Data Processing Amendment

1. Definitions & Interpretation

1.1 Data Controller

The entity that enters into the Agreement with Lens Health Technologies and determines the purposes and means of the processing of Personal Data (the "Controller").

The Controller may designate Lens Health Technologies as a technical contact for operational matters related to processing; however, this does not affect the Controller's role or responsibilities under Data Protection Laws.

1.2 Data Processor

Organisation: Lens Health Technologies Ltd
Hereafter referred to as the "Processor"

The Processor shall process Business and Personal Data on behalf of the Controller strictly in accordance with the Controller's documented instructions and in compliance with applicable Data Protection Laws.

1.3 Roles of the Parties

For the purposes of applicable Data Protection Laws:

  • Customer = Controller — The Customer determines the purposes and means of the processing of Personal Data.
  • Lens Health Technologies (SaaS Provider) = Processor — Lens Health Technologies processes Personal Data solely on behalf of the Customer and in accordance with the Customer's documented instructions.

1.4 Details of Processing

(a) Nature of Processing

The Processor provides a software-as-a-service platform that enables the Customer to:

  • Record, store, manage, and analyse operational and care-related information
  • Support administrative, operational, and decision-support workflows within care environments
  • Facilitate communication and reporting functions within the Customer's organisation

Processing activities include the collection, storage, organisation, structuring, retrieval, consultation, and transmission of Business and Personal Data.

(b) Purpose of Processing

Personal Data is processed solely for the purpose of:

  • Delivering and maintaining the SaaS platform and its core functionality
  • Enabling the Customer to manage business and operational workflows
  • Providing technical support, security, and service improvements (where authorised)
  • Complying with applicable legal and regulatory obligations

The Processor shall not process Personal Data for any purpose other than as instructed by the Customer.

(c) Duration of Processing

Processing shall continue for the duration of:

  • The Customer's subscription to the SaaS platform; and
  • Any additional retention period required for legal, regulatory, or agreed backup purposes following termination; and
  • Where applicable, until the Customer deletes the uploaded data within the platform or disconnects the relevant data source integration.

Upon termination or expiry of the Agreement, Personal Data shall be deleted or returned in accordance with the Agreement and applicable Data Protection Laws.

(d) Categories of Data Subjects

The Personal Data processed may relate to any individuals whose data is uploaded, submitted, generated, or otherwise processed by the Customer through the SaaS platform, including but not limited to residents, employees, contractors, family members, healthcare professionals, and other third parties associated with the Customer's operations.

(e) Types of Personal Data

The Processor may process any Personal Data that is uploaded, input, transmitted, or otherwise made available by the Customer through the SaaS platform or connected systems.

This may include, without limitation:

  • Identity and contact data
  • Employment and organisational data
  • Operational, administrative, and care-related records
  • Communications and notes
  • Technical and usage data

Such Personal Data may include Special Category Data under Article 9 UK GDPR, including health-related information and other sensitive data relating to individuals' physical or mental health, care needs, wellbeing, or treatment.

All Personal Data is processed solely on the documented instructions of the Controller and only to the extent necessary to provide the services.

2. Purpose of this Amendment

This Data Processing Amendment ("DPA") governs the processing of Personal Data by Lens Health Technologies (the "Processor") on behalf of the Customer (the "Controller") in connection with the Lens FocusAI system, a healthcare data retrieval and operational support platform that utilises natural language processing (NLP) and structured and unstructured data indexing.

The Processor shall process personal data only in accordance with:

  • Documented instructions from the Controller
  • This Agreement
  • Applicable UK GDPR and Data Protection Act 2018 requirements

3. Processor Obligations

The Processor shall process Personal Data only in accordance with:

  • The documented instructions of the Controller
  • This Agreement (including all applicable annexes)
  • Applicable UK Data Protection Laws, including the UK GDPR and the Data Protection Act 2018

The Processor provides a healthcare data retrieval and decision-support platform that enables authorised healthcare professionals to query and access healthcare information across multiple connected data sources.

For the purposes of providing the service, the Processor may carry out the following processing activities strictly on behalf of the Controller:

  • Extraction and ingestion of structured and unstructured healthcare data
  • Transformation and normalisation of data to enable interoperability and search functionality
  • Generation of vector embeddings to support semantic search and retrieval
  • Storage, indexing, and organisation of healthcare datasets within the platform
  • Processing of natural language queries to retrieve relevant information across datasets

Purpose of Processing

All processing of Personal Data is carried out solely for the purpose of:

  • Enabling secure and efficient access to care and operational data
  • Reducing administrative burden within healthcare environments
  • Supporting operational, clinical governance, and regulatory reporting requirements as directed by the Controller

The Processor shall not process Personal Data for any purpose other than those expressly documented in this Agreement or otherwise instructed in writing by the Controller.

General Processor Obligations

The Processor shall:

  • Process Personal Data solely in accordance with this Agreement and documented instructions from the Controller
  • Ensure that all personnel authorised to process Personal Data are subject to binding confidentiality obligations. Confidentiality applies to employees, contractors, and temporary staff, and these obligations survive termination of employment or engagement
  • Ensure that all relevant personnel receive appropriate training in data protection, information security, and confidentiality requirements
  • Implement and maintain appropriate technical and organisational measures to protect Personal Data against unauthorised or unlawful processing, accidental loss, destruction, or damage
  • Not disclose Personal Data to any third party except as expressly permitted under this Agreement or with the prior written authorisation of the Controller
  • Not use Personal Data for any purpose other than providing the Services under this Agreement
  • Not use Personal Data for model training, machine learning improvement, product development, analytics, profiling, or any secondary purpose not explicitly instructed by the Controller
  • Not sell, rent, or commercially exploit Personal Data in any form

The Processor shall not be required to follow any instruction from the Controller that, in its reasonable opinion, would result in a breach of applicable Data Protection Laws or other applicable law. Where such an instruction is identified, the Processor shall promptly inform the Controller and may suspend the relevant processing until the instruction is confirmed or amended in writing.

Regulatory Cooperation

The Processor shall provide reasonable assistance to the Controller in relation to any enquiries, investigations, audits, or requests from supervisory authorities, including the Information Commissioner's Office (ICO), where such matters relate to the processing of Personal Data under this Agreement.

This includes assisting with information requests, providing relevant documentation, and supporting compliance demonstrations.

The Processor shall promptly notify the Controller of any direct request or investigation from a supervisory authority relating to Personal Data, unless legally prohibited from doing so.

4. Data

The Processor may process Personal Data that is uploaded, transmitted, or otherwise made available to the platform by the Controller from a combination of structured and unstructured data sources.

All Personal Data is treated as sensitive and subject to appropriate technical and organisational security measures, reflecting the potential inclusion of Special Category Data.

4.1 Special Category Data (Article 9 UK GDPR)

The platform may process Special Category Data where such data is included in source systems or uploaded by the Controller, including but not limited to:

  • Health records and medical information
  • Care notes and observations
  • Incident and safeguarding reports
  • Clinical assessments and related healthcare documentation

4.2 Other Personal Data

The platform may also process limited Personal Data relating to healthcare professionals and other individuals where such data is included in the Controller's source systems, including identifiers, contact details, and role or organisational information.

All Personal Data processed by the Processor, regardless of format or source, is subject to the highest applicable level of security controls and is processed solely in accordance with the Controller's documented instructions and this Agreement.

4.3 Processing Instructions

The Processor shall:

  • Process Personal Data only on documented instructions from the Customer, including as set out in this Agreement and any applicable contract between the Parties
  • Ensure that all persons authorised to process Personal Data are subject to appropriate confidentiality obligations
  • Implement and maintain appropriate technical and organisational measures to protect Personal Data against unauthorised or unlawful processing, accidental loss, destruction, or damage

4.4 Customer Responsibilities

The Customer is responsible for:

  • Ensuring it has a valid legal basis for processing Personal Data, including Special Category Data where applicable
  • Compliance with all applicable Data Protection Laws and regulatory requirements
  • Providing all required notices and obtaining any necessary consents from data subjects (including Patients or Service Users, where applicable)

4.5 Use of Data

The Processor shall not:

  • Use Customer Data for its own purposes
  • Use Customer Data to train, develop, or improve machine learning or artificial intelligence models

unless expressly agreed in writing with the Customer.

4.6 Sub-processors

The Customer acknowledges and authorises the Processor to engage third-party sub-processors to support the provision of the Service, including for hosting, infrastructure, analytics, and support functions.

The Processor shall ensure that any sub-processor is subject to written data protection obligations that are no less protective than those set out in this Agreement, and shall remain fully responsible for their performance.

5. Security Measures (Technical & Organisational)

The Processor shall implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk presented by the processing of Personal Data, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage.

At a minimum, the Processor's security measures shall include:

  • Encryption: Encryption of Personal Data in transit and at rest using industry-standard encryption protocols
  • Access Controls: Role-based access control (RBAC) and enforcement of least privilege principles for all system access
  • Logging and Monitoring: Audit logging of system access and data processing activities, with appropriate monitoring for suspicious or unauthorised activity
  • Secure Development Practices: Implementation of secure software development lifecycle (SDLC) practices, including vulnerability management and regular security testing
  • Incident Detection and Response: Mechanisms for detecting, responding to, and escalating security incidents in a timely manner

The Processor shall regularly review and update these measures to ensure ongoing compliance with applicable Data Protection Laws and alignment with industry best practices.

6. Subprocessors

The Controller provides general written authorisation for the Processor to engage Subprocessors for the purpose of providing the Services under this Agreement.

The Processor shall maintain an up-to-date list of Subprocessors used in connection with the processing of Personal Data. This list shall be made available to the Controller upon request.

The Processor shall provide the Controller with prior written notice of any intended addition or replacement of Subprocessors. The Controller shall have the right to object to such changes on reasonable data protection grounds within thirty (30) days of receipt of such notice.

Where the Processor engages any Subprocessor, the Processor shall ensure that:

  • The Subprocessor is subject to a written agreement imposing data protection obligations equivalent to those set out in this Agreement;
  • The Subprocessor processes Personal Data only on documented instructions from the Processor (and indirectly the Controller); and
  • Appropriate technical and organisational measures are implemented to protect Personal Data.

The Processor shall remain fully liable to the Controller for the performance of any Subprocessor's obligations in relation to the processing of Personal Data under this Agreement.

7. International Transfers

The Processor shall not transfer Personal Data outside the United Kingdom unless such transfer is carried out in compliance with applicable Data Protection Laws, including the UK GDPR and the Data Protection Act 2018.

Where Personal Data is transferred internationally in the course of providing the Services, the Processor shall ensure that appropriate safeguards are in place, including the use of:

  • The UK International Data Transfer Agreement (UK IDTA), or
  • The UK Addendum to the EU Standard Contractual Clauses (SCCs), as applicable

The Processor shall also ensure that appropriate transfer risk assessments (including Transfer Impact Assessments or equivalent assessments) are completed where required by applicable law.

Where feasible and appropriate, the Processor will apply data minimisation techniques prior to any international transfer, including the use of anonymisation or pseudonymisation, such that Personal Data is not directly identifiable when processed outside the United Kingdom. However, such measures shall not be relied upon where full Personal Data is required for the delivery of the Services as instructed by the Controller.

All international transfers shall be subject to appropriate technical and organisational safeguards designed to ensure a level of protection essentially equivalent to that required under UK Data Protection Laws.

8. Data Subject Rights Assistance

Taking into account the nature of the processing, the Processor shall provide reasonable assistance to the Controller in fulfilling its obligations to respond to requests from data subjects exercising their rights under applicable Data Protection Laws, including but not limited to:

  • Right of access (Subject Access Requests)
  • Right to rectification
  • Right to erasure (right to be forgotten), where applicable
  • Right to restriction of processing
  • Right to data portability

Where the Processor receives any request directly from a data subject in relation to Personal Data processed under this Agreement, the Processor shall not respond to such request except to confirm that it relates to the Controller, and shall promptly notify the Controller of the request.

The Processor shall provide such assistance using appropriate technical and organisational measures and in accordance with the Controller's documented instructions. Where necessary, the Processor shall assist the Controller in ensuring compliance with applicable statutory timeframes for responding to such requests.

9. Data Breach Notification

Definition of Personal Data Breach and Security Incident

The Processor shall notify the Controller without undue delay upon becoming aware of any Personal Data Breach affecting Personal Data processed under this Agreement.

Where reasonably possible, the Processor shall provide an initial notification within 24–72 hours of becoming aware of the breach.

Such notification shall include, to the extent information is available at the time:

  • The nature of the Personal Data Breach, including the categories and approximate number of data subjects affected
  • The categories and approximate volume of Personal Data involved
  • The likely consequences of the Personal Data Breach
  • The measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects

The Processor shall provide ongoing updates to the Controller as further information becomes available and shall cooperate fully with the Controller in investigating, mitigating, and remediating the breach, including providing reasonable assistance to support any required notifications to supervisory authorities or affected data subjects.

10. Audit and Compliance

The Processor shall make available to the Controller, upon reasonable request, such information as is necessary to demonstrate compliance with this Agreement and applicable Data Protection Laws.

This may include, where applicable:

  • Relevant security and data protection policies and procedures
  • Certifications (including ISO 27001 or equivalent, where held)
  • Summary results of independent penetration testing
  • Evidence of compliance with the Data Security and Protection Toolkit (DSPT), where applicable
  • Other reasonable audit evidence relating to the Processor's technical and organisational measures

The Controller shall have the right to conduct audits of the Processor's compliance with this Agreement, subject to the following conditions:

  • Any audit shall be conducted on reasonable prior notice
  • Audits shall be limited in scope, frequency, and duration so as not to unreasonably disrupt the Processor's business operations
  • The Controller shall use audit rights only where strictly necessary and shall first seek to rely on provided audit evidence and documentation

Where the Processor provides up-to-date audit reports, certifications, and security documentation, the Parties agree that such materials shall satisfy the Controller's audit requirements in most circumstances.

11. Return and Deletion of Personal Data

The Controller may, at any time during the term of this Agreement, request the deletion or return of specific Personal Data processed under the Services. The Processor shall comply with such request without undue delay, unless retention is required by applicable law.

Upon termination or expiry of the Services, the Processor shall, at the choice of the Controller:

  • Return Personal Data to the Controller in a commonly used, machine-readable format; or
  • Delete all Personal Data processed under this Agreement

The Controller shall be responsible for specifying its preferred option within a reasonable timeframe following termination.

Where deletion is requested, the Processor shall securely delete Personal Data from active systems without undue delay and in accordance with applicable Data Protection Laws and industry best practices.

Backups and Retention

Notwithstanding the above, Personal Data may remain in secure backup systems for a limited period following deletion or termination, provided that:

  • Such data is subject to appropriate technical and organisational safeguards
  • It is not accessed or actively processed except where required for disaster recovery purposes
  • It is permanently overwritten or deleted in accordance with the Processor's standard backup retention cycles

The Processor shall ensure that backup deletion is completed within a commercially reasonable period in line with its documented retention and disaster recovery policies.

Confirmation

Upon completion of deletion or return (as applicable), the Processor shall provide written confirmation to the Controller that Personal Data has been processed in accordance with this clause.

12. Assistance with Data Protection Impact Assessments (DPIAs)

Taking into account the nature of the processing and the information available to the Processor, the Processor shall provide reasonable assistance to the Controller in carrying out Data Protection Impact Assessments (DPIAs) where required under applicable Data Protection Laws.

Such assistance may include providing relevant information regarding:

  • The nature, scope, context, and purposes of the processing
  • The types of Personal Data processed and categories of data subjects
  • The technical and organisational measures implemented to mitigate risks
  • The security, confidentiality, and integrity controls applied to the processing

Where required, the Processor shall also provide reasonable assistance to the Controller in relation to prior consultations with supervisory authorities or regulators, including the Information Commissioner's Office (ICO), insofar as such assistance relates to the Processor's processing activities under this Agreement.

The Processor shall provide such assistance only to the extent reasonably necessary and in accordance with the Controller's documented instructions.

13. Liability and Indemnity (Data Protection Specific)

Each Party is responsible for its own compliance with applicable Data Protection Laws.

The Controller is responsible for ensuring it has a lawful basis for processing Personal Data and for all instructions provided to the Processor.

The Processor is responsible for processing Personal Data only in accordance with this Agreement, the Controller's documented instructions, and applicable Data Protection Laws.

To the maximum extent permitted by law, each Party is liable for its own breaches of Data Protection Laws. The Processor shall not be liable for any loss or claim arising from the Controller's unlawful or incorrect instructions.

This clause is subject to the limitation of liability set out in the Master Services Agreement.

14. Contact and Data Protection Officer

The Controller and Processor shall designate appropriate points of contact for all matters relating to data protection under this Agreement.

Processor Contact:
The Processor shall provide a dedicated data protection contact email for the purposes of privacy and security matters relating to the processing of Personal Data.

Email: amar.sandhu@lenstechnologies.ai

Where applicable, the Processor shall also appoint a Data Protection Officer (DPO) in accordance with Article 37 of the UK GDPR. If a DPO is appointed, their contact details shall be made available to the Controller upon request.

15. Governing Law

This Data Processing Amendment, and any dispute or claim arising out of or in connection with it, shall be governed by and construed in accordance with the laws of England and Wales.

The courts of England and Wales shall have exclusive jurisdiction over any dispute arising from or in connection with this Agreement.