Privacy FAQ and Transparency Report

1. OUR APPROACH TO PRIVACY

Medentic, LLC (“Medentic”) takes its privacy responsibility seriously and is committed to protecting and respecting the privacy of our customers and their customers. This Frequently Asked Questions document provides information that Medentic customers may use to fulfill their commitment to transparency and enable themselves to comply with their own privacy obligations, including in connection with conducting data transfer impact assessments. Note this document is meant for customers’ internal use only and does not create any kind of representation or other commitment. Medentic’s commitments are exclusively contained in its agreements with its customers.

2. DATA PROCESSING AGREEMENT

2.1 When offering its services, Medentic acts on behalf of its customers. 2.2 Medentic enters into data processing agreements with its customers to ensure that personal data is sufficiently protected by contractual arrangements. 2.3 Medentic’s standard Data Processing Agreement (“DPA”) is a global data processing agreement which also contains some country-specific terms. It contains details on the processing of personal data in the context of the provision of the Medentic services, including the types of data used and the scope of the processing. The data processed by Medentic is determined by our customer’s configuration of our services. Please see Schedule 1 of our DPA for more information.

3. GOVERNMENT REQUESTS (EU DIGITAL SERVICES ACT) TRANSPARENCY REPORT

3.1 To date, Medentic has not received any requests from EU member states under the Digital Services Act (DSA) requiring the disclosure of customer data. 3.2 If Medentic were to receive a demand for customer data from any government, Medentic has policies in place that govern how we would handle any such requests. 3.3 Specifically, Medentic would respond as follows:

• (a) Medentic will review any requests for information, including an analysis by Medentic’s legal team, to determine the appropriate response.
• (b) Where possible, Medentic will direct the requesting authorities to request the data directly from its customer.
• (c) Medentic will also notify the affected customer(s) unless the law prohibits Medentic from doing so.
• (d) Where there is a legal basis for doing so, Medentic will challenge the order.

4. INTERNATIONAL TRANSFER

4.1 For customers that are subject to the European General Data Protection Regulation (“GDPR”) or the UK GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the UK European Union (Withdrawal) Act 2018, the DPA also incorporates the Standard Contractual Clauses annexed to Commission Implementing Decision (EU) 2021/914 (“SCCs”) as well as a UK addendum to safeguard the transfer of personal data to the US. 4.2 In addition to entering into the SCCs and the UK addendum as applicable, Medentic commits itself to a number of Supplementary Measures that are set out in Schedule 4 of the DPA. 4.3 Medentic has also entered into an Intra-Group Agreement that covers the various data transfers within the Medentic company group.

5. DATA SECURITY

5.1 The DPA contains a list of technical and organizational measures to which Medentic will adhere. All relevant privacy compliance and security policies and procedures are reviewed regularly and re-evaluated. Where needed, Medentic will update its policies and procedures. 5.2 Medentic personnel handling personal data will also be trained on privacy matters as well as cyber security.

6. APPOINTMENT OF SUB-PROCESSORS

6.1 Medentic has a risk assessment and management process to ensure that its engagements with vendors who process customer personal data comply with privacy requirements. 6.2 Medentic enters into appropriate data processing agreements with its vendors. 6.3 The DPA contains a list of sub-processors engaged by Medentic.

7. PRIVACY QUESTIONS?

If you have any questions regarding Medentic’s processing of personal data (including any cross-border transfer) or require further information to comply with your privacy obligations, we are happy to assist. Please do not hesitate to contact us at privacy@medentic.app.