Data Processing Agreement (DPA)
Effective Date: March 30, 2026 | For queries: dpa@aimwellbio.com
1. Parties and Definitions
This Data Processing Agreement ("DPA") is entered into between AimwellBio, Inc. ("Processor"), a Delaware corporation, and the Customer executing the Master Service Agreement to which this DPA is attached ("Controller").
1.1 Key Definitions
- Personal Data: Any information relating to an identified or identifiable natural person subject to GDPR processing.
- Processing: Any operation performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, transmission, erasure, or destruction.
- Data Subject: The natural person to whom Personal Data relates.
- Sub-processor: Any natural or legal person engaged by the Processor to process Personal Data on behalf of the Controller.
- Data Breach: Any unlawful or accidental destruction, loss, alteration, or unauthorized disclosure of, or access to, Personal Data.
- GDPR: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, as may be amended or superseded.
2. Scope and Purpose
The Processor shall process Personal Data only on documented instructions from the Controller and only to the extent necessary to provide the services described in the Master Service Agreement, including:
- Platform hosting and operational support
- Data analytics and intelligence generation for biopharmaceutical organizations
- Performance monitoring, system maintenance, and security operations
- Customer support and product development activities
The Controller retains all responsibility for determining the lawful basis for processing and ensuring compliance with applicable data protection laws.
3. Data Processing Details
3.1 Categories of Personal Data
The Controller may provide the following types of Personal Data to the Processor:
- Identification data (names, professional titles, email addresses, phone numbers)
- Professional credentials and qualifications
- Employment history and organizational affiliation
- Usage analytics and behavioral data relating to platform interactions
- Cookies and tracking identifiers
- IP addresses and device information
- Health-related professional information (industry, specialty, credentials)
3.2 Categories of Data Subjects
- Employees and contractors of the Controller
- Healthcare practitioners, clinical researchers, and industry professionals
- Contacts and business associates of the Controller's users
- End-users accessing the platform through the Controller's account
3.3 Duration of Processing
The Processor shall process Personal Data for the duration of the Master Service Agreement. Upon termination, Personal Data shall be deleted or returned to the Controller within thirty (30) days, unless applicable law requires further retention.
4. Obligations of the Processor
4.1 Processing Instructions
The Processor shall:
- Process Personal Data only on documented written instructions from the Controller
- Not process Personal Data for any purpose other than the provision of the services
- Inform the Controller if any instruction infringes GDPR or other applicable data protection laws
- Refrain from processing if instructed to do so in violation of law
4.2 Confidentiality
The Processor shall ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate legal obligation of confidentiality. The Processor shall maintain strict confidentiality with respect to all Personal Data and shall not disclose such data to any third party except as authorized by the Controller or required by law.
4.3 Security Measures
The Processor implements comprehensive technical and organizational security measures to protect Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, or damage:
- Encryption at Rest: All Personal Data is encrypted using AES-256 encryption with industry-standard key management protocols
- Encryption in Transit: All data transmission is protected using TLS 1.2 or higher protocols
- Access Controls: Access to Personal Data is restricted to authorized personnel on a need-to-know basis, enforced through role-based access control (RBAC) and multi-factor authentication
- Logging and Monitoring: All access to Personal Data is logged and monitored for suspicious activity; logs are retained for a minimum of ninety (90) days
- Infrastructure Security: Systems are hosted on secure, redundant infrastructure with regular security assessments and penetration testing
- Data Minimization: Only Personal Data necessary for providing the services is retained; retention periods are established in accordance with applicable law
4.4 Sub-processors
The Processor has engaged the following Sub-processors to perform processing operations on behalf of the Controller:
- Supabase: Database and backend infrastructure services
- Vercel: Application hosting and deployment services
- Stripe: Payment processing and billing services
The Processor shall notify the Controller of any intended changes concerning the addition or replacement of Sub-processors at least thirty (30) days in advance. The Controller may object to the engagement of any Sub-processor on reasonable grounds relating to data protection. The Processor shall not engage any Sub-processor without prior written authorization from the Controller. The Processor shall impose the same data protection obligations on Sub-processors as set forth in this DPA through binding contracts.
4.5 Assistance to Data Subjects
The Processor shall assist the Controller in fulfilling the Controller's obligations to respond to Data Subject requests, including requests for access, correction, deletion, restriction, portability, and objection. The Processor shall, taking into account the nature of the processing, assist the Controller by appropriate technical and organizational measures in fulfilling the Controller's obligation to respond to Data Subject rights requests within statutory timeframes.
4.6 Data Breach Notification
Upon becoming aware of a Data Breach affecting Personal Data processed hereunder, the Processor shall:
- Notify the Controller without undue delay and in no case later than seventy-two (72) hours after discovery of the breach
- Provide the Controller with information necessary to meet notification obligations to Data Subjects and supervisory authorities
- Cooperate with the Controller in investigating the breach and implementing remedial measures
- Document the breach and the Processor's response in a manner available for supervisory authority inspection
4.7 Deletion and Return of Data
Upon termination of the Master Service Agreement, or at the Controller's election at any time, the Processor shall, at the Controller's choice, delete or return all Personal Data to the Controller. The Processor shall provide written certification of deletion within thirty (30) days. The Processor may retain Personal Data only to the extent required by applicable law, and only in a manner that maintains the security of such data.
4.8 Audit Rights
The Processor shall make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for audits and inspections by the Controller or the Controller's auditors, upon reasonable notice and frequency. The Processor shall cooperate with supervisory authorities in the performance of their tasks.
5. Obligations of the Controller
The Controller shall:
- Determine the lawfulness of processing and provide appropriate lawful basis documentation upon request
- Ensure it has obtained valid consent from Data Subjects where required by applicable law
- Notify Data Subjects and supervisory authorities of any Data Breaches involving Personal Data
- Maintain records of processing activities as required by GDPR Article 30
- Provide accurate, updated Personal Data to the Processor and notify the Processor of material changes
- Ensure that any Personal Data provided to the Processor does not violate any third-party rights
6. Sub-processors and International Transfers
6.1 Sub-processor Management
The Processor maintains current documentation of all authorized Sub-processors. The Controller may request an updated list at any time by contacting dpa@aimwellbio.com. Sub-processors may be located outside the European Economic Area. The Controller's acceptance of this DPA constitutes authorization for processing via the Sub-processors listed in Section 4.4.
6.2 International Data Transfers
The Controller acknowledges that Sub-processors and the Processor may transfer Personal Data to countries outside the European Economic Area. Where such transfers occur, the Processor shall ensure appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Binding Corporate Rules (BCRs) where applicable
- Other adequacy or legal mechanisms as permitted by GDPR Article 46
The Processor shall make available copies of such legal mechanisms upon request.
7. Security and Technical Safeguards
7.1 Comprehensive Security Framework
The Processor maintains a comprehensive information security program including:
- Administrative Controls: Security policies, employee training, vendor management, incident response procedures
- Technical Controls: Encryption, firewalls, intrusion detection, vulnerability management, secure development practices
- Physical Controls: Restricted facility access, surveillance, environmental protections
7.2 Encryption Standards
- Data at Rest: AES-256 encryption with secure key storage and rotation
- Data in Transit: TLS 1.2 or higher for all communications
- Key Management: Industry-standard key derivation, rotation, and recovery procedures
7.3 Access and Authentication
- Multi-factor authentication for all system access
- Role-based access control limiting personnel to necessary data
- Periodic access reviews and revocation of unnecessary privileges
7.4 Monitoring and Logging
- Real-time security event monitoring and alerting
- Comprehensive logging of all access to Personal Data
- Log retention for a minimum of ninety (90) days, with the ability to extend
- Regular log review and analysis for suspicious activity
8. Data Breach Procedures
Upon discovery of any unauthorized access, disclosure, or loss of Personal Data:
- The Processor will immediately take action to contain the breach and prevent further unauthorized processing
- The Processor will notify the Controller within seventy-two (72) hours with details of the breach, affected data categories, likely consequences, and remedial measures
- The Processor will provide the Controller with forensic evidence and logs necessary to determine the scope and impact of the breach
- The Processor will cooperate fully with the Controller's investigation and regulatory notifications
- The Processor will maintain incident documentation for supervisory authority review
9. Term and Termination
9.1 Effectiveness
This DPA is effective as of March 30, 2026, and shall continue for the duration of the Master Service Agreement unless earlier terminated.
9.2 Termination
Upon termination of the Master Service Agreement:
- The Processor shall cease processing Personal Data within five (5) business days
- The Processor shall, at the Controller's election, delete or return all Personal Data within thirty (30) days
- The Processor shall provide written certification of deletion or return
- The Processor may retain Personal Data only as required by applicable law
9.3 Survival
The obligations under Sections 4.2 (Confidentiality), 4.6 (Data Breach Notification), and 7 (Security) shall survive termination of the Master Service Agreement with respect to any retained Personal Data.
10. Governing Law and Dispute Resolution
This DPA shall be governed by and construed in accordance with the laws of the State of Delaware, without regard to its conflict of law principles. The parties agree that any dispute arising from this DPA shall be resolved in accordance with the dispute resolution procedures set forth in the Master Service Agreement.
11. Amendments
The Processor may amend this DPA to comply with changes in applicable law or standards. The Processor shall notify the Controller of material amendments at least thirty (30) days in advance. The Controller's continued use of the Platform constitutes acceptance of amendments.
12. Contact Information
For questions or requests related to this DPA, please contact:
- Data Protection Contact: dpa@aimwellbio.com
- Address: AimwellBio, Inc., Delaware, United States
13. Entire Agreement
This DPA, together with the Master Service Agreement and any other referenced documents, constitutes the entire agreement between the parties concerning the processing of Personal Data and supersedes all prior agreements and understandings, whether written or oral, relating to such subject matter.