Data Processing Agreement — Tamarind Bio
Last Updated: February 20, 2025
This Data Processing Agreement ("Agreement") is incorporated into the Contract for Services ("Principal Agreement") between Tamarind Bio (the "Company") and each client or entity utilizing the provided services (each referred to as the "Customer").
WHEREAS
(A) The Company acts as a Data Controller.
(B) The Customer wishes to subcontract certain Services, which imply the processing of personal data, to the Company.
(C) The Parties seek to implement a data processing agreement that complies with the requirements of the current legal framework in relation to data processing and with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
(D) The Parties wish to lay down their rights and obligations.
(E) This Agreement is supplementary to the Company's existing Privacy Policy, Terms of Service, and other applicable documentation as referenced herein.
IT IS AGREED AS FOLLOWS:
1. Definitions and Interpretation
1.1 Unless otherwise defined herein, capitalized terms and expressions used in this Agreement shall have the following meaning:
1.1.1 "Agreement" means this Data Processing Agreement and all Schedules;
1.1.2 "Customer Personal Data" means any Personal Data processed by Company on behalf of Customer pursuant to or in connection with the Principal Agreement;
1.1.3 "Contracted Processor" means a Subprocessor;
1.1.4 "Data Protection Laws" means EU Data Protection Laws and, to the extent applicable, the data protection or privacy laws of any other country;
1.1.5 "EEA" means the European Economic Area;
1.1.6 "EU Data Protection Laws" means EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR;
1.1.7 "GDPR" means EU General Data Protection Regulation 2016/679;
1.1.8 "Data Controller", "Data Processor", "Data Subject", "Personal Data", "Processing", "Supervisory Authority" shall have the meanings given in the GDPR;
2. Processing of Customer Personal Data
2.1 Company shall:
2.1.1 comply with all applicable Data Protection Laws in the Processing of Customer Personal Data;
2.1.2 not Process Customer Personal Data other than on the relevant Customer's documented instructions;
2.1.3 only process the following types of personal data: names, email addresses, and phone numbers (optional) of Company's customers or users, as described in the Company's Privacy Policy;
2.1.4 only process personal data for the purposes explicitly set out in the Principal Agreement and in accordance with Tamarind Bio's existing Privacy Policy and Terms of Service.
3. Data Retention and Deletion
3.1 The Company shall retain Customer Personal Data only for as long as necessary to provide the Services outlined in the Principal Agreement and in accordance with the following principles:
3.1.1 Personal Data shall be retained for no longer than 12 months after the termination of the relationship with the Data Subject, unless a shorter period is requested or required by applicable law.
3.1.2 Upon the Customer's written request, or upon termination of the Principal Agreement, the Company shall:
a) Delete all Customer Personal Data within 30 days, unless retention is required by applicable law;
b) Provide written certification of deletion upon request;
c) Ensure any Subprocessors also comply with these deletion requirements.
3.1.3 The Company may maintain anonymized data for analytical purposes after the retention period, provided all personal identifiers are permanently removed.
4. Logging and Documentation
4.1 The Company shall maintain detailed logs of all Processing activities involving Customer Personal Data, including:
4.1.1 Date and time of Processing operations;
4.1.2 Categories of Processing performed;
4.1.3 Any transfers of personal data to a third country;
4.1.4 Records of access to Personal Data, including the identity of persons who accessed the data and the purpose;
4.1.5 Security incidents or data breaches, including details of the breach, its effects, and remedial action taken.
4.2 Company shall make these logs available to the Customer upon reasonable request and to Supervisory Authorities when required by law.
4.3 Logs shall be retained for a minimum of 36 months and shall be protected against tampering and unauthorized access.
5. Personnel
5.1 Company shall ensure that its personnel engaged in the Processing of Customer Personal Data:
5.1.1 are informed of the confidential nature of the Personal Data and are under obligations of confidentiality;
5.1.2 have received appropriate training on their responsibilities;
5.1.3 have access only to such Personal Data as is strictly necessary for the performance of their duties.
6. Security
6.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Company shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
6.1.1 the pseudonymization and encryption of Personal Data;
6.1.2 the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
6.1.3 the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident;
6.1.4 a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
6.2 In assessing the appropriate level of security, Company shall take account of the risks presented by the Processing, particularly from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Company Personal Data.
7. Subprocessing
7.1 Company shall not appoint any Subprocessors without the prior written consent of the Customer.
7.2 Company shall ensure that any Subprocessor it engages to provide processing services in connection with this Agreement does so only on the basis of a written contract which imposes on such Subprocessor terms no less protective than those imposed on Company in this Agreement.
7.3 Company shall be liable for the acts and omissions of any Subprocessor to the same extent as if the acts and omissions were performed by Company.
8. Data Subject Rights
8.1 Taking into account the nature of the Processing, Company shall assist the Customer by implementing appropriate technical and organizational measures for the fulfillment of the Customer's obligations to respond to requests to exercise Data Subject rights under the Data Protection Laws.
8.2 Company shall notify Customer promptly, and within 48 hours of receipt, if it receives a request from a Data Subject under any Data Protection Law in respect of Customer Personal Data.
8.3 Company shall not respond to a Data Subject request without Customer's prior written consent except to confirm that such request relates to the Customer.
9. Personal Data Breach
9.1 Company shall notify Customer without undue delay upon becoming aware of a Personal Data Breach affecting Customer Personal Data, and in any case within 24 hours, providing sufficient information to allow the Customer to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws.
9.2 Company shall cooperate with the Customer and take reasonable steps as directed by Customer to assist in the investigation, mitigation and remediation of each Personal Data Breach.
10. Audit rights
10.1 Subject to this section 10, Company shall make available to the Customer on request all information necessary to demonstrate compliance with this Agreement, and shall allow for and contribute to audits, including inspections, by the Customer or an auditor mandated by the Customer in relation to the Processing of the Customer Personal Data by the Contracted Processors.
10.2 Company shall immediately inform the Customer if, in its opinion, an instruction infringes the Data Protection Laws.
11. Compliance with Existing Documents
11.1 This Agreement supplements and does not replace Tamarind Bio's existing documentation. The Data Processor agrees to comply with:
11.1.1 Tamarind Bio's Privacy Policy, available on the Company website;
11.1.2 Tamarind Bio's Terms of Service, available on the Company website;
11.1.3 Tamarind Bio's Information Security Policy, as provided separately;
11.1.4 Any additional written instructions provided by Tamarind Bio regarding the processing of Personal Data.
11.2 In case of any inconsistency between this Agreement and the documents listed in section 11.1, the provisions of this Agreement shall prevail with regard to the Parties' data protection obligations.
12. Term and Termination
12.1 This Agreement shall commence on the date of the Principal Agreement and shall continue in force until the termination or expiry of the Principal Agreement or until all Personal Data is deleted or returned as specified in section 3.
12.2 The Customer may terminate this Agreement and any Principal Agreement immediately by written notice to Company if Company commits a material or persistent breach of this Agreement.
This Data Processing Agreement is a legally binding contract between the Customer and Tamarind Bio. By engaging Tamarind Bio to process personal data on its behalf, the Customer agrees to be bound by the terms of this Agreement.
For questions regarding this Data Processing Agreement, please contact info@tamarind.bio.