Data Processing Agreement
How Clincove processes personal data on behalf of customers using the clinical trial management platform.
This Data Processing Agreement ("DPA") forms part of the Terms and Conditions ("Agreement") between Clincove, Inc. ("Processor" or "Clincove") and the Customer identified in the applicable Order Form ("Controller" or "Customer"), and governs the processing of personal data by Clincove on behalf of the Customer in connection with the Clincove Platform.
1. Definitions
In this DPA, unless the context requires otherwise:
"Applicable Data Protection Law" means all laws and regulations relating to the processing of personal data applicable to the processing activities under this DPA, including but not limited to the GDPR (EU) 2016/679, UK GDPR, Swiss Federal Act on Data Protection (FADP), HIPAA, PIPL (China), and applicable U.S. state privacy laws (e.g., CCPA/CPRA).
"Data Subject" means the identified or identifiable natural person to whom personal data relates, including clinical trial participants, investigators, site staff, and other individuals whose data is processed through the Platform.
"Personal Data" means any information relating to a Data Subject that is processed by Clincove on behalf of the Customer through the Platform. For the avoidance of doubt, this includes Protected Health Information (PHI) as defined under HIPAA where applicable.
"Processing" means any operation or set of operations performed on personal data, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, alignment, combination, restriction, erasure, or destruction.
"Security Incident" means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored, or otherwise processed by Clincove.
"Sub-Processor" means any third party engaged by Clincove to process Personal Data on behalf of the Customer.
Terms not defined herein shall have the meanings ascribed to them in the Agreement, the GDPR, or HIPAA, as applicable.
2. Scope and Roles
2.1 Roles of the Parties
The Customer is the Controller (under GDPR) and/or Covered Entity or Business Associate (under HIPAA) that determines the purposes and means of processing Personal Data. Clincove is the Processor (under GDPR) and/or Business Associate (under HIPAA) that processes Personal Data on behalf of the Customer pursuant to the Customer's documented instructions.
2.2 Scope of Processing
| Element | Description |
|---|---|
| Subject Matter | Provision of the Clincove clinical trial management platform, including all current and future modules for clinical trial management, data capture, document and records management, regulatory compliance, and related clinical research operations |
| Duration | The Subscription Term as specified in the Order Form, plus any regulatory retention period |
| Nature of Processing | Collection, storage, retrieval, organization, structuring, use (for service delivery), transmission, and erasure of Personal Data within the Platform |
| Purpose of Processing | To provide the Platform services as described in the Agreement, including clinical trial management and operations, data capture and management, document and records management (including TMF and ISF), audit trail maintenance, regulatory compliance support, and such other services as described in the applicable Order Form |
| Categories of Data Subjects | Clinical trial participants/subjects, investigators and sub-investigators, clinical research coordinators, site staff, study monitors, data managers, and other clinical trial personnel |
| Categories of Personal Data | Subject identifiers (pseudonymized), demographic data, medical history, clinical observations, laboratory results, adverse event data, vital signs, concomitant medications, source medical records, professional contact information, authentication credentials |
| Special Categories of Data | Health data (medical records, diagnoses, treatment data, clinical trial observations), genetic data (where applicable to the clinical trial), and biometric data (where collected as part of clinical assessments) |
3. Obligations of the Processor
3.1 Processing Instructions
Clincove shall process Personal Data only on documented instructions from the Customer, including with regard to transfers of Personal Data to a third country or international organization. If Clincove is required by Applicable Data Protection Law to process Personal Data other than on the Customer's instructions, Clincove shall inform the Customer of that legal requirement before processing, unless prohibited by law.
3.2 Confidentiality
Clincove shall ensure that all persons authorized to process Personal Data have committed themselves to confidentiality obligations or are under an appropriate statutory obligation of confidentiality. Clincove shall limit access to Personal Data to those personnel who require such access for the purposes of performing Clincove's obligations under the Agreement.
3.3 Security Measures
Clincove shall implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of Data Subjects. These measures include, as a minimum:
- Encryption of Personal Data at rest (AES-256) and in transit (TLS 1.2+);
- Multi-factor authentication for all platform access;
- Role-based access controls with least-privilege enforcement;
- Pseudonymization of clinical trial subject identifiers where technically feasible;
- The ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services;
- The ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident;
- A process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures through independent security assessments; and
- Immutable, computer-generated audit trails recording all data access and modifications with timestamps and user identifiers.
3.4 Sub-Processing
The Customer grants Clincove general written authorization to engage Sub-Processors to process Personal Data on behalf of the Customer. Clincove shall:
- Maintain and make available to the Customer a current list of Sub-Processors;
- Notify the Customer of any intended changes to Sub-Processors (additions or replacements) at least thirty (30) days before the change takes effect;
- Enter into a written agreement with each Sub-Processor imposing data protection obligations no less protective than those set out in this DPA;
- Remain fully liable to the Customer for the performance of each Sub-Processor's obligations; and
- Conduct appropriate due diligence on Sub-Processors' data protection and security practices before engagement.
If the Customer objects to a new Sub-Processor on reasonable data protection grounds, the parties shall discuss the objection in good faith. If no resolution can be reached within thirty (30) days, the Customer may terminate the affected services without penalty.
3.5 Data Subject Rights
Clincove shall assist the Customer in fulfilling its obligation to respond to Data Subject requests, taking into account the nature of the processing. This includes providing the Customer with the ability to access, rectify, erase, restrict, or port Personal Data through Platform functionality or upon reasonable request. Clincove shall promptly notify the Customer if Clincove receives a request directly from a Data Subject and shall not respond to the request without the Customer's prior authorization, unless required by law.
3.6 Data Protection Impact Assessments
Clincove shall provide reasonable assistance to the Customer with data protection impact assessments (DPIAs) and prior consultations with supervisory authorities, to the extent required under Applicable Data Protection Law, taking into account the nature of the processing and the information available to Clincove.
3.7 Security Incident Notification
Clincove shall notify the Customer of any Security Incident without undue delay after becoming aware of the incident, and in no event later than seventy-two (72) hours. The notification shall include:
- A description of the nature of the Security Incident, including the categories and approximate number of Data Subjects affected and the categories and approximate number of Personal Data records affected;
- The name and contact details of Clincove's point of contact for further information;
- A description of the likely consequences of the Security Incident;
- A description of the measures taken or proposed to address the Security Incident, including measures to mitigate possible adverse effects; and
- All information reasonably necessary for the Customer to fulfill its own breach notification obligations under Applicable Data Protection Law.
3.8 Derived Data Carve-Out
The Customer acknowledges and agrees that Clincove may create Derived Data (as defined in the Agreement) by aggregating, de-identifying, and anonymizing Personal Data and Platform usage data. Derived Data is not Personal Data and is not subject to the processing restrictions or data subject rights provisions of this DPA. Clincove shall own all right, title, and interest in Derived Data and may use, commercialize, license, sell, and otherwise exploit Derived Data without restriction, as described in Section 5.4 of the Terms and Conditions. The Customer confirms that:
- It has the authority and all necessary consents to permit Clincove's creation and use of Derived Data;
- It has informed Data Subjects, through appropriate privacy notices and informed consent processes, that their data may be de-identified and used in aggregate form for commercial and research purposes; and
- Clincove's creation and use of Derived Data constitutes a documented instruction from the Customer within the meaning of Article 28(3)(a) of the GDPR.
All de-identification shall comply with the HIPAA de-identification standard at 45 CFR § 164.514(a), using either the Expert Determination method (45 CFR § 164.514(b)(1)) or the Safe Harbor method (45 CFR § 164.514(b)(2)), and shall meet the anonymization threshold described in Recital 26 of the GDPR, under which data that can no longer reasonably be related to an identified or identifiable natural person falls outside the Regulation. Clincove's rights to Derived Data survive termination of this DPA and the Agreement.
3.9 Return and Deletion of Data
Upon termination or expiration of the Agreement, and at the Customer's choice, Clincove shall either return all Personal Data to the Customer in a standard, machine-readable format or securely delete all Personal Data (including copies) within thirty (30) days following the data export period specified in the Agreement. Clincove shall provide written certification of deletion upon request. This obligation does not apply to: (a) Derived Data, which Clincove retains permanently; or (b) Personal Data that Clincove is required by Applicable Data Protection Law or clinical trial regulations to retain.
4. Obligations of the Controller
4.1 Lawful Processing
The Customer warrants that it has a lawful basis for the processing of all Personal Data provided to Clincove, including obtaining necessary consents, ethics committee approvals, and regulatory authorizations required for the collection and processing of clinical trial data.
4.2 Instructions
The Customer shall ensure that its processing instructions to Clincove comply with Applicable Data Protection Law. The Customer acknowledges that Clincove is not responsible for determining whether the Customer's instructions are lawful.
4.3 Data Subject Communication
The Customer is responsible for providing Data Subjects with all required privacy notices and for managing Data Subject rights requests, engaging Clincove's assistance as provided in Section 3.5.
5. Audits and Inspections
5.1 Audit Rights
Clincove shall make available to the Customer all information reasonably necessary to demonstrate compliance with this DPA, and allow for and contribute to audits, including inspections, conducted by the Customer or an independent auditor mandated by the Customer. Audit rights include:
- Documentation Audits: The Customer may request copies of Clincove's current security assessment reports, penetration test summaries, and other compliance documentation at any time.
- On-Site Audits: The Customer may conduct on-site audits of Clincove's data processing facilities with at least thirty (30) days' prior written notice, during normal business hours, and subject to reasonable confidentiality obligations. On-site audits are limited to one per year unless required by a supervisory authority or in response to a Security Incident.
- Regulatory Inspections: Clincove shall cooperate fully with regulatory authority inspections (e.g., FDA, EMA, MHRA, NMPA, data protection supervisory authorities) that relate to the Customer's use of the Platform or the processing of Personal Data.
5.2 Audit Costs
Documentation audits are provided at no additional cost. Costs for on-site audits (including Clincove personnel time beyond four (4) business hours) shall be borne by the Customer, unless the audit reveals material non-compliance by Clincove, in which case Clincove shall bear all reasonable audit costs.
6. HIPAA Business Associate Provisions
This Section 6 applies where the Customer is a Covered Entity or Business Associate under HIPAA and Clincove processes PHI on the Customer's behalf. This section, together with the remainder of this DPA, constitutes the Business Associate Agreement ("BAA") between the parties as required by 45 CFR § 164.502(e) and § 164.504(e).
6.1 Permitted Uses and Disclosures
Clincove shall not use or disclose PHI other than as permitted or required by this DPA, the Agreement, or as required by law. Clincove shall not use or disclose PHI in a manner that would violate the HIPAA Privacy Rule if done by the Customer.
6.2 Safeguards
Clincove shall implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of electronic PHI, in accordance with 45 CFR § 164.308, § 164.310, and § 164.312.
6.3 Reporting
Clincove shall report to the Customer any use or disclosure of PHI not provided for by this DPA of which Clincove becomes aware, including breaches of unsecured PHI as required by 45 CFR § 164.410.
6.4 Sub-Contractors
Clincove shall ensure that any agent or sub-contractor to whom it provides PHI agrees to the same restrictions and conditions that apply to Clincove under this DPA.
6.5 Access to PHI
Clincove shall make PHI available to the Customer as necessary to satisfy the Customer's obligations under 45 CFR § 164.524 (individual right of access).
6.6 Amendment of PHI
Clincove shall make PHI available for amendment and incorporate amendments to PHI as directed by the Customer, in accordance with 45 CFR § 164.526.
6.7 Accounting of Disclosures
Clincove shall maintain and make available information required to provide an accounting of disclosures in accordance with 45 CFR § 164.528.
6.8 Government Access
Clincove shall make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of the U.S. Department of Health and Human Services for purposes of determining compliance with HIPAA.
6.9 Termination
Upon termination of the Agreement, Clincove shall, if feasible, return or destroy all PHI received from or created on behalf of the Customer. If return or destruction is not feasible, Clincove shall extend the protections of this DPA to the retained PHI and limit further uses and disclosures to those purposes that make return or destruction infeasible.
7. International Data Transfers
Where the processing involves the transfer of Personal Data to a country outside the EEA, UK, or Switzerland that has not been recognized as providing an adequate level of data protection, the parties shall ensure that appropriate safeguards are in place in accordance with Chapter V of the GDPR. The parties hereby incorporate by reference the Standard Contractual Clauses (Module Two: Controller to Processor) adopted by European Commission Implementing Decision (EU) 2021/914, as supplemented, for transfers subject to the UK GDPR, by the UK International Data Transfer Addendum to those Standard Contractual Clauses.
8. Liability
Each party's liability under this DPA is subject to the limitations of liability set forth in the Agreement, except that: (a) the limitations shall not apply to either party's breach of its obligations under Applicable Data Protection Law that results in regulatory fines or penalties; and (b) each party shall be liable for its own violations of Applicable Data Protection Law. Nothing in this DPA limits either party's liability for damages resulting from its breach of Applicable Data Protection Law to the extent such limitation is prohibited by law.
9. Term and Termination
This DPA shall take effect on the date the Customer first provides Personal Data to Clincove through the Platform and shall remain in effect for as long as Clincove processes Personal Data on behalf of the Customer. Upon termination of the Agreement, Clincove shall fulfill its obligations under Section 3.9 (Return and Deletion of Data). Sections of this DPA that by their nature should survive termination (including confidentiality, liability, and regulatory retention obligations) shall survive.
10. Conflict
In the event of any conflict between this DPA and the Agreement, this DPA shall prevail with respect to the processing of Personal Data. In the event of any conflict between this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.
11. Governing Law
This DPA shall be governed by the same law that governs the Agreement, except to the extent that Applicable Data Protection Law requires the application of a different law (in which case, that law shall apply to the extent required).
12. Signatures
This DPA is entered into and becomes a binding part of the Agreement as of the date last signed below.
| Customer (Controller) | Clincove, Inc. (Processor) |
|---|---|
| Signature: ____________________________ | Signature: ____________________________ |
| Name: ____________________________ | Name: ____________________________ |
| Title: ____________________________ | Title: ____________________________ |
| Date: ____________________________ | Date: ____________________________ |