Third Amendment to Application Service Provider Agreement, dated January 1, 2018, by and between Registrant and DNAnexus, Inc
Exhibit 10.1
CONFIDENTIAL TREATMENT REQUESTED
DNAnexus, Inc.
Third Amendment to
Application Service Provider Agreement
This Third Amendment (“Third Amendment”) is made as of January 1, 2018 (“Amendment Effective Date”) by and between DNAnexus, Inc., a Delaware corporation, having its principal place of business at 1975 W. El Camino Real, Suite 101, Mountain View, CA 94040 (“Vendor”), and Natera, Inc., having its principal place of business at 201 Industrial Road, Suite 410, San Carlos, CA 94070 (“Natera”).
Vendor and Natera agree to amend the Application Service Provider Agreement having an effective date of September 19, 2014 (“Agreement”), as amended by the Amendment dated June 8, 2015 and the Amendment dated December 29, 2016, as follows:
| 1. | Section 1 of the Agreement is hereby amended to include the following additional definitions, which shall apply to any use of the defined terms in the Agreement: |
1.10“EU Data Protection Law” means all applicable EU law, enactments, regulations, orders, standards, codes of practice and other similar instruments that relate to data protection, privacy, the use of information relating to individuals, the information rights of individuals and/or the processing of personal data, including the Data Protection Act 1998 (until 24 May 2018), the Privacy and Electronic Communications (EC Directive) Regulations 2003, the EU regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“GDPR”), and any successor legislation (on and from 25 May 2018), and “Data Controller”, “Data Processor”, “Data Subject” and “Personal Data” or similar expressions shall have the meaning given to them therein, with Personal Data including sensitive personal data and special categories of personal data, .”
| 2. | Section 18.4 (Personal Data) of the Agreement is hereby amended by replacing the reference to “EU Data Protection Directive (Directive 95/46/EEC)” with “EU Data Protection Law” |
| 3. | Section 5 (Services) of the Agreement is hereby amended by adding the following to the end of this section: |
“Vendor agrees to (i) deploy two copies of Natera’s infrastructure and host Natera Content, with one copy on Vendor’s cloud servers and system physically located in the U.S. (the ‘U.S. Deployment’) in accordance with Statement of Work No. 1
hereto and the other copy on Vendor’s cloud servers and system physically located in the European Economic Area (the ‘EEA Deployment’), and (ii) complete the tasks as specified in all applicable Statements of Work hereto to ensure all Services, Deliverables, and Support Services will be provided independently and separately to both the U.S. Deployment and EEA Deployment. Vendor further represents, warrants and agrees that all Content (including all EEA Personal Data as defined in Section 18.5) relating to the Services, Deliverables, Support Services provided to Natera’s EEA Deployment will be collected, recorded, stored, and processed wholly within the EEA and may not be transmitted to the U.S. Deployment or any servers or systems located outside the EEA.”
| 4. | Section 18.5 (Treatment of Personal Data) is hereby amended by adding the following text to the end of this section: |
“Notwithstanding the foregoing, with respect to any Personal Data originated from a member state of the European Economic Area or otherwise subject to the EU Data Protection Law (such Personal Data, the “EEA Personal Data”), the Personal Data Rules as defined in this Section 18.5 shall also include the ‘EU Data Protection Law’; and Vendor further represents and warrants that (i) it is and will maintain its status as a participant of the EU-US Privacy Shield (and its successor program as applicable); (ii) it will Process the EEA Personal Data in compliance with this Agreement, including the Data Processing Addendum attached hereto as Exhibit F, and the EU Data Protection Law, (iii) if required by the EU Data Protection Law, it will further enter into an EU Model Clauses Contract as a Data Processor (or Subprocessors) with Natera for Processing the EEA Personal Data outside the EEA, and (iv) it will not Process any EEA Personal Data outside the scope as specified in this Agreement.”
| 5. | Section 18.6 (Retention of Personal Data) is hereby amended by adding the following text to the end of this section: |
“Notwithstanding the foregoing, Vendor’s right and authority to retain or destroy EEA Personal Data is defined in and subject to the Data Processing Agreement.”
| 6. | Exhibit A of the Agreement is hereby amended by adding Exhibit A -- the Statement of Work No. 2 attached hereto as the Statement of Work No. 2 to the Agreement. |
| 7. | Exhibit B of the Agreement is hereby deleted and replaced with Exhibit B attached hereto. |
Page 2 of 8
| 8. | The Agreement is further amended by adding Exhibit F hereto (“Data Processing Addendum) as a new Exhibit F to the Agreement. |
9. The parties agree that this Third Amendment, inadvertently not previously executed, is intended to be effective as of the Amendment Effective Date, pre-dating the effective date of the Fourth Amendment; the terms of this Third Amendment are modified by any applicable terms in the Fourth Amendment.
Except as expressly provided herein, the Agreement remains in full force and effect. If there is a conflict between this Third Amendment and the Agreement or any earlier amendment or renewal, the terms of this Amendment will prevail.
IN WITNESS WHEREOF, the parties have caused this Third Amendment to be duly executed as of the Amendment Effective Date.
| Natera International, Inc. | DNAnexus, Inc. | ||||
|
|
|
|
| ||
|
|
|
|
| ||
| By: | /s/ John Fesko |
| By: | /s/ Richard Daly |
|
| Name | John Fesko | Name | Richard Daly | ||
| Title | VP, Business Development | Title | CEO | ||
| Date | 8/10/2018 | Date | August 8, 2018 | ||
Page 3 of 8
Exhibit A
Statement of Work No. 2
N/A
Page 4 of 8
Exhibit B
Services; Fees
DNAnexus platform license fee for additional regions
Deployed Regions, AWS
[*]
[*]
Available Regions, AWS
[*]
[*]
Available Regions, Azure
[*]
Per region fee
Annual license fee for deployed regions [*] and [*] is $[*].
Each additional region is $[*].
[*] Region Resource-based pricing
The following table shall be used to calculate the weighted average price reduction in each [*] period for each DNANexus Compute Cost Class within the [*] region:
| DNANexus Compute Cost Class | AWS Instance |
| [*] | [*] |
| [*] | [*] |
| [*] | [*] |
| [*] | [*] |
| [*] | [*] |
| [*] | [*] |
| [*] | [*] |
| [*] | [*] |
| [*] | [*] |
| [*] | [*] |
| [*] | [*] |
| [*] | [*] |
Page 5 of 8
* CERTAIN INFORMATION IN THIS DOCUMENT HAS BEEN OMITTED AND FILED SEPARATELY WITH THE SECURITIES AND EXCHANGE COMMISSION. CONFIDENTIAL TREATMENT HAS BEEN REQUESTED WITH RESPECT TO THE OMITTED PORTION.
All DNAnexus usage, including R&D and production pipeline execution, is charged according to the below pricing sheet:
| Compute | |
| Cost Class | Cost per virtual core hour |
| [*] | [*] |
| [*] | [*] |
| [*] | [*] |
| Data Transfer & Storage | |
| Service | Cost |
| [*] | [*] |
| [*] | [*] |
| [*] | [*] |
| [*] | [*] |
| [*] | [*] |
Per-test pricing
A value add charge is applied to each execution of a billable production test, based upon the following tiers of monthly production test volumes:
| Value-add price per test | Production test monthly volume |
| [*] | Up to [*] production tests |
| [*] | Each production test over [*] up to [*] |
| [*] | Each production test over [*] |
Page 6 of 8
* CERTAIN INFORMATION IN THIS DOCUMENT HAS BEEN OMITTED AND FILED SEPARATELY WITH THE SECURITIES AND EXCHANGE COMMISSION. CONFIDENTIAL TREATMENT HAS BEEN REQUESTED WITH RESPECT TO THE OMITTED PORTION.
Exhibit F
Data Processing Addendum
| 1. | Definition: In this Addendum, "controller", "processor", "data subject", "personal data", "processing" (and "process") and "special categories of personal data" will have the meanings given in EU Data Protection Law. |
| 2. | Relationship of the parties: Natera (the controller) appoints Vendor as a processor to process Content containing personal data of a data subject as may be provided for in the Agreement (the "Data") for the purposes described in the Agreement (or as otherwise agreed in writing by the parties) (the "Permitt Purpose"). Vendor will comply with the obligations applicable to it under Applicable Laws, including Data Protection Law. |
| 3. | International transfers: Vendor will not transfer the Data outside of the European Economic Area ("EEA") unless it has taken such measures as are necessary to ensure the transfer is in compliance with Applicable Law. |
| 4. | Confidentiality of processing: Vendor will ensure that any person it authorizes to process the Data (an "Authorized Person") will protect the Data in accordance with Vendor's confidentiality obligations under the Agreement and Applicable Law. |
| 5. | Security: Vendor will implement technical and organizational measures as set out in Agreement to protect the Data (i) from accidental or unlawful destruction, and (ii) loss, alteration, unauthorized disclosure of, or access to the Data (each, a "Security Incident"). |
| 6. | Third party processors: Vendor may appoint one or more third party processors to process the Data for the Permitted Purpose on its behalf, provided that: (i) it engages only processors that have implemented appropriate technical and organizational measures to protect the Data, and ensure the rights of the data subjects, in accordance with Applicable Law; and (ii) Vendor will remain solely liable for any breach of this Addendum or of Applicable Law that may be caused by its processors' processing of the Data. |
| 7. | Cooperation and data subjects' rights: Vendor will provide reasonable and timely assistance to Natera (at Natera's expense) to enable Natera to respond to: (i) any request from a data subject to exercise any of its rights under Applicable Law (including its rights of access, correction, objection, erasure and data portability, as applicable); and (ii) any other correspondence, enquiry or complaint received from a data subject, regulator or other third party in connection with the processing of the Data. In the event that any such request, correspondence, enquiry or complaint is made directly to Vendor, Vendor will promptly inform Natera providing full details of the same. |
| 8. | Data Protection Impact Assessment: If Vendor believes or becomes aware that its processing of the Data is likely to result in a high risk to data protection rights, it will inform Natera and provide reasonable cooperation to Natera (at Natera's expense) in connection with any data protection impact assessment that may be required under Applicable Law. |
| 9. | Security incidents: If it becomes aware of a confirmed Security Incident, Vendor will inform Natera without undue delay and will provide reasonable information and cooperation to Natera so that Natera can fulfill any data breach reporting obligations it may have under (and in accordance with the timescales required by) Applicable Law. Vendor will further take reasonably necessary measures and actions to remedy or mitigate the effects of the Security Incident and will keep Natera informed of all material developments in connection with the Security Incident. |
Page 7 of 8
| 10. | Data Retention: Upon termination or expiry of the Agreement, Vendor will delete all Data in its possession or control. This requirement will not apply to the extent that Vendor is required by applicable law or contract with its financial service partners to retain some or all of the Data, or to Data it has archived on back-up systems, which Data Vendor will securely isolate and protect from any further processing except to the extent required by such law. |
| 11. | Audit: Natera acknowledges that Vendor is regularly audited against SSAE-16 SOC 1 by independent third party auditors. Upon request, Vendor will supply a summary copy of its applicable certifications to Natera which reports will be subject to the confidentiality provisions of the Agreement. Vendor will also respond to a written security questionnaire submitted to it by Natera provided that Natera will not exercise this right more than once per year. |
Page 8 of 8
