Lumen Clinical Assessments

THIS DATA PROCESSING AGREEMENT (the “Agreement”) is entered into by and between:

Polygon Digital, [Insert Company Registration Number], having its principal place of business at [Insert Address] (“Data Processor”); and

Designated Buyers (“Data Controller”);

Each a “Party”, and together the “Parties”.

Recitals

(A) The Data Controller is a controller of personal data.

(B) The Data Processor provides certain platforms and services to the Data Controller as detailed in the underlying service agreement (the “Principal Agreement”).

(D) The Parties intend this Agreement to govern the processing of that personal data in compliance with the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and the Irish Data Protection Act 2018.

NOW, THEREFORE, the Parties agree as follows:

1. Definitions

Unless otherwise defined in this Agreement, capitalised terms shall have the meaning given to them in the GDPR.

1.1. “Data Controller”, “Data Processor”, “Data Subject”, “Personal Data”, “Processing”, “Personal Data Breach”, “Supervisory Authority”: shall have the meanings ascribed to them in the GDPR.

1.2. “GDPR”: means the General Data Protection Regulation (EU) 2016/679.

1.3. “Data Protection Laws”: means the GDPR, the Irish Data Protection Act 2018, and any other applicable EU or Irish data protection or privacy law as amended or replaced from time to time.

1.4. “Instructions”: means the written instructions provided by the Data Controller to the Data Processor for the Processing of Personal Data, which shall initially be set out in this Agreement and the Principal Agreement.

1.5. “Permitted Purposes”: means the processing necessary to perform the services under the Principal Agreement or as otherwise agreed to in writing by the Parties.

1.6. “Sub-processor”: means another processor engaged by the Data Processor to process Personal Data on behalf of the Data Controller.

2. Obligations of the Data Processor

The Data Processor agrees to:

2.1. Process only on Instructions: Process the Personal Data only on the documented Instructions of the Data Controller for the Permitted Purposes, unless required to do so by EU or Member State law to which the Processor is subject. In such a case, the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.

2.2. International Transfers: Not transfer Personal Data outside the European Economic Area (EEA) without the prior written consent of the Data Controller and only on the basis of appropriate safeguards in accordance with Data Protection Laws (e.g., Standard Contractual Clauses).

2.3. Confidentiality: Ensure that persons authorised to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

2.4. Security of Processing: Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including as appropriate the measures described in Article 32 of the GDPR (e.g., pseudonymisation, encryption, confidentiality, integrity, availability, and resilience). A summary of security measures is available at [Link to Polygon Digital Security Documentation].

2.5. Sub-processing: Not engage another processor (Sub-processor) without prior specific or general written authorisation of the Data Controller.

2.5.1. The Data Processor provides a general authorisation for the engagement of Sub-processors. A current list of Sub-processors is available at [Link to Polygon Digital Sub-processor List].

2.5.2. The Data Processor shall inform the Data Controller of any intended changes concerning the addition or replacement of Sub-processors at least 30 days in advance, thereby giving the Data Controller the opportunity to object to such changes.

2.5.3. Where the Data Processor engages a Sub-processor, it shall do so by way of a contract which imposes on the Sub-processor the same data protection obligations as set out in this Agreement. The Data Processor shall remain fully liable to the Data Controller for the performance of the Sub-processor’s obligations.

2.6. Data Subject Rights: Assist the Data Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Data Controller’s obligation to respond to requests for exercising the data subject’s rights laid down in Chapter III of the GDPR (right of access, rectification, erasure, restriction, etc.).

2.7. Assistance with Compliance: Taking into account the nature of processing, assist the Data Controller in ensuring compliance with its obligations relating to security of processing (Art. 32), notification of Personal Data Breaches (Arts. 33, 34), and data protection impact assessments (Art. 35), as necessary and reasonable.

2.8. Breach Notification: Notify the Data Controller without undue delay (and in any event within 48 hours) after becoming aware of a Personal Data Breach affecting the Data Controller’s data. Such notification shall include, at a minimum, the information required under Article 33(3) of the GDPR.

2.9. Engagement with Supervisory Authority: Make available to the Data Controller all information necessary to demonstrate compliance with the obligations laid down in this Agreement and allow for and contribute to audits, including inspections, conducted by the Data Controller or another auditor mandated by the Data Controller. The Processor shall immediately inform the Controller if, in its opinion, an instruction infringes the GDPR or other EU or Member State data protection provisions.

3. Obligations of the Data Controller

The Data Controller undertakes to:

3.1. Lawful Processing: Ensure that the instructions for the processing of Personal Data comply with Data Protection Laws. The Controller shall be solely responsible for the lawfulness of the data processing under this Agreement.

3.2. Data Subject Information: Ensure that data subjects have been informed of the processing of their Personal Data as required by Articles 13 and 14 of the GDPR.

3.3. Retention Periods: Determine and communicate to the Processor the retention periods for the Personal Data, taking into account its obligations under applicable law. Any instructions for deletion must be provided in writing.

4. Term and Termination

4.1. Term: This Agreement shall remain in full force and effect for the duration of the Principal Agreement, or until the Processing of Personal Data under the Principal Agreement has ceased, whichever is later.

4.2. Return or Deletion of Data: Upon termination of the Principal Agreement or upon the Controller’s written request, the Data Processor shall, at the choice of the Data Controller, delete or return all the Personal Data to the Data Controller and delete existing copies unless EU or Member State law requires storage of the data. The Processor shall provide written certification of such deletion to the Controller.

5. Limitation of Liability

The liability of each Party under or in connection with this Agreement (including for breach of Data Protection Laws) shall be subject to the limitations of liability set out in the Principal Agreement, provided that nothing in this Agreement shall exclude or limit the liability of either Party for fines incurred by the other Party as a result of a breach of this Agreement or applicable Data Protection Laws.

6. Miscellaneous

6.1. Hierarchy: In the event of any conflict or inconsistency between the terms of this Agreement and the Principal Agreement, the terms of this Agreement shall prevail with respect to the subject matter of data protection.

6.2. Amendment: The Parties agree to review and amend this Agreement from time to time as necessary to ensure ongoing compliance with Data Protection Laws.

6.3. Governing Law: This Agreement shall be governed by and construed in accordance with the laws of Ireland.

Signatories

For and on behalf of Polygon Digital

Signature: __________________________

Name: ______________________________

Title: _______________________________

Date: ________________________________

For and on behalf of Designated Buyers (the Data Controller)