Data Processing Agreement
Effective April 1, 2026
This Data Processing Agreement (this “DPA”) is entered into as of the Effective Date by and between Reify Health, Inc., a Delaware corporation, having its principal place of business at 33 Arch St., 17th Floor, Boston, MA 02110, USA (together with its subsidiaries and Affiliates, “Reify”) and the party accepting this DPA, as evidenced by such party’s click-through acceptance or signature, or by such party’s registration for, access to, or use of the Services (together with its subsidiaries and Affiliates, “Customer”), each a “Party,” and collectively, the “Parties.”
This DPA is incorporated by reference into and forms part of the StudyTeam® for Sites Terms of Service or other master agreement between the Parties governing Customer’s use of Reify’s products and services (the “Agreement”), or, where no such agreement is in effect, applies to Customer’s use of the Services pursuant to a sponsor-granted license, and sets forth the Parties’ rights and obligations with respect to data relating to identified or identifiable individuals processed by Reify on Customer’s behalf in connection with the Services. The effective date of this DPA shall be the Effective Date of the Agreement, or, where no Agreement is in effect, the date Customer first accesses or uses the Services.
The Parties agree as follows:
1. Definitions
Capitalized terms used but not otherwise defined in this DPA shall have the meaning assigned to such terms in the Agreement.
- “Data Breach” means a breach of security resulting in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data processed by Reify in connection with the Services.
- “Data Protection Laws” means all laws and regulations relating to privacy, data protection, or the processing of data relating to individuals that are applicable to the processing of Personal Data under this DPA.
- “Controller” means the natural or legal person, public authority, agency, or other body that, alone or jointly with others, determines the purposes and means of the processing of Personal Data.
- “Data Subject” means an identified or identifiable natural person to whom Personal Data relates, or any equivalent concept under Data Protection Laws.
- “Personal Data” means any information relating to an identified or identifiable natural person, or any equivalent concept under applicable Data Protection Laws.
- “process” and “processing” means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, use, disclosure, storage, modification, or deletion.
- “Processor” means any natural or legal person, public authority, agency, or other body that processes Personal Data on behalf of a Controller, including any equivalent role or concept under Data Protection Laws.
- “Sub-processor” means any third party engaged by Reify to process Personal Data on Reify’s behalf in connection with the Services.
2. Data Processing
- Roles. As between the Parties, Customer acts as the Controller and Reify acts as the Processor with respect to Personal Data processed under this DPA, except where Reify independently determines the purposes and means of processing, in which case Reify acts as a Controller to that extent.
- Scope of Processing. Reify shall process Personal Data solely in connection with the provision, maintenance, development, and improvement of the Services, in accordance with this DPA, the Agreement, and Customer’s documented instructions, and in compliance with Data Protection Laws. Customer shall ensure that Reify’s processing of Personal Data, when done in accordance with Customer’s instructions, shall not cause Reify to violate any Data Protection Laws, and Reify shall, to the extent permitted by law, promptly notify Customer in writing prior to carrying out any such instruction it reasonably believes would result in violation of Data Protection Laws.
- Purpose Limitation. Personal Data processed under this DPA shall be processed solely to the extent necessary to provide, maintain, develop, and improve the Services in accordance with the Agreement and this DPA, and shall not be used, accessed, or otherwise processed for any other purpose, except with the prior written authorization of the Customer or as required by applicable law.
- Data Confidentiality. Reify shall not disclose Personal Data to any third party except as expressly permitted by this DPA or as required by Data Protection Laws. Where disclosure is required by law, Reify shall provide prompt notice to Customer, to the extent permitted by law, to allow Customer to seek protective measures. Reify shall ensure that its personnel with access to Personal Data are subject to confidentiality obligations no less protective than those set forth in this DPA.
- Data Minimization and Retention. Reify shall process and retain Personal Data for so long as reasonably necessary in connection with the Services and in accordance with applicable Data Protection Laws. For clarity, retention may include storage and use necessary to support the ongoing operation, security, integrity, and enhancement of the Services, subject to appropriate technical and organizational safeguards.
- Prohibition on Sale or Monetization of Personal Data. Reify shall not sell, rent, lease, market, disclose for valuable consideration, or otherwise directly or indirectly monetize any Personal Data.
- Security Measures. Reify shall implement and maintain appropriate technical and organizational measures, based on the relative risk of the Personal Data, intended to protect the confidentiality, integrity, and availability of Personal Data, and to prevent the unauthorized processing or disclosure of Personal Data. Reify’s technical and organizational measures are detailed in Schedule I.
- Data Breach. Upon discovery of a Data Breach, Reify shall notify Customer in writing, without undue delay and, to the extent possible, include a detailed narrative of all relevant information then known to Reify, updated in phases as it becomes available. Reify shall not be required to notify Customer of unsuccessful or attempted security incidents that do not result in unauthorized access to or disclosure of Personal Data. Reify shall not be required to notify Customer of any attempted or unsuccessful security incidents that do not result in unauthorized access to, use of, or disclosure of Personal Data. This DPA constitutes notice that Reify may experience such incidents from time to time. In the event of a Data Breach, Reify shall provide Customer with all reasonable assistance, including assistance with notifications to Data Subjects and any applicable supervisory authority.
- Audit. Upon reasonable prior written notice and subject to reasonable confidentiality obligations, Reify shall make available to Customer information reasonably necessary to demonstrate compliance with Data Protection Laws and shall permit audits of its processing of Personal Data by Customer or an independent auditor appointed by Customer and reasonably acceptable to Reify. Audits shall be conducted during normal business hours, shall not unreasonably interfere with Reify’s operations, and shall occur no more than once annually unless required by Data Protection Laws or following a Data Breach.
- International Transfers. Where Personal Data is transferred outside the country of origin in connection with the provision of Services, Reify shall ensure that such transfers are conducted in compliance with Data Protection Laws and, where required, subject to appropriate transfer mechanisms recognized under such laws.
- Data Subject Requests. Reify shall promptly notify Customer of any Data Subject request received in connection with the Services and shall not respond to such request except as instructed in writing by Customer. Reify shall provide reasonable assistance, within its legal and technical capabilities, to enable Customer to respond to the request.
3. Controller Obligations
- Notification of Changes. Customer shall notify Reify of any limitations or changes to its privacy practices to the extent such limitations or changes may affect Reify’s processing of Personal Data in connection with the Services.
- Responsibility for Data Accuracy and Compliance. As between the Parties, Customer shall be solely responsible for the accuracy, quality, and legality of Personal Data.
- Consent and Legal Basis. Customer shall have sole responsibility for ensuring that a valid legal basis exists for all processing activities performed under this DPA, including obtaining all required authorizations and consents from Data Subjects and ensuring compliance with all applicable data transfer obligations for Personal Data.
4. Sub-Processors
- General Authorization. Customer grants Reify a general authorization to engage third-party Sub-processors to process Personal Data in connection with the Services. This authorization shall be considered as expressly given by Customer in relation to any Sub-processor already engaged by Reify as of the Effective Date.
- Requirements for Sub-processor Engagement. Prior to the engagement of any Sub-processor, Reify shall conduct reasonable due diligence to ensure that such Sub-processor is capable of performing the delegated processing activities in compliance with Data Protection Laws and the obligations set forth in this DPA. Reify shall enter into a written agreement with each Sub-processor that imposes data protection obligations no less restrictive than those set forth in this DPA.
- Notification of New Sub-Processing Activity. Reify shall provide Customer advance written notice prior to the engagement of any new Sub-processor, which notice shall be provided to Customer’s designated recipient, whom Customer may designate by visiting: https://www.studyteamapp.com/Subprocessors.html and following the subscription prompt. Notification of new Sub-processing shall include sufficient information to enable Customer to reasonably assess the Sub-processor’s data protection practices. Authorization for a new Sub-processor shall be deemed to be given if no objection is received from Customer within the notice period set forth in the notice.
5. Jurisdiction-Specific Attachments
To the extent Reify processes Personal Data originating from a jurisdiction identified below, the corresponding Attachment listed in this Section shall apply to such processing.
- Attachment A: Brazil. To the extent Personal Data originating from Brazil is processed by Reify, either directly or via onward transfer to the United States, the Parties shall comply with Attachment A.
- Attachment B: Canada. To the extent Personal Data originating from Canada is processed by Reify, either directly or via onward transfer to the United States, the Parties shall comply with Attachment B.
- Attachment C: European Economic Area. To the extent Personal Data originating from the European Economic Area is processed by Reify, either directly or via onward transfer to the United States, the Parties shall comply with Attachment C.
- Attachment D: Switzerland. To the extent Personal Data originating from Switzerland is processed by Reify, either directly or via onward transfer to the United States, the Parties shall comply with Attachment D.
- Attachment E: United Kingdom. To the extent Personal Data originating from the United Kingdom is processed by Reify, either directly or via onward transfer to the United States, the Parties shall comply with Attachment E.
- Attachment F: United States. To the extent Personal Data originating from the United States is processed by Reify, the Parties shall comply with Attachment F.
6. Term and Termination
- Term. This DPA shall commence on the Effective Date and shall remain in effect for the duration of Reify’s processing of Personal Data, and shall continue thereafter for any additional period necessary to fulfil post-termination obligations as required by Data Protection Laws or this DPA.
- Termination. Upon Customer’s written instructions, Reify shall promptly return or securely destroy all Personal Data processed on Customer’s behalf, in a form and format determined by Reify in its sole discretion. This obligation shall also apply to Personal Data in the possession of any Sub-processor. Upon completion of the return or destruction, Reify shall provide Customer with written confirmation of such return or destruction, as applicable. Reify shall not retain copies of Personal Data except to the extent retention is required by applicable law or a competent authority, and any such retained Personal Data shall remain subject to the protections set forth in this DPA for the duration of the retention period.
7. General
Order of Precedence. In the event of a conflict between the terms of this DPA and the Agreement, the terms of this DPA shall prevail solely to the extent of such conflict and only with respect to the processing of Personal Data and the Parties’ obligations under Data Protection Laws.
SCHEDULE I: DETAILS OF PROCESSING
A. Personal Data Processed by Reify as Processor for Data Subjects
Processor: | Reify Health, Inc. 33 Arch Street, 17th Floor, Boston, MA 02110, USA |
Processor’s DPO: | Brad Johnson, Data Protection Officer, Director, Legal and Compliance |
Processor’s DPO Contact: |
|
Controller: | Customer, as defined in this DPA |
Activities Relevant to the Data Transferred: | The processing of Personal Data by Reify to provide, operate, and support the Services in connection with Customer’s clinical research activities. |
Categories of Data Subjects: | Patients or clinical subjects of the Customer |
Categories of Personal Data (as applicable): |
|
Categories of Sensitive Data: | Data Concerning Health |
Frequency of the Transfer: | Continuous Basis |
Nature of the Processing: | Processing of Personal Data in connection with the Services, which may include collection, use, storage, disclosure, combination, analysis, and deletion. |
Purpose of the Data Transfer and Processing: | To provide, operate, maintain, develop, and improve the Services in accordance with the Agreement and this DPA. |
Retention Period: | Personal Data shall be retained for a period of twenty-five (25) years, unless Customer or a Data Subject provides written instructions for earlier return or deletion, in which case such Personal Data shall be returned or deleted, as applicable, in accordance with those instructions. |
List of Sub-Processors: | |
Subject Matter, Nature, and Duration of Processing for Transfers to Sub-Processors: | The subject matter and nature of Processing by Sub-processors are specified at https://www.studyteamapp.com/Subprocessors.html, and the duration of Processing by Sub-processors shall continue until the termination of Services by Controller. |
B. Personal Data Processed by Reify as Controller for Authorized Users:
Controller: | Reify Health, Inc. 33 Arch Street, 17th Floor, Boston, MA 02110, USA |
Processor: | See, Sub-Processors |
Activities Relevant to the Data Transferred: | Provisioning user accounts and authenticating authorized users. |
Categories of Data Subjects: | Customer’s authorized users of Reify’s products and Services |
Categories of Personal Data: |
|
Categories of Sensitive Data: | None |
Frequency of the Transfer: | Continuous Basis |
Nature of the Processing: | Processing of Personal Data in connection with the Services, which may include collection, use, storage, disclosure, combination, analysis, and deletion. |
Purpose of the Data Transfer and Processing: | To administer user accounts and authentication, and to ensure secure, controlled access to the Services by Authorized Users. |
Retention Period: | Personal Data shall be retained for a period of twenty-five (25) years, unless Customer provides written instructions for earlier return or deletion, in which case such Personal Data shall be returned or deleted, as applicable, in accordance with those instructions. |
C. Technical and Organizational Measures:
- Security Policies. Reify maintains, updates and follows its own written information technology (IT) security policies at all times. Compliance with Reify’s IT policies and procedures is mandatory for all Reify personnel, including subcontractors as relevant. IT security policies are reviewed periodically and amended as Reify deems reasonably necessary to maintain an adequate level of protection of personal data. Reify personnel complete mandatory security and privacy training at the time of onboarding and on an annual basis thereafter.
- Corrective Action. Reify implements a problem-correction and disciplinary process for violations of company policies or procedures. Non-compliance by Reify personnel is met with appropriate disciplinary action, up to and including the possibility of termination.
- Security Incident Management. Reify maintains internal policies and procedures addressing incident response and notification. These policies are overseen by Reify’s Compliance and Information Security teams and subject to regular review. Reify’s established procedures for notifying Reify customer(s) are at all times subject to the terms of Reify’s customer contracts and applicable law.
- Access Control. Reify maintains appropriate security controls for requesting, approving, granting, modifying, revoking, and revalidating user access to systems, networks and applications containing personal data. Reify grants access to personal data only when there is a clear business need for such access, and access is granted in accordance with the principle of least privilege. Access authorisations and provisioning are segregated among two or more individuals. Access authorisations are reviewed on a regular basis for business need and scope, including removal within 24 hours of the conclusion of a Reify user’s employment relationship. Reify monitors and logs system access, including access for privileged accounts. When technologically feasible, privileged access is limited in duration. Reify prohibits the sharing or insecure storage of access credentials, provides tools to detect and prevent such use, and maintains written policies and procedures requiring corrective action upon any personnel violating these policies.
- Application and Network Security. Reify employs encrypted and authenticated connectivity to all Reify-controlled network environments. Reify denies access to networks at the firewall and virtual private network layers, except where explicitly allowed. Reify implements network segmentation and utilizes security logging and monitoring designed to detect unauthorised or malicious application and network activity. Reify implements Web Application Firewalls to protect the confidentiality and integrity of applications and associated personal data. Reify implements denial of service protection mechanisms designed to ensure the availability of access to applications and personal data.
- Business Continuity and Disaster Recovery. Reify ensures the availability of personal data through written business continuity policies and procedures, disaster recovery planning, and playbooks which include recovery time and recovery point objectives. Disaster recovery plans and playbooks are updated and tested on a regular basis, at least annually. Access to backup data requires multi-factor authentication and backups are encrypted at rest and in transit.
- Data Transfer and Storage. Reify protects personal data through encryption in transit and at rest. Authentication is required to access personal data processed by Reify. Only systems developed by Reify or third-party systems vetted and approved under Reify’s established supplier qualification procedures are permitted to transfer Personal Data to Reify. Reify’s supplier qualification procedures include a mandatory review and approval by Reify’s Information Security team to ensure the third party offers sufficient protections and to identify security controls appropriate to the scope of data processing and the specific processing activity involved. A privacy impact assessment is also conducted as part of the vendor qualification process.
Data storage locations may vary depending on the particular services utilized by Reify’s customer; however, at all times Reify processes personal data in accordance with data protection law, including data residency requirements where applicable. All cross-border transfers of personal data are lawfully facilitated, including where applicable through the use of data transfer agreements and, in the case of data pertaining to individuals protected by the General Data Protection Regulation (GDPR), the use of Standard Contractual Clauses. Data is retained in accordance with Reify’s internal data retention schedule, customer agreements, and applicable law.
- Vulnerability Management. Reify implements and maintains measures to identify, manage, mitigate and remediate vulnerabilities in its computing environment. These measures include (but are not limited to): patch management, anti-virus/anti-malware, mobile device management, application blocking, vulnerability scanning, annual penetration testing. Vulnerabilities are remediated in accordance with risk and criticality.
- Risk Management. Reify regularly assesses risks related to processing of personal data and creates action plans as required to mitigate identified risks.
- Change Management. Reify implements a change management procedure to identify, categorize, assess, and track changes to systems impacting personal data. The procedure includes segregation among two or more individuals who propose and approve changes. Significant changes that may impact personal data undergo a risk assessment.
- Secure Software Development. Reify adheres to secure software development practices including, but not limited to: code review; change control; developer training; security assessments; and iterative review and updates as required. Source code changes are documented and reviewed prior to production deployment. Source code is further controlled through branch protection and code ownership. Developers are trained in secure development best practices for web applications. Products impacting personal data are penetration tested at least annually. Included libraries are scanned for vulnerabilities. Identified vulnerabilities are remediated in accordance with risk and criticality.
- Physical and Device Security. Reify-controlled systems and networks are hosted in Amazon Web Services with appropriate physical access controls designed to protect personal data. Workstations are encrypted and protected from theft or malicious user action by mobile device management software. Anti-virus/anti-malware controls are in place and continuously updated. Workstations are password-protected, utilize password management software, and have inactivity timeouts requiring reauthentication. Operating systems and related software are updated on a regular basis.
ATTACHMENT A
BRAZIL ADDENDUM
To the extent Personal Data originating from Brazil is processed by Reify, either directly or via onward transfer to the United States, Reify and Customer shall comply with the Brazilian Personal Data Protection Law (Lei Geral de Proteção de Dados Pessoais), as amended by Law No. 13,853/2019, and its corresponding ordinances as amended, supplemented, or replaced from time to time (collectively, “LGPD”), and the International Data Transfer Regulation and Standard Contractual Clauses, CD/ANPD Resolution No. 19 of August 23, 2024 (Resolução CD/ANPD nº 19, de 23 de agosto de 2024) or such alternative as may be approved by the National Data Protection Authority from time to time (“Brazil Standard Contractual Clauses”), throughout the period that Reify processes Personal Data pursuant to the DPA.
The Brazil Standard Contractual Clauses are incorporated by reference into this Attachment A and form part of the DPA. Acceptance of the DPA constitutes acceptance of the Brazil Standard Contractual Clauses to the extent applicable.
The Brazil Standard Contractual Clauses shall be deemed completed as follows:
- Clause 1 (Identification of Parties). As set forth in Schedule 1 of the DPA. For the avoidance of doubt, Reify is the Importer/Operator and Customer is the Exporter/Controller.
- Clause 2 (Purpose and Description of International Data Transfer). As set forth in Schedule 1 of the DPA.
- Clause 3.1A (Subsequent Transfers). The Importer may not carry out a Subsequent Transfer of Personal Data except in the cases provided for in item 18.3.
- Clause 4 (Responsibilities of the Parties). The Parties agree that Reify pursuant to: (i) Clause 14, shall be responsible for providing notice of data processing to Data Subjects; (ii) Clause 15, shall be responsible for fulfilling Data Subject Access Requests; and (iii) Clause 16, shall be responsible for notifying the ANPD and Data Subjects in the event of a security incident.
- Clause 24 (Choice of Forum and Jurisdiction). The Parties agree that this Brazil Addendum shall be governed by the law of Brazil, and any dispute arising hereunder shall be resolved by the courts of Brazil.
ATTACHMENT B
CANADA ADDENDUM
To the extent Personal Data originating from Canada is Processed by Reify, either directly or via onward transfer to the United States, Reify and Customer shall comply with the Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5 (“PIPEDA”) and where applicable, substantially similar provincial and provincial health legislation, including Alberta’s Personal Information Protection Act, SA 2003, c P-6.5 (“Alberta PIPA”), British Columbia’s Personal Information Protection Act, SBC 2003, c 63 (“BC PIPA”), Quebec’s Act Respecting the Protection of Personal Information in the Private Sector, CQLR c P-39.1 (“Quebec Act”), Ontario’s Personal Health Information Protection Act, 2004, SO 2004, c 3, Sch A (“PHIPA”), and Nova Scotia’s Personal Health Information Act, S.N.S. 2010, c.41 (“PHIA”), each as amended, supplemented, or replaced from time to time (collectively, “Canadian Privacy Laws”), throughout the period that Reify processes Personal Data pursuant to the DPA.
This Canada Addendum is incorporated by reference into and forms part of the DPA. Acceptance of the DPA constitutes acceptance of this Attachment B.
The Parties agree as follows:
- Definitions. Capitalized terms used but not otherwise defined in this Attachment B shall have the meanings assigned to such terms under the applicable Canadian Privacy Laws, as reasonably interpreted to effectuate the purposes of this Attachment B.
- “Personal Data” shall be construed to include, as applicable, “Personal Information” and “Personal Health Information,” as those terms are defined under applicable Canadian Privacy Laws.
- “Controller” shall be construed to include, as applicable, “Custodian,” “Health Information Custodian,” or “Organization” as those words are defined under applicable Canadian Privacy Laws.
- “Processor,” “Supervisory Authority,” and “Data Subject” shall be construed to include, as applicable, “Agent,” “Commissioner,” and “Individual,” respectively, as those terms are defined under applicable Canadian Privacy Laws.
- Compliance with Canadian Privacy Laws. Each Party shall comply with all applicable requirements of Canadian Privacy Laws as they apply to such Party’s role under this DPA, including the Fair Information Principles under PIPEDA and similar Canadian Privacy Laws.
- Identification of Parties. As between the Parties, Reify is the Processor and Customer is the Controller.
- Privacy Representative. Reify’s Data Protection Officer is set forth in Schedule 1 of the DPA.
- Certification. Reify certifies that it understands and agrees to comply with the requirements of this Attachment B.
ATTACHMENT C
EUROPEAN ECONOMIC AREA ADDENDUM
To the extent Personal Data originating from the European Economic Area is processed by Reify, either directly or via onward transfer to the United States, Reify and Customer shall comply with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, as amended, supplemented, or replaced from time to time (“GDPR”), and Regulation (EU) 2016/679 of the European Parliament and the Council, approved by European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, (Model Two: Controller to Processor), or such alternative as may be approved by the European Commission from time to time (the “Standard Contractual Clauses”), throughout the period that Reify processes Personal Data pursuant to the DPA.
This Attachment C is incorporated by reference into and forms part of the DPA. Acceptance of the DPA constitutes acceptance of this Attachment C and the Standard Contractual Clauses, to the extent applicable.
The Standard Contractual Clauses are deemed completed as follows:
- Identification of Parties. As between the Parties, Customer is the Data Exporter and Reify is the Data Importer.
- Clause 7 (Docking Clause). The Parties agree to Clause 7 of the Standard Contractual Clauses.
- Clause 9a (General Authorisation). The Data Importer has the Data Exporter’s general authorisation for the engagement of Sub-processor(s) from an agreed list. The Data Importer shall specifically inform the Data Exporter in writing of any intended changes to that list through the addition or replacement of Sub-processors at least thirty (30) days in advance, thereby giving the Data Exporter sufficient time to be able to object to such changes prior to the engagement of the Sub-processor(s). The Data Importer shall provide the Data Exporter with the information necessary to enable the Data Exporter to exercise its right to object.
- Clause 11 (Redress). The Data Importer shall inform Data Subjects in a transparent and easily accessible format, through individual notice or on its website, of a contact point authorized to handle complaints. It shall deal promptly with any complaints it receives from a Data Subject.
- Clause 17 (Governing Law). These Standard Contractual Clauses shall be governed by the law of Ireland.
- Clause 18 (Choice of Forum and Jurisdiction). Any dispute arising hereunder shall be resolved by the courts of Ireland.
- Annex IA (List of Parties). As set forth in Schedule I of the DPA.
- Annex IB (Description of Transfer). As set forth in Schedule I of the DPA.
- Annex IC (Competent Supervisory Authority). The competent Supervisory Authority is the Data Protection Commission of Ireland.
ATTACHMENT D
SWISS ADDENDUM
To the extent Personal Data originating from Switzerland is processed by Reify, either directly or via onward transfer to the United States, Reify and Customer shall comply with the Swiss Federal Act on Data Protection of 19 June 1992, the Swiss Ordinance to the Swiss Federal Act on Data Protection of 14 June 1993, and, when in force, the Swiss Federal Data Protection Act of 25 September 2020, and its corresponding ordinances as amended, supplemented, or replaced from time to time (collectively, “Swiss Data Protection Laws”), and Regulation (EU) 2016/679 of the European Parliament and the Council, approved by European Commission Implementing Decision (EU) 2021/914 of 4 June 2021 (Model Two: Controller to Processor), or such alternative as may be approved by the European Commission from time to time (the “Standard Contractual Clauses”), as supplemented and amended by the FADP, throughout the period that Reify processes Personal Data pursuant to the DPA.
This Attachment D is incorporated by reference into and forms part of the DPA. Acceptance of the DPA constitutes acceptance of this Attachment D and the Standard Contractual Clauses incorporated into this DPA, to the extent applicable.
The Standard Contractual Clauses shall be deemed completed as follows:
- Identification of Parties. As between the Parties, Customer is the Data Exporter and Reify is the Data Importer.
- References. References in the Standard Contractual Clauses to: (i) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the “GDPR”) must be understood and interpreted as references to the Swiss Data Protection Laws; and (ii) “European Union,” “Union,” “EU,” “EU Member State,” or “Member State” shall be deemed to include Switzerland.
- Clause 7 (Docking Clause). The Parties agree to Clause 7 of the Standard Contractual Clauses.
- Clause 9a (Sub-processor Authorisation). The Data Importer has the Data Exporter’s general authorisation for the engagement of Sub-processor(s) from an agreed list. The Data Importer shall specifically inform the Data Exporter in writing of any intended changes to that list through the addition or replacement of Sub-processors at least thirty (30) days in advance, thereby giving the Data Exporter sufficient time to be able to object to such changes prior to the engagement of the Sub-processor(s). The Data Importer shall provide the Data Exporter with the information necessary to enable the Data Exporter to exercise its right to object.
- Clause 11 (Redress). The Data Importer shall inform Data Subjects in a transparent and easily accessible format, through individual notice or on its website, of a contact point authorized to handle complaints. It shall deal promptly with any complaints it receives from a Data Subject.
- Clause 17 (Governing Law). This Swiss Addendum shall be governed by the law of Switzerland.
- Clause 18 (Choice of Forum and Jurisdiction). Any dispute arising hereunder shall be resolved by the courts of Switzerland.
- Annex IA (List of Parties). As set forth in Schedule I of the DPA.
- Annex IB (Description of Transfer). As set forth in Schedule I of the DPA.
- Annex IC (Supervisory Authority). The competent Supervisory Authority is the Swiss Federal Data Protection and Information Commissioner (FDPIC).
ATTACHMENT E
UNITED KINGDOM: INTERNATIONAL DATA TRANSFER ADDENDUM
To the extent Personal Data originating from the United Kingdom is Processed by Reify, either directly or via onward transfer to the United States, Reify and Customer shall comply with UK GDPR, as defined in section 3(10) of the Data Protection Act 2018, the Data Protection Act 2018, the Data (Use and Access) Act 2025, the Privacy and Electronic Communications (EC Directive) Regulations 2003, and any other applicable laws or regulations relating to the processing of personal data, privacy, or electronic communications in force in the United Kingdom, in each case as amended, supplemented, or replaced from time to time (collectively, “UK Data Protection Laws”), the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (version B1.0, in force 21 March 2022) as may be amended, superseded, or replaced from time to time (the “IDTA”), and Regulation (EU) 2016/679 of the European Parliament and the Council, approved by European Commission Implementing Decision (EU) 2021/914 of 4 June 2021 (Model Two: Controller to Processor), or such alternative as may be approved by the European Commission from time to time (the “Standard Contractual Clauses”), as supplemented and amended by UK Data Protection Laws, throughout the period that Reify processes Personal Data pursuant to the DPA.
This Attachment E is incorporated by reference into and forms part of the DPA. Acceptance of the DPA constitutes acceptance of this Attachment E and the IDTA and Standard Contractual Clauses incorporated into this DPA, to the extent applicable.
The IDTA is deemed completed as follows:
- Table 1. As between the Parties, Customer is the Exporter and Reify is the Importer.
- Table 2. The Parties agree that this IDTA is appended to the Standard Contractual Clauses as follows:
  - Clause 7 (Docking Clause). The Parties agree to Clause 7 of the Standard Contractual Clauses.
  - Clause 9a (Sub-Processor Authorisation). The Data Importer has the Data Exporter’s general authorisation for the engagement of Sub-processor(s) from an agreed list. The Data Importer shall specifically inform the Data Exporter in writing of any intended changes to that list through the addition or replacement of Sub-processors at least thirty (30) days in advance, thereby giving the Data Exporter sufficient time to be able to object to such changes prior to the engagement of the Sub-processor(s). The Data Importer shall provide the Data Exporter with the information necessary to enable the Data Exporter to exercise its right to object.
  - Clause 11 (Redress). The Importer shall inform Data Subjects in a transparent and easily accessible format, through individual notice or on its website, of a contact point authorized to handle complaints. It shall deal promptly with any complaints it receives from a Data Subject.
  - Personal Data received from the Importer is combined with Personal Data collected by the Exporter.
- Table 3. Table 3 is completed as follows:
  - Annex 1A (List of Parties). As set forth in the DPA.
  - Annex 1B (Description of Transfer). As set forth in the DPA.
  - Annex II (Technical and Organizational Measures). As set forth in the DPA.
  - Annex III (List of Sub-Processors). As set forth in the DPA.
- Table 4. The Parties elect that neither Party may end this Attachment E with respect to Section 19 of the IDTA.
- Governing Law. Consistent with Clause 12 of the IDTA, this IDTA is governed by the law of England and Wales, and any dispute arising hereunder shall be resolved through the courts of England and Wales, unless the laws or courts of Scotland and Northern Ireland have been expressly selected by the Parties.
ATTACHMENT F
U.S. ADDENDUM
To the extent Personal Data originating from the United States is Processed by Reify, Reify and Customer shall comply with all applicable United States privacy laws and regulations, as amended, supplemented, or replaced from time to time (collectively, “U.S. Privacy Laws”) throughout the period that Reify processes Personal Data pursuant to the DPA.
This Attachment G is incorporated by reference into and forms part of the DPA. Acceptance of the DPA constitutes acceptance of this Attachment G, to the extent applicable.
The Parties agree as follows:
- Definitions. Capitalized terms used but not otherwise defined in this Attachment G shall have the meanings assigned to such terms under the applicable U.S. Privacy Laws, as reasonably interpreted to effectuate the purposes of this Attachment G.
  - “Controller,” “Data Subject,” “Personal Information,” “Processor,” and “Sub-processor” shall be construed to include, as applicable, “Business,” “Consumer,” “Personal Data,” “Service Provider,” and “Subcontractor,” respectively, as those terms are defined under applicable U.S. Privacy Laws.
- Identification of Parties. As between the Parties, Reify is the Processor and Customer is the Controller.
- Compliance with U.S. Privacy Laws. Each Party shall comply with all applicable requirements of U.S. Privacy Laws with respect to the collection, use, disclosure, retention, protection, and disposal or destruction of Personal Data.
- Contractual Requirements. The Parties acknowledge and agree that the restrictions, limitations, and obligations set forth in the DPA are intended to satisfy, and shall be deemed to satisfy, the requirements applicable to Service Provider or Processor agreements under U.S. Privacy Laws, including restrictions relating to the sale, sharing, retention, use, disclosure, and combination of Personal Data.
- Certification. Reify certifies that it understands and agrees to comply with the requirements of this Attachment F.
Last Modified: February 24, 2026
Effective April 1, 2026