DATA PROCESSING AGREEMENT (DPA)
Elionova AG
Last updated: [March 3, 2026]
This Data Processing Agreement (“DPA”) forms part of and is incorporated into the Terms and Conditions governing the use of the Elionova Cloud Platform (https://cloud.eliodx.com).
This DPA applies to the processing of Personal Data by Elionova AG on behalf of its customers.
1. Parties
This DPA is entered into between:
Customer
(the “Controller”)
and
Elionova AG
Passage du Cardinal 13B
1700 Fribourg
Switzerland
UID: CHE-188.353.395
(the “Processor”)
2. Purpose, Scope and Duration
This DPA governs the processing of Personal Data by the Processor on behalf of the Controller in connection with the provision of the Elionova Cloud Platform and associated services.
The Cloud Platform is designed for Research Use Only (RUO).
Duration of Processing
Processing shall continue for the duration of the Controller’s use of the Cloud Platform and for any additional period necessary to:
- Complete data deletion or return procedures; or
- Comply with applicable legal retention obligations.
3. Definitions
For the purposes of this DPA:
- “Personal Data” has the meaning given in Article 4(1) GDPR.
- “Processing” has the meaning given in Article 4(2) GDPR.
- “Controller” and “Processor” have the meanings given in Article 4 GDPR.
- “Data Subject” means an identified or identifiable natural person.
4. Nature and Purpose of Processing
The Processor shall process Personal Data solely for the purpose of:
- Hosting research data
- Providing secure cloud access
- Maintaining system integrity
- Security monitoring
- Performing technical support services
The Processor does not determine the purposes of the research conducted by the Controller.
5. Categories of Data and Data Subjects
Categories of Personal Data may include:
- User account information (name, email, organization)
- IP addresses
- Authentication credentials
- Access logs
- Research data uploaded by the Controller
- User-generated identifiers entered by the Controller
Categories of Data Subjects may include:
- Authorized users of the Cloud Platform
- Researchers or personnel designated by the Controller
- Individuals referenced in research data uploaded by the Controller
The Processor does not intentionally collect patient medical records.
6. Obligations of the Processor
The Processor shall:
a) Process Personal Data only on documented instructions from the Controller.
b) Ensure that persons authorized to process Personal Data are subject to appropriate statutory or contractual confidentiality obligations.
c) Implement appropriate technical and organizational measures in accordance with Article 32 GDPR.
d) Assist the Controller in fulfilling Data Subject rights requests, taking into account the nature of the processing.
e) Assist the Controller in ensuring compliance with Articles 32–36 GDPR where applicable.
f) Notify the Controller without undue delay upon becoming aware of a Personal Data breach.
7. Technical and Organizational Measures (TOMs)
The Processor implements appropriate safeguards including:
- Hosting in AWS data centers located in the European Economic Area (EEA)
- Encryption in transit (TLS)
- Secure authentication mechanisms
- Role-based access controls
- Audit logging
- Infrastructure monitoring
- Network security controls
- Logical segregation of customer environments
Security measures may be updated from time to time to reflect current industry standards and evolving security risks.
8. Sub-Processors
The Processor engages the following sub-processor:
Amazon Web Services (AWS), European Regions
The Processor ensures that sub-processors are bound by contractual obligations consistent with Article 28 GDPR.
The Processor remains responsible for the performance of its sub-processors in accordance with applicable data protection laws.
9. International Transfers
Personal Data is processed and hosted within AWS data centers located in the European Economic Area (EEA).
If any transfer outside the EU/EEA occurs, the Processor shall implement appropriate safeguards in accordance with Article 46 GDPR, including Standard Contractual Clauses where required.
Nothing in this DPA shall restrict the applicability of mandatory data protection provisions under EU law where such provisions apply to the processing activities.
10. Data Subject Rights
Taking into account the nature of the processing, the Processor shall assist the Controller in responding to requests for:
- Access
- Rectification
- Erasure
- Restriction
- Data portability
- Objection
Where legally permitted, the Processor may refer Data Subject requests directly to the Controller.
11. Personal Data Breach
In the event of a Personal Data breach, the Processor shall:
- Notify the Controller without undue delay
- Provide available information regarding the nature of the breach
- Cooperate in mitigation and remediation efforts
12. Deletion or Return of Data
Upon termination of the service agreement, the Processor shall, at the choice of the Controller:
- Delete Personal Data; or
- Return Personal Data
unless retention is required by applicable law.
Where deletion is requested, deletion shall occur within a reasonable period consistent with backup retention cycles and technical constraints.
13. Audit Rights
The Controller may request reasonable information necessary to demonstrate compliance with this DPA.
Formal audits:
- Must be conducted upon reasonable prior written notice
- Must not unreasonably disrupt Processor operations
- Must be subject to appropriate confidentiality obligations
The Processor may satisfy audit requests through provision of documentation, certifications, or independent audit reports where appropriate.
14. Liability
Each party’s liability under this DPA shall be subject to the liability limitations set forth in the Terms and Conditions.
Nothing in this DPA excludes liability where exclusion is prohibited by applicable law.
15. Governing Law and Jurisdiction
This DPA shall be governed by the laws of Switzerland.
Jurisdiction shall be the competent courts of Fribourg, Switzerland.
Nothing in this DPA shall restrict the applicability of mandatory data protection provisions under EU law where such provisions apply to the processing activities.
16. Incorporation and Acceptance
This DPA forms part of and is incorporated into the Terms and Conditions governing access to https://cloud.eliodx.com.
By accessing or using the Cloud Platform, the Controller agrees to this DPA.