Master Services Agreement, dated September 1, 2018, between Evelo Biosciences, Inc. and Weatherden Ltd
Exhibit 10.12
Master Services Agreement
This Master Consultancy Services Agreement (“Agreement”) dated September 1, 2018 is made between:
WEATHERDEN LTD a company incorporated in England & Wales (registration number 09241011) whose registered office is Units 4 & 5, Swinford Farm, Eynsham, Oxford, OX29 4BL (‘the Consultancy’ or ‘Weatherden’), and
EVELO BIOSCIENCES, INC a company incorporated in Delaware whose registered office is 620 Memorial Drive, Suite 200 West, Cambridge, Ma, Massachusetts, 02139 (‘the Client’ or ‘Evelo’).
The Consultancy agrees to supply, and the Client agrees to engage the Consultancy’s Services on the following terms:
Nature of this Agreement
This is a Master Agreement and defines the terms under which the Consultancy will undertake such Services for the Client as may be agreed between the parties from time to time. No changes will apply unless in writing and signed by both parties.
Entering this Agreement does not of itself oblige the Client to offer any work to the Consultancy nor for the Consultancy to provide or the Client to accept or pay for any particular consultancy services. Neither party wishes to create or imply any mutuality of obligation between themselves either in the course of or between any performance of the services or during any notice period.
Where it is agreed between the parties that any Services are to be provided, a schedule in the form annexed to this Agreement setting out the nature of the Services, the charging basis, and any other material terms (a ‘Schedule’) will be produced by the Consultancy and provided to the Client.
On receipt of a Schedule
if the Client accepts its terms, the Client will promptly sign and return one copy to the Consultancy
if the Client does not accept its terms, the Client will promptly advise the Consultancy.
Upon a Schedule being signed by both parties, it will become a contract binding on the parties.
A contract formed on the basis of a Schedule referencing these terms is governed only by the terms of this Agreement, and by no others, except where both parties expressly agree in writing. In particular, it is agreed that any purchase order or other such document from the Client or Consultancy is intended for the Client’s own administrative purposes only, and that notwithstanding its wording, neither a Purchase Order nor its content will have any legal effect. Save to the extent expressly provided, all conditions, warranties or other terms implied by statute or common law are hereby excluded to the fullest extent permitted by law.
Either party may request change to the nature or scope of Services covered by a Schedule. Any such request shall be sufficiently detailed to enable the other party to assess the impact of the proposed change. No such change will become effective until agreed in writing between the parties and shall become a change order as discussed in Section 5.
This Agreement is not exclusive; the Client acknowledges that the Consultancy enters this Agreement in the course of its business of providing services to its customers, and the Consultancy is and remains at liberty to also provide services to third parties; it is the Consultancy’s responsibility to ensure it does not enter any third-party engagement which might cause a conflict of interest to arise or violate any of the terms herein. The Client is and remains at liberty to engage services (including similar services) from third parties. The Consultancy reserves the right to decline to provide any advice and assistance outside the scope of the Services as specified in Schedules agreed between the parties, even if the Consultancy may previously have provided such additional advice and assistance.
The Consultancy will provide Services as agreed from time to time in Schedules, so far as is reasonably practicable within any agreed timescale, in compliance with applicable laws and regulations, written instructions from Client, and with all proper skill and care.
As an independent agency,
the Consultancy will not require or be subject to supervision direction or control as to its daily activities or the manner of performance thereof, and itself accepts the responsibility for the proper provision of Services
for the avoidance of doubt, the Client shall not (and does not have the right to) exercise supervision, direction or control as to the manner of performance of the Services
it is the Consultancy’s responsibility to (and the Consultancy shall) maintain Professional Indemnity, Employer's Liability (where legally required), and Public Liability insurance reasonably sufficient to cover such liabilities and obligations of the Consultancy as may arise in connection with the provision of the Services (in each on such terms and in such amount as a reasonably prudent person would consider to be adequate).
The Consultancy is responsible for providing personnel who have sufficient qualifications and training to perform the Services herein and for maintaining reasonable continuity in personnel providing Services on its behalf,
but reserves the right to make changes to those personnel providing the Services from time to time upon written approval from Client;
no additional charge will be made for any handover period, and
the Consultancy remains responsible
for any supervision and direction of its personnel in the provision of the Services, and
in any event for all Services performed on its behalf.
Where the Consultancy’s charges are on a time and materials basis, or where any individual who will provide Services is named in a Schedule (or the Client has a reasonable expectation that the Services will primarily be provided by a specific individual), it is the Consultancy’s responsibility to ensure
that the relevant skills and experience of any replacement personnel remain commensurate with the fee rates charged, and
that any replacement personnel have the necessary skills to perform the Services without the need for additional training by the Client.
It is the Client’s responsibility
to afford the Consultancy with such reasonable access, information and staff cooperation as the Consultancy may reasonably require for the proper performance of any Services, and
where the Consultancy provides the Services at the premises of the Client, to ensure that all relevant Health and Safety policies, risks, information and relevant statutory compliance measures are disclosed to the Consultancy to the extent required by applicable law.
Consultancy will not use a subcontractor to perform the Services or otherwise subcontract its obligations hereunder without the prior written consent of Client, other than team members operating through companies as individuals as listed in the Schedules, for the agreed upon amounts as listed in the Schedules. Any permitted subcontractor will be obligated to perform in accordance with this Agreement and Consultancy will be responsible for the actions and omissions of such subcontractor as if Consultancy had made such actions or omissions itself.
Unless the parties have signed a separate agreement containing more specific provisions in relation to confidentiality (in which case the provisions of such agreement will continue to apply in lieu of this clause), each party
will keep any confidential information disclosed by the other secret, and
on termination (or sooner if required) will at the option of the owner thereof return or destroy such confidential information of the owner, however that the party may retain one (1) copy in its confidential files solely for purposes of exercising the party’s rights hereunder, satisfying its obligations hereunder or complying with any legal proceeding or requirement with respect thereto and further, provided, that the party shall not be required to erase electronic files created in the ordinary course of business during automatic system back-up procedures pursuant to its electronic record retention and destruction practices that apply to its own general electronic files. Such retained copies of confidential information shall remain subject to the confidentiality and non-use obligations herein.
shall only share confidential information with its employees and agents who are bound by confidentiality agreements with terms at least as restrictive as those herein and provided that the disclosing partner shall be responsible for any breach of this section by its employees and agents.
Neither anything contained in this Agreement, nor any delivery of any confidential information to the other Party will be deemed to grant to the Receiving Party any rights or licenses under any intellectual property rights (including, without limitation, patent applications, patents, extensions, trade secrets, trademarks, copyrights and/or rights in non-public information) of the disclosing party, except as necessary for Consultancy to perform the Services or for Client to make use of the Services, Data, Deliverables and/or any intellectual property rights.
For clarity, Client’s confidential information will further include the Data, and Materials, both as further defined herein.
Neither party may use or take advantage of any such confidential information of the other party without the discloser’s consent, even after the end of this Agreement.
This obligation does not apply to
information known to the party subject to the obligation of confidentiality before disclosure by the other party, and free of any obligation of confidentiality, or
information independently developed or acquired by the party subject to the obligation of confidentiality, without reference or access to the other party’s confidential information, and free of any obligation of confidentiality, or
information which becomes public knowledge without fault on the part of the party subject to the obligation of confidentiality.
The provisions of clause 3.1 shall not prevent a party disclosing confidential information of the other party if and to the extent such disclosure is required pursuant to any legal or regulatory requirement applicable provided advance written notice is provided to the other party where reasonably possible to allow the other party to seek a protective order or otherwise attempt to limit.
Copyright and Intellectual Property Rights
‘Deliverable’ means a work produced by the Consultancy in the course of Services for delivery to the Client.
Where Consultancy’s pre-existing works are with the knowledge and written consent of the Client incorporated in any Deliverable, Consultancy hereby grants to Client a non-exclusive, irrevocable, world-wide, royalty free licence to use, modify and distribute such pre-existing works, but only as part of the Deliverable; all other rights in the pre-existing works are reserved.
Subject thereto, all rights in any Deliverable pass to the Client upon payment of all fees not in dispute due to the Consultancy which relate to that Deliverable, and the Consultancy hereby assigns and such rights, and if necessary, will execute a formal assignment thereof on request by the Client.
Further, Consultancy agrees that, as between Consultancy and Client, Client owns all rights, title, and interest in any data generated from the Services ("Data"), Deliverables, and/or rights (including, without limitation, intellectual property rights such as patent applications, patents, extensions, trade secrets, trademarks, copyrights and/or rights in non-public information) related to the (a) Material or its uses, (b) Data, (c) Deliverables and/or (d) improvements, developments, discoveries, and designs which are conceived, recorded, and/or reduced to practice by Consultancy, alone or jointly with others, (1) in connection with the Services or (2) which are related to the Material or its uses or (3) are developed using the Material or the Confidential Information (collectively with the rights in 4.1.2, "Inventions"). Consultancy hereby assigns to Client all of Consultancy’s rights to and interest in any Inventions. If any of Client’s ownership rights contemplated under this section is not perfected, fails to arise, reverts or terminates by operation of law, then Consultancy hereby grants to Client an exclusive (even to Consultancy), irrevocable, perpetual, fully paid-up, royalty-free, transferable, sub-licensable (through multiple layers of sub-licensees), worldwide license to all rights, title and interest in the Inventions. Consultancy will act as necessary to perfect, maintain, and/or enforce (to “Protect”) Client’s rights in the Inventions, including, without limitation, reviewing, executing and delivering all requested supporting documents. Client will reimburse Consultancy’s reasonable out-of-pocket costs for such assistance.
The Consultancy will indemnify the Client against infringement of third party rights by a Deliverable, provided that the Client notifies the Consultancy of any relevant third-party rights promptly on such rights becoming known to or reasonably suspected by the Client.
Nothing shall prevent the Consultancy from using techniques, ideas, and other know-how gained during the performance of Services under this Agreement in the furtherance of its own business, provided that such techniques, ideas and other know-how do not contain or rely upon any Client Confidential Information and only to the extent that such does not result in disclosure or abuse of confidential information in breach hereof, or any infringement of any Intellectual Property Rights of the Client.
Consultancy acknowledges that, as between Consultancy and Client, Client owns any reagents, compounds, biological material, devices or other technology provided to Consultancy in connection with the Services, and any modifications, improvements, fragments, analogs or homologs thereof and/or derivatives of the foregoing (“Materials”). Consultancy will not provide or offer to provide any Material to any third-party or person not performing Services hereunder, without the prior written consent of Client. The Materials are to be used by Consultancy solely for completing the Services. Furthermore, upon Client’s request or completion of Services, any unused Material will be, at Client’s discretion and instruction, either destroyed or returned to Client.
Charges and Payment
All sums due shall be invoiced and paid as specified in the applicable Schedule.
The Client will pay the Consultancy’s invoices within 30 days of receipt of invoice, plus VAT where applicable.
Unless otherwise specified, where payment is on a time and materials basis, the Consultancy may invoice monthly.
If any of the Consultancy’s invoices becomes overdue and are not in dispute and Consultant has notified Client in writing,
the Consultancy may suspend provision of Services, and any agreed timescale will be automatically extended;
the Consultancy may also terminate this Agreement and any current Schedule for material breach whilst any payment is more than 14 business days overdue.
Unless noted otherwise in the Schedule, all invoices will be in GB Pounds Sterling and must contain an itemized breakdown of all fees and expenses (and be accompanied by relevant supporting documentation). All invoices must reference a valid Client Purchase Order Number in order for payment to be processed. All other payment terms will be included in the Schedule but under no circumstances will the total payments prior to the initiation of service exceed 20% of the total payments provided in the Schedule.
Prior to the first payment, Consultancy will submit a completed W-8 or W-9 to Client. Invoices should be sent to Client as specified in the corresponding Schedule. If the Schedule does not specify where invoices should be sent to Client, invoices should be sent to:
Evelo Biosciences, Inc.
620 Memorial Drive
Cambridge, MA 02139
United States of America
Attention: Accounts Payable
and to the email address: ***@***
Client will pay a sum equal to the full GBP invoiced value. Both parties are responsible for their own wire transfer charges by electronic transfer to the following account:
IBAN - [XXXXXXXXXXXXXXXXXXXXXX]
BIC - [XXXXXXXXXXX]
Account Number - [XXXXXXXX]
Sort code - [XXXXXX]
If Client requests any changes in the nature, scope, or cost of the Services or if pricing herein is dependent on incorrect information provided by the Client, or if any specified dependencies / facilities are not available on time not due to any fault of Consultancy, or if any equipment required to be provided by the Client fails to operate correctly (save where the engagement itself is for the repair thereof), the parties will agree on a change order. Consultancy will first notify Client in writing of the cost of such changes and will not proceed without Client’s prior written consent. Any such approved changes to Services will be considered an amendment to the applicable Schedule and governed by this Agreement and must be accompanied by a separate PO number and referenced when billing.
If while performing Services Consultancy will compensate any health care providers for their support of the Services, Consultancy will follow Client’s requirements for determining the fair market value for such health care provider support and will reasonably report such compensation and other transfers of value to health care providers to Client in a format and frequency to enable Client to comply with applicable laws and regulations.
Neither party excludes liability for death, personal injury, fraud, or otherwise where it is not lawful to do so. Subject thereto, and except for any breach of the confidentiality section or intellectual property sections herein,
each party expressly excludes liability for economic, consequential or indirect loss or damage of any kind, or for loss of profit, business, revenue, goodwill or anticipated savings.
Except for the indemnity or for claims due to its gross negligence, neither party shall be liable for any loss or damage in excess of three times the total sums payable under a Schedule, except where it may not lawfully exclude or limit liability.
Consultancy shall indemnify, defend and hold harmless Client, and its respective officers, directors, employees and agents (collectively, the “Client Indemnitees”) against any third party claims, to the extent arising out of or relating to: (i) Consultancy or any of its employees or agents’ negligence or wilful misconduct in performing obligations under this Agreement; or (iii) Consultancy’s breach of this Agreement.
Either party may terminate this Agreement at any time when there is no current Schedule, by immediate written notice.
Client may terminate any Schedule upon thirty days’ written notice with or without cause.
Either party may terminate this Agreement and any current Schedule at any time if the other is in material breach or if the other becomes insolvent, by immediate written notice.
Any provision of this agreement which expressly or by implication is intended to come into or continue in force on or after termination of this agreement shall remain in full force and effect.
If either party is obstructed in performing any of its obligations under a Schedule by an event outside its reasonable control, then performance to the extent obstructed is suspended for so long as the obstruction continues. Whilst performance is suspended and has been so for more than 7 days, either party may terminate that Schedule by immediate written notice.
Staff obligations and third-party rights
The Client is a client of a business undertaking carried on by the Consultancy, and it is not the intention of either to create or allow to arise any employee/employer relationship between the Client and any individual providing Services on behalf of the Consultancy.
Each party solely retains all the responsibilities and rights of an employer towards and in relation to its own employees. Neither party seconds its employees or any of them to the other. No person providing Services is expected or required to integrate into the Client’s business organisation or employed workforce.
With the exception of agreed subcontractors where it is mutually agreed that Company shall pay the subcontractor directly, the Consultancy will ensure that all remuneration it pays any personnel engaged on the Services is paid and taxed as employment income, within the meaning of the Income Tax (Earnings and Pensions) Act 2003 as amended. Consultancy shall be responsible for the payment of all taxes, for all employment, insurance and other similar taxes with respect to any compensation provided by the Client to Consultancy. Consultant will indemnify Client against any claims brought by or in relation to its own employees, whether such claims relate to employment, tax, national insurance, or otherwise.
Where applicable, the Consultancy is solely responsible for complying with the requirements of the Working Time Regulations 1998 (as amended) and any other legislation relating to workers, in relation to any individual providing Services on its behalf.
Other than by general advertisement for such position or in response to an initiative by an employee responding to such general advertisement, neither party will employ, engage, or otherwise solicit any person who during the previous 6 months was an officer, employee or sub‑contractor of the other and with whom such party had material contact in connection with Services performed under any Schedule, until 6 months after that Schedule has terminated.
Other than by general advertisement for such position or in response to an initiative by an employee responding to such general advertisement, neither party will solicit any person who during the previous 6 months was a client of the other and with whom such party had material contact in connection with Services performed under any Schedule, until 6 months after that Schedule has terminated, unless a fee is mutually agreed by the Consultancy and the Client, typically to be equal to 33% of the remuneration of the person hired.
No third-party rights are intended to be conferred or created by this Agreement or any Schedule.
In this term, ‘employees’ includes, so far as the context permits:
in the case of an LLP or partnership, its partners and employees
in the case of a company, its officers and employees.
The parties mutually acknowledge their respective responsibilities (a) to comply with the applicable provisions of the Data Protection Act 1998, General Data Protection Regulation 2016/679/EC and any applicable data protection laws (“Data Protection Laws”) with respect to Personal Data, as defined in the Data Protection Laws, and (b) to use Personal Data provided by the other so far as necessary for the proper performance of this Agreement or any Schedule hereto, but not further or otherwise.
Consultancy shall assist and cooperate as is reasonably necessary or reasonably requested by Client to ensure Client complies with the Data Protection Laws. For Personal Data disclosed to Consultancy in connection with this Agreement (and whether disclosed by Client, data subjects or otherwise), Consultancy will only process such Personal Data as permitted by the Data Protection Laws and for purposes requested by Client and for which Consultancy has appropriate measures (including, without limitation, communicating appropriate policies to employees, managing ongoing compliance, and implementing effective information security) for the Personal Data to prevent (1) unauthorised or unlawful processing of the Personal Data and (2) accidental loss or destruction of, or damage to, the Personal Data.
Consultancy will not disclose to any third-party or provide to Client any personal data unless the individual to whom such personal data pertains has granted his or her informed written consent to such disclosure. This includes unambiguous and explicit written consent to the potential transfer of personal data outside such person’s country of residence to another jurisdiction, including, without limitation, the United States of America where different data protection rules apply. Consultancy will take all steps required and communicated in writing to Consultancy by Client that Client reasonably considers are necessary to comply with Client’s own obligations under Data Protection Laws.
Consultancy will ensure that all employees, independent contractors or agents involved in providing Services under this Agreement have granted their written consent to the processing of their personal data by Client for the purposes of this Agreement and to the possible transfer of this data outside their country of residence to another jurisdiction, including, without limitation, the United States of America where different data protection rules apply.
If either party becomes aware of any unauthorised, unlawful or dishonest conduct or activities, or any breach of the terms of this Agreement relating to Personal Data, such Party will promptly notify the other Party in writing thereof and the Parties will take such action as such party may deem reasonably necessary to prevent any further unauthorised, unlawful or dishonest conduct or activities or breach of the terms of this Agreement relating to Personal Data.
Appendix 1 shall apply if Consultancy is processing Personal Data on behalf of Client. The Schedules shall include any Personal Data being processed.
Bribery and Corruption
The parties shall each comply with all applicable legal requirements relating to bribery and corruption.
The Consultancy shall comply with any Client policies relating to bribery and corruption that may be disclosed to the Consultancy, as though such policies applied to and had been adopted by the Consultancy.
Any notice to be given by either party to the other shall be in writing and may be sent by recorded delivery to the address of the other and shall be deemed to be served 2 days following the date of posting. If to Client, a courtesy copy shall be provided to the email address: ***@***
13.1 This Agreement and any Schedule may be signed by electronic signature (whatever the form the electronic signature takes), and that such method of signature shall be equally conclusive of the intention of each party to be bound by its terms and conditions as if signed with manuscript signatures.
13.2 Notwithstanding that this Agreement and/or a Schedule may have been signed by a form of electronic signature, no addition, amendment to, or modification or discharge of, this Agreement and/or a Schedule shall be effective otherwise than in writing on paper and signed with the manuscript signature of each party.
Representations and Warranties
14.1 Consultancy represents and warrants that:
(a) it is authorized to enter into this Agreement and will make every effort to supply the Services with reasonable care and skill and in compliance with all applicable laws and regulations, including but not limited to any anti-bribery laws such as the U.K. Bribery Act of 2010, as amended, and the US Foreign Corrupt Practices Act of 1977, as amended.
(b) conduct and provision of Services will not knowingly violate any patent, trade secret or other proprietary or intellectual property right of a third party.
(c) Consultancy is under no contractual or other obligation or restriction which is inconsistent with Consultancy’s obligations under this Agreement, during the term of this Agreement, Consultancy will not enter into any agreement, either written or oral, in conflict with Consultancy’s obligations under this Agreement or under any Schedule;
neither it, nor any of its management or any other employees or independent contractors or agents who will have any involvement in the Services supplied under this Agreement, have (i) been excluded, debarred, suspended or otherwise made ineligible to exercise their profession and activities; or (ii) engaged in any act that would be grounds for such exclusion, debarment or suspension. Upon learning or acquiring knowledge of any facts or circumstances that may lead to actions relating to the representations above (including, without limitation, criminal actions), Consultancy will immediately disclose such facts or circumstances to Client; and Client may immediately terminate the Agreement.
Records, Reports and Audits.
15.1 Records and Reports. Consultancy will maintain complete and accurate written records of Consultancy’s performance of the Services for the longer of (a) three (3) years or (b) as required by applicable laws. As provided in a Schedule or at Client’s request, Consultancy will report to Client in a written format acceptable to Client on the progress and results of the Services. Upon completion or termination of the Services, Consultancy will deliver to Client all Data and a final report on the Services.
15.2 Audits. Client may, during regular business hours and upon reasonable prior notice, conduct quality assurance audits and inspections of testing, quality control, documentation, record keeping, and standard and general operating procedures used by Consultancy about Services to monitor Consultancy’s compliance with its obligations hereunder. Consultancy will cooperate fully in any inspections and audits conducted by Client under this Section. Consultancy agrees to take any reasonable actions requested by Client to cure any deficiencies noted during any such audit or inspection.
15.3 Government Inspections. Consultancy will notify Client (and when possible in advance) of any inspection of Consultancy’s facilities by any regulatory authority which inspection or facilities may relate to the Services, the Material or Data and will allow Client to attend the inspection. Consultancy will promptly share with Client the inspection results and/or reports. Client will have the right to review and comment upon any draft correspondence by Consultancy to the regulatory authority generated because of such inspection prior to submission by Consultancy. If a regulatory authority inspects Client relating to the Services, Client will notify Consultancy and Consultancy will reasonably cooperate with Client in responding to requests from such regulatory authorities and making records available within one (1) business day of Client’s request.
Neither Party will disclose the existence or substance of this Agreement, except as required by applicable laws or regulations. Neither Party will use the name of the other Party or of any of its employees without such Party’s prior written consent. Consultancy will not publish information (including, without limitation, by any written, oral, or electronic communication, manuscript, abstract, poster, presentation, or other publication) relating to the Services, Confidential Information, Material, Data or Inventions, in whole or in part, without the prior written consent of Client. Notwithstanding anything to the contrary in this Agreement, this Agreement may be filed by Client with the Securities and Exchange Commission, and Client may include in any such filing descriptions of the existence and terms thereof. Client shall reasonably consider Consultancy’s timely proposed redactions before such filing.
These terms and any non-contractual disputes or claims between the parties are governed by the laws of the defending party, whose courts shall have sole jurisdiction in relation to all matters arising.
Entire Agreement. This Agreement, together with any Schedule, constitutes the entire agreement between the Parties and supersedes and supplants all prior and contemporaneous representations, agreements, and understandings, whether oral, written or otherwise, between the Parties.
----Signature Page to Follow----
Signed by the parties’ authorised representatives as follows:
On behalf of the Consultancy by Houman Ashrafian
14 September 2018
On behalf of the Client by Jennifer Glennon
VP, Finance and Operations
14 September 2018
Processing of Personal Data
1. Capitalized words used in this section that are defined in the GDPR shall have the meanings as defined in the GDPR. The Parties agree to further amend the Agreement if and as necessary to comply with the Data Protection Laws, as may be amended over time.
2. As part of the Services, Consultancy processes Personal Data on behalf of the Client as a Data Processor. Any Schedule which includes the Processing of Personal Data shall include a Description of subject-matter and duration of the processing, the nature and purpose of the processing, the type of Personal Data and categories of Data Subjects. As the Data Processor, Consultancy represents and warrants that it shall:
(i) Implement and maintain appropriate technical and organisational measures to comply with the Data Protection Laws to ensure the protection of the rights of Data Subjects.
(ii) Implement and maintain appropriate measures to ensure the security of Data Processing and implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk (including but not limited to, appropriate policies, management and review of ongoing compliance and effective security measures) to prevent any unauthorized or unlawful Processing of Personal Data and to guard against accidental loss or destruction of, or damage to or breach of Personal Data as required by Art. 32 (1) GDPR. These measures will include:
(a) the pseudonymization and encryption of the Personal Data;
(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and Research Project;
(c) the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident;
(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
(iii) Not engage another Data Processor without prior written authorization of Client, and if approved by Client, Consultancy shall ensure that the same data protection obligations as between the Client and Consultancy are imposed on that other Processor by way of a contract, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of the Data Protection Laws. Under each Schedule, Consultancy will provide Client with a written list of subcontractors providing Processing Services.
(iv) Process the Personal Data only on documented instructions from Client, including with regard to transfers of Personal Data to a third country or an international organization; unless required to do so by law; in such a case, Consultancy shall inform the Client of such legal requirement before processing. If Consultancy is required to use the Personal Data for another purpose by EU or Member State law to which the Consultancy is subject, Consultancy will, unless prohibited by applicable law, promptly (and in no event more than twenty-four (24) hours after receipt of such information) notify Client in writing of that legal requirement before Processing such Personal Data; and to the extent permitted by applicable EU or Member State law, Consultancy will comply with the written directions of Client, limit the nature and scope of the requested disclosure, and disclose the minimum Personal Data necessary;
(v) Ensure that all persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
(vi) Assist Client with complying with the obligations in Article 32-36 of the GDPR specifically, including responding to requests from Data Subjects to access their data or exercising any of their rights in a timely manner as required by the GDPR, as well as responding to and notifying Data Subjects of any Personal Data Breach and conducting a data protection impact assessment.
(vii) Notify Client within 24 hours of any Personal Data Breach and as part of such notification describe the nature of the incident and, where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned, and provide information regarding the possible effects of such Personal Data Breach upon Client and the applicable Data Subjects. In no case will Consultancy delay notification because of insufficient information but instead, Consultancy will provide and supplement notifications as information becomes available;
(viii) In cooperation with Client and with the written consent and approval of Client, use diligent efforts to promptly investigate (1) any Personal Data Breach and take all necessary and appropriate corrective action (as approved by Client in writing) to remediate such breach and prevent a recurrence of such breach; (2) any request for information from or complaint by a data protection authority/Supervisory Authority in relation to Personal Data that Consultancy Processes for the purpose of providing the Services.
(ix) Retain Personal Data for the longer of the time period necessary to perform the Processing Services or as required by applicable law. Consultancy will, consistent with Client’s written instructions, upon expiration or termination of the applicable Schedule, return or safely destroy all Personal Data that Consultancy obtained in connection with performing the Services, including all originals and copies of such Personal Data in any medium, and any materials derived from or incorporating such Personal Data. Consultancy will promptly notify Client in writing once all such information has been returned or destroyed (as applicable in accordance with Client’s written instructions). Where continued storage is required by EU or Member State law, Consultancy will inform Client of those requirements.
(x) Assist Client in meeting its GDPR obligations in relation to the security of Processing and conducting any data protection impact assessments.
(xi) Provide Client with the necessary information to assist Client in meeting its obligations under the Data Protection Laws.
(xii) Inform Client immediately if an instruction infringes the Data Protection Laws.
(xiii) Cooperate with any supervisory authorities as required by the Data Protection Laws.
(xiv) Maintain records of its processing activities as required by the Data Protection Laws.
(xv) Employ a Data Protection Officer if required by the Data Protection Laws.
(xvi) Make available to the Client or its agents upon request any information necessary for Consultancy or Client to demonstrate compliance with the Data Protection Laws and allow for and contribute to audits, including inspections, conducted by the Client or its agents.
(xvii) Ensure that transfers of Personal Data outside of the European Economic Area are made only (i) to a jurisdiction deemed by the European Commission to have an adequate level of protection; (ii) subject to contractual provisions approved by the European Commission; or (iii) pursuant to a framework deemed adequate and approved by the European Commission.