Data Processing Agreement (DPA)
Draft — subject to final review by counsel. Effective 3 June 2026. This template is offered to customers whose use involves personal data; it is incorporated into the MSA/Order where applicable.
1. Roles and scope
This DPA applies where Mishale ("Processor") processes personal data on behalf of a customer ("Controller") in providing the service. Each party complies with applicable data protection law, including the UK/EU GDPR and US state privacy laws.
2. Processing details (Annex I)
- Subject matter: provision of the Computational Feasibility Memo service.
- Duration: the term of the MSA/Order plus any legally required retention.
- Nature & purpose: hosting, computation, generation and delivery of reports, support.
- Types of personal data: Controller account contacts (name, email); any personal data contained in Controller-submitted inputs (Controller should avoid submitting personal/patient data, which is not required to use the service).
- Categories of data subjects: Controller's authorised users.
3. Processor obligations
The Processor shall:
(a) process personal data only on the Controller's documented instructions, including this DPA and use of the service;
(b) ensure persons authorised to process are bound by confidentiality;
(c) implement appropriate technical and organisational security measures (Annex II);
(d) respect the conditions for engaging sub-processors (§4);
(e) assist the Controller, taking into account the nature of processing, in responding to data subject requests and in meeting its security, breach-notification, and impact-assessment obligations;
(f) notify the Controller without undue delay after becoming aware of a personal data breach;
(g) at the Controller's choice, delete or return personal data at the end of the services and delete existing copies unless legally required to retain them; and
(h) make available information necessary to demonstrate compliance and allow for reasonable audits.
4. Sub-processors
The Controller authorises the Processor to engage the sub-processors listed in the Sub-processor List. The Processor will inform the Controller of intended changes and remain responsible for its sub-processors' performance under equivalent data-protection terms.
5. International transfers
Where the Processor transfers personal data across borders, it will rely on a valid transfer mechanism (e.g. the EU Standard Contractual Clauses and the UK IDTA/Addendum), incorporated by reference.
6. Security measures (Annex II — summary)
Access controls and least-privilege access; encryption of data in transit; network isolation of databases; logging and monitoring; vendor due diligence; and incident response procedures.
7. Liability
Each party's liability under this DPA is subject to the limitations of liability in the MSA.
8. Governing law
This DPA is governed by the law specified in the MSA, and otherwise by the laws of the State of Delaware, USA.
Contact: jambo@mishale.bio.
Last updated 3 June 2026. Questions: jambo@mishale.bio.