Data Processing Agreement

Version 1.0 — April 2026

This Data Processing Agreement ("DPA") forms part of the agreement between HyperVerum, c/o Hyper38 GmbH ("Processor") and the Client organisation ("Controller") using HyperVerum's pharmaceutical authentication services. It supplements and is incorporated into the applicable service agreement.

1. Definitions

• "Controller" — the entity that determines the purposes and means of processing personal data.
• "Processor" — HyperVerum, c/o Hyper38 GmbH, processing personal data on behalf of the Controller.
• "Personal Data" — as defined in Article 4(1) GDPR.
• "Processing" — as defined in Article 4(2) GDPR.
• "GDPR" — Regulation (EU) 2016/679.
• "Sub-processor" — any processor engaged by the Processor to carry out specific processing activities on behalf of the Controller.

2. Subject Matter and Nature of Processing

The Processor provides pharmaceutical authentication services including NFC tag issuance, cryptographic verification, and audit ledger management. In providing these services, the Processor may process personal data on behalf of the Controller as instructed in the applicable service agreement.

3. Categories of Personal Data and Data Subjects

Depending on deployment configuration, processing may involve:

• Data subjects: Pharmacists, healthcare professionals, supply chain personnel, and patients (limited to authentication event metadata)
• Data categories: Authentication event timestamps, geographic region of scan events, device type information (aggregated), and any fields explicitly configured by the Controller

No sensitive personal data (Article 9 GDPR) is stored on NFC tags. Patient identity information is not collected by default.

4. Duration

Processing continues for the term of the service agreement and any additional period required by applicable law. Upon termination, data is handled in accordance with Section 10 of this DPA.

5. Controller Obligations

• Ensure a lawful basis exists for any personal data the Controller instructs the Processor to process
• Provide all information necessary to demonstrate compliance with applicable data protection law
• Notify the Processor promptly if any instruction would, in the Controller's view, infringe applicable law

6. Processor Obligations

The Processor shall:

• Process personal data only on documented instructions from the Controller
• Ensure persons authorised to process personal data are bound by appropriate confidentiality obligations
• Implement appropriate technical and organisational security measures (see Section 9)
• Assist the Controller in responding to data subject rights requests under Articles 15–22 GDPR
• Assist the Controller in ensuring compliance with Articles 32–36 GDPR
• Notify the Controller without undue delay upon becoming aware of a personal data breach
• Make available all information necessary to demonstrate compliance with this DPA

7. Sub-processors

The Controller grants general authorisation to engage sub-processors. The Processor shall give prior notice of any intended addition or replacement, providing the Controller a reasonable opportunity to object. The current sub-processor list is available on request at privacy@hyperverum.com. All sub-processors are bound by data protection obligations at least equivalent to those in this DPA.

8. International Data Transfers

Where personal data is transferred outside the European Economic Area, the Processor shall ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) as adopted by the European Commission under Article 46(2)(c) GDPR where applicable.

9. Security Measures

The Processor implements and maintains appropriate technical and organisational measures, including:

• Encryption of personal data in transit and at rest
• Cryptographic signing of all authentication events
• Access controls and least-privilege principles for all personnel
• Regular security assessments and vulnerability management
• Incident response and breach notification procedures

10. Return and Deletion of Data

Upon termination of the service agreement, the Processor shall, at the Controller's election, delete or return all personal data processed under this DPA, and delete existing copies unless retention is required by applicable law. Written confirmation of deletion is provided upon request.

11. Audit Rights

The Processor shall make available all information necessary to demonstrate compliance with this DPA and shall support audits conducted by the Controller or a mandated auditor. Reasonable advance notice is required, and the Processor may recover reasonable costs incurred in connection with such audits.

12. Liability

Each party's liability under this DPA is subject to the exclusions and limitations set out in the applicable service agreement between the parties, to the extent permitted by applicable law.

13. Governing Law

This DPA is governed by the same law as the applicable service agreement, provided this is not inconsistent with applicable data protection law.

14. Contact

HyperVerum, c/o Hyper38 GmbH
Email: privacy@hyperverum.com