GDPR
Learn more about our eClinical apps → Request a Demo

SureClinical GDPR Policy

SureClinical is committed to complying with the EU General Data Protection Regulations, effective May 25, 2018 (GDPR) for our Cloud application and platform services.  This GDPR policy is intended to  explain how SureClinical will be complying with GDPR with respect to its services involving the data of EU citizens or where such services are subject to the GDPR.  Per GDPR compliance definitions, SureClinical is a Data Processor.  As a data processor, we don’t access your data or records as this data is physically and electronically secured in our data centers.  Only customers can enter, view, modify, share or delete their Customer Personal Data.  SureClinical does not access any Customer Personal Data unless such access is specifically authorized and physically granted with a customer support request.  In these instances, customer support requests provide temporary access for the purpose of fixing or remediating a customer issue or for training. As a means of meeting the adequacy and security requirements of the GDPR, we are implementing the following GDPR policy, the terms and conditions of which (the Terms) will apply to the provision of services for a customer under the customer’s Master Services Agreement (MSA) with SureClinical.  The terms below will become effective on or after May 25 2018:

1. Introduction

These Terms govern the processing and security of Customer Data under the MSA per policies established under the GDPR.

2. Definitions

2.1 Capitalized terms used but not defined in these Terms have the meanings set out in the MSA. In these Terms, unless stated otherwise:

Additional Security Controls

Means security resources, features, functionality and/or controls that Customer may use at its option and/or as it determines, including the web or desktop client, and other features and/or functionality of the Services such as archive encryption, user activity logging, security settings and security policy monitoring, identity and access management, visibility rules and other security policies and settings available to the Customer.

Agreed Liability Cap

Means the maximum monetary or payment-based amount at which a party’s liability is capped under the MSA, either per annual period or event giving rise to liability, as applicable.

Alternative Transfer Solution

Means a solution, other than the Model Contract Clauses, that enables the lawful transfer of personal data to a third country in accordance with Article 45 or 46 of the GDPR (for example, the EU-U.S. Privacy Shield).

Audited Services

Means the Services indicated as being in-scope for the relevant certification or audited service compliance report as may be updated by SureClinical from time to time.

Customer Data

Has the meaning given in the MSA or, if no such meaning is given, means data provided by or on behalf of Customer or Customer End Users via the Services under the Account.

Customer End Users

Has the meaning given in the MSA or, if not such meaning is given, has the meaning given to “End Users” in the MSA.

Customer Personal Data

Means the personal data contained within the Customer Data.

Data Incident

Means a breach of SureClinical’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Data on systems managed by or otherwise controlled by SureClinical. “Data Incidents” will not include unsuccessful attempts or activities that do not compromise the security of Customer Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.

EEA

means the European Economic Area.

European Data Protection Legislation

Means, as applicable: (a) the GDPR; and/or (b) the Federal Data Protection Act of 19 June 1992 (Switzerland).

GDPR

Means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

SureClinical’s Third Party Auditor

Means a SureClinical-appointed, qualified and independent third party auditor, whose then-current identity SureClinical will disclose to Customer.

Model Contract Clauses

Or MCCs mean the standard data protection clauses for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection, as described in Article 46 of the GDPR.

Non-European Data Protection Legislation

Means data protection or privacy legislation other than the European Data Protection Legislation.

Notification Email Address

means the email address(es) designated by Customer in as System Administrators, captured in the User Management console, or in the Order Form or Ordering Document (as applicable), to receive certain notifications from SureClinical.

Security Documentation

Means all documents and information made available by SureClinical under Section 7.5.1 (Reviews of Security Documentation).

Security Measures

Has the meaning given in Section 7.1.1 (SureClinical’s Security Measures).

SOC 2 Report

Means a confidential Service Organization Control (SOC) 2 report (or a comparable report) on SureClinical’s systems examining logical security controls, physical security controls, and system availability, as produced by SureClinical’s Third Party Auditor in relation to the Audited Services.

SOC 3 Report

Means a Service Organization Control (SOC) 3 report (or a comparable report), as produced by SureClinical’s Third Party Auditor in relation to the Audited Services.

Subprocessors

Means third parties authorized under these Terms to have logical access to and process Customer Data in order to provide parts of the Services.

Term

means the period from the Terms Effective Date until the end of SureClinical’s provision of the Services, including, if applicable, any period during which provision of the Services may be suspended and any post-termination period during which SureClinical may continue providing the Services for transitional purposes.

Terms Effective Date

Means, as applicable: 25 May 2018, if Customer clicked to accept or the parties otherwise agreed to these Terms prior to or on such date; or The date on which Customer clicked to accept or the parties otherwise agreed to these Terms, if such date is after 25 May 2018. 2.2 The terms “personal data”, “data subject”, “processing”, “controller”, “processor” and “supervisory authority” as used in these Terms have the meanings given in the GDPR, and the terms “data importer” and “data exporter” have the meanings given in the Model Contract Clauses, in each case irrespective of whether the European Data Protection Legislation or Non-European Data Protection Legislation applies.

3. Duration of these Terms

These Terms will take effect on the Terms Effective Date and, notwithstanding expiry of the Term, will remain in effect until, and automatically expire upon, deletion of all Customer Data by SureClinical as described in these Terms.

4. Scope of Data Protection Legislation

4.1 Application of European Legislation. The parties acknowledge and agree that the European Data Protection Legislation will apply to the processing of Customer Personal Data if, for example: the processing is carried out in the context of the activities of an establishment of Customer in the territory of the EEA; and/or the Customer Personal Data is personal data relating to data subjects who are in the EEA and the processing relates to the offering to them of goods or services in the EEA or the monitoring of their behavior in the EEA. 4.2 Application of Non-European Legislation. The parties acknowledge and agree that Non-European Data Protection Legislation may also apply to the processing of Customer Personal Data. 4.3 Application of Terms. Except to the extent these Terms state otherwise, these Terms will apply irrespective of whether the European Data Protection Legislation or Non-European Data Protection Legislation applies to the processing of Customer Personal Data.

5. Processing of Data

5.1 Roles and Regulatory Compliance; Authorization. 5.1.1 Processor and Controller Responsibilities. If the European Data Protection Legislation applies to the processing of Customer Personal Data, the parties acknowledge and agree that: the subject matter and details of the processing are described in Appendix 1; SureClinical is a processor of that Customer Personal Data under the European Data Protection Legislation; Customer is a controller or processor, as applicable, of that Customer Personal Data under European Data Protection Legislation; and each party will comply with the obligations applicable to it under the European Data Protection Legislation with respect to the processing of that Customer Personal Data. 5.1.2 Authorization by Third Party Controller. If the European Data Protection Legislation applies to the processing of Customer Personal Data and Customer is a processor, Customer’s instructions and actions with respect to that Customer Personal Data, including its appointment of SureClinical as another processor, shall have been authorized by the relevant controller. 5.1.3 Responsibilities under Non-European Legislation. If Non-European Data Protection Legislation applies to either party’s processing of Customer Personal Data, the relevant party will comply with any obligations applicable to it under that legislation with respect to the processing of that Customer Personal Data. 5.2 Scope of Processing. 5.2.1 Customer’s Instructions.  SureClinical shall process Customer Personal Data only in accordance with applicable law: (a) to provide the Services; (b) as further specified via Customer’s use of the Services (including the Admin Console and other functionality of the Services); (c) as documented in the form of the MSA, including these Terms; and (d) as further documented in any other written instructions given by Customer and acknowledged by SureClinical as constituting instructions for purposes of these Terms. 5.2.2 SureClinical’s Compliance with Instructions. SureClinical will comply with the instructions described in Section 5.2.1 (Customer’s Instructions) (including with regard to data transfers) unless EU or EU Member State law to which SureClinical is subject requires other processing of Customer Personal Data by SureClinical, in which case SureClinical will inform Customer (unless that law prohibits SureClinical from doing so on important grounds of public interest) via the Notification Email Address.

6. Data Deletion

6.1 Deletion by Customer. SureClinical will enable Customer to delete Customer Data during the Term in a manner consistent with the functionality of the Services. If Customer uses the Services to delete any Customer Data during the Term and that Customer Data cannot be recovered by Customer, this use will constitute an instruction to SureClinical to delete the relevant Customer Data from SureClinical’s systems in accordance with applicable law. SureClinical will comply with this instruction as soon as reasonably practicable and within a maximum period of 180 days, unless EU or EU Member State law requires storage. 6.2 Deletion on Termination. On expiry of the Term, SureClinical shall delete all Customer Data (including existing copies) from SureClinical’s systems in accordance with applicable law. SureClinical will, after a recovery period of up to 30 days following such expiry, comply with this instruction as soon as reasonably practicable and within a maximum period of 180 days, unless EU or EU Member State law requires storage. Without prejudice to Section 9.1 (Access; Rectification; Restricted Processing; Portability), Customer will be responsible for exporting, before the Term expires, any Customer Data it wishes to retain afterwards.

7. Data Security

7.1 SureClinical’s Security Measures, Controls and Assistance. 7.1.1 SureClinical’s Security Measures. SureClinical will implement and maintain technical and organizational measures to protect Customer Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access as described in Appendix 2 (the “Security Measures”). As described in Appendix 2, the Security Measures include measures to encrypt personal data; to help ensure ongoing confidentiality, integrity, availability and resilience of SureClinical’s systems and services; to help restore timely access to personal data following an incident; and for regular testing of effectiveness. SureClinical may update or modify the Security Measures from time to time provided that such updates and modifications do not result in the degradation of the overall security of the Services. 7.1.2 Security Compliance by SureClinical Staff. SureClinical will take appropriate steps to ensure compliance with the Security Measures by its employees, contractors and Subprocessors to the extent applicable to their scope of performance, including ensuring that all persons authorized to process Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. 7.1.3 Additional Security Controls. In addition to the Security Measures, SureClinical will make the Additional Security Controls available to: (a) allow Customer to take steps to secure Customer Data, such as through application-level encrypted export; and (b) provide Customer with information about securing, accessing and using Customer Data. 7.1.4 SureClinical’s Security Assistance.  SureClinical will (taking into account the nature of the processing of Customer Personal Data and the information available to SureClinical) assist Customer in ensuring compliance with any of Customer’s obligations in respect of security of personal data and personal data breaches, including if applicable Customer’s obligations pursuant to Articles 32 to 34 (inclusive) of the GDPR, by:

  • implementing and maintaining the Security Measures in accordance with Section 7.1.1 (SureClinical’s Security Measures);
  • making the Additional Security Controls available to Customer in accordance with Section 7.1.3 (Additional Security Controls);
  • complying with the terms of Section 7.2 (Data Incidents); and
  • providing Customer with the Security Documentation in accordance with Section 7.5.1 (Reviews of Security Documentation) and the information contained in the MSA including these Terms.

7.2 Data Incidents 7.2.1 Incident Notification. If SureClinical becomes aware of a Data Incident, SureClinical will: (a) notify Customer and the Controller or such person required to be notified under the GDPR of the Data Incident promptly and without undue delay after becoming aware of the Data Incident; and (b) promptly take reasonable steps to minimize harm and secure Customer Personal Data. 7.2.2 Details of Data Incident. Notifications made pursuant to this section will describe, to the extent possible, details of the Data Incident, including steps taken to mitigate the potential risks and steps SureClinical recommends Customer take to address the Data Incident. 7.2.3 Delivery of Notification. Notification(s) of any Data Incident(s) will be delivered to the Notification Email Address or, at SureClinical’s discretion, by direct communication (for example, by phone call or an in-person meeting). Customer is solely responsible for ensuring that the Notification Email Address is current and valid. 7.2.4 No Assessment of Customer Data by SureClinical. SureClinical will not assess the contents of Customer Personal Data in order to identify information subject to any specific legal requirements. Customer is solely responsible for complying with incident notification laws applicable to Customer and fulfilling any third party notification obligations related to any Data Incident(s). 7.2.5 No Acknowledgement of Fault by SureClinical. SureClinical’s notification of or response to a Data Incident under this Section 7.2 (Data Incidents) will not be construed as an acknowledgement by SureClinical of any fault or liability with respect to the Data Incident. 7.3 Customer’s Security Responsibilities and Assessment. 7.3.1 Customer’s Security Responsibilities. Customer agrees that, without prejudice to SureClinical’s obligations under Section 7.1 (SureClinical’s Security Measures, Controls and Assistance) and Section 7.2 (Data Incidents): Customer is solely responsible for its use of the Services, including:

  • making appropriate use of the Services and the Additional Security Controls to ensure a level of security appropriate to the risk in respect of the Customer Personal Data;
  • securing the account authentication credentials, systems and devices Customer uses to access the Services;
  • backing up any Customer Personal Data; and
  • SureClinical has no obligation to protect Customer Personal Data that Customer elects to store or transfer outside of SureClinical’s and its Subprocessors’ systems (for example, offline or on-premises storage), or to protect Customer Data by implementing or maintaining Additional Security Controls except to the extent Customer has opted to use them.

7.3.2 Customer’s Security Assessment. Customer is solely responsible for reviewing the Security Documentation and evaluating for itself whether the Services, the Security Measures, the Additional Security Controls and SureClinical’s commitments under this Section 7 (Data Security) will meet Customer’s needs, including with respect to any security obligations of Customer under the European Data Protection Legislation and/or Non-European Data Protection Legislation, as applicable. Unless Customer advises SureClinical to the contrary in writing, it shall be assumed that (taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing of Customer Personal Data as well as the risks to individuals) the Security Measures implemented and maintained by SureClinical as set out in Section 7.1.1 (SureClinical’s Security Measures) provide a level of security appropriate to the risk in respect of the Customer Data. 7.4 Security Certifications and Reports. SureClinical will do the following to evaluate and help ensure the continued effectiveness of the Security Measures:

  • Update the SOC 2 Report at least once every 24 months.
  • Provide a copy of the SureClinical’s confidential GDPR Compliance SOP for Customer’s internal review. SOPs may not be

7.5 Reviews and Audits of Compliance 7.5.1 Reviews of Security Documentation. In addition to the information contained in the Agreement (including these Terms), SureClinical will make available for review by Customer the following documents and information to demonstrate compliance by SureClinical with its obligations under these Terms:

  • The then-current SOC 2 and/or SOC3 Report, following a request by Customer in accordance with Section 7.5.3(a).
  • SureClinical’s confidential GDPR Compliance SOP for Customer’s internal review. SureClinical confidential compliance documents and SOPs may not be shared with third parties without SureClinical’s express written consent.

7.5.2 Customer’s Audit Rights. If the European Data Protection Legislation applies to the processing of Customer Personal Data, SureClinical will provide Customer or an independent auditor appointed by Customer to conduct SureClinical audits with the documents to verify SureClinical’s compliance with its obligations under these Terms in accordance with Section 7.5.3 (Additional Business Terms for Reviews and Audits). SureClinical will contribute to such audits as described in Section 7.4 (Security Certifications and Reports) and this Section 7.5 (Reviews and Audits of Compliance). For all audits, SureClinical will provide auditors with access to its compliance documents on SureClinical’s compliance web portal. If Customer has entered into Model Contract Clauses as described in Section 10.2 (Transfers of Data Out of the EEA), SureClinical will, without prejudice to any audit rights of a supervisory authority under such Model Contract Clauses, allow Customer or an independent auditor appointed by Customer to conduct audits as described in the Model Contract Clauses in accordance with Section 7.5.3 (Additional Business Terms for Reviews and Audits). Customer may also conduct an audit to verify SureClinical’s compliance with its obligations under these Terms by reviewing the Security Documentation (which reflects the outcome of audits conducted by SureClinical’s Third Party Auditor). 7.5.3 Additional Business Terms for Reviews and Audits. Customer must send any requests for reviews of the SOC 2 or SOC3 Report under Section 7.5.1(c) or audits under Section 7.5.2(a) or 7.5.2(b) to SureClinical’s Cloud Data Protection Team as described in Section 12 (Cloud Data Protection Team; Processing Records). Following receipt by SureClinical of a request under Section 7.5.3(a), SureClinical and Customer will discuss and agree in advance on: (i) the reasonable date(s) of and security and confidentiality controls applicable to any review of the SOC 2 Report under Section 7.5.1(c); and (ii) the reasonable start date, scope and duration of and security and confidentiality controls applicable to any audit under Section 7.5.2(a) or 7.5.2(b). SureClinical may charge a fee (based on SureClinical’s reasonable costs) for any review of:

  • SureClinical’s compliance documents, including SOPs, certifications or processes
  • Interviews or inspections of SureClinical staff or facilities
  • Audit or compliance related services

SureClinical will provide Customer with further details of any applicable fee, and the basis of its calculation, in advance of any such review or audit. Customer will be responsible for any fees charged by any auditor appointed by Customer to execute any such audit. SureClinical may object in writing to an auditor appointed by Customer to conduct any audit under Section 7.5.2(a) or 7.5.2(b) if the auditor is, in SureClinical’s reasonable opinion, not suitably qualified through relevant data center, security, or data systems audit certifications; a competitor of SureClinical, or otherwise unsuitable. Any such objection by SureClinical will require Customer to appoint another auditor or conduct the audit itself. 7.5.4 No Modification of MCCs. Nothing in this Section 7.5 (Reviews and Audits of Compliance) varies or modifies any rights or obligations of Customer or SureClinical under any Model Contract Clauses entered into as described in Section 10.2 (Transfers of Data Out of the EEA).

8. Impact Assessments and Consultations

Customer agrees that SureClinical will (taking into account the nature of the processing and the information available to SureClinical and subject to SureClinical charging in its discretion a service fee for its assistance) assist Customer in ensuring compliance with any obligations of Customer in respect of data protection impact assessments and prior consultation, including if applicable Customer’s obligations pursuant to Articles 35 and 36 of the GDPR, by:

  • providing the Additional Security Controls in accordance with Section 7.1.3 (Additional Security Controls) and the Security Documentation in accordance with Section 7.5.1 (Reviews of Security Documentation); and

providing the information contained in the MSA including these Terms.

9. Data Subject Rights; Data Export

9.1 Access; Rectification; Restricted Processing; Portability. During the Term, SureClinical will, in a manner consistent with the functionality of the Services, enable Customer to access, rectify and restrict processing of Customer Personal Data, including via the deletion functionality provided by SureClinical as described in Section 6.1 (Deletion by Customer), and to export Customer Personal Data. 9.2 Data Subject Requests 9.2.1 Customer’s Responsibility for Requests. During the Term, if SureClinical receives any request from a data subject in relation to Customer Personal Data, SureClinical will advise the data subject to submit their request to Customer and Customer will be responsible for responding to any such request including, where necessary, by using the functionality of the Services. 9.2.2 SureClinical’s Data Subject Request Assistance. SureClinical will (taking into account the nature of the processing of Customer Personal Data, and subject to SureClinical charging in its discretion a service fee for its assistance) assist Customer in fulfilling any obligation to respond to requests by data subjects, including if applicable Customer’s obligation to respond to requests for exercising the data subject’s rights laid down in Chapter III of the GDPR, by:

  • providing the Additional Security Controls in accordance with Section 7.1.3 (Additional Security Controls); and
  • complying with the commitments set out in Section 9.1 (Access; Rectification; Restricted Processing; Portability) and Section 9.2.1 (Customer’s Responsibility for Requests).

     

    10. Data Transfers

10.1 Data Storage and Processing Facilities Customer may select where certain Customer Data will be stored (the “Data Location Selection”), and SureClinical will store it there in accordance with the Service Specific Terms.  If Customer selects a Data Location Selection that is outside of SureClinical’s Service Specific Terms for the Customer, an additional service fee may be charged to the customer.  If a Data Location Selection is not covered by the Service Specific Terms (or a Data Location Selection is not made by Customer in respect of any Customer Data), SureClinical may, subject to Section 10.2 (Transfers of Data Out of the EEA), store and process the relevant Customer Data anywhere SureClinical or its Subprocessors maintains facilities. 10.2 Transfers of Data Out of the EEA. 10.2.1 SureClinical’s Transfer Obligations. If the storage and/or processing of Customer Personal Data (as set out in Section 10.1 (Data Storage and Processing Facilities)) involves transfers of Customer Personal Data out of the EEA, and the European Data Protection Legislation applies to the transfers of such data (“Transferred Personal Data”), SureClinical will: if requested to do so by Customer, ensure that SureClinical assists Customer with the export of such data, using an encrypted portable format.  SureClinical may charge a fee for this export service. 10.2.2 Customer’s Transfer Obligations. In respect of Transferred Personal Data, Customer shall:

  • if under the European Data Protection Legislation SureClinical reasonably requires Customer to enter into Model Contract Clauses in respect of such transfers, Customer will do so, subject to a reasonable fee for attorney review; and
  • if under the European Data Protection Legislation SureClinical reasonably requires Customer to use an Alternative Transfer Solution offered by SureClinical, and reasonably requests that Customer take any action (which may include execution of documents) strictly required to give full effect to such solution, Customer will do so.

10.3 Data Center Information. Due to Customer Data security and anti-terrorism policies, physical addresses of SureClinical’s datacenters is confidential and is not published.  Upon request SureClinical will make available a list of datacenters by City, State, Country. 10.4 Disclosure of Confidential Information Containing Personal Data. If Customer has entered into Model Contract Clauses as described in Section 10.2 (Transfers of Data Out of the EEA), SureClinical will, notwithstanding any term to the contrary in the MSA, ensure that any disclosure of Customer’s Confidential Information containing personal data, and any notifications relating to any such disclosures, will be made in accordance with such Model Contract Clauses.

11. Subprocessors

11.1 Consent to Subprocessor Engagement. SureClinical’s Affiliates may be engaged as Subprocessors, as well as any other third parties may be engaged as Subprocessors (“Third Party Subprocessors”). If Customer has entered into Model Contract Clauses as described in Section 10.2 (Transfers of Data Out of the EEA), the above authorizations will constitute Customer’s prior written consent to the subcontracting by SureClinical of the processing of Customer Data if such consent is required under the Model Contract Clauses. 11.2 Information about Subprocessors. Information about Subprocessors, including their functions and locations, is available at: https://cloud.sureclinical.com/terms/third-party-suppliers (as may be updated by SureClinical from time to time in accordance with these Terms). 11.3 Requirements for Subprocessor Engagement. When engaging any Subprocessor, SureClinical will:

  • ensure via a written contract that:
  • the Subprocessor only accesses and uses Customer Data to the extent required to perform the obligations subcontracted to it, and does so in accordance with the MSA (including these Terms) and any Model Contract Clauses entered into or Alternative Transfer Solution adopted by SureClinical as described in Section 10.2 (Transfers of Data Out of the EEA); and
  • if the GDPR applies to the processing of Customer Personal Data, the data protection obligations set out in Article 28(3) of the GDPR, as described in these Terms, are imposed on the Subprocessor; and
  • remain fully liable for all obligations subcontracted to, and all acts and omissions of, the Subprocessor.

11.4 Opportunity to Object to Subprocessor Changes. When any new Third Party Subprocessor is engaged during the Term, SureClinical will, at least 30 days before the new Third Party Subprocessor processes any Customer Data, inform Customer of the engagement (including the name and location of the relevant subprocessor and the activities it will perform) either by sending an email to the Notification Email Address or via the Admin Console. Prior to any engagement with a new Third Party Subprocessor, SureClinical will conduct adequate due diligence and a Third Party Subprocessor selection process to ensure that Third Party Subprocessor meets or exceeds applicable GDPR regulations.

12. Cloud Data Protection Team; Processing Records

12.1 SureClinical’s Cloud Data Protection Team. SureClinical’s Cloud Data Protection Team can be contacted at support@SureClinical.com (and/or via such other means as SureClinical may provide from time to time). 12.2 SureClinical’s Processing Records. SureClinical is required under the GDPR to: (a) collect and maintain records of certain information, including the name and contact details of each processor and/or controller on behalf of which SureClinical is acting and, where applicable, of such processor’s or controller’s local representative and data protection officer; and (b) make such information available to the supervisory authorities. Accordingly, if the GDPR applies to the processing of Customer Personal Data, Customer will, where requested, provide such information to SureClinical via the Admin Console or other means provided by SureClinical, and will use the Admin Console or such other means to ensure that all information provided is kept accurate and up-to-date.

13. Liability

13.1 Liability Cap. If Model Contract Clauses have been entered into as described in Section 10.2 (Transfers of Data Out of the EEA), the total combined liability of either party and its Affiliates towards the other party and its Affiliates under or in connection with the Agreement and such Model Contract Clauses combined will be limited to the Agreed Liability Cap for the relevant party, subject to Section 13.2 (Liability Cap Exclusions). 13.2 Liability Cap Exclusions. Nothing in Section 13.1 (Liability Cap) will affect the remaining terms of the MSA relating to liability (including any specific exclusions from any limitation of liability).

14. Third Party Beneficiary

Notwithstanding anything to the contrary in the MSA, where SureClinical is not a party to the Agreement, SureClinical will be a third party beneficiary of Section 7.5 (Reviews and Audits of Compliance), Section 11.1 (Consent to Subprocessor Engagement) and Section 13 (Liability) of these Terms.

15. Effect of These Terms

Notwithstanding anything to the contrary in the MSA, to the extent of any conflict or inconsistency between these Terms and the remaining terms of the MSA, these Terms will govern.

Appendix 1: Subject Matter and Details of the Data Processing

Subject Matter SureClinical’s provision of the Services to Customer. Duration of the Processing The Term plus the period from the expiry of the Term until deletion of all Customer Data by SureClinical in accordance with the Terms. Nature and Purpose of the Processing SureClinical will process Customer Personal Data for the purposes of providing the Services to Customer in accordance with the Terms. Categories of Data Data relating to individuals provided to SureClinical via the Services, by (or at the direction of) Customer or by Customer End Users. Data Subjects Data subjects include the individuals about whom data is provided to SureClinical via the Services by (or at the direction of) Customer or by Customer End Users.

Appendix 2: Security Measures

As from the Terms Effective Date, SureClinical will implement and maintain the Security Measures as set out in SureClinical’s Cloud Operations SOP.