End User License Agreement

Standard Terms & Conditions

This End User License Agreement (“EULA”) for Quibim products (the “Software(s)”) which are accessible through any platform designed by Quibim from time to time or which are provided to you (as the ”End User”) as a standalone solution, is incorporated into the legal agreement and/or license quotation (the “Agreement”) signed between you or your organization, on the one side, and QUIBIM, S.L. (“Quibim”) and/or any Quibim Associates (as defined below), on the other side, being this EULA a binding contract which governs your use of the Software(s). Initially capitalized terms used in these EULA without definition shall have the meanings ascribed to such terms in the Agreement.

IMPORTANT – READ CAREFULLY: PLEASE READ THIS EULA CAREFULLY BEFORE PURCHASING OR ACQUIRING A LICENSE AND/OR ACCESSING OR USING THE SOFTWARE BECAUSE IT CONSTITUTES A BINDING LEGAL AGREEMENT BETWEEN YOU AND QUIBIM.

BY INSTALLING THE SOFTWARE, CLICKING ON THE “ACCEPT” BUTTON DURING THE SETUP PROCESS OF THE SOFTWARE, ENTERING AN ELECTRONIC LICENSE KEY, AGREEING TO AN AGREEMENT (AS ABOVE DEFINED) THAT REFERENCES THIS EULA OR OTHERWISE USING AND/OR ACCESSING THE SOFTWARE, YOU ACKNOWLEDGE THAT YOU HAVE READ AND UNDERSTOOD THE EULA AND AGREE TO COMPLY WITH IT BEING BOUND BY ITS TERMS. IF YOU ARE ENTERING INTO THIS EULA ON BEHALF OF AN ENTITY, YOU REPRESENT AND WARRANT THAT YOU HAVE FULL AUTHORITY TO BIND SUCH ENTITY TO AGREE TO THIS EULA.

IF YOU ARE NOT WILLING TO BE BOUND BY ALL THE TERMS OF THIS EULA, DO NOT COMPLETE THE INSTALLATION OF THE SOFTWARE AND/OR DO NOT ACCESS THE SOFTWARE; AND (PROMPTLY CONTACT QUIBIM OR THE QUIBIM ASSOCIATE WHO GRANTED THE ACCESS TO THE SOFTWARE TO YOU FOR INSTRUCTIONS ON ITS CANCELATION.

WRITTEN APPROVAL IS NOT A PREREQUISITE TO THE VALIDITY OR ENFORCEABILITY OF THE EULA AND NO SOLICITATION OF ANY SUCH WRITTEN APPROVAL BY OR ON BEHALF OF QUIBIM SHALL BE CONSTRUED AS AN INFERENCE TO THE CONTRARY.

YOU ACKNOWLEDGE THAT YOU MAY NEED TO ACCEPT ADDITIONAL TERMS AND CONDITIONS THAT MAY BE REQUESTED BY QUIBIM OR BY QUIBIM ASSOCIATES OR POP UP ON YOUR COMPUTER SCREEN WHICH RELATE TO DATA COLLECTION, PRIVACY PRACTICES AND/OR FUNCTIONING OF THE SOFTWARE TO ACCESS TO OR TO USE THE SOFTWARE.

QUIBIM RESERVES THE RIGHT TO ADD, MODIFY OR OTHERWISE AMEND AT ANY TIME THE TERMS AND CONDITIONS OF THIS EULA. IF YOU DO NOT AGREE TO ANY OF THE CHANGES YOU CAN END YOUR LICENSE BY NOT RENEWING, AS OUTLINED IN THE AGREEMENT AND/OR THIS EULA, STOP USING THE SOFTWARE AND UNINSTALLING THE SOFTWARE. IF YOU RENEW YOUR LICENSE, YOU ACCEPT THE MOST RECENT VERSION OF THIS EULA. IF YOU HAVE ACCEPTED MORE THAN ONE VERSION, THE MOST RECENT VERSION WILL REPLACE ALL OLDER VERSIONS.

1. Definitions

Defined terms shall have the same meaning as given to them in the Agreement, unless specifically defined otherwise in this EULA, such as:

“Data Protection Legislation” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC; Constitutional Act 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights; and any other provisions in force on the matter.
“Fees”: means the consideration to be paid by you to Quibim or to the respective Quibim Associate for use of the Software as set forth in the Agreement.
“License”: means the License granted by virtue of this EULA according to the provisions in Section 2.1.
“Medical Data”: means any medical image, information, annotation, health indicator, measurement, comment or any data in general.
“Quibim”: is a Spanish company, with registered office in Valencia (Spain), Edificio Europa, located in Avenida Aragón, 30 (13th floor), office I-J, 46021, and registered at the Valencia Commercial Registry in volume 9,539, book 6,821, sheet 185, page V-150.890 and with taxpayer identification number B-98.481.658, and/or any of its subsidiaries, including Quibim, Inc. and Quibim, Ltd.
“Quibim Associate”: means any associate, distributor, retailer or any third party authorized by Quibim to distribute, install or sell licenses of the Software.
“Software”: means the AI modules developed by Quibim or third parties and/or any proprietary platform developed by Quibim.
“Term” or “License Term“: means the period of time stipulated in the Agreement when the License will be effective.

2. License

2.1 Grant of License: Subject at all times to the limitations, prohibitions, restrictions and terms set forth in the EULA herein and in the Agreement, during the applicable License Term, Quibim hereby grants to you a limited, non-exclusive, revocable, non-transferable, non-sublicensable license to access to and use the Software only and solely in a manner consistent with the EULA, this is, limited right to access to and use the Software in the terms and scope specified in the Agreement and only for purposes of uploading, hosting and processing Medical Data (the “License”), and in accordance with the documentation and user manuals provided by Quibim for access to the Software (the “Documentation”).You may not access to the Software for any purpose or in any way not expressly permitted by the EULA, and the Agreement and/or the Documentation.

2.2 Restrictions: As a condition of the License granted in Section 2.1, you shall not: (i) access to the Software or any portion thereof, except as expressly authorized by the EULA; (ii) modify the Software or any portion thereof, create derivative works based upon Software or any portion thereof, or adapt, copy, translate, alter, or embed into any other service or product with or into the Software which is not expressly allowed in the Agreement; (iii) reverse engineer or decompile, decrypt, disassemble or otherwise reduce the Software or any portion thereof to human-readable form or attempt to derive the source code for the Software; (iv) access to and use the Software or any portion thereof in any way that is in violation of the EULA, the Agreement and/or any applicable laws; (v) distribute, sell, license, share or otherwise provide access to the Software or any portion thereof to any third parties or in benefit of any third parties, unless expressly allowed in the Agreement ; (vi) access to the Software or any portion thereof to perform services for third parties except as otherwise expressly provided herein; (vii) release, publish, and/or otherwise make available to any third party the results of any performance, functional or security evaluation of the Software or any portion thereof without the prior written approval of Quibim; (viii) alter or remove any proprietary notices or legends contained on or in the Software or any portion thereof or (ix) engage in any activity that disrupts or otherwise interferes with the proper function of the Software as well as any servers, technology, equipment and or network infrastructure provide and/or accessible in connection with same.Any attempt to do any of the foregoing shall be deemed as a material breach under the EULA and the Agreement.

3. Intellectual Property Rights

3.1 Ownership: The Software is proprietary to Quibim and is protected under applicable copyright, patents, trademarks, know-how and trade secret laws. You further acknowledge and agree that, as between you and Quibim, Quibim owns and shall continue to own all right, title and interest in and to the Software, including any associated intellectual property right over the Software under the applicable laws.

The EULA does not grant you any ownership or interest in or to the Software and/or any associated intellectual property rights, but only a limited license to access to and use the Software that is limited, non-transferable and revocable in accordance with the terms of the EULA and the Agreement.

You acknowledge and agree that any feedback, suggestions, comments, improvements, modifications and any other information that you may provide to Quibim relating to the Software or its performance may be used, disclosed, disseminated, protected under intellectual property rights and/or published by Quibim for any purpose, including incorporating such information in improvements to the Software, without obligation of any kind to you, and that you waive any rights whatsoever in or to such information.

You also undertake to respect and ensure respect for the rights of intellectual property and industrial property owned by Quibim to which you have access by virtue of the Agreement or EULA herein, and to actively collaborate with Quibim in the preservation of its value and prestige.

3.2 Consent to Use of Data: You are the full owner of any Medical Data uploaded, submitted, stored, dropped or shared by you into or through the Software. However, you hereby grant Quibim a non-exclusive, royalty-free, transferable, sub-licensable, worldwide license in perpetuity to the maximum extent legally possible, and in particular to use, host, reproduce, copy, distribute, communicate and modify the anonymized Medical Data (as per Section 5 “Privacy”) for the purpose of operating and improving the services provided by Quibim (including marketing purposes) and the Software and for developing new or existing technologies and methodologies owned by Quibim.

3.3 Open-source software and other third-party software products: The Software may contain or may be provided with open-source libraries, components, utilities and other open-source software (collectively, “Open Source”), as well as other third-party software or developments (“Third Party Software”) which may have applicable license terms. Notwithstanding anything to the contrary herein, use of the Open Source and Third-Party Software shall be subject to the applicable license terms and conditions to the extent required by the applicable licensor (which terms may contain additional rights and/or obligations) and you agree to comply with their additional licensing terms and conditions. Quibim shall not be considered liable for any breach and/or non-compliance on your part in this regard.

4. Support and Maintenance Services

4.1 Quibim and/or Quibim Associates will be the only ones able to provide support services and will use their best efforts to provide support to you in the event incidents occur regarding the availability, functioning, performance and/or access to and use of the Software, according to the conditions set forth in the Documentation.

4.2 If an error occurs (meaning any defect which materially affects the availability, functioning and/or performance of the Software), Quibim and/or Quibim Associates will use commercially reasonable efforts to remediate the error as quickly as possible. While resolving the error, Quibim and/or Quibim Associates at their sole discretion may implement temporary workaround solutions in order to circumvent the error for the time being.

4.3 Where access to your systems is required for the purpose of performing the maintenance services, you shall ensure that such access will be granted to Quibim and/or Quibim Associates. You acknowledge that lack of access to your systems for the provision of the support and maintenance services could imply the impossibility of providing access to the Software. In those cases, Quibim shall not be considered liable to you for not providing access to the Software.

4.4 Quibim and/or Quibim Associates may implement any updates and/or upgrades in the Software that, in its sole discretion, are necessary or appropriate to enable proper functioning of the Software or to avoid any risk of infringing third parties’ rights, including intellectual property rights. For the avoidance of doubt, Quibim and/or Quibim Associates shall have no obligation to provide updates and/or upgrades to you.

5. Privacy

5.1 During the use of the Software, you are responsible for obtaining all licenses and authorizations that may be required with regards to the Medical Data to be uploaded to the Software, as well as for the compliance with all applicable legislation, including Data Protection Legislation. You shall indemnify and hold Quibim harmless from any liability arising from the infringement of this Section.

5.2 All Medical Data uploaded to the Software must be fully anonymized, thus not being considered personal data. Quibim shall be entitled to use the anonymized Medical Data for its own purposes and in particular to improve the Software and develop new or existing technologies (e.g. to train algorithms in order to keep its database permanently updated), on the basis that you have complied with all legal requisites to disclose the Medical Data to Quibim. As recognized by you, this further processing of anonymized data by Quibim results in the constant improvement of the services provided by Quibim and the Software and for developing new or existing technologies and methodologies owned by Quibim.

5.3 Notwithstanding the above, in the event that Quibim, in the context of your use of the Software, has access to personal data controlled by you, Quibim shall be considered the processor of said personal data, and such data processing activity shall be governed, in accordance with all applicable Data Protection Legislation, by the Data Processing Agreement attached hereto as Schedule 5.3.

6. Term and Termination

6.1 Term: The License granted herein with respect to the access to and use of the Software shall remain effective for the License Term as provided in the Agreement. The EULA is entered into as of the earlier of the date that you accept the Agreement (which incorporates by reference the EULA herein) and the terms herein, or first accessing or using the Software (whichever happens first).The term of the EULA may be extended for the same agreed period of time by agreement between you and Quibim through purchase of additional usage rights in any form.

6.2 Earlier termination and account suspension: If you fail to comply with any of the provisions of the Agreement and/or the EULA, Quibim may suspend or permanently disable your account, terminate your access to and use of the Software, deactivate or delate your account and all related information and files, or bar access to any of such files, and terminate the EULA. Quibim can take such decision at its own discretion, without your prior consultation, without liability to you and at any time. Where appropriate you will be informed about our decision the next time you try to access the Software.

6.3 Upon termination of the License, (i) the rights and licenses granted herein to you shall terminate and (ii) you shall immediately cease accessing to and using the Software.

6.4 Sections 7 to 10, where applicable, and all liabilities that accrue prior to termination or expiration shall survive any termination or expiration of the EULA and/or the Agreement.

7. Representations, Warranties and Disclaimers

7.1 In case the Software does not materially conform to the specifications expected or described in the relevant Documentation, your sole and exclusive remedy and the entire liability of Quibim and Quibim Associates under this limited warranty will be, at Quibim’s option, repair the Software.

7.2 Quibim represents and warrants that support and maintenance services shall be professional, workmanlike and performed in a manner conforming to generally accepted industry standards and practices for similar services. Quibim’s entire liability and your sole and exclusive remedy for any breach of the preceding warranty for support and maintenance services will be for Quibim to re-perform the nonconforming services/products, provided that Quibim must have received written notice of the non-conformity from you no later than fifteen (15) days after the original delivery of the services/products by Quibim. The express warranties specified above do not apply if the Software or any portion of the foregoing: (i) has been altered, except by Quibim; (ii) has not been used, installed, operated, repaired, or maintained in accordance with the EULA, the Agreement and/or Documentation; or (iii) is used on equipment, products, or systems not meeting specifications identified by Quibim. Additionally, the warranties set forth herein only apply when notice of a warranty claim is provided to Quibim within the applicable warranty period specified herein and do not apply to any bug, defect or error caused by or attributable to software or hardware not supplied by Quibim.

7.3 Except for the warranties expressly set forth in this Section, the Software is provided “AS IS”, “WHERE IS” and “AS AVAILABLE” and without warranties of any kind. To the maximum extent permitted by applicable law, Quibim and Quibim Associates make no representations, warranties or guarantees of any kind or nature, whether express or implied, regarding the Software, and specifically disclaim all such warranties, including without limitation any implied warranty of merchantability, fitness for a particular purpose related to the Software, it’s use or any inability to use it and non-infringement. Without limiting the previous disclaimer, Quibim and its licensors do not represent, warrant or guarantee that the Software (i) will operate in an uninterrupted, timely, secure or error-free manner, (ii) will always be available or free from all harmful components or errors or (iii) will be secure or immune (including the Medical Data, the content delivered to you or the information you provided) from unauthorized access or malicious attacks.

7.4 Quibim is under no obligation to provide any updates, upgrades, enhancements, modifications, revisions or additions to the Software. Quibim retains all rights not expressly licensed herein.

8. Payment

8.1 Fees are subject to change within sixty (60) calendar days prior notice to you. The amount charged in each renewal of the License Term will be the price of the Software (or other services quoted) at the time of renewal, which might differ from the amount you originally paid.

8.2 In the event of late payment, Quibim may impose a surcharge equal to 1.5% per month (or such maximum amount permitted by law) of the outstanding amount. If any amount of the invoice is disputed by you, you shall inform Quibim of the grounds for such dispute within seven (7) calendar days from receipt of the relevant invoice and shall pay to Quibim the value of the invoice less the disputed amount in accordance with these payment terms. With regards to the disputed amount, Quibim and you will start negotiations based on good faith to try to resolve the discrepancy.In case Quibim and you do not reach an amicable agreement within a period of ten (10) calendar days after the beginning of the negotiations, the discrepancy will be resolved according to the dispute resolution procedure set forth in the EULA.

8.3 In addition to the early termination provisions, provided for in Section 6.2, Quibim may, at any time, terminate the Agreement entered into this Quotation and cancel the License (given its revocable nature) provided it notifies this intention to you at least thirty (30) calendar days in advance of the termination date. In such an event, Quibim shall return the proportionate part of the annuity’s Fees.

9. Limitation of Liability

9.1 To the extent permitted by law, in no event shall Quibim and/or Quibim Associates be liable to you for any indirect, incidental, consequential, special, exemplary, damages or lost profits, whether in contract or tort (including negligence), even if Quibim has been advised of the possibility of such damages.

9.2 In no event shall the aggregate liability of Quibim arising out of or related to the Agreement or this EULA, including without limitation, the use of or inability to use the Software, associated services or otherwise, exceed the Fees actually paid by you to Quibim and/or Quibim Associates for the access to and use of the Software during the 12-month period before the event giving rise to the liability. This limitation will apply regardless of the theory of liability, whether breach of contract, negligence, infringement or any other theory regardless of whether or not Quibim has been advised of the possibility of such damages.

9.3 This limitation and waiver also apply to any claims you may bring against any other party to the extent that Quibim would be required to indemnify that party for such claim. Multiple claims shall not expand the limitations set forth in this Section. The foregoing limitations, exclusions and disclaimers shall apply to the maximum extent permitted by applicable law, in addition to the above warranty disclaimers. Quibim disclaims all liability of any kind of Quibim Associates.

10. Indemnification

10.1 As additional consideration for your access to the Software, you agree to fully indemnify and hold harmless Quibim, Quibim Associates and its officers, employees, agents, affiliates, partners, licensors, parents, subsidiaries and distributors from and against any demand or claim, including reasonable attorneys’ fees, costs finally awarded against Quibim or amounts paid by Quibim to settle a claim, made by any third party due to or arising out of:
– Your access to and use of the Software;
– Any violation by you of the Agreement, the EULA or applicable law;
– Any of the Medical Data you upload, submit, post, transmit, storage or otherwise make available through the Software; and/or
– Any violation by you of any rights of any third party.

11. General Terms

11.1 Applicable Law: Except as otherwise set forth in the Agreement, the EULA, including all revisions and amendments thereto, is governed by, and interpreted or construed in accordance with the laws of Spain and the rules on conflict of laws shall not apply.

11.2 Jurisdiction: Except as otherwise set forth in the Agreement, the Parties expressly waive any other jurisdiction to which they may be legally entitled, and expressly submit the resolution of any issues, discrepancies, disputes or claims arising over the execution, interpretation or performance of the EULA and/or the Agreement, including those relating to any non-contractual obligations arising from or related to it, to the jurisdiction of the courts and tribunals of the city of Valencia (Spain).

11.3 Independent contractors: The Parties are independent contractors, and the Agreement and/or this EULA shall not establish any relationship of partnership, joint venture, employment, franchise or agency between the parties.

11.4 Equitable relief: The parties agree that a material breach of the Agreement and/or this EULA would cause irreparable injury to Quibim for which there may be no adequate remedy at law. Accordingly, Quibim shall have the right to apply to any court of competent jurisdiction for injunctive relief and specific performance, without prejudice to any remedies available to it at law or in equity.

11.5 Entire Agreement: The Agreement and this EULA constitutes the entire agreement between the parties with respect to the License for the access and the use of the Software. The Agreement and this EULA supersede and cancel all previous written and previous or contemporaneous oral communications, proposals, representations, and agreements relating to the subject matter contained herein. The Agreement and this EULA prevails over any pre-printed, conflicting or additional terms of any purchase order, ordering document, acknowledgement or confirmation or other document issued by you, even accepted in writing by both parties. The Agreement shall prevail over this EULA to the extent of any conflict or inconsistency between the provisions of the Agreement and this EULA.

11.6 EULA amendments and modifications: Quibim reserves the right, in its sole discretion, to amend, modify and otherwise change the terms of the EULA at any time. In the event there are material changes to the EULA, Quibim will provide notice to you either by sending you notice either via email or mail, in its sole discretion, or by posting a notice of such changes in a prominent position within the services accessed by you.

11.7 Export: The Software, including any technical data provided by Quibim hereunder, may be subject to export, re-export or import control laws under the country of origin, destination or use, including regulations under such laws. You shall comply fully with all international and national laws and regulations that apply to the Software and your use thereof. Without limiting the generality of the foregoing, you expressly agree that you shall not, and shall cause your employees to agree not to, export, directly or indirectly, re-export, divert, or transfer the Software or any technical data thereof to any destination, company or person restricted or prohibited by Spanish laws or regulations or laws or regulations of any other applicable jurisdiction.

11.8 Assignment: Quibim reserves the right, in its sole and absolute discretion, to transfer, assign, sublicense or pledge in any manner whatsoever, any of its rights and obligations under the EULA to any third party whatsoever, without your consent and without notice to you. You shall not transfer, assign, delegate, sublicense nor pledge in any manner whatsoever, any of your rights or obligations under the EULA. Any purported assignment, sale, transfer, delegation or other disposition by you, except as permitted herein, will be null and void.

11.9 Force Majeure: Quibim will not be deemed in default of the Agreement and/or this EULA to the extent that performance of its obligations or attempts to cure any breach are delayed or prevented by reason of any natural disaster, accident, riots, acts of government, acts of war or terrorism, shortage of materials or supplies, failure of transportation or communications or of suppliers of goods or services, or any other cause beyond the reasonable control of Quibim.

11.10 Severability: If any term or provision of the Agreement and/or this EULA is held to be void or unenforceable by any judicial or administrative authority, such determination shall not affect the validity of enforceability of the remaining terms and provisions of the Agreement and/or this EULA. The remaining provisions of the Agreement and/or this EULA shall remain in effect and shall be construed in accordance with its terms.

11.11 Headings: The headings contained in the Agreement and/or this EULA are for reference purposes only and shall not affect the meaning or interpretation of the Agreement and/or this EULA.

11.12 No waiver: The failure of Quibim to enforce at any time any of the provisions of the Agreement and/or this EULA , or the failure by Quibim to require at any time performance by you of any of the provisions of the Agreement and/or this EULA, shall in no way be construed to be a present or future waiver of such provisions, nor in any way affect the right of Quibim to enforce such provision thereafter. The express waiver by Quibim of any provision, condition or requirement of the Agreement and/or this EULA shall not constitute a waiver of any future obligation to comply with such provision, condition or requirement.

11.13 Confidentiality:

i. Both parties shall treat all data, information and documents provided by the other party (the “Confidential Information”) as strictly confidential. Each party also undertakes to procure that his affiliates, managers, employees, agents and advisers comply with the provisions of this clause.

ii. Each party authorizes the other party to disclose the existence of the contractual relationship formalized under the Agreement and this EULA, and to introduce in the market each other as partners and/or clients, if applicable. Said authorization in no way extends to the disclosure of the content of the Agreement itself, which information is subject to the duty of confidentiality provided in this clause.

iii. The receiving party may only disclose Confidential Information in the following cases:

- - where disclosure of the Confidential Information is required by a judicial or administrative body to which the receiving party is subject;
  - where it is necessary for the employees, professional advisers, shareholders, auditors or lenders of the receiving party to have knowledge of a certain item of the Confidential Information -provided that its knowledge shall be subject to the appropriate confidentiality agreement or duty-;
  - where the disclosing party has given its prior consent in writing to disclosure of the Confidential Information; or
  - where disclosure of the Confidential Information is necessary to enable the receiving party to enforce the rights to which it is entitled under the Agreement.

iv. The duty of confidentiality provided for in this clause shall apply for a term of TEN (10) years after the date of signature of the Agreement.

11.14 Notice: Any notice required or permitted to be given in accordance with the Agreement and/or this EULA shall be in writing. Notices to Quibim shall be sent by personal delivery, registered or certified mail (return receipt requested, postage prepaid) or commercial express courier (with written verification of receipt) to:

Quibim, S.L.
Headquarters Address: Avenida Aragón, number 30, 13^th Floor, 46021 – Valencia (Spain).
Telephone No.: +34 961 243 225
E-mail: quibimlegal@quibim.com

Schedule 5.3
Data Processing Agreement

Of the one part, you or your organization, as the “Data Controller”.

And of the other part, Quibim, S.L., as “Quibim” or the “Data Processor”.

The Data Controller and Quibim shall hereinafter be jointly referred to as the “Parties” and individually as a “Party”.

The Parties acknowledge each other’s sufficient legal capacity to execute this personal data processing agreement (the “Data Processing Agreement”) and, accordingly,

WHEREAS

The Parties have subscribed a legal agreement and/or license quotation (the “Agreement”), which incorporates this End User License Agreement (the “EULA”) -to which this Data Processing Agreement is a Schedule-, for the granting of the License to access to and use the Software and/or provision of the services described in the Agreement (the “Services”), whereby Quibim must access personal data controlled by the Data Controller to correctly perform such Services.
Pursuant to the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (the General Data Protection Regulation, “GDPR”), Spanish Act 3/2018, of December 5, on Personal Data Protection and Guarantee of Digital Rights (“LOPDgdd”) and other applicable data protection legislations that may amend, supplement or replace them (altogether, the “Data Protection Legislation”), it is necessary to regulate the data protection obligations assumed by the Parties under the Agreement.
Now therefore, in light of the above, the Parties agree to enter into this Data Processing Agreement, which shall be governed by the provisions of article 28 of the GDPR and, in particular, the following:

CLAUSES

One.- Object of the Agreement
The object of this Data Processing Agreement is to regulate the Parties’ obligations with regard to the access by Quibim to personal data for which the Data Controller is responsible in order for Quibim to perform its obligations under the Agreement. Quibim may have access to the following categories of personal data:

Identifying data of patients, employees or collaborators of the Data Controller.
Special categories of data of the patients of the Data Controller (i.e., Medical Data).
Data regarding personal characteristics of patients of the Data Controller.

Quibim shall carry out the following types of processing operations on behalf of the Data Controller and following its instructions: collection, recording, organization, structuring, storage, adaption or alteration, retrieval, consultation, disclosure by transmission, dissemination or otherwise making available, alignment or combination, interconnection, restriction, erasure, comparison, limitation, use, anonymization and destruction.

Two.- Duration
This Data Processing Agreement shall enter into force on the date of the acceptance of the EULA by the Data Controller and shall remain in force until the Services have been fully performed.

Three.- Quibim’s obligations
Quibim, in its capacity as data processor, represents and warrants the following to the Data Controller:

It has sufficient technical capacity to comply with the obligations deriving from the Agreement in full observance of personal Data Protection Legislation and it can give an undertaking, to the extent required by the provision of the Services, to comply with the requirements of the Data Protection Legislation.
It shall maintain the secrecy and confidentiality of any personal data controlled by the Data Controller to which it will have access.
It shall process the personal data to which it has access solely on behalf of the Data Controller and, in all case, in accordance with the documented instructions given to it by the Data Controller. Equally, it undertakes to use said data during the term of this Agreement solely for the provision of the Services and, consequently, not to use them or apply them in any way that exceeds such purpose. Quibim is not responsible for compliance with any Data Protection Legislation applicable to the Data Controller or Data Controller’s industry that are not generally applicable to Quibim.
It shall not disclose to third parties, not even for their storage, any data to which it has access by virtue of the provision of the Services, or any preparations, evaluations or similar processes it may carry out with said data, nor shall it duplicate or reproduce some or all of the information, results or relationships regarding such data, save where legally required to do so.
It shall make available to the Data Controller all information necessary to evidence the fulfilment of its obligations, and for the performance of any audits or inspections carried out by the Data Controller, or any other auditor on its behalf.
Audits may be performed periodically, on a planned or “ad hoc” basis, prior notification to Quibim at least THIRTY (30) days in advance, during normal business hours and in a way that does not unreasonably interfere with the provision of services by Quibim or otherwise. that it does not unreasonably interfere with Quibim’s business (except for those interferences that can be reasonably expected, in a general and necessary way, in any audit process).The above requirements shall not apply in the event the audit is commenced by a competent authority.
It shall ensure that the persons authorized to process personal data expressly undertake in writing to respect the confidentiality thereof and to comply with the corresponding security measures, of which they shall be duly informed.
It shall ensure the necessary personal data protection training is given to the persons authorized to process personal data under its charge.
It shall assist the Data Controller in performing impact assessments relating to the personal data to which it has access, where applicable under Data Protection Legislation and so requested by the Data Controller.
It shall assist the Data Controller in submitting prior consultations to the supervisory authority, where applicable.
If Quibim considers that compliance with a specific instruction of the Data Controller could entail a breach of Data Protection Legislation, Quibim must immediately notify the Data Controller (unless prohibited from doing so under Data Protection Legislation) and ask it to withdraw, amend or confirm the instruction in question. Quibim may suspend application of the instruction in question while awaiting the Data Controller’s decision regarding the withdrawal, amendment or confirmation of the relevant instruction.
On completion of the Services, Quibim shall immediately proceed to the absolute anonymization of (i) the personal data to which it has had access, as well as (ii) the documents or media in which any of these data are recorded, in terms equivalent to its destruction in accordance with the provisions of the GDPR. Quibim shall then be entitled to use that anonymized data for its own purposes and in particular to train its algorithms in order to keep its database permanently updated, on the basis that the Data Controller has complied with all legal requisites to disclose that anonymized data to Quibim. As recognized by the Data Controller, this further processing of anonymized data by Quibim results in the constant improvement of the services provided by Quibim.
The Data Controller represents and warrants that (i) it has provided, and will continue to provide, all notice and obtained, and will continue to obtain, all consents, permissions and rights necessary under Data Protection Legislation for Quibim lawfully process personal data controlled by the Data Controller to correctly perform the Services, and that (ii) it has complied with all applicable Data Protection Legislation in the collection and provisions to Quibim of such personal data.Quibim shall not destroy the data where there is a legal obligation to store the data, in which case Quibim shall return the data to the Data Controller, in the manner indicated by it, and the Data Controller must ensure the data are stored.
That Quibim, as data processor, shall notify, via email, the Data Controller without undue delay and in any event shall, were feasible, occur no later than 48 hours from Quibim becoming aware of any suspected or confirmed incident relating to protection of the data, any data processing that may be considered unlawful or unauthorized, any loss, destruction or damage to personal data within the area of responsibility of Quibim (caused by Quibim, its personnel, agents or subcontractors) and of any incident that may be considered a personal data breach, together with all relevant information in order to document and communicate the incident to the authorities or affected data subjects. In this connection, it shall, where it has it, provide the following information at minimum:

- a description of the nature of the data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
- the name and contact details of the data protection officer or other contact point where more information can be obtained;
- a description of the likely consequences of the personal data breach; and
- a description of the measures taken or proposed to address the data breach, including, where appropriate, measures to mitigate its possible adverse effects.

Quibim shall also immediately open a full investigation into the circumstances relating to the incident and shall present its report or observations thereon to the Data Controller, collaborating fully with any investigation carried out by the Data Controller and providing the Data Controller with any assistance required for the investigation of the incident. Quibim’s notification of or response to an incident under this Section l) will not be construed as an acknowledgment by Quibim of any fault or liability with respect to the incident.

13. It shall also assist the Data Controller in the event of a personal data breach in order to ensure compliance with the obligations to notify a personal data breach in accordance with the Data Protection Legislation (in particular, articles 33 and 34 GDPR) and with any other applicable rules that may amend or supplement it or which may be enacted in the future.

14. It shall assist the Data Controller providing any kind of information and/or documentation required by the Data Controller to adequately respond to any request for exercise of the rights of access, rectification, erasure, objection, restriction of processing and/or portability it may receive from data subjects and, in all cases, sufficiently in advance to enable the Data Controller to meet the legally applicable deadlines for responding to such requests.

15. If Quibim directly receives a request for exercise of the rights of access, rectification, erasure, objection, restriction of processing and/or portability from the data subject, it undertakes to immediately convey such request to the Data Controller and, in any case in less than SEVEN (7) business days.

16. It shall not outsource the Services to any third party unless it obtains the prior written consent of the Data Controller or they are auxiliary services needed by Quibim in order to correctly provide its services, such as those needed to securely store the data.

Where Quibim needs to outsource any data processing, it must notify the Data Controller of the services and processing it intends to outsource, the identity of the subcontractor and its contact details. This notice must be served by Quibim at least ONE (1) week in advance of the signature of the outsourcing agreement, during which period the Data Controller may object to the outsourcing, provided that such objection is based on reasonable grounds relating to data protection. In such event, the Parties will discuss such concerns in good faith with a view to achieving a resolution. If Quibim cannot provide an alternative sub-processor, or the Parties are not able to achieve resolution as provided herein, the Data Controller as its sole and exclusive remedy, may terminate the relevant part of the Agreement, regarding those Services which cannot be provided by Quibim without the use of the sub-processor concerned, without liability to either Party (but without prejudice to any fees incurred by the Data Controller prior to suspension or termination).

Quibim shall inform the Data Controller of any intended changes concerning the addition or replacement of other subcontractors, thereby giving the Data Controller the opportunity to object to such changes.

The sub-processor shall also be subject to the obligations imposed on Quibim under this Agreement and to the instructions issued from time to time by the Data Controller. In this connection, Quibim must set out the relationship with the sub-processor and the obligations of the sub-processor in a contract to be signed by Quibim and the sub-processor, which meets the formal requirements contained in this Agreement and provides the same level of protection as herein. In the event of breach by the sub-processor of its data protection obligations, Quibim shall bear all liability to the Data Controller for such breach, as if the breach had been committed by Quibim.

17. It shall keep a written record of all categories of processing activities carried out by virtue of the Agreement, containing:

the name and contact details of Quibim and, where applicable, the representative of the Data Controller or of Quibim, and the data protection officer;
the categories of processing carried out by virtue of the Agreement; and
in the case of international data transfers (which must be regulated or authorized by the Data Controller in all cases), the identity of the third country of final destination of the data controlled by the Data Controller and documentation of the suitable safeguards.

18. It shall not carry out international transfers of the personal data to which it has access that are controlled by the Data Controller unless it obtains prior written authorization from the Data Controller and it has implemented the additional safeguards regarding international data transfers in accordance with the GDPR are adopted.

In this regard, if the Data Controller is based outside the European Economic Area (EEA) it authorizes Quibim, by virtue of this Data Processing Agreement, to internationally transfer the personal data that Quibim processes in name and on behalf of the Data Controller back to the Data Controller. Quibim undertakes to take all measures as necessary to ensure that the transfer is in compliance with this Data Processing Agreement and applicable Data Protection Legislation.

Regarding the safeguards implemented by Quibim to carry out such international transfers:

If the Data Controller is located in a third country outside the EEA which has been declared by the European Commission, via an adequacy decision, as having an adequate level of protection of personal data (see full list here), Quibim shall internationally transfer the data on the basis of such adequacy decision; and
If the Data Controller is located in any third country outside the EEA other than the ones described in point (i) above, the international transfer shall be carried out by virtue of the processor-to-controller Standard Contractual Clauses adopted by the European Commission and subscribed between Quibim and the Data Controller which are attached to this Data Processing Agreement as Appendix I. It is not the intention of either party to contradict or restrict any of the provisions set forth in the Standard Contractual Clauses and, accordingly, if and to the extent the Standard Contractual Clauses conflict with any provision of the EULA (including this Data Processing Agreement) the Standard Contractual Clauses shall prevail to the extent of such conflict.

19. Quibim shall have a general description of the technical and organizational security measures implemented relating to: (i) the pseudonymization and encryption of personal data, as applicable; (ii) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; (iii) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and (iv) the process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.

Quibim also undertakes to implement all technical and organizational security measures applicable in accordance with the provisions of the Data Protection Legislation (in particular, Article 32 of the GDPR) and any other applicable rules that may amend, supplement or replace them. In the specific context of this relationship, Quibim shall implement the security measures indicated in Appendix II (the “Security Measures”).

These Security Measures, and any others that must be implemented, may be amended at the request of the Data Controller for the purposes of bringing them into line with regulatory changes or changes in the type of personal data to which Quibim will have access. The Data Controller is responsible for reviewing the information made available by Quibim relating to data security and making and independent determination as to whether the Security Measures meet the Data Controller’s requirements and legal obligations under Data Protection Legislation.

The Data Controller acknowledged that the Security Measures established in Appendix II are subject to technical progress and development and that Quibim may update or modify them from time to time provided that such updates and modifications do not result in a material degradation of the overall security of the Services subscribed by the Data Controller.

If, following the formalization of the Agreement, the Data Controller requires Quibim to adopt or maintain security measures other than the Security Measures agreed in this clause and specified in Appendix II, or if it is compulsory to adopt them due to any rule that may be enacted in the future, and this significantly affects the cost of performing the services engaged under this Agreement, Quibim and the Data Controller shall agree on the appropriate measures to resolve the situation.

Four.- Prohibition of other uses
In accordance with the provisions of the Data Protection Legislation, and except for the provisions of Clause Three regarding anonymized data, Quibim will be considered data controller in the event that it uses the personal data for other purposes, communicates them or uses them in breach of the stipulations of this Data Processing Agreement, and shall therefore be deemed personally liable for the infractions that may have been incurred.

Five.- Information on the processing of the signatories and representatives’ personal data by the Parties
In accordance with applicable Data Protection Legislation, the Parties inform the signatories acting on behalf of the other Party to this EULA (the “Representatives“) that the personal data they provide herein or may subsequently provide, will be the responsibility of the other Party, which will process it on the basis of that Party’s legitimate interest in maintaining, complying with, developing, monitoring and enforcing the provisions of this EULA.

The Parties shall process the other Party Representative’s personal data for the duration of this EULA and may subsequently maintain such data blocked for the duration of the statute of limitations of any legal actions relating to such processing.

For the appropriate purposes, the Parties inform the Representatives that their personal data shall not be disclosed to any third party or internationally transferred except under a legal obligation and that only the Parties’ service providers in the systems and technology, legal and administrative management sectors shall have access to such data.

Should your Representatives wish to exercise their rights of access, rectification, erasure, restriction of processing and, in those cases where possible, objection, they may do so by writing to the address indicated in Clause 10.14 of the EULA or to the following addresses:

To exercise the rights before Quibim’s Data Protection Officer: dpo@quibim.com

In addition, the Representatives may also contact the Spanish Data Protection Agency to claim their rights.

Six.- Relationship with the EULA
The Parties agree that this Data Processing Agreement shall replace any existing data processing agreement or similar document that the parties may have previously entered into in connection with the Services or the Software.

This Data Processing Agreement will be governed and construed in accordance with the governing law and jurisdiction provisions in the EULA, unless required otherwise by applicable Data Protection Legislation.

Appendix I

Standard Contractual Clauses for the Transfer of Personal Data to Third Countries

SECTION I

Clause 1 – Purpose and scope

a. The purpose of these standard contractual clauses is to ensure compliance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) for the transfer of personal data to a third country.

b. The Parties:

1. the natural or legal person(s), public authority/ies, agency/ies or other body/ies (hereinafter “entity/ies”) transferring the personal data, as listed in Annex I.A (hereinafter each “data exporter”), and
2. the entity/ies in a third country receiving the personal data from the data exporter, directly or indirectly via another entity also Party to these Clauses, as listed in Annex I.A (hereinafter each “data importer”)

have agreed to these standard contractual clauses (hereinafter: “Clauses”).

c. These Clauses apply with respect to the transfer of personal data as specified in Annex I.B.

d. The Appendix to these Clauses containing the Annexes referred to therein forms an integral part of these Clauses.

Clause 2 – Effect and invariability of the Clauses

a. These Clauses set out appropriate safeguards, including enforceable data subject rights and effective legal remedies, pursuant to Article 46(1) and Article 46(2)(c) of Regulation (EU) 2016/679 and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679, provided they are not modified, except to select the appropriate Module(s) or to add or update information in the Appendix. This does not prevent the Parties from including the standard contractual clauses laid down in these Clauses in a wider contract and/or to add other clauses or additional safeguards, provided that they do not contradict, directly or indirectly, these Clauses or prejudice the fundamental rights or freedoms of data subjects.

b. These Clauses are without prejudice to obligations to which the data exporter is subject by virtue of Regulation (EU) 2016/679.

Clause 3 – Third-party beneficiaries

a. Data subjects may invoke and enforce these Clauses, as third-party beneficiaries, against the data exporter and/or data importer, with the following exceptions:

1. Clause 1, Clause 2, Clause 3, Clause 6, Clause 7;
2. Clause 8.1 (b) and Clause 8.3 (b);
3. Clause 13;
4. Clause 15.1 (c), (d) and (e);
5. Clause 16 (e);
6. Clause 18.

b. Paragraph (a) is without prejudice to rights of data subjects under Regulation (EU) 2016/679.

Clause 4 – Interpretation

a. Where these Clauses use terms that are defined in Regulation (EU) 2016/679, those terms shall have the same meaning as in that Regulation.

b. These Clauses shall be read and interpreted in the light of the provisions of Regulation (EU) 2016/679.

c. These Clauses shall not be interpreted in a way that conflicts with rights and obligations provided for in Regulation (EU) 2016/679.

Clause 5 – Hierarchy

In the event of a contradiction between these Clauses and the provisions of related agreements between the Parties, existing at the time these Clauses are agreed or entered into thereafter, these Clauses shall prevail.

Clause 6 – Description of the transfer(s)

The details of the transfer(s), and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred, are specified in Annex I.B.

Clause 7 – Docking clause

a. An entity that is not a Party to these Clauses may, with the agreement of the Parties, accede to these Clauses at any time, either as a data exporter or as a data importer, by completing the Appendix and signing Annex I.A.

b. Once it has completed the Appendix and signed Annex I.A, the acceding entity shall become a Party to these Clauses and have the rights and obligations of a data exporter or data importer in accordance with its designation in Annex I.A.

c. The acceding entity shall have no rights or obligations arising under these Clauses from the period prior to becoming a Party.

SECTION II – OBLIGATIONS OF THE PARTIES

Clause 8 – Data protection safeguards

The data exporter warrants that it has used reasonable efforts to determine that the data importer is able, through the implementation of appropriate technical and organizational measures, to satisfy its obligations under these Clauses.

8.1 Instructions

a. The data exporter shall process the personal data only on documented instructions from the data importer acting as its controller.

b. The data exporter shall immediately inform the data importer if it is unable to follow those instructions, including if such instructions infringe Regulation (EU) 2016/679 or other Union or Member State data protection law.

c. The data importer shall refrain from any action that would prevent the data exporter from fulfilling its obligations under Regulation (EU) 2016/679, including in the context of sub-processing or as regards cooperation with competent supervisory authorities.

d. After the end of the provision of the processing services, the data exporter shall, at the choice of the data importer, delete all personal data processed on behalf of the data importer and certify to the data importer that it has done so, or return to the data importer all personal data processed on its behalf and delete existing copies.

8.2 Security of processing

a. The Parties shall implement appropriate technical and organizational measures to ensure the security of the data, including during transmission, and protection against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access (hereinafter “personal data breach”). In assessing the appropriate level of security, they shall take due account of the state of the art, the costs of implementation, the nature of the personal data[1], the nature, scope, context and purpose(s) of processing and the risks involved in the processing for the data subjects, and in particular consider having recourse to encryption or pseudonymisation, including during transmission, where the purpose of processing can be fulfilled in that manner.

b. The data exporter shall assist the data importer in ensuring appropriate security of the data in accordance with paragraph (a). In case of a personal data breach concerning the personal data processed by the data exporter under these Clauses, the data exporter shall notify the data importer without undue delay after becoming aware of it and assist the data importer in addressing the breach.

c. The data exporter shall ensure that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

8.3 Documentation and compliance

a. The Parties shall be able to demonstrate compliance with these Clauses.

b. The data exporter shall make available to the data importer all information necessary to demonstrate compliance with its obligations under these Clauses and allow for and contribute to audits.

Clause 9 – Use of sub-processors
Not applicable.

Clause 10 – Data subject rights

The Parties shall assist each other in responding to enquiries and requests made by data subjects under the local law applicable to the data importer or, for data processing by the data exporter in the EU, under Regulation (EU) 2016/679.

Clause 11 – Redress

a. The data importer shall inform data subjects in a transparent and easily accessible format, through individual notice or on its website, of a contact point authorized to handle complaints. It shall deal promptly with any complaints it receives from a data subject.

The data importer agrees that data subjects may also lodge a complaint with an independent dispute resolution body[2] at no cost to the data subject. It shall inform the data subjects, in the manner set out in paragraph (a), of such redress mechanism and that they are not required to use it, or follow a particular sequence in seeking redress.

Clause 12 – Liability

a. Each Party shall be liable to the other Party/ies for any damages it causes the other Party/ies by any breach of these Clauses.

b. Each Party shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages that the Party causes the data subject by breaching the third-party beneficiary rights under these Clauses. This is without prejudice to the liability of the data exporter under Regulation (EU) 2016/679.

c. Where more than one Party is responsible for any damage caused to the data subject as a result of a breach of these Clauses, all responsible Parties shall be jointly and severally liable and the data subject is entitled to bring an action in court against any of these Parties.

d. The Parties agree that if one Party is held liable under paragraph (c), it shall be entitled to claim back from the other Party/ies that part of the compensation corresponding to its/their responsibility for the damage.

e. The data importer may not invoke the conduct of a processor or sub-processor to avoid its own liability.

Clause 13 – Supervision
Not applicable.

SECTION III – LOCAL LAWS AND OBLIGATIONS IN CASE OF ACCESS BY PUBLIC AUTHORITIES

Clause 14 – Local laws and practices affecting compliance with the Clauses
Not applicable

Clause 15 – Obligations of the data importer in case of access by public authorities
Not applicable

SECTION IV – FINAL PROVISIONS

Clause 16 – Non-compliance with the Clauses and termination

a. The data importer shall promptly inform the data exporter if it is unable to comply with these Clauses, for whatever reason.

b. In the event that the data importer is in breach of these Clauses or unable to comply with these Clauses, the data exporter shall suspend the transfer of personal data to the data importer until compliance is again ensured or the contract is terminated. This is without prejudice to Clause 14(f).

c. The data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses, where:

1. the data exporter has suspended the transfer of personal data to the data importer pursuant to paragraph (b) and compliance with these Clauses is not restored within a reasonable time and in any event within one month of suspension;
2. the data importer is in substantial or persistent breach of these Clauses; or
3. the data importer fails to comply with a binding decision of a competent court or supervisory authority regarding its obligations under these Clauses.

In these cases, it shall inform the competent supervisory authority of such non- compliance. Where the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise.

d. Personal data collected by the data exporter in the EU that has been transferred prior to the termination of the contract pursuant to paragraph (c) shall immediately be deleted in its entirety, including any copy thereof. The data importer shall certify the deletion of the data to the data exporter. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit the return or deletion of the transferred personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process the data to the extent and for as long as required under that local law.

c. Either Party may revoke its agreement to be bound by these Clauses where (i) the European Commission adopts a decision pursuant to Article 45(3) of Regulation (EU) 2016/679 that covers the transfer of personal data to which these Clauses apply; or (ii) Regulation (EU) 2016/679 becomes part of the legal framework of the country to which the personal data is transferred. This is without prejudice to other obligations applying to the processing in question under Regulation (EU) 2016/679.

Clause 17 – Governing law
These Clauses shall be governed by the law of a country allowing for third-party beneficiary rights. The Parties agree that this shall be the law of Spain.

Clause 18 – Choice of forum and jurisdiction
Any dispute arising from these Clauses shall be resolved by the courts of Spain.

[1] This includes whether the transfer and further processing involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions or offences.

[2] The data importer may offer independent dispute resolution through an arbitration body only if it is established in a country that has ratified the New York Convention on Enforcement of Arbitration Awards.

Annex I

A. List of Parties

Data exporter(s):

Name: Quibim, S.L.

Address: Avda. Aragón 30, Edificio Europa, 13^th floor, Office I-J, 46021 Valencia (Spain)

Contact person’s name, position and contact details: Pridatect, S.L., Quibim’s Data Protection Officer: dpo@quibim.com

Activities relevant to the data transferred under these Clauses: Quibim, as the Data Controller’s data processor, shall have access to certain personal data under the Data Controller responsibility.In this sense, Quibim shall carry out the following types of processing operations on behalf of the Data Controller and following its instructions: collection, recording, organization, structuring, storage, adaption or alteration, retrieval, consultation, disclosure by transmission, dissemination or otherwise making available, alignment or combination, interconnection, restriction, erasure, comparison, limitation, use, anonymization and destruction.

Within the context of the service provision, Quibim shall provide access to the Data Controller to the personal data of its responsibility, which would imply carrying out an international transfer of personal data.

Signature and date: Please refer to the date and signature of the Agreement.

Role (controller/processor): Processor

Data importer(s):

Name: The Data Controller.
Address: As indicated in the Agreement.

Contact person’s name, position and contact details: As indicated in the Agreement.

Activities relevant to the data transferred under these Clauses: The Data Controller shall have access, through Quibim’s Software, to the personal data of its responsibility that Quibim is processing on the Data Controller’s behalf to provide it with the relevant services.Given that such access shall take place from a location outside the European Economic Area (EEA), Quibim shall be carrying out international data transfers.

Signature and date: Please refer to the date and signature of the Agreement.

Role (controller/processor): Controller

B. Description of Transfer

Categories of data subjects whose personal data is transferred

Data subjects include individuals about whom data is provided to Quibim via the Services, by or at the direction of the Data Controller, which shall include End Users and patients.

Categories of personal data transferred

Identifying data, special categories of data (i.e., Medical Data) and data regarding personal characteristics of patients of the Data Controller.

Sensitive data transferred (if applicable) and applied restrictions or safeguards

Medical Data of the Data Controller’s patients. Such Medical Data is processed by Quibim on a pseudonymized basis as it is only associated with a patient code which only the Data Controller can link to a specific data subject.

The frequency of the transfer (e.g., whether the data is transferred on a one-off or continuous basis).

On a continuous basis, to the extent required for the provision of the Services.

Nature of the processing

Quibim transfers the data back to the Data Controller given its role as Data Processor. In this sense, Quibim allows the Data Controller to have access, via the Software, to the personal data it processes on the Data Controller’s behalf in accordance with the Agreement and the EULA. The data is processed during and for the provision of the Services.

Purpose(s) of the data transfer and further processing

Given that Quibim processes personal data on the Data Controller’s behalf to provide it with the Services, as described in the EULA and the Agreement, the Data Controller should be able to access such data under its responsibility at any time, which implies a processor-to-controller international transfer regulated by virtue of these Standard Contractual Clauses.

The purpose of the transfer is for Quibim to comply with its role as data processor.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

Quibim shall process the personal data responsibility of the Data Controller and therefore carry out the international transfers for the duration of the EULA.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

Quibim shall not transfer the Data Controller’s personal data to sub-processors located outside the EEA (unless it obtains the prior written consent of the Data Controller or they are auxiliary services needed by Quibim in order to correctly provide its services as per Section o) of the Data Processing Agreement herein), although it may subcontract certain services to sub-processors within the EEA. Sub-processor shall mean any third party engaged by Quibim to process personal data (but shall not include Quibim employees, advisors or consultants).

Appendix II

Technical and Organizational
Security Measures

Description of the technical and organizational measures implemented by Quibim to ensure an appropriate level of security and protection of personal data (the “Security Measures”), taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of data subjects.

Confidentiality and access control

Access to personal data by unauthorized persons is to be prevented. To this end, Quibim’s internal Clean Desk Policy prevents from leaving personal data exposed to third parties. Electronic media and paper documents shall be stored in a secure place (closed cabinets or restricted access rooms). When absent from the workstation, the screen will be locked, or the session will be closed.
Physical access control is established to prevent unauthorized access to data processing systems. Quibim has implemented an automated access control system, an alarm system and other safeguards, such as security locks or a protocol for logging visitors.
Documents or electronic media (CDs, pen drives, hard disks, etc.) containing personal data will not be disposed of without guaranteeing their destruction. Nevertheless, employees shall generally not use any external storage device in accordance with Quibim’s internal Corporate-owned Device Policy and standard operating procedure (or “SOP”) regarding asset management.
No personal data or personal information will be communicated to third parties without following the procedures established in applicable personal data protection regulations. Special care will be taken not to disclose personal data during telephone inquiries, in e-mails, or similar.
A password management system is in place to ensure quality passwords are in place and, therefore, to guarantee the appropriate confidentiality and security of personal data stored in electronic systems, in accordance with Quibim’s internal Password Policy and best practices in cybersecurity SOP. Two-authentication factors must be provided for access to systems and platforms where technically possible.
The confidentiality of passwords must be guaranteed, preventing them from being exposed to third parties. In no case shall passwords be shared or left written down, and access by persons other than the user shall not be allowed.
A formal user registration and de-registration process is implemented to enable assignment and revocation of access rights for all user types to all systems and services. The allocation and use of privileged access rights is restricted and controlled. Access rights are removed upon termination of employment, upon termination of the provision of services or adjusted upon change.
When it is necessary to extract personal data outside the premises where it is processed, either by physical or electronic means, end-to-end encryption methods are used to guarantee the confidentiality of personal data in the event of improper access to the information.
Quibim uses cryptographic techniques to protect the confidentiality, integrity, and authenticity of information during its storage and/or transmission. Specifically, encryption techniques are used for the following techniques: remote access via VPN, communications between developed apps and servers, encryption of information at rest (databases and storages) on the Microsoft Azure storage system using Azure Storage Service Encryption (256-bit Advanced Encryption Standard (AES) encryption), electronic signature certificates, laptop encryption or backup encryption.
Data access control is established in accordance with Quibim’s internal policies (namely, the Access Management Policy and the access control SOP), requiring, among other measures, the logging of access to applications, specifically when entering, changing, and deleting data.
Separation of processing of data collected for different purposes is implemented with the separation of development, testing and production environments (all client integrations are developed and tested in a test environment, and updates are only released to production after sufficient testing), the physical separation of systems, databases and data carriers, and the determination of database rights.
When a security breach of personal data occurs, such as, for example, theft or improper access to personal data, the Spanish Data Protection Agency shall be notified within 72 hours about such security breaches, including all the information necessary to clarify the facts that had given rise to the improper access to personal data. The notification will be made by electronic means through the electronic headquarters of the Spanish Data Protection Agency at the address: https://sedeagpd.gob.es.

Integrity

As per Quibim’s internal Access Management Policy, access management SOP and access control SOP, there are to be as few administrator user accounts as possible following the need-to-know and least privilege principles.
When personal data is accessed by different persons, for each person with access to personal data a specific username and password will be mandatory. All users shall use a unique identifier to access all systems and applications.
Devices and laptops used for the storage and processing of personal data are kept updated to the latest available versions.
A hardware and software asset inventory is in place to identify assets associated with information systems to determine accountability and ownership of assets.
Transmission control is implemented, where applicable, by using a Virtual Private Network (VPN), logging accesses and retrievals, and deployment over encrypted connections like HTTPS or email encryption.
Entry control is implemented with event logs, which record user activities and information security events. Logging facilities and log information are protected against tampering and unauthorized access. System administrator and system operator activities are logged, and the logs are protected and regularly reviewed.
The integrity of data is ensured with the management and individualized control of every change, allocating individualized rights to enter, change and delete data on the basis of an authorization concept, the technical logging of the input, modification and deletion of data and appropriate traceability measures of input, modification and deletion of data by individual usernames, among others.
Any changes made to the source code are reviewed by Static Code Analysis prior to being put into production to ensure, among other aspects, that there are no critical vulnerabilities or security hotspots in it.

Availability and resilience

All computers and devices where the automated processing of personal data is carried out have an antivirus system or analogous measures that guarantee, as far as possible, the theft and destruction of personal information and data, detecting, preventing, and recovering control against malware.
In order to avoid undue remote access to personal data, a firewall system, which is regularly updated, is deployed in all laptops and devices (under Quibim’s management) where personal data is stored and/or processed.
Encrypted backup copies of all business, development and production information contained in Quibim’s cloud service provider’s infrastructure (hosted by Microsoft Azureâ) are taken regularly in accordance with Quibim’s internal backup procedures. Azure Backup and Azure Site Recovery services are employed to ensure a disaster recovery plan for Azure file share storage. These services enable the Geo-Redundant Storage (GRS) option to allow the storage of backups in a separate region from their source data. This allows the use of the backup in the event of a regional outage or failure. It also allows to separate backups from source data for added security.
Application files and production data are backed up in accordance with established backup policies.
A Business Continuity Plan is in place to ensure the required level of continuity for business operations during an adverse situation that may impact business continuity. As part of the Business Continuity Plan, an emergency plan specifies the procedures and actions to reestablish the operations of the essential services in the shortest possible time and under the best possible conditions.

Data subjects’ rights

All of Quibim’s employees know their obligations concerning the processing of personal data and are informed about the procedure for addressing the rights of data subjects. Quibim’s internal GDPR rights management policy clearly defines the mechanisms by which the rights can be exercised, acknowledging that the data controller shall respond to the data subjects without undue delay.

For the right of access, the interested parties will be provided with a list of the personal data in Quibim’s possession together with the purpose for which they have been collected, the identity of the recipients of the data, the storage periods, and the identity of the person responsible to whom they can request rectification, deletion, and opposition to the processing of the data.
For the right of rectification, the data controller will proceed to modify the data of the interested parties that were inaccurate or incomplete according to the purposes of treatment.
For the right of erasure, the data of the interested parties will be deleted when the interested parties express their refusal or opposition to the consent for the processing of their data, and there is no legal duty to prevent it.
For the right of portability, data subjects must communicate their decision and inform the data controller, where appropriate, about the identity of the new data controller to whom to provide their personal data.
For the right of objection, the data of the interested parties will no longer be processed according to the purposes for which objection of processing is requested by the data subjects.
For the right of not being subject to automated individual decision-making, the data controller will inform of the lack of processing of the data subject’s data in this regard, providing appropriate evidence.

Procedures for regular review, assessment, and evaluation

Quibim has been granted the following certifications:
- ISO/IEC 27001:2013 and UNE-EN ISO/IEC 27001:2017 – Information Security Management System
- ISO 13485:2016 and EN ISO 13485:2016 – Quality Management system
- Cyber Essentials Scheme.
All software is developed under Quibim’s Quality Management System, certified under ISO 13485.
An annual review is carried out, through independent internal audits, of all secure development provisions, established under the ISMS framework, and Quibim will periodically review the effectiveness of the Security Measures herein.
Quibim conducts post-market surveillance activities regularly to monitor the safety and performance of all of Quibim’s products and services.
All employees are trained regularly on data protection and are obliged under confidentiality and data secrecy obligations, which survive the termination and expiration of employees’ employment relationship with Quibim.
Quibim enters into data processing agreements with all contractors outlining their data protection and security requirements, with a prior hiring process that involves due diligence concerning data security.
In accordance with articles 37, 38, and 39 of GDPR, Quibim has appointed a Data Protection Officer (dpo@quibim.com) that monitors Quibim’s compliance with Data Protection Legislation.

Quibim may update or modify this Security Measures from time to time, provided such updates and modifications do not result in the degradation of the overall security.