Data Privacy Terms
KRIYA’S PRIVACY AND DATA PROTECTION TERMS
Effective June 1, 2025
1. Data Privacy (United States). To perform the Services, Provider or Consultant (collectively, “Service Provider”) and its subcontractors will need to receive and process certain patient-identifiable information (“PII”) and other information necessary for such Services. Kriya Therapeutics, Inc. (“Kriya”) is responsible for obtaining all necessary consents, including authorizations required by the Health Insurance Portability and Accountability Act of 1996, as amended by the Health Information Technology for Economic and Clinical Health Act (“HIPAA”), and its implementing regulations, from patients participating in Kriya’s clinical trial(s) that allow Service Provider and its subcontractors to receive and process personally identifiable information in relation to the Services. Kriya and Service Provider may herein be referred to collectively as the “Parties”. Service Provider shall ensure that PII is only processed in accordance with the consents and the project plan described in the applicable Statement of Work or Project Assignment and is only used as necessary for Service Provider’s obligations as part of the Services. Service Provider shall implement and maintain reasonably necessary technical and organizational measures to protect PII (i) against accidental or unlawful destruction, accidental loss, destruction, damage, corruption or alteration, or unauthorized disclosure or access, and (ii) against all other unlawful forms of processing. The Parties further acknowledge and agree that the Services are being provided in support of clinical research and not patient treatment, and that the Parties’ use and disclosure of PII for the Services has been authorized by the subjects of the information who are participants in clinical research, and such information is also defined as Identifiable Private Information for purposes of the federal policy for the protection of human subjects under 45 C.F.R. Part 46.
Accordingly, the Parties agree that (1) Service Provider is receiving PII pursuant to study subjects’ authorizations under HIPAA, and (2) such PII is exempt from applicability to Assembly Bill 375 of the California House of Representatives, an act to add Title 1.81.5 (commencing with Section 1798.100) to Part 4 of Division 3 of the Civil Code, relating to privacy and approved by the California Governor on June 28, 2018, including all regulations enacted in connection therewith, as the same may be amended, supplemented, or replaced from time-to-time. Service Provider further agrees to protect the privacy and security of all information received, maintained, or transmitted in connection with the Services and will use such information solely for purposes of providing the Services.
2. Data Privacy (European Union, EEA, United Kingdom). Words in this paragraph shall have the same meaning as given to them in Appendix A below. To perform the Services, Service Provider will process Personal Data on behalf of Kriya. Where such Processing is subject to the laws of (i) the European Union, (ii) a member state of the European Union or the European Economic Area, and/or (iii) the United Kingdom, this paragraph shall apply to the Personal Data and its Processing will be undertaken by Service Provider on behalf of Kriya in accordance with, and subject to, the Data Processing Terms in Appendix A below.
3. Data Privacy (Australia). Words in this paragraph shall have the same meaning as given to them in Appendix A below. When performing the Services in Australia, Kriya acknowledges that Service Provider will process Personal Data on behalf of Kriya in Kriya’s capacity as an APP entity (as defined by the Privacy Act 1988 (as amended)) and that Kriya shall have and retain sole effective control over such Personal Data and in this context, (i) Service Provider shall comply with the Data Processing Terms in Appendix A below and ensure that Personal Data is only used as necessary for Service Provider’s obligations as part of the Services, and (ii) Kriya acknowledges that it is responsible for ensuring that the processing of Personal Data by Service Provider and the sharing of Personal Data with Service Provider for the performance of the Services is at all times in compliance with applicable privacy laws. Service Provider shall implement and maintain reasonably necessary technical and organizational measures to protect Personal Data (i) against accidental or unlawful destruction, accidental loss, destruction, damage, corruption or alteration, or unauthorized disclosure or access, and (ii) against all other unlawful forms of processing, and (ii) the provision of the Personal Data by Kriya to Service Provider shall be a use and not a disclosure of that Personal Data.
4. Data Privacy (other jurisdictions not identified in paragraphs 2 and 3 above). When performing the Services, Service Provider acknowledges that it will process Personal Data on behalf of Kriya and that Kriya shall have and retain sole effective control over such Personal Data and in this context, (i) Service Provider shall comply with the Data Processing Terms in Appendix A and ensure that Personal Data is only used as necessary for Service Provider’s obligations as part of the Services.
APPENDIX A
DATA PROCESSING TERMS
Schedules to this APPENDIX A:
Schedule A – Template Record of Processing
Schedule B – Security and Assistance Requirements
Schedule C – Authorized Subprocessors
These Data Processing Terms apply to the Processing of Personal Data by Service Provider or any relevant Subprocessor, as defined below, as specified in Schedule A. Reference to “Service Provider” in these Data Processing Terms includes “Service Provider Affiliates”, as applicable.
1) DEFINITIONS
a) Definitions. The following defined terms apply to these Data Processing Terms. Terms not defined in these Data Processing Terms have the meaning set out in the Agreement. Cognate terms shall be interpreted accordingly.
“Authority” means the public authority or authorities competent under applicable Privacy Law, including the Irish Data Protection Commission, the UK Information Commissioner’s Office (“ICO”), and the Swiss Federal Data Protection and Information Commissioner (“FDPIC”).
“Clauses” means the standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 approved by the European Commission implementing decision (EU) 2021/914, and a “Clause” means the relevant clause in the Clauses.
“Commencement Date” means, for each service, the Effective Date indicated in the Agreement, or the applicable Statement of Work or Project Assignment, designated for the commencement of such service.
“Data Processing Terms” or “DPA” mean these terms, including all schedules and appendices referred to herein or documents expressly incorporated by reference in this DPA, as they may be amended or supplemented from time to time pursuant to the terms of this DPA.
“Personal Information” or “Personal Data” mean any information relating to an identified or identifiable natural person and legal persons (in jurisdictions where legal persons have the benefit of, or are protected by, Privacy Law), an identifiable natural person being one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person, as well as Sensitive Personal Information, which are all subject to Privacy Law.
“Privacy Law” means all applicable local, domestic, state, national and/or foreign laws that relate to: (a) the confidentiality, collection, use, handling, processing, retention, security, protection, disclosure, transfer or free movement of Personal Data, (b) data privacy, (c) trans-border data flow, or (d) data protection. Privacy Law, includes, but is not limited to, relevant national laws implementing the General Data Protection Regulation (2016/679 of the European Parliament and of the Council of 27 April 2016) (“GDPR”), the GDPR as it forms part of the domestic law of the United Kingdom by virtue of the European Union (Withdrawal) Act 2018 as amended (“UK GDPR”), and the Swiss Federal Act on Data Protection (“FADP”), each as may be updated, amended or replaced from time to time.
“Processing” or “Process” mean any operation or set of operations which is performed on or concerning Personal Data or on sets of Personal Data, whether or not by automated means, such as the production, classification, access to, reproduction, filing, evaluation, extraction, control, receipt, collation, collection, obtaining, recording, organization, structuring, storage, adaptation or alteration, updating, modification, retrieval, consultation, use, disclosure or dissemination by transmission, distribution or otherwise making it accessible or available in any other form, alignment or combination, merging, linking as well as blocking, restricting, erasure, deletion, destruction, degradation of, or rendering the Personal Data anonymous.
“Security Breach” means any material breach of security that has led to the accidental or unlawful destruction, loss, alteration or unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed by Service Provider or its Subprocessors on behalf of Kriya.
“Sensitive Personal Information” means sensitive Personal Data (e.g. data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of genetic data, biometric data for the purposes of uniquely identifying a natural person, data concerning health or a natural person’s sex life or sexual orientation).
“Software” means all software programs and programming that a party is financially or operationally responsible for under the applicable supplement (and all modifications, replacements, upgrades, enhancements, documentation, materials, and media related thereto), including applications, development tools, management tools and systems software, unless a more specific reference is required by the context.
“Subprocessor” means any person, consultant, representative, agent, Service Provider Affiliate or third party engaged by Service Provider, or by any other subprocessor of Service Provider, who receives Personal Data from Service Provider, or from any other subprocessor of Service Provider, to be Processed on behalf of Kriya, or to whom Service Provider has delegated or subcontracted any of its obligations regarding the Services or the Processing of Personal Data.
“Service Provider Personnel” means the employees, consultants, representatives, agents, and contractors of Service Provider and its Subprocessors and any of their Affiliates who perform any Services under the Agreement or this DPA.
“System(s)” means an interconnected grouping of manual or electronic processes, including equipment, Software and associated attachments, features, accessories, peripherals and cabling, and all additions, modifications, substitutions, upgrades, or enhancements to such System, to the extent a party has financial or operational responsibility for such System or System components under the applicable supplement. System shall include all Systems in use as of the Effective Date, all additions, modifications, substitutions, upgrades or enhancements to such Systems and all Systems installed or developed by or for Kriya or Service Provider following the Effective Date.
“Valid Transfer Mechanism” means a data transfer mechanism recognized by the European Commission or relevant Authority as a legitimate basis for the transfer of Personal Data outside the European Economic Area, UK, Switzerland, or other country.
2) INCORPORATION OF THE CLAUSES
a) Subject to section 3)a) below and the amendments set out in sections 3)b) and 3)c) below, the Clauses are hereby incorporated into this DPA and apply to the transfer and all subsequent Processing of Personal Data by Service Provider or any Subprocessor as specified in Schedule A, as appended to the relevant Statement of Work or Project Assignment. For the purposes of the Clauses:
- i) The parties’ signature to the Agreement or relevant Statement of Work or Project Assignment shall be considered as signature to the Clauses;
- ii) References to the Clauses mean references to this DPA as it incorporates, amends and supplements the Clauses;
- iii) References to “the contract” mean references to the Agreement or relevant Statement of Work or Project Assignment;
- iv) The applicable module is module 2 (transfers from controller to processor) and module 4 (transfers from processor to controller where there is no alternative appropriate safeguard applicable in respect of the relevant transfer);
- v) Clause 3 (Third-party beneficiaries) applies only to Personal Data originating from or otherwise subject to the Privacy Law of the EU, the European Economic Area (“EEA”), the United Kingdom (“UK”), or Switzerland;
- vi) Clause 7 (Docking clause) is included;
- vii) At Clause 9 (Use of subprocessors), option 1 is selected, and intended changes to the list of subprocessors shall be submitted 30 days prior to the proposed engagement of a subprocessor;
- viii) At Clause 11 (Redress), the optional language is excluded;
- ix) At Clause 13(a) (Supervision), all three options are retained and apply, as relevant, to Personal Data originating from or otherwise subject to the Privacy Law of the EU or the EEA. Personal Data originating from or otherwise subject to the Privacy Law of Switzerland or the UK shall be supervised by the applicable Authority. Personal Data originating from any other country or otherwise subject to the Privacy Law in that country, shall be supervised by the applicable Authority in that country;
- x) At Clause 17 (Governing law), option 1 is selected, and the governing law shall be the law of Ireland for Personal Data originating from or otherwise subject to the Privacy Law of the EU or the EEA. For Personal Data originating from or otherwise subject to the Privacy Law of another jurisdiction, the governing law shall be the law of the originating jurisdiction;
- xi) At Clause 18(b) (Choice of forum and jurisdiction), disputes shall be resolved by the courts of Ireland for Personal Data originating from or otherwise subject to the Privacy Law of the EU or the EEA. For Personal Data originating from another jurisdiction disputes shall be resolved by the courts of the originating jurisdiction;
- xii) At Annex I.A (List of parties), for the purposes of Module 2 the data exporter is Kriya acting as a controller, and the data importer is Service Provider or any subprocessor acting as a processor, and their respective details are as set out in the Agreement or relevant Statement of Work or Project Assignment;
- xiii) At Annex I.A (List of parties), for the purposes of Module 4 the data exporter is Service Provider or any subprocessor acting as a processor, and the data importer is Kriya, and their respective details are set out in the Agreement or relevant Statement of Work or Project Assignment;
- xiii) At Annex I.B (Description of transfer), the description of the transfer is as set out at Schedule A of this DPA (Record of Processing), as appended to the relevant Statement of Work or Project Assignment;
- xiv) At Annex I.C (Competent Supervisory Authority), the competent supervisory authority is the authority determined in accordance with Clause 13, and section 2(a)(ix) above;
- xv) At Annex 2 (Technical and organizational measures including technical and organizational measures to ensure the security of the data), the technical and organizational measures to ensure an appropriate level of security are those set out at Schedule B of this DPA;
- xvi) At Annex 3 (List of subprocessors), the list of subprocessors is as set out at Schedule C of this DPA, as appended to the relevant Statement of Work or Project Assignment;
- xvii) References to Regulation (EU) 2018/1725 are removed; and
- xviii) The footnotes are removed.
3) AMENDMENTS FOR APPLICABLE PRIVACY LAW
a) For the purposes of transfers of Personal Data originating from or otherwise subject to the Privacy Law of the UK, the Parties agree to comply with the terms of Part 2: Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses (the “UK Addendum”). The Parties also agree that the information included in Part 1 of the UK Addendum is as set out in sections 2)a)xii) to 2)a)xvii) above and that the key contacts are as set out in the Agreement. The Parties also agree that the data exporter may end the UK Addendum as set out in Section 19 of the UK Addendum.
b) The Clauses are amended to the extent necessary in order to provide all safeguards required under Privacy Law in relation to:
- i) The transfer of Personal Data by Kriya to Service Provider or a subprocessor; and
- ii) The subsequent Processing of Personal Data by Service Provider and subprocessors.
c) Such amendments include (but are not limited to):
- i) References to “Regulation (EU) 2016/679” or “that Regulation” are replaced by “Privacy Law”, and references to specific article(s) of Regulation (EU) 2016/679 are replaced with the equivalent provision of each relevant Privacy Law;
- ii) References to the “European Union”, “Union”, “Member State”, “EU Member State” and to any specified EU Member State are replaced by reference to the jurisdiction mandated by applicable Privacy Law; and
- iii) References to the “supervisory authority” are replaced by “Authority”.
4) HIERARCHY
a) The remaining paragraphs of this DPA below supplement and particularize the Clauses as incorporated and amended. In the event of a conflict between the Clauses as incorporated and amended and the remaining provisions of this DPA, the Clauses as incorporated and amended shall prevail.
b) In the event of a conflict between the provisions of this DPA (including the Clauses as incorporated and amended) and any other agreement, Schedule or document between the Parties including the Agreement, the provisions of this DPA shall prevail with regard to the parties’ data protection obligations.
5) PERSONAL DATA
a) Ownership of Data. Personal Data is and shall remain, as between parties, the property of Kriya regardless of whether Service Provider or Kriya is in possession of the Personal Data.
b) Safeguarding of Data. Further to Clause 8.6(a), Service Provider and Subprocessors shall comply with all other specific requirements as established in Schedule B.
c) Security Breach. Further to Clause 8.6(c):
- i) Service Provider and Subprocessors shall notify Kriya without undue delay of Service Provider or Subprocessors having confirmed a Security Breach.
- ii) Service Provider and Subprocessors shall:
- (1) immediately take steps to mitigate any harmful effects of each Security Breach; and
- (2) without undue delay (and in any event within forty-eight (48) hours) describe in detail to Kriya the nature and circumstances of the Security Breach (including the day or period of the Security Breach, the duration of the Security Breach and geographical spread), the type of Personal Data affected, the number of records involved and persons affected, the cause and likely consequences of the Security Breach and the measures taken by Service Provider and/or Subprocessors to contain and mitigate any adverse effects of the Security Breach.
- iii) Service Provider and subprocessors shall provide Kriya with the name and contact information of Service Provider Personnel who shall serve as Kriya’s primary security contact regarding the Security Breach and will be available to assist Kriya twenty-four (24) hours per day, seven (7) days per week if necessary.
- iv) For each Security Breach, Service Provider and Subprocessors shall promptly (and in any event as soon as reasonably practicable):
- (1) perform a root cause analysis and forensic investigation report protected by legal privilege and prepare a corrective action plan;
- (2) provide Kriya with written reports referred to in Section 5)d)iv)(1) above, and detailed information, including how and when such Security Breach occurred, and what actions Service Provider is taking to remedy and mitigate the impact of such Security Breach; and
- (3) cooperate with Kriya in any investigation, litigation, or provisions of notices that Kriya deems appropriate regarding such Security Breach, and not notify authorities without Kriya’s prior consent if legally permitted.
d) Correction of Data.
- i) Further to Clause 8.4, Service Provider shall perform the correction of any errors or inaccuracies in or with respect to the Personal Data discovered by Kriya at its sole cost and expense if:
- (1) Service Provider is operationally responsible for inputting such data; or
- (2) the errors or inaccuracies are due to the failure of Service Provider or Service Provider Personnel to comply with Service Provider’s obligations under this DPA, including a Security Breach.
e) Limitations on Processing.
- i) Further to Clause 8.6(b), Service Provider shall take appropriate action to ensure that only Service Provider Personnel who are strictly required to ensure it fulfills its obligations under the Agreement or relevant Statement of Work or Project Assignment or this DPA have access to Personal Data, and it shall take reasonable steps to ensure the reliability of Service Provider Personnel having access to Personal Data, including by ensuring they are appropriately trained in the handling and security of Personal Data and that they are bound by a non-disclosure agreement, confidentiality agreement, or a code of conduct that prohibits them from Processing any Personal Data except as required for the performance of the Agreement, the relevant Statement of Work or Project Assignment, or this DPA.
f) Data Subject Requests and Communications.
- i) Further to Clause 10(b), Service Provider shall notify Kriya promptly and no later than within seventy-two (72) hours if it receives any request, objection, complaint, or communication from an individual or data subject (having the meaning given to it in the Privacy Law) or anyone acting on the individual’s or data subject’s behalf relating to Personal Data or:
- (1) a data subject access request;
- (2) a request to rectify any inaccurate Personal Data;
- (3) a request to have any Personal Data erased;
- (4) a request to restrict the Processing of any Personal Data;
- (5) a request to obtain a portable copy of Personal Data, or to transfer such a copy to any third party;
- (6) an objection to any Processing of Personal Data; or
- (7) any other request, complaint or communication relating to Kriya’s or Service Provider’s obligations under Privacy Law.
- ii) Service Provider will provide reasonable co-operation and assistance at no cost to Kriya (within timescales reasonably required by Kriya) in relation to any of the matters covered by this DPA.
6) CROSS-BORDER DATA SHARING RESTRICTIONS
a) Service Provider and Subprocessors shall Process (including accessing and remotely accessing) Personal Data only at or from (i) the following location(s): See Schedule C, or (ii) any other location notified to Kriya not less than 30 days prior to the transfer.
b) Further to Clause 8.8, where Personal Data Processed in relation to the Services is subject to cross-border transfer restrictions under applicable Privacy Law, and provided that Kriya has not reasonably objected to such transfer after the notification in section 6(a) above, Service Provider shall, and shall procure that its agents, Subprocessors and employees:
- i) ensure an adequate level of protection of Personal Data transferred in accordance with the Privacy Law;
- ii) comply with any reasonable instructions of Kriya, including promptly entering into with Kriya a Valid Transfer Mechanism; and
- iii) maintain a detailed written record of the transfer which shall include the information referred to in Clause 8.9 and Section 9) (Record Keeping), details of the destination country or international organization and, if applicable, the safeguards put in place to ensure an adequate level of protection for the Personal Data.
7) USE OF SUBPROCESSORS
a) Further to Clauses 8.8 and 9(a), if Kriya reasonably objects to the location in which Personal Data is to be transferred, or the engagement of a Subprocessor, then Kriya and Service Provider shall in good faith seek reasonably suitable alternatives, and any associated amendments to the relevant Statement of Work or Project Assignment, failing which Kriya may discontinue using the relevant portion of the Service(s) and may terminate the relevant portion of the Service(s) with no less than thirty (30) days’ notice.
8) CHANGES
a) If any of the provisions in this DPA need to be updated, supplemented or revised as a result of a change of any Valid Transfer Mechanism or any Privacy Law (including any Authority-approved guidance or codes of practice that relate to the Privacy Law which come into effect after the Effective Date), then Kriya shall provide Service Provider with a written notice of the changes to the relevant Article(s) or Section(s) (the “Updated Terms”) and the Parties shall meet to negotiate and agree on the Updated Terms and/or the alternative Valid Transfer Mechanism in good faith.
11) GOVERNING LAW / JURISDICTION
a) Where permitted by applicable Privacy Law, and except with respect to Personal Data originating from or otherwise subject to Privacy Law of the EU, the EEA, Switzerland, or the UK:
- i) this DPA shall be subject to the governing law of the country specified for the same purpose as set forth in the Agreement or relevant Statement of Work or Project Assignment, without regard to principles of conflicts of law that would impose a law of another jurisdiction; and
- ii) the parties submit to the exclusive jurisdiction of the courts of the country specified for the same purpose as set forth in the Agreement or relevant Statement of Work or Project Assignment in respect of any dispute arising from or in relation to this DPA that is not otherwise settled by the Parties.
12) SEVERABILITY
a) If any provision of this DPA is held to be invalid, illegal, or unenforceable for any reason, such provision shall be deemed to be restated to reflect as nearly as possible the original intention of the Parties in accordance with Applicable Law. The remaining provisions hereof shall remain valid and in full force and effect.
Schedule A
Record of Processing
1. Nature and purpose of the transfer and further Processing
In furtherance of the Services (as more specifically defined in the Agreement or any relevant Statement of Work or Project Assignment), under conditions mandated by Kriya.
2. Duration of Processing
The Term (including any renewal term and transition periods) of the Agreement or any relevant Statement of Work or Project Assignment.
3. Type of Personal Data
See Agreement or any relevant Statement of Work or Project Assignment.
4. Categories of Data Subjects
See Agreement or any relevant Statement of Work or Project Assignment.
5. Transfers of Personal Data to Authorized Subprocessors and/or to Third Countries
See Agreement or any relevant Statement of Work or Project Assignment.
6. Frequency of transfer
Continuous
Schedule B
Security and Assistance Requirements
1) Specific Security requirements.
a) Service Provider and Subprocessors that Process Personal Data shall implement at least the following measures and documents with respect to Personal Data:
- (i) The data security program and associated physical, technical, organizational and security measures shall be documented in writing by Service Provider and shall align with the Information Security Management System (ISMS) family of standards as published by the Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), also known as the ISO/IEC 27000 series or with National Institute of Standards and Technology (NIST) frameworks and guidelines, as each may be modified or replaced from time to time.
- (ii) For administrative and remote access, provide a secondary authentication (two-factor authentication (2FA)) like a security token or biometric factor, as well as a password.
- (iii) Isolation of Personal Data. The principle of least privilege shall be implemented and enforced (i.e., authorized Service Provider Personnel should only be granted the minimal data-access privileges required to complete their job functions or responsibilities). Service Provider or Subprocessor shall permit only authorized Service Provider Personnel, Kriya employees or third parties access to data locations.
b) Viruses.
- (i) Use reasonable, good faith and diligent efforts at all times to identify, screen, prevent and otherwise ensure that no viruses are coded or introduced into Service Provider’s Systems, or any Service Provider technology used to provide the Services to Kriya;
c) Backdoors.
- (i) Service Provider certifies that (a) it has not purposefully created any backdoors that could be used to access the Personal Data or Systems, (b) it has not purposefully created or changed its business processes in a manner that facilitates access to Personal Data or Systems, and (c) that national law or government policy does not require Service Provider or Subprocessor to create or maintain backdoors or to facilitate access to Personal Data or Systems.
d) Restoring Data.
- (i) the restoration of any destroyed, lost or altered Personal Data shall be performed by the party that has operational responsibility for maintaining the System on which such Personal Data resides and for creating and maintaining backup copies of such Personal Data.
e) Encryption.
- (i) encrypt all Personal Data at rest, and in transit, and in storage; and
- (ii) encrypt all Personal Data on portable devices;
using a FIPS-140-2 compliant encryption algorithm.
f) Penetration Test.
- (i) Service Provider shall annually test, assess, and evaluate the effectiveness of its security measures by conducting a penetration test based on industry accepted penetration testing approaches on its systems used to store or Process Personal Data.
g) Contingency Planning.
- (i) Upon the occurrence of a Force Majeure Event that constitutes a disaster under the applicable disaster recovery/business continuity plan, Service Provider shall promptly implement, as appropriate, such disaster recovery/business continuity plan and provide disaster recovery and business continuity services as described in such plan. The occurrence of a Force Majeure Event shall not relieve Service Provider of its obligation to implement the applicable disaster recovery/business continuity plan and provide disaster recovery and business continuity services.
h) Backup of Data.
- (i) Backup Copies. As part of Service Provider’s implementation of the disaster recovery/business continuity plan described above, Service Provider shall generate and maintain backup copies of all Personal Data residing on its Systems. Such backup copies shall be considered “Kriya Personal Data” as used in this DPA, and all Service Provider’s obligations in this DPA, including those related to data security and privacy, shall apply to such backup copies to the same extent such obligations apply to other Personal Data.
i) Assistance with responding to data subject requests
- (i) Service Provider and Subprocessors that Process Personal Data shall implement reasonably necessary technical and organizational measures required to enable Kriya to update, erase, isolate, obtain and disclose Personal Data relating to a specific data subject.
Schedule C
Authorized Subprocessors
See Agreement or any relevant Statement of Work or Project Assignment (template table below).
| Subprocessor Legal Name (and business name, if different), registered address and contact person’s name, position, and contact details | Jurisdiction/Location of where services are provided | Description (nature and duration) of Processing | Transfer mechanism in place to ensure adequate level of protection for Personal Data where the transfer is to an entity outside the EEA, UK, or Switzerland |
| --- | --- | --- | --- |