Data Processing Addendum - June 2025
This Data Processing Addendum (“Addendum”) supplements the Master Services Agreement (the “Agreement”) entered into by and between Customer (“Customer”) and Ketryx Corporation (“Ketryx”). This Addendum incorporates the terms of the Agreement, and any terms not defined in this Addendum shall have the meaning set forth in the Agreement.
1. Definitions
1.1 “Data Protection Law(s)” means the relevant data protection and data privacy laws, rules and regulations to which the Customer Personal Data are subject. “Applicable Data Protection Law(s)” shall include, but not be limited to, EU General Data Protection Regulation 2016/679 (“GDPR”) principles and requirements, and the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq. (“CCPA”).
1.2 “Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
1.3 “Personal Data” shall have the meaning assigned to the terms “personal data” or “personal information” under Applicable Data Protection Law(s).
1.4 “Process,” “Processes,” “Processing,” “Processed” means any operation or set of operations which is performed on data or sets of data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.
1.5 “Processor” means a natural or legal person, public authority, agency or other body which Processes Customer Personal Data on behalf of Customer subject to this Addendum.
1.6 “Technical and Organizational Measures Documentation” means the technical and organizational measures documentation applicable to the Services purchased by Customer, as described in summaries of the then-current ISO 13485, ISO 14971, IEC 62304 and SOC 2 audit reports (or comparable industry-standard successor report) that Ketryx generally makes available to its customers as updated from time to time, or otherwise made reasonably available by Ketryx.
1.7 “Security Incident(s)” means the breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data Processed by Ketryx.
1.8 “Services” means any and all services that Ketryx performs under the Agreement.
2. Processing of Data
2.1 The rights and obligations of the Customer with respect to this Processing are described herein. Customer shall, in its use of the Services, at all times Process Personal Data, and provide instructions for the Processing of Personal Data, in compliance with the Data Protection Laws. Customer shall ensure that its instructions comply with all laws, rules and regulations applicable in relation to the Personal Data, and that the Processing of Personal Data in accordance with Customer’s instructions will not cause Ketryx to be in breach of the Data Protection Laws. Customer is solely responsible for the accuracy, quality, and legality of (i) the Personal Data provided to Ketryx by or on behalf of Customer, (ii) the means by which Customer acquired any such Personal Data, and (iii) the instructions it provides to Ketryx regarding the Processing of such Personal Data. Customer shall not provide or make available to Ketryx any Personal Data in violation of the Agreement.
2.2 Ketryx shall not Process Personal Data (i) for purposes other than those set forth in the Agreement, (ii) in a manner inconsistent with the terms and conditions set forth in this Addendum or any other documented instructions provided by Customer, including with regard to transfers of personal data to a third country or an international organization and (iii) in violation of the Data Protection Laws. Customer hereby instructs Ketryx to Process Personal Data in accordance with the foregoing and as part of any Processing initiated by Customer in its use of the Services.
2.3 The subject matter, nature, purpose, and duration of this Processing, as well as the types of Personal Data collected and categories of Data Subjects, are described in Exhibit A to this Addendum.
2.4 Following completion of the Services, at Customer’s choice, Ketryx shall return or delete the Personal Data, unless further storage of Personal Data is required by applicable law. If Customer and Ketryx have entered into Standard Contractual Clauses as described in Section 7 (Transfers of Personal Data), the parties agree that the certification of deletion of Personal Data that is described in Clause 12(1) of the Standard Contractual Clauses shall be provided by Ketryx to Customer only upon Customer’s request.
3. CCPA
The parties acknowledge and agree that Ketryx is a service provider for the purposes of the CCPA. Ketryx shall not sell any personal information received from Customer that is subject to the CCPA and will not retain, use or disclose any such personal information except as necessary for the specific purpose of performing the Services as set forth in the Agreement with Customer, or otherwise as set forth in the Agreement or permitted by the CCPA. Ketryx certifies that it understands the rules, restrictions, requirements and definitions of the CCPA.
4. Authorized Employees
4.1 Ketryx shall take commercially reasonable steps to ensure the reliability and appropriate training of any Authorized Employee.
4.2 Ketryx shall ensure that all Authorized Employees are made aware of the confidential nature of Personal Data and have executed confidentiality agreements that prevent them from disclosing or otherwise Processing, both during and after their engagement with Ketryx, any Personal Data except in accordance with their obligations in connection with the Services.
4.3 Ketryx shall take commercially reasonable steps to limit access to Personal Data to only Authorized Employees.
5. Authorized Sub-Processors
5.1 Customer acknowledges and agrees that Ketryx may (i) engage the authorized sub-processors listed in Exhibit B to this Addendum (“Authorized Sub-Processors”) to access and Process Personal Data in connection with the Services and (ii) from time to time engage additional third parties for the purpose of providing the Services, including without limitation the Processing of Personal Data (“Sub-Processors”). By way of this Addendum, Customer provides general written authorization to Ketryx to engage Sub-Processors as necessary to perform the Services.
5.2 In addition to Authorized Sub-Processors, Ketryx may add other Sub-Processors by providing Customer with at least ten (10) days prior notice before enabling any Sub-Processor other than Authorized Sub-Processors to access or participate in the Processing of Personal Data. Customer may reasonably object to such an engagement on legitimate grounds by informing Ketryx in writing within ten (10) days of receipt of the aforementioned notice by Customer. Customer acknowledges that certain Sub-Processors are essential to providing the Services and that objecting to the use of a Sub-Processor may prevent Ketryx from offering the Services to Customer.
5.3 If Customer reasonably objects to an engagement in accordance with Section 5.2, and Ketryx cannot provide a commercially reasonable alternative within a reasonable period of time, either party may terminate the Agreement.
5.4 If Customer does not object to the engagement of a third party in accordance with Section 5.2 within ten (10) days of notice by Ketryx, that third party will be deemed an Authorized Sub-Processor for the purposes of this Addendum.
5.5 Ketryx will enter into a written agreement with the Authorized Sub-Processor imposing on the Authorized Sub-Processor data protection obligations comparable to those imposed on Ketryx under this Addendum with respect to the protection of Personal Data. In case an Authorized Sub-Processor fails to fulfill its data protection obligations under such written agreement with Ketryx, Ketryx will remain responsible to Customer for the performance of the Authorized Sub-Processor’s obligations under such agreement.
5.6 If Customer and Ketryx have entered into Standard Contractual Clauses as described in Section 7 (Transfers of Personal Data), the above authorizations will constitute Customer’s prior written consent to the subcontracting by Ketryx of the processing of Personal Data if such consent is required under the Standard Contractual Clauses.
6. Security of Personal Data
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Ketryx shall maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk of processing personal data.
7. Transfers of Personal Data
7.1 The parties agree that Ketryx may transfer Personal Data processed under this Addendum outside the European Economic Area (“EEA”) or Switzerland as necessary to provide the Services. If Ketryx transfers Personal Data protected under this Addendum to a jurisdiction for which the European Commission has not issued an adequacy decision, Ketryx will ensure that appropriate safeguards have been implemented for the transfer of Personal Data in accordance with Data Protection Laws.
7.2 For the purposes of any transfer of Personal Data to countries which are not deemed to provide an adequate level of data protection, the parties agree to enter into the Standard Contractual Clauses which are incorporated into this DPA by reference as set forth in Exhibit C to this Addendum (“EU SCC”).
7.3 UK Transfer Mechanism. To the extent the Personal Data is subject to UK Data Protection Laws (i.e. all laws relating to data protection, the processing of personal data, privacy and/or electronic communications in force from time to time in the UK, including the UK GDPR and the Data Protection Act 2018), the Parties agree to process such Personal Data in compliance with the EU SCCs and the International Data Transfer Addendum to the EU SCCs issued by the UK Information Commissioner’s Office (“UK Addendum”), which are incorporated herein by reference and form an integral part of this DPA, with the following modifications:
(a) The EU SCCs shall be deemed amended as specified by Part 2 of the UK Addendum;
(b) Tables 1 to 3 in Part 1 of the UK Addendum shall be deemed completed respectively with the information set out in this DPA, including the exhibits hereto (as applicable);
(c) In Table 4 of the UK Addendum, both the data importer and data exporter may end the UK Addendum.
7.4 Swiss Transfer Mechanism. To the extent the Personal Data is subject to the new Swiss Federal Act on Data Protection (“nFADP”), the Parties shall take all such measures as are necessary to ensure that the processing is in compliance with the nFADP. The Parties agree to subject all data processing to the GDPR standard, and to process such Personal Data in compliance with the EU SCCs, which are incorporated herein in full by reference and form an integral part of this DPA, with the following modifications:
(a) If the data transfers are subject to the nFADP, the competent supervisory authority is the Federal Data Protection and Information Commissioner (Feldeggweg 1, CH - 3003 Bern, Switzerland) (FDPIC).
(b) The term “Member State” may not be interpreted in such a way that affected persons in Switzerland are excluded from the possibility of claiming their rights at their habitual residence in accordance with Clause 18 (c) of the EU SCC, therefore the Swiss courts are the alternative place of jurisdiction for persons with habitual residence in Switzerland.
8. Rights of Data Subjects
Ketryx shall, to the extent permitted by law, notify Customer upon receipt of a request by a Data Subject to exercise one or more of the following Data Subject’s rights: (i) access, (ii) rectification, (iii) erasure, (iv) data portability, (v) restriction or cessation of Processing, (vi) withdrawal of consent to Processing, and/or (vii) objection to being subject to Processing that constitutes automated decision-making (such requests individually and collectively “Data Subject Request(s)”). If Ketryx receives a Data Subject Request in relation to Customer’s data, Ketryx will advise the Data Subject to submit their request to Customer and Customer will be responsible for responding to such request, including, where necessary, by using the functionality of the Services. Customer is solely responsible for ensuring that Data Subject Requests for erasure, restriction or cessation of Processing, or withdrawal of consent to Processing of any Personal Data are communicated to Ketryx, and for ensuring that a record of consent to Processing is maintained with respect to each Data Subject.
9. Audit, Cooperation and Compliance
9.1 Ketryx shall, taking into account the nature of the Processing and the information available to Ketryx, provide Customer with reasonable cooperation and assistance where necessary for Customer to comply with its obligations under the GDPR to conduct a data protection impact assessment and/or to demonstrate such compliance, provided that Customer does not otherwise have access to the relevant information.
9.2 Ketryx shall, taking into account the nature of the Processing and the information available to Ketryx, provide Customer with reasonable cooperation and assistance with respect to Customer’s cooperation and/or prior consultation with any Supervisory Authority, where necessary and where required by the GDPR. Customer shall be responsible to the extent legally permitted for any costs and expenses arising from any such assistance by Ketryx.
9.3 Ketryx shall maintain records sufficient to demonstrate its compliance with its obligations under this Addendum, and retain such records for a period of three (3) years after the termination of the Agreement. Customer shall, with reasonable notice to Ketryx, have the right to review, audit and copy such records at Ketryx’s offices during regular business hours.
9.4 Ketryx will make available to Customer all information reasonably necessary to demonstrate compliance with its obligations under the Data Protection Laws. Ketryx has obtained the third-party certifications and audits set forth in the Technical and Organizational Measures Documentation. Upon Customer’s written request at reasonable intervals, Ketryx shall provide a copy of Ketryx’s then most recent summaries of third-party audits or certifications, as applicable, that Ketryx generally makes available to its customers at the time of such request. The parties agree that the audit rights described in Article 28 of the GDPR shall be satisfied by Ketryx’s provision of such summaries. If Customer and Ketryx have entered into Standard Contractual Clauses as described in Section 7 (Transfers of Personal Data), the parties agree that the audits described in Clause 5(f) and Clause 12(2) of the Standard Contractual Clauses shall be carried out in accordance with this Section 9.4.
9.5 Ketryx shall without undue delay notify Customer if an instruction, in Ketryx’s opinion, infringes the Data Protection Laws or Supervisory Authority.
10. Security Incident
10.1 In the event of a Security Incident, Ketryx shall, without undue delay, inform Customer of the Security Incident and take such steps as Ketryx in its sole discretion deems necessary and reasonable to remediate such violation (to the extent that remediation is within Ketryx’s reasonable control).
10.2 In the event of a Security Incident, Ketryx shall, taking into account the nature of the Processing and the information available to Ketryx, provide Customer with reasonable cooperation and assistance necessary for Customer to comply with its obligations under the Data Protection Laws with respect to notifying (i) the relevant Supervisory Authority and (ii) Data Subjects affected by such Security Incident without undue delay.
10.3 The obligations described in Sections 10.1 and 10.2 shall not apply in the event that a Security Incident results from the actions or omissions of Customer. Ketryx’s obligation to report or respond to a Security Incident under Sections 10.1 and 10.2 will not be construed as an acknowledgement by Ketryx of any fault or liability with respect to the Security Incident.
Exhibit A - Details of Processing
Exhibit B - Authorized Sub-Processors
Customer acknowledges and agrees that the following entities shall be deemed Authorized Sub-Processors that may Process Personal Data pursuant to this Addendum:
Exhibit C - Standard Contractual Clauses Elections
1. The EU SCCs are hereby incorporated into this DPA by reference as follows:
(a) Customer is the “data exporter” and Ketryx is the “data importer”.
(b) Module Two (Controller to Processor) applies where Customer is a Controller of Customer Personal Data and Ketryx is Processing Customer Personal data as a Processor.
(c) Module Three (Processor to Processor) applies where Customer is a Processor of Customer Personal Data and Ketryx is Processing Customer Personal Data as another Processor.
(d) By entering into this DPA, each party is deemed to have signed the EU SCCs as of the commencement date of the Agreement.
2. For each Module, where applicable:
(a) In Clause 7, the optional docking clause applies.
(b) In Clause 9, Option 2 applies, and the time period for prior notice of Sub-processor changes is stated in Section 5 (Authorized Sub-Processors) of this DPA.
(c) In Clause 11, the optional language does not apply.
(d) In Clause 17, Option 1 applies, and the EU SCCs are governed by German law.
(e) In Clause 18(b), disputes will be resolved before the courts of Germany.
(f) The Appendix of EU SCCs is populated as follows:
i) The information required for Annex I(A) (LIST OF PARTIES) is located in the Agreement and/or relevant Orders.
ii) The information required for Annex I(B) (DESCRIPTION OF TRANSFER) is located in Exhibit A (Details of Processing) of this DPA.
iii) The competent supervisory authority in Annex I(C) (COMPETENT SUPERVISORY AUTHORITY) shall be:
Der Hamburgische Beauftragte für Datenschutz und Informationsfreiheit der Freien und Hansestadt Hamburg,
Ludwig-Erhard-Str. 22,
20459 Hamburg, Germany
iv) The information required for Annex II (TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA) is as detailed below:
(1) Pseudonymization and encryption of personal data
(2) Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services
(3) Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
(4) Processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing
(5) Measures for user identification and authorization
(6) Measures for the protection of data during transmission
(7) Measures for the protection of data during storage
(8) Measures for ensuring physical security of locations at which personal data are processed
(9) Measures for ensuring events logging
(10) Measures for ensuring system configuration, including default configuration
(11) Measures for internal IT and IT security governance and management
(12) Measures for certification/assurance of processes and products
v) The information required for Annex III (LIST OF SUB-PROCESSORS) is located in Exhibit B (Authorized Sub-Processors) to this DPA.