Personal Data Processing Agreement

Last updated: January 26, 2026

Scope of Application

This Personal Data Processing Agreement (hereinafter "Agreement") governs the processing of personal data to be carried out by Renourish (hereinafter, "Processor") on behalf of, and on account of, the entity, whether legal or natural person, that subscribes to the Renourish service for the purpose of providing clinical nutrition services and related nutrition services (hereinafter, "Data Controller"), together referred to as the "Parties". Thus, considering that:

  1. The Parties have entered into a service provision contract, in terms better defined in the Terms and Conditions, by the Processor to the Data Controller;

  2. The pursuit of services by the Processor implies the processing of personal data, by the same, on behalf and on account of the Data Controller;

  3. The Parties intend, through this document, to regulate in detail the obligations of the Processor, as a subcontractor of the Data Controller, for the processing of personal data.

The Parties, fully aware of the significant importance of fully complying with all requirements related to the protection of personal data, freely and mutually accept this Agreement consisting of the following terms.

Definitions and Interpretation

The expressions "data controller", "processor", "personal data" and "processing", as well as any other related expressions and terms, should be interpreted under Regulation (EU) 2016/679 of the European Parliament and of the Council, of April 27, 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC – General Data Protection Regulation ("GDPR"), and Law No. 58/2019, of August 8, which ensures the implementation in the national legal order of the GDPR, as supplemented by national or European legislation, by interpretations and guidelines issued by European and national authorities, by standard clauses approved by the European Commission or by supervisory authorities, as well as by any relevant case law (together referred to as "Data Protection Regime").

  1. The Parties agree that the terms of the GDPR will be applicable to the processing of personal data in the context of the relationship between the Parties from the date of entry into force of the service provision contract, concluded between the Parties, and throughout its validity.

  2. The titles of the terms of this Agreement are included for reasons of mere convenience, not constituting support for its interpretation or integration.

  3. The expressions defined above in the singular may be used in the plural, and vice versa, with the corresponding change in their meaning.

  4. Depending on legal and jurisprudential evolution and recommendations issued by supervisory authorities or, also, changes to the business model, among others, the Processor may proceed with the amendment of this Agreement, ensuring, in these cases, that such changes are duly published on the Renourish website and communicated via email to the Data Controller, through the address indicated in the registration on the platform.

  5. This Agreement is composed of the text of this document and the following Annexes, all of them duly accepted by the representatives of both Parties and which become an integral part of it: Annex I – Processing Terms; Annex II – Technical and Organizational Measures; Annex III – List of Subprocessors.

  6. Unless the context otherwise requires, any reference made in this Agreement to a legal or contractual provision includes the amendments to which it has been and/or will be subject.

  7. If any of the provisions of this Agreement is declared null or in any way invalid, ineffective or unenforceable, by an entity competent to do so, such nullity, invalidity, ineffectiveness or unenforceability will not affect the validity of the remaining provisions of the Agreement, the Parties undertaking to agree, in good faith, a provision to replace that one and which, as far as possible, produces similar effects.

Object

This Agreement aims to regulate the obligations of both Parties, regarding the processing of personal data, better described in Annex I (Processing Terms), by the Processor, on behalf and on account of the Data Controller.

Binding to these provisions

In the event of any inconsistency or conflict between this Data Processing Agreement and any other agreements or terms, regardless of whether they have been previously agreed between the Parties, the content and provisions of this Data Processing Agreement will have precedence and will govern the relations between the Parties regarding the processing of personal data within the scope of services provided by Renourish.

Obligations of the Parties

  1. The Data Controller assumes full responsibility for compliance with the provisions established in the GDPR and other applicable data protection legislation, undertaking to guarantee the legality, transparency and integrity of personal data processing.

  2. The Data Controller must provide the Processor with the necessary information so that the Processor can process the data on their behalf and in their name.

  3. The personal data to which the Processor has access or which have been transmitted to them by the Data Controller will be processed under the terms of this Agreement, as well as in strict observance of the documented instructions of the Data Controller, identified in Annex II, or transmitted by the same during the validity of the Agreement, including with regard to transfers of data to third countries or international organizations, unless the Processor is required to do so by Union or Member State law to which they are subject (informing in that case the Data Controller of that legal requirement before the start of the transfer).

  4. The Processor undertakes, namely, not to copy, reproduce, adapt, modify, change, delete, destroy, disseminate, transmit, disclose or in any other way make available to third parties the personal data to which they have access or which have been transmitted to them by the Data Controller, without prejudice to the actions and transmission resulting from the very nature of the service provision.

  5. Without prejudice to the other obligations provided for in this Agreement, the Processor undertakes to comply with the provisions of applicable legislation regarding the processing of personal data and, namely, to:

    1. Taking into account the nature of the processing, as far as possible and within the limits legally required of the Processor, and without prejudice to charging additional amounts, provide assistance to the Data Controller to enable them to fulfill their obligation to respond and make available to data subjects information about their personal data and, in general, to provide data subjects with the exercise of their rights, under the Data Protection Regime;

    2. Ensure that persons authorized to process personal data have undertaken a commitment of confidentiality or are subject to appropriate legal obligations of confidentiality;

    3. Taking into account the nature of the processing, as far as possible and within the limits legally required of the Processor, and without prejudice to charging additional amounts, provide the Data Controller with the collaboration they need to clarify questions related to the processing of personal data carried out under this Agreement and keep the Data Controller informed regarding the processing of personal data, undertaking to immediately communicate any situation that may affect the processing of the data in question or that in any way may give rise to non-compliance with legal provisions regarding the protection of personal data;

    4. Inform the Data Controller, within 72 hours, of any inquiry or complaint that may concern them, from any supervisory authority, guaranteeing their cooperation with such authority;

    5. Taking into account the nature of the processing, as far as possible and within the limits legally required of the Processor, and without prejudice to charging additional amounts, provide assistance to the Data Controller, in order to ensure obligations regarding notification of personal data breaches, namely through communication to the Data Controller (and in any case never exceeding 72 hours) of any personal data breach that occurs with incidence on personal data, also providing collaboration, as far as possible and within the limits legally required of the Processor, to the Data Controller in adopting incident response measures, in investigating the same and in preparing the notifications that prove necessary under the law;

    6. Cooperate with the Data Controller, taking into account the nature of the processing and as far as possible, through the implementation of appropriate technical and organizational measures;

    7. Not communicate personal data to third parties and/or unauthorized service providers or not indicated by the Data Controller;

    8. Depending on the choice of the Data Controller, delete or return personal data upon termination of the Agreement, deleting any existing copies, except if the retention of data is required by law;

    9. Make available to the Data Controller, as far as possible and within the limits legally required of the Processor, the information necessary to demonstrate compliance with obligations arising from the law and this Agreement;

    10. Maintain records of data processing activities carried out on behalf of the Data Controller under this Agreement, according to the requirements provided in the law;

    11. If, and when, applicable, inform the Data Controller of the appointment of a Data Protection Officer;

    12. Observe the terms and conditions contained in the legalization instruments regarding the data processed (if applicable); and

    13. Comply with all other legal rules regarding the registration, transmission or any other personal data processing operation provided for in the Data Protection Regime.

Record of Processing Activities

The Processor and, if applicable, their representatives, keep, at least until the end of this Agreement, a record of all processing activities carried out, within the scope of this Agreement, under the terms and for the purposes of Article 30(2) of the GDPR. This record of processing activities must include at least the following information:

  1. The name and contacts of the Processor and the Data Controller and, where applicable, the representatives of the Data Controller and the Processor and the Data Protection Officer;

  2. The types of data processing carried out on behalf of the Data Controller;

  3. The categories of data processed;

  4. The types of data subjects covered by the data processing; and

  5. If applicable, transfers of personal data to third countries or international organizations, including the identification of those third countries or international organizations and, in the case of transfers referred to in Article 49(1), second paragraph, of the GDPR, documentation proving the existence of adequate safeguards.

Security Measures

The Processor undertakes to implement the technical and organizational measures necessary to protect personal data processed on behalf of the Data Controller against their accidental or unlawful destruction, accidental loss, alteration, unauthorized dissemination or access, as well as against any other form of unlawful processing of the same personal data. These measures must ensure a level of security appropriate to the risks presented by data processing, the nature of the data to be protected and the risks, of varying probability and severity, to the rights and freedoms of natural persons, including, as appropriate:

  1. Pseudonymization and encryption of personal data;

  2. The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

  3. The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and

  4. A process to regularly test, assess and evaluate the effectiveness of technical and organizational measures to ensure the security of processing.

Confidentiality

The Processor undertakes to keep confidential all personal data to which they have had access or which have been transmitted to them by the Data Controller within the scope of the provision of services agreed with the latter.

Processor's Staff

The Processor guarantees that their staff, regardless of the nature and validity of their relationship with the Processor (including, but not limited to, those who cooperate with the Processor based on civil law contracts, service providers, workers, agents, assistants, representatives, partners, managers, administrators, attorneys, temporary workers, suppliers, consultants, auditors and interns, here referred to as "staff" or "personnel") comply with the obligations established in this Agreement.

Liability

The Processor will be responsible for all damages caused to the Data Controller that are directly and effectively attributable to them as a consequence of the processing, by themselves and/or their staff, service providers or subcontractors [under the terms of clause 8 (Subprocessors of the Processor)], of personal data in violation of applicable legal norms and/or the provisions of this agreement.

Notification of personal data breaches

The Processor is obliged to notify the Data Controller of any breach that potentially compromises the security of personal data concerning them, such as transfer, access, loss, alteration or disclosure to third parties, accidental, unauthorized or unlawful, in violation of this Agreement or the Data Protection Regime, or any incident that directly or indirectly affects, or is likely to affect, the confidentiality, integrity or authenticity of data as soon as possible under the circumstances and without undue delay, in any case within a maximum period of 72 hours from the moment the Processor has obtained knowledge of the fact.

The notification under the previous number must include all relevant information relating to the affected personal data, namely:

  1. The nature of the personal data breached, including the categories and number of data subjects affected, as well as the categories and number of personal data records concerned;

  2. The name and contacts of the data protection officer or another contact point where more information can be obtained;

  3. The description of the foreseeable consequences of the personal data breach; and

  4. The measures adopted or proposed by the Data Controller to repair the personal data breach and to mitigate its possible negative effects.

In case of breach or incident, the Processor must investigate the incident or personal data breach, adopt appropriate measures to ensure the security of personal data and to mitigate its possible negative effects on affected subjects and prevent any future incidents or personal data breaches.

Audits

The Processor will conduct security audits of their infrastructure and computing environment used in processing personal data, as follows:

  1. When a standard or framework provides for audits, an audit of that standard or control framework will be initiated at least annually.

  2. Each audit will be conducted in accordance with the standards and rules of the regulatory or accreditation body for each applicable standard or control framework.

  3. Each audit will be conducted by qualified and independent third-party security auditors, at the expense and selection of the Processor.

Each audit will result in the generation of an audit report, which the Processor will make available on their website or another location identified by them. The report will be considered as Confidential Information of Renourish and will clearly disclose any material findings of the auditor. The Processor will immediately correct issues raised in any report, to the auditor's satisfaction. If the Data Controller requests, the Processor will provide each report to the Data Controller.

Reports may be subject to non-disclosure and distribution limitations of Renourish and the auditor.

To the extent that the Data Controller's audit requirements, under their Data Protection laws, cannot be reasonably satisfied through audit reports, documentation or compliance information that the Processor makes generally available to its customers, the Processor will respond to the Data Controller's additional audit instructions. Before the start of an audit, the Processor and the Data Controller will mutually agree on the scope, timing, duration, control and evidence requirements and audit fees, provided that this agreement requirement does not allow the Processor to unreasonably delay the execution of the audit. To the extent necessary to conduct the audit, the Processor will make available the relevant processing systems, facilities and supporting documentation for the processing of Personal Data by the Processor and its Subprocessors. This audit will be conducted by an independent and accredited auditing company, during normal business hours, with reasonable prior notice to the Processor and subject to reasonable confidentiality procedures. The Data Controller is responsible for all costs and fees related to such audit, including all reasonable costs and fees for any and all time the Processor spends on such audit, in addition to the fees for services performed by the Processor. If the audit report generated as a result of the Data Controller's audit includes any finding of material non-compliance, the Data Controller must share that audit report with the Processor and the Processor will immediately resolve any material non-compliance.

Nothing in this section of this Agreement varies or modifies the terms of the GDPR or affects the rights of any supervisory authority or data subject under their Data Protection laws.

Duration and termination of the agreement

This Agreement remains in force as long as the service provision relationship between the Data Controller and the Processor is maintained.

On the date of termination of this Agreement, the Processor undertakes to, depending on the choice of the Data Controller, delete or return to the Data Controller all media with personal data that have been provided to them by the latter, deleting any existing copies, except if the retention of data is required by law.

Communication of the agreement to the Supervisory Authority

The Parties are hereby authorized to communicate the content of this Agreement, as well as the elements related to it, to the competent supervisory authority.

Applicable Law

This Agreement is governed by the applicable provisions of Portuguese law.

Dispute Resolution

To judge all questions arising from this Agreement, the forum of the Porto district is established as competent, with express waiver of any other.

Means of Communication with the Processor

For the purposes of communications related to security and data protection, the Parties determine as sufficient and suitable the addresses indicated below, regarding the Processor, and the addresses indicated by the Data Controller at the time of registration. If the Data Controller wishes to address security and data protection issues with the Processor, they may do so through the following means:

Renourish Team

geral@renourish.pt

Annex I

Processing Terms

1. Nature and purposes of processing

The Data Controller processes the personal data of their clients for the provision of health care and for the management of the relationship with clients and/or personal data of their staff for the management of their relationship with them.

Under the terms of the Contract agreed between the Parties, the Processor undertakes to provide the Data Controller with the services described in the Terms and Conditions in force and in the Privacy Policy in force.

In this context and for this purpose, the Processor will have access to personal data of clients and/or staff of the Data Controller.

2. Duration of processing

The duration of processing depends on the validity of the aforementioned contract and will respect the retention periods established and disclosed at each moment by the Personal Data Controller.

3. Type of data processed

Data of simple and special categories, namely:

  • Personal data of clients: general and demographic data; anthropometric data; sociocultural and economic data and clinical information data.

  • Personal data of staff: general and demographic data.

4. Special categories of data

Data relating to the person's health.

5. Categories of data subjects

Clients and/or Staff of the Data Controller.

Annex II

Technical and Organizational Measures

1. Processing Security

In accordance with what is described in the Agreement, the Processor implements the appropriate technical and organizational measures to ensure a level of security appropriate to the risk, taking into account the most advanced techniques, the costs of application and the nature, scope, context and purposes of processing, as well as the risks, of varying probability and severity, to the rights and freedoms of data subjects.

2. Minimum requirements

In accordance with paragraph 1 of this Annex and with Annex I, the Processor observes the following minimum requirements:

  1. Access Control and Authentication

    • All access to the Data Controller's information must be made by users legitimized to do so and these users must have unique identifiers that can identify them in the information processing and storage systems;

    • Authentication in systems must be done using credentials based on username and password, and the password must be complex (combination of letters, numbers, special characters and minimum size of eight characters);

    • Technical security measures must be adopted to protect access credentials, such as blocking the password after 6 (six) consecutive failed attempts;

    • There must be formal procedures for requesting, assigning, removing and approving access to the Data Controller's information.
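The four access-control requirements above (unique user identifiers, password complexity, blocking after six consecutive failed attempts, and a formal procedure for granting and removing access) are easy to state and easy to get subtly wrong, for example by resetting the failure counter on the wrong event. The following is an added example and not Renourish's own code: it models the Annex II minimums as a small authenticator. The in-memory account store, the PBKDF2 parameters, the audit-log wording and the `unlock` administrative step are assumptions made for the demonstration.

```python
"""Annex II section 2.1 access-control minimums modelled as runnable code.

Added example, not Renourish's own code. The PBKDF2 iteration count and the
in-memory account store are assumptions made for the demonstration.
"""
import hashlib
import hmac
import os
import re
from dataclasses import dataclass

MIN_LENGTH = 8                 # Annex II: minimum size of eight characters
MAX_CONSECUTIVE_FAILURES = 6   # Annex II: block after six consecutive failures
PBKDF2_ITERATIONS = 100_000    # assumed value for the demo, not a policy figure


def password_meets_policy(password: str) -> bool:
    """True when the password has letters, digits, special chars and length >= 8."""
    if len(password) < MIN_LENGTH:
        return False
    has_letter = re.search(r"[A-Za-z]", password) is not None
    has_digit = re.search(r"[0-9]", password) is not None
    has_special = re.search(r"[^A-Za-z0-9]", password) is not None
    return has_letter and has_digit and has_special


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the plaintext password is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


@dataclass
class Account:
    user_id: str               # the unique identifier Annex II requires
    salt: bytes
    digest: bytes
    failed_attempts: int = 0   # consecutive failures since the last success
    locked: bool = False


class Authenticator:
    """In-memory account store with policy enforcement and lockout."""

    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}
        self.audit_log: list[str] = []   # events a SOC would forward to a SIEM

    def register(self, user_id: str, password: str) -> None:
        if not password_meets_policy(password):
            raise ValueError("password does not meet the Annex II complexity rules")
        salt = os.urandom(16)
        self.accounts[user_id] = Account(user_id, salt, hash_password(password, salt))

    def login(self, user_id: str, password: str) -> str:
        """Return 'ok', 'denied' or 'locked'; unknown users look like bad passwords."""
        account = self.accounts.get(user_id)
        if account is None:
            self.audit_log.append(f"login denied: unknown user {user_id!r}")
            return "denied"
        if account.locked:
            self.audit_log.append(f"login refused: {user_id} is locked")
            return "locked"
        candidate = hash_password(password, account.salt)
        if hmac.compare_digest(candidate, account.digest):
            account.failed_attempts = 0      # only a success resets the counter
            self.audit_log.append(f"login ok: {user_id}")
            return "ok"
        account.failed_attempts += 1
        if account.failed_attempts >= MAX_CONSECUTIVE_FAILURES:
            account.locked = True            # sixth consecutive failure blocks the account
            self.audit_log.append(f"lockout: {user_id} after {account.failed_attempts} failures")
            return "locked"
        self.audit_log.append(f"login denied: {user_id} failure {account.failed_attempts}")
        return "denied"

    def unlock(self, user_id: str) -> None:
        """Administrative reset, which Annex II expects to go through a formal approval."""
        account = self.accounts[user_id]
        account.locked = False
        account.failed_attempts = 0
        self.audit_log.append(f"unlock: {user_id}")


if __name__ == "__main__":
    auth = Authenticator()
    auth.register("alice", "Correct-H0rse")
    for _ in range(6):
        print(auth.login("alice", "wrong-Pa55!"))   # denied x5, then locked
    print(auth.login("alice", "Correct-H0rse"))     # still locked
    print("\n".join(auth.audit_log))
```

Two details matter for the "consecutive" wording of the requirement: the counter is reset only by a successful login, so five failures followed by a success leaves the account clean, while six failures in a row lock it even if the sixth attempt happens much later; and a correct password presented to a locked account is still refused until an administrative unlock. The audit-log entries give the Processor the evidence trail that the annual review in section 2.4 of this Annex asks for.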

  2. Data Encryption and Device Management

    • All personal information must be stored on media (external hard drives, servers, flash drives, etc.) in encrypted form;

    • All information must be transmitted using encrypted communication channels (e.g. TLS/SSL, encrypted email with X.509 or PGP keys);

    • All computing devices (servers and personal computers) must be properly protected against attacks and malware, through the use of antivirus, intrusion detection and prevention systems;

    • All components of information systems (hardware, firmware and software) must be reviewed to ensure that vulnerabilities and flaws are detected and consequently updated with the latest available updates or measures installed to mitigate found flaws.

  3. Ability to restore the availability and access to personal data in a timely manner in case of physical or technical incident

    • The continuity of service provision to the Data Controller must be safeguarded through the use of protection mechanisms against destruction or accidental loss;

    • Information safeguard mechanisms (e.g. backups) must comply with business continuity best practices, ensuring that:

      1. At least one copy is kept in an alternative location;

      2. Access controls and physical protection are implemented for media (e.g. tapes), when stored or in transit;

    • The effectiveness of protection mechanisms must be tested at least every six months.

  4. Process to regularly test, assess and evaluate the effectiveness of technical and organizational measures to ensure processing security

    • Regular audits must be carried out to validate compliance with security and data protection requirements contained in this Annex, at least on an annual basis;

    • A report must be prepared with details about the degree of compliance with requirements, recommendations for compliance and finally be made available to the Data Controller.

Annex III

List of Subprocessors

1. Scope of Application

Renourish may hire and use certain third-party data processors ("Subprocessors") to provide services to our customers. This annex presents important information about the identity, location and function of each Subprocessor.

2. List of Subprocessors

These Subprocessors may have access to personal data provided directly by our users or to which we may have access in order to perform the contracted services. Currently, we use the Subprocessors listed below to provide infrastructure services, customer support, and platforms. Please note that not all Subprocessors are used in providing all services we provide, and some may only be involved in assisting in providing specific services.

Name          Location                    Website
RevenueCat    United States of America    https://www.revenuecat.com

Platforms

Name                   Location    Website
Amazon Web Services    Ireland     https://aws.amazon.com

Digital Services Infrastructure