Data Protection Agreement

This Data Processing Agreement and its Annexes (“Labviva DPA”) form part of the Agreement entered into between You (“Customer”) and Labviva, Inc., 239 Causeway St., Suite 500, Boston, MA 02114, United States of America, (“Labviva”) (collectively, the “Parties”) and set forth the terms and conditions under which the Parties may process Personal Data. In the event of a conflict in relation to the processing of Personal Data between this DPA, and any other agreement, this DPA shall prevail. Unless otherwise specified, capitalized terms used but not defined in this DPA shall have the meaning set forth elsewhere in the Terms. This DPA is effective on the date the Agreement is entered into and will continue in force until the expiration or termination of the Agreement in accordance with its terms.

1. Definitions

The following definitions shall apply for the purposes of this DPA:

“Agreement” means the Labviva DPA together with any document related to the Customer’s subscription to the Services including SaaS Agreements and Order Forms but not limited to any statements of work, contracts and/or any other agreements executed or approved by the Customer with respect to Customer’s subscription to the Labviva Services.

"Contact Data" means Personal Data provided by the Customer to Labviva including names, usernames (Labviva login details, and other communication software other usernames), business email addresses, business phone numbers, job titles, and such other information as is specified in the Agreement.

“Controller”, “Data Subject”, “Personal Data”, “Personal Data Breach”, “Processing”, “Processor” and “Supervisory Authority” shall have the meanings set out in the GDPR (and related terms such as “Process” have corresponding meanings).

“Customer” means legal entities and businesses, excluding any natural persons, with which Labviva engages into an Agreement.

“Data Protection Laws” is defined as all legislation and regulations relating to the protection of Personal Data, including (without limitation), the Data Protection Acts 1988-2018, the GDPR, and all other statutory instruments, industry guidelines (whether statutory or non-statutory) or codes of practice or guidance issued by a relevant Supervisory Authority relating to the processing of Personal Data or privacy, each as amended, revised, modified or replaced from time to time.

“Documented Instructions” includes and are limited to statements of work, contracts and/or any other agreements executed or approved by the Customer.

“GDPR” means the General Data Protection Regulation (EU) 2016/679 on the protection of natural persons regarding the Processing of Personal Data and on the free movement of such data.

“Security Event” means an incident which results in (or may result in) the accidental or unlawful destruction, loss, alteration or unauthorized disclosure of, or access to, Customer’s Personal Data while in the custody or control of Labviva or a Sub-Processor.

“Services” means the service(s) and/or product(s) between Labviva and the Customer as defined in the respective Agreement between the named Parties.

“Standard Contractual Clauses” means (a) in respect of any Personal Data subject to the GDPR, the standard contractual clauses for the transfer of Personal Data to third countries pursuant to the GDPR between (i) controllers and processors (Module 2) ("Controller to Processor") and/or (ii) processors and (sub-)processors (Module 3) ("Processor to Processor") as approved by the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021 available at http://data.europa.eu/eli/dec_impl/2021/914/oj and the Addendum B.1.0 issued by the Information Commissioner's Office and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022 (incorporating the Mandatory Clauses of that Addendum) appended to the Standard Contractual Clauses.

“Sub-Processor” means the third party sub-processors set out in Annex 3 to this DPA engaged by Labviva to process Personal Data as authorized by Customer in accordance with this DPA.

“Third Country” means all countries that are not members of the European Economic Area (“EEA”) or which have not been recognized by the European Commission as providing an adequate level of protection for Personal Data.

"Transfer Solution" means the Standard Contractual Clauses or any other means or basis for permitting the transfer of Personal Data in accordance with applicable Data Protection Laws.

“TOMs” means technical and organizational measures.

“Labviva Terms” means Labviva’s terms and conditions defined in the respective agreement between the Parties.

2. Data Protection Roles

The Parties acknowledge that:

In the context of Labviva’s Services, Labviva will act as a Processor to the Customer who can either act as a Controller or Processor of Contact Data.

3. Customer Obligations

Customer represents and warrants that it will only use the Contact Data to process Personal Data if such processing is in compliance with the applicable Data Protection Laws.

4. Labviva Obligations

4.1. Compliance with instructions

The parties agree that the Labviva DPA and the Agreement (including Customer providing instructions via configuration tools) constitute Customer’s documented instructions provided in the Agreements regarding Labviva’s processing of Customer Data (“Documented Instructions”). Labviva, as the Processor, will process the Contact Data only in accordance with Documented Instructions by the Customer.

Additional instructions outside the scope of the Documented Instructions (if any) require prior written agreement between Labviva and Customer, including agreement on any additional fees payable by Customer to Labviva for carrying out such instructions. Customer is entitled to terminate this DPA and the Agreement if Labviva declines to follow instructions requested by Customer that are outside the scope of, or changed from, those given or agreed to be given in this DPA. Considering the nature of the processing, Customer agrees that it is unlikely Labviva can form an opinion on whether Documented Instructions infringe Applicable Data Protection Law. If Labviva forms such an opinion, it will immediately inform Customer, in which case, Customer is entitled to withdraw or modify its Documented Instructions. Labviva, as the Processor, will also immediately inform the Customer whether it is obliged, under EU or EU Member State law, to process data contrary to the instructions of the Customer or without the instructions of the Customer (if such notification is permissible).

4.2. Confidentiality

The parties agree that the Labviva DPA and the Agreement (including Customer providing instructions via configuration tools) constitute Customer’s documented instructions provided in the Agreements regarding Labviva’s processing of Customer Data (“Documented Instructions”). Labviva, as the Processor, will process the Contact Data only in accordance with Documented Instructions by the Customer.

Additional instructions outside the scope of the Documented Instructions (if any) require prior written agreement between Labviva and Customer, including agreement on any additional fees payable by Customer to Labviva for carrying out such instructions. Customer is entitled to terminate this DPA and the Agreement if Labviva declines to follow instructions requested by Customer that are outside the scope of, or changed from, those given or agreed to be given in this DPA. Considering the nature of the processing, Customer agrees that it is unlikely Labviva can form an opinion on whether Documented Instructions infringe Applicable Data Protection Law. If Labviva forms such an opinion, it will immediately inform Customer, in which case, Customer is entitled to withdraw or modify its Documented Instructions. Labviva, as the Processor, will also immediately inform the Customer whether it is obliged, under EU or EU Member State law, to process data contrary to the instructions of the Customer or without the instructions of the Customer (if such notification is permissible).

4.3. Return of Personal Data

At the choice of the Customer, all Contact Data held by Labviva shall be deleted or returned to the Contact upon the termination of the Agreement, unless EU or Member State law otherwise requires such Contact Data to be retained by Labviva for a prescribed period.

If the Customer chooses to have the data returned, Labviva shall transmit the data to the Customer in a reusable and common electronic data format, which the Customer may freely choose.

4.4. Data Security

Labviva shall implement and maintain appropriate TOMs designed to meet the requirements of Article 32 GDPR to protect Data Subjects and Personal Data against any misuse, accidental, unlawful or unauthorized destruction, loss, alteration, disclosure, acquisition or access.

Labviva shall, without undue delay, notify Customer of a Security Event. Where, and insofar as, it is not possible to provide all information at the same time, the initial notification of a Security Event shall contain the information then available and further information shall be provided as it becomes available without undue delay.

Labviva will provide Customer with information about:

● the details of a contact point where more information concerning the Security Event can be obtained;
● the nature of the Security Event including the categories and approximate number of Data Subjects and Personal Data records concerned;
● the likely consequences of the Security Event; and
● the steps Labviva has taken to address the Security Event.

Labviva shall take all necessary steps to mitigate the effects and to minimize any damage resulting from the Security Event and to prevent a recurrence of such Security Event; and provide such assistance and cooperation as Customer requires in responding to the Security Event including in relation to notifying any relevant regulatory authority and/or Data Subject of the Security Event.

5. Sub-Processors

Customer agrees that Labviva may share Personal Data with the Sub-Processors listed in Annex III. Labviva may remove or replace the current Sub-Processors from time to time as necessary to provide the Services and will notify You of any such changes.

Labviva must ensure that a written contract is entered into with each Sub-Processor that is compliant with the same data protection obligations as those to which Labviva itself is subject under the applicable Data Protection Laws.

Labviva shall be responsible and liable for any acts or omissions of the Sub-Processor. Instructions given by Labviva to any Sub-Processor must be within the scope of this DPA.

6. Third Country Transfer of Personal Data

The Parties acknowledge and agree Labviva may transfer Contact Data outside of the EEA.

Therefore, the Parties agree that the Standard Contractual Clauses will be incorporated by reference and form part of this DPA as follows: Customer shall be the “data exporter” and Labviva shall be the “data importer”.

In relation to Customer’s Contact Data as well as data extracted using Labviva Services, the following modules shall apply:

• Module 2 (Controller to Processor)
• Module 3 (Processor to Processor)

The Parties acknowledge that the Customer may either act as a Processor (and Labviva as a Sub-Processor) or as a Controller (and Labviva as a Processor), depending on the specific data at issue.

In Clause 7, the optional docking clause shall not apply.

In Clause 9, Option 2 shall apply with at least 7 days prior notice (including email).

In Clause 11, the optional language shall not apply.

In Clause 17, the law of the Republic of Ireland shall apply.

In Clause 18, the courts of the Republic of Ireland shall have jurisdiction.

The Annex I and II to the Standard Contractual Clauses are set out in the Annex I and II to this DPA.

In the event of a change in any applicable Data Protection Laws relating to the country/countries where an adequate level of data protection exists requiring an alternative Transfer Solution to be implemented to permit the continued transfers of Personal Data anticipated in the Agreement, the Parties each agree to act reasonably to seek to agree an alternative Transfer Solution permitting the relevant Party to continue Processing the Personal Data in the relevant country/countries and the relevant international transfer(s) to continue.

In the event the European Commission issues any replacement or substitution of the Standard Contractual Clauses, upon receipt of written notice from a Party requiring the same, the Standard Contractual Clauses incorporated into this DPA pursuant to this clause shall be deemed to be deleted and replaced with such replacement or substitution which each Party agrees shall be deemed to be incorporated into this Agreement in place of the Standard Contractual Clauses (and all references in this DPA shall be deemed to refer to such replacement or substitutions clauses accordingly). To the extent necessary, each Party agrees to co-operate taking such other measures as may be necessary to give effect to such replacement or substitution of the Standard Contractual Clauses in order to comply with applicable Data Protection Laws and/or otherwise satisfy any administrative or documentary requirements relating to the same.

7. Liability

The liability of either Party under or in connection with this agreement shall be limited to 200% of the contract volume between Labviva and the Customer and, in case of a contract with an unlimited term, 200% of the yearly contract volume between Labviva and the Customer.

8. General

Nothing in this DPA reduces the Customer's obligations under the Agreement in relation to the protection of Personal Data.

This DPA and any disputes or claims arising out of or in connection with it or its subject matter or formation (including non-contractual disputes or claims) shall be governed by, and construed, in accordance with, the laws of Ireland.

The Parties irrevocably agree that in relation to any dispute or claim that arises out of or in connection with the DPA or its subject matter or formation (including non-contractual disputes or claims) the courts of Ireland shall have jurisdiction.

Amendments to this agreement shall be made exclusively in writing. This shall also apply to this requirement of written form. Notwithstanding the above, Labviva may propose amendments to this Agreement by sending the proposed amendment to the primary contact email address provided by the Customer and such proposal shall be deemed accepted by the Customer if the Customer does not object to the proposal by response email within 14 days of receiving the proposal. Should any provision of this agreement be invalid or ineffective, it shall, to the extent permitted by law, be replaced by that provision which comes closest in economic terms to the invalid or ineffective provision.

ANNEX I

A. List of Parties

Data Importer:

Name:

Labviva, Inc.

Address:

164 Canal St., Suite 401, Boston, MA 02114, United States of America

Contact person's name, position and contact details:

Cyrus Rostami, Sr. Manager of Legal Operations & DPO, crostami@labviva.com

Activities relevant to the data transferred under these Clauses:

Providing Software Services to Businesses

Role (controller/processor):

Module 2 Processor in relation to Contact Data.

Data Exporter:

Name:

Customer's name as set out in the Agreement

Address:

Customer's address as set out in Agreement

Contact person's name, position and contact details:

As set out in an Agreement or as otherwise agreed with Labviva

Activities relevant to the data transferred under these Clauses:

Using Labviva's Services

B. Description of Transfer

Categories of data subjects whose Personal Data is transferred:

Customer staff information; other information as determined by Customer

Categories of personal data transferred:

Names, usernames (Labviva login details, Slack and other communication software other user names), business email addresses, postal addresses, business phone numbers, job titles, and other information as specified in the Labviva Terms.

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.

N/A

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).

Continuous

Nature of the processing

As specified in the Labviva Terms

Purpose(s) of the data transfer and further processing

Labviva will process the Personal Data as necessary to provide the Services

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

As specified in the Labviva Terms

For transfers to (sub) processors, also specify subject matter, nature and duration of the processing

As described in Annex III

C. Competent Supervisory Authority

Identify the competent supervisory authority/ies in accordance with Clause 13

Irish Data Protection Commission

ANNEX II

TECHNICAL AND ORGANIZATIONAL MEASURES INCLUDING TECHNICAL AND ORGANIZATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

| Security Measure | Description of Labviva Process |
| --- | --- |
| Ensuring physical security of locations at which Personal Data is processed | Labviva services are hosted on data servers hosted by highly secure cloud providers. All of Labviva's hosting providers are ISO 27001 certified. |
| Ensuring system event logging | Labviva uses centralized log management, which logs system events. Labviva shall monitor these logs for success rates, availability, and response time. |
| Protection of data during transmission | All data in transit is encrypted using Transport Layer Security (TLSv1.2) using RSA256 bit key signed using the algorithm SHA256withRSA. |
| Managing vulnerabilities on production environment | Labviva has a vulnerability management program and performs advanced vulnerability scans using leading technology scanners on a daily basis. |
| Ensuring password security | Strong passwords are implemented on all applicable systems. Labviva has a password management policy following NIST standard security requirements. |
| Ensuring system configuration | Setup on servers is automated using a configuration management and orchestration tool to provide the same configurations per role on all servers. |
| User identification and authorisation | Administrative privileges are restricted based on the concept of least privilege and defined roles-level access. Only very limited staff at Labviva have administrator access to Labviva systems. |
| Governance and risk management | Labviva has a risk management program in accordance with the NIST Risk Management Framework. |
| Managing incidents that affect confidentiality, integrity, and availability | An Information Technology Infrastructure Library is used to manage the lifecycle of an incident. Labviva has an incident response progress and guide for escalation based on the severity of an incident. |

ANNEX III

LIST OF SUB-PROCESSORS

The controller has authorized the use of the following sub-processors (including a clear delimitation of responsibilities in case several sub-processors are authorized):

| Name | Address | Description of processing |
| --- | --- | --- |
| Amazon Web Services | 410 Terry Avenue North, Seattle, WA USA | Hosting provider |
| Atlassian | 350 Bush Street Floor 13 San Francisco, CA 94104, USA | Project management |
| Auth0 | 10900 Northeast 8th Street, Bellevue, WA 98004, USA | Identity Management |
| Confluent | 899 West Evelyn Ave. Mountain View, CA 94041, USA | Cloud data store |
| DataDog | 620 8th Avenue, 45th Floor, New York, NY 10018, USA | Logging and Reporting |
| Gitlab | 268 Bush Street #350, San Francisco, CA 94104, USA | Code Management |
| Google | 1600 Amphitheatre Parkway Mountain View, CA 94043 USA | Documents and Workspace |
| Google Analytics | 1600 Amphitheatre Parkway Mountain View, CA 94043 USA | Analytics service |
| Hubspot | 25 First Street, 2nd Floor Cambridge, MA 02141 USA | Customer relationship management tool |
| Intercom | 3rd Floor, Stephens Ct., 18-21 St. Stephen's Green, Dublin 2, Ireland | Customer support channel |
| MailJet | 4 rue Jules Lefebvre, 75009 Paris, France | Email Distribution System |
| Microsoft | 1 Microsoft Way Redmond WA 98052 | Email, Documents, Workspace |
| Okta | 100 First Street, 6th Floor, San Francisco, CA 94105, USA | Identity Management |
| Quickbooks | 2700 Coast Ave, Mountain View, CA 94043 | Financial System |
| SAP | 3999 West Chester Pike Newtown Square, PA 19073 USA | Financial System |
| Slack | 60 R801, North Dock Dublin, Ireland | Chat and Coordination |
| Tableau | 1621 North 34th Street Seattle, WA 98103 USA | Reporting |
| Zoom | 55 Almaden Boulevard, Suite 600, San Jose, CA 95113 | Conferences |