This Data Processing Agreement ("DPA") is entered into as of [Date] ("Effective Date") and forms part of the Master Service Agreement or Terms of Service ("Principal Agreement") between:
Data Controller: [Customer Legal Entity Name], a company organized and existing under the laws of [Jurisdiction], with its registered office at [Address] ("Controller" or "Customer");
Data Processor: ArcaScience SAS, a company organized and existing under the laws of France, with its registered office at 42 Rue de Lisbonne, 75008 Paris, France, registered with the Paris Trade and Companies Register under number [RCS Number] ("Processor" or "ArcaScience");
each a "Party" and together the "Parties."
This DPA template is provided for informational and negotiation purposes. It should be reviewed by qualified legal counsel before execution. Bracketed fields [like this] require completion by the Parties. This template is compliant with GDPR Article 28 requirements and incorporates the European Commission's Standard Contractual Clauses (SCCs) by reference where applicable for international data transfers.
Article 1. Definitions and Interpretation
1.1 In this DPA, unless the context otherwise requires, the following terms shall have the meanings set out below. Terms not defined herein shall have the meanings ascribed to them in the GDPR or the Principal Agreement.
1.2 "Applicable Data Protection Law" means all laws and regulations applicable to the Processing of Personal Data under this DPA, including but not limited to: (a) Regulation (EU) 2016/679 (General Data Protection Regulation, "GDPR"); (b) the GDPR as incorporated into United Kingdom law ("UK GDPR"); (c) the Swiss Federal Act on Data Protection ("FADP"); (d) the French Loi Informatique et Libertés; and (e) any other applicable data protection legislation in the jurisdictions in which the Controller or Processor operate.
1.3 "Authorized Sub-processor" means a third party engaged by the Processor to process Personal Data on behalf of the Controller, as listed in Annex 2 of this DPA.
1.4 "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed by the Processor on behalf of the Controller.
1.5 "Data Subject" means an identified or identifiable natural person to whom the Personal Data relates.
1.6 "Personal Data" means any information relating to a Data Subject that is processed by the Processor on behalf of the Controller in connection with the Platform Services, as further described in Annex 1.
1.7 "Platform Services" means the ArcaScience benefit-risk analysis platform and related services provided to the Controller pursuant to the Principal Agreement.
1.8 "Processing" means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
1.9 "Standard Contractual Clauses" ("SCCs") means the standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission pursuant to Commission Implementing Decision (EU) 2021/914.
1.10 "Technical and Organizational Measures" ("TOMs") means the security measures implemented by the Processor as described in Annex 1 of this DPA.
1.11 In the event of any conflict between this DPA and the Principal Agreement, this DPA shall prevail with respect to the Processing of Personal Data. The recitals to this DPA form an integral part of the agreement.
Article 2. Scope and Purpose of Processing
2.1 This DPA applies to the Processing of Personal Data by the Processor on behalf of the Controller in connection with the provision of the Platform Services under the Principal Agreement.
2.2 The subject matter, duration, nature, and purpose of Processing, the types of Personal Data, and the categories of Data Subjects are described in the following table and further detailed in Annex 1:
| Element | Description |
|---|---|
| Subject matter | Processing of Personal Data in connection with the Controller's use of the ArcaScience benefit-risk analysis platform for pharmaceutical and clinical data analysis |
| Duration | For the term of the Principal Agreement, plus such additional period as is necessary for the Processor to delete or return all Personal Data in accordance with Article 11 |
| Nature of Processing | Collection, storage, organization, structuring, retrieval, consultation, use (including AI/ML-based analysis), alignment, combination, pseudonymization, and erasure |
| Purpose of Processing | To provide the Platform Services as described in the Principal Agreement, including: benefit-risk analysis modeling, pharmacovigilance signal management, clinical data analysis, report generation, and regulatory submission support |
| Types of Personal Data | Pseudonymized clinical trial participant data; adverse event reporter information; healthcare professional identifiers; Controller employee account data (names, email addresses, roles); usage data and access logs |
| Special categories of data | Health data (clinical and pharmacovigilance data) processed in pseudonymized form; genetic data only if explicitly included by Controller in datasets uploaded to the Platform |
| Categories of Data Subjects | Clinical trial participants (pseudonymized); adverse event reporters; healthcare professionals; Controller's employees and authorized users |
2.3 The Processor shall process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country or international organization, unless required to do so by Union or Member State law to which the Processor is subject; in such a case, the Processor shall inform the Controller of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest.
Article 3. Controller's Obligations
3.1 The Controller warrants and undertakes that:
- (a) it has a lawful basis for Processing the Personal Data and for instructing the Processor to process the Personal Data on its behalf, in accordance with Applicable Data Protection Law;
- (b) it has provided all necessary notices to, and obtained all necessary consents or authorizations from, Data Subjects or other relevant parties as required by Applicable Data Protection Law;
- (c) it shall ensure that its instructions to the Processor comply with Applicable Data Protection Law and that the Processing of Personal Data in accordance with such instructions will not cause the Processor to violate any Applicable Data Protection Law;
- (d) it has conducted, and shall maintain, a data protection impact assessment where required by Article 35 of the GDPR in connection with the Processing activities covered by this DPA;
- (e) it shall implement appropriate technical and organizational measures to ensure the security of Personal Data before transmitting it to the Processor, including encryption of data in transit;
- (f) it shall ensure that Personal Data uploaded to the Platform has been pseudonymized or anonymized to the greatest extent practicable, consistent with the purposes of Processing;
- (g) it shall promptly inform the Processor if it becomes aware of any circumstances that may affect the Processor's ability to fulfill its obligations under this DPA.
3.2 The Controller acknowledges that the Processor's ability to fulfill certain obligations under this DPA (including those related to data subject rights and data breach notification) depends on the Controller providing accurate and timely information and responding to the Processor's communications without undue delay.
Article 4. Processor's Obligations
4.1 The Processor warrants and undertakes that it shall:
- (a) process Personal Data only on documented instructions from the Controller, as set out in this DPA, the Principal Agreement, and any subsequent written instructions agreed by the Parties, unless required to do so by applicable law;
- (b) ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality, and that such obligations survive the termination of the individual's employment or engagement;
- (c) implement and maintain the Technical and Organizational Measures described in Annex 1, taking into account the state of the art, the costs of implementation, the nature, scope, context, and purposes of Processing, and the risks to the rights and freedoms of Data Subjects;
- (d) not engage another processor (sub-processor) without prior specific or general written authorization of the Controller, in accordance with Article 5 of this DPA;
- (e) taking into account the nature of the Processing, assist the Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Controller's obligation to respond to requests for exercising Data Subjects' rights;
- (f) assist the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of Processing and the information available to the Processor;
- (g) at the choice of the Controller, delete or return all Personal Data to the Controller after the end of the provision of services relating to Processing, and delete existing copies unless Union or Member State law requires storage of the Personal Data;
- (h) make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller;
- (i) immediately inform the Controller if, in its opinion, an instruction from the Controller infringes the GDPR or other Applicable Data Protection Law.
4.2 The Processor shall maintain a record of all categories of processing activities carried out on behalf of the Controller, in accordance with Article 30(2) of the GDPR, and shall make such records available to the Controller and supervisory authorities upon request.
4.3 The Processor shall designate a Data Protection Officer (DPO) and shall provide the DPO's contact details to the Controller upon request. As of the Effective Date, the DPO can be contacted at dpo@arcascience.ai.
Article 5. Sub-processors
5.1 The Controller provides general written authorization for the Processor to engage Sub-processors for the Processing of Personal Data, subject to the conditions set forth in this Article. The list of currently Authorized Sub-processors is set out in Annex 2 of this DPA.
5.2 The Processor shall inform the Controller in writing (including by email to the Controller's designated contact) of any intended changes concerning the addition or replacement of Sub-processors, providing the Controller with a reasonable opportunity to object to such changes. The Processor shall provide at least thirty (30) calendar days' prior notice before engaging a new Sub-processor or changing an existing Sub-processor.
5.3 If the Controller objects to a new or replacement Sub-processor on reasonable grounds relating to the protection of Personal Data, the Processor shall use commercially reasonable efforts to make available to the Controller an alternative arrangement that avoids the use of the objected-to Sub-processor. If the Processor is unable to provide such alternative arrangement within thirty (30) calendar days of receipt of the Controller's objection, either Party may terminate the affected portion of the Platform Services by providing written notice to the other Party.
5.4 Where the Processor engages a Sub-processor for carrying out specific Processing activities on behalf of the Controller, the Processor shall impose on such Sub-processor, by way of a written contract, the same data protection obligations as set out in this DPA, in particular providing sufficient guarantees to implement appropriate Technical and Organizational Measures such that the Processing meets the requirements of the GDPR.
5.5 The Processor shall remain fully liable to the Controller for the performance of any Sub-processor's obligations under the relevant sub-processing agreement. Where a Sub-processor fails to fulfill its data protection obligations, the Processor shall be liable to the Controller for the performance of that Sub-processor's obligations.
5.6 The Processor shall maintain an up-to-date list of Sub-processors on its website at https://arcascience.ai/legal/sub-processors and shall provide a mechanism for the Controller to subscribe to notifications of changes to the Sub-processor list.
Article 6. International Data Transfers
6.1 The Processor shall not transfer Personal Data to a country outside the European Economic Area ("EEA"), the United Kingdom, or Switzerland ("Third Country") unless one of the following conditions is met:
- (a) the European Commission has issued an adequacy decision for the Third Country pursuant to Article 45(3) of the GDPR;
- (b) appropriate safeguards have been provided in accordance with Article 46 of the GDPR, including the Standard Contractual Clauses adopted by the European Commission;
- (c) the transfer falls within a recognized derogation under Article 49 of the GDPR; or
- (d) the Controller has provided explicit prior written authorization for the transfer, having been informed of the risks.
6.2 Where the Standard Contractual Clauses are relied upon as the transfer mechanism, the Parties agree that the SCCs (Commission Implementing Decision (EU) 2021/914) are hereby incorporated by reference into this DPA and shall apply as follows:
- (a) Module Two (Controller to Processor) shall apply where the Controller transfers Personal Data to the Processor in a Third Country;
- (b) Module Three (Processor to Sub-processor) shall apply where the Processor transfers Personal Data to a Sub-processor in a Third Country;
- (c) For Clause 7, the optional docking clause shall apply;
- (d) For Clause 9, Option 2 (general written authorization) shall apply with a notification period of thirty (30) calendar days;
- (e) For Clause 11, the optional language shall not apply;
- (f) For Clause 17, the SCCs shall be governed by the laws of [Member State of Controller];
- (g) For Clause 18(b), disputes shall be resolved before the courts of [Member State of Controller].
6.3 The Processor shall conduct a Transfer Impact Assessment for each transfer of Personal Data to a Third Country that relies on the SCCs, evaluating the laws and practices of the Third Country of destination, and shall implement supplementary technical measures (such as encryption with Controller-held keys) where the assessment indicates that the SCCs alone cannot ensure an essentially equivalent level of protection.
6.4 The Processor shall promptly notify the Controller if it becomes aware of any change in the laws or practices of a Third Country that may affect the level of protection afforded to transferred Personal Data, including any government access requests or disclosure orders.
6.5 For the United Kingdom, the UK International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (version B1.0) is incorporated into this DPA and applies to transfers of Personal Data subject to the UK GDPR. For Switzerland, the applicable version of the SCCs as recognized by the Swiss Federal Data Protection and Information Commissioner shall apply.
Article 7. Data Subject Rights
7.1 The Processor shall, taking into account the nature of the Processing, assist the Controller by appropriate technical and organizational measures, insofar as this is possible, in responding to requests from Data Subjects exercising their rights under Chapter III of the GDPR, including:
- (a) Right of access (Article 15)
- (b) Right to rectification (Article 16)
- (c) Right to erasure ("right to be forgotten") (Article 17)
- (d) Right to restriction of processing (Article 18)
- (e) Right to data portability (Article 20)
- (f) Right to object (Article 21)
- (g) Rights related to automated decision-making and profiling (Article 22)
7.2 If the Processor receives a request from a Data Subject directly, the Processor shall promptly (and in any event within two (2) business days) forward such request to the Controller without responding to the Data Subject, unless otherwise instructed by the Controller or required by Applicable Data Protection Law.
7.3 The Processor shall provide the Controller with self-service tools within the Platform to facilitate responses to Data Subject requests, including the ability to: (a) search for and export Personal Data associated with a Data Subject; (b) rectify Personal Data; (c) delete Personal Data; and (d) restrict Processing of Personal Data. Where self-service tools are insufficient, the Processor shall provide manual assistance within five (5) business days of the Controller's written request.
7.4 The Processor shall maintain technical capabilities to support the Controller in fulfilling data portability requests, including the ability to export Personal Data in structured, commonly used, and machine-readable formats (JSON, CSV, XML).
Article 8. Security Measures
8.1 The Processor shall implement and maintain appropriate Technical and Organizational Measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.
8.2 Without prejudice to the generality of clause 8.1, the Processor shall implement at a minimum the Technical and Organizational Measures set out in Annex 1 of this DPA, which include measures for:
- (a) the pseudonymization and encryption of Personal Data;
- (b) the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services;
- (c) the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident;
- (d) a process for regularly testing, assessing, and evaluating the effectiveness of the Technical and Organizational Measures.
8.3 The Processor shall not materially decrease the overall level of security of the Platform Services during the term of this DPA. The Processor may update or modify the Technical and Organizational Measures from time to time, provided that such updates do not materially decrease the overall level of protection afforded to Personal Data.
8.4 The Processor shall ensure that any natural person acting under its authority who has access to Personal Data does not process that data except on instructions from the Controller, unless required to do so by applicable law.
Article 9. Data Breach Notification
9.1 The Processor shall notify the Controller without undue delay, and in any event within thirty-six (36) hours after becoming aware of a Data Breach affecting Personal Data processed on behalf of the Controller.
9.2 The notification shall include, at a minimum, the following information (to the extent known at the time of notification):
- (a) a description of the nature of the Data Breach, including where possible the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned;
- (b) the name and contact details of the Processor's data protection officer or other contact point where more information can be obtained;
- (c) a description of the likely consequences of the Data Breach;
- (d) a description of the measures taken or proposed to be taken by the Processor to address the Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.
9.3 Where it is not possible to provide all information at the time of the initial notification, the information may be provided in phases without undue further delay. The Processor shall provide regular updates (at least every twenty-four (24) hours during the initial investigation phase) until the Data Breach has been fully resolved.
9.4 The Processor shall cooperate with the Controller and take all commercially reasonable steps directed by the Controller to assist in the investigation, mitigation, and remediation of any Data Breach, including preserving forensic evidence, providing log data, and facilitating communications with supervisory authorities.
9.5 The Processor shall not make any public statements regarding a Data Breach affecting the Controller's Personal Data without the Controller's prior written consent, except where required by applicable law.
9.6 The Processor shall maintain a comprehensive incident response plan that is tested at least annually. A summary of the incident response plan shall be made available to the Controller upon request.
Article 10. Audit Rights
10.1 The Processor shall make available to the Controller all information reasonably necessary to demonstrate compliance with the obligations laid down in this DPA and in Article 28 of the GDPR.
10.2 The Processor shall allow for and contribute to audits, including inspections, conducted by the Controller or an independent auditor mandated by the Controller, subject to the following conditions:
- (a) The Controller shall provide at least thirty (30) calendar days' prior written notice of any audit request (except in cases where a supervisory authority orders or requests an audit on a shorter timeline);
- (b) Audits shall be conducted during normal business hours with minimal disruption to the Processor's operations;
- (c) The Controller (or its mandated auditor) shall comply with the Processor's reasonable security and confidentiality requirements during any on-site inspection;
- (d) The Controller shall bear its own costs associated with the audit. If the audit requires more than two (2) person-days of the Processor's staff time per calendar year, the Processor may charge a reasonable fee for additional time based on its then-current professional services rates;
- (e) Audit findings and reports shall be treated as Confidential Information of the Processor.
10.3 As an alternative to on-site audits, the Processor shall make available the following compliance evidence, which the Controller may accept in satisfaction of its audit rights:
- (a) The most recent SOC 2 Type II audit report, issued by an independent third-party auditor;
- (b) The most recent penetration test executive summary;
- (c) ISO 27001 certification (when obtained) or the current Statement of Applicability;
- (d) Responses to the Controller's security questionnaire (SIG, CAIQ, or custom);
- (e) Any other certifications, attestations, or audit reports relevant to the Processing activities.
10.4 The Processor shall promptly inform the Controller if, in the Processor's opinion, an audit instruction or request from the Controller infringes Applicable Data Protection Law or exceeds the scope of the Controller's audit rights under this DPA.
Article 11. Term and Termination
11.1 This DPA shall come into effect on the Effective Date and shall remain in force for the duration of the Principal Agreement. In the event that the Principal Agreement is terminated or expires, this DPA shall continue in force until the Processor has ceased all Processing of Personal Data on behalf of the Controller and has deleted or returned all Personal Data in accordance with this Article.
11.2 Upon termination or expiry of the Principal Agreement, or upon the Controller's written request at any time during the term, the Processor shall, at the Controller's choice:
- (a) Return: Return all Personal Data to the Controller in a structured, commonly used, and machine-readable format (JSON, CSV, or as otherwise agreed), including all metadata and audit trail records; or
- (b) Delete: Securely delete all Personal Data, including all copies, backups, and archived data, using methods that render the data unrecoverable (e.g., cryptographic erasure or NIST SP 800-88 compliant media sanitization).
11.3 The Processor shall complete the return or deletion of Personal Data within sixty (60) calendar days of receiving the Controller's written instruction. The Processor shall provide written certification of deletion upon completion.
11.4 The Processor may retain Personal Data to the extent required by applicable law (e.g., for tax, accounting, or regulatory compliance purposes), provided that such retention is limited to the minimum data necessary and for the minimum period required. The Processor shall inform the Controller of any such legal retention requirement and shall continue to protect any retained Personal Data in accordance with this DPA.
11.5 The Controller shall have a period of thirty (30) calendar days from the date of termination or expiry of the Principal Agreement to provide instructions regarding the return or deletion of Personal Data. If no instructions are received within this period, the Processor shall securely delete all Personal Data in accordance with clause 11.2(b).
Article 12. Liability
12.1 Each Party's liability under this DPA shall be subject to the limitations and exclusions of liability set out in the Principal Agreement, except that nothing in this DPA or the Principal Agreement shall limit either Party's liability for:
- (a) breaches of Applicable Data Protection Law where such limitation would be prohibited by law;
- (b) the Processor's processing of Personal Data outside or contrary to the Controller's lawful instructions, where such processing is not required by applicable law;
- (c) either Party's indemnification obligations with respect to third-party claims by Data Subjects or supervisory authorities arising from a breach of this DPA.
12.2 The Processor shall indemnify the Controller against all costs, claims, damages, and expenses (including reasonable legal fees) incurred by the Controller arising from the Processor's breach of this DPA or Applicable Data Protection Law, provided that the Controller has given the Processor prompt notice of any claim, reasonable cooperation, and sole authority to defend or settle the claim.
12.3 Without prejudice to the rights of Data Subjects under Articles 79 and 82 of the GDPR, the Processor shall be liable for the damage caused by Processing only where it has not complied with obligations of the GDPR specifically directed to processors or where it has acted outside or contrary to lawful instructions of the Controller.
Annex 1: Technical and Organizational Measures
The following Technical and Organizational Measures are implemented by the Processor to protect Personal Data processed on behalf of the Controller. These measures are subject to continuous improvement and may be updated from time to time in accordance with Article 8.3 of this DPA.
A1.1 Encryption and Pseudonymization
| Measure | Implementation |
|---|---|
| Encryption at rest | AES-256-GCM encryption for all data stores (databases, object storage, backups, logs) using AWS KMS with per-tenant Customer Master Keys |
| Encryption in transit | TLS 1.3 enforced for all external communications; mutual TLS (mTLS) for inter-service communications via Istio service mesh |
| Application-level encryption | Field-level encryption for high-sensitivity data elements (patient identifiers, credentials, electronic signatures) using per-tenant derived keys |
| Key management | FIPS 140-2 Level 3 HSMs; automatic key rotation every 90 days; Bring Your Own Key (BYOK) option for enterprise customers |
| Pseudonymization | Platform supports automated pseudonymization of patient data upon ingestion; re-identification keys stored separately with restricted access |
A1.2 Access Control
| Measure | Implementation |
|---|---|
| Authentication | Mandatory multi-factor authentication for all users; support for TOTP, WebAuthn/FIDO2 hardware keys |
| Single Sign-On | SAML 2.0 and OpenID Connect integration with customer identity providers; SCIM 2.0 automated provisioning |
| Authorization | Role-based access control (RBAC) with five standard roles and custom role support; enforced segregation of duties for regulated workflows |
| Session management | 30-minute idle timeout; 12-hour absolute timeout; session binding to IP and User-Agent; secure, HttpOnly, SameSite cookies |
| Privileged access | Just-in-time access for administrative operations; bastion host with session recording; quarterly access reviews |
A1.3 Data Integrity and Availability
| Measure | Implementation |
|---|---|
| Audit trail | ALCOA+ compliant immutable audit logs with SHA-256 hash chaining; append-only storage with S3 Object Lock |
| Backup | Continuous replication; hourly incremental; daily full; geo-redundant storage; automated restore testing |
| Disaster recovery | Active-passive cross-region DR; RTO 4 hours; RPO 1 hour; semi-annual failover testing |
| Availability | Multi-AZ deployment; 99.95% uptime SLA; automated failover; real-time health monitoring |
| Input validation | Server-side schema validation; parameterized queries; output encoding; Content Security Policy headers |
A1.4 Physical and Environmental Security
Physical security is provided by AWS's data center infrastructure, which maintains SOC 1/2/3, ISO 27001, ISO 27017, ISO 27018, and ISO 27701 certifications. AWS data centers feature multi-layered physical access controls including biometric access, 24/7 security staff, video surveillance, and environmental controls (fire suppression, climate control, power redundancy).
A1.5 Personnel Security
| Measure | Implementation |
|---|---|
| Background checks | All employees with access to Personal Data undergo background verification checks prior to onboarding |
| Confidentiality agreements | All employees sign confidentiality and data protection agreements as part of employment contracts |
| Security training | Mandatory annual security awareness training; role-specific training for developers and operations staff; phishing simulation exercises |
| Offboarding | Immediate revocation of all system access upon termination; return of all company equipment and data; exit interview including security obligations reminder |
A1.6 Vulnerability Management and Testing
| Measure | Implementation |
|---|---|
| Penetration testing | Annual comprehensive pen test by CREST-accredited firm; quarterly targeted assessments; pre-release security testing |
| Vulnerability scanning | Continuous SAST (Semgrep, CodeQL), nightly DAST (OWASP ZAP), SCA (Snyk, Dependabot), IaC scanning (Checkov) |
| Patch management | Critical patches within 24 hours; high-severity within 7 days; routine patches monthly |
| Bug bounty | Private bug bounty program via HackerOne; rewards up to $15,000 for critical findings |
Annex 2: Authorized Sub-processors
The following Sub-processors are authorized by the Controller as of the Effective Date of this DPA. The Processor shall notify the Controller of any changes to this list in accordance with Article 5 of this DPA.
| Sub-processor | Purpose of Processing | Location of Processing | Transfer Mechanism |
|---|---|---|---|
| Amazon Web Services (AWS), Amazon Web Services EMEA SARL | Cloud infrastructure hosting, data storage, compute, database, and related managed services | EU (Ireland, Frankfurt), US (Virginia, Oregon), or AP (Singapore, Tokyo) per customer data residency selection | Adequacy decision (EU-US DPF) / SCCs |
| Datadog, Datadog, Inc. | Infrastructure monitoring, application performance monitoring, and log management (anonymized/aggregated operational metrics only; no Personal Data in normal operation) | United States (Virginia) | EU-US Data Privacy Framework / SCCs |
| SendGrid (Twilio), Twilio Inc. | Transactional email delivery (user notifications, password resets, system alerts) | United States | EU-US Data Privacy Framework / SCCs |
| HackerOne, HackerOne, Inc. | Security vulnerability disclosure management (no customer Personal Data processed) | United States | Not applicable (no Personal Data) |
| Stripe, Stripe Payments Europe, Ltd. | Payment processing for Platform Services subscriptions (billing contact data only) | Ireland / United States | Adequacy decision (Ireland) / EU-US DPF |
An up-to-date list of Sub-processors is maintained at https://arcascience.ai/legal/sub-processors. The Controller may subscribe to email notifications of changes to this list by contacting dpo@arcascience.ai or through the Platform's administrative settings.
Execution
IN WITNESS WHEREOF, the Parties have caused this Data Processing Agreement to be executed by their duly authorized representatives as of the Effective Date.
Data Controller
Entity: [Customer Legal Entity]
Name: [Name]
Title: [Title]
Date: [Date]
Data Processor
Entity: ArcaScience SAS
Name: [Name]
Title: [Title]
Date: [Date]