processed.Safeguards and restrictions to ensure the protection of this data are set out in this Agreement and Annex 2Nature of the ProcessingHealth and Genetic Testing. Processing is being conducted in order to facilitate the performance of the Services documented in the relevant Agreement.Purpose(s) for which the Personal Data is Processed on behalf of the ControllerHealth and Genetic Testing. Processing is being conducted in order to facilitate the performance of the Services documented in the relevant Agreement.Duration of the processingThe Processing shall continue until the later of the relevant Agreement being terminated in accordance with its terms and any notice period or transition period prescribed by that Agreement having expired and Processor no longer being subject to an applicable legal or regulatory requirement to continue to store the Personal Data.Processor will retain data where it has legal basis to do so under applicable laws and regulations, including where it acts as a Data Controller.Processing shall be performed with the required frequency to test individual Data Subject Participants at request of Controller or individual Data Subject.For processing by (sub-) processors, also specify subject matter, nature and duration of the processingAs above, for the sole purpose of supporting Processor in delivery of services under this Agreement Annex 2 Technical and Organizational Security Measures including technical and organisational measures to ensure the security of data Veritas Intercontinental prioritizes the privacy and security of all information we process on behalf of our customers as a Data Processor, or that we process in our capacity as a Data Controller. We are committed to complying with all applicable privacy and security laws and regulations, including the EU General Data Protection Regulation (“GDPR”), the UK Data Protection Act of 2018, and other global privacy laws. This includes maintaining a group-wide privacy and security program that is aligned to the requirements of global privacy and security laws and industry standards, where they apply to us. Technical and Organizational Measures are in place to protect the confidentiality, integrity and availability of Personal Data protected under this Agreement, including (without limitation) policies, procedures, and operational controls to ensure: Information Security Program ManagementEndpoint ProtectionPortable Media SecurityMobile Device SecurityWireless SecurityConfiguration ManagementVulnerability ManagementNetwork ProtectionTransmission ProtectionPassword ManagementAccess ManagementAudit Logging and MonitoringEducation, Training & AwarenessThird Party Assurance (including ensure adequate privacy and security of sub-processors)Incident Management and Response, including meeting any breach notification reporting obligationsBusiness Continuity and Disaster RecoveryRisk ManagementPhysical and Environmental Security Topic areas that our privacy program addresses include (without limitation): Workforce Privacy Training and WorkshopsPrivacy by Design and DefaultMaintaining a Record of Data Processing ActivitiesPrivacy Notice and Consent ManagementPerforming Data Privacy Impact AssessmentsThird Party Risk and Contract Management Cross-border Data Transfers Review and SecurityData Subject Rights Requests Program ManagementIncident Management and Response ProgramsBreach Notification Procedures These measures ensure the security and compliant processing of Personal Data under this Agreement. Annex 3 Sub-processors Entity NameDescription of ProcessingLocationAWSCloud Data StorageEU Microsoft AzureCloud Data StorageEU Fulgent GeneticsCarrier genetic testingEU UK Addendum Standard Data Protection Clauses to be issued by the Commissioner under S119A(1) Data Protection Act 2018 International Data Transfer Addendum to the EU Commission Standard Contractual Clauses VERSION B1.0, in force 21 March 2022 This Addendum has been issued by the Information Commissioner for Parties making Restricted Transfers. The Information Commissioner considers that it provides Appropriate Safeguards for Restricted Transfers when it is entered into as a legally binding contract. Part 1: Tables Table 1: Parties Start dateAs per the start date of this Data Protection AgreementThe PartiesExporter (who sends the Restricted Transfer)Importer (who receives the Restricted Transfer)Parties’ detailsSee DPA aboveFull legal name: VERITAS INTERCONTINENTAL SL Trading name (if different): Main address (if a company registered address): Official registration number (if any) (company number or similar identifier): Key ContactSee DPA aboveVP Data Compliance and PrivacyContact details including email: DPO@veritasint.com Signature (if required for the purposes of Section 2)See DPA aboveThomas Bently, VP Data Compliance and Privacy Table 2: Selected SCCs, Modules and Selected Clauses Addendum EU SCCs☒ The version of the Approved EU SCCs which this Addendum is appended to, detailed below, including the Appendix Information:Date: EU SCCs version published on 4th June 2021Reference (if any): Controller to Processor EU SCCs implemented as part of the Agreement for services between Data Exporter and Data Importer. Other identifier (if any): Standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council implemented between Data Importer and Data Exporter. Table 3: Appendix Information “Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this Addendum is set out in: Annex 1A: List of Parties: Data Importer and Data Exporter referenced in Table 1Annex 1B: Description of Transfer: As described in Annex 1 of the version of the Approved EU SCCs which this Addendum is appended to.Annex II: Technical and organisational measures including technical and organisational measures to ensure the security of the data: As described in Annex 2 of the version of the Approved EU SCCs which this Addendum is appended to.Annex III: List of Sub processors (Modules 2 and 3 only): As described in Annex 3 of the version of the Approved EU SCCs which this Addendum is appended to. Table 4: Ending this Addendum when the Approved Addendum Changes Ending this Addendum when the Approved Addendum changesWhich Parties may end this Addendum as set out in Section 19:☐ Importer☒ Exporter☐ neither Party Part 2: Mandatory Clauses Entering into this Addendum Each Party agrees to be bound by the terms and conditions set out in this Addendum, in exchange for the other Party also agreeing to be bound by this Addendum.Although Annex 1A and Clause 7 of the Approved EU SCCs require signature by the Parties, for the purpose of making Restricted Transfers, the Parties may enter into this Addendum in any way that makes them legally binding on the Parties and allows data subjects to enforce their rights as set out in this Addendum. Entering into this Addendum will have the same effect as signing the Approved EU SCCs and any part of the Approved EU SCCs. Interpretation of this Addendum Where this Addendum uses terms that are defined in the Approved EU SCCs those terms shall have the same meaning as in the Approved EU SCCs. In addition, the following terms have the following meanings: Addendum This International Data Transfer Addendum which is made up of this Addendum incorporating the Addendum EU SCCs.Addendum EU SCCsThe version(s) of the Approved EU SCCs which this Addendum is appended to, as set out in Table 2, including the Appendix Information.Appendix InformationAs set out in Table 3.Appropriate SafeguardsThe standard of protection over the personal data and of data subjects’ rights, which is required by UK Data Protection Laws when you are making a Restricted Transfer relying on standard data protection clauses under Article 46(2)(d) UK GDPR.Approved AddendumThe template Addendum issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18.Approved EU SCCs The Standard Contractual Clauses set out in the Annex of Commission Implementing Decision (EU) 2021/914 of 4 June 2021.ICOThe Information Commissioner.Restricted TransferA transfer which is covered by Chapter V of the UK GDPR.UK The United Kingdom of Great Britain and Northern Ireland.UK Data Protection Laws All laws relating to data protection, the processing of personal data, privacy and/or electronic communications in force from time to time in the UK, including the UK GDPR and the Data Protection Act 2018.UK GDPR As defined in section 3 of the Data Protection Act 2018. This Addendum must always be interpreted in a manner that is consistent with UK Data Protection Laws and so that it fulfills the Parties’ obligation to provide the Appropriate Safeguards. If the provisions included in the Addendum EU SCCs amend the Approved SCCs in any way which is not permitted under the Approved EU SCCs or the Approved Addendum, such amendment(s) will not be incorporated in this Addendum and the equivalent provision of the Approved EU SCCs will take their place.If there is any inconsistency or conflict between UK Data Protection Laws and this Addendum, UK Data Protection Laws applies.If the meaning of this Addendum is unclear or there is more than one meaning, the meaning which most closely aligns with UK Data Protection Laws applies. Any references to legislation (or specific provisions of legislation) means that legislation (or specific provision) as it may change over time. This includes where that legislation (or specific provision) has been consolidated, re-enacted and/or replaced after this Addendum has been entered into. Hierarchy Although Clause 5 of the Approved EU SCCs sets out that the Approved EU SCCs prevail over all related agreements between the parties, the parties agree that, for Restricted Transfers, the hierarchy in Section 10 will prevail.Where there is any inconsistency or conflict between the Approved Addendum and the Addendum EU SCCs (as applicable), the Approved Addendum overrides the Addendum EU SCCs, except where (and in so far as) the inconsistent or conflicting terms of the Addendum EU SCCs provides greater protection for data subjects, in which case those terms will override the Approved Addendum.Where this Addendum incorporates Addendum EU SCCs which have been entered into to protect transfers subject to the General Data Protection Regulation (EU) 2016/679 then the Parties acknowledge that nothing in this Addendum impacts those Addendum EU SCCs. Incorporation of and changes to the EU SCCs This Addendum incorporates the Addendum EU SCCs which are amended to the extent necessary so that: together they operate for data transfers made by the data exporter to the data importer, to the extent that UK Data Protection Laws apply to the data exporter’s processing when making that data transfer, and they provide Appropriate Safeguards for those data transfers; Sections 9 to 11 override Clause 5 (Hierarchy) of the Addendum EU SCCs; andthis Addendum (including the Addendum EU SCCs incorporated into it) is (1) governed by the laws of England and Wales and (2) any dispute arising from it is resolved by the courts of England and Wales, in each case unless the laws and/or courts of Scotland or Northern Ireland have been expressly selected by the Parties. Unless the Parties have agreed alternative amendments which meet the requirements of Section 12, the provisions of Section 15 will apply.No amendments to the Approved EU SCCs other than to meet the requirements of Section 12 may be made.The following amendments to the Addendum EU SCCs (for the purpose of Section 12) are made: References to the “Clauses” means this Addendum, incorporating the Addendum EU SCCs;In Clause 2, delete the words: “and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679”; Clause 6 (Description of the transfer(s)) is replaced with: “The details of the transfers(s) and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred) are those specified in Annex I.B where UK Data Protection Laws apply to the data exporter’s processing when making that transfer.”; Clause 8.7(i) of Module 1 is replaced with: “it is to a country benefitting from adequacy regulations pursuant to Section 17A of the UK GDPR that covers the onward transfer”; Clause 8.8(i) of Modules 2 and 3 is replaced with: “the onward transfer is to a country benefitting from adequacy regulations pursuant to Section 17A of the UK GDPR that covers the onward transfer;” References to “Regulation (EU) 2016/679”, “Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)” and “that Regulation” are all replaced by “UK Data Protection Laws”. References to specific Article(s) of “Regulation (EU) 2016/679” are replaced with the equivalent Article or Section of UK Data Protection Laws;References to Regulation (EU) 2018/1725 are removed;References to the “European Union”, “Union”, “EU”, “EU Member State”, “Member State” and “EU or Member State” are all replaced with the “UK”;The reference to “Clause 12(c)(i)” at Clause 10(b)(i) of Module one, is replaced with “Clause 11(c)(i)”;Clause 13(a) and Part C of Annex I are not used; The “competent supervisory authority” and “supervisory authority” are both replaced with the “Information Commissioner”;In Clause 16(e), subsection (i) is replaced with: “the Secretary of State makes regulations pursuant to Section 17A of the Data Protection Act 2018 that cover the transfer of personal data to which these clauses apply;”; Clause 17 is replaced with: “These Clauses are governed by the laws of England and Wales.”; Clause 18 is replaced with: “Any dispute arising from these Clauses shall be resolved by the courts of England and Wales. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts.”; and The footnotes to the Approved EU SCCs do not form part of the Addendum, except for footnotes 8, 9, 10 and 11. Amendments to this Addendum The Parties may agree to change Clauses 17 and/or 18 of the Addendum EU SCCs to refer to the laws and/or courts of Scotland or Northern Ireland.If the Parties wish to change the format of the information included in Part 1: Tables of the Approved Addendum, they may do so by agreeing to the change in writing, provided that the change does not reduce the Appropriate Safeguards.From time to time, the ICO may issue a revised Approved Addendum which: makes reasonable and proportionate changes to the Approved Addendum, including correcting errors in the Approved Addendum; and/orreflects changes to UK Data Protection Laws; The revised Approved Addendum will specify the start date from which the changes to the Approved Addendum are effective and whether the Parties need to review this Addendum including the Appendix Information. This Addendum is automatically amended as set out in the revised Approved Addendum from the start date specified. If the ICO issues a revised Approved Addendum under Section 18, if any Party selected in Table 4 “Ending the Addendum when the Approved Addendum changes”, will as a direct result of the changes in the Approved Addendum have a substantial, disproportionate and demonstrable increase in: its direct costs of performing its obligations under the Addendum; and/or its risk under the Addendum, and in either case it has first taken reasonable steps to reduce those costs or risks so that it is not substantial and disproportionate, then that Party may end this Addendum at the end of a reasonable notice period, by providing written notice for that period to the other Party before the start date of the revised Approved Addendum. The Parties do not need the consent of any third party to make changes to this Addendum, but any changes must be made in accordance with its terms. Alternative Part 2 Mandatory Clauses: Mandatory ClausesPart 2: Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses.