END USER DATA PROCESSING AGREEMENT

(This Agreement is incorporated into the Information Sharing Provisions and is attached to the License Agreement and Introduction and Order Form (collectively, "EULSA") between InterSystems and the End User, as described in the EULSA.)

This End User Data Processing Agreement ("Agreement") is incorporated into the Information Sharing Provisions and is attached to the License Agreement and Introduction and Order Form (collectively, "EULSA") between InterSystems ("InterSystems") and the End User ("End User"), as described in the EULSA. InterSystems and the End User are parties to this Agreement (each individually referred to as a "Party" and collectively as the "Parties"). In consideration of the mutual covenants and commitments contained herein and other good and valuable consideration, the Parties agree as follows:

All capitalized terms used in this Agreement that are not defined elsewhere in this Agreement or in the EULSA shall have the same meaning as terms used or defined in the Data Protection Law defined below. The terms of this Agreement supersede any conflicting terms in the EULSA and any other provisions related to data protection or information processing.

The Parties acknowledge that the services provided by InterSystems under this EULSA are not intended to cause InterSystems to create, receive, maintain, transmit, use, disclose, or otherwise process personal data relating to data subjects in an operating environment that constitutes End User Data as defined below; however, because the End User may in certain circumstances be required to comply with the Data Protection Law defined below, the End User requires its service providers who may come into contact with End User Data to enter into a data processing agreement with the End User, and InterSystems is willing to enter into such an agreement in circumstances where InterSystems processes End User Data, without acknowledging that InterSystems is generally a processor for the End User. The Parties agree that for other personal data processed by InterSystems that is not End User Data ("InterSystems Data"), InterSystems is the data controller, and the Parties are not joint controllers of InterSystems Data.

Definitions.

1.1. Unless otherwise provided in the applicable Data Protection Law (as defined below), the capitalized terms set forth in this section shall have the meanings set forth below:

1.2. Data Controller.

"Data Controller" means, in this Agreement, the End User, i.e., the party that is the Controller of the processing of personal data for which the End User is the Controller.

1.3. Data Owner.

For each item of personal data within the End User Data, "Data Owner" means the End User, or, if the End User is a processor for a Controller with respect to the personal data, then such Controller.

1.4. Data Processor.

"Data Processor" means a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the Data Controller, and (1) InterSystems and the End User agree that InterSystems is acting as a processor for the End User as defined in the specific and separate Rules of Engagement, and (2) InterSystems is not acting as a service provider, a third-party supplier of the End User, or a Controller.

1.5. Data Protection Legislation.

"Data Protection Legislation" means the EU General Data Protection Regulation (GDPR) and national implementing legislation; the Swiss Federal Data Protection Act (as amended and replaced from time to time); the UK Data Protection Act (as amended and replaced from time to time); and the data protection laws of the European Economic Area states (as amended and replaced from time to time, as applicable).

1.6. End User Data.

"End User Data" means any personal data provided by or on behalf of the End User to InterSystems, the purposes and means of processing of which are determined solely by the End User or (if the End User is a processor for a Controller) the Controller; provided, however, that End User Data does not include any personal data defined above as InterSystems Data.

1.7. Data Protection Law.

"Data Protection Law" means all applicable laws or regulations concerning privacy and the processing, collection, use, and protection of personal data in any jurisdiction applicable to your agreement or Customer Data, which may include, but is not limited to, the Data Protection Act 2018 (UK), the GDPR, the Gramm-Leach-Bliley Act (US), the Privacy Act (Australia), the Privacy Act 1993 (New Zealand).

Data Ownership.

2.1. End User Data processed by the Data Processor on behalf of the Data Controller shall at all times remain the property of the Data Owner.

2.2. If either Party terminates the EULSA for any reason, the End User will decide whether each item of End User Data (to the extent still retained by the Data Processor) is returned to the End User or deleted. All processing by the Data Processor will cease, except for processing required by law or necessary for the winding down of the EULSA.

2.3. The Data Controller may at any time request that the Data Processor cease processing End User Data and delete or return the End User Data to the Data Controller.

2.4. If the Data Processor determines that returning or destroying End User Data as requested under this section is not feasible, the Data Processor shall extend the protections of this Agreement to such End User Data and shall, for as long as the Data Processor retains such End User Data, limit further processing of such End User Data to the purposes for which it cannot be returned or destroyed.

Obligations and Activities of the Data Processor.

3.1. The Data Processor agrees to implement technical and organizational security measures when processing End User Data that, if the Data Processor were the Controller of such data, would comply with Data Protection Law, such as Article 32 of the GDPR "Security of processing", i.e., "Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk", and to take reasonable steps to ensure compliance with these measures.

3.2. The Data Processor agrees to process such End User Data only in accordance with the instructions provided by the End User in writing from time to time.

3.3. The Data Processor agrees to comply with all obligations under Data Protection Law as if it were the Controller of such End User Data.

3.4. The Data Processor agrees that it shall ensure that all staff, agents, contractors, and others who have access to End User Data are informed that such data is confidential and shall not be disclosed to any person not bound by relevant enforceable confidentiality obligations. Only staff, etc., with a business need to access End User Data shall be authorized and (in terms of logical, physical, or other security measures) able to access End User Data.

3.5. If the Data Processor wishes to subcontract the processing of End User Data, it must impose on any subcontractor the same contractual obligations regarding data protection and security as those imposed in this Agreement.

3.6. The Data Processor agrees to notify the Data Controller promptly, in no event longer than permitted by relevant law, but no later than 72 hours after discovery by InterSystems, of any security breach related to End User Data occurring within its own organization or that of any subcontractor.

3.7. The Data Processor agrees to ensure that all personnel involved in the processing of End User Data receive adequate training regarding data protection procedures, and to identify and maintain records of the training received by such personnel and all course content. The Data Processor shall ensure that no other agents or employees of the Data Processor have access to End User Data.

3.8. The Data Processor agrees that, without the prior written approval of the End User, the Controller's data shall not be transferred to countries or territories outside the jurisdiction governed by the Data Protection Law applicable to your agreement, unless (1) such country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data, as determined by the appropriate data protection authority; (2) the Data Processor has entered into Standard Contractual Clauses approved by the European Commission for such transfer, in which case there shall be no implied breach of this provision; or (3) the Data Processor is subject to binding corporate rules approved or accepted by the relevant data protection authority; provided, however, that the End User may restrict such transfers under specific individual permissions in the Rules of Engagement, as long as the End User agrees that InterSystems is not in breach of its obligations under the EULSA if InterSystems determines such transfer is necessary for the provision of required services or support.

Obligations of the End User.

4.1. The End User shall provide End User Data to InterSystems only in strict compliance with Data Protection Legislation, for the purposes of this Agreement, and agrees to provide only the minimum amount of personal data necessary for the services or support provided.

4.2. The End User shall not request or require the Data Processor to process End User Data in a manner that the End User, as Controller or as a processor for a Controller, could not itself do; provided, however, that if InterSystems believes that any instruction from the End User violates Data Protection Legislation, InterSystems shall promptly notify the End User in writing, providing sufficient information to describe the objection. If the End User agrees with InterSystems' determination that the End User's instruction violates Data Protection Law, then the End User shall notify InterSystems of such, and InterSystems shall not be required to comply with that instruction and shall not be deemed in breach of the EULSA for failing to comply. If the End User objects to InterSystems' finding that the End User's instruction violates Data Protection Law, the End User shall provide a written explanation of why the instruction complies with Data Protection Law, and InterSystems may rely on such explanation in carrying out the End User's instruction.

4.3. The End User represents and warrants that it (or, where the End User is a Data Processor, the relevant Data Owner) may process the End User Data in the manner authorized by the Data Processor under this Agreement for the processing of personal data.

4.4. The End User shall be responsible at all times for maintaining and ensuring the confidentiality, privacy, and security of End User Data transmitted to the Data Processor, using administrative, physical, and technical safeguards, in accordance with the standards and requirements of Data Protection Legislation, until such End User Data is received by the Data Processor.

4.5. The End User shall obtain any consents or authorizations that may be required by applicable law for the Data Processor to provide its services under the EULSA.

Miscellaneous.

5.1. Reference. References in this Agreement to language in the GDPR refer to such language as effective or amended on the applicable compliance date.

5.2. Modifications to this Addendum. The End User agrees that InterSystems may, if necessary and in good faith, amend this Agreement or the EULSA to comply with any changes in Data Protection Legislation.

5.3. Survival. The respective rights and obligations of the Data Processor and the Data Controller under this Agreement or the EULSA shall survive termination as long as the Data Processor or the Data Controller processes End User Data under this Agreement or the EULSA.

5.4. Interpretation. Any ambiguity in this Agreement shall be resolved to allow the Parties to comply with Data Protection Legislation.

The rights and obligations set forth in this Agreement are in addition to, and not in substitution for, any rights or obligations arising under any other contract or common law between the Parties.

If any person breaches or is alleged to have breached its confidentiality obligations to any Party under this Agreement in relation to End User Data that is possessed or accessed by such person as a result of this Agreement, the Party assuming such obligation undertakes to use its best efforts to perform the relevant obligation.