DATA PROCESSING ADDENDUM

Contents

  1. How this DPA applies
  2. Data Processing Terms
  3. Schedule 1 – Europe Specific Provisions
  4. Schedule 2 – 2021 EU SCCs Annexes
  5. Schedule 3 – Swiss Addendum
  6. Schedule 4 – UK Addendum
  7. Schedule 5 – U.S. Specific Provisions

How this DPA applies

This Data Processing Addendum (“DPA”) forms part of the written Agreement or Purchase Order between Novocure GmbH (or a Novocure Affiliate as defined and described below) and Service Provider to which this DPA is referenced (hereinafter “Principal Agreement”). This DPA applies to the extent the Service Provider Processes Personal Data on behalf of Novocure GmbH or Novocure Affiliate in connection with the Services.

Except as otherwise expressly provided in the Principal Agreement, this DPA is effective and will become legally binding as of the effective date of the Principal Agreement.

Where Novocure GmbH is a party to the Principal Agreement, this DPA binds the same entities. Where a Novocure Affiliate is party to a Principal Agreement, this DPA applies between that Affiliate and the Service Provider. Novocure GmbH or a Novocure Affiliate, as applicable, are hereinafter referred to as “Novocure.”

This DPA consists of the main body of the DPA, and the following Schedules: Schedule 1 (Europe Specific Provisions), Schedule 2 (2021 EU SCCs Annexes), Schedule 3 (Swiss Addendum), Schedule 4 (UK Addendum) and Schedule 5 (U.S. Specific Provisions).

To the extent Personal Data from the European Economic Area (EEA), the United Kingdom or Switzerland are Processed by Service Provider, Novocure’s acceptance of the Principal Agreement shall be deemed to constitute acceptance of the applicable Transfer Mechanism (as defined below), and such Transfer Mechanism will be incorporated by reference into this DPA.

Any inquiry regarding the Processing of Personal Data under this DPA can be referred to Novocure’s data privacy team at dataprotection@novocure.com.

Data Processing Terms

1. Definitions

“Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with a subject entity. “Control,” for purposes of this definition, means direct or indirect ownership or control of more than fifty percent (50%) of the voting interests of the subject entity, or the right to direct the affairs of a subject entity.

“Applicable Law” shall mean all regional, national and international applicable laws, orders, statutes, codes, regulations, ordinances, decrees, rules, subordinate legislation, treaties, directives, bylaws, standards or other requirements with similar effect of any governmental or regulatory authority, which apply to Novocure GmbH or Service Provider in the circumstances governed by this DPA, including Data Protection Laws.

“Service Provider” means the Service Provider entity which is a party to this DPA, as specified in the section “How this DPA applies” above.

“Controller” means the entity which determines the purposes and means of the Processing of Personal Data.

“Data Breach” means the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Novocure Personal Data transmitted, stored or otherwise Processed by Service Provider or its Sub-processors.

“Data Protection Laws” means all laws and regulations (including, without limitation, European Data Protection Laws), which are applicable to Service Provider’s or a Sub-processor’s Processing of Personal Data under the Principal Agreement.

“Data Subject” means the identified or identifiable natural person to whom Personal Data relates.

“Europe” means the European Union (“EU”), the European Economic Area and/or their member states (“EEA”), Switzerland and the United Kingdom (“UK”).

“European Data” means Personal Data that is subject to the protection of European Data Protection Laws.

“European Data Protection Laws” means Data Protection Laws applicable in Europe, including, without limitation:

  • Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (“GDPR”);
  • applicable national implementations of the GDPR;
  • the Swiss Federal Act on Data Protection of September 25, 2023 (“FADP”); and
  • the United Kingdom Data Protection Act 2018 and the GDPR as saved into the United Kingdom law by virtue of section 3 of the United Kingdom’s European Union (Withdrawal) Act 2018.

“Novocure Affiliate” means any “Affiliate” (as defined above) of Novocure GmbH.

“Novocure Data” means what is defined in the Principal Agreement as “Novocure Data”, provided that such data is electronic data and information submitted by or for Novocure to the Services.

“Personal Data” means any information relating to an identified or identifiable natural person contained within Novocure Data, to the extent such information is protected under Data Protection Laws and Processed by Service Provider or a Sub-processor under the Principal Agreement. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

“Processing” (or “Processed” or “Process”) means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

“Processor” means the entity which Processes Personal Data on behalf of the Controller.

“Services” shall mean Service Provider’s services as defined in the Principal Agreement, or ancillary services rendered to Novocure by Service Provider, to which Novocure is being granted access under the Principal Agreement.

“Sub-processor” shall mean any third-party Processor engaged by Service Provider to Process Personal Data in order to provide the Services under the Principal Agreement.

“Supervisory Authority” means (a) an independent public authority which is established by an EU member state pursuant to the GDPR, (b) for the United Kingdom, the Information Commissioner’s Office, or (c) other independent competent public authority established or recognized under Data Protection Laws.

“Worker” shall mean any employee, staff member, agency worker or other full-time or temporary, paid or unpaid person working for Service Provider.

2. Introduction

(a) This DPA governs the manner in which Personal Data shall be Processed. Service Provider is the Processor of Personal Data and Novocure is the Controller of Personal Data under this DPA and the Principal Agreement. Where Novocure acts as a Processor on behalf of a third-party Controller, the Service Provider shall act as Novocure’s Sub-processor, as applicable.

(b) For the Services provided by Service Provider under the Principal Agreement, Novocure largely controls the upload and use of Novocure Data within the Services. Service Provider does not monitor Novocure Data or Novocure’s use of any such Novocure Data, unless Novocure submits an explicit written request to Service Provider to access it. Novocure is responsible for ensuring that Novocure Data is collected and transmitted to Service Provider in compliance with applicable Data Protection Laws and, in particular, for having a legal basis for Processing and for properly informing Data Subjects of the collection and Processing of their Personal Data.

(c) The subject-matter of Processing of Personal Data, the duration of the Processing of Personal Data, the nature and purpose of the Processing of Personal Data, and the types of Personal Data and categories of Data Subjects Processed under this DPA are further specified in Schedule 2 to this DPA.

3. General Personal Data Obligations

(a) The parties shall comply with the terms of this DPA, and each party is responsible for compliance with its respective obligations under applicable Data Protection Laws.

(b) Service Provider shall Process Personal Data on behalf of Novocure only in accordance with this DPA and documented instructions received from Novocure. Novocure hereby instructs Service Provider to Process Personal Data: (i) in accordance with the Principal Agreement and applicable Order Form(s), including to provide, support, and maintain the Services; (ii) to comply with documented reasonable instructions received from Novocure (e.g., via email) where such instructions are consistent with the terms of the Principal Agreement; and (iii) where required by Applicable Law. For clarification: The Processor shall not use any Personal Data for its own purposes, including but not limited to product improvement, analytics, profiling, marketing, or any commercial purpose not expressly instructed by the Controller. This prohibition includes the use of Personal Data to train algorithms, models, or other machine learning systems, regardless of whether the data is pseudonymized or aggregated. Novocure’s instructions for the Processing of Personal Data shall comply with Data Protection Laws. Service Provider shall notify Novocure about any instruction from Novocure which, in Service Provider’s opinion, infringes Data Protection Laws.

(c) If Service Provider is legally required to Process Personal Data otherwise than as instructed by Novocure, it shall inform Novocure before such Processing occurs, unless the law requiring such Processing prohibits Service Provider from informing Novocure on an important ground of public interest, in which case it shall notify Novocure as soon as that law permits it to do so.

(d) Additional instructions outside the scope of this DPA (if any) shall require prior written agreement between Service Provider and Novocure, including agreement on any additional fees payable by Novocure to Service Provider for carrying out such instructions.

(e) Service Provider agrees that Service Provider Workers who have access to Personal Data: (i) have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality; (ii) shall Process Personal Data only as instructed by Novocure, unless otherwise required to do so by Data Protection Laws; and (iii) shall be provided training as necessary from time to time with respect to Service Provider’s obligations under this DPA and under Data Protection Laws.

(f) Service Provider will not publish, disclose, divulge or otherwise permit third parties to access any Personal Data, except, in each case, in accordance with the Principal Agreement and this DPA (including as necessary to maintain and provide the Services and to Sub-processors in accordance with this DPA), with Novocure’s consent or as necessary to comply with the law or a valid and binding order of a governmental body (such as a subpoena or court order).

(g) Upon Novocure’s request, Service Provider shall provide Novocure with reasonable cooperation and assistance needed to fulfil Novocure’s obligation under Data Protection Laws to carry out a data protection impact assessment related to Novocure’s use of the Services or with any prior consultation that Novocure is legally required to make under Data Protection Laws in respect of Personal Data, taking into account the nature of the Processing and to the extent Novocure does not otherwise have access to the relevant information, and to the extent such information is available to Service Provider.

(h) Upon Novocure’s written request, Service Provider will provide reasonable assistance to Novocure in the event of an investigation by or request from any regulator, including a Supervisory Authority, or similar authority, if and to the extent that such investigation or request relates to Personal Data. Service Provider will take steps reasonably requested by Novocure to assist Novocure in complying with any obligations in connection with such an investigation or request.

4. Sub-processors

(a) Novocure agrees that Service Provider may use Sub-processors to fulfill its contractual obligations under this DPA or to provide certain services on its behalf, such as providing support services. Service Provider will share via email to dataprotection@novocure.com the list of its Sub-processors that are currently engaged by Service Provider to carry out Processing activities on Personal Data on behalf of Novocure immediately upon the effectiveness of this agreement. The list shall include information about Sub-processor’s legal entity name, address, service provided and further relevant information.

(b) Service Provider shall inform Novocure in writing of any intended changes to that list through the addition or replacement of Sub-processors at least thirty (30) days in advance, thereby giving Novocure sufficient time to be able to object to such changes prior to the engagement of the Sub-processor(s). If, within thirty (30) days of receipt of that notice, Novocure notifies Service Provider in writing of any reasonable objections to the proposed appointment based on reasonable grounds relating to data protection or Data Protection Laws, the parties shall negotiate in good faith a mutually acceptable alternative. If no such alternative is agreed within two months of the objection, Novocure may terminate the Principal Agreement with respect only to the Services which cannot be provided by Service Provider without the use of the objected-to new Sub-processor by providing written notice to Service Provider, with any such termination to be effective upon the conclusion of the then current billing cycle as set forth in the applicable Order Form(s).

(c) Where Service Provider engages a Sub-processor to carry out specific Processing activities (on behalf of Novocure), it shall do so by way of a written contract that provides for substantially similar data protection obligations as those binding Service Provider under this DPA with respect to the protection of Personal Data to the extent applicable to the nature of the Services provided by such Sub-processor. Service Provider shall conduct reasonable due diligence on its Sub-processors in line with industry standards for a Service Provider of similar size and resources.

(d) Service Provider shall remain fully responsible to Novocure for the performance of the Sub-processor’s obligations under its contract with Service Provider and for any acts or omissions of the Sub-processors that cause Service Provider to breach any of Service Provider’s obligations under this DPA.

5. Data Transfers

(a) Where Personal Data is transferred from Europe to a country outside of Europe, the parties acknowledge that steps must be taken to ensure that such data transfers comply with European Data Protection Laws. The parties acknowledge that similar obligations can apply for international transfers of Personal Data from a non-European country and shall in good faith take the steps required where necessary under Data Protection Laws to ensure the transfer complies with Data Protection Laws.

(b) To the extent Novocure’s use of the Services requires an onward transfer mechanism to lawfully transfer European Data from Europe to Service Provider or a Sub-processor located outside of Europe, the terms set forth in Schedule 1 (Europe Specific Provisions) of this DPA will apply to the Processing of European Data.

(c) Novocure Data is hosted in the region Novocure requests at the time the Principal Agreement is signed. Service Provider will not host Novocure Data in a different region, except with Novocure’s prior authorization, as necessary to provide the Services initiated by Novocure or as necessary to comply with the law or a binding order of a governmental body. Service Provider and its Sub-processors may Process Novocure Data from outside the hosting region in accordance with the Principal Agreement and this DPA. Any such cross-border Processing is hereby authorized by Novocure, provided it is in compliance with Data Protection Laws.

6. Notification of Access Requests and Complaints

(a) Service Provider shall, to the extent legally permitted, promptly notify Novocure of any Data Protection Communication it receives. “Data Protection Communication” shall mean (i) any request received by Service Provider from a Data Subject to exercise the Data Subject’s rights under Data Protection Laws (e.g., right of access or have copies of Personal Data, right to rectification, restriction of Processing, erasure, data portability, object to the Processing, or its right not to be subject to an automated individual decision making pertaining to his or her Personal Data); or (ii) any complaint or allegation made to Service Provider relating to Personal Data, either from a Data Subject, a Supervisory Authority or other third party.

(b) Service Provider shall not respond to a Data Protection Communication it receives, unless Service Provider is authorized to do so by Novocure or Service Provider is legally compelled to respond.

(c) Where Service Provider is compelled to respond to a Data Protection Communication, unless prohibited by law, it shall permit Novocure to make representations and/or participate in the response process to ensure compliance with Data Protection Laws.

(d) Novocure is responsible for responding to a Data Protection Communication received directly by Novocure by using its own access to the relevant Personal Data. If Novocure is unable to access the relevant Personal Data after reasonable efforts, Service Provider will, at Novocure’s request, provide reasonable assistance to Novocure in responding to any such Data Protection Communication directly received by Novocure to the extent the response to such Data Protection Communication is required under Data Protection Laws.

(e) For the avoidance of doubt, Data Protection Communications do not include legally binding requests or orders from governmental bodies, which are governed exclusively by Section 11.

7. Data Security Requirements

(a) Service Provider shall implement, maintain and comply with comprehensive information and network security programs, practices and procedures that govern the Services to ensure a level of security appropriate to the risk. Such programs, practices and procedures shall be in line with industry standards, taking into account the costs of implementation, the nature, scope, context and purposes of the Processing, and the risk of varying likelihood and severity for the rights and freedoms of individuals.

(b) In assessing the appropriate level of security, Service Provider shall take into account the risks that are presented by Processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored or otherwise Processed.

(c) Service Provider will implement, prior to the processing of Novocure Data, appropriate technical and organizational measures for the protection of Personal Data as detailed in Schedule 2.

(d) Service Provider will (i) ensure that all of its employees, contractors, and permitted Sub-processors are fully aware of their responsibilities to protect Personal Data in accordance with this DPA and (ii) take appropriate measures to ensure compliance with the Security Measures by its employees, contractors, and permitted Sub-processors.

8. Data Breach

(a) Service Provider shall notify Novocure without undue delay after becoming aware of a Data Breach. Such notification shall, to the extent possible, include: (i) a description of the nature of the Data Breach, including, where applicable, the categories and approximate number of affected Data Subjects and Personal Data records concerned; (ii) the likely consequences of the Data Breach; and (iii) the measures taken or proposed to be taken by Service Provider to address the Data Breach, including, where appropriate, measures to mitigate its possible adverse effects. In the event of a Data Breach, Service Provider shall provide Novocure with all reasonable assistance in investigating and mitigating the adverse effects of any such Data Breach. Service Provider will also provide all reasonable assistance to Novocure to enable Novocure to comply with its obligations under Data Protection Laws to notify the competent Supervisory Authority and the affected Data Subjects, taking into account the nature of Processing and the information available to Service Provider.

(b) Unless legally required by Data Protection Laws, Service Provider will not disclose Novocure’s identity in any communication about the Data Breach to any third party without obtaining Novocure’s prior written consent.

9. Certification and Audits

(a) Service Provider is certified under ISO 27001 and attested to SSAE 18 / ISAE 3402 audit standards and agrees to maintain an information security program for the Services that complies with the ISO 27001 standards or such other alternative standards that are substantially equivalent to these standards for the establishment, implementation, control and improvement of Service Provider security standards.

(b) Service Provider uses external auditors to validate the adequacy of its security standards and controls. Audit activities: (i) will be performed at least annually; (ii) will be performed according to ISO 27001 / SSAE 18 / ISAE 3402 standards or such other alternative standards that are substantially equivalent to ISO 27001; (iii) will be performed by independent third-party security professionals at Service Provider’s selection and expense; and (iv) will result in the generation of an audit report, which will be deemed Service Provider’s confidential information.

(c) At Novocure’s written request, Service Provider will provide Novocure with a confidential report summarizing the records set forth in Section 9(b) above so that Novocure can reasonably verify Service Provider’s compliance with its obligations under this DPA.

(d) Novocure may audit Service Provider’s compliance with its obligations under this DPA up to once per year; additionally, to the extent required by Data Protection Laws, including where mandated by Supervisory Authority, Novocure may perform more frequent audits of the procedures relevant to the protection of Novocure’s Personal Data (collectively, “Novocure Audit”). Service Provider will contribute to such Novocure Audits by providing Novocure with the information and assistance reasonably necessary to conduct the Novocure Audit, including any relevant records of Processing activities applicable to the Services ordered by Novocure.

(e) If a third party is to conduct the Novocure Audit, the third party must be mutually agreed to by Novocure and Service Provider (except if such third party is a competent Supervisory Authority). Service Provider will not unreasonably withhold its consent to a third-party auditor requested by Novocure. The third party must execute a written confidentiality agreement acceptable to Service Provider or otherwise be bound by a statutory confidentiality obligation before conducting the Novocure Audit.

(f) If the requested audit scope is addressed in a SSAE 18/ISAE 3402, ISO or similar audit report or certification issued by a qualified third party auditor within the prior twelve months and Service Provider provides such report or certification to Novocure confirming there are no known material changes in the controls audited, Novocure agrees to accept the findings presented in the third party audit report or certification in lieu of requesting an audit of the same controls covered by the report or certification.

(g) The Novocure Audit must be conducted during regular business hours at the applicable facility, subject to the agreed final audit plan and Service Provider’s health, safety, security or other relevant policies, and may not unreasonably interfere with Service Provider’s business activities or operations. Nothing in this Section 9 shall require Service Provider to breach its obligations under Applicable Law or breach its confidentiality, security or privacy obligations to any customers, employees or third parties.

(h) Novocure will provide Service Provider any audit reports generated in connection with any Novocure Audit, unless prohibited by Applicable Law or otherwise instructed by a Supervisory Authority. Novocure may use the audit reports only for the purposes of meeting Novocure’s regulatory audit requirements and/or confirming compliance with the requirements of this DPA. The audit reports are Confidential Information of the parties under the terms of the Principal Agreement.

(i) Any Novocure Audits are at Novocure’s expense, unless the Novocure Audit has to be performed due to a Data Breach at the Service Provider or where mandated by Supervisory Authority. The parties will negotiate in good faith with respect to any charges or fees that may be incurred by Service Provider to provide assistance with a Novocure Audit that requires the use of resources different from or in addition to those required for the provision of the Services. Before the commencement of a Novocure Audit, Novocure and Service Provider shall mutually agree upon the reimbursement rate for which Novocure shall be responsible for any time expended for any such Novocure Audit. All reimbursement rates shall be reasonable, taking into account the resources expended by Service Provider.

10. Return and Deletion of Personal Data

Service Provider will, at Novocure’s option, delete or return all Novocure Data, including Personal Data, within a reasonable time after termination or expiration of the Principal Agreement in accordance with the Principal Agreement, and provide certification thereof to Novocure. Until all Personal Data is deleted or returned, Service Provider shall continue to ensure compliance with this DPA. If Applicable Law prohibits the return or deletion of Personal Data, Service Provider will continue to ensure compliance with this DPA and will only Process Personal Data to the extent and for as long as required under Applicable Law.

11. Requests for Personal Data from Governmental Bodies

(a) If Service Provider receives a valid and binding order (“Request”) from any governmental body (“Requesting Party”) for disclosure of Personal Data, Service Provider will, to the extent permitted by Applicable Law, use every reasonable effort to redirect the Requesting Party to request Personal Data directly from Novocure. As part of this effort, Service Provider may provide Novocure’s basic contact information to the Requesting Party.

(b) If compelled to disclose Personal Data to a Requesting Party, Service Provider will give Novocure reasonable notice of the Request to allow Novocure to seek a protective order or other appropriate remedy, unless Service Provider is legally prohibited from doing so. If Service Provider is prohibited from notifying Novocure about the Request, Service Provider will (i) use all reasonable and lawful efforts to obtain a waiver of the prohibition, to allow Service Provider to communicate as much information to Novocure as soon as possible; and (ii) to the extent permitted by Applicable Law, challenge any overbroad or inappropriate Request (including where such Request conflicts with the law of Europe).

(c) If, after exhausting the steps described above in this Section, Service Provider remains compelled to disclose Personal Data to a Requesting Party, Service Provider will disclose only the minimum amount of Personal Data necessary to satisfy the Request.

(d) Nothing in this Section restricts Novocure’s Data Subjects from exercising their rights under the GDPR, including their rights to compensation from Service Provider for material or non-material damage under, and in accordance with, Article 82 of the GDPR.

12. Liability

Each party and each of their affiliates’ liability, taken in aggregate, arising out of or related to this DPA, will be subject to the limitations and exclusions of liability set out in the Principal Agreement to the extent that such limitations and exclusions are allowed under the applicable law.

13. Miscellaneous

  • In the event of any conflict or inconsistencies between the provisions of this DPA and the Principal Agreement, the provisions of this DPA shall prevail.
  • This DPA will remain in effect until, and will automatically expire upon, return or deletion of all Personal Data by Service Provider and any applicable Sub-processors.
  • If any provision of this DPA is found by any court or administrative body of competent jurisdiction to be invalid or unenforceable, the invalidity or unenforceability of such provision shall not affect any other provision of this DPA, and all provisions not affected by such invalidity or unenforceability will remain in full force and effect.

Schedule 1 – Europe Specific Provisions

This Schedule 1 is supplemental to the DPA and sets out the terms that apply to the extent that Novocure’s use of the Services requires an onward transfer mechanism to lawfully transfer European Data from Europe to Service Provider or a Sub-Processor in a country located outside of Europe that does not ensure an adequate level of data protection within the meaning of European Data Protection Laws.

1. Definitions

“2021 EU SCCs” means the Standard Contractual Clauses sections I, II, III and IV (as applicable) for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and the Council approved by European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, as currently set out at https://ec.europa.eu/info/system/files/1_en_annexe_acte_autonome_cp_part1_v5_0.pdf, subject to the terms in this Schedule 1.

For transfers from Novocure as Controller, Module Two (Controller-to-Processor) shall apply. For transfers where Novocure acts as a Processor on behalf of an Affiliate or third-party Controller, and Service Provider acts as its Sub-processor, Module Three (Processor-to-Sub-processor) shall apply. All relevant provisions of this DPA and Schedule 2 shall apply accordingly to Module Three, mutatis mutandis.

“UK International Data Transfer Addendum” or “UK IDTA” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the United Kingdom Information Commissioner under section 119A(1) of the Data Protection Act 2018, Version B1.0, in force 21 March 2022, as currently set out at https://ico.org.uk/media/fororganisations/documents/4019539/international-data-transfer-addendum.pdf, subject to Schedule 1 and Schedule 4.

“Swiss SCCs” means the 2021 EU SCCs, as amended by the Swiss Addendum in Schedule 3, subject to the terms in this Schedule 1.

“Transfer Mechanism” means, depending on the circumstances unique to Novocure, any of the following: (a) the 2021 EU SCCs, (b) the Swiss SCCs, and/or (c) the UK IDTA.

2. Transfer Mechanisms for European Data Transfers

(a) 2021 EU SCCs. The 2021 EU SCCs will apply to European Data that is transferred from the EEA to any country or recipient outside the EEA that is not recognized by the European Commission as providing an adequate level of protection for European Data. For European Data transfers from the EEA that are subject to the 2021 EU SCCs, the 2021 EU SCCs will be deemed entered into (and incorporated into this DPA by this reference).


 

(b) UK International Data Transfer Addendum. The UK IDTA will apply to European Data that is transferred from the UK to any country or recipient outside the UK that is not recognized by the competent UK regulatory authority or governmental body for the UK as providing an adequate level of protection for European Data. For European Data transfers from the UK that are subject to the UK IDTA, the UK IDTA will be deemed entered into (and incorporated into this DPA by this reference).


 

(c) Swiss SCCs. The Swiss SCCs will apply to European Data that is transferred from Switzerland to any country or recipient outside Switzerland that is not recognized by the competent authority for Switzerland as providing an adequate level of protection for European Data. For European Data transfers from Switzerland that are subject to the Swiss SCCs, and pursuant to the statement issued 27 August 2021 by the FADP, the Swiss SCCs will be deemed entered into (and incorporated into this DPA by this reference).


 

(d) If the Service Provider relies on a data transfer mechanism other than the 2021 EU SCCs, the UK IDTA or the Swiss SCCs for the transfer of personal data outside the European Economic Area, the Service Provider shall provide Novocure with appropriate evidence of such mechanism, including, where applicable, documentation evidencing the approval of Binding Corporate Rules (BCR) or any other legally recognized data transfer mechanism under applicable data protection laws.


 

(e) Invalid Transfer Mechanism. In the event that a Transfer Mechanism is no longer a valid mechanism for transfer of European Data, the parties shall, as required by European Data Protection Laws, negotiate in good faith a mutually acceptable alternative, valid mechanism. If the parties are unable to agree on such an alternative mechanism within thirty (30) days of commencing negotiations, the parties shall implement the Standard Contractual Clauses (or any successor mechanism approved by the responsible data protection authorities) as a fall-back option to ensure the continued lawful transfer of European Data.


 

(f) Notice & Conflicts. Any notice to be given under a Transfer Mechanism will be made in accordance with this DPA and the Principal Agreement. In the event of any conflict or inconsistency between the body of this DPA and a Transfer Mechanism, the Transfer Mechanism shall prevail.


 

3. Terms for the 2021 EU SCCs


 

(a) Docking Clause. In Clause 7 of the 2021 EU SCCs, the optional docking clause will apply.


 

(b) Redress. In Clause 11 of the 2021 EU SCCs, the optional language will not apply.


 

(c) Supervision. Where Novocure is the data exporter, the supervisory authority shall be the competent supervisory authority that has supervision over Novocure in accordance with Schedule 2 of this DPA.


 

(d) Governing Law. In Clause 17 (Option 1), the 2021 EU SCCs will be governed by the law of Germany.


 

(e) Jurisdiction. In Clause 18(b) of the 2021 EU SCCs, disputes will be resolved before the courts of Germany.


 

(f) Annex I and II. See Schedule 2 for the information in Annex I and Annex II of the 2021 EU SCCs.


 

(g) Instructions. This DPA and the Principal Agreement are Novocure’s complete and final documented instructions to Service Provider for the Processing of Personal Data. Any additional or alternate instructions must be consistent with the terms of this DPA and the Principal Agreement. For the purposes of Clause 8.1(a) of the 2021 EU SCCs, the instructions by Novocure to Process Personal Data are set out in this DPA and the Principal Agreement and include onward transfers to a third party located outside Europe for the purpose of the performance of the Services in accordance with this DPA and the Principal Agreement.


 

(h) New Sub-processors and List of current Sub-processors. Option 2 under Clause 9 shall apply. For the purposes of Clause 9(a), Service Provider has Novocure’s general authorization to engage Sub-processors in accordance with this DPA. Service Provider shall make available to Novocure the current list of Sub-processors in accordance with this DPA. Pursuant to Clause 9(a), Novocure acknowledges and expressly agrees that Service Provider may engage new Sub-processors as described in this DPA. Service Provider shall inform Novocure of any changes to Sub-processors following the procedure provided for in this DPA.


 

(i) Copies of Sub-processor Agreements. The parties agree that the copies of the Sub-processor agreements that must be provided by Service Provider to Novocure pursuant to Clause 9(c) of the 2021 EU SCCs may have all commercial information, or clauses unrelated to the 2021 EU SCCs or their equivalent, removed by Service Provider beforehand; and, that such copies will be provided by Service Provider, in a manner to be determined in its discretion, only upon written request by Novocure.


 

(j) Audits and Certifications. The parties agree that the audits described in Clause 8.9 of the 2021 EU SCCs shall be carried out in accordance with this DPA.


 

(k) Certification of Deletion. The parties agree that the certification of deletion of Personal Data that is described in Clause 8.5 and 16(d) of the 2021 EU SCCs shall be provided by Service Provider to Novocure only upon Novocure’s written request.


 

(l) Security of Processing. For the purposes of Clause 8.6(a) of the 2021 EU SCCs, Novocure is solely responsible for making an independent determination as to whether the technical and organizational measures set forth in this DPA meet Novocure’s requirements and agrees that (taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of the Processing of its Personal Data as well as the risks to individuals) the security measures and policies implemented and maintained by Service Provider provide a level of security appropriate to the risk with respect to its Personal Data. For the purposes of Clause 8.6(c) of the 2021 EU SCCs, Personal Data breaches will be handled in accordance with this DPA.


 

(m) Notification of Government Access Requests. For the purposes of Clause 15(1)(a) of the 2021 EU SCCs, Service Provider shall notify Novocure (only) and not the Data Subject(s) in case of government access requests. Novocure shall be solely responsible for promptly notifying the Data Subject as necessary.


 


 

Schedule 2 – 2021 EU SCCs Annexes


 

ANNEX I


 

LIST OF PARTIES


 

Data exporter(s):

[Identity and contact details of the data exporter(s) and, where applicable, of its/their data protection officer and/or representative in the European Union]


 

Name: Novocure GmbH or the relevant Novocure Affiliate, as defined above in this DPA (“Novocure”)
Address: Novocure’s address, as set out in the Principal Agreement
Contact person’s name, position and contact details: The Novocure contact details of its license administrator, as set out in the Service Provider Order Form; dataprotection@novocure.com
Activities relevant to the data transferred under these Clauses: Processing of Personal Data in connection with the provision of the Services and Novocure’s use of the Services under the Principal Agreement
Role: Controller


 



 

Data importer(s):

[Identity and contact details of the data importer(s), including any contact person with responsibility for data protection]


 

Name: Service Provider as defined above in this DPA
Address: Service Provider’s address, as set out in the Principal Agreement
Contact person’s name, position and contact details: The Service Provider contact details of its license administrator, as set out in the Service Provider Order Form
Activities relevant to the data transferred under these Clauses: Processing of Personal Data in connection with the provision of the Services and Novocure’s use of the Services under the Principal Agreement. Service Provider’s activities may involve Processing Personal Data provided by the data exporter in accordance with the terms of the Principal Agreement.
Role: Processor


 

DESCRIPTION OF TRANSFER


 

Categories of data subjects whose personal data is transferred

Data exporter may submit Personal Data to the Services provided by data importer, the extent of which is determined and controlled by data exporter. Such data may include Personal Data relating to data exporters’ employees, patients, contractors, business partners or other individuals whose Personal Data is stored in the Services.


 

Categories of personal data transferred

Data exporter may submit Personal Data to the Services provided by data importer, the extent of which is determined and controlled by data exporter. Such data may include the following categories of Personal Data:


 

  • Basic data (e.g. first and last name)
  • Employment data (e.g. title, position, employer, professional qualifications)
  • Contact details (e.g. company, email, phone, physical business address)
  • Business relationship data (e.g. details on the current, past and future relationship to the data exporter)


 

Sensitive data transferred (if applicable)

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.


 

The parties do not anticipate the transfer of sensitive data, unless the Services provided by the data importer relate to Novocure patients, in which case health and disability information may be processed by the Service Provider.


 

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).

Continuous basis given the use of the Services as determined by the data exporter


 

Nature of the processing

Processing of Personal Data in connection with the provision of the Services and Novocure’s use of the Services under the Principal Agreement. It may include collection, recording, modification, structuring, storage, retrieval, consultation, disclosure, dissemination, combination, comparison, restriction, erasure and communication of Personal Data.


 

Purpose(s) of the data transfer and further processing

The data importer is Processing Personal Data for the purpose of providing, supporting, maintaining the Services (in accordance with the DPA).


 

Data importer will Process Personal Data in accordance with the Principal Agreement and where required by Applicable Law.


 

Data importer will Process Personal Data to comply with other documented reasonable instructions received by data exporter (e.g., via email) where such instructions are consistent with the terms of the DPA and the Principal Agreement.


 

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

Data importer will generally Process Personal Data for the duration of the Principal Agreement, unless otherwise agreed upon in writing.


 

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

As per the “purpose(s) of the data transfer and further processing” section above, the Sub-processor will Process Personal Data as necessary to provide the Services and perform the services pursuant to the Principal Agreement.


 

Subject to the terms of the DPA, the Sub-processor will Process Personal Data for the duration of the Principal Agreement, unless otherwise agreed in writing.


 

Data importer may transfer Personal Data to its Sub-processors in accordance with the DPA.


 

The subject matter, nature and location of the Processing of Personal Data by Sub-processors is provided separately by Service Provider.


 

COMPETENT SUPERVISORY AUTHORITY


 

Identify the competent supervisory authority/ies in accordance with Clause 13


 

Where the data exporter is established in an EU Member State, the supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer shall act as competent supervisory authority.


 

Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) of Regulation (EU) 2016/679, the supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established shall act as competent supervisory authority.


 

Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) without however having to appoint a representative pursuant to Article 27(2) of Regulation (EU) 2016/679, the Swiss Federal Data Protection and Information Commissioner shall act as competent supervisory authority.


 

ANNEX II: TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA


 

Novocure maintains an ISO 27001:2022 certification through regular certification and surveillance audits conducted by an independent third party, and expects a comparable level of data privacy and protection from its vendors.


 

Technical Measures


 

Pseudonymization and Encryption

Rendering personal data unreadable or difficult to attribute to an individual without further information, both in transit and at rest (e.g., encrypting laptops, databases, and backups).


 

  • A.8.11 Data masking shall be used in accordance with the organization’s topic-specific policies and business requirements, taking applicable legislation into consideration.
  • A.8.24 Rules for the effective use of cryptography, including cryptographic key management, shall be defined and implemented.


 

Access Control

Mechanisms to ensure only authorized individuals can access personal data (e.g., secure logins, multi-factor authentication (MFA), role-based permissions, and timely removal of access for former employees).


 

  • A.5.11 Personnel and other interested parties as appropriate shall return all the organization’s assets in their possession upon change or termination of their employment, contract or agreement.
  • A.5.15 Rules to control physical and logical access to information and other associated assets shall be established and implemented based on business and information security requirements.
  • A.5.16 The full life cycle of identities shall be managed.
  • A.5.17 Allocation and management of authentication information shall be controlled by a management process, including advising personnel on appropriate handling of authentication information.
  • A.8.2 The allocation and use of privileged access rights shall be restricted and managed.
  • A.8.3 Access to information and other associated assets shall be restricted in accordance with the established topic-specific policy on access control.
  • A.8.5 Secure authentication technologies and procedures shall be implemented based on information access restrictions and the topic-specific policy on access control.


 

System Integrity and Resilience

Using measures like firewalls, regular security audits, and vulnerability assessments to protect systems against unauthorized access or network vulnerabilities.


 

  • The organization shall plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting.
  • A.5.3 Conflicting duties and conflicting areas of responsibility shall be segregated.
  • A.5.33 Records shall be protected from loss, destruction, falsification, unauthorized access and unauthorized release.
  • A.7.13 Equipment shall be maintained correctly to ensure availability, integrity and confidentiality of information.
  • A.8.8 Information about technical vulnerabilities of information systems in use shall be obtained, the organization’s exposure to such vulnerabilities shall be evaluated and appropriate measures shall be taken.
  • A.8.22 Groups of information services, users and information systems shall be segregated in the organization’s networks.
  • A.8.26 Information security requirements shall be identified, specified and approved when developing or acquiring applications.
  • A.8.32 Changes to information processing facilities and information systems shall be subject to change management procedures.


 

Input and Transmission Control

Tracking who is changing data and when (detailed logging/audit trails), and protecting data during transfer using secure methods (e.g., HTTPS, VPNs).


 

  • A.8.1 Information stored on, processed by or accessible via user end point devices shall be protected.
  • A.8.12 Data leakage prevention measures shall be applied to systems, networks and any other devices that process, store or transmit sensitive information.
  • A.8.15 Logs that record activities, exceptions, faults and other relevant events shall be produced, stored, protected and analysed.


 

Availability Control

Implementing regular data backups and testing a disaster recovery plan to ensure systems and data remain available even after an incident.


 

  • A.5.29 The organization shall plan how to maintain information security at an appropriate level during disruption.
  • A.8.13 Backup copies of information, software and systems shall be maintained and regularly tested in accordance with the agreed topic-specific policy on backup.
  • A.8.14 Information processing facilities shall be implemented with redundancy sufficient to meet availability requirements.


 

Organizational Measures


 

Internal Policies and Procedures

Clearly defined responsibilities and policies for data handling and security with a security officer or a designated member of senior management appointed to be responsible for the coordination and monitoring of information security rules and procedures.


 

  • A.5.1 Information security policy and topic-specific policies shall be defined, approved by management, published, communicated to and acknowledged by relevant personnel and relevant interested parties, and reviewed at planned intervals and if significant changes occur.
  • A.5.4 Management shall require all personnel to apply information security in accordance with the established information security policy, topic-specific policies and procedures of the organization.
  • A.5.10 Rules for the acceptable use and procedures for handling information and other associated assets shall be identified, documented and implemented.
  • A.5.12 Information shall be classified according to the information security needs of the organization based on confidentiality, integrity, availability and relevant interested party requirements.
  • A.5.19 Processes and procedures shall be defined and implemented to manage the information security risks associated with the use of supplier’s products or services.
  • A.5.31 Legal, statutory, regulatory and contractual requirements relevant to information security and the organization’s approach to meet these requirements shall be identified, documented and kept up to date.
  • A.5.34 The organization shall identify and meet the requirements regarding the preservation of privacy and protection of PII according to applicable laws and regulations and contractual requirements.
  • A.5.36 Compliance with the organization’s information security policy, topic-specific policies, rules and standards shall be regularly reviewed.
  • A.5.37 Operating procedures for information processing facilities shall be documented and made available to personnel who need them.
  • A.6.6 Confidentiality or non-disclosure agreements reflecting the organization’s needs for the protection of information shall be identified, documented, regularly reviewed and signed by personnel and other relevant interested parties.


 

Staff Training

Providing ongoing and appropriate data protection and security training to all employees.


 

  • A.6.3 Personnel of the organization and relevant interested parties shall receive appropriate information security awareness, education and training and regular updates of the organization’s information security policy, topic-specific policies and procedures, as relevant for their job function.
  • A.8.7 Protection against malware shall be implemented and supported by appropriate user awareness.


 

Physical Security

Measures to ensure the physical security of paper files and hardware, such as secure offices and locked cabinets.


 

  • A.7.1 Security perimeters shall be defined and used to protect areas that contain information and other associated assets.
  • A.7.2 Secure areas shall be protected by appropriate entry controls and access points.
  • A.7.3 Physical security for offices, rooms and facilities shall be designed and implemented.
  • A.7.4 Premises shall be continuously monitored for unauthorized physical access.
  • A.7.5 Protection against physical and environmental threats, such as natural disasters and other intentional or unintentional physical threats to infrastructure shall be designed and implemented.
  • A.7.14 Items of equipment containing storage media shall be verified to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal or re-use.


 

Audit and Review Processes

A documented procedure for the periodic review, assessment, and evaluation of the effectiveness of all implemented measures to ensure ongoing compliance.


 

  • A.5.35 The organization’s approach to managing information security and its implementation including people, processes and technologies shall be reviewed independently at planned intervals, or when significant changes occur.
  • A.8.34 Audit tests and other assurance activities involving assessment of operational systems shall be planned and agreed between the tester and appropriate management.


 

Incident Response Plan

A clear strategy for responding to data breaches or security incidents.


 

  • A.5.24 The organization shall plan and prepare for managing information security incidents by defining, establishing and communicating information security incident management processes, roles and responsibilities.
  • A.5.25 The organization shall assess information security events and decide if they are to be categorized as information security incidents.
  • A.5.26 Information security incidents shall be responded to in accordance with the documented procedures.
  • A.5.27 Knowledge gained from information security incidents shall be used to strengthen and improve the information security controls.
  • A.6.8 The organization shall provide a mechanism for personnel to report observed or suspected information security events through appropriate channels in a timely manner.
  • A.8.16 Networks, systems and applications shall be monitored for anomalous behaviour and appropriate actions taken to evaluate potential information security incidents.


 

Data Minimisation and Storage Limitation

Policies to ensure only necessary data is collected and is not stored for longer than required for its specific purpose.


 

  • A.8.10 Information stored in information systems, devices or in any other storage media shall be deleted when no longer required.


 


 

Schedule 3 – Swiss Addendum


 

This Schedule 3 (“Swiss Addendum”) shall apply only if Service Provider, in the performance of the Services, transfers European Data from Switzerland to a country that has not been recognized by the relevant authorities as providing an adequate level of protection of European Data, to the extent such transfers are subject to the Swiss Data Protection Laws, pursuant to the statement issued 27 August 2021 by the FDPI Commissioner.


 

1. Interpretation of this Addendum


 

Where this Swiss Addendum uses terms that are defined in the Clauses, those terms shall have the same meaning as in the 2021 EU SCCs. In addition, the following terms have the following meanings:


 

This Swiss Addendum: This Swiss Addendum to the 2021 EU SCCs
Clauses: The 2021 EU SCCs
FADP: Swiss Federal Act on Data Protection of 19.6.1992 as amended


 

This Swiss Addendum shall be read and interpreted in the light of the provisions of the FADP, and so that it fulfils the intention for it to provide the appropriate safeguards as required by Article 46 GDPR.


 

This Swiss Addendum shall not be interpreted in a way that conflicts with rights and obligations provided for in the FADP.


 

Any references to legislation (or specific provisions of legislation) means that legislation (or specific provision) as it may change over time. This includes where that legislation (or specific provision) has been consolidated, reenacted and/or replaced after this Swiss Addendum has been entered into.


 

2. Hierarchy


 

In the event of a conflict or inconsistency between this Swiss Addendum and the provisions of the Clauses or other related agreements between the parties, existing at the time this Addendum is agreed or entered into thereafter, the provisions which provide the most protection to Data Subjects shall prevail.


 

3. Incorporation of the Clauses


 

(a) In relation to any processing of personal data subject to Swiss Data Protection Law, this Swiss Addendum amends the Clauses to the extent necessary, so they operate:


 

  • for transfers made by the data exporter to the data importer, to the extent that the FADP applies to the data exporter’s processing when making that transfer; and
  • to provide appropriate safeguards for the transfers in accordance with the FADP.


 

(b) The amendments to the Clauses required by Section 3(a) above include (without limitation):


 

  • In Clause 2, the words: “and, with respect to data transfers from controller to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679” are deleted.
  • Clause 6 Description of the transfer(s) is replaced with: “The details of the transfers(s) and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred are those specified in Annex I.B where the FADP applies to the data exporter’s processing when making that transfer.”
  • References to “Regulation (EU) 2016/679” or “that Regulation” or “GDPR” are replaced by “the FADP” and references to specific Article(s) of “Regulation (EU) 2016/679” or “GDPR” are replaced with the equivalent Article or Section of the FADP.
  • References to Regulation (EU) 2018/1725 are removed.
  • References to the “European Union”, “Union”, “EU”, “EEA”, “EU Member State”, “Member State of the EU”, “Member State of the EEA” and “member state” are all replaced with “Switzerland”.
  • Clause 13(a) and Part C of Annex II are not used; the “competent supervisory authority” is the Swiss Federal Data Protection and Information Commissioner;
  • Clause 17 is replaced to state “These Clauses are governed by the laws of Switzerland”.
  • Clause 18 is replaced to state: “Any dispute arising from these Clauses shall be resolved by the courts of Switzerland. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of Switzerland. The parties agree to submit themselves to the jurisdiction of such courts.”
  • The footnotes to the Clauses do not form part of the Swiss Addendum.


 


 

Schedule 4 – UK Addendum


 

This Schedule 4 (“UK Addendum”) shall apply only if Service Provider, in the performance of the Services, transfers European Data from the United Kingdom to a country that has not been recognized by the relevant authorities as providing an adequate level of protection of European Data, to the extent such transfers are subject to UK Data Protection Laws.


 

Table 1: Parties


 

Start date: Effective date of the DPA to which this Schedule is attached.

The Parties: Exporter (who sends the Restricted Transfer) and Importer (who receives the Restricted Transfer)

Parties’ details (Exporter):
Full legal name: Novocure GmbH or the Novocure Affiliate (“Novocure”), as set out on the applicable Principal Agreement
Main address (if a company registered address): As set out on the applicable Principal Agreement
Official registration number (if any) (company number or similar identifier):

Parties’ details (Importer):
Full legal name: Service Provider, as set out on the applicable Principal Agreement
Main address (if a company registered address): As set out on the applicable Principal Agreement
Official registration number (if any) (company number or similar identifier):

Key contact (Exporter): Novocure administrator as set out on the applicable Principal Agreement; Data privacy team: dataprotection@novocure.com
Key contact (Importer): Service Provider administrator as set out on the applicable Principal Agreement


 

Table 2: Selected SCCs, Modules and Selected Clauses


 

Addendum EU SCCs: ☒ The version of the Approved EU SCCs which this Addendum is appended to, detailed below, including the Appendix Information:
Date: See effective date of the DPA to which this Schedule is attached.
Reference (if any): N/A
Other identifier (if any): 2021 EU SCCs as defined in Schedule 1 of the DPA

Or

☐ the Approved EU SCCs, including the Appendix Information and with only the following modules, clauses or optional provisions of the Approved EU SCCs brought into effect for the purposes of this Addendum:

Columns: Module; Module in operation; Clause 7 (Docking clause); Clause 11 (Option); Clause 9a (Prior Authorization or General Authorization); Clause 9a (Time period); Is personal data received from the Importer combined with personal data collected by the Exporter?

Module 1: N/A in all columns (module not in operation).
Module 2: Module in operation: Yes; Clause 7 (Docking clause): Yes; Clause 11 (Option): No; Clause 9a: General Authorization; Clause 9a (Time period): 30 days; Personal data received from the Importer combined with personal data collected by the Exporter: No.
Module 3: Module in operation: Yes; Clause 7 (Docking clause): Yes; Clause 11 (Option): No; Clause 9a: General Authorization; Clause 9a (Time period): 30 days; Personal data received from the Importer combined with personal data collected by the Exporter: No.
Module 4: N/A in all columns (module not in operation).


 

Table 3: Appendix Information


 

“Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this Addendum is set out in:


 

Annex IA: List of Parties: See Schedule 2, Annex IA to this DPA.
Annex IB: Description of Transfer: See Schedule 2, Annex IB to this DPA.
Annex II: Technical and organizational measures including technical and organizational measures to ensure the security of the data: See Schedule 2, Annex II to this DPA.
Annex III: List of Sub-processors (Modules 2 and 3 only): Annex III not applicable


 

Table 4: Ending this Addendum when the Approved Addendum Changes


 

Ending this Addendum when the Approved Addendum changes: Which Parties may end this Addendum as set out in Section 19.
☒ Importer
☒ Exporter
☐ Neither Party


 

Part 2: Mandatory Clauses


 

Mandatory Clauses: Part 2: Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses, is incorporated by reference herein.


 


 

Schedule 5 – U.S. Specific Provisions


 

This Schedule 5 (“U.S. Addendum”) shall apply solely to the extent that Service Provider, in the provision of the Services to Novocure, Processes Consumer Personal Information.


 

The terms used in this U.S. Addendum shall have the meanings set forth in this U.S. Addendum. Capitalized terms not otherwise defined herein shall have the meaning given to them in the DPA. The terms and conditions of this U.S. Addendum are in addition to those of the DPA, thus both the DPA and this U.S. Addendum shall apply; provided, however, that in the event of a conflict between the terms and conditions of the DPA and those of this U.S. Addendum, this Addendum shall prevail.


 

1. Definitions


 

“CCPA” means the California Consumer Privacy Act of 2018, as amended, including as amended by the California Privacy Rights Act of 2020, together with all implementing regulations.


 

“Consumer Personal Information” means any information that relates to an individual that falls within the definition of “personal information”, “personal data” or other comparable term as defined by U.S. Data Protection Laws, to the extent such information is protected under U.S. Data Protection Laws and contained within Novocure Data.


 

“CPA” means the Colorado Privacy Act, together with all implementing regulations.


 

“CTDPA” means the Connecticut Act Concerning Data Privacy and Online Monitoring.


 

“UCPA” means the Utah Consumer Privacy Act.


 

“U.S. Data Protection Laws” means all state and federal data privacy regulations of the United States of America (including, without limitation, the CCPA, VCDPA, CPA, CTDPA and UCPA), which are applicable to Service Provider’s or a Sub-processor’s Processing of Consumer Personal Information under the Principal Agreement.


 

“VCDPA” means the Virginia Consumer Data Protection Act.


 

For the purposes of this U.S. Addendum only, “Controller”, “Processor”, “Service Provider”, “Sell”, “Share”, “Business”, “Business Purpose”, “Commercial Purpose”, “Consumer” and “Processing” shall have the meanings given to these terms in U.S. Data Protection Laws.


 

2. Roles of the Parties


 

The parties agree that for the purposes of U.S. Data Protection Laws, Service Provider acts as a Service Provider or Processor for Consumer Personal Information with respect to the provision of the Services under the Principal Agreement.


 

3. Definitions in the DPA


 

  • The definition of “Data Protection Laws” in the DPA includes “U.S. Data Protection Laws” as defined in this U.S. Addendum.
  • The definition of “Personal Data” in the DPA includes “Consumer Personal Information.”
  • The definition of “Data Subject” in the DPA includes “Consumer.”
  • The definition of “Controller” in the DPA includes “Business.”
  • The definition of “Processor” in the DPA includes “Service Provider.”
  • The definition of “Processing” in the DPA includes “Processing” as defined in U.S. Data Protection Laws.


 

4. Data Processing Terms


 

By executing the Principal Agreement:


 

  • Service Provider will comply with all obligations applicable to it as a Service Provider or Processor under U.S. Data Protection Laws. Service Provider will provide Consumer Personal Information with the same level of privacy protection as is required by U.S. Data Protection Laws.
  • Service Provider will not Sell or Share Consumer Personal Information.
  • Service Provider will not retain, use, or disclose Consumer Personal Information for any purpose other than the Business Purposes specified in the DPA and the Principal Agreement (including retaining, using, or disclosing Consumer Personal Information for a Commercial Purpose other than those Business Purposes), except as otherwise permitted by Applicable Law.
  • Service Provider will not retain, use, or disclose Consumer Personal Information outside of the direct business relationship between Service Provider and Novocure, unless otherwise permitted by Applicable Law.
  • Except as otherwise permitted by Applicable Law, Service Provider will not combine Consumer Personal Information with other personal information that it receives from other sources, including the information collected from Service Provider’s independent interaction with a Consumer. This does not include combining Consumer Personal Information in the context of the business purpose of providing the Services.
  • Service Provider will ensure that it has a written agreement in place with all Sub-processors which contains obligations on the Sub-processor which are no less protective of Consumer Personal Information than the obligations on Service Provider under this U.S. Addendum.
  • If Service Provider makes a determination that it can no longer meet its obligations under this U.S. Addendum, it shall notify Novocure of that determination within the time period required under U.S. Data Protection Laws and cease the Processing of Consumer Personal Information or take other reasonable and appropriate steps to remediate.
  • Novocure has the right to take reasonable and appropriate steps in accordance with the DPA and the Principal Agreement (e.g., Section 9 – Certification and Audits) to help ensure that Service Provider uses Consumer Personal Information in a manner consistent with Novocure’s obligations under U.S. Data Protection Laws.
  • Upon notice, Novocure will have the right to take reasonable and appropriate steps in accordance with the DPA and Principal Agreement to stop and remediate unauthorized use of Consumer Personal Information.
  • Service Provider certifies that it has read and understands this U.S. Addendum and will abide by it.
  • Novocure is responsible for ensuring that it has complied, and will continue to comply, with the requirements of U.S. Data Protection Laws in its use of the Services and its own Processing of Consumer Personal Information.
  • Novocure specifically acknowledges that its use of the Services will not violate the rights of any Consumer who has opted out from Sales, Sharing or other disclosures of Consumer Personal Information, to the extent applicable under U.S. Data Protection Laws.


 

© 2025 Novocure GmbH all rights reserved