Licence Agreement entered into within the framework of the CarnaLife System pilot implementation

entered into on [●], in Kraków by and between:

MEDAPP S.A. with its registered office in Kraków, 31-514 Kraków, ul. Władysława Beliny Prażmowskiego 60, NIP [Tax ID]: 7010264750, REGON [statistical ID]: 142641690, KRS [National Court Register] number 00000365157, whose registration documents are kept by the District Court for Kraków-Śródmieście in Kraków, 11th Commercial Division of the National Court Register, with fully paid-up share capital of PLN 23,919,094.30, represented by:
- Krzysztof Mędrala – President of the Management Board,
hereinafter referred to as “MedApp” or “Licensor”

and

[●], address: [●], [●], NIP [●], REGON [●], whose registration documents are kept by the District Court in [●], [●] Commercial Division of the National Court Register, KRS number [●], with fully paid-up share capital of PLN [●]; represented by [●] - [●], hereinafter referred to as “Licensee”

referred to individually as the “Party” and collectively as the “Parties”.

Whereas the Licensee is interested in the operation of the System, prior to potentially entering into a target licence agreement for the System, the Parties have agreed to enter into this Agreement for the purpose of a pilot implementation of the System through which Licensee will be able to learn about the operation of the System and its functionalities.

Now, therefore, the Parties agree as follows:

§ 1. Definitions

1.
System – means an advanced telemedicine platform (application with the status of a medical device), consisting of a computer program within the meaning of the Copyright Law, and other works within the meaning of the Copyright Law (including the Manual) and the Licensor’s Database, supporting the diagnosis of Patients by Users on the basis of Examination or Analysis results, assessment and monitoring of the health of Patients/Clients suffering from various diseases (specified in the Manual) and supporting remote consultations with Patients/Clients in the online mode. The System is adapted to collect strictly medical data of the Patients, as well as data of a near-medical nature, including data concerning wellbeing, the implemented diet, progress in physical activity, including on the basis of completed questionnaires, etc. The Licensee is given access (login and password) to the Administrator account and after logging in the Administrator can create accounts of other Users and/or Patients/Clients. Full functionality of the Software, including communication of Users with Patients/Clients requires: a) the installation of CarnaLife Lite by the Patient/Client on their Carrier and providing the Patient/Client with the login and password for the Patient/Client account generated by the Licensee, and b) the installation of the CarnaLife System by the User on the User’s Carrier and providing the User with the login and password to the User account generated by the Licensee. The installation of CarnaLife Lite by the Patient/Client requires the acceptance of the terms of the CarnaLife Lite Software User Licence Agreement. The installation of CarnaLife System by the User requires the acceptance of the terms of the CarnaLife System Software User Licence Agreement.
The Patient/Client performs Examinations at any place and at any time using compatible devices, either their own or those provided to them by the Licensee or a third party, or enters the results of the measurements by themselves into CarnaLife Lite, which automatically sends them to the Licensee and authorized Users. CarnaLife System has the functionality to communicate the results entered or recorded by means of the device by the Patient to the User and the Licensee. The System collects the Patients’ medical data (including Examination results, diagnosed diseases, administered medications) in the Licensor’s Database and analyzes them using algorithms based on artificial intelligence (AI), sending specific types of alerts, as specified in the Manual, to authorized Users.
2. Carrier – means a device such as a desktop computer, laptop, Android or iOS smartphone or tablet on which Patients/Users will install CarnaLife Lite/CarnaLife System;
3. Client or Patient – means a natural person, in possession of CarnaLife Lite, whom the Administrator has provided with a login and password to their account;
4. CarnaLife Lite – means the CarnaLife application created for Patients/Clients as a module of the System, permitting communication between the Patient/Client and the User, including automatic sending of saved Examination results by the Patient to the Licensee;
5. CarnaLife System – means the CarnaLife System application created for Users, being a module of the System, permitting communication between the User and the Patient, including automatic sending of saved Examination reports by the Licensee to the Patient;
6.
User – means a natural person bound by agreement with the Licensee, in particular an employee or associate of the Licensee, including those having the status of a physician, nurse, psychologist, dietician, personal trainer, in possession of CarnaLife System, for whom the Administrator has created an account and made available to them the login and password to this account;
7. Examination – means the type of examination as specified in the Manual;
8. Manual – means a document containing detailed information on the System, CarnaLife Lite and CarnaLife System, in particular a description of functionality and the way of using the System and technical requirements for proper functioning of the System – being an integral part of the System – which means that the Licensee, after the Implementation, and the User/Patient/Client, after logging in, have access to it;
9. Upgrade – means a subsequent version of the System, which the Licensor makes available to the Licensee, during the term of the Licence, without the obligation to pay any additional licence fee/remuneration;
10. Copyright Law – means the Act of 4 February 1994 on copyright and related rights (consolidated text – Polish Journal of Laws [Dz.U.] of 2019, item 1231 as amended);
11. Chain – means the Licensee’s medical facilities, as defined in Attachment 1, whose operations are covered by the Agreement;
12. Administrator – means a natural person bound by agreement with the Licensee and having the authorizations set forth in the Manual, allowing the Administrator to manage the System under the Agreement, in particular to create the scope of access/authorizations to individual elements of Patient/Client Databases covered by the System according to a key established by the Licensee, as well as to create individual accounts for Patients/Clients and Users;
13.
Server – means the Microsoft Azure server subscription owned by MedApp (the server is located in the Netherlands) which hosts the Patient/Client Database dedicated to the Licensee and the System replicated for the Licensee. The Licensor warrants that the Patient/Client Database will not be stored on servers located outside the European Economic Area without a separate written consent of the Licensee;
14. Remuneration – means any remuneration payable by Licensee to Licensor as set out in this Agreement;
15. Licensor’s Database – means a database created by the Licensor on the basis of the data entered by System licensees, their Users and Patients/Clients into the System, including the results of Examinations, which are anonymized on the day of their entry into the System at 00:00 hrs;
16. Patient/Client Database – means a database of Patients/Clients created on the basis of the data of the Licensee’s Patients/Clients entered by the Licensee, Users and Patients/Clients into the System, including results of Examinations; the Licensee’s Patient/Client data set entered into the System and stored within the Patient/Client Database remains the property of the Licensee as an entity that bears the risk of the investment outlay in the creation of this database, within the meaning of the Act of 27 July 2001 on the protection of databases (consolidated text – Polish Journal of Laws [Dz.U.] of 2019 item 2134 as amended). The Licensee authorizes the Licensor to use this data set under the terms described in this Agreement, within the limits of a data processing agreement.
17. Fault – means a Failure or Error, constituting non-conformance of the System with the Agreement or the Manual and a malfunction of the System which prevents the uninterrupted use of all System functionalities;
18.
Implementation – means all of the activities performed by the Licensor in performance of the Agreement in order to launch and achieve a fully functional System, completed by the Parties by preparing a System acceptance report in the form of a document. The implementation includes in particular the installation and parametrization of the System, testing of the System and provision of post-implementation documentation in the Manual.
19. Failure – means a Fault causing complete stoppage or serious disturbance of the System operation for which there is no alternative method to perform a given operation in the System, preventing uninterrupted use of the System;
20. Error – means a Fault causing disruption in the System’s operation, which, however, does not prevent the normal use of the System’s basic features, consisting in particular in the limitation in or issues with the performance of one of the System’s functionalities;
21. Repair time – means the time counted from the moment of submitting the Fault Notification to the moment of repair, i.e. sending an email to support@medapp.pl and a screenshot (if possible) of a detailed description of the Fault, the User who is logged in, the path to the Fault, the device on which the Fault appears, information about the operating system and its version, and other additional information which may help to determine the cause of the Fault;
22. Price List – a document specifying the amount of fees covered by this Agreement and constituting Attachment 2.

§ 2. General provisions

1. This Agreement sets forth the terms and conditions of Licensee’s use of the System, including the terms and conditions of storing Patient/Client medical data (Patient/Client Database) during the Agreement and after its termination.
2. The Parties agree that at the end of this Agreement they will jointly analyze the tested System and decide, each on its own, on further cooperation.
3.
The Licensor represents that:
a) System, CarnaLife System and CarnaLife Lite are protected by Copyright Law,
b) the Licensor’s Database is subject to protection pursuant to the Act of 27 July 2001 on the protection of databases (consolidated text – Polish Journal of Laws [Dz.U.] of 2019 item 2134 as amended),
c) the Licensor is the owner of the author’s economic rights to the System and CarnaLife System and CarnaLife Lite as well as the author of the Licensor’s Database,
d) the Licensor is entitled to license the System, CarnaLife System and CarnaLife Lite,
e) the System is a module of the analytical telemedicine system which is certified as a medical product supporting diagnostics with a CE certificate, Class IIb by TÜV NORD Polska Sp. z o.o., a notified body authorized by the Ministry of Health,
f) the use of the System under this Agreement does not violate any intellectual property rights of any third party, and in particular does not require any authorization/licence from the third party by the Licensor,
g) System, CarnaLife System and CarnaLife Lite are not encumbered by any rights or claims of third parties,
h) the Licensor is aware that the System may store the Licensee’s and Patient/Client medical data, and therefore specifically takes the necessary measures to prevent unauthorized access to the System’s data,
i) the System complies with the legal requirements that should be met by IT systems that process medical data,
j) the System was developed in compliance with the standards applicable in the IT industry for this type of systems, in particular it complies with the requirements indicated in the Recommendations of the National Centre for Healthcare Information Systems (CSIOZ) in the area of security and technological solutions used in the processing of medical records in electronic form.
4. The Licensee represents that the Licensee is a legal user of software required for proper operation of the System, based on separate, valid licence agreements.

§ 3.
Licence

1. The Licensor authorizes the Licensee to use the System, i.e. the Licensor grants the Licensee a non-exclusive, limited, paid licence under the conditions stipulated in the Price List, without the right to grant sublicences, non-transferable to third parties – under the terms and conditions of this Agreement (“Licence”).
2. The Licence includes the right to use the System in the following field of use:
a) making the System available by providing login data on the Server,
b) enabling the Licensee to create Administrator, User and Patient/Client accounts with a diversified range of authorizations for each type of Administrator, User and Patient/Client,
c) using the System in the territory of the Republic of Poland and abroad,
d) using the System only for the intended purpose of the System as described in the definition of the System and in the Manual,
e) using the System only for the time period specified in the Agreement,
f) using the System only as specified in the Agreement and subject to the provisions of the Manual.
3.
The Licensee is not entitled to use the System in a broader scope than specified in Section 2 above, and in particular to
a) use the System contrary to its purpose,
b) permanently or temporarily reproduce the System in whole or in part by any technique, to make copies of the System except for a backup copy in accordance with Section 4 below, provided that the backup copy may not be used concurrently with the copy of the System provided to the Licensee by Licensor,
c) interfere with the System, including making any modifications, changes, improvements, additions or attempts to reverse engineer the System,
d) reproduce the System’s code or to translate it, insofar as this goes beyond the scope of the law,
e) disclose or make public the System’s code in any way and to any person,
f) make changes in the elements of the System’s appearance,
g) make the System available to third parties on any basis, including, but not limited to trading the System by marketing, lending or renting it, sublicensing it to third parties or transferring the rights and obligations under this Agreement to third parties,
h) use the System to create other computer programs or works or incorporate the System or its elements into other computer programs,
i) decompile, disassemble, or otherwise obtain information about the internal structure or operating principles of the System,
j) translate, adapt, rearrange the System or make any changes to the System; disseminate the System, including but not limited to lending, renting, leasing or selling the System; provide access to the System and its databases (Licensor’s Databases) to third parties; transfer and disclose the data obtained from the System, or any part of the data, to third parties in any form unless such obligation is required by law or with the express written permission of the Licensor,
k) disseminate the System by public performance, exhibition, screening, reproduction, broadcasting and re-broadcasting, as well as making the System
available to the public in such a way that everyone can have access to it at a place and time chosen at their discretion,
l) duplicate the System, tamper with the computer records, transmit the information obtained from the System to other entities, download and store the data obtained from the System on the devices used to collect such data. For the avoidance of doubt, the Parties confirm that this provision does not apply to the Patient/Client Database, in respect of which the Licensee, as an authorized entity, is fully entitled to download data and reuse them in whole or in substantial part, in quality or in quantity, without any restrictions.
4. The Licensee may, without the Licensor’s consent, make one backup copy of the System for archival purposes. This backup copy may not be used concurrently with the System. These provisions do not affect the Licensee’s rights under Article 75 of the Copyright Law. For the avoidance of doubt, the Parties confirm that this provision does not apply to the Patient/Client Database, in respect of which the Licensee, as an authorized entity, is fully entitled to download data and reuse them in whole or in substantial part, in quality or in quantity, without any restrictions.
5. Moving the System to a server other than the Server is possible only with the consent and participation of the Licensor with the intention of “replacement”; after moving the System, the Parties completely remove the System from the first server.
6. The Licensee is not authorized to sublicense or give the System or Manual for use to any third party on the basis of any legal title, except that this provision does not apply to Users and Patients/Clients who use the System in accordance with the Agreement, whereby both the Patient/Client and the User are obliged to accept the terms of the CarnaLife Lite User Licence Agreement (in the case of the Patient/Client) and the CarnaLife System User Licence Agreement (in the case of the User).
7.
The Licensee may not circumvent the limitations and technical safeguards of the System by any means.
8. The Licence is granted only within the scope of the activities of the Chain. Making the System available to another facility within the Chain requires an amendment to the Agreement and may involve a change in the amount of the Remuneration. The use of the System by more facilities than specified in Attachment 1 constitutes a breach of the Agreement.
9. Any behaviour fulfilling the prerequisites specified in Sections 3–8 will be treated as a gross breach of the Agreement and a valid reason for termination of the Agreement in accordance with the provisions of § 6 hereof.
10. If the Licensee breaches any of the Licence terms set forth in Sections 2–8 above, the Licensor may demand that the Licensee pay liquidated damages in the amount of PLN 10,000 (ten thousand) for each breach. The Licensor’s right to claim liquidated damages does not preclude the possibility of claiming damages in excess of the liquidated damages in order to rectify the damage incurred. The liquidated damages will be payable within 7 days of delivery of the debit note to the Licensee.

§ 4. Implementation

1. The Licensor will make the System available to the Licensee on the date agreed by the Parties, but no later than within 14 days of the date of entering into the Agreement by the Implementation of the System on the Server, creating an Administrator account and enabling the Licensee to create User and Patient/Client accounts along with diversified authorizations for each type of User and Patient/Client, and providing the Manual. The fee for Implementation is specified in the Price List.
2. The Licensor will train the persons indicated by the Licensee in System functionalities. The Licensee should read the Manual prior to the training.
3. Training time will be no more than 2 clock hours per User as requested by the Licensee for each facility (“Limit”).
The number of Users within the Limit is set forth in the Price List. The training sessions will take place according to the schedule agreed by the Parties. The training can take place onsite in the facility or remotely using remote communication applications.
4. The Remuneration for training conducted outside the Limit is specified in the Price List. The Remuneration is payable on the basis of a VAT invoice issued to the Licensee covering a monthly settlement period, i.e. all training sessions held within a given month, issued on the last working day of the month. The Remuneration will be payable within 14 days of delivery of the VAT invoice to the Licensee. The date of payment of the Remuneration will be the date on which the Remuneration is credited to the account of Licensor. Along with the VAT invoice, the Licensor will send a summary of the conducted training sessions: the facility, the number of hours and the date of the training.
5. The Parties agree that the completion of the Implementation will be confirmed by them in the form of a document.

§ 5. Maintenance, technical support and assistance

1. During the Agreement, the Licensor will provide the Licensee with support and technical assistance as described below (hereinafter referred to as “Maintenance”).
2. Within the scope of the Maintenance, the Licensor undertakes to remove Faults by restoring the proper operation of the System.
3. MedApp undertakes to provide maintenance services consisting in ongoing maintenance to the extent necessary to maintain and operate the System in order to achieve the objectives specified in the subject matter of the Agreement.

Type of Fault | Required Repair Time
Failure | 4 working days after the delivery of the notification
Error | 9 working days after the delivery of the notification

4.
The Repair Time specified in Section 3 does not include the time for verification or validation of changes made in connection with the repair of a Fault by the manufacturer or entities acting on behalf of the manufacturer of the operating system used by the Licensee or Users.
5. Maintenance does not cover troubleshooting or restoration of proper operation of the System due to improper use of the System or use of the System inconsistent with the Agreement or Manual or other reasons attributable to the Licensee or due to malfunction or lack of operation of the Server service.
6. The Licensee may instruct the Licensor to debug or restore the System as described in Section 5 above as part of its technical support service against additional Remuneration (“Technical Support”). Technical Support will be performed by the Licensor or third parties on behalf of the Licensor and upon the Licensee’s express request as well as upon the Licensee’s acceptance of the cost or preliminary estimate.
7. The Licensor’s remuneration for Technical Support is specified in the Price List. The Remuneration referred to in the previous sentence is payable on the basis of a VAT invoice issued to the Licensee covering a monthly settlement period, i.e. the completed Technical Support provided within a given month, whereas the VAT invoice is issued on the last working day of the month. The Remuneration will be payable within 14 days of delivery of the VAT invoice to the Licensee. The date of payment of the Remuneration will be the date on which the Remuneration is credited to the account of Licensor. Along with the VAT invoice, the Licensor will send a summary of the completed Technical Support: the facility, the number of hours and the date of Technical Support.

§ 6. Licence term. Duration of the Agreement

1.
The Agreement is valid from the moment of its signing for the whole Licence term, subject to the provisions of § 8–10 and § 12 of the Agreement, which are valid also after termination or expiration of the Agreement. The Licence is granted for a definite period, i.e. for 12 (twelve) months starting from the date of System Implementation (“First Settlement Period”). The Licence will be renewed for a further period of 12 months (“Subsequent Settlement Period”) unless either Party notifies the other Party in writing at least 2 weeks before the end of the First Settlement Period that it is not renewing the Licence for a Subsequent Settlement Period. The above applies to each Subsequent Settlement Period. After 5 years from System Implementation, the Licence will be automatically renewed for an indefinite period, and each Party will have the right to terminate this Agreement at 12 months’ notice. The aforementioned Licence term will be treated as a Subsequent Settlement Period.
2. The Licensor may terminate the Agreement with immediate effect, i.e. as of the date of submission of the termination notice to the Licensee in writing, in the following cases:
a) The Licensee uses the System contrary to the law or this Agreement, including but not limited to cases of gross violation of the Agreement,
b) The Licensee uses the System for activities that violate the law or the principles of community life,
c) The Licensee is more than 30 days in arrears with the payment of the Remuneration,
d) The Licensee will assert civil-law claims against the Licensor in proceedings before a common court of law,
e) The Licensor will be unable to continue to perform the Agreement for reasons beyond the Licensor’s control, including force majeure, commencement of liquidation or declaration of bankruptcy.
3.
The Agreement may be terminated as a result of the circumstances set out in Sections 2(a)–(b) above after a prior written request of the Licensee to remove the indicated (described) violations and after granting the Licensee an additional 30-day period to cease the violations.
4. The Agreement may be terminated as a result of the circumstances referred to in Sections 2(c)–(d) above after a prior written request of the Licensee to remove the indicated (described) violations and after granting the Licensee an additional 14-day period to do so.
5. The termination of the Agreement due to the circumstances described in Section 2 above does not relieve the Licensee of its obligation to settle any amounts due to the Licensor under this Agreement, in particular the Remuneration, and the Licensor will not be obliged to return to the Licensee the Remuneration that has already been collected.
6. The Licensee has the right to terminate the Agreement with immediate effect, i.e. as of the date of submission of the termination notice to the Licensor in writing, in the event of gross violations of the Agreement by the Licensor, provided that the Licensor has first been requested to cease such gross violations within 14 days of being served with such request.
7. In the event of termination or expiration of this Agreement, the Licensor will deactivate the access of the Licensee, its Administrator, Users and Patients to the System. In such a case, CarnaLife Lite and CarnaLife System will not interact with the System or be able to retrieve data from the Licensor’s Database or Patient/Client Database through the System, subject, however, to the provisions of this Section and § 8 below.

§ 7. Remuneration and payment terms

1. The Licensor will be entitled to the Remuneration specified in the Price List from the Licensee for granting the Licence and for the provision of additional services to the Licensee as specified in the Agreement.
After the end of the first 6 months of the Agreement, the Licensor may amend the Price List by sending the Licensee a written statement of the amendment to the Price List at least 3 months in advance (“Information”). If the Licensee does not accept the new Price List, the Licensee may, within one month of receiving the Information, terminate this Agreement effective as of the expiration of the three-month period from the date of receipt of such Information by sending the Licensor a written statement. If no notice of termination is served by the Licensee, the new Price List will become effective and binding upon the Parties 3 months after the date of receipt of the Information by Licensee.
2. The Remuneration indicated in this Agreement is net remuneration, which should be increased by the appropriate amount of the value added tax (VAT).
3. The Licensee hereby represents that it is a VAT payer and authorizes the Licensor to issue VAT invoices without the Licensee’s signature.
4. VAT invoices issued by the Licensor will be sent electronically to the following email addresses: [●].

§ 8. Use of Patient/Client Database

1. During the Agreement (validity of the Licence), subject to the provisions of the Data Processing Agreement, the Licensor is entitled to use the Patient/Client Database free of charge and without territorial restrictions to the full extent for the purposes of providing Maintenance and Technical Support Services. In particular, the Licensor is entitled to download data, reuse them in whole or in substantial part, either in quality or in quantity, copy and process them – with the proviso, however, that any Patient data downloaded by the Licensor other than the backup copy of the Patient/Client Database and the copy of the System, as well as within the scope of the Maintenance and Technical Support Services used by the Licensee will be anonymized as of the date of their entry.
2.
After termination or expiration of the Agreement, the Licensor is entitled to use the anonymized data (preventing the identification of a specific Patient/Client) within the Patient/Client Database for its own purposes, including the development of the System and improvement of its functionality, free of charge, without time and territorial restrictions. In particular, the Licensor is entitled to retrieve anonymized data, to reuse them in whole or in substantial part, either in quality or in quantity, to copy and to process the data. The Licensor declares that it is aware that its possible use of non-anonymized data will constitute a breach of the law unless the Licensor has another legal title to collect and process the data. At the same time, the Licensor indicates that by downloading the Application and accepting the licence terms and conditions of the Application, the Patients agree that MedApp may use the anonymized data entered into the System in accordance with the provisions above.
3. The Licensee is obliged to ensure that the Licensor is able to use the Patient/Client Database in accordance with Sections 1 and 2. The Licensee waives the right to revoke the rights granted to the Licensor under Sections 1 and 2 above.
4. In particular, the Licensee is obliged to have a legal basis for processing Patients’ data, including for the purpose of providing services to Patients/Clients by the Licensee. The Licensor is obliged to properly secure the integrity of the data in the Patient/Client Database against unauthorized access by third parties.
5. In the event of termination or expiration of the Agreement, the Licensor will, at the request of the Licensee, make a backup copy of the Patient/Client Database and transmit it encrypted and secured against unauthorized access within 7 days of termination or expiration of the Agreement in a form agreed by the Parties.
The Licensee is obliged to pay the Licensor the Remuneration for making a backup copy of the Patient/Client Database in accordance with the Price List. The Remuneration will be payable within 14 days of delivery of the VAT invoice to the Licensee. The date of payment of the Remuneration will be the date on which the Remuneration is credited to the account of Licensor.

§ 9. Business secrecy. Confidential information

1. The Parties agree that for the purposes of this Agreement, the concept of business secret or confidential information includes any information, regardless of its form of expression or the carrier/medium on which it is recorded, related to or obtained in connection with the conclusion or performance of this Agreement or any other agreement entered into in performance of the Agreement, or which is marked as confidential or the confidential nature of which is known to the receiving Party or the receiving Party could reasonably consider the confidential nature of the information to be known, including, but not limited to, information related knowledge, know-how, financial, commercial, technical information, including System information or the Licensor’s Database, operational, public relations information, as well as studies, analyses and plans relating to the Parties’ business, the contents of the Agreement, and all other information except that which, at the time of disclosure or transfer to the other Party, is clearly identified as information not being Business Secret or is generally known. For the avoidance of any doubt, the Parties unambiguously declare that the business terms and conditions of this Agreement as well as all information regarding the System, CarnaLife Lite and CarnaLife System (principles of their operation, principles of their interaction not available to the public) are business secrets of the Licensor and cannot be disclosed to third parties.
2.
The Parties undertake to comply with the provisions of the Act of 16 April 1993 on combating unfair competition in respect of maintaining the business secrecy of the other Party, and in particular to maintain the secrecy of information covered by business secrecy that was entrusted to them by the other Party or obtained in connection with performance of the Agreement, to process the information provided exclusively for the purpose for which it was entrusted to them, to protect it against unauthorised access or loss, and not to disclose or transfer such information to any third party without an express, prior consent of the other Party, expressed in writing. 3. The obligation of confidentiality also extends to all collective works, compilations, studies and other documents to the extent that they contain or are based on any information covered by business secrecy. 4. The Parties also agree that in the event that any of them acts in relation to other parties involved in or related to the performance of the Agreement or any third parties, also in the capacity of an attorney of a party, information covered by business secrecy or constituting confidential information will be provided to such third parties in compliance with the provisions of Sections 1–3. The Parties are entitled to communicate information within the confidentiality obligation to their advisers and contractors provided that they are bound by a respective obligation to keep the said information confidential; however, the Parties are liable for their acts and omissions as for their own. 5. The confidentiality obligation applies throughout the term of the Agreement as well as for a period of 5 years after its termination or expiration for any reason. 6. 
The aforementioned obligation does not concern information which: a) has been made publicly available in a way that does not constitute a breach hereof; b) is known to the Party from other sources, without the obligation to keep it confidential, and without a breach hereof. 7. The Parties are entitled to communicate information within this confidentiality obligation: a) to competent state authorities on the basis of applicable legal regulations, or b) in performance of the reporting obligations imposed on them under the applicable regulations. 8. The Licensor emphasizes that, as a publicly traded company, it is subject to a number of reporting obligations towards other participants of the capital market arising from applicable regulations, including in particular the obligation to report to the Electronic Information Transfer System ESPI. Compliance with reporting obligations is not a violation by Licensor of the confidentiality rules detailed in this section. 9. In the event of a breach by either Party of its confidentiality obligation, it will pay the other Party liquidated damages of PLN 10,000 (say: ten thousand zlotys) for each breach. The Party’s right to claim liquidated damages does not preclude the possibility of claiming damages in excess of the liquidated damages in order to rectify the damage incurred. The liquidated damages will be payable within 7 days of delivery of the debit note to the Party obliged to pay the liquidated damages. 10. During the Agreement, as well as within 12 months of its termination or expiration, the Licensee agrees not to undertake any actions aiming to create or develop functionalities in line with the System within the scope of: a) algorithms that analyze biomedical data, b) an application based on artificial intelligence, c) an application that uses ECG signal analysis. 
In the event of any breach of the aforementioned obligation, the Licensee is obliged to pay the Licensor liquidated damages in the amount of PLN 10,000 (say: ten thousand zlotys) for each case of breach, payable within 7 days of receiving the debit note. The obligation to pay liquidated damages does not limit the Licensor’s right to claim from the Licensee the compensation for the damage in the full amount in excess of the liquidated damages, including lost opportunity costs. § 10. Protection of the Parties’ signage, including trademarks 1. The Parties agree to place their names, verbal and figurative signs and logotypes (as specified in Attachment 3 to the Agreement) in reference and marketing materials related to the cooperation of the Parties under this Agreement, after prior agreement on the details of such publications, during the Agreement. 2. The verbal and figurative sign of the System, i.e. “CarnaLife Lite” and “CarnaLife System” as well as “MedApp” are protected by law, including the protection of copyright and industrial property rights. The Licensee’s violation of the Licensor’s rights in the foregoing constitutes a gross breach of this Agreement. 3. During the Agreement, the Licensee is obliged to indicate: a) on the websites maintained for individual facilities the information on its cooperation with the Licensor, and b) cooperation at the facilities themselves, by marking at least the entrance door/hallway to the facility with a prominent notice with the following content: “[facility/Chain name] uses the CarnaLife System telemedicine application” along with the “CarnaLife System” trademark as set forth in Attachment 3. § 11. Liability 1. The Licensor declares and the Licensee acknowledges that the System provides diagnostic support for assessing the health or wellbeing of the Patient/Client and does not constitute a medical service. 
The Licensor definitely does not provide medical services, neither to the Licensor, nor to Patients/Clients, and the correct analysis or diagnosis of any data concerning the Patient/Client requires consultation with a medical specialist, an analysis of strictly medical nature or consultation with another specialist. The system is a tool supporting communication between the User and the Patient/Client as well as supporting the diagnosis of the Patient’s/Client’s diseases; however, it cannot replace medical consultation with a physician or another specialist or the diagnostic process. 2. The system is not a substitute for professional medical or psychological counselling, diagnosis, treatment or emergency intervention. The System does not diagnose the medical/health condition of the Patient/Client, and the responsibility for the diagnosis/analysis of the health and actions taken towards the Patient/Client will be borne by the Licensee within the scope of the services provided to the Patient/Client, including medical services or any injuries that the Patient/Client may suffer as a result of decisions made on the basis of information presented or displayed via the System. 3. The Licensee is fully responsible for the use of this System towards Patients/Clients and Users. The Licensor will not be liable for the accuracy of the data placed in the Patient/Client Databases by Patients/Clients, Users or other persons acting for and on behalf of or at the request of the Licensee unless the inaccuracy of the data placed in the Patient Database results from reasons attributable to the Licensor that are beyond the control of the Licensee. 4. 
The Licensee acknowledges that the System is a computer program, a work as defined by the Copyright Law, and a database, the functioning of which is influenced by a number of factors requiring the coexistence of the computer program/work with other computer programs, computer component drivers, internet browsers, other devices including computer networks or telecommunications operators’ infrastructure. 5. The Licensee acknowledges that there may be circumstances affecting the operation of the System that are beyond the Licensor’s responsibility, which cannot be fully investigated, and the malfunction of the System cannot be prevented. 6. To the extent permitted by the applicable law, the Licensor will not be held liable for any damage arising from the use of the System by the Licensee, Users or Patients/Clients as a result of using the System in accordance with the Licence, and in particular will not be held liable for the suitability of the System for the business conducted by the Licensee, including the provision of medical services. 7. The Licensor will not be held liable for any damage caused by improper or inconsistent use of the System, as well as the use of the System by unauthorized persons without the skills or knowledge regarding the use of the System or resulting from tampering with the System. 8. The Licensor will not be held liable for the accuracy of the data entered into the System by the Licensee, Users or Patients, as well as for the accuracy of the results of calculations performed with the use of these data unless the inaccuracy of the data results from reasons attributable to the Licensor that are beyond the control of the Licensee. 9. Within the limits permitted by generally applicable law, the Licensor’s liability towards the Licensee will in no event exceed half of the amount of the Remuneration received during the Agreement. The Licensor’s liability does not include lost opportunity costs. 10. 
The above limitations do not apply to damage caused by wilful misconduct. § 12. Personal data protection 1. In order to perform the Agreement, each Party may process personal data of the other Party (if it is a natural person), representatives of the other Party, its employees and associates, which may take place in particular on the occasion of conducting correspondence, making settlements, including by entering them into the accounting system, issuing invoices or debit/credit notes, and in the event of failure to obtain payment by transferring the necessary data to entities representing the Party in the pursuit of claims arising from the concluded Agreement. 2. Each Party undertakes to provide the persons referred to in Section 1 with the other Party’s privacy notice. The Parties’ privacy notices are Attachments 4 and 5 hereto. 3. The processing of personal data in the form of an email address mutually provided by the Parties may also be used to send information of a commercial nature provided that the natural person using the email address has previously given their consent required by applicable law to receive such commercial information. 4. The data processing agreement for the personal data of Patients/Clients and Users by the Licensee, including the Administrator on the part of the Licensor constitutes Attachment 6 hereto. § 13. Transfer of rights and obligations 1. The Licensor is entitled to transfer its rights and obligations under this Agreement without the consent of the Licensee. 2. The Licensee is entitled to transfer its rights and obligations under this Agreement upon the written consent of the Licensor. § 14. Notifications 1. 
All representations, declarations, notices, notifications, instructions and other information exchanged between the Parties (“Notices”) hereunder will be made in writing under pain of nullity unless the Agreement expressly indicates another form for a given act, and will be drawn up in the Polish language and delivered to the addressee personally against a written acknowledgement of receipt, or by courier (messenger) against a written acknowledgement of receipt, or sent by registered mail or registered letter against an acknowledgement receipt to the addresses set out in the recitals of the Agreement. 2. For the purposes of the Agreement, Notices will be deemed delivered on the following dates: a) on the date of delivery if the delivery is effected in person; b) on the date of confirmation of delivery by courier; c) on the date of the acknowledgement of receipt; d) on the date of the refusal to collect the Notice; e) upon the expiry of the advice note for the Notice. 3. Each of the Parties may change its address for service by way of a written notification sent to the other Party, which does not constitute an amendment to the Agreement, and the change of the address for service towards a given Party will be effective from the first working day following the day of delivery of such notification to a given Party and provided that the new address for service is located in the territory of Poland. 4. The Licensee hereby consents to the Licensor sending commercial information to the following email address: ___________________ . § 15 Final provisions 1. The Parties will work in good faith to resolve amicably any disputes that may arise out of the Agreement or its interpretation. The above provision is not synonymous with an arbitration clause. 2. All supplements or amendments hereto will be held invalid unless made in writing. 3. In matters not covered by this Agreement, the provisions of law shall apply, in particular the Act of 23 April 1964 – The Civil Code (i.e. 
Polish Journal of Laws [Dz.U.] of 2019 item 1145 as amended) and Copyright Law. 4. This Agreement has been drafted and executed in two counterparts, one for each Party. 5. The Attachments form an integral part of the Agreement.

For the Licensor: For the Licensee: ______________________________ Krzysztof Mędrala – President of the Management Board ______________________________ ______________________________

Attachment 1 – List of facilities being part of the Chain

LOCATION 1 -
LOCATION 2 -
LOCATION 3 -

The Parties agree that the Licensee may, but is not required to, activate all of the above LOCATIONS. The fact of not activating any of the Locations does not entail the reduction of Remuneration. The Licensee will indicate in writing or via email which LOCATIONS are to be active at any given time during the term of the Agreement. However, at least one LOCATION must always be active.

For the Licensor: For the Licensee: ______________________________ Krzysztof Mędrala – President of the Management Board ______________________________ ______________________________

Attachment 2 – Price List

NET MONTHLY REMUNERATION DUE TO THE LICENSOR ON ACCOUNT OF THE LICENCE FEE FOR THE SYSTEM (FIXED FEE)

PLN [ ● ] ([ ● ]) net for each month of the First Settlement Period, payable by bank transfer to the Licensor’s bank account indicated in the VAT invoice within 14 days of delivery to the Licensee of a VAT invoice issued on the first day of each month of the First Settlement Period.

PLN [ ● ] ([ ● ]) net for each month of the Subsequent Settlement Period, payable by bank transfer to the Licensor’s bank account indicated in the VAT invoice within 14 days of delivery to the Licensee of a VAT invoice issued on the first day of each month of the First Settlement Period.

Each monthly settlement period is equal to a calendar month. If a given settlement period is not equal to a calendar month, the fee is calculated on a pro rata basis.
NET MONTHLY REMUNERATION DUE TO THE LICENSOR ON ACCOUNT OF THE LICENCE FEE RELATED TO THE CREATION OF USER/PATIENT ACCOUNTS AND THE LAUNCH OF ADDITIONAL LOCATIONS (VARIABLE FEE) – payable by bank transfer to the Licensor’s bank account indicated in the VAT invoice, within 14 days of delivery to the Licensee of the VAT invoice issued on the first day following the end of each month within each (First and Subsequent) Settlement Period.

ADDITIONAL LOCATION | PLN 1,000 | For each additional location not listed in Attachment 1
USER ACCOUNT | PLN 0 | Per package of 3 (three) User Accounts of the type: physician, nurse, administrator, receptionist or technician (accounts created by the Licensee are counted)
USER ACCOUNT | PLN 250 | For the 4th (fourth) and each next User Account of the type: physician, nurse, administrator, receptionist or technician (the Accounts of active Users in a given month being the settlement period are counted; an active User is understood as a User who has logged into the System at least once)
PATIENT ACCOUNT | PLN 0 | Per package of one hundred (100) Patient Accounts (accounts created by the Licensee are counted)
PATIENT ACCOUNT | PLN 1 | For the 101st (one hundred and first) and every next created Patient Account (Accounts of active Patients in a given month being the settlement period are counted; an active Patient is understood as a Patient who has logged into the System at least once)

NET MONTHLY REMUNERATION DUE TO THE LICENSOR ON ACCOUNT OF THE VIDEO CONSULTATIONS CONDUCTED BY THE USERS – payable by bank transfer to the Licensor’s bank account indicated in the VAT invoice, within 14 days of delivery to the Licensee of the VAT invoice issued on the first day following the end of each month within each (First and Subsequent) Settlement Period.
ACTIVITY | NET PRICE | DETAILS
VIDEO CONSULTATIONS | PLN 200 | For a package of one hundred video consultations of standard duration (in accordance with the consultation time assumed by the User)

THE LICENSOR’S REMUNERATION ON ACCOUNT OF OTHER TITLES SPECIFIED IN THE AGREEMENT

ACTIVITY | NET PRICE | DETAILS
ONLINE OR ONSITE TRAINING PROVIDED AT NO EXTRA COST “LIMIT” | PLN 0.00 | for 3 Users, for each User 2 hours of training
ONLINE TRAINING | PLN 200.00 | For each commenced 1h of training, for Users exceeding the Limit or next training for Users trained within the Limit
ONSITE TRAINING | PLN 400.00 | For each commenced 1h of training, for Users exceeding the Limit or next training for Users trained within the Limit
TECHNICAL SUPPORT | PLN 400.00 | For each commenced 1h of activities performed as part of Technical Support
MAKING A BACKUP COPY OF THE PATIENT DATABASE | PLN 1,000.00 | One-off fee
MAKING A BACKUP COPY OF THE PATIENT DATABASE | PLN 0.00 | Where the Agreement will be valid for at least 18 months
SYSTEM IMPLEMENTATION FEE | PLN 0.00 | One-off fee

For the Licensor: For the Licensee: _____________________________ Krzysztof Mędrala – President of the Management Board ______________________________ ______________________________

Attachment 3 – Logotypes Signage

Logotypes and Signage belonging to the Licensor:
Logotypes and Signage belonging to the Licensee:

For the Licensor: For the Licensee: ______________________________ Krzysztof Mędrala – President of the Management Board ______________________________ ______________________________

Attachment 4 – The Licensor’s GDPR Privacy Notice

Data Controller
The Data Controller is MEDAPP S.A. with its registered office in Kraków, 31-514 Kraków, ul. 
Władysława Beliny Prażmowskiego 60, NIP [Tax ID]: 7010264750, REGON [Statistical ID]: 142641690, KRS [National Court Register] number 00000365157, whose registration documents are kept by the District Court for Kraków-Śródmieście in Kraków, 11th Commercial Division of the National Court Register, with fully paid-up share capital of PLN 23,919,094.30 PLN, hereinafter referred to as MEDAPP. Purpose of and basis for the processing of personal data Personal data of contractors’ representatives (including, without limitation, employees and associates of contractors) will be processed for the following purposes: • contact, including for the purpose of establishing and maintaining business contacts and ensuring the performance of agreements entered into with contractors (pursuant to Article 6(1)(f) of the GDPR* – the legitimate interest of the data controller, which is to ensure contact with the contractor and ensure the performance of agreements entered into with Contractors) • fulfilment of obligations arising from applicable laws (in particular resulting from the Accounting Act and the VAT Act) (pursuant to Article 6(1)(c) of the GDPR* – processing is necessary to fulfil a legal obligation imposed on the data controller) • [where appropriate consent has been given] sending commercial information to the indicated e-mail address (pursuant to Article 6(1)(a) of the GDPR* – the consent you have given) • defence against claims as well as establishing and pursuing claims (pursuant to Article 6(1)(f) of the GDPR* – the legitimate interest of the data controller in establishing and pursuing claims, and defending claims) Source of data | Voluntary / mandatory provision of data Your personal data were obtained directly from you or from your employer/principal. If the data are collected directly from you, their provision is voluntary; however, the data must be provided to execute/perform an agreement between your employer/principal and MEDAPP. 
Data recipients The data may be made available to entities authorized by law. Access to the data on the basis of relevant agreements may also be granted to entities supporting MEDAPP within the scope of IT services (in particular, hosting providers) and other entities supporting MEDAPP in connection with the fulfilment of the purposes described in the paragraph “Purpose of and basis for the processing of personal data” (in particular couriers or external auditors). Storage period The personal data of contractor representatives will be stored until the purposes specified in the paragraph “Purpose of and basis for the processing of personal data” are fulfilled and then for the period required by law/until the claims expire. Data protection rights You have the right, as applicable, to the following: • the right to request access to, rectification of and erasure of personal data as well as the right to data portability, the right to limitation on data processing • the right to withdraw your consent at any time (if given). Withdrawal of your consent does not affect the lawfulness of processing carried out on the basis of the consent before its withdrawal. • the right to object to the processing of your personal data • the right to lodge a complaint with a supervisory authority (PUODO – President of the Personal Data Protection Office). Contact point All inquiries and statements regarding the above rights should be addressed as follows: Contact details of the data controller: MEDAPP S.A with its registered office in Kraków, 31-514 Kraków, ul. 
Władysława Beliny Prażmowskiego 60 E-mail: biuro@medapp.pl Contact details of the data protection officer: E-mail: iodo@medapp.pl * - GDPR = REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL OF 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) For the Licensor: For the Licensee: ______________________________ Krzysztof Mędrala – President of the Management Board ______________________________ ______________________________   Attachment 5 – The Licensee’s GDPR Privacy Notice For the Licensor: For the Licensee: ______________________________ Krzysztof Mędrala – President of the Management Board ____________________________ ____________________________   Attachment 6 – Data Processing Agreement (“Agreement”) entered into on [●] by and between: MEDAPP S.A with its registered office in Kraków, 31-514 Kraków, ul. Władysława Beliny Prażmowskiego 60, NIP [Tax ID]: 7010264750, REGON [Statistical ID]: 142641690, KRS [National Court Register] number 00000365157, whose registration documents are kept by the District Court for Kraków-Śródmieście in Kraków, 11th Commercial Division of the National Court Register, with fully paid-up share capital of PLN 23,919,094.30 PLN, represented by: - Krzysztof Mędrala – President of the Management Board, hereinafter referred to as “MedApp” or “Licensor” and [●], address: [●], [●], NIP [●], REGON [●], whose registration documents are kept by the District Court in [●], [●] Commercial Division of the National Court Register, KRS number [●], with fully paid-up share capital of PLN [●]; represented by [●] - [●], hereinafter referred to as “Data Controller” referred to individually as the “Party” and collectively as the “Parties”. 1. 
Definition and interpretation The following terms and phrases used in this Agreement will have the following meanings, unless otherwise indicated and unless the context otherwise requires: 1.1. “Processing” has the meaning given in Article 4(2) of the General Data Protection Regulation, 1.2. “General Data Protection Regulation” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, 1.3. “Data Protection Law” means the laws and regulations governing the processing of personal data in the country where the processor provides services, 1.4. “Data Subject” means an identified or identifiable natural person who uses the Services in any scope and whose Personal Data are processed as part of the Services, 1.5. “Personal Data” has the meaning given in Article 4(1) of the General Data Protection Regulation, 1.6. “Services” means the subject matter of the Master Agreement, 1.7. “Data Subprocessing Agreement” and “Subprocessing” means the process by which Processor engages a third party to perform Processing on the Processor’s behalf, 1.8. “Subprocessor” means a third party entrusted with the processing of Personal Data within the scope of Subprocessing, 1.9. “Technical and Organizational Security Measures” means measures designed to protect Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access and any other unlawful forms of processing so that it can be demonstrated that the Processing is carried out in accordance with the applicable Data Protection Law and the General Data Protection Regulation, 1.10. “Software” means the System as defined in the Master Agreement, 1.11. “Master Agreement” means the agreement concerning the Software, entered into by the Parties on [●], 1.12. 
“CarnaLife Lite” means the CarnaLife application created for Patients as a module of the Software, permitting communication between the Patient and the User, including automatic sending of saved Examination results by the Patient to the Licensee, 1.13. “Database” means the Patient/Client Database as defined in the Master Agreement. Terms not defined above and which are defined in the Master Agreement shall have the same meaning under the Agreement. 2. Description of processing 2.1. The Data Controller declares that it is the controller of personal data of Patients/Clients, for whom the Controller provides certain services, and Users, and has full rights to their processing, including their further entrustment. The Data Controller entrusts the Processor to process: - Patients’/Clients’ personal data placed in the Database as a result of being entered by the Data Controller or persons acting for or on behalf of the Data Controller, including medical personnel and physicians, or entered by Patients/Clients through CarnaLife Lite, - personal data of Users (trainers, psychologists, physicians, medical staff), to the extent necessary to perform the Master Agreement. 2.2. The purpose of this Agreement is to set out the terms and conditions for the Processing by the Processor of Personal Data provided to it for Processing by the Data Controller. 2.3. The Parties agree that in providing the Services, the Data Controller will process Personal Data in order to provide the Services, i.e. to process the relevant Personal Data of Data Subjects and make them available remotely, and to ensure the proper functioning of equipment, technology and infrastructure required to provide the Services, by means of, i.a., periodic maintenance, incident response, troubleshooting and technical support for the Controller and Data Subjects, including Patients/Clients. 2.4. 
The Data Controller entrusts the Processor with the processing of the following Personal Data:
(a) In terms of the Client’s Patient:
i. Personal data: first and last name(s), age, date of birth, address of residence, personal identification number PESEL, telephone number, email address, data to contact persons (their first and last names, telephone number, email address);
ii. Patient’s/Client’s consultation data, data concerning Patient’s/Client’s payments, information about which devices compatible with the System the Patient / Client uses;
iii. Data concerning the Patient’s health, in particular:
- Medication taken;
- Past medical history;
- ECG;
- Spirometry;
- Pulse oximetry;
- Body temperature;
- Weight;
- Height;
- Weight including body composition analysis;
- Sugar levels;
- Blood pressure;
- Blood saturation;
- Glycemic levels;
- Monitoring water/calorie intake throughout the day;
- Analysis of weight and body composition;
- Results of the following tests: CT, MRI, hearing test, CTG, dermatology tests;
- Lab tests: cholesterol, blood count, urine;
- Other test results, including laboratory and imaging tests and examinations;
- Patient’s wellbeing;
(b) With regard to the User: first and last name(s), personal identification number PESEL, telephone number, email address, address of residence, licence to practise medicine PWZ.
2.5. The subject of data processing entrusted to the Processor by the Data Controller will be:
(a) storage of Personal Data on the Server;
(b) aggregation and processing of Personal Data to the extent necessary to ensure the correct presentation and distribution of such data within the Software;
(c) transmission of Personal Data from devices owned by Patients;
(d) taking the actions specified in the Master Agreement;
(e) deletion of Personal Data.
3. Obligations of the Processor 3.1. 
The Processor will only process Personal Data for the above purposes and in accordance with generally applicable law and the requirements of the relevant data protection authority, if applicable. 3.2. The Processor will process the data only in accordance with the documented instructions or directions of the Data Controller. Documented instructions/directions should be understood as, in particular, data processing activities requested under this Agreement and the Master Agreement, as well as in other documented ways (in particular in writing/via email). 3.3. The Processor will not disclose Personal Data Processed on behalf of the Data Controller, and will take all reasonable steps to ensure that Personal Data are Processed by reliable personnel authorized to Process Personal Data. The Processor will ensure that such persons undertake an obligation of confidentiality or are subject to an appropriate statutory obligation of confidentiality, including after the termination of the Agreement. 3.4. The Processor will take all measures required under Article 32 of the General Data Protection Regulation, including but not limited to pseudonymization, anonymization and encryption of data where appropriate. 3.5. The Processor will promptly assist the Data Controller in responding to requests from Data Subjects (including requests for access, rectification, erasure, restriction and portability of data, and other data protection related requests) or inquiries or complaints that may be made by Data Subjects and/or data protection authorities, and will promptly notify the Data Controller if the Processor receives the aforementioned request, inquiry or complaint in relation to Personal Data processed on behalf of the Data Controller. 3.6. Under no circumstances will the Processor disclose the Personal Data to any third party for any purpose other than as provided for in the Agreement. Disclosure may be made only as required by the Agreement or if required by applicable law. 
The Processor will comply with reasonable requests concerning the Personal Data of relevant employees and representatives of law enforcement agencies, judicial authorities, government administration bodies and offices, including competent data protection authorities. In any case, the Processor will notify the Data Controller of such a request, unless this is prohibited due to an obligation of confidentiality imposed by the aforementioned employee, representative, agency, body, office or service. 3.7. The Processor will notify the Data Controller without undue delay, but no later than 48 hours after becoming aware of a security breach that has resulted in an accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Personal Data transmitted, stored or otherwise processed in connection with the Services and will provide at least the information that would be required under the provisions of the General Data Protection Regulation. 3.8. The Processor will make available to the Data Controller all information necessary to demonstrate the Processor’s compliance with the obligations set out in Article 28 of the General Data Protection Regulation and will allow the Data Controller or a third party authorized by the Data Controller to carry out audits, including inspections, and will contribute to the said audits and inspections. The Processor will immediately inform the Data Controller if, in the Processor’s opinion, the instruction given to the Processor constitutes a breach of the General Data Protection Regulation or the Data Protection Law. The Data Controller may conduct an audit or inspection with prior notice of no less than five (5) business days prior to the scheduled audit or inspection, and only during the Processor’s normal business hours. 
If the need for an inspection or audit arises due to a culpable breach of the Agreement by the Processor, or due to recommendations or inspection of a state authority supervising personal data, the limitations indicated in this clause will not apply, and the Parties are obliged to immediately find an appropriate solution ensuring the implementation of the Data Controller’s rights under the Agreement or generally applicable laws. 3.9. The Processor will, taking into account the nature of the processing and the information available to the Processor, assist the Data Controller in complying with the duties and obligations set out in Articles 32 to 36 of the General Data Protection Regulation. 3.10. The Processor undertakes to assist the Data Controller by appropriate technical and organizational measures so that the Data Controller can fulfil its obligation to respond to requests from the Data Subject in exercising the Data Subject’s rights as set out in Chapter III of the General Data Protection Regulation. 3.11. 
The Processor guarantees the application of adequate technical and organizational measures (including, if applicable, all and any Technical and Organizational Security Measures as defined and required by the Data Controller) in order to protect Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access and any other unlawful forms of Processing so that it can be demonstrated that the Processing is carried out in accordance with the applicable Data Protection Law and the General Data Protection Regulation, including but not limited to: (a) protection against unauthorized access to personal data processing systems (physical access control), (b) securing systems processing personal data against unauthorized use (logical access control), (c) ensuring that persons authorized to use the system for processing Personal Data have access only to the Personal Data to which they have been authorized, in accordance with their access rights, and that during Processing or use and storage of Personal Data they may not be read, copied, modified or deleted without authorization (data access control); for the avoidance of doubt, the Parties agree that the process of managing Users’ authorizations is the responsibility of the Licensee, (d) ensuring that Personal Data cannot be read, copied, modified or deleted without authorization during electronic transmission, transport or storage on data carriers, and that those receiving any transfer of personal data through data transmission facilities can be identified and verified (data transmission control, including encryption), (e) ensuring that the system has the functionality to verify whether and by whom Personal Data have been entered or deleted, (f) ensuring that Personal Data are processed only in accordance with the Data Controller’s instructions (control of instructions), (g) ensuring that Personal Data is protected against accidental destruction or loss, and ensuring 
backup and continuity (availability control). 4. Obligations related to security Both Parties will take Technical and Organizational Security Measures, taking into account the nature of the Processed Personal Data and any security and confidentiality obligations. 5. Support 5.1. Each Party agrees to promptly inform the other Party of any investigation conducted by a data protection authority or other judicial or administrative body into the Processing of Personal Data carried out under the Agreement. 5.2. Nothing in the Agreement will prevent either Party from complying with legal obligations imposed by the data protection authority or other judicial or administrative bodies. To the extent permitted by law, each Party agrees to inform the other Party as soon as possible, in writing or in the form of a document (e-mail) using the following email addresses: ______ (for the Data Controller) and iodo@medapp.pl (for the Processor), of requests or instructions from a regulatory authority, data protection authority or any other judicial or administrative body. 6. Subprocessing 6.1. The Processor may engage Subprocessors to perform the Personal Data Processing tasks specified in the Agreement based on the Data Controller’s general consent. The Processor will provide the Data Controller with all relevant information related to planned changes regarding the establishment of new Subprocessors or replacement of the existing ones. The Data Controller will be entitled to object to the intended change of the Subprocessor within 3 working days of the date of notification of the intended change. The Data Controller will object in writing (to the Processor’s registered office address) or in the form of a document sent to the following email address: iodo@medapp.pl. If the Data Controller does not object within the time limit referred to in the preceding sentence, the Data Controller will be deemed to have approved the change. 6.2. 
At the time of signing the Agreement, the Processor uses the following Subprocessors, which the Data Controller agrees to use: (a) Microsoft Ireland Operations, Ltd., Microsoft Ireland Operations Limited, The Atrium Building Block B, Carmanhall Road Sandyford Business Estate, Dublin 18 (Use of Microsoft’s Azure server (located in the Netherlands) which hosts the Patient Database); (b) 4 B Sp. z o.o. with its registered office in Kraków, ul. Pachońskiego 5d/87, NIP: 6762470090, REGON: 122982939, entered in the Register of Businesses of the National Court Register maintained by the District Court for Kraków – Śródmieście in Kraków, 11th Commercial Division of the National Court Register, KRS no. 0000485534 (Use of Outsourcing IOD services). 6.3. The Processor complies with the terms of use of Subprocessors under the General Data Protection Regulation. In the course of Subprocessing, the Processor is obliged to provide sufficient guarantees to implement appropriate technical and organizational measures so that the Processing complies with the requirements of the General Data Protection Regulation. Entrusting the Processing of Personal Data does not involve the transfer of Personal Data to a third country. 7. Termination of the Data Protection Agreement 7.1. This Agreement will automatically terminate upon termination or expiration of the Master Agreement. 7.2. Upon termination, the Processor will return to the Data Controller or destroy all Personal Data in accordance with the Data Controller’s written instructions except when and to the extent that the Processor has a legal obligation to retain a copy of the Personal Data or the Processor processes Personal Data as the Data Controller. The Data Controller undertakes to inform the Processor of its decision regarding the Personal Data within 7 days from the date of termination of the Agreement. 
If the set time limit expires without the Data Controller communicating its decision, the Processor will be entitled to delete the entrusted Personal Data and copies thereof. Personal Data contained in backup copies of the Patient Database may be retained for a maximum of 3 months from the date of termination or expiration of the Master Agreement.

For the Processor:
______________________________
Krzysztof Mędrala – President of the Management Board

For the Data Controller:
______________________________
______________________________