Data Processing Agreement

1. Scope

This Data Processing Agreement (hereinafter "Agreement") governs the processing of personal data by Healthium - Healthcare Software Solutions, S.A. (hereinafter, the "Data Processor") in the name of, and on behalf of, the entity, whether juridical or natural, that subscribes to the Nutrium service, through the Nutrium website, for the purpose of providing clinical nutrition and related nutrition services (hereinafter, the "Data Controller"), together referred to as the "Parties". Therefore, considering that:

1. The Parties have entered into a contract for the provision of services, in terms better defined in our Terms and Conditions, by the Data Processor to the Data Controller;
2. The provision of services by the Data Processor implies the processing of personal data by the Data Processor in the name and on behalf of the Data Controller; The Parties intend, by means of this document, to regulate in detail the obligations of the Data Processor, as a subcontracting entity of the Data Controller, for the processing of personal data.
3. The provision of services by the Data Processor implies the processing of personal data by the Data Processor in the name and on behalf of the Data Controller; The Parties intend, by means of this document, to regulate in detail the obligations of the Data Processor, as a subcontracting entity of the Data Controller, for the processing of personal data.

The Parties, fully aware of the significant importance of fully complying with all the requirements relating to the protection of personal data, freely and reciprocally accept this Agreement in the following terms.

2. Definitions and Interpretation

The expressions "controller", "processor", "personal data" and "processing", as well as any other related expressions and terms, shall be interpreted in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC - General Data Protection Regulation ("GDPR"), and Law no. º 58/2019, of August 8, which ensures the implementation in the national legal order of the GDPR, as supplemented by national or European legislation, interpretations and guidelines issued by European and national authorities, model clauses approved by the European Commission or supervisory authorities, as well as any relevant case law (together referred to as the "Data Protection Regime").

1. The Parties agree that the terms of the GDPR will apply to the processing of personal data in the context of the relationship between the Parties from the date of entry into force of the service contract concluded between the Parties and throughout its term.
2. The headings of the terms of this Agreement are included for reasons of mere convenience and do not constitute support for the interpretation or integration of this Agreement.
3. The expressions defined above in the singular may be used in the plural, and vice versa, with the corresponding change in meaning.
4. Depending on legal developments, case law and recommendations issued by supervisory authorities or changes to the business model, among others, the Data Processor may amend this Agreement, ensuring, in such cases, that such changes are duly published on Nutrium's website and communicated by email to the Data Controller, at the address indicated when registering on the platform.
5. This Agreement is composed of the text of this document and the following Annexes, all of which have been duly accepted by the representatives of both Parties and become an integral part thereof: Annex I - Terms of Processing; Annex II - Technical and Organizational Measures; Annex III - List of Subprocessors;
6. Unless the context indicates otherwise, any reference made in this Agreement to a legal or contractual provision includes the amendments to which it has been and/or will be subject.
7. Should any of the provisions of this Agreement be declared null and void or in any way invalid, ineffective or unenforceable by a body competent for that purpose, such nullity, invalidity, ineffectiveness or unenforceability shall not affect the validity of the remaining provisions of the Agreement, and the Parties undertake to agree in good faith on a provision which replaces it and which, as far as possible, produces similar effects.

3. Purpose

The purpose of this Agreement is to regulate the obligations of both Parties with regard to the processing of personal data, as described in Annex I (Terms of Processing), by the Data Processor in the name and on behalf of the Data Controller.

4. Binding to these provisions

In the event of any inconsistency or conflict between this Data Processing Agreement and any other agreements or terms, regardless of whether they have been previously agreed between the Parties, the content and provisions of this Data Processing Agreement shall take precedence and govern the relations between the Parties with regard to the processing of personal data within the scope of the services provided by Healthium.

5. Obligations of the Parties

1. The Data Controller assumes full responsibility for complying with the provisions set out in the GDPR and other applicable data protection legislation, and undertakes to guarantee the lawfulness, transparency and integrity of the processing of personal data.
2. The Data Controller must provide the Data Processor with the information necessary for the Data Processor to process the data on their behalf and in their name.
3. Personal data to which the Data Processor has access or which has been transmitted to it by the Data Controller shall be processed in accordance with the terms of this Agreement, as well as in strict compliance with the documented instructions of the Controller, identified in Annex II, or transmitted by the Data Controller during the term of the Agreement, including with regard to data transfers to third countries or international organizations, unless the Data Processor is obliged to do so by the law of the Union or of the Member State to which it is subject (in which case it shall inform the Data Controller of this legal requirement prior to the start of the transfer).
4. The Data Processor undertakes, in particular, not to copy, reproduce, adapt, modify, alter, delete, destroy, disseminate, transmit, disclose or in any other way make available to third parties the personal data to which it has access or which has been transmitted to it by the Data Controller, without prejudice to the actions and transmission resulting from the very nature of the provision of the service.
5. Without prejudice to the other obligations provided for in this Agreement, the Data Processor undertakes to comply with the provisions of the applicable legislation on the processing of personal data and, in particular, to:

1. Taking into account the nature of the processing, to the extent possible and within the limits legally required of the Data Processor, and without prejudice to the charging of additional amounts, assist the Data Controller to enable it to fulfill their obligation to respond to and make available to data subjects information about their personal data and, in general, to provide data subjects with the exercise of their rights under the Data Protection Regime;
2. Ensure that persons authorized to process personal data have undertaken a confidentiality commitment or are subject to appropriate legal confidentiality obligations;
3. Taking into account the nature of the processing, to the extent possible and within the limits legally required of the Data Processor, and without prejudice to the charging of additional amounts, to provide the Data Controller with the cooperation it requires to clarify issues relating to the processing of personal data carried out under this Agreement and to keep the Data Controller informed in relation to the processing of personal data, undertaking to immediately report any situation that may affect the processing of the data in question or that may in any way give rise to non-compliance with legal provisions on the protection of personal data;
4. Inform the Data Controller, within 72 hours, of any inquiry or complaint that may concern them, from any supervisory authority, guaranteeing their cooperation with said authority;
5. Taking into account the nature of the processing, to the extent possible and within the limits legally required of the Data Processor, and without prejudice to the charging of additional amounts, assist the Data Controller in ensuring the obligations relating to the notification of personal data breaches, in particular by notifying the Data Controller (and in any event no later than 72 hours) of any personal data breach that occurs with an impact on personal data, and by cooperating, as far as possible and within the limits legally required of the Data Processor, with the Data Controller in the adoption of measures to respond to the incident, in the investigation thereof and in the preparation of any notifications that may be necessary under the terms of the law;
6. Collaborate with the Data Controller, taking into account the nature of the processing and to the extent possible, through the implementation of appropriate technical and organizational measures;
7. Not to communicate personal data to third parties and/or service providers not authorized or indicated by the Data Controller;
8. Depending on the choice of the Data Controller, delete or return the personal data on termination of the Agreement, deleting any existing copies, except where the retention of the data is required by law;
9. To make available to the Data Controller, to the extent possible and within the limits legally required of the Data Processor, the information necessary to demonstrate compliance with the obligations arising from the law and this Agreement;
10. Keep records of the data processing activities carried out on behalf of the Data Controller under this Agreement, in accordance with the requirements of the law;
11. If and when applicable, inform the Data Controller of the appointment of a Data Protection Officer;
12. Comply with the terms and conditions contained in the legalization instruments relating to the data processed (if applicable); and
13. Comply with all other legal rules regarding the registration, transmission or any other personal data processing operation provided for in the Data Protection Regime.

6. Record of Processing Activities

The Data Processor and, where applicable, their representatives shall keep, at least until the end of this Agreement, a record of all processing activities carried out under this Agreement, pursuant to and for the purposes of Article 30(2) of the GDPR. This record of processing activities shall include at least the following information:

1. The name and contact details of the Data Processor and the Data Controller and, where applicable, the representatives of the Data Controller and the Data Processor and the Data Protection Officer;
2. The types of data processing carried out on behalf of the Data Controller;
3. The categories of data processed;
4. The types of data subjects concerned by the data processing; and
5. Where applicable, transfers of personal data to third countries or international organizations, including the identification of such third countries or international organizations and, in the case of transfers referred to in the second subparagraph of paragraph 1 of Article 49 of the GDPR, documentation proving the existence of appropriate safeguards.

7. Security measures

The Data Processor undertakes to implement the technical and organizational measures necessary to protect the personal data processed on behalf of the Data Controller against accidental or unlawful destruction, accidental loss, alteration, unauthorized disclosure or access, or any other unlawful processing of the same personal data. These measures shall ensure a level of security appropriate to the risks presented by the processing, the nature of the data to be protected and the risks of varying likelihood and severity to the rights and freedoms of natural persons, including, as appropriate:

1. The pseudonymization and encryption of personal data;
2. The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
3. The ability to restore availability and access to personal data in a timely manner in the event of a physical or technical incident; and
4. A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures to ensure the security of processing.

8. Confidentiality

The Data Processor undertakes to keep confidential all personal data to which it has had access, or which has been transmitted to it by the Data Controller in connection with the provision of the services agreed with it.

9. Data Processor's employees

The Data Processor guarantees that their employees, regardless of the nature and validity of their relationship with the Data Processor (including, but not limited to, those who cooperate with the Data Processor on the basis of civil law contracts, service providers, workers, agents, assistants, representatives, partners, managers, administrators, attorneys, temporary workers, suppliers, consultants, auditors and trainees, herein referred to as "employees" or "staff") comply with the obligations set out in this Agreement.

10. Processors of the Data Processor

The Data Processor, in order to maintain their operational efficiency, establishes contracts with other entities that may process certain personal data, identifying a list of these sub-processors in Annex III to this Agreement. The Data Controller gives general authorization to the Data Processor to subcontract the entities identified in Annex III for the processing of personal data arising from this Agreement. Whenever it subcontracts another entity, the Data Processor guarantees that they will comply with the provisions of the Data Protection Regime and other applicable legislation by entering into a written contract with such entities that it subcontracts, reflecting the same data protection obligations set out in this Agreement.

The Data Processor undertakes to inform the Data Controller of any intended changes to the number or replacement of the subprocessors it uses, and the Data Controller may oppose such changes in writing. If the Data Controller opposes the changes and does not agree with the arguments put forward and decides to keep the data processor listed, the Data Controller will be given the opportunity to terminate the subscription with immediate effect, without prejudice to the payment of a pro-rata amount corresponding to the subscription period already used.

If the data is processed by the Data Processor's subprocessor outside the European Union/European Economic Area, the requirements for international data transfers set out in the GDPR must be complied with before such processing begins.

The Data Processor’s liability towards subprocessors provided for in the preceding paragraphs covers any entities acting as subprocessors in a subcontracting chain with the Data Processor, regardless of whether their link with the Data Processor is direct or indirect.

11. Liability

The Data Processor shall be liable for all damages caused to the Data Controller that are directly and effectively attributed to it as a result of the processing by it and/or its employees, service providers or subprocessors [pursuant to clause 10 (Subprocessors of the Data Processor)] of personal data in violation of the applicable legal rules and/or the provisions of this agreement.

12. Notification of personal data breaches

The Data Processor is obliged to notify the Data Controller of any breach that potentially compromises the security of personal data concerning it, such as accidental, unauthorized or unlawful transfer, access, loss, alteration or disclosure to third parties, in violation of this Agreement or the Data Protection Regime, or any incident which directly or indirectly affects, or is likely to affect, the confidentiality, integrity or authenticity of the data as soon as possible in the circumstances and without undue delay, in any event no later than 72 hours after the Data Processor becomes aware of the fact.

The notification under the previous paragraph must include all relevant information regarding the personal data affected, namely:

1. The nature of the personal data breached, including the categories and number of data subjects affected, as well as the categories and number of personal data records concerned;
2. The name and contact details of the Data Protection Officer or other contact point where further information can be obtained;
3. A description of the foreseeable consequences of the personal data breach; and
4. The measures adopted or proposed by the Data Controller to remedy the personal data breach and to mitigate its possible negative effects.

In the event of a breach or incident, the Data Processor shall investigate the incident or breach of personal data, take appropriate measures to ensure the security of personal data and to mitigate its possible negative effects on the affected data subjects and prevent any future incidents or breaches of personal data.

13. Audits

The Data Processor will carry out security audits of their infrastructure and the computing environment it uses to process personal data, as follows:

1. Where a standard or framework provides for audits, an audit of that standard or control framework will be initiated at least annually.
2. Each audit will be carried out in accordance with the standards and rules of the regulatory or accreditation body for each applicable standard or control framework.
3. Each audit will be carried out by qualified and independent third-party security auditors at the Data Processor’s expense and selection.

Each audit will result in the generation of an audit report, which the Data Processor will make available on their website or elsewhere identified by it. The report will be considered Healthium Confidential Information and will clearly disclose any material findings of the auditor. The Data Processor shall promptly correct any problems raised in any report to the satisfaction of the auditor. If requested by the Data Controller, the Data Processor will provide the Data Controller with each report.

Reports may be subject to non-disclosure and distribution limitations by Healthium and the auditor.

To the extent that the Data Controller's audit requirements under the respective Data Protection laws cannot reasonably be satisfied through audit reports, documentation or compliance information that the Data Processor makes generally available to their customers, the Data Processor shall respond to the Data Controller's additional audit instructions. Prior to the commencement of an audit, the Data Processor and the Data Controller shall mutually agree on the scope, timing, duration, control and evidence requirements and fees of the audit, provided that such agreement requirement shall not allow the Data Processor to unreasonably delay the execution of the audit. To the extent necessary to carry out the audit, the Data Processor shall make available the processing systems, facilities and supporting documentation relevant to the processing of Personal Data by the Data Processor and their Subprocessors. Such audit shall be conducted by an independent and accredited audit firm, during normal business hours, with reasonable notice to the Data Processor and subject to reasonable confidentiality procedures. The Data Controller shall be responsible for all costs and fees related to such audit, including all reasonable costs and fees for any and all time that the Data Processor spends on such audit, in addition to fees for services performed by the Data Processor. If the audit report generated as a result of the Data Controller’s audit includes any finding of material non-compliance, the Data Controller shall share such audit report with the Data Processor and the Data Processor shall promptly remedy any such material non-compliance.

Nothing in this section of this Agreement varies or modifies the terms of the GDPR or affects the rights of any supervisory authority or data subject under the respective Data Protection laws.

14. HIPAA Business Associate

If the Data Controller is a "covered entity" or a "business associate" and includes "protected health information" in Client Data or Professional Services Data, as those terms are defined in the Health Insurance Portability and Accountability Act of 1996, as amended, and the regulations promulgated thereunder (collectively, "HIPAA"), performance of the contract with the Data Controller includes performance of the HIPAA Business Associate Agreement ("BAA").

15. Duration and termination of the agreement

This Agreement shall remain in force for as long as the service relationship between the Data Controller and the Data Processor continues.

On termination of this Agreement, the Data Processor undertakes, at the choice of the Data Controller, to erase or return to the Data Controller all media containing personal data provided to it by the latter, erasing any existing copies, unless retention of the data is required by law.

16. Communication of the agreement to the Supervisory Authority

The Parties are hereby authorized to communicate the content of this Agreement and related elements to the competent supervisory authority.

17. Applicable Law

This Agreement shall be governed by the applicable provisions of Portuguese law.

18. Dispute Resolution

All matters arising from this Agreement shall be decided by the courts of the district of Braga, expressly waiving any other jurisdiction.

19. Means of Communication with the Data Processor

For the purposes of communications related to security and data protection, the Parties determine as sufficient and suitable the addresses indicated below, in relation to the Data Processor, and the addresses indicated by the Data Controller at the time of registration. If the Data Controller wishes to raise issues relating to data security and protection with the Data Processor, they may do so by the following means:

Pedro Bacelar

Data Protection Officer

dpo@nutrium.com

or

Rua Andrade Corvo, nº 242, 1º andar, Sala 106

4700-204 Braga

+351 935 455 75

Annex I

Terms of Treatment

1. Nature and purposes of processing

The Data Controller processes the personal data of their clients for the provision of healthcare and for the management of the relationship with clients and/or the personal data of their employees for the management of their relationship with them.

Under the terms of the Contract agreed between the Parties, the Data Processor undertakes to provide the Data Controller with the services described in the Terms and Conditions in force and in the Privacy Policy in force.

In this context and for this purpose, the Data Processor will have access to the personal data of the Data Controller's clients and/or employees.

2. Duration of processing

The duration of the processing depends on the validity of the aforementioned contract and will respect the retention periods established and disclosed at each moment by the Data Controller.

3. Type of data processed

Simple and special category data, namely:

• Clients’ personal data: general and demographic data; anthropometric data; sociocultural and economic data and clinical information data.
• Employees' personal data: general and demographic data;

4. Special categories of data

Data relating to a person's health.

5. Categories of data subjects

Clients and/or Employees of the Data Controller.

Annex II

Technical and organizational measures

1. Security of Processing

As described in the Agreement, the Data Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, taking into account the most advanced techniques, the costs of implementation and the nature, scope, context and purposes of the processing, as well as the risks, of varying likelihood and severity, to the rights and freedoms of data subjects.

2. Minimum requirements

In accordance with paragraph 1 of this Annex and Annex I, the Data Processor shall comply with the following minimum requirements:

1. Access Control and Authentication
   • All access to the information of the Data Controller must be made by users legitimized to do so and these users must have unique identifiers that can identify them in the information processing and storage systems;
   • Authentication in the systems must be done using credentials based on user and password, and the password must be complex (combination of letters, numbers, special characters and a minimum length of eight characters);
   • A maximum password validity period of no more than 90 days should be adopted and it should not be possible for the user to use the previous 5 passwords;
   • Technical security measures must be adopted to protect access credentials, such as blocking the password after 6 (six) consecutive failed attempts, six months without using the credentials;
   • There must be formal procedures for requesting, assigning, removing and approving access to the Data Controller's information.
2. Data Encryption and Device Management
   • All personal information must be stored on media (external hard drives, servers, USB sticks, etc.) in encrypted form;
   • All information must be transmitted using encrypted communication channels (e.g. TLS/SSL, encrypted e-mail with X509 keys or PGP);
   • All computing devices (servers and personal computers) must be properly protected against attacks and malware through the use of antivirus, intrusion detection and prevention systems;
   • All information system components (hardware, firmware and software) must be reviewed to ensure that vulnerabilities and flaws are detected and consequently updated with the latest available updates or measures installed to mitigate the flaws found.
3. Ability to restore availability and access to personal data in a timely manner in the event of a physical or technical incident
   • The continuity of service provision to the Data Controller must be safeguarded through the use of protection mechanisms against destruction or accidental loss;
   • Information safeguarding mechanisms (e.g. backups) must comply with good business continuity practices, ensuring that:
     • At least one copy is maintained in an alternative location;
     • Physical access controls and protection are implemented for media (e.g. tapes), when stored or in transit;
   • The effectiveness of protection mechanisms must be tested at least every six months.
4. Process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures to ensure the security of processing
   • Regular audits must be carried out to validate compliance with the security and data protection requirements contained in this Annex, at least on an annual basis;
   • A report must be prepared with details on the degree of compliance with the requirements, recommendations for compliance and made available to the Data Controller at the end.

Annex III

List of Subprocessors

1. Scope of Application

Healthium may engage and use certain third party data processors ("Subprocessors") to provide services to our customers. This appendix sets out important information about the identity, location and function of each Subprocessor.

2. List of Subprocessors

These Subprocessors may have access to personal data provided directly by our users or to which we may have access to perform the contracted services. We currently use the below list of Subprocessors to provide infrastructure, customer support, and platform services, Please note that not all Subprocessors are used in the provision of all the services we provide and some may only be involved in assisting in the provision of specific services.

Customer Support

Platforms

Infrastructures