Data processor contract under the Organic Law on Personal Data Protection.

HEALTH IN CODE, S.L., with address: Edificio O Fortín, As Xubias, s/n. 15006, A Coruña and VAT Number: B70058375 (hereinafter referred to as “Data processor”), provides the client or user, hereinafter FILE CONTROLLER, the computer application called TreeStudio according to the conditions and description stipulated in the contract or, in the case of the free demo version, the conditions stated on the website.

As the use of the aforementioned platform involves the processing of personal data, in order to comply with the provisions on data protection, and in particular with the provisions of Organic Law 3/2018, of 5 December, on the Protection of Personal Data and guarantee of digital rights(Spanish abbr.: LOPDGDD). We inform that your data will be treated with utmost confidentiality, and it is necessary to sign this Data Processor Contract based on the following.

CLAUSES:

FIRST – Purpose of data processing.

1.1 THE DATA PROCESSOR hereby agrees to perform exclusively the data processing requested by the FILE CONTROLLER, of which the only purpose is to deliver technical maintenance services for the computer application.

SECOND – Safety of personal data.

2.1. THE DATA PROCESSOR will take the necessary measures to ensure the confidentiality of the Files while they are stored in or transmitted through the systems and devices owned by the DATA PROCESSOR in order to perform the Services.

2.2. THE DATA PROCESSOR agrees to keep the strictest confidentiality regarding codes, user credentials and/or access keys to the Systems provided by the FILE CONTROLLER, as well as the rest of safety measures that are applicable regarding the Files that constitute the object of this agreement.

2.3. THE DATA PROCESSOR guarantees the effective control of access and use of any user credentials and access keys to the Systems at the disposal of the DATA PROCESSOR with the only purpose of delivering the Services.

2.4. THE DATA PROCESSOR agrees to guard the provided information under due security and protection measures against third parties and within the existing security regulations. THE DATA PROCESSOR agrees to apply to the Files the security regulations provided by Organic Law 3/2018, of 5 December, on the Protection of Personal Data and guarantee of digital rights(Spanish abbr.: LOPDGDD), and Royal Decree 1720/2007, of December 21, on the approval of the implementing regulation for the LOPDGDD corresponding to a HIGH level of security.

2.5. THE DATA PROCESSOR reminds THE FILE CONTROLLER that the inclusion of their data in the application owned by THE DATA PROCESSOR does not exempt them from their obligation to comply with the legal requirements in this matter made compulsory by data protection laws; e.g.: File registration, keeping a security document, etc.

THIRD – Employees of THE DATA PROCESSOR.

3.1. THE DATA PROCESSOR will allow access to the Files solely to those employees who need to access them in order to perform their duties in relation to the Services. THE DATA PROCESSOR agrees not to disclose the information contained in the Files, either partially or totally, to personnel who do not need to access them.

3.2. THE DATA PROCESSOR will communicate and demand compliance with the obligations contained in this contract to the personnel performing the services. Nevertheless, THE DATA PROCESSOR shall warn said employees of the confidential nature of the information contained in the Files and of their responsibility in the event of illegal disclosure.

FOURTH – Communication of personal data and subcontracting.

4.1. THE DATA PROCESSOR agrees to keep the secrecy of all the Files provided by the FILE CONTROLLER and to not disclose, transfer, or communicate them in any way to third parties, not even for their conservation, unless said communication is performed under prior expressly written consent by the FILE CONTROLLER.

4.2. Notwithstanding the stated in the previous paragraph, THE DATA PROCESSOR warns the FILE CONTROLLER, and the latter agrees, that the aforementioned “SaaS” computer application is hosted at the servers of the company: “R Cable y Telecomunicaciones Galicia, S.A.”, with VAT number: A 1547428, a company located within the European Union; and that this company, through the corresponding contract, is responsible for guarding and maintaining the security measures applicable as a Data Hosting company.

FIFTH – Backup copies.

5.1. THE DATA PROCESSOR agrees not to copy or reproduce the information provided by the FILE CONTROLLER, except when necessary for its treatment and within the terms provided in the present agreement. Each copy or reproduction shall be subjected to the agreements and obligations stipulated in this document.

SIXTH – Validity of the Agreement.

6.1 The present Agreement will be valid for one year from the date of signature, automatically renewable for identical periods unless expressly communicated otherwise by any of the parties at least 30 days in advance of the end of the corresponding validity period. Likewise, this contract will be rendered invalid at the time of termination of the aforementioned services by any other cause. In the case of the free demo version, the termination stipulated on the website shall be observed.

6.2. THE DATA PROCESSOR, pursuant to the provisions in article 12.3 of LOPDGDD, agrees to destroy or return the data provided by the FILE CONTROLLER once the delivery of the Services has been completed. Likewise, any medium or document containing any personal data subjected to processing shall be destroyed or returned. Once this obligation has been fulfilled, THE DATA PROCESSOR, through an authorized signatory, shall issue a formal communication stating that it has been verifiably carried out.

Nevertheless, THE DATA PROCESSOR shall return all those data under any legal obligation of conservation to the FILE CONTROLLER while the legal conservation period is still in place.

Notwithstanding the foregoing, THE DATA PROCESSOR can conserve, duly blocked, those data belonging to the FILE CONTROLLER that are necessary to the effect of possible responsibilities regarding their relationship, pursuant to the provisions in article 22.2 of Royal Decree 1720/2007.

SEVEN – Responsibilities.

7.1. THE DATA PROCESSOR guarantees full compliance of the aforementioned obligations as contained in the present agreement.

7.2. Likewise, pursuant to the provisions in article 12.4 of LOPDGDD, in the event that THE DATA PROCESSOR, as Data Processor, uses the data for a different purpose, discloses them, or uses them in any way not in compliance with the stipulations of this agreement, THE DATA PROCESSOR will be held responsible for the processing, taking direct responsibility for any directly committed violations.

7.3. THE FILE CONTROLLER agrees that all the data introduced in the application owned by THE FILE CONTROLLER shall be lawfully obtained and used in compliance with the applicable regulations and that, in the event of a complaint or penalty resulting from their lack of compliance, THE FILE CONTROLLER shall hold THE DATA PROCESSOR harmless.

EIGHT – Period of data storage.

We also inform you that your data will be kept for the duration of the relationship established with the entity and for a minimum of five years after this relationship has ended, or until you exercise your rights of withdrawal or erasure.

NINTH– General clauses.

9.1. The lack of demand by any of their parties of any of their rights as stated in the present Contract shall not be deemed to constitute a renunciation to said rights in the future.

9.2. If any stipulation in this Contract is deemed void, unlawful, or otherwise unenforceable, the validity, legality, and enforceability of the remaining stipulations shall not be affected or harmed.

9.3. The present Contract and the relationship between THE FILE CONTROLLER and THE DATA PROCESSOR shall not constitute partnership, joint venture, agency, or employee-employer relationship between the parties.

9.4. The headings of the different clauses are for informative purposes only and shall not affect, qualify, or expand the interpretation of this Contract.

TENTH – Applicable law and jurisdiction.

10.1. You may also pursue your rights before the Spanish Data Protection Agency.

10.2. Any issue not foreseen in this Contract, as well as the interpretation and resolution of any conflicts that may arise between the parts as a consequence of it, shall be governed by the laws of Spain.

10.3. For the settlement of any disputes that may arise from the present Contract, both parties expressly agree to abide by the jurisdiction of the Courts and Tribunals of A Coruña, expressly renouncing any other jurisdiction that could be applicable.