Definitions

1.1 “CCPA” means the California Consumer Privacy Act, as amended, including as amended by the California Privacy Rights Act of 2020, Cal. Civ. Code §1798.100 et. seq. and its implementing regulations. 

1.2 “Company” means the company on whose behalf the registration for the Platform as a customer has been completed and in connection therewith this Service Provider Agreement was entered into.

1.3 “Consumer” means “consumer” as defined in applicable U.S. Data Privacy and Protection Laws including the CCPA and the VCDPA. 

1.4 “Gilion” means Gilion AB reg. no. 559264-9726.

1.5 “Personal Information” means information that identifies, relates to, describes, is linked to, is reasonably capable of being associated with or could reasonably be linked, directly or indirectly with an identified or identifiable natural person, as defined by applicable Data Privacy and Protection laws and to which Gilion has access to from time to time in connection with performance of Services for the Company.

1.6 “Platform” means the digital platform provided by Gilion to which the Company is granted access in accordance with the Platform’s Terms of service. 

1.7 "Portfolio Companies" means the prospective or existing portfolio companies of the Company analyzed through the Platform.

1.8 “Process,” “Processing,” or “Processed,” means any operation or set of operations that are performed on Personal Information or sets of personal information, whether or not by automated means, such as collection, retention, use, storage, disclosure, analysis, deletion, or modification of Personal Information.

1.9 “Services” means the Platform and its content including the Result (as defined in the Terms of Service and the Services Agreement), features, functionalities, tools, data, software and services related thereto provided by Gilion.

1.10 “Services Agreement” means the operative contract Gilion has entered into with the Company that describes the Services to be provided (e.g., Services Contract, Statement of Work, Services Agreement, etc.).

1.11 “U.S. Data Privacy and Protection Laws” means all laws and regulations of the United States of America, including the CCPA and the VCDPA, applicable to the processing of Personal Information. 

1.12 “VCDPA” means the Virginia Consumer Data Protection Act, Va. Code. Ann. § 59.1-571 et seq. 

2. Processing Requirements

2.1 Company’s Role. The Company will provide or make available to Gilion or permit Gilion to access, create, collect, process, and/or disclose Personal Information for the purposes of providing services described in the Services Agreement. The Company will determine the purpose and means of processing such Personal Information. 

2.2 Gilion’s Role. Gilion will provide the Services and will process Personal Information in accordance with the Company’s instructions, with the business and commercial purposes enumerated in this Service Provider Agreement, and with the Services Agreement.

2.3 Processing Instructions. Gilion undertakes to process Personal Information only for the purposes set out in this Services Provider Agreement, and as necessary to provide the Services requested by the Company through its use of the Platform, unless otherwise required by applicable U.S. Data Privacy and Protection Laws.

2.4 Nature and Purposes for Processing. The Company is disclosing Personal Information and Gilion is processing such Personal Information only for the following limited business purposes:

1. Provide the Services;

2. enable the Company to analyze the performance and outlook of its Portfolio Companies, including through the calculation, aggregation, and presentation of metrics and analyses relating to Portfolio Companies; and 

3. provide analytical support for forecasting and metric purposes in connection with the Company’s use of the Platform. 

2.5 Gilion agrees and warrants that with respect to all Personal Information that it Processes on behalf of the Company, it will Process Personal Information only as required and as necessary for the purposes enumerated above or as otherwise permitted by applicable U.S. Data Privacy and Protection Laws and in order to provide the services as detailed in the Services Agreement, unless otherwise instructed by the Company in writing. Gilion shall not retain, use, or disclose the Personal Information it collects pursuant to this Service Provider Agreement for any purpose other than those specified in this contract. 

2.6 Gilion will have in place appropriate processes to assist the Company in responding to Consumer requests to exercise their rights under applicable U.S. Data Privacy and Protection Laws. This includes, but is not limited to processes that enable Gilion to provide, collect, or delete, Personal Information of Consumers upon request of the Company. As relevant, the Company will inform Gilion of any Consumer request pursuant to applicable U.S. Data Privacy and Protection Laws and will provide the information necessary for Gilion to comply with the request. If Gilion receives a request submitted by a Consumer to exercise a right under applicable U.S. Data Privacy and Protection Laws, it will provide a copy of the request to the Company. The Company will be responsible for handling and communicating with Consumers with respect to such requests. 

2.7 Gilion will not retain, use, or disclose Personal Information that it collected pursuant to this Service Provider Agreement outside the direct business relationship between Gilion and the Company, unless permitted by applicable U.S. Data Privacy and Protection Laws. Gilion shall not combine the Personal Information it receives from or on behalf of the Company with Personal Information which it receives from or on behalf of another person or persons, or collects from its own interactions with the Consumer unless expressly permitted by applicable U.S. Data Privacy and Protection Laws. 

2.8 Gilion shall not sell or share (as those terms are defined by applicable U.S. Data Privacy and Protection Laws) Personal Information that it collects pursuant to this Service Provider Agreement. 

2.9 Subcontractors. If Gilion engages a third party as a subcontractor to engage in the Processing of Personal Information, Gilion will notify the Company and ensure that the subcontractor has entered into a written agreement that is no less protective than this Service Provider Agreement and that is compliant with applicable U.S. Data Privacy and Protection Laws. Gilion shall notify any subcontractors who may have accessed Personal Information of any requests from Consumers to exercise their rights under applicable U.S. Data Privacy and Protection Laws.

2.10 Gilion will comply with applicable U.S. Data Privacy and Protection Laws, in its performance of this Service Provider Agreement, including providing the same level of privacy protection as required of the Company by such laws. Upon reasonable request of the Company, Gilion will make available to the Company all information in its possession necessary to demonstrate Gilion's compliance with its obligations under applicable U.S. Data Privacy and Protection Laws.

2.11 Audit and Assessment. The Company shall have the right to take reasonable and appropriate steps to ensure Gilion uses Personal Information that it collected pursuant to this Service Provider Agreement in a manner consistent with the Company’s obligations under applicable U.S. Data Privacy and Security Laws. Such steps may include ongoing manual reviews and automated scans of Gilion’s system. It may also include regular internal or third-party assessments, audits, or other technical and operational testing at least once every 12 months. Gilion will cooperate with such reasonable assessments by the Company. With respect to requirements under the VCDPA, Gilion may arrange for a qualified and independent assessor to conduct an assessment of Gilion’s policies and technical and organizational measures in support of its obligations under the VCDPA using an appropriate and accepted control standard or framework and assessment procedure. Gilion shall provide a report of such assessment to the Company upon request.

2.12 Gilion shall notify the Company after it makes a determination that it can no longer meet its obligations under applicable U.S. Data Privacy and Protection Laws. 

2.13 The Company shall have the right, upon notice, to take reasonable and appropriate steps to stop and remediate Gilion’s unauthorized use of Personal Information. 

3. Confidentiality 

3.1 Without impacting any existing contractual arrangement between the parties, Gilion will treat all Personal Information as confidential and it will inform all of its employees, agents, contractors, and any approved sub-processors, sub-providers, or subcontractors engaged in the processing of Personal Information that it should be treated as confidential. Gilion will ensure that all such persons are bound to a duty of confidentiality.

4. Information Security

Gilion will implement reasonable administrative, technical, and physical data security procedures and practices appropriate to the volume and nature of the Personal Information to protect the Personal Information from unauthorized or illegal access, destruction, use, modification, or disclosure. This includes, where applicable, encryption of Personal Information in transit (minimum TLS 1.2) and at rest (minimum AES-256).

5. Termination 

At the Company’s direction, Gilion will delete or return all Personal Information to the Company as requested at the end of the provision of Services, unless retention of the Personal Information is required by law.