TurboRegs™ Terms and Conditions of Use

Effective as of Sep 01, 2019

Welcome to the TurboRegs^TM service, a collaborative regulatory document tool to facilitate and expedite processing between sponsor or sponsor delegate and investigative site. The following terms and conditions of use (together with any documents referred to herein, the “ Agreement”) apply to your use of the TurboRegs application located at www.turboregs.com (“TurboRegs”). You must acknowledge you have read and agree to the terms and conditions of this Agreement prior to creating an account with TurboRegs. If you do not agree to the terms and conditions of this Agreement, you may NOT use TurboRegs.

1. Binding Contract; Acknowledgements.

This Agreement is a legally binding agreement between you and Sharma Consulting, a New Jersey LLC (“Sharma Consulting”, “ we,” or “us”), the owner of TurboRegs. By creating an account with TurboRegs, you signify that you agree to this Agreement and agree to receive notices from and otherwise transact business with Sharma Consulting electronically. You further agree that you have read, understand and consent, without limitation, to the information disclosed in the TurboRegs privacy policy (the “ Privacy Policy”), which is incorporated herein by reference. You further confirm that you are 18 years of age or more, that you have your residence in the United States, that any registration information that you submit to TurboRegs is true, accurate and complete, and that you will update such information in order to keep it current. If you are using this website on behalf of your employer, you represent that you are authorized to accept these terms and conditions on your employer’s behalf.

2. Changes to the Agreement and Notices.

TurboRegs may modify or amend this Agreement at any time at our sole discretion. Changes will be communicated to you by posting a new version of the Agreement on the TurboRegs website at www.turboregs.com/terms or as otherwise determined by us in our sole discretion. Your continued use of TurboRegs after such notification of changes to this Agreement will constitute your acceptance of such changes. You may also be asked to re-acknowledge and reaccept this Agreement following certain material changes.

3. Registration; Authorization.

You can create an account with TurboRegs by visiting www.turboregs.com. You will provide an E-mail address, and will then will be prompted to set up your profile, including a user information and password (the “ Credentials”). These will be your Credentials for accessing TurboRegs. You agree that Sharma Consulting may use your Credentials to authenticate you on TurboRegs. You, not Sharma Consulting, shall be responsible for maintaining and protecting your Credentials and your Sensitive Information (as defined in Section 1.B of the Privacy Policy). If your contact information or other information relating to your account changes, you must notify us promptly and keep your information current. You are responsible for all activity on TurboRegs using your Credentials, including use by others to whom you have given your Credentials, whether or not you authorized such activity. You should immediately notify us of any unauthorized use of your account or if your E-mail or password has been hacked or stolen. If you discover that someone is using your password or account without your consent, or you discover any other breach of security, you agree to notify us immediately at help@turboregs.com

4. Limited License.

Subject to your compliance with the terms and conditions of this Agreement, you are granted a limited, non-exclusive, non-transferrable, and revocable license to make use of TurboRegs. You do not have a right to transfer or sublicense your rights under this Agreement. Third party components included in TurboRegs are licensed to you either under this Agreement or under the relevant third party component license terms, as applicable. In addition, certain open-source software included in TurboRegs is licensed to you pursuant to applicable open-source licenses. Your use of the licenses described herein is subject to the restrictions set forth in Section 9 below. Sharma Consulting reserves all rights not expressly granted herein.

5. Information Collected.

Use of TurboRegs requires you to electronically submit a suite of forms (the “Regulatory Packet”), which will be used to produce and complete a Statement of Investigator Form FDA 1572 to comply with 21 CFR 312.53(c). The Regulatory Packet includes, among other forms, curriculum vitae of listed personnel, medical licenses of listed personnel, financial disclosures in sponsor by listed personnel, IRB Membership list or DHHS#, local lab normal range, local lab certification, and local lab director curriculum vitae. For more information about information collected, you are directed to the Privacy Policy [LINK].

You agree that you will not upload or submit any information that you do not have the legal right to upload or submit, including without limitation Sensitive Information that contains third-party copyrighted material used without permission or Sensitive Information that violates other third-party proprietary rights.

6. Intellectual Property.

Content displayed on TurboRegs’ website (including, but not limited to, original works of authorship, text, graphics, logos, button icons, images, audio clips, data compilations, and software, and the compilation thereof) is the exclusive property of Sharma Consulting, our affiliates, our partners or our licensors, and is protected by patents, trademarks, service marks, copyrights, trade secrets or other intellectual property rights and laws, as applicable. You agree to abide by and maintain all copyright and trademark notices, information, and restrictions contained in any content accessed through TurboRegs.

The trademarks, logos, slogans, and service marks displayed on the TurboRegs website (collectively, the “Trademarks”) are the registered or unregistered marks of Sharma Consulting, our affiliates, our licensors or our partners, in the United States and other countries, and are protected by United States and international trademark laws. All other trademarks not owned by us, our affiliates, our partners or our licensors that appear on TurboRegs are the property of their respective owners, who may or may not be affiliated with or connected to Sharma Consulting. Except as set forth herein, or as required or permitted under applicable law, no portion of the TurboRegs website may be used, reproduced, duplicated, copied, sold, resold, accessed, modified, or otherwise exploited, in full or in part, for any purpose without our prior written consent.

7. Consent To Communication With You By E-Mail.

By establishing an account with us, you grant permission for TurboRegs to contact you at your e-mail address. To stop receiving our marketing emails, send an E-mail to us at support@TurboRegs.com or follow the opt-out procedures set forth in such marketing emails. Please note that TurboRegs will still need to communicate with you via email regarding your transactions and other account related issues, and that these emails are not marketing emails and are not eliminated through the foregoing opt-out procedures.

8. Execution of Agreements on TurboRegs.

You hereby agree to that TurboRegs provides the site as a location for you to execute the documents relating to the Regulatory Packet. When you execute your documents through TurboRegs, only you have rights and duties with respect to such documents. TurboRegs is not a party to any agreement, and shall not have any liability or responsibility whatsoever with respect to the validity or enforceability of any documents. The sole customer support function provided by TurboRegs is to answer questions regarding the functions of the site.

By delivering to TurboRegs copies of documents, you are authorizing TurboRegs to imprint thereon your signature and to distribute the executed version of such documents to the appropriate party. TurboRegs will not make any other use of such documents without your prior written authorization.

By signing documents on TurboRegs, you are consenting to electronic signatures. You are not required to use TurboRegs to execute documents. To withdraw your consent to electronic transactions and electronic signatures, stop using TurboRegs or print and sign your documents manually. Any decision to consent or not consent to current or future document execution does not have an effect on the legality of documents previously executed on TurboRegs.

ANY STATEMENTS MADE BY TURBOREGS ABOUT THE VALIDITY OF ELECTRONIC SIGNATURES ARE GENERAL IN NATURE AND ARE NOT INTENDED, AND SHOULD NOT BE CONSTRUED, AS LEGAL ADVICE. TURBOREGS HEREBY DISCLAIMS ANY RESPONSIBILITY FOR ENSURING THAT DOCUMENTS ELECTRONICALLY EXECUTED THROUGH TURBOREGS ARE VALID OR ENFORCEABLE UNDER THE LAWS OF ANY PARTICULAR STATE OR OTHER JURISDICTION. IF YOU WISH TO VERIFY THE VALIDITY OR ENFORCEABILITY OF ELECTRONIC SIGNATURES YOU SHOULD CONSULT A LICENSED ATTORNEY FOR APPROPRIATE LEGAL ADVICE.

9. Restrictions on Use.

You may use TurboRegs only for lawful purposes and in accordance with this Agreement. You are responsible for all of your activity in connection with TurboRegs. Any unauthorized use of TurboRegs by you or anyone under your control terminates the limited license set forth in Section 4 above, without prejudice to any other rights and remedies provided herein. For the avoidance of doubt, you agree that you may not (without limitation):

1. Use TurboRegs in any way that violates any federal, state, local or international law or regulation (including, without limitation, any law regarding the export of data or software to or from the US or other countries).
2. Use TurboRegs in any manner that could disable, overburden, damage, or impair it or interfere with any other party’s use of TurboRegs.
3. Use any other person’s or organization’s Credentials without their express authorization;
4. Reverse-engineer, decompile, disassemble, modify or create derivative works based on TurboRegs or any part thereof;
5. Circumvent any technology used by Sharma Consulting, its licensors, or any third party to protect data accessible through TurboRegs;
6. Rent or lease any part of TurboRegs;
7. Use TurboRegs in any way that violates the terms of this Agreement or any other Sharma Consulting policy;
8. Circumvent any territorial restrictions applied by TurboRegs;
9. Use any manual process to monitor or copy any of the material on TurboRegs or for any other unauthorized purpose without the prior written consent of Sharma Consulting.
10. Use any device, software or routine that interferes with the proper working of TurboRegs.
11. Introduce any viruses, trojan horses, worms, logic bombs or other material that is malicious or technologically harmful to TurboRegs.
12. Attempt to gain unauthorized access to, interfere with, damage or disrupt any parts of TurboRegs, the server on which TurboRegs is stored, or any server, computer or database connected to TurboRegs.
13. Attack TurboRegs via a denial-of-service attack or a distributed denial-of-service attack or otherwise attempt to interfere with the proper working of TurboRegs.

10. Audit Trail Management.

TurboRegs maintains an audit trail of all information processed through the application. An audit trail is a chronological record of the sequence of actions and events that occur within the application, and in particular within a specific Regulatory Packet. Audit trails include, among other things, recordation of creations, modifications and deletions, automatic time stamps, identification and prevention of modification. Audit trails are automatically added every time an action is taken within the application and cannot be modified.

11. Use of Computational Resources.

As consideration for your rights under this Agreement, you agree that Sharma Consulting has a right to allow TurboRegs to utilize the processor, bandwidth and storage hardware on your computer or other relevant device for the limited purpose of facilitating the communication and transmission of data to you and other TurboRegs users, and to facilitate the operation of the network on which TurboRegs runs. You are referred to the settings of your device for additional information relating to device performance in connection with your use of TurboRegs.

12. Term and Termination.

This Agreement will become effective immediately upon your creation of a TurboRegs account and acceptance of this Agreement by checking the box marked “I have read and agree to the ‘Terms and Conditions of Use/Privacy Policy’” prior to logging in to TurboRegs for the first time, and will remain effective until cancellation of your account by you or termination by Sharma Consulting pursuant to this Agreement. You may cancel your TurboRegs account at any time by sending an E-mail to [help@turboregs.com]. Sharma Consulting reserves the right to terminate this Agreement or suspend your TurboRegs account at any time in case of unauthorized, or suspected unauthorized use of TurboRegs whether in contravention of this Agreement or otherwise. If Sharma Consulting terminates this Agreement, or suspends your account for any reason, Sharma Consulting shall have no liability or responsibility to you.

13. Representations and Warranties; Limitation of Liability.

Your use of TurboRegs is at your sole risk. The services provided by TurboRegs are provided on an “as is” and “as available” basis. To the fullest extent possible under applicable law, Sharma Consulting disclaims and gives no warranty, express or implied, including without limitation any warranty as to the quality, accuracy and availability or fitness for a specific purpose of TurboRegs or warranty of title or non-infringement.

Sharma Consulting does not warrant that: (i) the service will meet your specific requirements; (ii) the service will be uninterrupted, timely, secure, or error-free; (iii) the results that may be obtained from the use of the service will be accurate or reliable; (iv) the quality of any products, services, information, or other material obtained by you through the service will meet your expectations; OR (v) any errors in the service will be corrected.

You agree that Sharma Consulting will not be responsible, under any circumstances, for: (a) inability to use TurboRegs; (b) loss of profits; (c) business interruption; (d) corruption of files; (e) loss of business information; (f) loss of data; (g) service interruption; (h) computer viruses or device failure; (i) pecuniary loss; (j) unauthorized access to or alteration of your transmissions or data; (k) statements or conduct of any third party; (l) loss of communication between TurboRegs and any third party multimedia; or (m) any other events beyond our control.

FURTHER, TO THE MAXIMUM EXTENT PERMITTED BY LAW SHARMA CONSULTING WILL NOT BE LIABLE FOR ANY INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES OF ANY KIND (INCLUDING LOST PROFITS) RELATED TO TURBOREGS REGARDLESS OF THE FORM OF ACTION WHETHER IN CONTRACT, TORT (INCLUDING NEGLIGENCE), OR OTHERWISE, EVEN IF WE HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. IN NO EVENT SHALL OUR MAXIMUM AGGREGATE LIABILITY EXCEED ONE HUNDRED DOLLARS ($100).

14. Indemnification.

You agree to defend, indemnify and hold harmless Sharma Consulting, its affiliates and licensors and their respective officers, directors, employees, contractors, agents, licensors and suppliers from and against any claims, liabilities, damages, judgments, awards, losses, costs, expenses or fees (including but not limited to reasonable attorneys’ fees) resulting from your violation of any laws or regulations, this Agreement, or your use of TurboRegs.

15. Technology Limitations; Connection to the Internet.

Sharma Consulting will make reasonable efforts to keep TurboRegs operational. However, certain technical difficulties or maintenance may, from time to time, result in temporary interruptions. Sharma Consulting reserves the right at any time and from time to time to modify or discontinue, temporarily or permanently, functions and features of TurboRegs with or without notice.

16. Dispute Resolution and Choice of Law.

With respect to any dispute regarding TurboRegs or this Agreement, your rights and obligations and all actions contemplated by this Agreement shall be governed by the laws of the State of New York, as if the Agreement were a contract wholly entered into and wholly performed within New York. Any dispute relating in any way to TurboRegs shall be submitted to confidential arbitration in New York, except that, to the extent you have in any manner violated or threatened to violate our intellectual property rights, we may seek injunctive or other appropriate relief in New York, and you consent to exclusive jurisdiction and venue in such courts. Arbitration under this agreement shall be conducted under the rules then prevailing of the American Arbitration Association. The arbitrator’s award shall be binding and may be entered as a judgment in any court of competent jurisdiction. To the fullest extent permitted by applicable law, no arbitration under this Agreement shall be joined to an arbitration involving any other party subject to this Agreement, whether through class arbitration proceedings or otherwise.

17. Privacy.

You agree that Sharma Consulting has a right to collect and process your personal information in accordance with the Privacy Policy, the terms of which are incorporated herein by reference.

18. No Agency Relationship.

Neither this Agreement nor any content, materials or features of TurboRegs create any partnership, joint venture, employment, or other agency relationship between you and Sharma Consulting. You may not enter into any contract on our behalf or bind us in any manner.

19. Assignment.

Sharma Consulting may assign this Agreement or any part of it without restrictions. You may not assign this Agreement or any part of it to any third party.

20. Entire Agreement.

This Agreement, which includes by reference the Privacy Policy, constitutes all the terms and conditions agreed upon between you and Sharma Consulting and supersedes any prior agreements in relation to the subject matter of these Agreements, whether written or oral. Any additional or different terms or conditions in relation to the subject matter of these Agreements in any written or oral communication from you to Sharma Consulting are void. You agree and accept that you have not accepted the terms and conditions of this Agreement in reliance of or to any oral or written representations made by Sharma Consulting not contained in this Agreement.

21. Severability.

Should any provision of this Agreement be held invalid or unenforceable, for any reason or to any extent, such invalidity or enforceability shall not in any manner affect or render invalid or unenforceable the remaining provisions of this Agreement and TurboRegs shall be enforced to the extent permitted by law.

22. Contacting Us.

If you have any questions concerning TurboRegs or this Agreement, please let us know by sending an E-mail to info@turboregs.com.

Copyright © 2019 Sharma Consulting LLC. All rights reserved.
Sharma Consulting LLC, 102 Christopher Columbus Dr., Apt 909, Jersey City, NJ 07302

TurboRegs™ Privacy Policy

Effective as of Sep 01, 2019

Sharma Consulting Corporation, a New York corporation (“Sharma Consulting”, “we” or “ us”), develops and provides TurboRegs™, a collaborative regulatory document tool between sponsor and investigative site. In order to allow investigative sites to create, update, track and store FDA form 1572s with supplemental documentation for clinical trial initiation and compliance, Sharma Consulting will require users to upload certain sensitive information and will automatically collect other information in connection with your use of TurboRegs (unless defined herein, all capitalized terms shall have the meaning set forth in the TurboRegs Terms and Conditions of Use). This privacy policy (the “ Privacy Policy”) describes our privacy practices and what information we may collect from you and what we will and will not do with that information.

1. Collection and Utilization of Information.

A. User Information. When you create a TurboRegs account is created for you, we will request and you will provide us with certain information such as your name, discipline, contact names, postal addresses, phone numbers, E-mail addresses, and the URL from which you are signing into TurboRegs.

B. Regulatory Packet. Further Use of TurboRegs requires you or your sponsor to electronically submit a suite of forms (the “Regulatory Packet”), which will be used to produce and complete a Statement of Investigator Form FDA 1572 to comply with 21 CFR 312.53(c). The Regulatory Packet includes, among other forms, curriculum vitae of listed personnel, medical licenses of listed personnel, financial disclosures in sponsor by listed personnel, IRB Membership list or DHHS number, local lab normal range, local lab certification, and local lab director curriculum vitae.

Necessarily, the Regulatory Packet will include sensitive personal, professional, financial and other data typically provided in Form FDA 1572 (the “Sensitive Information”). All Sensitive Information will be uploaded to TurboRegs’ servers for access by you or your sponsor and shall be stored and/or backed-up on TurboRegs’ secure servers or on servers of trusted third parties as necessary, and in accordance with TurboRegs’ then-current storage practices.

As part of the Regulatory Packet, TurboRegs does not require or request that users provide social security or tax identification numbers. If users choose to include such information in documents included in the Regulatory Packet, TurboRegs will take all necessary precautions to protect and prevent unauthorized disclosure or access to such information pursuant to this Privacy Policy. Should you choose to provide such information as part of a Regulatory Packet, you are consenting to transmission as set forth herein.

We will not share Sensitive Information with others without your permission. We are working to offer the ability to export data and other information from your account to a readable format at any time during or after the Term of this Agreement.

C. Automatic Collection. In addition, when you use TurboRegs, we will automatically receive information relating to your use of TurboRegs, including all data inputted into TurboRegs’ fields, all inputted and uploaded Sensitive Information (as defined in Section 1.B above), your internet protocol address, data relating to performance of your network and computer or device, language and identifying information, and your operating system.

D. Cookies. We may also store information about you using cookies (files which are sent by us to your computer or other access device) that we can access when you visit TurboRegs. We do this to help improve the user experience of TurboRegs. If you want to delete any cookies that are already on your computer or device, please refer to the instructions for your file management software to locate the file or directory that stores cookies. Please note that by deleting our cookies or disabling future cookies you may not be able to access certain areas or features of TurboRegs.

E. Additional. We may also, from time to time, collect information from you through surveys in which you may choose to participate.

F. Our Usage. We will use your information and the data we collect: (i) to prepopulate an FDA form 1572 with forms to supplement a complete Regulatory Package; (ii) to communicate with you concerning your account, customer service issues and TurboRegs; (iii) to personalize and improve the services provided through TurboRegs; (iv) to ensure the technical functioning of TurboRegs; (v) to develop new products and services; and (vi) as otherwise stated in this Privacy Policy.

2. Sharing Information with Third Parties.

Unless you give us your explicit approval and except as outlined in Section 1 above, we will only share your information as is necessary to:

a. Enforce the TurboRegs Terms and Conditions of Use.

b. Comply with laws, regulations and any applicable court orders or to respond to requests from governmental or administrative bodies or to comply with litigation matters or other legal process, and/or to establish or exercise our legal rights or defend against legal claims.

c. Allow for a change of ownership of TurboRegs (including but not limited to an acquisition by or merger with another company) and related transfer of all personal information to the new owner in which case any information remains protected in accordance with this Privacy Policy. See Section 10 below.

d. Allow us to use a third party to perform surveys measuring your experiences and use of TurboRegs (not permitting the third party to use your Sensitive Information for any other purpose).

e. Allow us to share aggregated statistics and information with parties with whom we do business.

3. Service Providers, Business Partners and Others.

TurboRegs may also use certain trusted third party companies and individuals to help provide, analyze, and improve TurboRegs (including but not limited to data storage, maintenance services, database management, web analytics, payment processing, and improvement of TurboRegs’ features). These third parties may have access to your information only for purposes of performing these tasks on TurboRegs’ behalf and under obligations similar to those in this Privacy Policy. As of the date this policy went into effect, Sharma Consulting uses Amazon Web Services to store and manage your information.

4. Transfer of Personal Information to other Countries.

Should Sharma Consulting transfer and process your information on a server outside the United States, we will use our best efforts to do so in accordance with this Privacy Policy and applicable law. By approving the Privacy Policy, you consent to such transfer of your personal information.

5. Security.

We know the value of your information, and we take security extremely seriously. We take a number of steps to keep your information secure from unauthorized access. For example, we ask you to use a unique and strong password and not to share this information with anyone. In addition, we use secure encryption with open SSL and x509 certificates to limit access to the systems that store your personal information. Further, we respect and comply with applicable laws and regulations on data protection. Additionally TurboRegs makes every reasonable effort to maintain compliance with the requirements of 21 CFR Part 11, including but not limited to, the internal security and audit trail requirements thereof, as discussed in more detail in Section 10 of the TurboRegs Terms and Conditions of Use.

You are responsible for maintaining the security of your user access name and related password. While we work extremely hard to safeguard your information once we receive it, please be aware that no transmission of data over a public network or storage of data on a cloud network can be guaranteed to be 100% secure.

6. Personal Information and Corrections.

You can access and update by sending a request to help@turboregs.com. We will endeavor to respond to your request upon verification of your identity within a reasonable period of time, and to the maximum extent practical.

7. Changes to this Privacy Policy and Notices.

Sharma Consulting reserves the right to make changes to this Privacy Policy in its sole discretion. If we make any changes to this policy we will notify you by posting the new version of the policy at www.turboregs.com/privacy. It is your sole responsibility to periodically monitor the website for such postings. You may also be asked to re-acknowledge and reaccept this policy following any material changes.

Please note that by accepting the TurboRegs Terms and Conditions of Use, you consent to the collection and processing of your personal information as described herein. Your continued use of TurboRegs following the posting or other notice of changes to this Privacy Policy will constitute an acceptance of such changes.

8. Third Party Websites.

TurboRegs may contain links to third party websites. Please be aware that we are not responsible for the privacy practices of other websites. This Privacy Policy applies only to the information we collect through TurboRegs. We encourage you to read the privacy policies of other websites you link to from our website or otherwise visit.

9. Opt-out.

Subject to Section 7 of the TurboRegs Terms and Conditions of Use, you may opt out of receiving future E-mail communications from us by E-mailing us at support@turboregs.com.

10. Ownership Changes.

In the event that TurboRegs becomes owned or controlled by other individuals or entities, the information we have collected about you through TurboRegs or otherwise may be transferred to such other individuals or entities. In such an event, this Privacy Policy will continue to apply to the information gathered about you through TurboRegs until you are notified otherwise or a change is made to this policy and posted or notified as provided above.

11. Contacting Us.

If you have any concerns, questions or thoughts on how we can improve the Privacy Policy, please let us know by sending an E-mail to help@turboregs.com.

Copyright © 2019 Sharma Consulting LLC. All rights reserved.
Sharma Consulting LLC, 102 Christopher Columbus Dr. Apt 909, Jersey City, NJ 07302

The EU General Data Protection Regulation("GDPR")

–Information to Principal Investigator

(Effective as of 01 Sep 2019)

TurboRegs™/Study Budget Pro™ GDPR Compliance Statement

Introduction

You are receiving this information because you are a Principal Investigator (study team),affiliated within the European Economic Area("EEA"),currently engaged in a clinical trial supported by TurboRegs™.Therefore,the EU General Data Protection Regulation(GDPR) will apply to the collection of trial data performed as part of this clinical trial. The purpose of this communicationis to clarify how GDPR applies to clinical research,and to request your collaboration in executing the actions described below.

The GDPR replaces the current Data Protection Directive 95/46/EC as of 25th May,2018. It was designed to harmonize data privacy laws across Europe, to strengthen the privacy rights of EU residents,and to reshape the way organizations across the region approach data privacy protection.

You as Principal Investigator (study team), as well as your institution, and we,as Supporters of this clinical trial,have committed in our mutual Clinical Trial Agreement to comply with applicable data protection laws. In particular,when processing Personal Information 1 of your investigation staff and of trial subjects,that data should be protected in accordance with applicable laws and regulations, including the GDPR.

The information in this document is intended for you,as Principal Investigator and for your investigational staff.It is not to be provided to trial subjects, although it provides guidance to you and your investigational staff on how to respond to questions from trial subjects.

Requested actions

1 Personal Information(a/k/a"personal data") is defined as any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier such as a name, an identification number,location data,an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic,cultural or social identity of that natural person.

Key additional responsibilities under GDPR

Transparency obligations under GDPR

One of the core building blocks of GDPR's enhanced rights for individuals is the requirement for greater transparency with respect to the purpose and use of the personal data collected about them.Information must be provided to data subjects in a concise,transparent,and easily accessible form,using clear and plain language.The Supporter has developed the following process to address this requirement.

Providing Trial Subjects (if applicable)with additional information as required under GDPR:

The Supporter/CRO will provide the Clinical Site with a Notice of Privacy Rights for Clinical Trial Participants With few exceptions,the Principal Investigator or his/her investigational staff must provide a physical copy of this Notice to Trial Subjects that are currently engaged in the Trial.Typically,this is done at the next time the trial subject is visiting the clinical site

Once the trial subject receives the Notice, this is documented using the Notice Log. See Appendix 4.See Appendix 1–Frequently Asked Questions.

Providing investigational staff with additional information as required under GDPR:

Provide a copy of the Privacy Notice towards Principal Investigator and investigational staff to all current staff members.See appendix 2.

Data Subject Rights (If applicable)

GDPR provides data subjects within the European Economic Area(EEA) with expanded rights intended to strengthen and enhance the data subjects’ abilities to control how their personal information is processed. However,it should be recognized that the applicability of these rights depends on the legal basis for the processing,as well as limitations that may be introduced by other laws.See Appendix 1 – Frequently Asked Questions for more information on how to address data subject right request from Trial Subjects.

Incase of a Data Breach/Privacy Incident2

GDPR is introducing a mandatory data breach notification requirement as specified in GDPR article 33.We recognize that this Data Breach notification requirement may apply to the Supporter, third parties performing activities on behalf of the Supporter, as well as the Principal Investigator or Institution, depending on the nature of the data breach and the data that is impacted.Consequently, we would appreciate your timely notification to use of any Privacy Incident that may result in a breach.See Appendix 1 – Frequently Asked Questions for information on how to handle a Privacy Incident.

Data Protection Impact Assessments

GDPR introduced a requirement to perform a data protection impact assessment(DPIA) for certain types of processing activities, for example, when processing Personal Information using new technologies. The DPIA should also take into account the nature,scope,context and purposes of the processing.,In the event the data protection impact assessment indicates that the processing would result in a high risk,in the absence of measures taken by the controller to mitigate the risk,the supervisory authority should be consulted before the processing of Personal Information. See appendix 1–Frequently Asked Questions on how this requirement may apply to an ongoing Clinical Trial.

2 A breach of security leading to the accidental or unlawful destruction, loss, alteration,unauthorized disclosure of,or access to,Personal Information data transmitted, stored or other wise processed.

Appendix 1– Frequently Asked Questions

A. Data Subject Rights(N/A for current use case of TurboRegs™)

What do I do if a Trial Subject asks for access to his/her coded information,which has been provided to the Supporter?

The right to access may apply, but may be limited while the study is ongoing, providing access to data may not be permitted,considering regulations and laws that apply to clinical research.E.g.some data may not be provided until after the study is completed. You may reach out to the Project Manager for guidance and support as may be required.

What should I do if a Trial Subject requests a copy of their Personal Information(including any coded data)in a commonly used electronic format?

The right to portability is dependent on the legal basis for the processing of data. We recognize that this right may apply, depending on the local position of the data protection authority. If this right applies, the right is limited in that all in formation cannot be provided until the trial is completed, due to regulatory requirements that apply in Clinical Research.You may contact the Project Manager for guidance and support as may be necessary.

What should I do if a Trial Subject requests that his/her data be corrected?

Any correction of data should be done in accordance with Good Clinical Practice3 on how changes to clinical data should be carried out.The standard processes how to manage data changes at the Clinical Site should be applied.In case of questions you may contact the Project Manager for additional guidance. 3 See ICH GUIDELINE FOR GOOD CLINICAL PRACTICE E6(R1)Section4.9.3.

What should I do if a Trial Subject asks that his/her data(including any coded data) to be deleted?

Data that is collected and processed per the Clinical Study Protocol cannot be deleted due to laws and regulations that apply in clinical research. For situations where Personal Information of the Trial Subject is processed and such processing is not required by the clinical study protocol,the deletion right may apply and should be assessed on a case by case basis.Please contact Supporter/CRO in such situations.

What should I do if a Trial Subject objects to the processing of his/her Personal Information?

A Trial Subject may have the right to object to certain processing of his/her data.

If a Trial Subject objects to all processing of his/her data,it may be required that he/she withdraw from participating in the trial,since the processing of some personal data is a critical part of any trial.

Any objection from a Trial Subject should be forwarded to the Project Manager,to ensure that the Supporter can appropriately evaluate such an objection and provide guidance to the site.

What do I do if a Trial Subject would like to get a copy of the safeguards that the Supporter is using for any transfer of the coded data to parties based outside of the European Economic Area?

Contact the Project Manager.The Project Manager may need to engage the Supporter’s Data Protection Officer to respond to the request.

B. Privacy Notice/Informed Consent(N/A for current use case of TurboRegs™)

I understand that the Trial Subject may have the right to receive additional information about the processing of their Personal Information(including any coded data).How will this be managed?

The Supporter has developed a Notice of Privacy Rights for Clinical Trial Participants document that must be provided to all Trial Subjects,as described in the section about "Providing Trial Subjects with additional information as required under GDPR" above.

Further guidance may be provided by the Project Manager considering that the situation may be different per country,and there is a dependency with the local ethic committees and the position of the local data protection authority.

Will Trial Subjects need to sign this Notice of Privacy Rights for Clinical Trial Participants?

No, the Trial Subject does not need to sign the Notice.However,when the Trial Subject is provided the Notice of Privacy Rights for Clinical Trial Participants,it must be documented using the Notice Log.See Appendix 4.

Do I need to provide this Notice of Privacy Rights for Clinical Trial Participants to Trial Subjects that have completed their last visit,and there is no additional data that will be collected from the Trial Subject?

No; however,you must use the Notice Log, in Appendix 4 to document that the Trial Subject will not receive the Notice of Privacy Rights for Clinical Trial Participants because he/she has completed the trial.

How do I handle Trial Subjects who will not have any more visits,but where additional data will be collected e.g.via phone or similar?

The Notice of Privacy Rights for Clinical Trial Participants should be sent by mail to the Trial Subject. This must be documented in the Notice Log. See Appendix 4.

Will Trial Subjects need to sign a new Informed Consent Form due to GDPR?

We do not believe this will be required.Rather, Trial Subjects will be provided with a Notice of Privacy Rights for Clinical Trial Participants that will inform them of their rights under GDPR.However, we recognize that the situation may be different from country to country,and there is a dependency with the local ethic committees and the position of the local data protection authority. Further guidance may be provided by the Project Manager. C.Other

What is the legal basis for the processing of Personal Information about Trial Subjects?

On16th of April2018,he Article29 Working Party 4 issued a guidance on consent (wp259rev.01),in which it was stated that the consent obtained in clinical research from Trial Subjects is not necessarily the legal basis for processing their Personal Information.

The Supporter’s position is that processing of Personal Information concerning Trial Subjects is based on the regulations and laws that apply to clinical research.Such regulations require the study site to collect and the Supporter to analyze such data before they are submitted to regulatory authorities.In addition,the legal basis can be the performance of the scientific research that is referenced in the consent form signed by the Trial Subject.

There are other legal grounds that may apply as well in certain situations,such as that the processing is required for the vital interest of the subject e.g.in case of a significant patient safety concern,or due to a public interest in the area of public health.

We recognize that there are still discussions about this topic with in the industry and realize that the local positions may potentially differ. 4 The article29 working party is an advisory body made up of a representative from the data protection authority of each EU Member State,the European Data Protection Supervisor and the European Commission.

What do I do in case of a Privacy Incident?

For any privacy incident that relates to data where the owner is the Supporter as defined in the Clinical Trial Agreement,you should immediately inform the Project Manager.The information to the Project Manager should include the nature of the privacy incident,the categories and approximate number of Trial Subjects whose data was compromised,and Personal Information records impacted by such privacy incident.We request you as Principal Investigator and the Institution to fully cooperate with the Supporter,to investigate and resolve any such privacy incident and provide Supporter any information necessary to provide notifications to the impacted Trial Subjects.

Incase a privacy incident relates to a system,or processing activity under the sole control of the Institution,the Institution will be responsible for managing such Incident.However,you should also inform the Project Manager incase any source data that may relate to the Clinical Trial may be impacted in such a privacy incident.

Is there a need to do a Data Protection Impact Assessment,and will the Clinical Site need to be engaged in such an activity?

The Data Protection Impact Assessment requirement does not apply retrospectively,so it is not likely that the Clinical Site will need to support such an effort for any processing of Personal Information under the Clinical Trial Agreement.However,incase new technology, such as a wearable device collecting health data,is introduced in an ongoing trial, such change may require a Data Protection Impact Assessment.You will be requested by the Supporter incase there is a need for the Clinical Site to support the execution of any Data Protection Impact Assessment.

Who is the data controller and for what kind of data?

The Supporter is a data controller for any processing the data that is provided to the Supporter,and that may be specifically processed as instructed by the Supporter using tools that is provided by the Supporter to perform the research.

The Clinical Site is a data controller for data processing activities under the sole responsibility of the site such as entering of data in the Electronic Medical Record System,and processing data for the care of the patient.

The Clinical Site may be seen as a data processor for processing activities that is specifically executed as required by the Study Protocols instructed by the Supporter using tools provided by the Supporter.Entering key‐coded data in the eCRF would be an activity,where the Clinical Site is acting as a data processor.

Appendix 2– Privacy Notice for Principal Investigator and investigational staff (“Notice”)

This Notice explains the personal information handling practices of Supporter with respect to information about the Principal Investigator and any investigational staff.It explain show Supporter collects personal information,and with whom Supporter may share it.It also explains the rights the Principal Investigator and any investigational staff have with regard to this personal information.This Notice applies to all personal information,regardless of whether the information is stored electronically or in hard copy.

This Privacy Notice should be provided by the Principal Investigator to any investigational staff.

Privacy Notice–Principal Investigator and investigational staff

Personal Information Collection

Supporter and agents processing personal information on behalf of Supporter,collect and process personal information about you.This information may come directly from you,from the Institution that you are affiliated with for purposes of this clinical research,or from public or third‐party information sources.

The types of personal information that Supporter collects depends on the role you have with Supporter and/or its affiliates,as well as applicable laws,and may include the following categories of information:

Name;

Contact information(e.g.address,telephone number,e‐mail address);

Age and/or date of birth;

Government identification number(if applicable);

Training and qualifications,including information that you have a valid,active medical or professional license,as applicable,and are not debarred by a competent health authority;

Organizational or institutional affiliations;

Professional programs and activities in which you may have participated;

Financial information relating to,among other matters,compensation and reimbursement payments for clinical trial activities;

Engagement or interaction with Supporter or its affiliates,or their products and services;

Information obtained via survey sand other direct interactions with you.

How Supporter Uses and Discloses Personal Information

Personal information about you will be processed for the following purposes to meet Supporter’sand/or its affiliates’ obligations under applicable laws and regulations, and as necessary to fulfill the Clinical Trial Agreement:

To assess if you are suitable for acting as Principal Investigator or investigational staff in relation to the clinical trial;

To provide training,and access to tools and other resources that may be required for the execution of the clinical trial;

To manage the clinical trial, including to monitor and audit clinical trial activities;

To prepare and submit regulatory filings,correspondence,and communications to government authorities concerning the clinical trial;

To conduct safety reporting and pharmacovigilance activities relating to the clinical trial;

To publish results of the clinical trial as defined in the Clinical Trial Agreement;

investigational staff in order to comply with transparency reporting laws,including but not limited to the US Physician Payments Sunshine Act and implementing regulations,as well as industry codes of practice or standards to which Supporter and/or Supporter’s affiliates are subjector

As other wise required under applicable law,or necessary to fulfill the Clinical Trial Agreement.

Personal information about you will be processed for the following purposes based on Supporter’ sand its affiliates’ legitimate interest under law:

To consider,from time to time,potential sites and investigators for future clinical trials;and To conduct surveys,manage internal studies,improve processes and practices related to the execution of clinical trials and other activities related to medical research.

To accomplish the above mentioned purposes,personal information is made available to:

Other affiliates of the TurboRegs Family of Companies and the irrespective agents.;

Government Authorities and ethics committees in jurisdictions around the world;

Agents,such as contract research organizations or other third‐party service providers,processing Personal Information on behalf of Supporter.

Cross Border Transfer

Your personal information may be stored and processed in any country where Supporter and its affiliates have facilities or agents, including the United States. Some non‐European Economic Area (EEA) countries are recognized by the European Commission as providing an adequate level of data protection according to EEA standards (the full list of these countries is available here:https://www.littler.com/gdpr/EEA.For transfers from the EEA to countries not considered adequate by the European Commission,Supporter has ensured that adequate measures are in place,including by ensuring that the recipient is bound by the EU Standard Contractual Clauses,or has certified to the EU‐US Privacy Shield, or has implemented an EU‐approved code of conduct or certification, to protect personal information.You may obtain a copy of these measures by contacting our EU Data Protection Officer in accordance with the “Contacting Supporter” section below.

Data Subject Rights

If you would like to review,correct,update,restrict,or delete personal information that Supporter may have inits systems,or if you would like to request to receive an electronic copy of your personal information for purposes of transmitting it to an other company(to the extent these rights are provided to you by applicable law),you may contact Supporter as specified in the “Contacting Supporter”section.Supporter will respond to the request in accordance with applicable law.Please note,however,that certain personal information may be exempt from requests pursuant to applicable data protection laws,or other laws and regulations.

Retention Period

Supporter will retain your personal Information for as long as needed or permitted considering the purpose(s)for which it was obtained.The following criteria are used to determine the proper retention period:(i) the length of time Supporter has an ongoing relationship with you;(ii)whether there is a legal obligation to which Supporter or its affiliates are subject;and(iii) whether retention is advisable in light of Supporter’s legal position(such as in regard to applicable statutes of limitations,litigation,or regulatory investigations).

Contacting Supporter

The Supporter can be contacted as specified below:

info@turboregs.com

You may also contact the Data Protection Officer responsible for the relevant country or region,if applicable,at swadesh@turboregs.com.Incase of contacting the Data Protection Officer,information such as country location,as well as clinical trial number/name should be included to allow the request to be managed appropriately.

Lodging a Complaint with a Regulator

You may lodge a complaint with a supervisory authority competent for your country or region.Contact information can be located here: http://ec.europa.eu/justice/data‐protection/article‐29/structure/data‐protection‐authorities/index_en.htm