DATA PROCESSING
Addendum to the Sensing Tex contractual agreement
WHEN USING A SENSING TEX PLATFORM (sensinghealth.cloud or the ai.sensingtex.com member area)
This Data Processing Agreement (hereinafter referred to as the "Agreement" or "Addendum"), dated as of its digital signature, forms part of the latest contractual sale agreement for Sensing Tex kits (hereinafter referred to as the "Principal Agreement").
Between:
“Practitioner” (hereinafter referred to as the "Controller")
AND
SENSING TEX (hereinafter referred to as the "Processor"); the Controller and the Processor are hereinafter together referred to as the "Parties".
The purpose of the Agreement is to define the conditions to which the Processor undertakes to carry out, on the Controller’s behalf, the personal data processing operations defined below.
As part of their contractual relations, the Parties shall undertake to comply with the applicable regulations on personal data processing and in particular, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, the General Data Protection Regulation which is applicable from 25 May 2018 (hereinafter referred to as the “GDPR”).
In this Agreement, the following terms shall have the meanings set out below and cognate terms shall be construed accordingly:
"Process/Processing/Processed", "Data Controller", "Data Processor", "Data Subject", "Personal Data", "Special Categories of Personal Data", “Processing activities” and any further definition not included under this Agreement shall have the same meaning as in the GDPR.
“Patients” means Practitioner’s patients.
“EU” means European Union.
"EEA" means the European Economic Area.
"Product" means the Sensing Tex Kit.
"Third country" means any country outside EU/EEA, except where that country is the subject of a valid adequacy decision by the European Commission on the protection of Personal Data in Third Countries.
"Services" means the services to be supplied by the Processor to the Controller following the purchase of the Product.
This Agreement enters into force on digital signature of this document (hereinafter referred to as the "Agreement Effective Date") and remains in force for as long as the Product is used.
The Controller has commissioned the Processor to provide Services as long as the Product is in use.
The personal data processing services provided by the Processor are operated to provide the Practitioner with the walking profile of Patients using the Sensing Tex Kit.
The Controller has commissioned the Processor to provide the following services on its behalf:
(i) Management of Patient identification data;
(ii) Management of biomechanical parameters of Patient mobility.
The operations carried out on the data for purposes (i) and (ii) are:
Collection, storage and modification of the Practitioner's personal information for login to the application, use of the Services and customer relationship management;
Collection, storage and modification of the Patient's personal information required by the Practitioner for the use of the Services;
Searching for a Patient's account using one of the stored personal data items;
Import of structured data provided by the Practitioner into the Services;
Use by the Processor of anonymised biomechanical data for statistical purposes and Product improvement;
Automated data backup.
The Processor shall undertake to process the data solely for above mentioned purposes.
The categories of data subject are: Patients and Practitioners.
In order to provide the services mentioned under (i) and (ii), the Processor is authorised to process, on behalf of the Controller, the following categories of personal data, as necessary and depending on the data provided by the Controller and/or the Data Subject:
Personal identification data: surname, first name, profession, email, address, telephone number (mobile, private, professional), identifiers assigned by the Controller;
Personal details: sex, date of birth, weight, height, foot size; identification data: social security number, health insurance provider;
Care data: biomechanical measurements and parameters collected as a result of the use of the Product;
Electronic identification data: IP addresses, cookies, connection timestamps, electronic signature;
Security measures applied to the above data: pseudonymisation and controls protecting the confidentiality, integrity and availability of the data (e.g. credentials stored only in hashed form).
In accordance with Article 28(3) of the GDPR, the Controller is responsible for the processing of personal data and has the rights defined in Article 28 of the GDPR.
The Controller has primary responsibility and undertakes to:
Provide the Processor with the data mentioned in this document, which must have been obtained lawfully and in accordance with the applicable legislation;
Document, in writing, any instruction bearing on the processing of data by the Processor;
Provide the Processor with the data mentioned under point 5 of the Agreement;
Keep a record of the Processing activities under its own responsibility;
Implement, on its own side, all technical and organisational security measures needed to ensure a sufficient level of protection for Personal Data processed using the Processor's Services;
Ensure before and throughout the processing, compliance with the obligations set out in the GDPR;
Respect the rights of the Data Subject;
Notify the Processor of any security incidents concerning the Services provided;
Supervise the processing, including by conducting audits and inspections of the Processor when deemed necessary.
It is also the Controller's responsibility to provide the Data Subjects concerned by the processing operations with the required information at the time of data collection.
As long as the Processor processes Personal Data for the Controller, the following conditions apply in accordance with Article 28 of the GDPR:
The Processor undertakes to comply with all statutory provisions of the GDPR and of national data protection law. Any relocation of the data processing (including a transfer of the Processor's place of business) to a third country (outside the EU or the EEA) will be communicated in advance, allowing the Controller enough time to contest the change.
The Processor shall process the data only in accordance with the documented instructions of the Controller. Where the Processor is obliged to transfer personal data to a third country or an international organisation under EU law or the law of a Member State to which the Processor is subject, the Processor shall inform the Controller of that legal requirement before processing, unless the law in question prohibits such information on important grounds of public interest.
If the Processor considers that an instruction issued by the Controller violates the GDPR or other data protection law of the EU or of a Member State, the Processor must inform the Controller without delay and in good faith.
The Controller is entitled, itself or through third parties, to verify the Processor's and any subcontractors' compliance with all applicable data protection regulations and with the provisions of this Agreement. For this purpose, the Processor provides the Controller with the documentation necessary for the Controller, or any third party it has authorised, to conduct audits, including inspections, and contributes to such audits.
The Processor shall provide the Controller with all the necessary information to demonstrate compliance with its obligations imposed in the Agreement.
All employees and collaborators of the Processor are contractually bound to confidentiality.
The Processor shall carry out the processing only on the Controller's documented instructions, unless required to do otherwise by the law of the EU or of the Member State to which the Processor is subject; in such a case, the Processor shall inform the Controller of that legal requirement before processing, unless the law in question prohibits such communication on important grounds of public interest.
According to Article 30 of the GDPR, the Processor maintains a written record of all categories of processing activities carried out on behalf of the Controller, containing:
The name and contact details of the Controller on behalf of which the Processor is acting, any other processors and, where applicable, the Data Protection Officer;
The categories of processing carried out on behalf of the Controller;
Where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1) of the GDPR, the documentation of suitable safeguards;
Where possible, a general description of the technical and organizational security measures, including inter alia:
The pseudonymization and encryption of personal data;
The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
The Processor shall undertake to take into consideration, in terms of its tools, products, applications or services, the principles of data protection by design and by default.
The Processor shall assist the Controller in complying with the obligations set out in Articles 32 to 36 of the GDPR (security of processing, personal data breach notification, data protection impact assessments and prior consultation). In particular, the Processor shall assist the Controller in carrying out data protection impact assessments and in any prior consultation of the competent supervisory authority.
The Processor shall implement technical and organisational measures ensuring a level of security for the Data and/or the Data Processing that is appropriate to the risks identified, including inter alia:
The pseudonymisation and encryption of personal data;
The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
The security measures are intended to protect Personal Data from accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access.
The Processor shall communicate to the Controller the name and contact details of its Data Protection Officer, if it has designated one in accordance with Article 37 of the GDPR.
DPO contact: Legal Manager, email admin@sensingtex.com
The commissioning or use of subcontractors (hereinafter referred to as "subcontractors") is in principle permitted to the Processor. The Controller will be informed in advance of any intended commissioning or use of a subcontractor and is free to object within 14 days of that notice being sent.
In accordance with Article 28(4) of the GDPR, the Processor shall impose on each subcontractor, by contract, the same data protection obligations as those binding the Processor under this Agreement. Subcontractors are prohibited from processing data in, or transferring data to, a third country.
The Processor shall ensure that authorised persons who process, or have or can obtain access to, the data have committed themselves to confidentiality before processing or accessing such data, unless they are already subject to a statutory obligation of confidentiality, and shall ensure appropriate data protection awareness and training.
The Processor shall undertake all reasonable steps to protect the personal data processed hereunder.
At the time data are collected, the Processor must provide the Data Subjects concerned by the processing operations with information about the data processing it carries out.
If a Data Subject concerned turns to the Processor or a subcontractor instead of the Controller, the Processor will direct the Data Subject to submit the request directly to the Controller. The Processor will not forward such requests to the Controller.
The Processor shall assist the Controller, insofar as possible and by appropriate technical and organisational measures, in fulfilling its obligation to respond within a reasonable time to requests from Data Subjects exercising their rights under Chapter III of the GDPR (information, access, rectification and erasure, data portability, objection, and rights relating to automated individual decision-making, including profiling).
The Processor shall notify the Controller of any personal data breach no later than 48 hours after becoming aware of it, by email.
The said notification shall be sent along with any necessary documentation to enable the Controller, where necessary, to notify this breach to the competent supervisory authority.
Upon termination of the Agreement, all personal data will be deleted. The Controller must export its personal data before termination of the contract to avoid data loss.
The Processor will permanently destroy the data 10 years after the last use of the Product, unless there is an obligation under EU or national law to retain the personal data.
Data held in database backups is permanently removed only once a full backup cycle (3 months) has elapsed.
The Controller is given the option to configure the data retention period. By default, all data is kept for 5 years; this can be reduced to as little as 1 year according to the Controller's needs.
Under Article 83 of the GDPR, a fine may be imposed on a Controller or Processor that violates its data protection obligations, in particular those arising from the requirements of the GDPR.
This Agreement is valid upon explicit online approval by the Controller and for the duration of the Principal Agreement.