Data Processing Agreement

Data Processing Agreement
Medical Screenings Unlimited, Inc.

Last Updated March 16, 2026

MSU Data Processing Agreement (“DPA”)

1. Definitions
   
   1. “Data Protection Legislation” means, as applicable:
      (i) Regulation (EU) 2016/679 (the “GDPR”), solely to the extent it applies to the processing of Personal Data under the Agreement;
      (ii) the California Consumer Privacy Act, as amended by the California Privacy Rights Act (“CCPA/CPRA”); and
      (iii) any other applicable data protection or privacy laws and regulations that apply to the processing of Personal Data under the Agreement, including any implementing, amending, or replacing legislation.
   2. “Data Processor,” “Data Controller,” “Data Subject,” “Processing,” “Subprocessor,” and “Supervisory Authority” shall have the meanings given to them under the GDPR, to the extent such terms are applicable under Data Protection Legislation.
   3. “Service Provider” shall have the meaning set forth under the CCPA/CPRA, as applicable.
   4. “Personal Data” means any information relating to an identified or identifiable natural person that is processed by MSU on behalf of Customer in connection with the provision of the SaaS Services, where MSU acts as a Data Processor or Service Provider under applicable Data Protection Legislation.
   5. “Data Subject Request” means a request by or on behalf of the Data Subject to exercise any applicable rights relating to Personal Data under Data Protection Legislation, including requests for access, deletion, correction, restriction, or portability, as applicable.
   6. All other capitalized terms in this DPA shall have the same definition as in the Agreement.
2. Data Protection

   When MSU Processes Personal Data while providing the Services to you, MSU will:

   1. Process the Personal Data as a Data Processor and/or Service Provider solely for the purpose of providing the Services in accordance with Customer’s documented and lawful instructions, provided that such instructions are consistent with the functionalities of the Services and applicable Data Protection Legislation. If MSU is required by law to process the Personal Data for any other purpose, MSU will provide prior notice of such requirement to the extent permitted by law.
   2. notify you if, in MSU’s opinion, your instruction for the Processing of the Personal Data infringes applicable Data Protection Legislation.
   3. notify you promptly, to the extent permitted by law, upon receiving an inquiry or complaint from a Supervisory Authority relating to MSU’s Processing of Personal Data.
   4. implement reasonable technical and organizational measures to assist Customer in fulfilling Data Subject Requests that Customer is obligated to respond to under applicable Data Protection Legislation.
   5. implement and maintain appropriate technical and organizational measures to protect the Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, damage, theft, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorized or unlawful processing, accidental loss, destruction, damage, or theft of Personal Data and appropriate to the nature of the Personal Data which is to be protected.
   6. Upon request, provide reasonable information to assist Customer in completing data protection impact assessments or similar assessments required under applicable Data Protection Legislation.
   7. provide you, upon request, with up-to-date attestations, reports, or extracts, where available, from a source charged with auditing MSU data protection practices (e.g., external auditors, internal audit, data protection auditors), or suitable certifications, to enable you to assess compliance with the terms of this DPA.
   8. upon becoming aware of and confirming any accidental, unauthorized, or unlawful processing of, disclosure of, or access to the Personal Data, notify Customer as soon as commercially reasonable.
   9. ensure that its personnel who access the Personal Data are subject to confidentiality obligations that restrict their ability to disclose the Data Subject’s Personal Data; and
   10. upon termination of the Agreement, MSU will, in accordance with applicable law and the Agreement, promptly initiate its process to delete or anonymize Personal Data processed on behalf of Customer, except to the extent retention is required or permitted by law. Upon Customer’s written request within sixty (60) days of termination, MSU will provide Customer with a copy of such Personal Data, where technically feasible.

   While providing the Services, Customer acknowledges and agrees that MSU may engage Subprocessors to process Personal Data. MSU will ensure that any Subprocessor is bound by written obligations that provide a level of data protection substantially equivalent to those set forth in this DPA. Where required by applicable law, MSU will provide notice of new Subprocessors and, if Customer has a reasonable and documented objection, the parties will work in good faith to address such objection. If the objection cannot be reasonably resolved, Customer may terminate the affected Services in accordance with the Agreement.

3. Miscellaneous
   
   1. In the event of any conflict or inconsistency between the provisions of the Agreement and this DPA, the provisions of this DPA shall control with respect to the subject matter herein. For the avoidance of doubt and to the extent permitted by applicable law, all liability arising under this DPA, including any limitations of liability, shall be governed by the relevant provisions of the Agreement.
   2. MSU may amend this DPA from time to time by posting an updated version on MSU’s website at a designated DPA URL. Any such amendments will be effective as of the date of posting. Customer’s continued use of the SaaS Services following the effective date of an updated DPA constitutes acceptance of the amended DPA. If Customer does not agree to any amendment, Customer may discontinue use of the affected Services in accordance with the Agreement.