Data Processing Agreement (DPA)

This Data Processing Agreement (“DPA”) is entered into as of the Effective Date set forth in the Order, by and between the medical group or medical practice identified in the Order (“Controller” or “Business”) and Bioscope.ai, Inc. (“Processor” or “Service Provider”).

Recitals

WHEREAS, Controller and Processor have entered into a SaaS Agreement (the “Agreement”) pursuant to which Processor provides certain software services and related services to Controller;

WHEREAS, in connection with such services, Processor may process Personal Information on behalf of Controller;

WHEREAS, certain states have enacted comprehensive privacy laws regulating the processing of Personal Information, including the California Consumer Privacy Act as amended by the California Privacy Rights Act (“CCPA”), the Colorado Privacy Act (“CPA”), the Connecticut Data Privacy Act (“CTDPA”), the Utah Consumer Privacy Act (“UCPA”), the Virginia Consumer Data Protection Act (“VCDPA”), and similar laws (collectively, “State Privacy Laws”);

WHEREAS, the parties desire to comply with applicable State Privacy Laws and to protect the privacy rights of individuals whose Personal Information is processed under the Agreement;

NOW, THEREFORE, in consideration of the mutual promises below and the exchange of information pursuant to this DPA, the parties agree as follows:

1. Definitions

Terms used, but not otherwise defined, in this DPA shall have the same meaning as those terms in applicable State Privacy Laws or, if not defined therein, in the Agreement.

1.1 “Applicable Law” means any statute, law, regulation, ordinance, rule, judgment, order, decree, directive, guideline, policy, requirement, or other governmental restriction or any similar form of decision of, or determination by, any governmental authority, in each case as amended, that is binding upon a party.

1.2 “Consumer” or “Individual” means a natural person who is a resident of a state with an applicable State Privacy Law, as defined in such State Privacy Law.

1.3 “Consumer Health Data” means Personal Information that is identified as consumer health data under the My Health My Data Act (Washington) or Nevada’s consumer health data privacy law, or similar definitions under other state laws, including:

  • Individual’s health conditions, treatment, diseases, or diagnosis;
  • Social, psychological, behavioral, and medical interventions;
  • Health-related surgeries or procedures;
  • Use or purchase of prescribed medication;
  • Bodily functions, vital signs, measurements, or symptoms;
  • Diagnoses or diagnostic testing, treatment, or medication;
  • Gender-affirming care information;
  • Reproductive or sexual health information;
  • Biometric data;
  • Genetic data;
  • Precise location information that could reasonably indicate an individual’s attempt to acquire or receive health services or supplies;
  • Data that identifies an individual seeking health care services; or
  • Any information that is derived from or inferred from such data.

1.4 “Controller” or “Business” means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Information. For purposes of this DPA, “Controller” includes the entity defined as “Business” under the CCPA.

1.5 “De-identified Data” means information that cannot reasonably be used to infer information about, or otherwise be linked to, an identified or identifiable natural person, provided that the party possessing such information: (a) takes reasonable measures to ensure that such information cannot be associated with a natural person or household; (b) publicly commits to process such information only in a de-identified fashion and not attempt to re-identify such information; and (c) contractually obligates any recipients of such information to satisfy the criteria set forth in this definition.

1.6 “Genetic Data” means Personal Information concerning an individual’s genetic characteristics including raw sequence data from whole genome sequencing, processed variant data, genetic test results, and any information derived from the analysis of such genetic information.

1.7 “Personal Information” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular Consumer or household, as defined under applicable State Privacy Laws. Personal Information includes, without limitation, Consumer Health Data and Genetic Data.

1.8 “Processing” or “Process” means any operation or set of operations performed on Personal Information or on sets of Personal Information, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

1.9 “Processor” or “Service Provider” means a natural or legal person who Processes Personal Information on behalf of the Controller. For purposes of this DPA, “Processor” includes the entity defined as “Service Provider” under the CCPA and similar terms under other State Privacy Laws.

1.10 “Sale” shall have the meaning given to such term under applicable State Privacy Laws, generally meaning the exchange of Personal Information for monetary or other valuable consideration.

1.11 “Security Incident” means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Information.

1.12 “Sensitive Personal Information” means Personal Information that reveals an individual’s social security, driver’s license, state identification card, or passport number; account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account; precise geolocation; racial or ethnic origin, religious or philosophical beliefs, or union membership; contents of mail, email, and text messages unless the business is the intended recipient; genetic data; biometric information processed for the purpose of uniquely identifying an individual; personal information collected and analyzed concerning an individual’s health, sex life, or sexual orientation; and Consumer Health Data, as defined under applicable State Privacy Laws.

1.13 “Share” or “Sharing” means to release, disclose, disseminate, make available, transfer, or otherwise communicate orally, in writing, or by electronic or other means, Personal Information to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration, as defined under applicable State Privacy Laws.

1.14 “State Privacy Laws” means comprehensive state privacy laws including but not limited to: California Consumer Privacy Act as amended by the California Privacy Rights Act (Cal. Civ. Code §§ 1798.100 et seq.), Colorado Privacy Act (Colo. Rev. Stat. §§ 6-1-1301 et seq.), Connecticut Data Privacy Act (Conn. Gen. Stat. §§ 42-515 et seq.), Utah Consumer Privacy Act (Utah Code Ann. §§ 13-61-101 et seq.), Virginia Consumer Data Protection Act (Va. Code Ann. §§ 59.1-575 et seq.), Washington My Health My Data Act (RCW 19.373), Nevada consumer health data privacy law (NRS 439.), and any similar successor legislation or implementing regulations.

1.15 “Subprocessor” means any third party engaged by Processor to Process Personal Information on behalf of Controller in connection with the Services.

2. Scope and Applicability

2.1 Scope. This DPA applies to Processor’s Processing of Personal Information on behalf of Controller in connection with the Services, to the extent such Processing is subject to State Privacy Laws.

2.2 Roles. The parties acknowledge and agree that:

  • Controller is the Controller or Business with respect to Personal Information Processed under the Agreement;
  • Processor is the Processor or Service Provider with respect to such Personal Information;
  • Controller shall determine the purposes and means of Processing Personal Information;
  • Processor shall Process Personal Information only as a Processor or Service Provider on behalf of Controller.

2.3 Categories of Personal Information. Processor may Process the following categories of Personal Information on behalf of Controller:

  • Identifiers (name, contact information, government-issued identifiers);
  • Personal information as defined in Cal. Civ. Code § 1798.80(e) (signature, physical characteristics or description, contact information);
  • Protected classification characteristics (age, sex, gender, race, ethnicity, national origin);
  • Health and medical information (medical conditions, diagnoses, treatments, procedures, medications, test results, vital signs, symptoms);
  • Genetic Data (whole genome sequences, variant data, genetic test results, family health history, pharmacogenomics data);
  • Biometric information (physical characteristics from photographs, body composition data, fingerprints or other unique biological identifiers if collected);
  • Internet or other electronic network activity information (usage data, device information, IP address, browsing history within the Software Service);
  • Geolocation data (if collected through the Software Service);
  • Professional or employment-related information (medical practice information, professional licenses);
  • Education information;
  • Inferences drawn from any of the above to create a profile about health status, preferences, or characteristics;
  • Sensitive Personal Information, including Consumer Health Data and Genetic Data.

2.4 Purposes of Processing. Processor shall Process Personal Information solely for the following purposes:

  • Providing the Software Service as described in the Agreement;
  • Performing genetic data analysis and generating health insights;
  • Enabling AI-powered analysis of genetic and health data;
  • Integrating with electronic health records as requested by Controller;
  • Providing technical support and customer service;
  • Maintaining and improving the Software Service;
  • Ensuring security and integrity of the Software Service;
  • Complying with legal obligations;
  • Detecting and preventing fraud, security incidents, and illegal activity;
  • Other purposes expressly authorized in writing by Controller.

2.5 Data Subjects. Personal Information Processed under this DPA relates to the following categories of data subjects:

  • Patients of Controller who have authorized genetic testing and health analysis;
  • Authorized Users of Controller (physicians, clinicians, and other healthcare professionals);
  • Other individuals whose Personal Information is provided by Controller in connection with the Services.

3. Processor’s Obligations

3.1 Processing Instructions. Processor shall:

  • Process Personal Information only on documented instructions from Controller, including with respect to transfers of Personal Information to jurisdictions outside the United States, unless required to do so by Applicable Law;
  • Immediately inform Controller if, in Processor’s opinion, Controller’s instructions violate State Privacy Laws or other Applicable Law;
  • Not Process Personal Information for any purpose other than as necessary to provide the Services or as otherwise permitted under this DPA or the Agreement.

3.2 Compliance with State Privacy Laws. Processor shall:

  • Comply with all applicable obligations of Processors or Service Providers under State Privacy Laws;
  • Not Sell Personal Information;
  • Not retain, use, or disclose Personal Information outside of the direct business relationship with Controller, except as otherwise permitted under State Privacy Laws;
  • Not combine Personal Information received from Controller with Personal Information received from other sources, except as permitted by State Privacy Laws;
  • Certify that Processor understands the restrictions in this Section 3.2 and will comply with them.

3.3 Prohibited Processing of Sensitive Personal Information. Processor shall not:

  • Use or disclose Sensitive Personal Information (including Consumer Health Data and Genetic Data) for any purpose other than providing the Services;
  • Sell Sensitive Personal Information;
  • Process Sensitive Personal Information for purposes of inferring characteristics about Consumers, except as necessary to provide the Services;
  • Retain, use, or disclose Sensitive Personal Information for any commercial purpose other than providing the Services.

3.4 Security Measures. Processor shall implement and maintain appropriate technical and organizational measures to protect Personal Information against Security Incidents and to ensure a level of security appropriate to the risk, including:

(a) Technical Measures:

  • Encryption of Personal Information at rest using AES-256 or equivalent;
  • Encryption of Personal Information in transit using TLS 1.3 or higher;
  • Secure key management practices;
  • Network security controls including firewalls, intrusion detection/prevention systems;
  • Secure authentication mechanisms including multi-factor authentication;
  • Secure software development practices;
  • Regular vulnerability assessments and penetration testing;
  • Secure logging and monitoring of system access and activities.

(b) Organizational Measures:

  • Access controls limiting access to Personal Information to authorized personnel with legitimate need-to-know;
  • Workforce training on data protection and security;
  • Confidentiality agreements with personnel who have access to Personal Information;
  • Incident response procedures;
  • Business continuity and disaster recovery plans;
  • Regular security assessments and audits;
  • Vendor management program for Subprocessors;
  • Data retention and deletion procedures.

(c) Specific Measures for Genetic Data and Consumer Health Data:

  • Additional encryption and access control measures given the sensitive nature of genetic information;
  • Separation of genetic data from other Personal Information where technically feasible;
  • Audit logging of all access to genetic data;
  • Procedures to prevent unauthorized re-identification of de-identified genetic data.

3.5 Confidentiality. Processor shall ensure that all personnel who have access to Personal Information are subject to confidentiality obligations and are trained on the requirements of this DPA and applicable State Privacy Laws.

3.6 Subprocessors.

(a) Controller hereby provides general authorization for Processor to engage Subprocessors to Process Personal Information, subject to the requirements of this Section.

(b) Processor shall enter into a written agreement with each Subprocessor imposing data protection obligations substantially similar to those in this DPA.

(c) Processor maintains a current list of Subprocessors at https://security.bioscope.ai/legal, which Processor shall update prior to engaging any new Subprocessor or replacing an existing Subprocessor. Controller may raise concerns regarding any Subprocessor by contacting Processor, and Processor shall consider such concerns in good faith.

3.7 Assistance with Consumer Rights Requests. Processor shall, taking into account the nature of the Processing:

(a) Provide reasonable assistance to Controller in responding to requests from Consumers to exercise their rights under State Privacy Laws, including rights to:

  • Know what Personal Information is collected, used, disclosed, or Sold;
  • Access their Personal Information;
  • Delete their Personal Information;
  • Correct inaccurate Personal Information;
  • Opt-out of the Sale or Sharing of Personal Information;
  • Limit the use and disclosure of Sensitive Personal Information;
  • Not be subject to automated decision-making;
  • Data portability.

(b) Notify Controller within five (5) business days if Processor receives a request directly from a Consumer to exercise any rights under State Privacy Laws.

(c) Not respond directly to such requests without Controller’s prior written authorization.

(d) Provide Controller with the information and assistance necessary to respond to Consumer requests within the time periods required by State Privacy Laws (generally 45 days with a possible 45-day extension).

3.8 Assistance with Compliance Obligations. Processor shall provide reasonable assistance to Controller in:

(a) Conducting data protection impact assessments where required by State Privacy Laws;

(b) Implementing appropriate technical and organizational measures to comply with State Privacy Laws;

(c) Responding to inquiries from regulatory authorities regarding Processing of Personal Information;

(d) Preparing for and responding to regulatory audits or investigations.

3.9 Data Breach Notification.

(a) Processor shall notify Controller without unreasonable delay, and in no event later than forty-eight (48) hours after the confirmation of a Security Incident that affects Personal Information.

(b) Such notification shall include, to the extent available:

  • A description of the nature of the Security Incident, including the categories and approximate number of Consumers affected and the categories and approximate number of Personal Information records affected;
  • The contact information of Processor’s data protection officer or other relevant contact;
  • A description of the measures taken or proposed to be taken to address the Security Incident and to mitigate its possible adverse effects.

(c) Processor shall:

  • Investigate the Security Incident promptly and thoroughly;
  • Take reasonable steps to mitigate the effects of the Security Incident;
  • Cooperate with Controller in Controller’s investigation and response to the Security Incident;
  • Preserve all evidence relating to the Security Incident;
  • Provide Controller with periodic updates on the investigation and remediation efforts;
  • Implement measures to prevent similar Security Incidents in the future.

(d) Controller shall be responsible for determining whether notification to affected Consumers, regulatory authorities, or other parties is required under Applicable Law, and for making any such notifications.

3.10 Deletion of Personal Information.

(a) Upon termination or expiration of the Agreement, or upon Controller’s written request, Processor shall, at Controller’s option:

  • Delete all Personal Information in Processor’s possession or control; or
  • Return all Personal Information to Controller in a commonly used and machine-readable format; or
  • If deletion or return is not technically feasible, de-identify all Personal Information in accordance with State Privacy Laws.

(b) Processor shall complete the deletion or return of Personal Information within sixty (60) days of the termination date or Controller’s request.

(c) Processor shall certify in writing to Controller that it has completed deletion or return of Personal Information in accordance with this Section.

(d) Processor shall ensure that all Subprocessors delete or return Personal Information in accordance with this Section.

(e) Processor may retain Personal Information to the extent required by Applicable Law, provided that Processor shall:

  • Isolate and protect such Personal Information from any further Processing except as required by Applicable Law;
  • Implement appropriate technical and organizational measures to ensure the security of such Personal Information;
  • Delete such Personal Information as soon as the legal retention requirement expires.

3.11 Audits and Inspections.

(a) Processor shall make available to Controller all information necessary to demonstrate compliance with this DPA and State Privacy Laws.

(b) If an audit reveals non-compliance with this DPA, Processor shall remediate such non-compliance within thirty (30) days or such other timeframe as agreed by the parties.

3.12 Records and Documentation. Processor shall maintain accurate and up-to-date records of:

  • Categories of Personal Information Processed;
  • Purposes of Processing;
  • Categories of Consumers whose Personal Information is Processed;
  • Categories of recipients to whom Personal Information is disclosed;
  • Security measures implemented to protect Personal Information;
  • Security Incidents and responses thereto;
  • Consumer rights requests and responses thereto;
  • Data retention and deletion practices.

3.13 Training. Processor shall provide regular training to its personnel on State Privacy Laws, data protection principles, and the requirements of this DPA.

3.14 Designated Contacts. Processor shall designate and maintain a data protection officer or other appropriate contact person responsible for overseeing compliance with this DPA and State Privacy Laws.

4. De-Identification

4.1 Authorization to De-identify. Subject to any limitations set forth in the Order, Processor may de-identify Personal Information in accordance with State Privacy Laws, provided that Processor:

(a) Takes reasonable measures to ensure that the information cannot be associated with a Consumer or household;

(b) Publicly commits to maintain and use the information in de-identified form and not attempt to re-identify the information;

(c) Contractually obligates any recipients of the de-identified information to comply with all provisions of this Section.

4.2 Use of De-identified Data. Once Personal Information is properly de-identified in accordance with Section 4.1:

(a) The de-identified information is no longer subject to the restrictions of this DPA;

(b) Processor may use and disclose de-identified information for any lawful purpose, including:

  • Research and development;
  • Quality assurance and improvement;
  • Algorithm training and improvement;
  • Training of artificial intelligence and machine learning models;
  • Scientific publication;
  • Development of new products and services;
  • Benchmarking and analytics;
  • Any other lawful commercial purpose.

(c) Processor shall not attempt to re-identify de-identified information or enable third parties to do so.

4.3 Patient Communications Regarding Research Opportunities. Controller acknowledges that Processor may, from time to time, contact Data Subjects to inform them of voluntary opportunities to participate in scientific research, clinical studies, or similar programs that may advance understanding of genetic conditions and treatments. Such contact shall:

(a) Be limited to Data Subjects who have provided consent to receive such communications;

(b) Clearly identify the communication as coming from Processor;

(c) Not obligate the Data Subject to participate in any program;

(d) Not condition access to Services on participation; and

(e) Comply with applicable laws regarding electronic communications.

5. Controller’s Obligations

5.1 Lawful Processing Instructions. Controller shall ensure that its Processing instructions comply with State Privacy Laws and other Applicable Law.

5.2 Consumer Consents and Notices. Controller shall be responsible for:

(a) Providing Consumers with all required notices regarding the collection, use, and disclosure of Personal Information, including Consumer Health Data and Genetic Data;

(b) Obtaining all necessary consents from Consumers for the Processing of their Personal Information, including explicit consent for the Processing of Sensitive Personal Information where required by State Privacy Laws;

(c) Informing Consumers of their rights under State Privacy Laws;

(d) Ensuring that Consumers have the ability to exercise their rights under State Privacy Laws.

5.3 Lawful Collection. Controller represents and warrants that:

(a) Controller has collected Personal Information lawfully and in compliance with State Privacy Laws;

(b) Controller has the necessary legal basis to disclose Personal Information to Processor for Processing in accordance with this DPA;

(c) Controller’s disclosure of Personal Information to Processor does not violate any rights of Consumers or any third parties.

5.4 Changes to Processing Instructions. Controller shall notify Processor of any changes to Processing instructions that may affect Processor’s obligations under this DPA.

5.5 Notification of Restrictions. Controller shall notify Processor of any Consumer requests to opt-out of Sale or Sharing, limit use of Sensitive Personal Information, or impose other restrictions on Processing, to the extent such restrictions affect Processor’s Processing of Personal Information.

6. Washington and Nevada Specific Provisions

6.1 Applicability. This Section applies to the Processing of Consumer Health Data of residents of Washington and Nevada.

6.2 Additional Definitions.

(a) For Washington residents, the terms “Collect,” “Consumer,” “Consumer Health Data,” “Deidentified Data,” “Disclose,” “Geofencing,” “Homepage,” “Person,” “Process,” “Regulated Entity,” “Sale,” “Share,” “Small Business,” and “Valid Authorization” shall have the meanings set forth in the Washington My Health My Data Act (RCW 19.373).

(b) For Nevada residents, applicable terms shall have the meanings set forth in Nevada’s consumer health data privacy law (NRS 439.).

6.3 Washington-Specific Requirements. With respect to Consumer Health Data of Washington residents, Processor shall:

(a) Not Collect, Share, or use Consumer Health Data except:

  • With valid authorization from the Consumer obtained by Controller;
  • To provide a product or service that the Consumer requested from Controller;
  • To effectuate a product or service request transaction;
  • For treatment activities conducted by or at the direction of a health care provider;
  • As otherwise permitted under RCW 19.373.

(b) Not Sell Consumer Health Data to a third party;

(c) Not use any Consumer Health Data for any of the following purposes:

  • Marketing or advertising to a Consumer based on the Consumer seeking health care services;
  • Discriminating against a Consumer in the provision of lawful products or services based on the Consumer seeking health care services;
  • Engaging in the unauthorized practice of medicine under RCW 18.71.

(d) Not use any geofencing technology around any entity that provides in-person health care services;

(e) Establish, implement, and maintain reasonable administrative, technical, and physical data security practices including, at minimum:

  • Conducting data security risk assessments;
  • Limiting access to Consumer Health Data to individuals with authorized access;
  • Establishing, implementing, and complying with a data retention policy;
  • Disposing of Consumer Health Data in accordance with the data retention policy;
  • Establishing, implementing, and complying with a data disposal policy.

(f) Obtain valid authorization from Consumers (obtained by Controller) before sharing Consumer Health Data, which includes disclosure for any of the following purposes:

  • Marketing;
  • Sale of Consumer Health Data;
  • Licensing, renting, trading, or other exchange of Consumer Health Data to or with a third party for monetary or other valuable consideration.

6.4 Nevada-Specific Requirements. With respect to Consumer Health Data of Nevada residents, Processor shall comply with all applicable requirements of Nevada’s consumer health data privacy law, including restrictions on collection, use, and disclosure of Consumer Health Data.

6.5 Consumer Requests. For Washington and Nevada residents, Processor shall assist Controller in responding to Consumer requests to:

  • Confirm whether Consumer Health Data is being Collected, Shared, or Sold;
  • Access their Consumer Health Data;
  • Withdraw consent to further Collection, Sharing, or Sale of Consumer Health Data;
  • Delete Consumer Health Data.

7. California-Specific Provisions

7.1 Applicability. This Section applies to Personal Information of California residents subject to the CCPA.

7.2 Service Provider Certification. Processor certifies that it understands the restrictions in this DPA and Section 1798.140(ag) of the CCPA and will comply with them.

7.3 Prohibited Uses. Processor shall not:

(a) Sell or Share Personal Information;

(b) Retain, use, or disclose Personal Information for any purpose other than for the specific purpose of performing the Services, including retaining, using, or disclosing Personal Information for a commercial purpose other than providing the Services;

(c) Retain, use, or disclose Personal Information outside of the direct business relationship between Processor and Controller.

7.4 Sensitive Personal Information. With respect to Sensitive Personal Information, including Consumer Health Data and Genetic Data, Processor shall:

(a) Only use or disclose Sensitive Personal Information for purposes of providing the Services and as otherwise permitted by CCPA § 1798.121;

(b) Not use or disclose Sensitive Personal Information to infer characteristics about Consumers except as necessary to provide the Services;

(c) Implement additional security measures appropriate to the sensitivity of such information.

7.5 Automated Decision-Making. If Processor uses Personal Information for automated decision-making, including profiling, Processor shall:

(a) Provide meaningful information about the logic involved;

(b) Disclose the significance and envisioned consequences of such Processing for Consumers;

(c) Comply with California Civil Code § 1798.185(a)(16) regarding automated decision-making technology.

8. Term and Termination

8.1 Term. This DPA shall commence on the Effective Date of the Order and shall remain in effect for as long as Processor Processes Personal Information on behalf of Controller.

8.2 Termination for Cause. Either party may terminate this DPA immediately upon written notice if the other party materially breaches this DPA and fails to cure such breach within thirty (30) days of receiving written notice thereof.

8.3 Effect of Termination. Upon termination or expiration of this DPA:

(a) Processor shall cease all Processing of Personal Information;

(b) Processor shall delete or return Personal Information in accordance with Section 3.10;

(c) The obligations set forth in Sections 3.10 (Deletion of Personal Information), 3.11 (Audits and Inspections), 8.3 (Effect of Termination), 9 (Liability and Indemnification), and 10 (General Provisions) shall survive termination.

9. Liability and Indemnification

9.1 Limitation of Liability. Notwithstanding any provision in this DPA to the contrary, Processor’s maximum aggregate liability to Controller under this DPA shall be subject to the limitations of liability set forth in the Agreement, except for claims arising under Section 9.1(a) and 9.1(b) below, which shall not be subject to the monetary cap set forth in the Agreement but shall remain subject to the exclusions of liability set forth in the Agreement (e.g., exclusion of indirect or consequential damages).

(a) Security Incidents resulting from Processor’s breach of this DPA;
(b) Violations of State Privacy Laws caused by Processor;
(c) Unauthorized Sale or Sharing of Personal Information by Processor;
(d) Claims by Consumers or regulatory authorities arising from Processor’s failure to comply with this DPA or State Privacy Laws.

9.2 Indemnification. Processor shall indemnify, defend, and hold harmless Controller from and against any third-party claims, damages, losses, liabilities, costs, and expenses (including reasonable attorneys’ fees) arising from or relating to:

(a) Processor’s breach of this DPA;
(b) Processor’s violation of State Privacy Laws;
(c) Security Incidents in Processor’s possession or control;
(d) Claims by Consumers arising from Processor’s improper Processing of Personal Information;
(e) Regulatory fines, penalties, or sanctions resulting from Processor’s non-compliance with State Privacy Laws;
(f) Any claim that Processor Sold or Shared Personal Information in violation of this DPA or State Privacy Laws.

Notwithstanding the foregoing, Processor shall have no indemnification obligation to the extent a claim arises from or is attributable to Controller’s or its Authorized Users’ breach of the Agreement or this DPA, or Controller’s negligence or willful misconduct.

9.3 Notice and Cooperation. Controller shall promptly notify Processor of any claims subject to indemnification under this Section and shall reasonably cooperate with Processor in the defense of such claims. Processor shall have sole control over the defense and settlement of any such claims, provided that Processor shall not settle any claim that admits fault on behalf of Controller without Controller’s prior written consent, which shall not be unreasonably withheld or delayed.

10. General Provisions

10.1 Relationship to Agreement. This DPA supplements and forms an integral part of the Agreement. In the event of any conflict between this DPA and the Agreement with respect to the Processing of Personal Information, this DPA shall prevail.

10.2 Amendments. The parties agree to amend this DPA from time to time as necessary to comply with changes in State Privacy Laws or other Applicable Law. Processor shall provide Controller with notice of any such changes at least thirty (30) days prior to the effective date of the changes, except where immediate compliance is required by law.

10.3 Severability. If any provision of this DPA is held to be invalid, illegal, or unenforceable, the remaining provisions shall remain in full force and effect and shall be construed to give effect to the parties’ intent as reflected in the invalid, illegal, or unenforceable provision.

10.4 Waiver. No waiver of any provision of this DPA shall be effective unless it is in writing and signed by the party against whom the waiver is sought to be enforced. No waiver shall be deemed a continuing waiver or a waiver of any other provision.

10.5 Entire Agreement. This DPA, together with the Agreement, constitutes the entire agreement between the parties with respect to the subject matter hereof and supersedes all prior agreements and understandings, both written and oral.

10.6 Assignment. Neither party may assign this DPA without the prior written consent of the other party, except in connection with a merger, acquisition, or sale of all or substantially all of its assets.

10.7 Governing Law. This DPA shall be governed by and construed in accordance with the laws of the State of Indiana, without regard to its conflicts of law principles, and the applicable State Privacy Laws.

10.8 Notices. All notices under this DPA shall be in writing and shall be sent to the addresses specified in the Agreement or as otherwise designated by either party in writing.

10.9 No Third-Party Beneficiaries. This DPA is for the sole benefit of the parties and does not create any third-party beneficiary rights, except that Consumers may enforce their rights under State Privacy Laws as expressly provided by such laws.

Last Updated: 12/05/2025

For questions about this Data Processing Agreement, please contact privacy@bioscope.ai