Effective Date. 5/25/2018
1. The terms and conditions in this Data Processing Addendum ("DPA") are entered into between White Diagnostic on behalf of itself and any Affiliates that are providing services to Customer ("White Diagnostic"); and You ("Customer"), pursuant to the terms of the Agreement (defined below).
2. This DPA, together with the Agreement, constitutes a legally binding agreement and governs Your use of the White Diagnostic Platform. Customer agrees that this DPA is like any written negotiated agreement signed by Customer and agrees to enter into this DPA on behalf of itself and, to the extent required under Applicable Data Protection Law, in the name and on behalf of its Controller Affiliates (defined below). For the purposes of this DPA only, and except where indicated otherwise, the term "Customer" shall include Customer and Controller Affiliates. If Customer does not agree to the terms of this DPA, Customer may not use the Services. All capitalized terms not defined herein shall have the meaning set forth in the Agreement.
3. Background
3.1. White Diagnostic and Customer have entered into a service agreement, together with one or more connected agreements (collectively the "Agreement"), pursuant to which White Diagnostic has agreed to provide the Services.
3.2. The parties wish to define their respective data protection obligations relating to White Diagnostic’s provision of Services to Customer.
4. Data Protection Obligations
4.1. Definitions: In this Clause, the following terms shall have the following meanings:
(a) "controller", "processor", "data subject", "personal data", "processing" (and "process") and "special categories of personal data" shall have the meanings given in Applicable Data Protection Law; and
(b) "Applicable Data Protection Law" shall mean the EU General Data Protection Regulation (Regulation 2016/679), together with any other laws applicable to the processing of personal data.
4.2. Relationship of the parties: Customer (the controller) appoints White Diagnostic as a processor to process the personal data described in the Agreement (the "Data") for the purposes described in the Agreement (or as otherwise agreed in writing by the parties) (the "Permitted Purpose").
Each party shall comply with the obligations that apply to it under Applicable Data Protection Law. If White Diagnostic becomes aware that processing for the Permitted Purpose infringes Applicable Data Protection Law, it shall promptly inform Customer.
4.3. Prohibited data: Customer shall not disclose (and shall not permit any data subject to disclose) any special categories of personal data to White Diagnostic for processing.
4.4. Data processing locations: As part of White Diagnostic’s processing functions for Customer, users' information may be processed using our data centers in the United States and the Netherlands.
4.5. Confidentiality of processing: White Diagnostic shall ensure that any person it authorizes to process the Data (an "Authorized Person") shall protect the Data in accordance with White Diagnostic’s confidentiality obligations under the Agreement.
4.6. Security: The processor shall implement technical and organizational measures to protect the Data (i) from accidental or unlawful destruction, and (ii) loss, alteration, unauthorized disclosure of, or access to the Data (a "Security Incident").
4.7. Sub-processing.
4.7.1. The Data Controller authorizes the Data Processor to appoint Sub-processors in accordance with this Paragraph 4.7.
4.7.2. The Data Processor may continue to use those Sub-processors already engaged by the Data Processor as of the Addendum Effective Date, subject to the Data Processor in each case as soon as reasonably practicable meeting the obligations set out in Paragraph 4.8.
4.7.3. The Data Processor shall give the Data Controller prior written notice of the appointment of any new Sub-processor, including reasonable details of the Processing to be undertaken by the Sub-processor. If, within ten (10) Business Days of receipt of that notice, the Data Controller notifies the Data Processor in writing of any objections (on reasonable grounds) to the proposed appointment:
a. The Data Processor shall use reasonable efforts to make available a commercially reasonable change in the provision of the Services which avoids the use of that proposed Sub-processor; and
b. where:
i. such a change cannot be made within sixty (60) days from the Data Processor’s receipt of the Data Controller’s notice;
ii. no commercially reasonable change is available; and/or
iii. the Data Controller declines to bear the cost of the proposed change,
notwithstanding anything in the Agreement, the Data Processor and/or the Data Controller may, by written notice to the other Party with immediate effect, terminate the Agreement either in whole or to the extent that it relates to the Services, which require the use of the proposed Sub-processor.
4.8. With respect to each Sub-processor, the Data Processor shall:
a. before the Sub-processor first Processes the Data Controller’s Personal Data (or, as soon as reasonably practicable, in accordance with Paragraph 4.9), carry out adequate due diligence to ensure that the Sub-processor is capable of providing the level of protection for the Data Controller’s Personal Data required by this DPA; and
b. ensure that the arrangement between the Data Processor and the Sub-processor is governed by a written contract including terms, which:
i. offer at least an equivalent level of protection for the Data Controller’s Personal Data as those set out in this DPA (including, in particular, those set out in Paragraph 4 above); and
ii. meet the requirements of Article 28(3) of the GDPR.
4.9. Cooperation and data subjects’ rights: White Diagnostic shall provide reasonable and timely assistance to Customer (at Customer's expense) to enable Customer to respond to: (i) any request from a data subject to exercise any of its rights under Applicable Data Protection Law (including its rights of access, correction, objection, erasure and data portability, as applicable); and (ii) any other correspondence, enquiry or complaint received from a data subject, regulator or other third party in connection with the processing of the Data. In the event that any such request, correspondence, enquiry or complaint is made directly to White Diagnostic, White Diagnostic shall promptly inform Customer providing full details of the same.
4.10. Data Protection Impact Assessment: White Diagnostic shall provide reasonable cooperation to Customer (at Customer's expense) in connection with any data protection impact assessment that may be required under Applicable Data Protection Law.
4.11. Security incidents: If it becomes aware of a confirmed Security Incident, White Diagnostic shall inform Customer without undue delay and shall provide reasonable information and cooperation to Customer so that Customer can fulfill any data breach reporting obligations it may have under (and in accordance with the timescales required by) Applicable Data Protection Law. White Diagnostic shall further take any reasonably necessary measures and actions to remedy or mitigate the effects of the Security Incident and shall keep Customer informed of all material developments in connection with the Security Incident.
4.12. Deletion or return of Data: Upon termination or expiry of the Agreement, White Diagnostic shall (at Customer's election) destroy or return to Customer all Data in its possession or control. This requirement shall not apply to the extent that White Diagnostic is required by applicable law to retain some or all of the Data, or to Data it has archived on backup systems, in which event White Diagnostic shall securely isolate and protect it from any further processing except to the extent required by such law until deletion is possible.
This Data Processor Addendum was last updated on 25 May 2018
© 2018 White Diagnostic inc. All rights reserved. White Diagnostic Data Processing Agreement