Base5 Genomics, Inc.
DATA PROCESSING AGREEMENT
This Data Processing Agreement (“DPA”) forms a part of the Terms of Use (“Agreement”) between Base5 Genomics, Inc. dba Benthic Genomics, a Delaware corporation with offices at 950 Page Mill Road, Suite 203, Palo Alto, CA 94304 (“Benthic”), and the user (“User”) of the hosted, software-as-a-service Angler Imputation™ analysis platform (the “Services”). This DPA is entered into as of the date of User’s use of the Services (the “Effective Date”). User’s use of the Services is deemed to be a binding agreement to this DPA. All capitalized terms not defined in this DPA shall have the meanings set forth in the Agreement. This DPA consists of the following:
A. The main body of this Data Processing Addendum
B. Schedule 1: Standard Contractual Clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679, Module Two: Transfer controller to processor
C. SCC Annex I: Details of the Processing of Personal Data
D. SCC Annex II: Security Measures
E. SCC Annex III: List of Sub-Processors
1. DEFINITIONS
1.1. “CCPA” means the California Consumer Privacy Act of 2018, Cal. Civ. Code Sec. 1798.100 et seq. and its implementing regulations as amended, including the California Privacy Rights Act (“CCPA”).
1.2. “Data Controller” means the entity which determines the purposes and means of the Processing of Personal Data.
1.3. “Data Processor” means the entity which Processes Personal Data on behalf of the Data Controller.
1.4. “Data Protection Laws and Regulations” means all laws and regulations, including laws and regulations of the European Union (“EU”), the European Economic Area (“EEA”) and their member states, Switzerland, the United Kingdom, and the United States and its States applicable to the Processing of Personal Data under the Agreement.
1.5. “Data Subject” means the individual to whom Personal Data relates.
1.6. “GDPR” means Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data (General Data Protection Regulation or “GDPR”) and for the purposes of this DPA includes the corresponding laws of the United Kingdom (including the UK GDPR and Data Protection Act 2018). GDPR is a Data Protection Law and Regulation.
1.7. “Personal Data” shall have the meaning given by Data Protection Laws and Regulations, generally including any information relating to an identified or identifiable natural person, submitted or otherwise transferred to Processor or a Sub-Processor in the course of providing the Services.
1.8. “Process” or “Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation, or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure, or destruction.
1.9. “Security Incident” means any unauthorized or unlawful breach of security that leads to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Personal Data.
1.10. “Services” means any product or service provided by Benthic to User pursuant to the Agreement.
1.11. “Standard Contractual Clauses” or “SCCs” means the standard contractual clause set out in the annex to the commission implementing decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, Module Two: Transfer controller to processor, with the elections set forth in Schedule 1.
1.12. “Sub-Processor” means any Data Processor engaged by Benthic to assist in fulfilling its obligations with respect to providing the Services pursuant to the Agreement or this DPA.
1.13. “Supervisory Authority” means an independent public authority, which is established by an EEA or EU Member State, or the United Kingdom, pursuant to the GDPR.
2. PROCESSING OF PERSONAL DATA
2.1. Role of the Parties. During the course of providing the Services, Data Processor may obtain, access or otherwise Process Personal Data. The Parties acknowledge and agree that with regard to Processing Personal Data, User will act as the Data Controller and Benthic will act as the Data Processor under this Addendum.
2.2. User’s Processing of Personal Data. User agrees that (i) it shall comply with its obligations as a Data Controller under Data Protection Laws and Regulations in respect of its Processing of Personal Data and any processing instructions it issues to Benthic; (ii) it shall have sole responsibility for the accuracy of Personal Data made available to Benthic and the means by which Data Controller acquired Personal Data; and (iii) it has provided notice and obtained (or shall obtain) all consents and rights necessary under Data Protection Laws and Regulations for Benthic to Process Personal Data and provide the Service pursuant to the Agreement and this DPA. User will indemnify Benthic for any breach of the foregoing obligations.
2.3. Benthic’s Processing of Personal Data. Benthic shall Process this Personal Data only for the purposes described in this DPA and only in accordance with User’s documented lawful instructions. The parties agree that this DPA and the Agreement set out User’s complete and final instructions to Benthic in relation to the Processing of Personal Data and Processing outside the scope of these instructions (if any) shall require prior written agreement of User and Benthic. Benthic shall notify User promptly if an instruction for the Processing of Personal Data infringes applicable Data Protection Laws and Regulations. Benthic shall monitor the Processing of Personal Data to ensure that Processing is carried out consistent with this DPA and in compliance with applicable Data Protection Laws and Regulations.
2.4. Details of the Processing. The subject matter of Processing Personal Data by Benthic is the performance of the Services pursuant to the Agreement. The duration of the Processing, the nature and purpose of the Processing, the types of Personal Data and categories of Data Subjects Processed under this DPA are further specified in Annex 1 to the SCC.
2.5. Confidentiality of Personal Data. Benthic shall ensure that its personnel engaged in the Processing of Personal Data are informed of the confidential nature of Personal Data, have received appropriate training on their responsibilities, and have executed written agreements containing confidentiality obligations that survive the termination of their engagement with Benthic. In addition, Benthic shall take commercially reasonable steps to limit access to Personal Data to those personnel who require such access to perform the Agreement.
2.6. Retention Policy. Upon expiration or termination of the Agreement, Benthic will delete all Personal Data (if any) upon User’s request via email to legal@benthic.bio.
3. SUB-PROCESSORS
3.1. Authorized Sub-Processors. User acknowledges and agrees that Benthic may engage the Authorized Sub-Processors as set forth in Annex III to the SCC (the “List”) to access and Process Personal Data in connection with the Agreement. The current version of the List is available at https://benthic.bio/dpa/subprocessors. Benthic shall enter into a written agreement with each Authorized Sub-Processor containing data protection obligations no less protective than those in this DPA (including confidentiality obligations) with respect to the protection of Personal Data.
3.2. Notification of new Sub-Processors. At least thirty (30) days before enabling any third party other than Authorized Sub-Processors to access or participate in the Processing of Personal Data, Benthic will add such third party to the List. User is responsible for checking the List for updates. User may request that it be notified by email of any changes to the List by emailing legal@benthic.bio. User may object to any changes in writing within five (5) business days of receipt of the aforementioned notice by Benthic.
3.2.1. User Objections. In the event that User reasonably objects to an engagement in accordance with Section 3.2, Benthic shall provide User with a written description of commercially reasonable alternative(s), if any, to such engagement, including without limitation modification to the Services. If Benthic, in its sole discretion, cannot provide any such alternative(s), or if User does not agree to any such alternative(s) if provided, then User may terminate the applicable Order Form(s) with respect to those Services which cannot be provided by Benthic without use of the objected-to new Sub-Processors, by providing written notice to Benthic. Termination shall not relieve User of any fees owed to Benthic under the Agreement.
3.2.2. No Objections. If User does not object to the engagement of a third party in accordance with Section 3.2 within five (5) business days of notice by Benthic, that third party will be deemed an Authorized Sub-Processor for the purposes of this Addendum.
3.3. Liability for Authorized Sub-Processors. Benthic shall be liable to User for the acts and omissions of Authorized Sub-Processors to the same extent that Benthic itself would be liable under this Addendum had it conducted such acts or omissions.
4. RIGHTS OF DATA SUBJECTS
4.1. Data Subject Request. Benthic shall, to the extent permitted by law, promptly notify User upon receipt of a request by a Data Subject to exercise the Data Subject’s right of: access, rectification, erasure, data portability, restriction or cessation of Processing, withdrawal of consent to Processing, and/or objection to being subject to Processing that constitutes automated decision making (such requests individually and collectively “Data Subject Requests”). If Benthic receives a Data Subject Request in relation to User’s Personal Data, Benthic shall advise the Data Subject to submit their request to the User, and User shall be responsible for responding to such request, including where necessary by using the functionality of the Services.
4.2. Benthic assistance to User for Data Subject Request(s). Benthic shall, at the request of User, and taking into account the nature of the Processing applicable to any Data Subject Request, apply technical and organizational measures to assist User in complying with the User’s obligation to respond to such Data Subject Request and/or in demonstrating such compliance, where possible, provided that (i) User is itself unable to respond without Benthic’s assistance and (ii) Benthic is able to do so in accordance with all applicable laws, rules, and regulations. User shall be responsible to the extent legally permitted for any costs and expenses arising from any such assistance by Benthic.
4.3. Complaints or Notices related to Personal Data. In the event Benthic receives any official complaint or notice that relates to Benthic’s Processing of Personal Data or either Party’s compliance with Data Protection Laws and Regulations in connection with Personal Data, to the extent legally permitted, Benthic shall promptly notify User and, to the extent applicable, Benthic shall provide User with commercially reasonable cooperation and assistance in relation to any such complaint or notice. User shall be responsible to the extent legally permitted for any costs and expenses arising from any such assistance by Benthic.
5. SECURITY MEASURES. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Benthic shall maintain appropriate technical and organizational measures, as set forth in Annex II to the SCC to ensure a level of security appropriate to the risk of Processing Personal Data.
6. SECURITY BREACH NOTIFICATIONS AND AUDITS
6.1. Notification of a Security Incident. Upon becoming aware of a Security Incident, Benthic shall notify User without undue delay and shall provide timely information relating to the Security Incident as it becomes known or as is reasonably requested by User.
6.2. Assistance with a DPIA. Benthic shall, taking into account the nature of the Processing and the information available to it, provide User with reasonable cooperation and assistance where necessary for User to comply with a mandatory obligation to conduct a data protection impact assessment (“DPIA”) under applicable Data Protection Laws and Regulations, and/or to demonstrate compliance with Data Protection Laws and Regulations, provided that User does not otherwise have access to the relevant information. User shall be responsible to the extent legally permitted for any costs and expenses arising from any such assistance by Benthic.
6.3. Assistance in Cooperation with Supervisory Authorities. Benthic shall, taking into account the nature of the Processing and the information available to it, provide User with reasonable cooperation and assistance with respect to User’s cooperation and/or prior consultation with any Supervisory Authority, where necessary and where required by applicable Data Protection Laws and Regulations. User shall be responsible to the extent legally permitted for any costs and expenses arising from any such assistance by Benthic.
6.4. Records. Benthic shall maintain records sufficient to demonstrate its compliance with its obligations under this DPA, and retain such records for a period of three (3) years after the termination of the Agreement. User shall, with reasonable notice to Benthic, have the right to review, audit and copy such records at Benthic’s offices during regular business hours.
6.5. Audits. Benthic’s data center is hosted by Amazon Web Services, Inc. Upon User’s request, Benthic shall, no more than once per calendar year, allow User or its authorized representative, upon reasonable written request, subject to written confidentiality agreement(s), and at a mutually agreeable date and time, to conduct an audit or inspection of Benthic’s data security infrastructure that is sufficient to demonstrate Benthic’s compliance with its obligations under this DPA, provided that User shall provide reasonable prior notice of any such request for an audit and such inspection shall not be unreasonably disruptive to Benthic’s business. User shall be responsible for the costs of any such audits or inspections. Upon receipt of a written request to audit, and subject to User’s agreement, Benthic may satisfy such audit request by providing a confidential copy of Benthic’s then most recent third party audit report or certification demonstrating the technical and organizational security measures Benthic has in place to ensure compliance with its obligations under this DPA.
6.6. Notice of Failure to Comply. After conducting an audit or after receiving a third party audit report or certification under Section 6.5, User shall notify Benthic in writing of the specific manner, if any, in which User alleges Benthic does not comply with an obligation under this DPA. Any such information will be deemed Confidential Information of Benthic. Upon such notice, Benthic will utilize commercially reasonable efforts to make any necessary changes to ensure compliance with such obligations. If Benthic is unable or unwilling to undertake or implement the necessary changes, Benthic may terminate the Agreement and any applicable Order Forms upon written notice and refund User any prepaid Fees for the prorated portion of unused Subscription Term.
7. TRANSFER MECHANISMS FOR DATA TRANSFERS
7.1. Application of the Standard Contractual Clauses. The SCCs, Module Two: Transfer Controller to Processor, the options noted in Schedule 1, and the terms of this Section 7 apply to any transfer of Personal Data made subject to this DPA from member states of the European Union, Iceland, Liechtenstein, Norway, United Kingdom, or Switzerland, either directly or via onward transfer, to any country or recipient that is: (i) not recognized by the European Commission as providing an adequate level of protection for personal data under the GDPR, and (ii) not covered by a suitable framework recognized by the relevant authorities or courts as providing adequate protection for personal data, and shall be deemed entered into and incorporated into this DPA. Any enforcement of the SCCs in accordance with Clause 3 by a Data Subject or an association or other body on a Data Subject’s behalf, will be subject to the terms of this DPA by reference. With regard to Clause 14(a) of the SCCs, the parties acknowledge and agree that Benthic can meet its obligations under the SCCs considering the laws of the receiving country as well as the limited volume and categories of data, the non-sensitive nature of the data, and Benthic’s history indicating (to Benthic’s knowledge) that it and similar organizations are not a target for government information requests or surreptitious surveillance. On this basis, additional, supplemental measures are not required for the transfers envisaged under the SCCs other than the contractual safeguards contained therein and the security measures employed by Benthic reflected in Annex II to the SCC.
7.2. Instructions. For purposes of Clause 8.1 of the SCCs, the following is deemed an instruction by the Controller to Process Personal Data: (a) at the request of Controller, including requests made in connection with the Services; and (b) at the request of Controller’s employees in their use of the Services.
7.3. Audits and Certifications. The Parties agree that the audits described in Clause 8.9 of the Standard Contractual Clauses will be carried out in accordance with the specifications described in Sections 6.5 and 6.6 herein.
7.4. Certification of Deletion. The Parties agree that the certification of deletion of Personal Data that is described in Clause 8.5 shall be provided to Controller by Processor only upon Controller’s request.
7.5. Conflict. In the event of any conflict or inconsistency between this DPA and Schedule 1, between this DPA and Schedule 2, and/or between this DPA and Schedule 3, then Schedule 1, Schedule 2 and/or Schedule 3, where applicable, shall prevail.
7.6. Execution of the SCCs. The parties hereby agree that: (a) execution of an Order Form for the Services; (b) Benthic’s receipt of a purchase order or similar document referencing an Order Form; (c) Benthic’s receipt of User’s payment for the Services pursuant to an Order Form; or (d) User’s use of the Services is deemed to be a binding agreement to this DPA and the SCCs, Module Two: Transfer Controller to Processor, with the options noted in Schedule 1, and all SCC Annexes. This DPA and its Schedule 1, which incorporates the SCC with the options noted in Schedule 1, and all SCC Annexes, are hereby incorporated by reference into the Agreement.
8. LIMITATION OF LIABILITY. Each party’s liability taken together and in the aggregate arising out of or related to this DPA whether in contract, tort, or under any theory of liability, is subject to the “Limitation of Liability” clause of the Agreement, and any reference in such clause to the liability of a party means the aggregate liability of that party under the Agreement and the DPA together.
SCHEDULE 1
Standard Contractual Clauses
for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679
(Module Two: Transfer controller to processor)
The parties hereby agree that the standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council are hereby incorporated by reference in their entirety.
The SCCs are available at https://commission.europa.eu/publications/standard-contractual-clauses-international-transfers_en.
The parties hereby agree to the following options to the SCCs:
Module Two throughout the SCCs applies. All references to Module One, Module Three, and Module Four provisions are of no effect.
Clause 7 (Docking clause): This option clause is included.
Clause 9(a) (Use of sub-processors): Option 2 applies and the time period is: thirty (30) days.
Clause 11 (Redress): The option under subsection (a) is not included.
Clause 17 (Governing law): Option 1 applies and the Member State is: the country indicated in the governing law provision of the Agreement, unless such country is not an EU Member State, in which case these Clauses shall be governed by the laws of Ireland.
Clause 18 (Choice of forum and jurisdiction): Under Section (b), the Member state is: the country indicated in the jurisdiction provision of the Agreement, unless such country is not an EU Member State, in which case the courts of Ireland will have forum and jurisdiction over any disputes relating to these Clauses.
ANNEX I
to the
Standard Contractual Clauses
(Details of the Processing of Personal Data)
A. LIST OF PARTIES.
Data exporter/Data Controller
User and its Affiliates located within the European Economic Area, as defined in the Agreement and set forth in the applicable Order Form.
Data importer/Data Processor
Base5 Genomics, Inc. dba Benthic Genomics, a Delaware, USA corporation, 950 Page Mill Road, Suite 203, Palo Alto, CA 94304
B. DESCRIPTION OF TRANSFERS.
Data subjects
The personal data transferred concern the following categories of data subjects (please specify):
Data exporter may submit personal data to the data importer through the Services, the extent of which is determined and controlled by the data exporter and which may include, but is not limited to, personal data relating to the following categories of data subject:
- Users of the Services who are the data exporter
Categories of Data Subjects
User may submit Personal Data to the Services, the extent of which is determined and controlled by User in its sole discretion, and which may include the following categories of data:
- Users of the Services
Categories of Personal Data Transferred
- First Name and Last Name
- Email address
- IP address
Special categories of data (“sensitive data,” if appropriate)
NONE
Frequency of the transfer
Data will be transferred as often as required to provide the Services.
Nature and Purpose of the Processing
Benthic and/or its Sub-Processors will Process Personal Data as necessary to perform the Services pursuant to the Agreement and as instructed by User. The personal data transferred will be subject to the following basic Processing activities:
- Storage and display
- Providing tracking and dashboard view functionality
- Providing customer and technical support
Duration of the Processing/Retention of Personal Data
Benthic will Process the Personal Data for the duration of the Agreement, and delete the Personal Data in accordance with its standard schedule and procedures.
C. COMPETENT SUPERVISORY AUTHORITY.
The Competent Supervisory Authority, in accordance with the SCCs, Clause 13, will be the Irish Data Protection Commission.
ANNEX II
to the
Standard Contractual Clauses
(Security Measures)
(A) Control of physical access to premises
(B) Control of access to IT systems
(C) Control of access to personal data
(D) Control of disclosure of personal data
(E) Control of input mechanisms
(F) Control of workflows between controllers and processors
(G) Control mechanisms to ensure availability of the relevant personal data
Technical and organizational measures to control physical access to premises and facilities, particularly to identify permitted personnel at entry:
1. Benthic’s corporate office has locks. No personal data is stored at the corporate office.
2. Benthic’s servers are located at Amazon Web Services, Inc. These Benthic servers store and process User data, including personal data.
Technical and organizational security measures designed to ensure that users with access to the relevant IT systems are identified and authenticated:
1. IT security systems requiring individual users to log in using unique user names.
2. IT security systems requiring the use of strong / complex passwords.
3. Additional system log-in requirements for particular applications.
4. State-of-the art encryption applied to all data ‘in transit’.
5. Automatic locking of IT terminals and devices after periods of non-use, with passwords required to ‘wake’ the terminal or device.
6. Password databases are subject to strong encryption / hashing.
7. Training for employees regarding access to IT systems.
Technical and organizational security measures designed to ensure that users with access to the relevant personal data are identified and authenticated:
• ‘Read’ rights for systems containing personal data restricted to specified personnel roles
• ‘Edit’ rights for systems containing personal data restricted to specified personnel roles or profiles
• Logging of all attempts to access systems containing personal data (e.g., recording IP addresses and username combinations)
• Training for employees regarding access to personal data
Technical and organizational measures to securely transfer, transmit and communicate or store data on data media and for subsequent checking:
• Secure data networks (e.g., encrypted VPNs)
• State-of-the art encryption for all systems used to send personal data
• SSL encryption for all internet access portals
• Training for employees regarding transfers of personal data
Technical and organizational security measures to permit the recording and later analysis of information about when input to data systems (e.g., editing, adding, deleting, etc.) occurred and who was responsible for such input:
• Logging of all input actions in systems containing personal data
• ‘Edit’ rights for systems containing personal data restricted to specified personnel roles or profiles
• Binding agreements in writing with all employees who process personal data, imposing confidentiality obligations
• Training for employees regarding editing of personal data
Technical and organizational measures to segregate the responsibilities between controllers and processors processing the relevant personal data:
• Binding agreements in writing governing the appointment and responsibilities of processors with access to the relevant personal data
• Binding agreements in writing governing the allocation of data protection compliance responsibilities between all controllers with access to the relevant personal data
• Training for employees regarding processing of personal data
Technical and organizational measures to ensure the physical and electronic availability and accessibility of the relevant personal data:
• Redundant power supplies
• Physical security (e.g., secure premises; security personnel; etc.).
• Security alarm systems
• Electronic security (e.g., firewalls)
• Environmental controls (e.g., cooling; humidity controls; etc.)
• Fire protection (e.g., sprinkler systems; fireproof doors; etc.)
ANNEX III
to the
Standard Contractual Clauses
(List of Sub-Processors)
User acknowledges and agrees that Benthic may engage the Authorized Sub-Processors as set forth in this Annex III to the SCC (the “List”) to access and Process Personal Data in connection with the Agreement. The current version of the List is available at https://benthic.bio/dpa/subprocessors.
At least five (5) business days before enabling any third party other than Authorized Sub-Processors to access or participate in the Processing of Personal Data, Benthic will add such third party to the List. User is responsible for checking the List for updates. User may request that it be notified by email of any changes to the List by emailing legal@benthic.bio. User may object to any changes in writing within five (5) business days of receipt of the aforementioned notice by Benthic.
