AtoMx™ SaaS Agreement

NANOSTRING TECHNOLOGIES, INC.

AtoMx Spatial Informatics Platform Software as a Service Agreement

Last Updated: September 14, 2022

The terms and conditions of this AtoMx™ Spatial Informatics Platform Software as a Service Agreement, together with Company’s quotation to Customer for the applicable Services as defined below and set forth therein, constitute a binding legal agreement (“Agreement”) by and between NanoString Technologies, Inc, with offices at 530 Fairview Ave N, Seattle, WA 98109 (“Company”) and the customer identified on the Order (defined below) (“Customer”) and governs Company’s provision of and Customer’s access to and use of the Services identified in the Order. By placing an order for the Services, Customer accepts and agrees to be bound by the terms and conditions in this Agreement.  There will be no force or effect to any different terms of any related purchase order or similar form

1. DEFINITIONS

1.1 “Customer Systems” means the systems and devices that Customer uses to access the Hosted Service.

1.2 “Documentation” means any manuals, instructions or other documents or materials that Company provides or makes available to Customer that describe the functionality, features or requirements of the Services. 

1.3 “Hosted Service” means Company’s proprietary software-as-a-service application platform to be provided under this Agreement pursuant to an Order. 

1.4 “Materials” means the Services and the Documentation.

1.5 “Order” means Customer’s order in response to sales quote from Company for Services hereunder, once such order has been confirmed by Company. 

1.6 “Personal Data” means any information that, individually or in combination, does or can identify a specific individual or by from which a specific individual may be identified, contacted or located. 

1.7 “Professional Services” means the implementation and training services, if any, identified in an Order.

1.8 “Services” means the Hosted Service, Support Services, and Professional Services, collectively, to be provided under this Agreement pursuant to an Order.

1.9 “Submitted Data” means data submitted by Customer to the Hosted Service’s web-accessible user interfaces, or any derivative data or results arising in connection with Customer’s processing or analysis of such data.

1.0 “Subscription Term” means the subscription term(s) for the Services as set forth in the applicable Order.

1.11 “Support Services” means the technical support services specified in Section 3.1 with respect to the Hosted Service.

1.12 “Third Party Content” means all text, files, images, graphics, illustrations, information, data, audio, video, photographs and other content and material that are obtained or derived from third party sources outside of Company and made available to Customer through or in conjunction with Customer’s use of the Materials.

2. SERVICES

2.1 Hosted Services. Subject to Customer’s ongoing compliance with the terms of this Agreement (including any additional limitations or restrictions set forth in the applicable Order and timely payment of all applicable fees), Company hereby grants to Customer a non-exclusive, non-transferable, non-sublicensable, internal right during the applicable Subscription Term to allow its employee-personnel and contractors (in each case who have expressly agreed to be bound by the terms of this Agreement) (“Authorized Users”) in the quantities specified in the applicable Order to access and use the Hosted Service, solely for Customer’s research purposes (the “Authorized Purpose”), and in any event, in accordance with and not to exceed in the aggregate during each period of the Subscription Term the applicable usage cap set forth on the Order (“Usage Cap”).  Customer recognizes that excess usage beyond the Usage Cap will result in additional fees charged by Company.  Customer and Company agree to cooperate in good faith to review Customer’s use of the Hosted Service in compliance with this section and Customer will promptly pay any additional reasonable fees charged in connection with such excess usage.  Customer will promptly notify Company in the event that Customer undergoes any changes that could lead to a material increase in its use of the Hosted Service (including as a result of any merger, acquisition or similar event affecting Customer).  Company has and will retain sole control over the operation, provision, maintenance and management of the Hosted Service.

2.2 Authorized Users.  Customer is responsible for: (a) identifying and authenticating all Authorized Users, (b) approving access by such Authorized Users to the Services, (c) controlling against unauthorized access by Authorized Users, (d) maintaining the confidentiality of usernames, passwords and account information, and (e) all activities that occur under its and its Authorized Users’ usernames, passwords or accounts as a result of Customer’s or Customer’s Authorized Users’ access to the Materials.  By associating Customer and its Authorized Users’ usernames, passwords, and accounts with Company, Customer accepts responsibility for the timely and proper termination of user records in the Customer Systems.  Company is not responsible for any harm caused by Customer’s Authorized Users, including individuals who were not authorized to have access to the Materials but who were able to gain access because usernames, passwords or accounts were not terminated on a timely basis in Customer Systems.  Customer will notify Company immediately of any unauthorized use.

2.3 Documentation.  Company grants customer a non-exclusive, non-sublicenseable, nontransferable license to use the Documentation during the Subscription Term solely for Customer’s internal purposes in connection with its use of the Services.

2.4 Professional Services. Subject to Customer’s timely payment of all applicable fees, Company will use commercially reasonable efforts to provide to Customer the Professional Services, if any, set forth in each Order.  Company will own and retain all right, title and interest, including all intellectual property and proprietary rights, in and to any work product or deliverables created in connection with the Professional Services. Nothing in this Agreement or any Order or attachment to this Agreement may be understood to prevent Company from developing similar work product or deliverables for other customers. 

2.5 Restrictions. Customer may not, directly or indirectly, and may not authorize any third party to: (a) decompile, disassemble, reverse engineer, or otherwise attempt to derive the source code, structure, ideas, algorithms, or associated know-how of, the Hosted Service, or reconstruct, or discover, any hidden or non-public elements of the Hosted Service or results provided in connection with Professional Services (except to the extent expressly permitted by applicable law notwithstanding this restriction); (b) translate, adapt, or modify the Hosted Service, any results of any Professional Services, or any portion of any of the foregoing; (c) write or develop any program based upon the Hosted Service, or any portion or software applications thereof, or otherwise use the Services in any manner for the purpose of developing, distributing or making accessible products or services that compete with any or all of the Services; (d) sell, sublicense, transfer, assign, lease, rent, distribute, or grant a security interest in the Services or any rights thereto; (e) use the Services, or export, sell or distribute any content or other portion thereof, for the benefit of, or allow access to the Services (or any content or other portion thereof) by, any third parties; (f) use the Services for any purpose other than the Authorized Purpose; (g) permit the Services to be used by any persons other than Authorized Users; (h) transmit unlawful, infringing, harmful, or other data or code to which Customer is no authorized to transmit, either to or from the Hosted Service; (i) alter or remove any trademarks or proprietary notices contained in or on the Hosted Services; (j) circumvent or otherwise interfere with any authentication or security measures of the Hosted Service, or otherwise interfere with or disrupt the integrity or performance thereof; or (k) otherwise use the Services or any Company IP (defined below) except as expressly permitted in this Agreement.  Customer acknowledges that Company may, but is under no obligation to, monitor Customer’s use of the Hosted Service.  Company may suspend Customer’s access to the Hosted Service for any period during which Customer is, or Company has a reasonable basis for alleging Customer is, in noncompliance with any of the prohibited actions in this Section.

2.6 Third-Party Components. Customer is solely responsible for obtaining all third-party technologies and connectivity necessary to access and use the Hosted Services.  In particular, Customer acknowledges that a high-speed Internet connection is required at all times in order to use the Hosted Service properly, and Customer agrees that it will maintain such a high-speed connection throughout the Subscription Term and that Company may not be obligated to provide  certain services to the extent that such high-speed connection is not in operation.  Customer acknowledges that Company engages third party solutions and services in connection with the hosting and operating of the Hosted Service and Company will have no warranty or other obligation with respect to such third party solutions and services.

3. SERVICE LEVELS; SUPPORT SERVICE

3.1 Service Levels.  Company will use commercially reasonable efforts to (i) provide the Hosted Service in accordance with industry standard service levels and support policies; (ii) maintain a disaster recovery plan; and (iii) implement commercially reasonable measures to secure the Hosted Service against unauthorized access to or alteration of Submitted Data (defined below); provided that Customer is solely responsible for maintaining the security and operability of the Customer Systems and ensuring timely transmission of, and the accuracy, quality, integrity, and reliability of, all Submitted Data.  

3.2 Support Services. Subject to Customer’s ongoing compliance with the terms of this Agreement (including timely payment of all applicable fees), Company agrees to (a) provide reasonable technical support to Customer, by email or telephone, during the hours of 9 a.m. to 5 p.m. Monday through Friday, excluding holidays; (b) use commercially reasonable efforts to respond to support requests in a timely manner, and to resolve such issues by providing updates and/or workarounds to Customer, consistent with Company’s assigned severity level to the issues identified in such requests and their impact on Customer’s business operations, in Company’s reasonable discretion; and/or (c) provide such other support services as are specified in the applicable Order (if any). 

3.3 Fixes. Customer is required to accept all patches, bug fixes, updates, maintenance and service packs (collectively, “Fixes”) necessary for the proper function and security of the Services, as such Fixes are generally released by Company.    

4. FEES; PAYMENT

4.1 Fees. For each Subscription Term, Customer will pay Company all fees of the type, amount and payment schedule set forth in the applicable Order (“Fees”), which may include, without limitation, fees for Hosted Services (“Subscription Fees”), and fees for Professional Services (“Professional Services Fees”). If Customer’s actual use of the Services exceeds the number of Authorized Users, Usage Cap, or other license or service units for which Subscription Fees have been paid under the applicable Order, then Customer must pay for such additional use at Company’s then-current rates. If fees for Professional Services are not set forth on an Order, such fees will be paid for Professional Services to be rendered at Company’s then prevailing time and material rates.  Except as otherwise expressly set forth in an applicable Order, all Fees are non-cancellable and non-refundable and non-recoupable.

4.2 Payment Terms. Unless otherwise set forth in the applicable Order, all Subscription Fees will be billed annually in advance, and all invoices for Fees are due and payable in United States dollars within 30 days after the invoice date, without deduction or setoff.  Interest accrues from the due date at the lesser of 1.5% per month or the highest rate allowed by law.

4.3 Taxes. Customer is responsible for all federal, state, local, sales, use, value added, excise, or other taxes, fees, or duties arising out of this Agreement or the transactions contemplated by this Agreement (other than taxes based on Company’s net income). 

5. PROPRIETARY RIGHTS

5.1 Reservation of Rights.  Customer acknowledges that Company owns and retains all rights, title and interest, including all intellectual property rights, in and to all technology, software, algorithms, user interfaces, trade secrets, techniques, designs, inventions, works of authorship and other tangible and intangible material and information pertaining to the Services (“Company IP”), and nothing in this Agreement will preclude or restrict Company from using or exploiting any concepts, ideas, techniques or know-how of or related to the Company IP or otherwise arising in connection with Company’s provision of the Services.  Other than as expressly set forth in this Agreement, no license or other rights in or to the Company IP are granted to Customer, and all such rights are expressly reserved to Company.  

5.2 Third Party Content.  As part of the Services, Company may provide Customer with access to Third Party Content.  The third party owner, author or provider of any such Third Party Content retains all ownership and intellectual property rights in and to that content, and Customer’s rights to use such Third Party Content are subject to, and governed by, the terms applicable to such content as specified by such third party owner, author or provider. All Third Party Content is provided on an “as is” and “as available” basis without any warranty of any kind. Company is not responsible for, and under no obligation to control, monitor, or correct Third Party Content, and may remove any Third Party Content in its discretion. 

6. TERM AND TERMINATION

6.1 Term. This Agreement will start on the first day of the Subscription Term for the applicable Services, unless terminated earlier in accordance with this Agreement, will continue until all Orders have expired or been terminated.  The term of each Order will begin on the date specified in such Order and continue, unless otherwise terminated in accordance with this Agreement, until the end of the last-to-expire Subscription Term of such Order.  Each Subscription Term will automatically renew for successive 12-month periods unless either party gives the other party notice of non-renewal at least 30 days before the current Subscription Term ends.

6.2 Termination. Either party may terminate this Agreement or any Order by written notice if the other party is in material breach of this Agreement or such Order, where such material breach is not cured within 30 days after written notice of such breach from the non-breaching party.  If Customer fails to pay within 15 days after written notice of nonpayment of any amounts owed to Company, such nonpayment will be deemed a material breach.  For the avoidance of doubt, Customer’s noncompliance with Section 2.5 is deemed a material breach of this Agreement.  This Agreement may be terminated by either party upon written notice with immediate effect upon the occurrence of a Bankruptcy Event regarding the other party.  “Bankruptcy Event” means the occurrence of any one or more of the following events in respect of such party: (a) it ceases to carry on its business; (b) a receiver or similar officer is appointed for its business, property, affairs or revenues and such proceedings continue for 45 days; (c) it becomes insolvent, admits in writing its inability to pay debts generally as they come due, is adjudicated bankrupt, or enters composition proceedings, makes an assignment for the benefit of its creditors or another arrangement of similar import; or (d) proceedings under bankruptcy or insolvency laws are commenced by or against it and are not dismissed with prejudice within 45 days.

6.3 Effect of Termination. Upon the effective date of expiration or termination of this Agreement for any reason: (a) all outstanding Orders and access to the Services will automatically terminate; (b) all outstanding payment obligations of Customer will become due and payable immediately; (c) Company will permit Customer to export its Submitted Data from the Hosted Service using the export features described in the Documentation for at least 45 days following such termination or expiration (after which time, Company has no further obligation to store or permit retrieval of such data).  Solely in the event of Customer’s termination of the Agreement for Company’s uncured material breach of the Agreement, Company will refund to Customer any pre-paid, unused fees for the terminated portion of the Subscription Term.  The following provisions will survive the expiration or termination of this Agreement for any reason: Sections 1, 2.5, 4 (with respect to Fee amounts due), 5, 6.3, 7, 9, 10, 11, and 13.

7. CONFIDENTIALITY

7.1 Definition. “Confidential Information” means (a) any information disclosed, directly or indirectly, by or on behalf of one party (“Discloser”) to the other party (“Recipient”) pursuant to this Agreement that is designated as “confidential,” or in some other manner to indicate its confidential nature, and (b) any information that otherwise should reasonably be expected to be treated in a confidential manner based on the circumstances of its disclosure or the nature of the information itself.  Without limiting the foregoing, the Company IP is Company’s Confidential Information, and Submitted Data is Customer’s Confidential Information.  However, Confidential Information does not include any information which (i) is or becomes generally known and available to the public through no act of the Recipient; (ii) was already in the Recipient’s possession without a duty of confidentiality at the time of the Discloser’s disclosure, as shown by the Recipient’s contemporaneous records; (iii) is lawfully obtained by the Recipient from a third party who has the express right to make such disclosure; or (iv) is independently developed by the Recipient without breach of an obligation owned to the Discloser and without use of or reference to Discloser’s Confidential Information.

7.2 Use; Maintenance. Neither party may use the other party’s Confidential Information for any purpose except to exercise its rights and perform its obligations under this Agreement.  Neither party may  disclose, or permit to be disclosed, either directly or indirectly, any Confidential Information of the other party, except: (a) to its advisors, or prospective investors or purchasers, in each case subject to written obligations of confidentiality, or (b) where the Recipient becomes legally compelled to disclose Confidential Information, notwithstanding the Recipient’s having given the Discloser’s prior notice of such legally compelled disclosure and a reasonable opportunity to seek a protective order or other confidential treatment for such Confidential information (if permitted by applicable law). Each party will take at least reasonable measures and care to protect the secrecy of, and avoid disclosure and unauthorized use of, the Confidential Information of the other party, and will take at least those measures that it takes to protect its own most highly confidential information. Notwithstanding anything to the contrary in this Section 7.2, Company’s sole and exclusive obligations with respect to the disclosure and protection of Submitted Data are as set forth in Sections 7.3 and 8. The Recipient acknowledges that a breach of this Section could cause irreparable harm to the Discloser for which monetary damages may not be ascertainable or an adequate remedy, and agrees that the Discloser will have the right, in addition to its other rights and remedies, to seek injunctive or other equitable relief in any court of competent jurisdiction.

7.3 Submitted Data. Submitted Data is considered Customer’s Confidential Information.  Submitted Data does not include any data or other routines generated by Company through any automated data analysis, processing or other normal operations of the Hosted Service.  Company may remove or restrict access to Submitted Data, including if Company believes such data may violate applicable law, if the source of such data becomes unavailable, or if a third party brings or threatens legal action against Company or a third party.  Customer represents that it has obtained necessary permissions or approvals as may be necessary for Customer to submit such Submitted Data to Company in connection with the delivery of the Services, that there is no software or materials subject to an “open source license” (as that term is commonly understood) included in the Submitted Data, and to comply with all laws applicable to Customer’s performance under this Agreement.  Customer agrees that Company may use on a worldwide, perpetual, revocable, royalty-free basis any Submitted Data, and other data made available to Company by or on behalf of Customer, in order for Company to make available the Hosted Service, and to perform its obligations with respect to the Services, to perform quality control activities, to conduct data analysis, to operate and improve Company’s products and services, to develop and offer new products and services, and to market, promote or publish general information about the Services. Customer may revoke its consent for Company to use as described above any Submitted Data and other data made available to Company by or on behalf of Customer at any time by emailing legal@nanostring.com with such revocation. 

7.4 Feedback. To the extent that Customer provides Company with any suggestions, requests or other feedback related to the Services or any of Company’s Confidential Information (collectively, “Feedback”), Customer hereby grants to Company a worldwide, perpetual, irrevocable, royalty-free, fully paid up license to use, modify, distribute, prepare derivative works of, or otherwise commercialize such Feedback including to improve the Services or to develop or offer new products and services.    

8. DATA PROTECTION

8.1 In performing the Services, Company will comply with the Data Security Policy attached in Exhibit A and the Data Processing Exhibit attached thereto as Addendum 1.

8.2 The Documentation specifies the administrative, physical, technical and other safeguards applied to Submitted Data on the Services, and describes other aspects of system management applicable to the Services.  Customer is responsible for any security vulnerabilities and the consequences of such vulnerabilities, arising from Submitted Data, including any viruses, Trojan horses, worms or other programming routines in Submitted Data that could limit or harm the functionality of a computer or that could damage, intercept or expropriate data.  Customer agrees that it will not upload, transmit, or otherwise provide any Customer Personal Data (as defined below) to the Hosted Service unless (i) specifically requested by Company (for example, when Company requests information about Customer to create an account) or (ii) otherwise agreed to by Company in writing. For example, Customer agrees not to provide the name, date of birth, address, identification number, or any other information that could directly or indirectly identify an individual to the Hosted Service. “Customer Personal Data” means any Submitted Data that constitutes Personal Data, including but not limited to: (i) protected health information as defined by the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”); (ii) personal data as defined by the GDPR (as defined in Exhibit A); or (iii) personal information as defined by the CCPA (as defined in Exhibit A). Notwithstanding the foregoing, Customer Personal Data does not include images of biological samples. In the event Customer inadvertently uploads, transmits, or otherwise provides Customer Personal Data to the Hosted Service, the parties shall work together in good faith to effectuate the return or destruction of such Customer Personal Data; provided, however, that Company shall not be liable for any harm or loss arising from or related to Customer’s disclosure of such Customer Personal Data. To the extent Company Processes Customer Personal Data on behalf of Customer in the context of the provision of the Services, the parties agree to comply with the terms of Addendum 1 to Exhibit A. In such case, Customer acknowledges and agrees that Customer, and not Company, is the Controller of all Customer Personal Data for purposes of the GDPR (as defined in Exhibit A) and similar Data Protection Laws (as defined in Exhibit A).  In cases where Customer is a Processor of Customer Personal Data, then Company shall Process such Submitted Data only as a subprocessor acting on behalf of Customer. 

8.3 Customer has and will retain sole responsibility for all Submitted Data, all information, instructions and material provided by or on behalf on Customer or any Authorized User in connection with the Services, Customer’s Systems.

8.4 The parties acknowledge and agree that Company does not create, receive, maintain, transmit, or otherwise process any protected health information as a business associate pursuant to the Services, as such terms are defined by HIPAA. 

9. REPRESENTATIONS AND WARRANTIES

9.1 Mutual.  Each party represents and warrants to the other party that: (a) it is duly organized, validly existing, and in good standing as a corporation or other entity under the laws of the jurisdiction of its incorporation or other organization; (b) it has the full right, power, and authority to enter into and perform its obligations and grant the rights, licenses, consents, and authorizations it grants or is required to grant under this Agreement; (c) the execution of this Agreement by its representative whose signature is set forth on the Order has been duly authorized by all necessary corporate or organizational action of such party; and (d) when executed and delivered by both parties, this Agreement will constitute the legal, valid, and binding obligation of such party, enforceable against such party in accordance with its terms.

9.2 By Customer.  Customer represents, warrants and covenants to Company that Customer owns or otherwise has and will have the necessary rights and consents in and relating to the Submitted Data so that, as received by Company and used in accordance with this Agreement, it does not and will not infringe, misappropriate, or otherwise violate any intellectual property rights or privacy rights of any third party or violate any applicable laws.  

10. INDEMNIFICATION

10.1 By Company. Company may (a) defend, or at its option settle, any claim brought against Customer by a third party to the extent it alleges that Customer’s use (as authorized in this Agreement) of a Service for which there is an active Subscription Term at the time of the claim constitutes a direct infringement of any intellectual property or proprietary rights of any third party (a “Claim”), and (b) pay any damages awarded in a final judgment (or amounts agreed in a monetary settlement) in any such Claim defended by Company; provided that Customer provides Company (i) prompt written notice of, (ii) sole control over the defense and settlement of, and (iii) all information and assistance reasonably requested by Company in connection with the defense or settlement of, any such Claim.  If any such Claim is brought or threatened, Company may, at its sole option and expense: (w) procure for Customer the right to continue to use the applicable Service; (x) modify the Service to make it non-infringing; (y) replace the affected aspect of the Service with non-infringing technology having substantially similar capabilities; or (z) if none of the foregoing is commercially practicable, terminate the Orders related to the applicable Service or this Agreement. Notwithstanding the foregoing, Company will have no liability to Customer (1) for any use of the Services in combination with software, products or services not provided by Company; to the extent that the Services would not be infringing but for such combination or modification; (2) for Customer’s failure to use the Services in accordance with this Agreement; or (3) for any claims related to Submitted Data.

10.2 Disclaimer. SECTION 10.1 STATES THE ENTIRE LIABILITY OF COMPANY, AND THE EXCLUSIVE REMEDY OF CUSTOMER, WITH RESPECT TO ANY ACTUAL OR ALLEGED INFRINGEMENT OF ANY INTELLECTUAL PROPERTY RIGHTS BY COMPANY, THE SERVICE OR OTHER COMPANY IP, OR ANY PART THEREOF.

10.3 By Customer. Notwithstanding anything to the contrary in Section 10.1, Customer will defend or, at its option, settle, any claim brought against Company by a third party alleging that the use by or on behalf of Company of the Submitted Data and/or any Company data obtained pursuant to a request from Customer in accordance with this Agreement infringes or misappropriates any third party’s rights or violates any laws; provided, that Company provides Customer with (1) prompt written notice of; (2) sole control over the defense and settlement of; and (3) all information and assistance reasonably requested by Customer in connection with the defense or settlement of, any such claim. Customer will not consent to the entry of judgment for or settlement of any such claim without Company’s prior written consent. Customer will pay all damages finally awarded against Company (or the amount of any settlement Customer enters into) with respect to such claim defended by Customer.  Company may participate in the defense and settlement of any such claim at its own expense, through counsel of its own choosing.

11. DISCLAIMER; LIMITATION OF LIABILITY

11.1 Disclaimer. EXCEPT AS EXPRESSLY SET FORTH IN THIS AGREEMENT (INCLUDING ANY ORDERS STILL IN EFFECT), COMPANY DISCLAIMS ALL WARRANTIES, WHETHER EXPRESS, IMPLIED OR STATUTORY, INCLUDING ANY AND ALL WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, LOSS OF DATA, ACCURACY OF RESULTS, OR OTHERWISE ARISING FROM A COURSE OF DEALING OR RELIANCE. COMPANY DOES NOT WARRANT THAT THE SERVICES WILL BE ERROR-FREE OR UNINTERRUPTED, THAT THE SERVICES WILL BE COMPATIBLE WITH ANY PARTICULAR DEVICE, THAT ANY DATA PROVIDED BY COMPANY THROUGH THE SERVICE WILL BE ACCURATE, OR THAT ITS SECURITY MEASURES WILL BE SUFFICIENT TO PREVENT THIRD PARTY ACCESS TO SUBMITTED DATA OR CUSTOMER’S DEVICES. COMPANY SPECIFICALLY DISCLAIMS ALL RESPONSIBILITY FOR ANY THIRD-PARTY SOFTWARE, PRODUCTS, OR SERVICES PROVIDED WITH THE COMPANY SERVICES AND FOR THE AVAILABILITY OR CUSTOMER’S USE OF ANY DATA OR INFORMATION STORED ON THE SERVICE.

11.2 Limitation of Liability. EXCEPT FOR A PARTY’S INDEMNIFICATION OBLIGATIONS OR A PARTY’S BREACH OF ITS CONFIDENTIALITY OBLIGATIONS, IN NO EVENT WILL EITHER PARTY BE LIABLE FOR ANY INDIRECT, SPECIAL, INCIDENTAL, EXEMPLARY, PUNITIVE, TREBLE, OR CONSEQUENTIAL DAMAGES (INCLUDING, WITHOUT LIMITATION, LOSS OF BUSINESS, REVENUE, PROFITS, GOODWILL, DATA, OR ECONOMIC ADVANTAGE, AND COSTS OF SUBSTITUTE GOODS OR SERVICES) ARISING OUT OF OR RELATING TO THIS AGREEMENT OR ITS TERMINATION, HOWEVER CAUSED, AND BASED ON ANY THEORY OF LIABILITY, WHETHER FOR BREACH OF CONTRACT, BREACH OF WARRANTY, TORT (INCLUDING NEGLIGENCE), PRODUCT LIABILITY, OR OTHERWISE, EVEN IF THE OTHER PARTY IS ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.  EXCEPT FOR A PARTY’S INDEMNIFICATION OBLIGATIONS, OR THE CUSTOMER’S PAYMENT OBLIGATIONS, NEITHER PARTY’S TOTAL LIABILITY (INCLUDING ATTORNEYS’ FEES) ARISING OUT OF OR RELATED TO THIS AGREEMENT WILL EXCEED THE AMOUNT PAID BY CUSTOMER UNDER THE ORDERS GIVING RISE TO THE CLAIM DURING THE 12-MONTH PERIOD PRIOR TO THE DATE THE CLAIM AROSE.  THESE LIMITATIONS WILL APPLY NOTWITHSTANDING ANY FAILURE OF THE ESSENTIAL PURPOSE OF ANY LIMITED OR EXCLUSIVE REMEDY.

12. TOOLS; ANALYSES

12.1 Company may use tools, scripts, software, and utilities (“Tools”) to monitor and administer the Services and help resolve any service requests.  The Tools will not collect or store any Submitted Data on the Services, except as necessary to provide the Services or troubleshoot service requests or other problems in the Services.  Information collected by the Tools (excluding Submitted Data) may also be used to assist in managing Company’s product and service portfolio, to help Company address deficiencies in its product and service offerings, and for license and Services management.

12.2 Company may audit Customer’s use of the Services to assess whether Customer’s use of the Services is in accordance with the Order.  Customer agrees to cooperate fully with Company’s audit and provide reasonable assistance and access to information as reasonably requested by Company in connection with any such audit.  Any such audit will not unreasonably interfere with Customer’s normal business operations.   Customer will pay within 30 days of written notification any fees applicable to Customer’s use of the Services in excess of its rights.  If Customer does not pay, then Company may end the Services and/or cancel Customer’s Order.  Company will have no responsibility for any costs incurred by Customer in cooperating with the audit.

13. GENERAL PROVISIONS

13.1 Changes. Company may make changes or updates to the Services during the Subscription Term, including to reflect changes in technology, industry practices, patterns of system use, and availability of Third Party Content; however any such changes will not result in a material reduction in the level of performance or availability of the applicable Services provided to Customer during the Subscription Term.

13.2 Assignment. Neither party may assign this Agreement or any of its rights or obligations under this Agreement without the prior written consent of the other party, except that either party may assign this Agreement without the consent of the other party upon written notice to the other party as part of a corporate reorganization, or upon a change of control, consolidation, merger, acquisition, sale of all or substantially all of its business or assets related to this Agreement, or a similar transaction or series of transactions.  Subject to the foregoing, this Agreement will be binding upon and inure to the benefit of the parties and their respective successors and permitted assigns.

13.3 Force Majeure; Delays. Except for the obligation to pay money, neither party will be liable for any failure or delay in its performance under this Agreement due to any cause beyond its reasonable control, including without limitation an act of war, terrorism, act of God, earthquake, flood, embargo, riot, sabotage, labor shortage or dispute, pandemic, epidemic or other public health crisis, governmental act or failure or degradation of the Internet.  The delayed party must give the other party notice of such cause and use commercially reasonable efforts to correct such failure or delay in performance. Company is not responsible or liable for any delay or failure of performance caused in whole or in part by Customer’s delay in performing, or failure to perform any of its obligations under the Agreement.

13.4 Governing Law. This Agreement will be governed by and construed under the laws of the State of Delaware without reference to conflict of laws principles. The application of the United Nations Convention of Contracts for the International Sale of Goods is expressly excluded. The parties hereby irrevocably consent to the personal jurisdiction and venue of the courts located in New Castle County, Delaware in connection with any claim or action arising out of or in connection with this Agreement.

13.5 Publicity.  Company may use Customer’s name as a reference for marketing or promotional purposes on Company’s website and in other communication with existing or potential Company customers, subject to any written trademark policies Customer may provide Company in writing, with reasonable advanced notice.  Neither party will issue any press release or publish or disseminate any white papers, case studies describing the activities taking place under this Agreement without the other party’s prior written consent, not to be unreasonably withheld.   

13.6 Miscellaneous. Each Order and all Exhibits attached to this Agreement are incorporated by reference into this Agreement. In the event of a conflict between the terms of this Agreement and an Order, the terms of this Agreement will prevail. This Agreement (together with any Orders) is the sole agreement of the parties concerning the subject matter hereof, and supersedes all prior and contemporaneous agreements and understandings with respect to said subject matter. This Agreement may not be modified or amended other than by a writing signed by authorized representatives of both parties. No preprinted or other terms of any purchase order, acknowledgement, or other form provided by Customer will modify this Agreement, regardless of any failure of Company to object to such terms.  Any ambiguity in this Agreement will be interpreted without regard to which party drafted this Agreement or any part thereof.  There are no third party beneficiaries to this Agreement, and Customer acknowledges that Company will have no obligations or liability whatsoever with any third parties with which Customer does business.  The headings in this Agreement are inserted for convenience and are not intended to affect the interpretation of this Agreement.  Customer agrees to comply with all applicable export control laws and regulations related to its use of Company IP.  Any required notice will be given in writing by customary means with receipt confirmed at the address of each party set forth above or on the Order, as applicable, or to such other address as either party may substitute by written notice to the other, and, with respect to notices to the Company, shall include a courtesy copy via email (not constituting formal notice) to legal@nanostring.com.  Notices will be deemed to have been given at the time of actual delivery in person, 1 day after delivery to an overnight courier service, or 3 days after deposit in certified mail.  The relationship between the parties is that of independent contractors.  Waiver of any term of this Agreement or forbearance to enforce any term by either party shall not constitute a waiver as to any subsequent breach or failure of the same term or a waiver of any other term of this Agreement.  Any provision found to be unlawful, unenforceable or void shall be severed from the remainder of this Agreement, and the remainder of this Agreement will continue in full force and effect without said provision. 

Exhibit A
Data Security Policy

  1. Definitions. Company and Customer will each comply with their respective obligations under applicable Data Protection Laws (as defined below) and regulations relating to the processing of Personal Data and to the Data Processing Exhibit set forth in Addendum 1 hereto, including the Standard Contractual Clauses. 
  2. Subcontractors. If Company subcontracts any portion of the Hosted Service or support, training or configuration services to a third party, Company (a) will cause the subcontractor to agree in writing to comply with obligations not materially less protective than those contained in the Agreement and this Exhibit A if and to the extent the subcontractor processes Customer’s Personal Data; and (b) remains responsible for any acts or omissions of its subcontractors in the same manner as for its own acts and omissions. 
  3. Data Processing Guidelines. If Submitted Data is supplied or released by Customer to Company under the Agreement and constitutes or contains any Personal Data, then the following guidelines will apply:
    1. Company will process such Personal Data only in accordance with the Data Processing Exhibit, including the Standard Contractual Clauses, and Customer’s lawful and reasonable instructions.
    2. Company has taken and will, on a continuing basis, take appropriate technical and organizational measures to keep such Personal Data secure and protect such Personal Data against unauthorized or unlawful processing and accidental loss, destruction or damage, as further set forth in Section 4 below, with Company ensuring a level of security appropriate to: (i) the harm that might result from the unauthorized or unlawful processing of or accidental loss, destruction or damage to such Personal Data; and (ii) the nature of the Personal Data to be protected.
    3. Company will use commercially reasonable efforts to ensure that those employees to whom it grants access to such Personal Data are appropriately trained.
    4. Company will, upon Customer’s reasonable request, provide such information and documentation as may be necessary for Customer to reasonably satisfy itself of Company’s compliance with this Exhibit A.
    5. Company will notify Customer without delay in relation to any contact or communication it receives from any regulatory authority (if permissible) or any subject of the Personal Data related to any data processing activities it conducts on Customer’s behalf.  Company will not attempt to respond to such a request without the Customer’s prior written consent.
  4. Technical and Organizational Measures. Company will implement and maintain measures with respect to the hosting of Submitted Data (including any Personal Data) that are not materially less than those described in this Exhibit by applying industry standard security practices in accordance with Company’s then current security policies. These include:
    1. Control of use and access to Submitted Data, which aims to protect data processing systems from unauthorized use, including: 
      1. User control that may include measures comparable to the following:
        1. identification of the terminal and/or the terminal user to the system of Company,
        2. automatic turn-off of user IDs when several erroneous passwords are entered, log file of events, (monitoring of break-in-attempts),
        3. issuing and safeguarding of identification codes,
        4. dedication of individual terminals and/or terminal users, identification characteristics exclusive to specific functions;
        5. Monitoring capability with respect to individuals who delete, add or modify the exported data;
        6. Automatic, system-driven reminders of the restrictions to accessing the exported data appearing upon each attempt to access system data and permanent reminders of the same on each screen from which the exported data may be accessed;
        7. Effective and measured disciplinary action against individuals who access data without authorization.
    2. Control of data transmission, which aims to ensure that Submitted Data cannot be read, copied, modified or removed without authorization during transmission or transport (whether electronic or not). In addition, it should be possible to check and establish to whom the Submitted Data will be transmitted (for example, by keeping logs of data transfers and mobile data carriers, the encryption of electronic data and the control of remote access to databases).  This may include measures implemented by Customer and Company comparable to the following:
      1. Documentation of the retrieval and transmission programs;
      2. Documentation of the remote locations/destinations to which a transmission is intended, and of the transmission paths (logical paths);
      3. Transmission of data over private lines within firewalls of the network of the data importer, use of encrypted transport protocols or by means of data carriers (tapes and cartridges);
      4. Monitoring of the completeness and correctness of the transfer of data (end-to-end check).
    3. Input control, which aims to ensure that it is possible to check and establish whether and by whom Submitted Data has been input into data processing systems, modified or removed.  This may include measures comparable to the following:
      1. Proof established within Company’s organization of the input authorization; 
      2. Electronic recording of entries.
    4. Availability control, which aims to ensure that Submitted Data is protected from accidental destruction or loss.  This may include measures comparable to the following:
      1. Virus protection;
      2. Regular backups;
      3. The implementation, regular testing and maintenance of a business continuity and disaster recovery plan.

Addendum 1 to Exhibit A
Data Processing Exhibit

This Data Processing Exhibit is an addendum to Exhibit A to the Agreement between Company and Customer and sets forth the obligations of the parties with regard to the Processing of Personal Data pursuant to such Agreement.

1. Definitions

In this Data Processing Exhibit:

Controller”, “Data Subject”, “Personal Data Breach”, “Processing”/”Process”, “Processor”, and “Supervisory Authority” have the meaning given to them in Data Protection Laws. 

CCPA” means the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., and its implementing regulations. 

DPE” means this Data Processing Exhibit including any appendices, annexures, documents, or schedules incorporated by reference. 

Data Protection Laws” means all data protection laws applicable to the Processing of Personal Data under this DPE, including local, state, national and/or foreign laws, treaties, and/or regulations, including without limitation the GDPR, the e-Privacy Directive 2002/58/EC (as amended by Directive 200+/136/EC), their national implementations in the European Economic Area (“EEA”), including the European Union (“EU”), and all other data protection laws of the EEA, the United Kingdom (“UK”), and Switzerland;  and the CCPA, in each case as may be amended or superseded from time to time.

Data Subject Rights” means Data Subjects’ rights to information, access, rectification, erasure, restriction, portability, objection, the right to withdraw consent, and the right not to be subject to automated individual decision-making in accordance with Data Protection Laws.

GDPR” means either or both the General Data Protection Regulation (EU) 2016/679 (“EU GDPR“) and the EU GDPR as it forms part of UK law by virtue of section 3 of the European Union (Withdrawal) Act 2018 (“UK GDPR“) as the context may require.

International Data Transfer” means any disclosure of Personal Data by an organization subject to Data Protection Laws to another organization located outside the EEA, the UK, or Switzerland. 

Standard Contractual Clauses” or (“SCCs”) means the clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, as amended or replaced from time to time .

Subprocessor” means a Company affiliate or third-party entity engaged by Company or a Company affiliate as a Processor under this DPE.

Subprocessor List” means the subprocessor list identifying the Subprocessors that are authorized to Process Customer Personal Data, accessible through Company’s website (located at nanostring.com).

Third-Party Controller” means a Controller for which Customer is a Processor.

UK Addendum” means the addendum to the SCCs issued by the UK Information Commissioner under Section 119A(1) of the UK Data Protection Act 2018 (version B1.0, in force March 21, 2022).

Capitalized terms used but not defined herein have the meaning given to them in the Agreement.

2. Processing Customer Personal Data 

2.1 Scope and Role of the Parties. This DPE applies to the Processing of Customer Personal Data by Company subject to Data Protection Laws to provide the Services. For the purposes of this DPE, Customer is the Controller and appoints Company as a Processor on behalf of Customer. Customer is responsible for compliance with the requirements of Data Protection Laws applicable to Controllers. If Customer if a Processor on behalf of a Third-Party Controller, then Customer: is the single point of contact for Company, must obtain all necessary authorizations from such Third-Party Controller; undertakes to issue all instructions and exercise all rights on behalf of such other Third-Party Controller; and is responsible for compliance with the requirements of Data Protection Laws applicable to Processors. Customer acknowledges that Company may Process Customer Personal Data relating to the operation, support, or use of the Services for its own business purposes, such as billing, account management, data analysis, benchmarking, technical support, product development, and compliance with law. Company is the Controller for such Processing and will Process such data in accordance with Data Protection Laws.

2.2 Instructions for Processing. Company shall Process Customer Personal Data to provide the Services in accordance with Customer’s documented instructions. Customer instructs Company to Process Customer Personal Data to provide the Service in accordance with the Agreement (including this DPE) and any applicable Order. Customer may reasonably provide additional instructions to Company to Process Customer Personal Data, however, Company shall be obligated to perform such additional instructions only if they are consistent with the terms and scope of the Agreement and this DPE; and Company may charge a reasonable fee to comply with any additional instructions. To the extent the CCPA applies to Customer Personal Data, Company will not (i) Sell Customer Personal Data, nor (ii) retain, use or disclose Customer Personal Data for any purpose other than to provide the Covered Service in accordance with the Agreement. The term “Sell” shall have the meaning set forth in the CCPA. 

2.3 Compliance with Laws. Customer obtain all necessary consents, and provide all necessary notices to Data Subjects to enable Company to carry out lawfully the Processing contemplated by this DPE. Unless prohibited by applicable law, Company will inform Customer if Company is subject to a legal obligation that requires Company to Process Customer Personal Data in contravention of Customer’s documented instructions. 

3. Subprocessors 

3.1 Use of Subprocessors. Customer hereby agrees and authorizes Company and Company’s affiliates to engage Subprocessors. Company or the relevant Company’s affiliate shall ensure that such Subprocessor has entered into a written agreement that is no less protective than this DPE. Company shall be liable for the acts and omissions of any Subprocessors to the same extent as if the acts or omissions were performed by Company. 

3.2 Notification of New Subprocessors. Company shall make available to Customer a Subprocessor List and provide Customer with a mechanism to obtain notice of any updates to the Subprocessor List. At least thirty (30) days prior to authorizing any new Subprocessor to Process Customer Personal Data, Company shall provide notice to Customer by updating the Subprocessor List.

3.3 Subprocessor Objection Right. This Section 3.3 shall apply only where and to the extent that Customer is established within the EEA, the UK or Switzerland or where otherwise required by Data Protection Laws applicable to Customer. In such event, Customer may object to the addition of a Subprocessor based on reasonable grounds relating to a potential or actual violation of Data Protection Laws by providing written notice detailing the grounds of such objection within thirty (30) days following Company’s notification of the intended change. Customer and Company will work together in good faith to address Customer’s objection. If Company chooses to retain the Subprocessor, Company will inform Customer at least thirty (30) days before authorizing the Subprocessor to Process Customer Personal Data, and Customer may immediately discontinue using the relevant parts of the Services, and may terminate the relevant parts of the Services within thirty (30) days. 

4. Assistance

4.1 Assistance. Taking into account the nature of the Processing, and the information available to Company, Company will assist Customer, including, as appropriate, by implementing technical and organizational measures, with the fulfillment of Customer’s own obligations under Data Protection Laws to comply with requests to exercise Data Subject Rights (“Data Subject Requests”). Company may charge a reasonable fee for assistance under this section 4.1. If Company is at fault, Company and Customer shall each bear their own costs related to such assistance. 

4.2 Handling of Data Subject Requests. For the avoidance of doubt, Customer is responsible for responding to Data Subject Requests. If Company receives a Data Subject Request or other complaint from a Data Subject regarding the Processing of Customer Personal Data, Company will promptly forward such request or complaint to Customer, provided the Data Subject has given sufficient information for Company to identify Customer. 

5. Company Personnel

Company will ensure that all personnel authorized to Process Customer Personal Data are subject to an obligation of confidentiality.

6. Personal Data Breach

Company will notify Customer without undue delay after becoming aware of a Personal Data Breach involving Customer Personal Data. If Company’s notification is delayed, it will be accompanied by reasons for the delay. 

7. Security of Processing 

7.1 Taking into account the state of the arts, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Company will implement and maintain appropriate technical and organizational measures to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data as described in Schedule 2 to this Addendum. 

7.2 Customer acknowledges that the security measures in Schedule 2 are appropriate in relation to the risks associated with Customer’s intended Processing and will notify Company prior to any intended Processing for which Company’s security measures may not be appropriate. 

8. Audit 

Customer agrees that, to the extent applicable, Company’s then-current audit reports (reflecting customary industry-standards, as may be updated from time-to-time by the Company in its sole discretion) will be used to satisfy any audit or inspection requests by or on behalf of Customer, and Company shall make such reports available to Customer.

9. Return and Deletion of Customer Personal Data 

Upon termination of the Services, Company shall return and delete Customer Personal Data in accordance with the relevant provisions of the Agreement. 

10. Transfers of European Customer Personal Data 

10.1 Customer hereby authorizes Company to perform International Data Transfers to any country deemed adequate by the European Commission or the competent authorities, as appropriate; on the basis of adequate safeguards in accordance with Data Protection Laws; or pursuant to the SCCs referred to in Sections 10.2 and 10.3.

10.2 By signing this DPA, Company and Customer conclude Module 2 (controller-to-processor) of the SCCs and, to the extent Customer is a Processor on behalf of a Third-Party Controller, Module 3 (Processor-to-Subprocessor) of the SCCs, which are hereby incorporated and completed as follows: the “data exporter” is Customer; the “data importer” is Company; the optional docking clause in Clause 7 is implemented; Option 2 of Clause 9(a) is implemented and the time period therein is specified in Section 3 above; the optional redress clause in Clause 11(a) is struck; Option 1 in Clause 17 is implemented and the governing law is the law of the Netherlands; the courts in Clause 18(b) are the Courts of the Netherlands, Amsterdam; Annex I and II to Module 2 of the SCCs are Annex I and II to this DPE respectively. For International Data Transfers from Switzerland: (i) Data Subjects who have their habitual residence in Switzerland may bring claims under the SCCs before the courts of Switzerland and (ii) the SCCs cover Customer Personal Data pertaining to legal entities until the entry into force of the revised Swiss Federal Act on Data Protection of 2020.

10.3 By signing this DPE, Company and Customer conclude the UK Addendum, which is hereby incorporated and applies to International Data Transfers outside the UK. Part 1 of the UK Addendum is completed as follows: (i) in Table 1, the “Exporter” is Customer and the “Importer” is Company, their details are set forth in this DPE, and the Agreement; (ii) in Table 2, the first option is selected and the “Approved EU SCCs” are the SCCs referred to in Section 10.2 of this DPE; (iii) in Table 3, Annexes 1 (A and B) to the “Approved EU SCCs” are  Annex I, and II to this DPE respectively; and (iv) in Table 4, both the “Importer” and the “Exporter” can terminate the UK Addendum.

10.4 If Company’s compliance with Data Protection Laws applicable to International Data Transfers is affected by circumstances outside of Company’s control, including if a legal instrument for International Data Transfers is invalidated, amended, or replaced, then Customer and Company will work together in good faith to reasonably resolve such non-compliance. In the event that additional, replacement or alternative standard contractual clauses or UK standard contractual clauses are approved by Supervisory Authorities, Company reserves the right to amend the Agreement and this DPE by adding to or replacing, the standard contractual clauses or UK standard contractual clauses that form part of it at the date of signature in order to ensure continued compliance with Data Protection Laws.

11. Additional European Terms 

11.1 Description of Processing. The agreed subject-matter, the nature, purpose and duration of Processing, the types of Personal Data and categories of Data Subjects are set forth in Schedule 1 to this DPE. 

11.2 Data Protection Impact Assessments and Prior Consultations. Taking into account the nature of the Processing, and the information available to Company, Company will assist Customer, including, as appropriate, by implementing technical and organizational measures, with the fulfillment of Customer’s own obligations under Data Protection Laws to: conduct Data Protection Impact Assessments, and prior consultations with Supervisory Authorities; and notify a Personal Data Breach. Company may charge a reasonable fee for assistance under this Section 11.2. If Company is at fault, Company and Customer shall each bear their own costs related to assistance.

12. General Provisions 

12.1 Customer Affiliates. Customer is responsible for coordinating all communication with Company on behalf of its affiliates with regard to this DPE. Customer represents that it is authorized to enter into this DPE and any Standard Contractual Clauses entered into under this DPE (and to the addition of other affiliates to such Standard Contractual Clauses, as applicable), issue instructions, and make and receive any communications or notifications in relation to this DPE on behalf of its affiliates.

12.2 Termination. The term of this DPE will end simultaneously and automatically at the later of (i) the termination of the Agreement or, (ii) when all Customer Personal Data is deleted from Company’s systems. 

12.3 Conflict. This DPE is subject to the non-conflicting terms of the Agreement. With regard to the subject matter of this DPE, if inconsistencies between the provisions of this DPE and the Agreement, including any of its Exhibits, arise, the provisions of this DPE shall prevail. 

12.4 Remedies. Customer’s remedies (including those of its affiliates) with respect to any breach by Company, its affiliates and Subprocessors of the applicable terms of this DPE, and the overall aggregate liability of Company and its affiliates arising out of, or in connection with the Agreement (including this DPE) will be subject to any aggregate limitation of liability that has been agreed between the parties under the Agreement. 

ANNEX 1
DESCRIPTION OF PROCESSING

A. LIST OF PARTIES

Data Exporter(s): Customer

  • Name and Address: As set forth in the introduction paragraph of the Agreement 
  • Contact details: The individuals designated as named contacts by Customer in Customer’s account
  • Relevant Activities: Use of the Company’s Services pursuant to the Agreement.
  • Role (controller/processor): controller and/or processor 

Data importer(s): Company

  • Name and Address: As set forth in the introduction paragraph of the Agreement
  • Contact details: legal@nanostring.com  
  • Relevant Activities: Provision and support of the Services pursuant to the Agreement.
  • Role (controller/processor): processor 

B. DESCRIPTION OF TRANSFER

  • See Schedule 1 for details of processing of Customer Personal Data.

COMPETENT SUPERVISORY AUTHORITY 

  • For purposes of Clause 13, Customer agrees the competent supervisory authority will be the Dutch Data Protection Authority.

ANNEX 2
TECHNICAL AND ORGANIZATIONAL MEASURES

Description of the technical and organizational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.

  • The description of technical and organizational measures designed to ensure the security of Customer Personal Data is described more fully in Schedule 2 to the Addendum. 

For transfers to Subprocessors, also describe the specific technical and organizational measures to be taken by the Subprocessor to be able to provide assistance to the controller and, for transfers from a processor to a Subprocessor, to the data exporter.

  • The description of technical and organization measures designed to ensure the security of Customer Personal Data is described more fully in Schedule 2 to the Addendum.

Schedule 1 to the Addendum
Details of Processing of Personal Data

1.1 Subject Matter of ProcessingThe subject matter of Processing is the provision of the Services pursuant to the Agreement.
1.2 Duration of ProcessingThe Processing will continue until the expiration or termination of the Agreement. 
1.3 Categories of Data SubjectsCustomers/clients or end-users Customer’s employees, personnel, staff and contractors Customer’s patients or study subjects Physicians or staff affiliated with Customer’s patients or study subjects 
1.4 Nature and Purpose of ProcessingIncludes the following: The purpose of Processing of Customer Personal Data by Company is the performance of the Services pursuant to the Agreement.
1.5 Types of Customer Personal DataIncludes the following:
Name, email address, postal address, electronic data such as geolocation, IP address and analytics. 
1.6 Sensitive Personal Data TransferredIncludes the following: To the extent submitted by Customer: study/research data, genetic and biometric data, and clinical data. Applied restrictions or safeguards to protect sensitive personal data are as provided in Schedule 2 to the Addendum.
1.7 Frequency of Transfer of DataUpon transfer by Customer of Customer Personal Data to Company in connection with its utilization of the Services pursuant to the Agreement.
1.8 Period for which Customer Personal Data will be retainedThe period for which the Customer Personal Data will be retained, to the extent it may be retained, is more fully described in the Agreement, Addendum, and accompanying applicable Orders.
1.9 Obligations and Rights of CustomerThe obligations and rights of Customer as a controller are set out in the Agreement and this Addendum.

Schedule 2 to the Addendum
Information Security Controls

Measures For:Descriptions
pseudonymization and encryption of personal dataImplement and maintain modern and industry standard encryption mechanism and pseudonymize data as applicable to the Services provided.
ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and servicesImplement and maintain a formal information security program that considers the ongoing confidentiality, integrity, availability, and processing of systems.
ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incidentImplement and maintain measures to ensure the availability of data according to industry standards. Measures should include backup procedures, geographical separation, and redundancy.
regularly testing, assessing and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processingImplement a review program for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures using a risk-based approach (risk assessment and internal audit) and periodically by a qualified third party (external and penetration test). Mitigation and remediation actions required based on the results of such testing, should be documented and executed in a timely manner.
user identification and authorization Implement and maintain mechanisms for establishing identity and accountability including unique ID, strong password, and multifactor authentication. 
the protection of data during transmissionImplement and maintain industry standard encryption protocols for encrypting data in transit, including but not limited to logins and sensitive data transfers.
the protection of data during storageImplement and maintain industry standard encryption protocols for encrypting data at rest.
ensuring physical security of locations at which personal data are processed Implement and maintain physical security measures for locations used for data processing and storage.
ensuring events loggingImplement and maintain controls around logging, monitoring, and alerting based on pre-defined thresholds. 
ensuring system configuration, including default configuration Implement and maintain a formal hardening standard to ensure that configurations of system align with NIST, ISO, or equivalent guidance.
internal IT and IT security governance and managementImplement and maintain measures to ensure that IT policy and control are established and communicated, understood, and acknowledged throughout the organization.
certification/assurance of processes and productsImplement and maintain external certification and attestation of systems and controls used to secure the process information relevant to the services provided (SSAE 18/SOC 2, ISO 27701, ISO 27001, External Pen test, etc.)
ensuring data minimizationImplement and maintain controls to limit data collected through the Services provided and limit the use of data to the agreed upon uses or for providing the Services.
ensuring data qualityImplement and maintain controls to maintain the accuracy, completeness, and consistency of data over its life cycle.
ensuring limited data retentionImplement and maintain controls for deleting data according to request or agreed upon terms of retention post termination of the agreement.
ensuring accountabilityImplement and maintain measures to ensure accountability and responsibility for security, privacy, and breach notification.
allowing data portability and ensuring erasureImplement and maintain measures to allow for portability of data and ensuring complete erasure upon request or contract term. 
transfers to processors or subprocessors, also describe the specific technical and organizational measures to be taken by the processor or subprocessor to be able to provide assistance to the controller and, for transfers from a processor to a subprocessor, to the data exporter:
Company remains committed to provide commercially reasonable cooperation and assistance to controllers. As set forth in the Addendum, Company will delete or return Customer Personal Data in accordance with the prior written instructions of the Customer. In addition, upon request, Company will, to the extent not prohibited by law, reasonably assist the Customer in responding to any data subject request. Further, if Company engages a subprocessor pursuant to the Addendum, Company is required to first enter into an agreement with such subprocessor that contains data processing obligations substantially similar to those contained in the Addendum.

Jump to terms and conditions for: