Systematic Review Robot
Data Processing Agreement

This Data Processing Agreement for Systematic Review Robot Services ("DPA") forms a part of the software subscription agreement or other written agreement between Systematic Review Robot and Customer ("Agreement") regarding Systematic Review Robot's subscriptions, products and/ or services provided by Systematic Review Robot and ordered by the Customer in accordance with the Agreement. All contacts regarding this DPA must be made to: systematicreviewrobot@gmail.com.

1. DEFINITIONS

Capitalized terms shall have the meaning set out below.

"Breach Event": a breach of security leading to the accidental or unlawful loss, alteration, unauthorized disclosure of, destruction, or access to the Personal Data transmitted, stored, or otherwise processed by Systematic Review Robot.

"Controller" refers to the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.

"Customer" refers to the entity using the Systematic Review Robot Services that has executed an Agreement, which references this DPA.

"Personal Data": refers to any information relating to an identified or identifiable natural person ("Data Subject"); an identifiable natural person is one who can be directly or indirectly identified in particular by reference to an identifier, which may be supplied to and Processed by Processor on behalf of the Controller pursuant to or in connection with the Agreement.

"Processor": Systematic Review Robot as the legal person who processes the Personal Data on behalf of the Customer.

"Processing": any operation or set of operations which is performed on Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

"Standard Contractual Clauses": (i) the Standard Contractual Clauses approved by the Commission Decision 2021/914 of 4 June 2021 for the transfer of personal data to third countries pursuant to the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC ("GDPR") and (ii) the International Data Transfer Agreement issued by the Information Commissioner's Office in the United Kingdom ("UK SCCs").

"Sub-Processor": an entity engaged by the Processor exclusively for the Processing activities to be carried out pursuant to or in connection with the Agreement on behalf of the Controller and in accordance with its instructions, as transmitted by the Controller.

2. DURATION AND APPLICABLE LAWS

2.1. Unless otherwise agreed in writing, from the date of the Agreement's effective date this DPA will take effect notwithstanding its expiry, remain in effect until, and automatically expire upon, deletion of all Personal Data by Systematic Review Robot as described in this DPA.

2.2. When Personal Data is Processed by Systematic Review Robot as part of the provision of the Service, this DPA applies.

2.3. The parties acknowledge and agree that the European data protection legislation, such as GDPR will apply to the processing of Controller Personal Data if, for example: i) the processing is carried out in the context of the activities of an establishment of Controller in the territory of the EEA; and/or ii) the Controller provides data that is personal data relating to Data Subjects who are in the EEA and the processing relates to the offering to them of goods or services in the EEA or the monitoring of their behavior in the EEA.

2.4. The Parties acknowledge and agree that non-European data protection legislation may also apply to the processing of Controller Data.

2.5. The effective application of the terms of this DPA is irrespective of whether the European data protection legislation or non-European data protection legislation applies to the processing of Controller data.

3. DATA PROCESSING

3.1. Systematic Review Robot is the Processor to the Customer, who can act either as the controller or processor of Personal Data, as those or analogous terms are defined under applicable legislation. This applies to the extent that the GDPR or other privacy Laws and regulations with analogous terms apply to Systematic Review Robot's Processing of Personal Data on behalf of the Customer under the Agreement.

3.2. The parties acknowledge and agree that: (a) Customer is the "Business" and Systematic Review Robot is the "Service Provider"; (b) Systematic Review Robot will Process Personal Data solely on behalf of Customer and for the specific business purposes set forth in the Agreement; and (c) Systematic Review Robot will not retain, use, disclose, or otherwise Process such Personal Data for any purpose other than for the specific purpose of performing the Service as specified in the Agreement. These conditions applies to the extent that the CCPA applies to Systematic Review Robot Processing of Personal Data on behalf of Customer under the Agreement.

3.3. Systematic Review Robot will process the Personal Data in accordance with the Customer's instructions and applicable laws: (a) to provide the Service, (b) as documented in the Agreement, including this DPA; and (c) as further documented in any other written instructions given by Customer and acknowledged by Systematic Review Robot as constituting instructions for purposes of this DPA. Systematic Review Robot will comply with all lawful and reasonable Controller instructions. If Systematic Review Robot cannot comply with an instruction, it will notify the Customer without undue delay.

3.4. The nature and purpose of the Processing and the type of Personal Data and categories of Data Subjects about whom Personal Data shall be processed are determined by Customer, based on Customer's use of the Services and the Personal Data that Customer chooses to upload to the Service(s) or otherwise provide to Systematic Review Robot for the purpose of Processing.

3.5. Systematic Review Robot will reasonably support the Customer or any Data Controller in dealing with requests from Data Subjects or regulatory authorities regarding Systematic Review Robot's processing of Personal Data under this DPA, at Customer's request,. Where requested to do so by the Customer, Systematic Review Robot shall disclose the information reasonably required to demonstrate compliance with the applicable data protection Laws, including the necessary information for the Customer to carry out a privacy impact assessment of the Services and implement mitigation actions agreed by the Parties to address privacy risks which may have been identified.

3.6. Upon request, Systematic Review Robot shall make available to the Controller information reasonably necessary to demonstrate compliance with this DPA and/or the necessary information for the Controller to carry out a privacy impact assessment of the Service and in implementing mitigation actions agreed by the Parties to address privacy risks which may have been identified.

3.7. Systematic Review Robot will (as applicable) return to Customer or destroy all Personal Data, upon termination of the Agreement for whatever reason, and upon Customer's written request made within thirty (30) days after such termination. Systematic Review Robot will destroy such Personal Data after such 30-day period.

3.8 The transferred Personal Data is and will be subject of basic processing functions such as: (a) use of Personal Data to set up, operate, monitor and provide the Service; (b) upload any fixes or upgrade to the Service;(c) communication to authorized users; (d) in accordance with the Agreement, the realization of instructions of Customer. The frequency of the transfer of Personal Data will be continuous.

4. DATA SECURITY

4.1. To protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access ("Security Measures"), Systematic Review Robot will implement and maintain technical and organizational measures. From time to time and at its discretion, Systematic Review Robot may update or modify the Security Measures, provided that such updates and modifications do not cause the degradation of the overall Service's security.

4.2. Regarding Systematic Review Robot's employees, contractors, and Sub-processors, Systematic Review Robot will take appropriate steps to ensure compliance with the Security Measures by its employees, contractors, and Sub-processors to the extent applicable to their scope of performance, including ensuring that all persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

4.3. In respect of security of Personal Data and Breach Events, Systematic Review Robot will assist Customer in ensuring compliance with any of its obligations.

4.3. Without undue delay but in no event later than seventy-two (72) hours after becoming aware of any Breach Event, Systematic Review Robot shall notify Customer.

5. SUB-PROCESSORS

5.1. Customer acknowledges and agrees that may engage Sub-Processor(s) in the performance of the Service(s) on Customer's behalf. All Sub-Processors to whom Systematic Review Robot transfers Personal Data are bound by substantially the same material obligations as Systematic Review Robot undertakes under this DPA and provide adequate guarantees of security and compliance. Systematic Review Robot will be liable for the acts and omissions of its Sub-Processors to the same extent that Systematic Review Robot would be liable if performing the Service directly, under the terms of the Agreement.

5.2. The current Sub-Processors are listed as per Section 4.2 above. Systematic Review Robot may use new Sub-Processors provided it notifies the Customer in advance of any changes to the list of Sub-Processors in place on the effective date. If Customer has a legitimate reason, Customer may object to Systematic Review Robot's use of a Sub-Processor, by notifying Systematic Review Robot in writing within thirty days after receipt of Systematic Review Robot's notice. If the Customer objects to the use of the Sub-Processor, the parties will come together in good faith to discuss a resolution. Systematic Review Robot may choose to: (i) not use the Sub-Processor or (ii) take the corrective steps requested by Customer in its objection and use the Sub-Processor. If none of these options is reasonably possible and Customer continues to object for a legitimate reason, either party may terminate the Agreement on thirty days' written notice. If Customer does not object within thirty days of receipt of the notice, Customer is deemed to have accepted the new Sub-Processor.

6. DISCLOSURE TO COMPETENT AUTHORITIES

6.1 if required by law or a subpoena or other judicial or administrative order or if Systematic Review Robot deems the disclosure necessary to protect the safety and rights of any person, or the general public, Systematic Review Robot may disclose Personal Data.

6.2 In the event that Systematic Review Robot receives a legally binding request for access to the Personal Data by a public authority, Systematic Review Robot will:

6.2.1. promptly notify Customer of such request to enable Customer to intervene and seek relief from such disclosure, unless Systematic Review Robot is otherwise prohibited from providing such notice. If Systematic Review Robot is so prohibited: i) It will use its reasonable efforts to obtain the right to waive this prohibition, to communicate as much information as it can, and be able to demonstrate that it did so; ii) In the event hat, despite having used its reasonable efforts, Systematic Review Robot is not permitted to notify Customer, it will make available general information, on an annual basis, and as allowed by law (such as a transfer impact assessment or other transparency report ), concerning the requests it received to the Customer and/or the competent supervisory authority of the Customer.

6.2.2. not make any disclosures of the Personal Data, to any public authority, that are determined to be massive, disproportionate, and indiscriminate in a manner that it would go beyond what is

necessary in a democratic society; and

6.2.3 upon request from the Customer, provide general information on the requests from public authorities it received in the preceding twelve (12) month period relating to the Personal Data.

7. APPLICABLE LAW AND JURISDICTION

The governing clause established in the Agreement shall govern, construe, and enforce this DPA.