1. INTRODUCTION

1.1 When UgenTec performs Services, it shall (i) have access to Personal Data (as defined hereinafter); (ii) will have to Process Personal Data for which the Customer is responsible as a Controller in accordance with the Privacy Legislation (as defined hereinafter).

1.2 This Data Processing Agreement (“DPA”) applies to the Processing of Personal Data by UgenTec and determines (i) how UgenTec will manage, secure and process the Personal Data, and (ii) Parties’ obligation to comply with the Privacy Legislation.

Relying on the Services of UgenTec entails the approval of the Customer with this Data Processing Policy and consequently of how UgenTec processes the personal data of the Customer. In case of any contradictions between this DPA and the Agreement or any other documents regarding the same subject matter, such provision in this DPA shall prevail to the extent the corresponding provisions are irreconcilable.

2. SPECIFIC DEFINITIONS

In addition to the definitions under the Agreement and/or the UgenTec’s GT&C, the following concepts have the meaning described in this article (when written with a capital letter):

Assignment	All activities, such as but not limited to the Services, performed by UgenTec, and any other form of cooperation whereby UgenTec Processes Personal Data, regardless of the legal nature of the agreement under which this Processing takes place;
Business Days	Any day – other than Saturday, Sunday or legal holidays in Belgium. For purposes of clarification, legal holidays observed are: ● New Year’s Day (January 1) ● Easter Monday ● Labour Day (May 1) ● Ascension Day ● Whit Monday ● Belgian National holiday (July 21) ● Assumption Day (August 15) ● All Saints’ Day (November 1) ● Armistice Day (November 11) ● Christmas Day (December 25)
Business Hours	From 8.00 AM to 5.00 PM (CET) on Business Days.
Controller	The entity, which determines the purposes and means of the Processing of Personal Data
Data Breach	any event leading to (potential) accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to the Personal Data transmitted, stored or otherwise processed.
Data Processing System	any system that is used or has been used or is relevant for processing the Personal Data by UgenTec or its subcontractors, including supporting documentation.
Data Subject	the natural person to whom the Personal Data relate.
DPA	the current data processing agreement, including its recitals and Schedules thereto.
Employees	the employees and other persons (such as freelancers, consultants and self-employed) engaged by a Party for the performance of the Agreement, who fall under such Party’s responsibility.
Governmental Authority	a governmental authority of any country that is related to the processing of Personal Data under the Agreement.
Personal Data	any data relating to an identified or identifiable living natural person, processed on behalf of the Customer by UgenTec or its subcontractors in relation to the execution of the Agreement.
Personal Medical Data	Personal data that constitutes PCR-data and derived results of a third-party
Privacy Legislation	the law(s) or any other (local) regulations applicable to the processing of the Personal Data under the Agreement, including any amendments, replacements, updates or other later versions thereof. To the extent this refers to regulations in countries outside of the European Union, such regulations will only constitute “Privacy Legislation” to the extent the Customer has informed UgenTec about such requirements conform this DPA and to the extent such requirements are mandatory and/or of public order and apply to the contractual relationship between the Parties.
Process/ Processing	Any operation or set of operations which is performed upon Personal Data or sets of Personal Data, whether or not by automated means, including, but not limited to: collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of Personal Data
Processor:	The entity which Processes Personal Data on behalf of the Controller
Schedule	an attachment to the DPA, which forms part of the DPA.
Services	the services (to be) performed by UgenTec under the Agreement
Sub Processor	Any processor engaged by UgenTec

3. ROLES OF THE PARTIES

3.1 Although the Parties acknowledge that their respective status is determined by the Privacy Legislation, the Parties are of the view that in the context of the Services and this DPA the Customer is a Data Controller and UgenTec shall be a Data Processor in respect of the Processing of Personal Medical Data during the course of the provision of the Services. The Parties acknowledge that the Customer alone determines all the purposes and essential means of the Processing of said Personal Medical Data and qualifies as Controller and UgenTec shall Process Personal Medical Data on behalf of the Customer, as Processor.

3.2 Notwithstanding the foregoing, UgenTec is also a Data Controller in respect of certain processing activities, of which an overview is provided in Annex A to this DPA.

4. PRIMARY SUBJECT OF THE AGREEMENT

4.1 The Parties acknowledge that given the provision of the Services, UgenTec will, as mentioned in the Agreement, process Personal Data on behalf of the Customer. When and where UgenTec acts as a Processor, it purely acts as a facilitator of the Services. Hence, the Controller shall be solely responsible on how it makes use of the Services.

4.2 The Parties guarantee that they (as well as their Employees) will process the Personal Data in accordance with the Privacy Legislation.

4.3 Both Parties will mutually support each other in the performance of their obligations under the Privacy Legislation and the Customer will inform UgenTec about any specific provisions of the Privacy Legislation that deviate from the legislation of the European Union regarding the protection of Personal Data (e.g. in correlation to the identity and thus location of the End Users).

4.4 Each Party, when and where it acts as a Controller, owns and retains full control concerning (i) the types of Processing of the Personal Data, (ii) the types of Personal Data to be Processed, (iii) the purposes of the Processing and (iv) the fact whether such Processing is proportionate.

4.5 Moreover, each Party, when and where it acts as a Controller, is solely responsible to comply with all (legal) obligations under the Privacy Legislation in its capacity as Controller and will have the sole responsibility for the accuracy, quality and legality of the Personal Data and the means by which it acquired such Personal Data.

4.6 Irrespective of its roles (be it Controller or Processor), UgenTec shall solely disclose the Personal Data to those Employees who need (access to) the Personal Data for the performance of its obligations under the Agreement, and for the remainder keep them confidential, unless the Customer has given its prior consent to such disclosure or such disclosure is required by law or by court order or other governmental decision (of any kind).

4.7 UgenTec shall ensure that its Employees are informed about the confidential nature of the Personal Data, have received appropriate training on their responsibilities and have executed written confidentiality agreements (which obligations shall survive the termination of such Employee’s engagement).

5. ANONYMIZED AND AGGREGATED DATA

5.1 The Parties acknowledge that UgenTec may use anonymized and aggregate data, such as data generated by the UgenTec-Platform for a.o. the following purposes:

a) to provide summaries and insights on the use of the UgenTec-Platform and the assays for the UgenTec-Platform to the Customer (to the extent these Services are included in the Agreement),

b) to perform statistic (non-clinical) analyses and to create demographic overviews of test results in order to detect or predict epidemics, spread of illnesses, etc.,

c) to create fully anonymized demo data, and

d) to improve or increase the services offered by UgenTec.

5.2 Strictly related to these purposes, UgenTec may also provide the anonymized and aggregate data to third parties, it being noted that UgenTec is solely responsible to ensure full compliance thereof with Privacy Legislation.

5.3 As these anonymized and aggregate data cannot in any manner be linked to a corresponding data subject, these data do not constitute Personal Data in the context of the Agreement. The other provisions of this DPA do not apply to these anonymized and aggregate data. . After the data has been fully anonymized and aggregated by UgenTec, the other provisions of this DPA do not apply to this anonymized and aggregated data. In this respect, UgenTec is sole controller.

6. SUB-PROCESSORS

6.1 Schedule B lists the Sub Processors UgenTec may engage in the processing of the Personal Data.

6.2 UgenTec ensures that all Sub Processors engaged by it in the processing of the Personal Data are obliged to comply with at least the same level of protection of Personal Data as mentioned in this DPA.

6.3 Where a Sub Processor fails to fulfil its data protection obligations, UgenTec shall remain fully liable to the Customer for the performance of that Sub Processor's obligations.

6.4 UgenTec may update the list of Sub Processors from time to time and shall inform the Customer of any changes to this list where they are relevant to data processing activities where Customer is Controller and UgenTec is Processor. The Customer is entitled to reasonably oppose to the appointment of a new Sub Processor by UgenTec, which will be taken into consideration by UgenTec. If the Customer wishes to exercise this right to object, the Customer shall notify UgenTec in writing and in a reasoned manner ultimately within ten (10) days upon receipt of UgenTec’s notice. If no objection is raised during this period, the changes are deemed to be accepted by the Customer.

6.5 In the event the Customer reasonably objects to the engagement of a new Sub Processor, UgenTec will use reasonable efforts to (i) find another Sub Processor of whom the Customer approves or (ii) ensure that the Sub Processor guarantees to act according to the (additional) reasonable requirements and conditions set by the Customer.

6.6 UgenTec shall not transfer Personal Data to a Sub Processor located outside of the European Economic Area to a country not adducing an adequate level of data protection without the Customer's prior specific authorization and without that such transfer is covered by appropriate safeguards in accordance with the Privacy Legislation.

7. SECURITY OF THE PROCESSING

7.1 In accordance with the essence of the right to data protection, the fundamental rights and the interests of a data subject, the contractual agreements between the Parties (e.g. service level agreements) and taking into account the state of the art in data security, costs of implementation and the nature of the data (e.g. genetic data) and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of the Data Subjects, UgenTec implements appropriate technical and organizational measures for the protection, confidentiality and integrity of the Personal Data, including protection against Data Breach, such as:

a) the pseudonymisation and encryption of Personal Data,

b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of Processing systems and services,

c) the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident, and

d) process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing

7.2 The Parties agree that with regard to article 7.1 and in order to meet the reliability requirements set by the Customer, UgenTec will implement the technical and organizational security measures as described in Schedule C.

7.3 UgenTec will regularly review its technical and organizational security measures, and update them where necessary.

8. SECURITY REPORTS AND AUDIT RIGHT

8.1 As part of the review and evaluation of the security measures, UgenTec will once every year have a security audit performed by an independent third party (expert), according to generally accepted audit standards which will be documented in a written security report. The Customer may request a copy of this security report.

8.2 UgenTec shall take reasonable measures in order to adequately recover the observed critical threats, weaknesses and other identified problems, and promptly implement the necessary improvements identified in the security report.

8.3 UgenTec shall make available to the Customer all information reasonably required to allow verification by the Customer of UgenTec's compliance with the provisions of this DPA and allow for and reasonably participate to reasonable inspections, including audits, conducted by the Customer or by an auditor mandated by the Customer, which will be announced at least three (3) weeks in advance and occur at the Customer sole expense and with a maximum of once (1) a year.

9. LOCATION OF PROCESSING AND POSSIBLE TRANSFERS

9.1 Irrespective of the processing location chosen by the Customer, UgenTec will process all Personal Data (or have Personal Data processed by Sub Processors) related to logging in to the UgenTec-Platform (including authentication) in the European Economic Area.

9.2 UgenTec will not transfer such Personal Data outside of the European Economic Area, unless:

a) the Customer has given its express consent thereto and

b) the country to which the Personal Data are transferred falls under an adequacy decision issued by the European Commission, or such transfer is governed by the terms of an agreement, containing either standard contractual clauses as published in the Decision of the European Commission of 4 June 2021 (Decision 2021/914) or other mechanisms foreseen by the Privacy Legislation.

9.3 The Customer nor End Users shall not access the UgenTec-Platform from a country outside the European Economic Area, unless agreed otherwise in writing.

10. DATA BREACH NOTIFICATION

10.1 Both Parties maintain reasonable procedures designed to detect and respond to Data Breaches, including procedures for preventive and corrective actions, and also to avoid recurrence of any Data Breaches.

10.2 Irrespective of the roles of Parties (be it controller or processor), both Parties acknowledge and agree to support each other if either Party detects a Data Breach or has established that a Data Breach has occurred in the Processing operations related to this DPA, such Party shall notify the other Party as soon as possible and this within the legal timeframe as stipulated by Privacy Legislation and this, by e-mail and by telephone to the (backup) contact person(s) of the other Party referred to in Schedule D. Should such Party not reach the other Party’s contact persons immediately, it shall use all reasonable efforts to contact an appropriate person within the other Party directly.

10.3 When and where UgenTec acts as Processor and the Customer is Controller, UgenTec shall provide reasonable feedback and support to the Customer upon discovery or reasonable suspicion of a Data Breach where UgenTec is involved.

10.4 UgenTec shall notify the Customer in writing about the following: (i) the date of discovery or reasonable suspicion of a Data Breach, (ii) a description of the (potential) Data Breach, (iii) the names of the Data Subjects whose Personal Data might possibly have been affected as well as (iv) a description of the type of the affected Personal Data. In such case, UgenTec shall with all reasonable assistance (i) thoroughly investigate the potential Data Breach, (ii) take appropriate measures to remedy the situation / to avoid a recurrence or occurrence of a similar situation, and (iii) support the other Party in compliance with the Privacy Legislation in relation to its Data Breach notification duties towards affected Data Subjects or authorities.

11. REQUESTS OF DATA SUBJECTS

11.1 UgenTec shall at all times reasonably cooperate with the Customer to enable it to fully comply with its obligations as Data Controller if a Data Subject exercises any of its rights under the Privacy Legislation.

11.2 UgenTec shall notify the Customer in writing if it receives a request from a Data Subject as set forth in the previous clause no later than five (5) Business Days after receiving such request, and shall provide the Customer with copies of all the correspondence it has received in this respect. Upon timely provision of this information by UgenTec, solely the Customer is responsible to respond to the Data Subject’s request in accordance with the Privacy Legislation.

11.3 Upon express request by the Customer, UgenTec shall correct, delete or otherwise amend the Personal Data, in accordance with the reasonable instructions of Customer and to the extent permitted under the Privacy Legislation.

11.4 The Customer is not responsible for costs arising from UgenTec’s provision of regular assistance, which are considered as the costs involved with enabling the Customer to comply with its legal obligations towards Data Subjects or Governmental Authorities (such as correcting, deleting or amending Personal Data of Data Subjects or assistance in relation to Data Breaches). If the costs are the result of the Customer’s instructions with a broader scope, such costs will be borne by the Customer.

12. REQUESTS OF GOVERNMENTAL AUTHORITIES

12.1 In case UgenTec receives a request from a Governmental Authority relating to (inspection of) the Personal Data, UgenTec shall as soon as possible – to the extent reasonable prior to providing (inspection of) Personal Data – inform the Customer thereof in writing, and provide the Customer with copies of all the correspondence it has received in this respect. UgenTec shall solely respond to such request in case of a legal obligation under the Privacy Legislation. The Customer may provide UgenTec with reasonable instructions in this respect which UgenTec shall follow, unless this would impede the fulfillment of the aforementioned legal obligation under Privacy Legislation.

12.2 To safeguard the protection of Personal Data, UgenTec shall not provide more Personal Data to the Governmental Authority than strictly necessary to meet the request of such Governmental Authority.

13. TERM, TERMINATION AND RETURN AND DELETION OF PERSONAL DATA

13.1 This DPA remains in effect for the duration of the Agreement. In the event the Agreement is terminated, this DPA is terminated as well. Early termination of this DPA alone is not possible.

13.2 Unless UgenTec is required by the Privacy Legislation to retain the Personal Data, UgenTec shall upon termination of this DPA or on such earlier date that the Customer determines the Personal Data or any part of it is no longer required to provide the Services, ensure that, at the Customer’s choice, communicated to UgenTec in writing, (i) the Personal Data will be returned or provided to the Customer or an alternative service provider appointed by the Customer by download or at the expense of the Customer on a data carrier that the Customer deems to be suitable, or (ii) the Personal Data will be destroyed.

13.3 UgenTec commits to immediately cease and desist all Processing of (the relevant) Personal Data upon providing, returning or destroying the Personal Data, except to the extent these Personal Data may be part of backups which cannot for technical reasons be removed. UgenTec shall provide the Customer with a statement in writing and a guarantee, and allow Customer to verify that the (relevant) Personal Data will no longer be processed (save for storage) by UgenTec or a subcontractor engaged by UgenTec.

13.4 If the Customer, upon termination of the Agreement, has expressed its wish to continue the Processing of the Personal Data, and it is not reasonably possible to return the Personal Data to the Customer or a replacing service provider in such a manner that the Processing of the Personal Data can be continued without any irregularities, UgenTec will, upon the request and at the expense of the Customer, continue the Processing of the Personal Data during a reasonable term as an emergency plan, under similar conditions which have been laid down in this DPA and the Agreement, until the Customer or another service provider reasonably can take care of the Processing of the Personal Data and the Personal Data can be provided in an appropriate manner.

13.5 Any obligation arising from this DPA that by nature has post-contractual effect shall continue to be in effect after the termination of this DPA.

14. LIABILITY

14.1 The Parties shall each be responsible and liable for their own actions.

14.2 Without detriment to the fact that the liability of Parties is regulated within the framework of the Agreement, it is expressly agreed that the Customer as Controller shall reimburse and indemnify UgenTec as Processor for all claims, actions, demands by third parties and for all direct damage and direct losses (also including fines imposed by the data protection authority) resulting from situations for which the Controller is liable and the Processor was involved in a unlawful or unnecessary manner.

14.3 The Parties shall ensure sufficient cover of their liability in this particular respect.

Schedule A: Overview of the Processing Activities
Ugentec as a Processor

Types of (Personal) Data processed by UgenTec

Ways, purposes and means of the data processing activities

Duration of the data processing

Categories of Data subjects

Personal Medical Data: PCR-data and derived results

(Patient pseudonymized test data including but not limited to raw data, genetic data, results, subject-information, used assay plugins …)

Laboratory information
(including but not limited to laboratories, devices)

Store, process, visualize.
To improve and/or expand the products and services offered by UgenTec, if so requested by Controller.
Project management
Support services

All PCR data and derived results are stored within the selected region.

Stored for 10 years, or the complete product lifecycle period of the product as a medical device (required by ISO 13485)

Patient
(pseudonymized)

End User

Ugentec as a Controller

Types of (Personal) Data processed by UgenTec	Ways, purposes and means of the data processing activities	Duration of the data processing	Categories of Data subjects
Anonymized and aggregate non-personal data (i.e. information that has been stripped of subject-information and aggregated with information of others or anonymized so that the subject cannot reasonably be identified as an individual)	May be shared with third-parties e.g. through anonymized demo data, epidemiology analyses or summary reports.	Stored for up to 100 years	Patient (pseudonymized)
User identification information I.e. personal (e-)identification data such as e-mail address, name, title, geography, IP address, cookies, session information	Store, process, visualize To improve and/or increase the products and services offered by UgenTec. Support services (including personalised follow-up regarding old and new features) User information is stored within the Admin module in the West-European region.	Stored until 5 years after license expiry	End User
CRM-information I.e. financial identification data: name, geography, identification number, etc.	Used for accounting and compliance purposes Used for customer due diligence, embargo, and sanctions screening To provide summary reports to diagnostic companies where applicable	Customer and accounting information is stored for 10 years.	Customer

Schedule B: Subcontractors & Third-party Software

Sub processor:
Microsoft	Hosting the FastFinder platform
Third party software:
HubSpot	Customer relationship management platform
ZenDesk	Support management platform
Teamleader	Electronic resource planning platform
Atlassian	Project management & product development tool

Schedule C: Technical & Organizational Security Measures

Reliability requirements and security measures

Elaboration of specific technical and organizational measures implemented by UgenTec
Organizational measures:
Good practices to keep overview on the organization with an adequate governance framework.
User level access control for all software/systems that can contain Personal Data.
User-access-level requests with multiple reviewers to guarantee user access control policy.
Strict infrastructure & security policy.
Strict password management.
Advanced training for every new employee in the infrastructure & security policy.
Access control for every room who is used to store Personal Data..
Certified supplier for the hosting of the FastFinder product.
Recurrent risk analysis to detect potential product risks (f.e. in regards to data processing).
Clear procedures to protect Personal Data..
Clear procedure when access to Personal Data need to revoked.
Clear resources/asset management for all electronic devices
Dedicated security officer who is responsible to maintain the security policy and make sure the policy is followed
Strict supplier management with recurring review and a advanced supplier assessment before selection of a new supplier
Clear incident management plan
all employees are adequately informed about the security controls of the IT system that relate to their everyday work.
The organization ensures that all employees understand their responsibilities and obligations related to the processing of Personal Data. Roles and responsibilities are clearly communicated.
Full backups are carried out regularly.
During the development lifecycle best practices, state of the art and well acknowledged secure development practices, frameworks or standards are followed.
Specific security requirements are defined during the early stages of the development lifecycle.

Technical measures

SSL encrypted connections between client & server side.
Dedicated databases per laboratory.
Proven SSL certificates for the back-end services.
Strict access control towards to database & storage management.
Software development is done on a development environment, and in no case on the production environment with Personal Data.
Copies of the backup are securely stored in different locations.

Schedule D : Contacts & Back ups

UgenTec	Name and job title	Telephone numbers	Other information, including email addresses
Primary contact	Wouter Uten, COO	003278484479	Wouter.uten@ugentec.com
Back up contact 1	Willem Geerts, support engineer	078484655	Willem.geerts@ugentec.com
Back up contact 2	Steven Verhoeven, CEO	003278484479	Steven.verhoeven@ugentec.com

Data Protection Agreement.