ESSAY ASSAY, INC. COPYRIGHT POLICY LAST UPDATED: MAY 7TH, 2019 Copyright for the entire content of this website (www.ecree.com) belongs to Essay Assay, Inc. (the “Company”). The Company owns the copyright and all other rights in this website and the materials on it and you are responsible for obeying all applicable laws relating to the intellectual property laws as they pertain to this site and the materials on it. The Company allows you to print or store a reasonable amount of material from the website for your personal use or for use within your firm or organization, but material should not be copied, used or re-published in whole or in part without the prior written permission of the Company and without acknowledging the source, either by the use of appropriate words or by use of our copyright notice © Essay Assay, Inc., 2019. Where permission for use is granted by the Company the following conditions apply: When such information is distributed or reproduced, it must appear accurately and the Company must be cited as the source. Where the information is incorporated in documents that are sold (regardless of the medium), the natural or legal person publishing the information must inform buyers, both before they pay any subscription or fee and each time they access the information taken from Company’s website, that the information may be obtained free of charge through the Company's website. Pursuant to the Digital Millennium Copyright Act of USA (17 U.S.C. § 512), the procedures for receiving written notification of claimed infringements have been implemented. If you believe in good faith that your copyright has been infringed, you may contact the owner of the website providing the following details: An electronic or physical signature of the person authorized to act on behalf of the owner of the copyright interest; A description of the copyrighted work that you claim has been infringed; A description specifying the location on our website of the material that you claim is infringing; Your email address and your mailing address and/or telephone number; A statement by you that you have a good faith belief that the disputed use is not authorized by the copyright owner, its agent, or the law; and A statement by you, made under penalty of perjury, that the information in your notice is accurate and that you are the copyright owner or authorized to act on the copyright owner’s behalf. Any inquiries and claims should be addressed via available means of communication available on the website.
ESSAY ASSAY, INC. DATA PROCESSING AGREEMENT LAST UPDATED: MAY 7TH, 2019 You are as a customer of our services (hereinafter the “Data Controller”) available on the website www.ecree.com (hereinafter the “Website”) and other related services, and Essay Assay, Inc. (hereinafter the “Data Processor”), have entered into our Terms of Service (available on the Website) under which the Data Processor has agreed to provide you Services (as defined in the Terms of Service) and related technical support to Data Controller (the "Agreement"). This Agreement is a part of the Terms of Service and your agreement with the Terms of Service means the agreement with the Agreement. BACKGROUND (A) This Agreement is to ensure the protection and security of data passed from Data Controller to the Data Processor. (B) This Agreement is compliant with the requirements of Article 28 of the General Data Protection Regulation. (C) The parties wish to record their commitments under this Agreement. IT IS AGREED AS FOLLOWS: 1. DEFINITIONS AND INTERPRETATION In this Agreement: "Data Protection Laws" means any national data protection law, together with legislation incorporating GDPR; "Data" means personal data passed under this Agreement; “GDPR” means the General Data Protection Regulation; "Services" means services which are provided by the Data Processor to the Data Controlled and which are available and offered on the website or any related services offered by the Data Processor. 2. DATA PROCESSING The Data Controller is the data controller for the Data and the Data Processor is the data processor for the Data. The Data Processor agrees to process the Data only in accordance with Data Protection Laws and in particular on the following conditions: The Data Processor shall only process the Data (i) on the written instructions from Data Controller (ii) only process the Data for completing the Services and (iii) only process the Data in the EU/EEA or any country which has an adequacy decision (particularly, the Data Processor is based in the USA and uses a subprocessor, certified according to the EU-U.S. Privacy Shield, for storage which is based in the USA) (Article 28, para 3(a) GDPR); ensure that all employees and other representatives accessing the Data are (i) aware of the terms of this Agreement, internal security policies, and instructions, and (ii) have received instructions/training on Data Protection Laws and related good practice, and (iii) are bound by a commitment of confidentiality (Article 28, para 3(b) GDPR); The Data Controller and the Data Processor have agreed to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, complying with Article 32 of GDPR, details of those measures are set out under Part B of the Annex to this Agreement (Article 28, para 3(c) GDPR); the Processor shall not involve any third party in the processing of the Data without the consent of Data Controller. (Article 28, para 3(d) GDPR); taking into account the nature of the processing, assist the Data Controller by appropriate technical and organisational measures, in so far as this is possible, for the fulfillment of Data Controller’ obligation to respond to requests from individuals exercising their rights laid down in Chapter III of GDPR – rights to erasure, rectification, access, restriction, portability, object and right not to be subject to automated decision making, etc. (Article 28, para 3(e) GDPR); assist Data Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of GDPR – security, notification of data breaches, communication of data breaches to individuals, data protection impact assessments and when necessary consultation with the national data protection authorities, taking into account the nature of processing and the information available to the Data Processor (Article 28, para 3(f) GDPR); at Data Controller’ choice safely delete or return the Data at any time. It has been agreed that the Data Processor will in any event securely delete the Data at the end of the Services. Where the Data Processor is to delete the Data, deletion shall include the destruction of all existing copies unless otherwise a legal requirement to retain the Data (Article 28, para 3(g) GDPR); make immediately available to Data Controller all information necessary to demonstrate compliance with the obligations laid down under this Agreement and allow for and contribute to any audits, inspections or other verification exercises required by Data Controller from time to time (Article 28, para 3(h) GDPR); arrangements relating to the secure transfer of the Data from Data Controller to the Data Processor and the safekeeping of the Data by the Data Processor. maintain the integrity of the Data, without alteration, ensuring that the Data can be separated from any other information created; and contact the Data Controller within 36 hours if there is any personal data breach or incident where the Data may have been compromised. 3. Termination The Data Controller may immediately terminate this Agreement on written notice to the Processor. The Processor may not terminate this Agreement without the written consent of Data Controller. 4. General This Agreement may only be varied with the written consent of both parties. This Agreement represents the entire understanding of the parties relating to necessary legal protections arising out of their data controller/processor relationship under the Data Protection Laws. ANNEX Part A Details of personal data being passed and method of secure data transfer arrangements: The Purpose To provide services Data E-mail address of Data Controller’s users and other information which may identify a user of the Data Controller Data subjects Users of the Data Controller Third parties and recipients with access to the Data The Data Processor uses servers which are located in the United States. The recipients of Data are the highest management of the Data Processor. Data retention period Data will be retained until the Data Controller asks for the erasure, deletes its account, or terminates the Terms of Service of the Data Processor. ANNEX Part B Compliance with Article 32, para 1 of GDPR The Data Processor uses anonymization and encryption techniques to protect personal data. The Data Processor ensures the ongoing confidentiality, integrity, availability, and resilience of processing systems and related services. The Data Processor has a non-disclosure agreement with all its employees and other personnel. The data is shared only with management employees who need it to provide services. The Data Processor has a security policy and instructions for employees on how to handle GDPR requests. The Data Processor, depending on the technical possibility of its subprocessor, may restore the availability and access to personal data in a timely manner in the event of a physical or technical incident. The Data Processor provides processes for regularly testing, assessing and evaluating the effectiveness of the technical and organisational measures for ensuring the security of the processing. Compliance with Article 32, para 2 of GDPR The Data Processor assesses the appropriate level of security, in particular of the risks that are presented by processing, in particular from an accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to data transmitted, stored or otherwise processed. Compliance with Article 32, para 3 of GDPR There is no approved code of conduct referred to in Article 40 (GDPR) or an approved certification mechanism as referred to in Article 42 (GDPR) which may be used as an element by which to demonstrate compliance with the requirements. Compliance with Article 32, para 4 of GDPR The Data Processor processes the Data only on behalf of the Data Controller.