Covetrus Data Processing Addendum


This Data Protection Addendum (“Addendum”, “DPA”) forms part of the applicable agreement as incorporated and referenced by such agreement (“Master Agreement”) between: (i) Covetrus Software Services, LLC, a Delaware limited liability company (“Covetrus”) and (ii) Client and its member practices (“Client”).

The terms used in this Addendum shall have the meanings set forth in this Addendum. Capitalized terms not otherwise defined herein shall have the meaning given to them in the Master Agreement. Except as specifically modified below, the terms of the Master Agreement shall remain in full force and effect.

In consideration of the mutual obligations set out herein, the parties hereby agree that the terms and conditions set out below shall be added as an Addendum to the Master Agreement.

  1. Definitions

    1. In this Addendum, the following terms shall have the meanings set out below and cognate terms shall be construed accordingly:

      1. “Applicable Law” means all applicable laws in (i) the EEA or any EEA Member State and Switzerland, (ii) the UK, (iii) Australia, (iv) New Zealand, (v) the United States, and such other laws, rules and regulations to which Covetrus or any of the Subprocessors is subject from time to time;

      2. “Approved Addendum” means the template Addendum issued by the UK Information Commissioner and laid before the UK Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as revised under Section 18 of the Mandatory Clauses;

      3. “Australian Privacy Laws” means (i) the Privacy Act 1988 (Cth), including the ‘Australian Privacy Principles’ that form part of that Act; and (ii) all other laws applicable in respect of the processing of Personal Data;

      4. “Covetrus Affiliate” means an entity that directly or indirectly controls, is controlled by, or is under common control with, Covetrus. For purposes of the foregoing, “control” means the ownership of (i) greater than fifty percent (50%) of the voting power to elect directors, or (ii) greater than fifty percent (50%) of the ownership interest;

      5. “Data Protection Laws” includes (but is not limited to), to the extent applicable, EU Data Protection Laws, Swiss Data Protection Laws, UK Data Protection Laws, Australian Privacy Laws, NZ Data Protection Laws, US Data Protection Laws, or such other applicable privacy laws as may apply from time to time;

      6. “EEA” means the European Economic Area;

      7. “EU Data Protection Laws” means the laws implementing or supplementing the GDPR in the EEA;

      8. “GDPR” means EU General Data Protection Regulation 2016/679;

      9. “Mandatory Clauses” means Part 2: Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the UK Information Commissioner and laid before the UK Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses;

      10. “NZ Data Protection Laws” means the Privacy Act 2020 and any other New Zealand laws and regulations applicable to Personal Data;

      11. “Client Group Member” means Client or any Client affiliate, being an entity that directly or indirectly controls, is controlled by, or is under common control with, Client or its member practices. For purposes of the foregoing, “control” means the ownership of (i) greater than fifty percent (50%) of the voting power to elect directors, or (ii) greater than fifty percent (50%) of the ownership interests;

      12. “Client Personal Data” means any Personal Data Processed by Covetrus on behalf of Client or a Client Group Member pursuant to or in connection with the Master Agreement;

      13. “Services” means the services and other activities to be supplied to or carried out by or on behalf of Covetrus for Client Group Members pursuant to the Master Agreement;

      14. “Standard Contractual Clauses” means the clauses adopted by the EU Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (Text with EEA relevance) C/2021/3972;

      15. “Subprocessor” means any person (including any third party and any Covetrus Affiliate, but excluding an employee of Covetrus) appointed by or on behalf of Covetrus to Process Personal Data on behalf of any Client Group Member in connection with the Master Agreement;

      16. “Swiss Data Protection Laws” means the Swiss Federal Act on Data Protection of 25 September 2020, and any new or revised version of these laws that may enter into force from time to time;

      17. “UK Data Protection Laws” means the UK Data Protection Act 2018 and the UK GDPR, and any new or revised version of these laws that may enter into force from time to time;

      18. “UK GDPR” has the meaning given in Section 3 of the UK Data Protection Act 2018;

      19. “US Data Protection Laws” means all applicable state or federal laws, rules, regulations, and government requirements in the United States relating to the privacy, confidentiality, or security of personal data, as they may be amended or otherwise updated from time to time. US Data Protection Laws include, to the extent applicable, the California Consumer Privacy Act of 2018 and its regulations, as amended by the California Privacy Rights Act; the Colorado Privacy Act; the Connecticut Data Privacy Act; the Virginia Consumer Data Protection Act; and the Utah Consumer Privacy Act.

    2. The terms “Commission”, “Controller”, “Data Subject”, “Member State”, “Personal Data”, “Personal Data Breach”, “Processing”, “Processor” and “Supervisory Authority” shall have the same meaning as in the Data Protection Laws (or the equivalent terms under the Data Protection Laws) and their cognate terms shall be construed accordingly. Where these terms do not have application under Data Protection Laws (e.g., Australian Privacy Laws), the parties’ obligations will be interpreted to align as closely as possible with the scope of those roles and concepts under the GDPR while still fully complying with the applicable Data Protection Laws.

    3. In the context of the NZ Data Protection Laws, each of the following terms shall have the same meaning as the following equivalent term that is used and defined in the NZ Data Protection Laws: “Controller” shall have the same meaning as “agency”; “Data Subject” shall have the same meaning as “individual” or “affected individual” (as the context requires); “Personal Data” shall have the same meaning as “personal information”; “Personal Data Breach” shall have the same meaning as a “privacy breach”. In addition, “Processing” means any operation performed on Personal Data, including transfer, storage, disclosure, erasure or destruction and “Processor” means the legal person who holds personal information on behalf of a Controller.

    4. The word “include” shall be construed to mean include without limitation, and cognate terms shall be construed accordingly.

  2. Authority

    To the extent that Covetrus processes Personal Data pursuant to the Master Agreement and this Addendum, each party acknowledges that, for the purpose of Data Protection Laws, Client processes Personal Data on behalf of its own customers and member practices, and Covetrus is the Subprocessor.

  3. Processing of Client Personal Data

    1. Covetrus shall:

      1. Comply with all applicable Data Protection Laws when Processing Client Personal Data applicable to Covetrus’ provision of Services under the Master Agreement; and

      2. not Process Client Personal Data other than pursuant to the Master Agreement, or on the relevant Client Group Member’s documented instructions unless Processing is required by Applicable Laws to which Covetrus or the relevant Subprocessor is subject, in which case Covetrus shall, to the extent permitted by Applicable Laws, inform the relevant Client Group Member of that legal requirement before the relevant Processing of that Personal Data. Without limiting the foregoing and unless otherwise agreed in writing, Covetrus is prohibited from:

        1. selling Client Personal Data or otherwise making Client Personal Data available to any third party for monetary or other valuable consideration except where otherwise agreed upon by the Parties;

        2. sharing Client Personal Data with any third party for cross-context behavioral advertising except where otherwise agreed upon by the Parties;

        3. retaining, using, or disclosing Client Personal Data for any purpose other than for the business purposes specified in the Master Agreement or as otherwise permitted by Data Protection Laws;

        4. retaining, using, or disclosing Client Personal Data outside of the direct business relationship between Covetrus and Client; and

        5. except as otherwise permitted by Data Protection Laws, combining Client Personal Data with Personal Data that Covetrus receives from or on behalf of another person or persons, or collects from its own interaction with the Data Subject.

      3. Notify Client promptly if Covetrus determines that it can no longer meet its obligations under US Data Protection Laws.

    2. Each Client Group Member:

      1. Instructs Covetrus (and authorises Covetrus to instruct each Subprocessor) to:

        1. Process Client Personal Data; and

        2. In particular, transfer Client Personal Data to any country or territory, as reasonably necessary for the provision of the Services and consistent with the Master Agreement; and

      2. Warrants and represents that it is and will at all relevant times remain duly and effectively authorised to give the instruction set out in section 3.2.1 on behalf of each relevant Client Group Member.

    3. Schedule I to this Addendum sets out information regarding the duration, nature and purpose of the Processing, the categories of Data Subjects and processed Personal Data as required by Article 28(3) of the GDPR (and, to the extent applicable, equivalent requirements of other Data Protection Laws).

  4. Covetrus Personnel

    Covetrus shall take reasonable steps designed to ensure the reliability of any employee, agent or contractor of any Subprocessor who may have access to the Client Personal Data, in each case limiting access to those individuals who need to know/access the relevant Client Personal Data, as necessary for the purposes of the Master Agreement, and to comply with Applicable Laws in the context of that individual’s duties to Covetrus or Subprocessor, and subjecting all such individuals to confidentiality undertakings or professional or statutory obligations of confidentiality.

  5. Security

    1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Covetrus shall in relation to the Client Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, as set out in Schedule II to this Addendum.

    2. In assessing the appropriate level of security, Covetrus shall take account in particular of the risks that are presented by Processing, in particular from a Personal Data Breach.

  6. Subprocessing

    1. Each Client Group Member authorizes Covetrus to appoint (and permit each Subprocessor appointed in accordance with this section 6 to appoint) Subprocessors in accordance with this section 6 and any restrictions in the Master Agreement.

    2. Covetrus may continue to use those Subprocessors already engaged by Covetrus as at the date of this Addendum, subject to Covetrus in each case meeting the obligations set out in section 6.5. These Subprocessors are listed in Schedule III to this Addendum.

    3. Covetrus shall give Client at least fourteen (14) days prior written notice of the appointment of any new Subprocessor, including full details of the Processing to be undertaken by the Subprocessor. If Client does not object to the engagement within the objection period, consent regarding the engagement shall be assumed. If, within 7 days of receipt of that notice, Client notifies Covetrus in writing of any objections (on reasonable grounds) to the proposed appointment:

      1. Covetrus shall work with Client in good faith to make available a commercially reasonable change in the provision of the Services which avoids the use of that proposed Subprocessor; and

      2. Where such a change cannot be made within 45 days from Covetrus’ receipt of Client’s notice, notwithstanding anything in the Master Agreement, Client may by written notice to Covetrus with immediate effect terminate the impacted services to the extent that it relates to the Services which require the use of the proposed Subprocessor.

    4. On termination of the impacted services, pursuant to section 6.3.2, Client shall be liable for any contracted fees or charges for the remainder of the term of the Master Agreement and any Order Forms thereunder, except if Client can prove the objection to the Subprocessor was due to non-compliance with relevant data protection regulation.

    5. With respect to each Subprocessor, Covetrus shall:

      1. Before the Subprocessor first Processes Client Personal Data (or, where relevant, in accordance with section 6.2), carry out adequate due diligence to ensure that the Subprocessor is capable of providing the level of protection for Client Personal Data required by the Master Agreement;

      2. Ensure that the arrangement between on the one hand (a) Covetrus, or (b) the relevant intermediate Subprocessor; and on the other the Subprocessor, is governed by a written contract including terms which offer at least the same level of protection for Client Personal Data as those set out in this Addendum and meet the requirements of all Applicable Laws including Article 28(3) of the GDPR; and

      3. Provide to Client for review such copies of Covetrus’ agreements with Subprocessors (which may be redacted to remove confidential commercial information not relevant to the requirements of this Addendum) as Client may request from time to time.

    6. Covetrus shall ensure that each Subprocessor performs the obligations under sections 3.1, 4, 5, 7.1, 8.2, 9 and 11.1, as they apply to Processing of Client Personal Data carried out by the Subprocessor, as if it were party to this Addendum in place of Covetrus.

  7. Data Subject Rights

    1. Taking into account the nature of the Processing, Covetrus shall assist each Client Group Member by implementing appropriate technical and organizational measures, insofar as this is possible, to assist the Client Group Members’ obligations, as reasonably understood by Client, to respond to requests to exercise Data Subject rights under the Data Protection Laws. Without limiting the foregoing, Client will inform Covetrus of any such requests that Covetrus is required to comply with and provide any information necessary for Covetrus to comply with the request. Covetrus may apply an additional charge or charges, distinct from any charges or fees payable by Client under the Master Agreement, for the provision of assistance to Client in responding to any Data Subject requests. The charge or charges associated with any assistance shall be at Covetrus’ discretion, however they shall be proportionate to any level of assistance and effort expended by Covetrus.

    2. Covetrus shall:

      1. Promptly notify Client upon becoming aware of any Subprocessor having received a request from a Data Subject under any Data Protection Law in respect of Client Personal Data; and

      2. Ensure that the Subprocessor does not respond to that request except as required by Applicable Laws to which the Subprocessor is subject, in which case Covetrus shall to the extent permitted by Applicable Laws inform Client of that legal requirement before the Subprocessor responds to the request.

  8. Personal Data Breach

    1. Covetrus shall notify Client without undue delay upon Covetrus or any Subprocessor becoming aware of a Personal Data Breach affecting Client Personal Data, providing Client with sufficient information to allow each Client Group Member to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws.

    2. Covetrus shall co-operate with Client and each Client Group Member and take such reasonable commercial steps to assist in the investigation, mitigation and remediation of each such Personal Data Breach.

  9. Data Protection Impact Assessment and Prior Consultation

    Covetrus shall provide reasonable assistance to each Client Group Member with any data protection impact assessments, and prior consultations with Supervisory Authorities or other competent data privacy authorities, which Client reasonably considers to be required of any Client Group Member by Article 35 or 36 of the GDPR or similar provisions of any other Data Protection Law, in each case solely in relation to Processing of Client Personal Data by, and taking into account the nature of the Processing and information available to, the Subprocessors.

  10. Deletion or Return of Client Personal Data

    1. Subject to compliance with Data Protection Laws relating to Personal Data retention, the deletion, return or other treatment of Client Personal Data on termination of the Master Agreement shall be managed in accordance with the terms of the Master Agreement.

    2. Each Subprocessor may retain Client Personal Data to the extent required by Applicable Laws and only to the extent and for such period as required by Applicable Laws and always provided that Covetrus shall ensure the confidentiality of all such Client Personal Data and shall ensure that such Client Personal Data is only Processed as necessary for the purpose(s) specified in the Applicable Laws or the Master Agreement requiring its storage and for no other purpose.

  11. Audit Rights

    1. Client will have the right, if provided by applicable law, to take reasonable and appropriate steps to ensure that Covetrus uses Client Personal Data in a manner consistent with Client’s obligations under Data Protection Laws. Subject to sections 11.2 to 11.3, Covetrus shall make available to each Client Group Member on request all information necessary to demonstrate compliance with this Addendum, and shall allow for and contribute to audits, including inspections, to the extent permitted by law by any Client Group Member or an auditor mandated by any Client Group Member in relation to the Processing of the Client Personal Data by Covetrus.

    2. Information and audit rights of the Client Group Members only arise under section 11.1 to the extent that the Master Agreement does not otherwise give them information and audit rights meeting the relevant requirements of Data Protection Laws (including, where applicable, Article 28(3)(h) of the GDPR).

    3. Client or the relevant Client Group Member undertaking an audit shall give Covetrus reasonable notice of any audit or inspection to be conducted under section 11.1 and shall make (and ensure that each of its mandated auditors makes) reasonable endeavors to avoid causing (or, if it cannot avoid, to minimize) any damage, injury or disruption to Covetrus’ premises, equipment, personnel and business while its personnel are on those premises in the course of such an audit or inspection. Covetrus need not give access to its premises for the purposes of such an audit or inspection, unless:

      1. Client or the relevant Client Group Member undertaking and audit reasonably considers necessary because of genuine concerns as to the Covetrus’ compliance with this Addendum;

      2. A Client Group Member is required or requested to carry out by Data Protection Law, a Supervisory Authority or any similar regulatory authority responsible for the enforcement of Data Protection Laws in any country or territory,

        Where Client or the relevant Client Group Member undertaking an audit has identified its concerns or the relevant requirement it shall inform Covetrus thereof in due time.

    4. Save for any disclosures required for compliance with Data Protection Laws, Client undertakes to keep, and to ensure that its auditors and the relevant Client Group Members keep, all results or findings from any audit confidential and shall indemnify Covetrus against any and all losses incurred by Covetrus as a result of any breach of this section 11.4.

  12. International Data Transfers

    1. The parties acknowledge that Covetrus processes the Client Personal Data in the United States, Australia and other locations inside and outside the EU / EEA. Unless an adequacy decision exists for the respective locations, the Parties hereby agree to the EU Standard Contractual Clauses, which shall become part of this DPA.

    2. Covetrus and Client and all relevant Client Group Members agree that the terms of the Standard Contractual Clauses (Commission Implementing Decision 2021/914 [EU]) Module Three (Processor to Processor) as further specified in Schedule IV of this DPA, are hereby incorporated by reference and shall be deemed to have been executed by the Parties and apply to any transfers of Client Personal Data falling within the scope of the GDPR from Client or the relevant Client Group Member (as data exporter) to Covetrus (as data importer).

    3. To the extent that any transfers of Client Personal Data fall within the scope of the UK GDPR, from the Client (as data exporter) to Covetrus (as data importer), the Mandatory Clauses shall apply in accordance with Schedule VI.

    4. To the extent that any transfers of Client Personal Data fall within the scope of Swiss Data Protection Law, from the Client (as data exporter) to Covetrus (as data importer) the Swiss Addendum set out in Schedule VII shall apply.

    5. Covetrus will provide Client reasonable support to enable Client’s compliance with the requirements imposed on the transfer of personal data to third countries with respect to data subjects located in the EEA, Switzerland, and UK. Covetrus will, upon Client’s request, provide information to Client which is reasonably necessary for Client to complete a transfer impact assessment (“TIA”). Covetrus further agrees to implement the supplementary measures agreed upon and set forth in Schedule V of this DPA in order to enable Client’s compliance with requirements imposed on the transfer of personal data to third countries under the GDPR. Covetrus may charge Client, and Client shall reimburse Covetrus, for any assistance provided by Covetrus with respect to any TIAs, data protection impact assessments or consultation with any supervisory authority.

  13. Survival

    1. Any provision of this Addendum that expressly or by implication is intended to come into or continue in force on or after termination or expiry of this Addendum shall remain in full force and effect.

  14. General Terms

    Governing law and jurisdiction

    1. The parties to this Addendum hereby submit to the governing law and choice of jurisdiction stipulated in the corresponding schedule which for the avoidance of doubt refers to (a) Schedule VI where the Client is established in the UK and (b) Schedule VII where the Client is established in Switzerland and (c) for all other Clients, Schedule IV to this Addendum with respect to any disputes or claims howsoever arising under this Addendum, including disputes regarding its existence, validity, termination or the consequences of its nullity and all non-contractual or other obligations arising out of or in connection with it.

      Order of precedence

    2. Nothing in this Addendum reduces Covetrus’ obligations under the Master Agreement in relation to the protection of Personal Data or permits Covetrus to Process (or permit the Processing of) Personal Data in a manner which is prohibited by the Master Agreement.

    3. Subject to section 13.1, with regard to the subject matter of this Addendum, in the event of inconsistencies between the provisions of this Addendum and any other agreements between the parties, including the Master Agreement and including (except where explicitly agreed otherwise in writing, signed on behalf of the parties) agreements entered into or purported to be entered into after the date of this Addendum, the following order of precedence shall apply:

      1. The Standard Contractual Clauses, including, where applicable, any addendum hereto
      2. This DPA
      3. The Master Agreement
      4. Any other agreement entered into between the parties

      Severance

    4. Should any provision of this Addendum be invalid or unenforceable, then the remainder of this Addendum shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained herein.

Schedule I to Client Data Protection Addendum

Details of Processing

List of Parties

Data Exporter

(Client and Client Group Member)

Client as specified in the Master Agreement

Data Importer

Covetrus Software Services LLC

Description of processing

Duration of processing

Client Personal Data shall be processed for the duration of the term, as specified in the Master Agreement.

Nature of processing

The provision of services, as specified in the Master Agreement, may result in processing of data in at least the following manner:

  • Collection,

  • Storage,

  • Recording,

  • Organizing,

  • Making available,

  • Combining,

  • Blocking,

  • Making anonymous,

  • Erasure and deletion,

  • Analyzing,

  • Analyzing System Use,

  • Providing statistics

Purpose of processing

Provision of the Services described in the Order Form

Frequency of transfer

Continuously

Client Personal Data

Data subjects

  • Client employees

  • Client’s Clients

Data categories

  • Client name

  • Client address

  • Client employee’s name

  • Client employee’s contact details

  • Client’s Client name

  • Client’s Client contact details including:

    • Email

    • Driver’s License number

    • Bank details

    • Phone number

    • Mobile number

    • Address

  • Client transaction history relating to company (including aged debt)

  • Business Client insurance details (including policy number)

  • Care plan details (including type)

Competent Supervisory Authority

Where the data exporter is established in an EU Member State: The supervisory authority of the country in which the data exporter is established is the competent authority.

Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of the GDPR in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) of the GDPR: The competent supervisory authority is the one of the Member State in which the representative is established.

A list of the supervisory authorities across the EEA can be found under the following link: https://edpb.europa.eu/about-edpb/about-edpb/members_en.

Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of the GDPR in accordance with its Article 3(2) without, however, having to appoint a representative pursuant to Article 27(2) of the GDPR:

The competent supervisory authority is the supervisory authority of Ireland.

Schedule II to Client Data Protection Addendum

Technical and Organizational Measures

  1. Pseudonymisation and Encryption, Art. 32 para 1 point a GDPR

    Pseudonymisation comprises measures that enable one to process personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that this additional information is stored separately and is subject to appropriate technical and organizational measures. Encryption comprises measures that convert clearly legible information into an illegible string by means of a cryptographic process.

    • Stored data is encrypted where appropriate, including any backup copies of the data.

  2. The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services, Art. 32 para 1 point b GDPR

    Confidentiality and integrity are ensured by the secure processing of personal data, including protection against unauthorized or unlawful processing; integrity and availability are ensured by measures to protect against accidental loss, destruction or damage.

    1. Confidentiality

      1. Physical access control

        Measures that prevent unauthorized persons from gaining access to data processing systems with which personal data are processed or used.

        • Physical access control systems

        • Definition of authorized persons; management and documentation of individual authorizations

        • Regulation of Visitors and external staff

        • Monitoring of all facilities housing IT systems

        • Logging of physical access

              1. System/Electronic access control

                Measures that prevent data processing systems from being used without authorization.

                • User Authentication by simple authentication methods (using username/password), including two-factor authentication where adequate

                • Secure transmission of credentials (using TLS)

                • Automatic account locking

                • Suspending inactive sessions

                • Guidelines for handling passwords and certificates

                • Definition of authorized persons

                • Managing means of authentication

                • Access control to infrastructure that is hosted by cloud service provider

                • In-time revocation of access for people who no longer need access / leave the company

                • Automated alerting on illegal attempts of logging systems directly or indirectly connected to personal data

                • Unique credentials per user

              2. Internal Access Control

                Measures that ensure that persons entitled to use a data processing system have access only to the data to which they have a right of access, and that personal data cannot be read, copied, modified or removed without authorization in the course of processing or use and after storage.

                • Automatic and manual locking

                • Access right management

                • Access right management including authorization concept, implementation of access restrictions, implementation of the “need-to- know” principle, managing of individual access rights.

              3. Isolation/Separation Control

                Measures to ensure that data collected for different purposes can be processed (storage, amendment, deletion, transmission) separately.

                • Network separation

                • Segregation of responsibilities and duties

                • Document procedures and applications for the separation

              4. Job Control

                Measures that ensure that, in the case of commissioned processing of personal data, the data are processed strictly corresponding the instructions of the principal.

                • Training and confidentiality agreements for internal staff and external staff

                • Information security assessment for vendors/Clients

            1. Integrity

              1. Data transmission control

                Measures that ensure that personal data cannot be read, copied, modified or removed without authorization during electronic transmission or transport, and that it is possible to check and establish to which bodies the transfer of personal data by means of data transmission facilities is envisaged.

                • Secure transmission between Client and server and to external systems by using industry-standard encryption

                • Secure network interconnections ensured by Firewalls, anti-virus programs, routinely patching software etc.

                • Logging of transmissions of data from IT systems that store or process personal data

              2. Data input control

                Measures that ensure that it is possible to check and establish whether and by whom personal data have been input into data processing systems, modified or removed.

                • Logging authentication and monitored logical system access

                • Logging of data access including, but not limited to access, modification, entry and deletion of data

                • Documentation of data entry rights and partial logging of security-related entries.

            3. Availability and Resilience of Processing Systems and Services

              Availability includes measures that ensure that personal data is protected from accidental destruction or loss due to internal or external influences. Resilience of processing systems and services includes measures that ensure the ability to withstand attacks or to quickly restore systems to working order after an attack.

              • Implementation of transport policies

              • Backup Concept

              • Protection of stored backup media

  3. The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident, Art. 32 para 1 point c GDPR

    Organizational measures that ensure the possibility to quickly restore the system or data in the event of a physical or technical incident.

    • We have implemented continuity planning with appropriate recovery objectives.

  4. A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing, Art. 32 para 1 point d GDPR

Organizational measures that ensure the regular review and assessment of technical and organizational measures.

  • Testing of emergency equipment

  • Documentation of interfaces and personal data fields

  • Internal assessments

Schedule III to Client Data Protection Addendum

List of Subprocessors

| Name and address of Subprocessor | Subject matter of processing | Nature of processing | Duration of processing |
|---|---|---|---|
| Veterinary Solutions Ltd | Hosting and processing of Company data. | Includes any operation such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction of data. | For the duration of the engagement. |
| Covetrus Software Services Pty Ltd | Hosting and processing of Company data. | Includes any operation such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction of data. | For the duration of the engagement. |
| IDEXX Laboratories Inc, One IDEXX Drive, Westbrook, Maine, US | Hosting and processing of Company data. | Includes any operation such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction of data. | For the duration of the engagement. |
| National Veterinary Services Limited, Unit 4 Jamage Industrial Estate, Talke Pits, Stoke-on-Trent, ST7 1XW | Hosting and processing of Company data. | Includes any operation such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction of data. | For the duration of the engagement. |
| MWI Animal Health, Centaur House, Torbay Road, Castle Cary, BA7 7EU, UK | Hosting and processing of Company data. | Includes any operation such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction of data. | For the duration of the engagement. |
| GB Group Plc, The Foundation, Herons Way, Chester Business Park, Chester, CH4 9GB, UK | Hosting and processing of Company data. | Includes any operation such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction of data. | For the duration of the engagement. |
| Message4u Pty Ltd & Message Media Europe Ltd T/A MessageMedia of White Collar Factory, 1 Old Street Yard, London, EC1Y 8AF, UK | Hosting and processing of Company data. | Includes any operation such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction of data. | For the duration of the engagement. |
| VetCheck Technologies Pty Ltd | Hosting and processing of Company data. | Includes any operation such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction of data. | For the duration of the engagement. |
| Vetstoria Limited, Matrix House, 12-16 Lionel Road, Canvey Island, Essex, England, SS8 9DE | Hosting and processing of Company data. | Includes any operation such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction of data. | For the duration of the engagement. |
| Allianz Insurance Plc, 57 Ladymead, Guildford, Surrey, GU1 1DB | Hosting and processing of Company data. | Includes any operation such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction of data. | For the duration of the engagement. |

Schedule IV to Client Data Protection Addendum

Standard Contractual Clauses

For the purposes of the Standard Contractual Clauses:

  1. Module Three shall apply in the case of the processing under section 3.1 of the DPA.

  2. Clause 7 of the Standard Contractual Clauses (Docking Clause) does not apply.

  3. Clause 9(a) option 2 (General written authorization) is selected, and the time period to be specified is determined in clause 6.3 of the DPA.

  4. The option in Clause 11(a) of the Standard Contractual Clauses (Independent dispute resolution body) does not apply.

  5. With regard to Clause 17 of the Standard Contractual Clauses (Governing law), the Parties agree that option 1 shall apply and the governing law shall be the law of the Republic of Ireland.

  6. In Clause 18(b) of the Standard Contractual Clauses (Choice of forum and jurisdiction), the Parties submit themselves to the jurisdiction of the courts of the Republic of Ireland.

  7. For the purpose of Annex I of the Standard Contractual Clauses, Schedule I of the DPA contains the specifications regarding the parties, the description of the transfer, and the competent supervisory authority.

  8. For the purpose of Annex II of the Standard Contractual Clauses, Schedule II of the DPA contains the technical and organizational measures.

  9. The specifications for Annex III of the Standard Contractual Clauses are determined by Schedule III of the DPA. The Subprocessor’s contact person’s name, position and contact details will be provided by Covetrus upon request.

Schedule V to Client Data Protection Addendum

Additional Supplementary Measures

Covetrus further commits to implementing supplementary measures based on guidance provided by EU supervisory authorities in order to enhance the protection of Client Personal Data in relation to the processing in a third country, as described in this Schedule V:

Encryption

The personal data is transmitted (between the parties and by Covetrus between data centers as well as to a subprocessor and back) using strong encryption.

Hereby, it is ensured that:

  • the encryption protocols employed are state-of-the-art and provide effective protection against active and passive attacks with resources known to be available to the public authorities of this third country;

  • the parties involved in the communication agree on a trustworthy public-key certification authority or infrastructure;

  • specific protective and state-of-the-art measures are used against active and passive attacks on the sending and receiving systems providing transport encryption, including tests for software vulnerabilities and possible backdoors;

  • in case the transport encryption does not provide appropriate security by itself due to experience with vulnerabilities of the infrastructure or the software used, personal data is also encrypted end-to-end on the application layer using state-of-the-art encryption methods;

  • the encryption algorithm and its parameterization (e.g., key length, operating mode, if applicable) conform to the state-of-the-art and can be considered robust against cryptanalysis performed by the public authorities when data is transiting to this third country, taking into account the resources and technical capabilities (e.g., computing power for brute-force attacks) available to them [1];

  • the strength of the encryption takes into account the specific time period during which the confidentiality of the encrypted personal data must be preserved;

  • the encryption algorithm is implemented correctly and by properly maintained software without known vulnerabilities, the conformity of which to the specification of the algorithm chosen has been verified, e.g., by certification;

  • the keys are reliably managed (generated, administered, stored, if relevant, linked to the identity of the intended recipient, and revoked), by Client or by an entity trusted by Client under a jurisdiction offering an essentially equivalent level of protection.

In accordance with the requirements outlined in the previous paragraph, the parties agree to implement strong end-to-end content encryption (between the parties and by Covetrus between data centers as well as to a subprocessor and back).

The personal data at rest is stored by Covetrus using strong encryption.

The encryption algorithm and its parameterization (e.g., key length, operating mode, if applicable) conform to the state-of-the-art and can be considered robust against cryptanalysis performed by the public authorities in the recipient country taking into account the resources and technical capabilities (e.g., computing power for brute-force attacks) available to them3. The strength of the encryption and key length takes into account the specific time period during which the confidentiality of the encrypted personal data must be preserved. The encryption algorithm is implemented correctly and by properly maintained software without known vulnerabilities the conformity of which to the specification of the algorithm chosen has been verified, e.g., by certification. The keys are reliably managed (generated, administered, stored, if relevant, linked to the identity of an intended recipient, and revoked).

Additional Organizational Measures

Adoption and regular review by Covetrus of internal policies to assess the suitability of the implemented complementary measures and identify and implement additional or alternative solutions when necessary, to ensure that an essentially equivalent level of protection to that guaranteed within the EEA of the personal data transferred is maintained.

Additional Contractual Measures

  • Empowering data subjects to exercise their rights

The parties commit to reasonably assist the data subject in exercising his/her rights.

Any compensation to data subjects is limited to material and non-material damages as provided in the GDPR and excludes consequential damages and all other damages not resulting from Covetrus’s infringement of the GDPR.

[1] For the assessment of the strength of encryption algorithms, their conformity with the state-of-the-art, and their robustness against cryptanalysis over time, Customer can rely on technical guidance published by official cybersecurity authorities of the EU and its member states. See e.g. ENISA Report « What is “state of the art” in IT security? », 2019, www.enisa.europa.eu/news/enisa-news/what-is-state-of-the-art-in-it-security; guidance given by the German Federal Office for Information Security in its Technical Guidelines of the TR-02102 series; and “Algorithms, Key Size and Protocols Report (2018), H2020-ICT-2014 – Project 645421, D5.4, ECRYPT-CSA, 02/2018” at www.ecrypt.eu.org/csa/documents/D5.4-FinalAlgKeySizeProt.pdf.

Schedule VI to Client Data Protection Addendum

UK Addendum

With respect to any transfers of Client Personal Data falling within the scope of the UK GDPR from Client (including Client Group Members) (as data exporter) to Covetrus (as data importer):

  1. the Approved Addendum as further specified in this Schedule VI shall form part of this DPA, and the Standard Contractual Clauses shall be read and interpreted in light of the provisions of the Approved Addendum, to the extent necessary according to Clause 12 lit. 1 of the Mandatory Clauses;

  2. The Standard Contractual Clauses are deemed to be amended to the extent necessary, so they operate for transfers made by Controller to Processor, to the extent that UK Data Protection Laws apply to the Controller’s processing when making that transfer and to provide appropriate safeguards for the transfers in accordance with Article 46 of the UK GDPR.

  3. The selected Modules and Clauses to be determined according to Table 2 of the Approved Addendum are further specified in Schedule IV of this DPA as amended by the Mandatory Clauses.

  4. Annex 1 A and B of Table 3 to the Approved Addendum are specified by Schedule I of this DPA, Annex II of the Approved Addendum is further specified by Schedule II of this DPA, and Annex III of the Approved Addendum is further specified by Schedule III of this DPA.

  5. Covetrus (as data importer) may end this DPA, to the extent the Approved Addendum applies, in accordance with clause 19 of the Mandatory Clauses;

  6. Clause 16 of the Mandatory Clauses shall not apply.

  7. Neither the Standard Contractual Clauses nor the DPA shall be interpreted in a way that conflicts with UK Data Protection Laws.

  8. To the extent that the UK GDPR applies, the DPA shall be governed by the laws of England and Wales and the parties submit themselves to the jurisdiction of the courts of England and Wales.

Schedule VII to Client Data Protection Addendum

Swiss Addendum

As stipulated in section 12 of the DPA, this Swiss Addendum shall apply to any processing of Client Personal Data subject to Swiss Data Protection Law or to both Swiss Data Protection Law and the GDPR.

  1. INTERPRETATION OF THIS ADDENDUM

    1. Where this Addendum uses terms that are defined in the Standard Contractual Clauses as further specified in Schedule IV of this DPA, those terms shall have the same meaning as in the Standard Contractual Clauses. In addition, the following terms have the following meanings:

      This Addendum: This Addendum to the Clauses

      Clauses: The Standard Contractual Clauses as further specified in Schedule IV of this DPA

      Swiss Data Protection Laws: The Swiss Federal Act on Data Protection of 25 September 2020, and any new or revised version of these laws that may enter into force from time to time.

    2. This Addendum shall be read and interpreted in the light of the provisions of Swiss Data Protection Laws, and so that it fulfils the intention for it to provide the appropriate safeguards as required by Article 46 GDPR and/or Article 16(2) of the Swiss Data Protection Laws, as the case may be.

    3. This Addendum shall not be interpreted in a way that conflicts with rights and obligations provided for in Swiss Data Protection Laws.

    4. Any references to legislation (or specific provisions of legislation) means that legislation (or specific provision) as it may change over time. This includes where that legislation (or specific provision) has been consolidated, re-enacted and/or replaced after this Addendum has been entered into.

  2. HIERARCHY

    In the event of a conflict or inconsistency between this Addendum and the provisions of the Clauses or other related agreements between the Parties, existing at the time this Addendum is agreed or entered into thereafter, the provisions which provide the most protection to data subjects shall prevail.

  3. INCORPORATION OF THE CLAUSES

    1. In relation to any processing of personal data subject to Swiss Data Protection Laws or to both Swiss Data Protection Laws and the GDPR, this Addendum amends the DPA including as further specified in the schedules of this DPA to the extent necessary, so they operate:

      1. for transfers made by the data exporter to the data importer, to the extent that Swiss Data Protection Laws or Swiss Data Protection Laws and the GDPR apply to the data exporter’s processing when making that transfer; and

      2. to provide appropriate safeguards for the transfers in accordance with Article 46 of the GDPR and/or Article 16(2) of the Swiss Data Protection Laws, as the case may be.

    2. To the extent that any processing of personal data is exclusively subject to Swiss Data Protection Laws, the amendments to the DPA including the SCCs, as further specified in the schedules of this DPA and as required by section 2.1 of this Swiss Addendum, include (without limitation):

      1. References to the “Clauses” or the “SCCs” means this Swiss Addendum as it amends the SCCs.

      2. Clause 6 Description of the transfer(s) is replaced with:

        “The details of the transfer(s), and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred, are those specified in Schedule I of this DPA where Swiss Data Protection Laws apply to the data exporter’s processing when making that transfer.”

      3. References to “Regulation (EU) 2016/679” or “that Regulation” or “GDPR” are replaced by “Swiss Data Protection Laws”, and references to specific Article(s) of “Regulation (EU) 2016/679” or “GDPR” are replaced with the equivalent Article or Section of Swiss Data Protection Laws to the extent applicable.

      4. References to Regulation (EU) 2018/1725 are removed.

      5. References to the “European Union”, “Union”, “EU” and “EU Member State” are all replaced with “Switzerland”.

      6. Clause 13(a) and Part C of Annex I are not used; the “competent supervisory authority” is the Federal Data Protection and Information Commissioner (the “FDPIC”) insofar as the transfers are governed by Swiss Data Protection Laws;

      7. Clause 17 is replaced to state:

        “These Clauses are governed by the laws of Switzerland insofar as the transfers are governed by Swiss Data Protection Laws”.

      8. Clause 18 is replaced to state:

        “Any dispute arising from these Clauses relating to Swiss Data Protection Laws shall be resolved by the courts of Switzerland. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of Switzerland in which he/she has his/her habitual residence. The Parties agree to submit themselves to the jurisdiction of such courts.”

    3. To the extent that any processing of personal data is subject to both Swiss Data Protection Laws and the GDPR, the DPA including the sections/clauses as further specified in the schedules of this DPA will apply (i) as is and (ii) additionally, to the extent that a transfer is subject to Swiss Data Protection Laws, as amended by sections 3(b) and 3(d) of this Swiss Addendum, with the sole exception that Clause 17 of the SCCs shall not be replaced as stipulated under section 3(b)(vii) of this Swiss Addendum.

    4. Client warrants that it and/or Client Group Members have made any notifications to the FDPIC which are required under Swiss Data Protection Laws.
