EU-U.S. PRIVACY SHIELD PRIVACY POLICY STATEMENT OF NOVELLA CLINICAL

It is Novella’s policy to respect and protect Personal Information collected or maintained by or on behalf of Novella Clinical LLC and our subsidiaries and affiliates (collectively, “Novella”), therefore, Novella adheres to the EU-U.S. Privacy Shield Principles. In furtherance of this commitment, Novella has certified to the EU-U.S. Privacy Shield Framework (“Privacy Shield”), as set forth by the U.S. Department of Commerce and the Federal Trade Commission (“FTC”), regarding the collection, use and retention of Personal Information from Citizens in support of Novella’s human resources, Client and Supplier operations (collectively, Novella’s “Operations”). To learn more about Privacy Shield, and to view Novella’s certification, please visit https://www.privacyshield.gov. We also use model contractual clauses and other mechanisms approved by the European Union and Switzerland, respectively, for transfers of Personal Information from the EEA and Switzerland.

Scope

This Policy applies to all Personal Information of Citizens, either in electronic or paper format, received by Novella in the U.S. from the EEA or Switzerland, including Personal Information of Novella Personnel, consumers, healthcare professionals, patients, medical research subjects, clinical investigators, customers, suppliers, vendors, business partners and investors.

Definitions

The following capitalized terms are used throughout this document and are defined as follows:

“Agent” or collectively, “Agents” means any third party that uses Personal Information provided to it by Novella to perform tasks on behalf of and under the instructions of Novella or to which Novella discloses Personal Information for use on its behalf.

“Citizen” or collectively, “Citizens” means a lawful citizen or citizens of any EEA country or Switzerland and includes Personnel, Clients and Suppliers.

“CRO” means clinical research organization.

“EEA” means the European Economic Area which is composed of the following thirty-one (31) countries: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Italy, Ireland, Latvia, Liechtenstein, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, and United Kingdom.

“Novella” or the “Company” collectively refers to Novella Clinical LLC, a Delaware company, and any and all subsidiaries and affiliates thereof that are incorporated in any state or territory of the United States.

“Personal Information” means any information or set of information about an identified or identifiable Citizen, including, but not limited to: (a) first name or initial and last name; (b) home or other physical address; (c) telephone number; (d) email address or online identifier associated with the Citizen; (e) Social Security number or other similar identifier; (f) employment, financial or health information; or (g) any other information relating to a Citizen that is combined with any of the above. The term “Personal Information” does not include anonymized information or information that is reported in the aggregate (provided that such aggregated information is not identifiable to a natural person).

“Personnel” includes, but is not limited to, any Personnel (permanent or temporary), director, officer, contractor, worker, temporary worker, job applicant, retiree of Novella and any and all of their respective dependents.

“Privacy Shield Principles” collectively means the following seven (7) privacy principles as described in the Privacy Shield: (1) Notice, (2) Choice, (3) Accountability for Onward Transfer, (4) Security, (5) Data Integrity and Purpose Limitation, (6) Access, and (7) Recourse, Enforcement and Liability, as well as the supplemental privacy principles and the associated guidance which can be found at https://www.privacyshield.gov.

“Process” or “Processing” of Personal Information means any operation or set of operations which is performed upon Personal Information, whether or not by automated means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure or dissemination, and erasure or destruction.

“Sensitive Personal Information” means Personal Information that reveals race, ethnic origin, political opinion, religious or philosophical beliefs, trade union membership, genetic data, biometric data where Processed to uniquely identify a person, any information that concerns medical or health conditions or sex life, or information relating to the commission of a criminal offense.

“Statement” or “Policy” means this EU-U.S. Privacy Shield Privacy Policy Statement.

Capitalized terms not defined above have the definitions set forth in the respective paragraphs of this Statement.

Privacy Shield Principles

1. Notice: In the event that Novella collects Personal Information from a Citizen, Novella will furnish a notice to the Citizen that describes: (i) the types of Personal Information that it collects about such Citizens; (ii) the purposes for which it collects such information; (iii) the types of third parties to which it discloses such information, and the purposes for which it does so; and (iv) and the choices and means, if any, Novella offers Citizens for limiting the use and disclosure of Personal Information about them. Notice will be provided in clear and conspicuous language at the time of collection, or as soon as reasonably practicable thereafter. In any event, notice will be provided before Novella discloses the Personal Information or uses such information for a purpose materially different than that for which the Personal Information was originally collected or Processed. Where Novella receives Personal Information from its subsidiaries, affiliates or other entities, including when acting as a CRO processing Personal Information under the direction of a customer, it will use such information in accordance with the notices provided by such entities and the choices made by the Citizens to whom such Personal Information relates.

Types of Personal Information collected, Purposes of Collection and Uses of Personal Information:

• Research Studies-Related Information. For Citizens participating in research studies being managed by Novella as a CRO, including patients, their spouses/partners, care givers, and relatives, clinical investigators or other study personnel, and other consultants, contractors, managers, and agents (who are natural persons) of the study sponsor and its corporate affiliates, business partners and third-party service providers, Personal Information may be used in order to carry out the applicable studies and other study-related services and/or pharmacovigilance. This may include the transfer of such Personal Information to the applicable study sponsor, its corporate affiliates, business partners and third-party service providers performing services related to the study (e.g., study data management, clinical research monitoring services, safety monitoring, etc.).

• Human Resources-Related Information. For Citizens who are Personnel, we will process Personal Information to carry out and support our human resources functions and activities, including but not limited to, employment opportunities, Personnel recruitment and onboarding, administration of Personnel participation in benefits, compensation and human resources plans and programs, management of Personnel performance, and implementation, investigation and reporting on compliance and discipline procedures and matters. Novella may provide Personal Information to Agents to support Novella in performance of these human resources-related activities.

• Customers and Program Participant Information. For Citizens sharing Personal Information with Novella in order to inquire about or otherwise make use of our services or purchase, receive or seek information, including about any health care products and services, opportunities to participate in clinical research, health care education and patient support programs which may be available through Novella, we will use such Personal Information in order to provide the requested information, products, and/or services. Such uses may include processing requested transactions, improving the quality of our services, sending communications about the products and services available through Novella, and enabling our business partners and Agents to perform certain activities on our behalf.

Novella may also use the Personal Information collected above to comply with our legal and regulatory obligations, policies and procedures, and for internal administrative purposes.

2. Choice: Novella will offer Citizens the opportunity to choose whether their Personal Information is (a) to be disclosed to a third party, or (b) to be used for a purpose materially different from the purpose for which it was originally collected or subsequently authorized by the Citizen.

Novella will not process Sensitive Personal Information about Citizens for purposes other than those for which the information was originally obtained or subsequently authorized by the Citizen unless the Citizen explicitly consents to the processing (“opt-in”), or as required or permitted, or where not prohibited by law or regulation.

In some cases, even if an Citizen opts-out of disclosures of their Personal Information, Novella may still disclose such Personal Information (i) if required to do so by law, (ii) if disclosure is required to be made to law enforcement authorities, or (iii) if we believe disclosure is necessary or appropriate to prevent physical harm to an Citizen or financial loss or in connection with an investigation of suspected or actual illegal activity. Novella also may transfer Personal Information when a material event concerning its business operation(s), assets or shares, such as purchase, disposal, merger, joint venture or acquisition, is proposed or occurs. In such an event, Novella will endeavor to direct the transferee to use Personal Information in a manner that is consistent with this Policy. Novella will provide Citizens with reasonable mechanisms to exercise their choices to the extent required by applicable law.

3. Accountability for Onward Transfer: Transfers to third parties are covered by the provisions in this Policy regarding notice and choice.

Novella may also share a Citizen’s Personal Information with Agents in connection with services that these Citizens or entities perform for, or with, Novella. Novella may, for example, provide a Citizen’s Personal Information to Agents for hosting our databases, for data processing services, or to send to that Citizen the information that he or she requested.

Novella may transfer Personal Information for specified, limited purposes, to an Agent and will endeavor to obtain assurances that such Agent provides at least the same level of privacy protection as is required by the Privacy Shield Principles and this Policy and will notify Novella if it makes a determination it can no longer meet this obligation.

Where Novella knows that any third party to whom it has provided Personal Information is using or disclosing Personal Information in a manner contrary to this Policy, Novella will take reasonable steps to prevent or stop the use or disclosure. With respect to such onward transfers to Agents, and to the extent Novella is responsible for the event, Novella shall remain liable should its Agents process Personal Information in a manner inconsistent with the Privacy Shield Principles and this Policy.

4. Security: Novella will employ reasonable and appropriate technical, administrative and physical safeguards designed to protect Personal Information in its possession from loss, misuse and unauthorized access, disclosure, alteration and destruction, taking into due account the risks involved in the processing and the nature of the Personal Information Novella is processing.

5. Data Integrity and Purpose Limitation: Novella endeavors to use Personal Information only in ways that are compatible with the purposes for which it was collected or subsequently authorized by the Citizen. Novella will take reasonable steps designed to ensure that only Personal Information that is relevant to its intended use, accurate, complete, current, and otherwise reliable in relation to the purposes for which the information was obtained is used by Novella for as long as Novella retains possession of such information. Novella’s Personnel have a responsibility to assist Novella in maintaining accurate, complete and current Personal Information. When acting as a CRO, Novella endeavors only to process Personal Information that is relevant to the services it provides, and only for purposes compatible with those for which the Personal Information was collected; wherever possible, such Personal Information is de-identified. Where Novella processes Personal Information as a CRO under the direction of its customers, Novella works with such customers so that the customers can provide a way for Citizens to correct or update their Personal Information.

6. Access: Novella will, on request, provide a Citizen with confirmation regarding whether Novella is processing Personal Information about them. In addition, upon request of a Citizen, Novella will take reasonable steps to correct, amend, or delete their Personal Information that is found to be inaccurate, incomplete or processed in a manner non-compliant with this Policy or the Privacy Shield Principles, except where the burden or expense of providing access would be disproportionate to the risks to that Citizen’s privacy, where the rights of persons other than the Citizen would be violated or where doing so is otherwise consistent with Privacy Shield Principles. Unless prohibited by applicable law, Novella reserves the right to charge a reasonable fee to cover costs for providing copies of Personal Information requested by Citizens. Novella, when acting as a CRO, has no direct relationship with medical research subjects participating in a clinical trial and any such Citizens who seek access, or who seek to correct, amend, or delete their inaccurate Personal Information should direct his or her query to the relevant study sponsor or investigator which has transferred such Personal Information to Novella for processing.

7. Recourse, Enforcement and Liability:

Novella encourages Citizens covered by this Policy to raise questions about the processing of Personal Information about them by contacting Novella through the contact information provided below. Any Personnel that Novella determines is in violation of this Policy will be subject to disciplinary action up to and including termination of employment, where applicable.

Any questions or concerns regarding the use or disclosure of Personal Information should also be directed to Novella through the contact information given below. Novella will investigate and attempt to resolve complaints and disputes regarding use and disclosure of Personal Information in accordance with the principles contained in this Policy.

In addition, Novella has agreed to cooperate with the JAMS EU-US Privacy Shield Program (“JAMS”) with respect to complaints of Citizens that are not Personnel of the Company and with the local data protection authorities with respect to Personnel and human resources related information. For more information and to submit a complaint to JAMS, visit https://www.jamsadr.com/eu-us-privacy-shield. Such independent dispute resolution mechanisms are available to Citizens free of charge. If any request remains unresolved, Citizens may have a right to invoke binding arbitration under Privacy Shield. The Federal Trade Commission has jurisdiction over Novella’s compliance with the Privacy Shield.

Limitation on Scope of Privacy Shield Principles

Adherence to these Privacy Shield Principles may be limited (i) to the extent required or allowed by applicable law, rule or regulation; (ii) to the extent necessary to respond to lawful requests by public authorities, including to meet national security, law enforcement, legal or governmental requirements; and/or (iii) to protect the health or safety of a Citizen.

CONTACT INFORMATION: Questions, comments, concerns or complaints regarding this Policy or Novella’s processing of Personal Information should be submitted to Novella at data.protection@novellaclinical.com.

RESERVATION OF RIGHTS: Novella reserves the right to share an Individual’s Personal Information and contracts with Agents as required or authorized by law or regulation or in response to duly authorized information requests of government authorities.

CHANGES TO THE PRIVACY POLICY: This Policy may be reviewed and amended from time to time, without advance notice, to ensure that an appropriate level of protection for Personal Information is maintained. All amendments will be posted on this website http://novellaclinical.com/novella-privacy-page/. Please check back periodically for updates to this Policy.