DATA PROCESSING AGREEMENT

This Data Processing Agreement (“DPA”) is entered into between Patsnap (UK) Ltd, on behalf of itself and its affiliates, an entity incorporated in the United Kingdom having offices at Building 3 Chiswick Business Park, 566 Chiswick High Road, London, England, W4 5YA (“Patsnap”), and the undersigned entity (“Customer”). This DPA is effective on the date that the applicable Agreement has been duly executed by both parties. In signing this DPA, Customer enters into this DPA on behalf of itself and, to the extent required by Data Protection Law, its affiliates. Capitalized terms not otherwise defined herein shall have the meanings set forth in Section 1.

HOW THIS DPA APPLIES

This DPA is only valid and legally binding if the Customer is: (a) a party to an Agreement subject to which Patsnap is a data Processor or Controller of Personal Data for the purposes of GDPR and/or a Service Provider for the purposes of CCPA; and (b) a data Controller to which Article 3 of GDPR applies, or a Business for the purposes of CCPA. This DPA forms part of such Agreement. If multiple Agreements exist between the parties, a separate instance of this DPA shall apply with respect to each Agreement.

1. DEFINITIONS

“Agreement” means any agreement between Patsnap and the Customer or between the Customer and a Patsnap-authorized partner under which Products are provided by Patsnap and/or a Patsnap-authorized partner to the extent Patsnap is Processing Personal Data under such agreement between Customer and such Patsnap-authorized partner.

“CCPA” means the California Consumer Privacy Act of 2018.

“Controller”, “Data Subject”, “Personal Data”, “Process”, “Processing”, “Processor”, and “Supervisory Authority” have the same meanings as in GDPR. “Business” and “Service Provider” shall have the same meanings as in CCPA.

“Customer Personal Data” means Personal Data that is uploaded to a Product, the Platform and/or submitted or otherwise made available to Patsnap by Customer and Processed by Patsnap and/or its Sub-processors (as hereinafter defined) for the purposes of providing the Products to Customer, with the exception of the Personal Data described in section 2.4(b).

“Data Protection Law” means GDPR, UK GDPR, CCPA, Data Protection Act 2018, any and all applicable national data protection laws and regulations, and any and all laws and regulations of the European Union and/or the European Economic Area (the “EEA”) or elsewhere, to the extent applicable to the Processing of Personal Data under the Agreement, as amended or replaced from time to time.

“GDPR” means the General Data Protection Regulation (Regulation (EU) 2016/679) of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data.

“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data Processed by Patsnap under this DPA.

“Platform” means Patsnap’s web application (web app) and Patsnap’s database, which is an organized collection of structured data stored electronically on a remote server and accessed through our web application.

“Products” means the Patsnap services and products ordered, subscribed, or licensed by Customer in an Agreement, including software, technical support and professional services as set out in the applicable Agreement.

“Standard Contractual Clauses” or “Clauses” means the Standard Contractual Clauses based on the Commission Decision (EU) 2021/915 Standard Contractual Clauses or any such clauses amending, replacing or superseding those by a European Commission decision or by a decision made by any other authorized body.

“UK GDPR” means the GDPR as incorporated into the laws of the United Kingdom.

“UK IDTA” means the Standard Data Protection Clauses issued by the UK Information Commissioner’s Office under Section 119A(1) of the UK Data Protection Act 2018.

2. DATA PROCESSING

2.1 Roles of the Parties. The parties acknowledge and agree that with regard to the Processing of Customer Personal Data, Customer is the Controller and Patsnap is the Processor and that Patsnap will engage Processors or Sub-processors respectively pursuant to the requirements set forth in Section 4 below.

2.2 The parties acknowledge and agree that with regards to the Processing of other categories of Personal Data, Patsnap may be acting as an independent Controller of that Personal Data.

2.3 The term in Section 2.5 of this DPA shall apply to Patsnap’s Processing of Personal Data as both a Controller and Processor of Customer Personal Data. The terms in Sections 2.6 – 8 of this DPA shall only apply to Patsnap’s Processing of Customer Personal Data as Processor.

2.4 The parties agree that they shall comply with Data Protection Law as applicable to them in their roles which shall be construed as follows:

(a) Each Party shall be a Controller of Personal Data comprising the other Party’s business contact data required for managing the business relationship;

(b) Customer acknowledges that Patsnap is a Controller of user login credentials which are Processed in order to provide secure access to the Platform. In addition, with respect to any Personal Data already compromised in or accessible through the Platform (for example, names associated with patent filings), Patsnap has collected and compiled such data as an independent Controller; and

(c) Patsnap shall be the Processor and Customer shall be Controller of any Customer Personal Data.

2.5 Processing of Personal Data. Each Party shall Process Personal Data in connection with this Agreement in accordance in all material respects with the requirements of applicable Data Protection Law. In respect of Customer Personal Data, Customer shall have sole responsibility for the accuracy, quality and legality of such Personal Data and the means by which Customer acquired Personal Data and transferred such Personal Data to Patsnap.

2.6 Patsnap Processing of Customer Personal Data. As Customer’s Processor, Patsnap shall only Process Customer Personal Data for the following purposes: (a) Processing in accordance with the Agreement; (b) Processing initiated by Customer or its authorized users in their use of the Products; and (c) Processing to comply with other reasonable documented instructions of Customer (e.g. via email or via the support portal) that are consistent with the terms of the Agreement (individually and collectively the “Purpose”). Patsnap shall inform Customer immediately upon becoming aware that, in Patsnap’s opinion, an instruction provided by Customer violates applicable Data Protection Law.

2.7 Details of the Processing. The purpose, nature and subject matter of Processing of Customer Personal Data by Patsnap is described in the Purpose set out in Section 2.6. The duration of the Processing, the types/categories of Personal Data and the categories of Data Subjects Processed under this DPA are further specified in Exhibit A (Details of the Processing) to this DPA.

3. RIGHTS OF DATA SUBJECTS

3.1 Patsnap shall, to the extent legally permitted, promptly notify Customer if Patsnap receives any requests from a Data Subject to exercise the following individual rights under Data Protection Law in relation to the Customer Personal Data it is Processing as Customer’s Processor:

(a) right of access;

(b) right to rectification;

(c) restriction of Processing;

(d) erasure;

(e) data portability;

(f) objection to the Processing; and

(g) right not to be subject to an automated individual decision making

(each a “Data Subject Request”), each only to the extent such individual rights apply to a Data Subject under applicable Data Protection Law. Taking into account the nature of the Processing, Patsnap will assist Customer insofar as such assistance is commercially reasonable for the fulfilment of Customer’s obligation to respond to a Data Subject Request. To the extent that Customer, in its use of the Products, does not have the ability to adequately address a Data Subject Request, Patsnap shall, upon Customer’s written request, provide commercially reasonable efforts to assist Customer in responding to such Data Subject Request, to the extent Patsnap is legally permitted to do so and the response to such Data Subject Request is required by applicable Data Protection Law. To the extent legally permitted, Customer shall be responsible for any cost arising from Patsnap’s provision of such assistance including costs or fees associated with the provision of additional functionality.

4. SUB-PROCESSORS

4.1 Use of Sub-processors. Customer acknowledges and agrees that Patsnap shall use third-party sub-contractors to Process Customer Personal Data in some circumstances to deliver services, which may include Patsnap’s affiliates (“Sub-processors”). Customer consents to Patsnap’s use of existing Sub-processors. Patsnap shall give notice of the appointment of any new Sub-processors to Customer with details of the Processing to be undertaken. Customer shall have 30 days of receipt of that notice to notify Patsnap in writing of any objections (on reasonable grounds) to the proposed appointment. Upon receipt of such notification, Parties shall work together towards a common and acceptable solution. For clarity, whenever Patsnap uses third-party sub-contractors to Process Customer Personal Data in some circumstances to deliver services, Patsnap shall limit its processing to fulfilling the Purposes set out in this DPA and to improve its Services, only, and commits to not sell, distribute or in any other way share Customer Personal Data with third parties.

4.2 Liability for Sub-processors.

Patsnap will:

(a) enter into a written agreement with any Sub-processor containing terms that are no less protective of Customer Personal Data than those contained in this DPA; and

(b) be liable for the acts and omissions of its Sub-processors to the same extent Patsnap would be liable if performing the services of each of those Sub-processors directly under the terms of this DPA.

5. SECURITY

Patsnap shall maintain appropriate technical and organizational measures to protect the security, confidentiality and integrity of Customer Personal Data against a Personal Data Breach as set forth in Exhibit B. Such measures will take into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of Processing, as well as the risk to the rights and freedoms of natural persons so as to ensure a level of security that is appropriate to the risk. Patsnap regularly monitors compliance with these technical and organizational measures and may amend them from time to time provided that Patsnap maintains at least an equivalent level of protection. Upon Customer’s written request, Patsnap will provide an updated description of Patsnap’s technical and organizational measures, to the extent applicable, in the form presented in Exhibit B. All Patsnap personnel who Process Customer Personal Data shall be adequately trained with respect to their data protection, security and confidentiality obligations, and shall be subject to written obligations to maintain confidentiality.

6. PERSONAL DATA INCIDENT MANAGEMENT AND NOTIFICATION

Patsnap shall notify the Customer promptly after confirming the occurrence of a Personal Data Breach relating to Customer Personal Data. Patsnap shall provide commercially reasonable cooperation and assistance in identifying the cause of the Personal Data Breach and take commercially reasonable actions to mitigate the effects of the Personal Data Breach and remediate the cause, to the extent such remediation is within Patsnap’s control. Except as required by applicable Data Protection Law, this shall not apply to Personal Data Breaches that are caused by Customer, Customer’s authorized users, and/or any products or services not provided by Patsnap.

7. RETURN AND DELETION OF CUSTOMER PERSONAL DATA

Upon termination of the Agreement, Patsnap shall delete the Customer Personal Data from its systems in accordance with the terms of that Agreement and at all times subject to applicable Data Protection Law. If immediate deletion is not possible (e.g. because some data is archived or stored in back up files), Patsnap shall ensure that no further Processing of such data takes place after termination of the Agreement and shall move it for full deletion as soon as possible, no later than 45 days following termination of the Agreement. Patsnap may maintain one copy of any Customer Personal Data which is required by law to be kept for the length of any applicable retention period, for example for the purposes of auditing financial records.

8. EU SPECIFIC PROVISIONS

8.1 Assistance. Patsnap will Process Customer Personal Data in accordance with GDPR requirements directly applicable to Patsnap’s provision of the Products sold, licensed or provided to Customer. Upon Customer’s written request, Patsnap shall provide Customer with commercially reasonable cooperation and assistance reasonably necessary to fulfil Customer’s obligation under GDPR to carry out:

(a) a data protection impact assessment related to Customer’s use of the Products; and

(b) a prior consultation to a Supervisory Authority, to the extent that Customer does not already have access to the relevant information, Patsnap does have access to the relevant information, and the data protection impact assessment or prior consultation is required by Data Protection Law.

8.2 International Data Transfers. The Customer acknowledges and agrees that regardless of the location in which Customer Personal Data is stored, Customer Personal Data may be transferred to other jurisdictions (including outside of the EEA):

(a) in order to provide technical and customer support, account management, billing and other ancillary functions, and

(b) as expressly described in the Agreement or this DPA. Patsnap shall not transfer Customer Personal Data to (nor permit Customer Personal Data to be Processed in or from) a country outside of the EEA unless it takes such measures as are necessary to ensure that the transfer is in compliance with applicable Data Protection Law. Where Customer Personal Data is transferred from a Processor within the EEA to a Processor outside of the EEA in any country:

(i) not recognized by the European Commission as providing an adequate level of protection for Customer Personal Data (as described in the applicable Data Protection Law); and

(ii) not covered by a suitable framework recognized by the relevant authorities or courts as providing an adequate level of protection for Customer Personal Data, any required local transfer mechanism including the Standard Contractual Clauses, UK IDTA and/or any other mechanism or amendments required by local law shall apply to such transfer.

8.3 Audits. Patsnap shall allow for and contribute to audits in the form of Customer requesting information and/or documents to evidence compliance with its obligations in respect of Patsnap’s processing of Customer Personal Data not more than on an annual basis, unless the conduct of Patsnap constitutes a breach of this DPA and therefore requires additional information to be requested by Customer.

9. CALIFORNIA SPECIFIC PROVISIONS

9.1 CCPA. This Section 9 applies to Patsnap’s processing of Personal Data that is subject to CCPA.

9.2 Permitted Use. Patsnap shall not retain, use or disclose Personal Data for any purpose other than the Purpose, or as otherwise permitted by CCPA, including retaining, using or disclosing the Personal Data for a commercial purpose other than providing the Services specified in the Agreement.

9.3 Patsnap shall not sell Customer’s Personal Data as the term “sell” is defined by CCPA.

10. GENERAL

10.1 Term and Termination. This DPA will remain in force until (i) it is replaced or repealed by mutual agreement of Customer and Patsnap, or (ii) the Processing of Customer Personal Data and Personal Data is terminated or expires.

10.2 Modification. Any modification to this DPA shall be invalid unless made in writing and signed by both Parties.

10.3 Liability. Any claims brought under this DPA will be subject to the same terms and conditions, including the exclusions and limitations of liability, as are set out in the Agreement. The total liability of Patsnap and its affiliates for all claims by Customer arising out of or related to the Agreement and this DPA shall apply in aggregate for all claims under both the Agreement and this DPA and not exceed the fees paid by the Customer for the previous twelve (12) months.

10.4 Governing Law.

(a) the parties to this DPA hereby submit to the choice of jurisdiction stipulated in the Agreement with respect to any disputes or claims howsoever arising under this DPA, including disputes regarding its existence, validity or termination or the consequences of its nullity; and

(b) this DPA and all non-contractual or other obligations arising out of or in connection with it are governed by the laws of the country or territory stipulated for this purpose in the Agreement.

10.5 Counterparts. This DPA may be executed in any number of counterparts, each of which will be deemed to be an original and all of which taken together will comprise a single instrument. This DPA may be delivered by electronic document format (e.g. PDF), and electronic copies of executed signature pages will be binding as originals.

10.6 Entire Agreement. This DPA, together with the Agreement, constitutes the entire agreement between the parties and supersedes any other prior or contemporaneous agreements or terms and conditions, written or oral, concerning the Processing of Customer Personal Data by Patsnap on behalf of Customer. In case of conflict or inconsistency between this DPA and the Agreement, the following order of precedence shall govern to the extent of any conflict or inconsistency:

(a) this DPA; and

(b) the Agreement.

10.7 Severability. If any provision of this DPA is determined to be unenforceable by a court of competent jurisdiction, that provision will be severed, and the remainder of terms will remain in full effect.

Exhibit A
Details of Processing

Duration of the Processing of Customer Personal Data:

During platform subscription and up to three months after subscription expiry at which point it is deleted through cryptographic wiping. Limited basic PII such as contract signatories and contract contacts are stored indefinitely for accounting purposes.

The categories of Customer Personal Data:

1) PII: name, email, business phone number, IP address.

2) Data generated and/or stored in our web application.

2.1) List meta-data: Data on what patents are stored together by the customer.

2.2) Custom patent meta-data: Annotations, comments or custom categorization of patent data stored. Please note that Patsnap does not permit hosting of documents or import of non-publicly available patent information. When you import a patent in Patsnap, we simply match the patent number with an already existing patent record in our database.

3) patents viewed, search queries, analysis conducted.

The categories of data subjects Processed by Patsnap:

1) employees of customers who are registered and authorized users of the Patsnap platform

2) employees of customers who are designated by the customer to act as contact persons to Patsnap for account management and billing purposes

Exhibit B
Patsnap Technical and Organizational Measures

1. INTRODUCTION

This Technical and Organizational Data Security Measures document articulates the technical and organizational security measures implemented by Patsnap in support of its Security Framework.

2. ACCESS CONTROL

2.1 ACCESS CONTROL OF PROCESSING AREAS (PHYSICAL)

Web applications, communications and database servers of Patsnap are located in secure data centers. Patsnap has implemented suitable measures in order to prevent unauthorized persons from gaining access to the data processing equipment (telephones, database, application servers and related hardware) where Personal Data are processed or used, which includes the following:

• Establishing security areas.

• Protection and restriction of access paths.

• Securing the data processing equipment and personal computers.

• Establishing access authorizations for employees and third parties, including the respective documentation.

• Regulations and restrictions on card keys and fobs.

• Restricting physical access to the servers by using locked doors and separate cages within co-location facilities.

• Access to the data center where Personal Data are hosted is logged, monitored and tracked via electronic and CCTV video and/or electronic identity cards with users’ photographs.

2.2 ACCESS CONTROL TO DATA PROCESSING SYSTEMS (LOGICAL)

Patsnap has implemented suitable measures to prevent its data processing systems from being used by unauthorized persons, which includes the following:

• Establishing the identification of the connected device to and/or the users of the Patsnap systems.

• Automatic session time-out when an admin user connection is left idle, which implies that identification and password are required to reopen.

• Automatic lock out of the admin user ID when several erroneous passwords are entered.

• Events are logged and logs are reviewed on a regular basis.

• Utilizing firewall, router and VPN-based access controls to protect the private service networks and back-end servers.

• Continuously monitoring infrastructure security.

• Regularly examining security risks by internal employees and third party auditors.

• Role-based access control implemented in a manner consistent with the principle of least privilege.

• Remote access to Patsnap’s hosted network infrastructure is secured using two factor authentication.

• Access to host servers, applications, databases, routers, switches, etc. is logged.

• Access and account management requests must be submitted through internal approval systems.

• Access must be approved by an appropriate approving authority. In most cases, the approval for a request requires two approvals at minimum: the employee’s manager and the role approver or “owner” for the particular system or internal application.

• Passwords must adhere to the Patsnap password policy, which includes minimum length requirements, enforcing complexity and regular periodic resets.

Patsnap maintains Intrusion Prevention Systems (IPS), Intrusion Detection Systems (IDS) and Security Incident and Event Management (SIEM) systems.

2.3 ACCESS CONTROL TO USE SPECIFIC AREAS OF DATA PROCESSING SYSTEMS

Persons entitled to use the data processing system are only able to access Personal Data within the scope and to the extent covered by their respective access permission (authorization), and that Personal Data cannot be read, copied, modified or removed without authorization.

• Employee policies and training with respect to each employee’s access rights to Personal Data.

• Patsnap users have unique login credentials and role-based access controls are used to restrict access to particular functions.

• Effective and measured disciplinary action against individuals who access Personal Data without authorization.

• Controlling access to account data and customer Personal Data via role-based access controls (RBAC) in compliance with the security principle of “least privilege”.

• Internal segmentation and logical isolation of Patsnap’s employees to enforce least privilege access policies.

• Authorization of access rights by system owner as well as monitoring and logging.

• Ongoing review of accounts and privileges (typically every 2-4 months depending on the particular system and sensitivity of data to which it provides access).

• Controlled and documented destruction of data.

• Developers have access to fictitious test data.

3. AVAILABILITY CONTROL

Patsnap has implemented suitable measures to ensure that Personal Data is protected from accidental destruction or loss.

• Global and redundant service infrastructure that is set up with full disaster recovery sites.

• Constantly evaluating data centers and Internet Service Providers (ISPs) to optimize performance for its customers in regards to bandwidth, latency and disaster recovery isolation.

• Situating data centers in secure co-location facilities that are ISP carrier-neutral and provide physical security, redundant power and infrastructure redundancy.

• Service level agreements from data center providers and ISPs to ensure high levels of availability.

• Patsnap maintains full capacity disaster recovery (DR) sites and annually tests its DR plan.

4. TRANSMISSION CONTROL

Patsnap has implemented suitable measures to prevent Personal Data from being read, copied, altered or deleted by unauthorized parties during the transmission thereof or during the transport of the data media.

• Use of adequate firewall and encryption technologies to protect the gateways and pipelines through which the data travels.

• Sensitive Personal Data is encrypted during transmission using up-to-date versions of TLS and/or other security protocols (HTTPS) using strong encryption algorithms and keys.

• End-to-end encryption of screen sharing for remote access, support and real-time communication.

• Use of integrity checks to monitor the completeness and correctness of the transfer of data (e.g. SFTP).

5. INPUT CONTROL

Patsnap has implemented suitable measures to ensure that it is possible to check and establish whether and by whom Personal Data have been input into data processing systems or removed.

• Authentication of the authorized personnel.

• Segregation and protection of all stored Personal Data via database schemas, logical access controls and/or encryption.

• Utilization of user identification credentials.

• Physical security of data processing facilities.

• Session time outs.

6. SEPARATION OF PROCESSING FOR DIFFERENT PURPOSES

Patsnap has implemented suitable measures to ensure that Personal Data collected for different purposes can be processed separately. Personal data are permitted to be used only for the purpose for which they were originally collected.

7. DOCUMENTATION

Patsnap keeps documentation of technical and organizational measures in case of audits and for the conservation of evidence. Patsnap takes reasonable steps to ensure that persons employed by it and other persons at the place of work are aware of and comply with the technical and organizational measures set forth in this document. Patsnap, at its election, may make non-confidential portions of audit reports available to customers to verify compliance with the technical and organizational measures undertaken in this document.

8. MONITORING

Patsnap does not access Customer Personal Data, except to provide services to the Customer which Patsnap is obligated to perform in support of the Customer experience as required by law, or on request by Customer. Patsnap has implemented suitable measures to monitor access restrictions of Patsnap’s system administrators and to ensure that they act in accordance with instructions received.

This is accomplished by:

• Individual appointment of system administrators.

• Adoption of suitable measures to register system administrators’ access logs to the infrastructure and keep them secure, accurate and unmodified for a reasonable period of time.

• Regular audits of system administrators’ activity to assess compliance with assigned tasks.

9. DEFINITIONS

“Patsnap” means Patsnap (UK) Ltd and all of its direct and indirect subsidiaries.

“Customer” means any purchaser of any Patsnap offering.

“Personal Data” means any information directly or indirectly relating to any identified or identifiable natural person.

“Security Framework” refers to the collection of Patsnap’s policies and procedures governing information security, including but not limited to, policies, trainings, education, monitoring, investigation and enforcement of its data management and security efforts.
