Last updated: April 2024

A. PainChek UK Limited Company Number 12170151 (PainChek, we, our, us) owns, operates and licenses access to systems (PainChek Platform) and a mobile application (PainChek Application) through which it provides pain assessment services as described in this agreement (Services).

B. The PainChek Platform and the PainChek Application seek to improve a patient’s quality of life by providing real-time, point of care diagnostic information using facial recognition technology and other subjective measures that indicate the presence of pain.

C. The terms of this agreement (Service Terms) govern the Services offered by PainChek to you as a healthcare provider (Provider) located in United Kingdom.

D. On executing these Service Terms, you (and the entity you represent) agree to be bound by these Service Terms.

2.1 As part of the Services, PainChek offers:

• access to the PainChek Application;

• use of the PainChek Platform, in conjunction with the PainChek Application, to provide healthcare practitioners with diagnostic information;

• an agreed number of sessions of appropriate PainChek Application Training;

• PainChek E-learning Platform;

• PainChek Software Updates and Backend Support; and

• PainChek Application Expansion.

2.2 The scope and features of the Services (including part of the payment terms) are set out in Schedule 1.

3.1 When you first sign-up to receive the Services, a new user account will be created by PainChek (Your Account). After the creation of Your Account, you as a Provider, can use Your Account to access and manage the Services you have subscribed to and set up users of Your Account in accordance with these Service Terms (Your Subscription).

3.2 Your Subscription will commence on the Go-Live Date.

4.1 You must keep confidential Your Account and password and are responsible for all activities that occur under Your Account.

4.2 In accordance with the scope and features of the Services set out in the

Schedule and clause 7:

• if you alter or upgrade Your Subscription, you may be required to pay additional Fees; and

• if you cancel Your Subscription, you may not receive any refund in respect of Fees you have paid in advance for that Service.

5.1 Refer to Nourish Standard Terms and Conditions

6.1 Refer to Nourish Standard Terms and Conditions

7.1 Refer to Nourish Standard Terms and Conditions.

8.1 We may change the Fees for the Services at any time by:

8.1.1 updating these Service Terms; and

8.1.2 supplying you with a Change Notice in accordance with clause 9.1.

8.2 Any change to the Fees for the Services will not take effect until after the 30 day period and opportunity for you to terminate referred to in clause 9.2 has passed.

8.3 Fees for the Services may be increased by up to 10% per annum, except in cases of significant change to the Services. Any changes are subject to clause 8.2.

9.1 Refer to Nourish Standard Terms and Conditions

10.1 Your use of the PainChek Platform takes place through a non-exclusive and non-transferable licence to access and use the PainChek Platform we grant to you for the sole purpose of supplying the Services to you in accordance with their terms. In exchange for the grant of this licence and our supply of Services, you agree to pay the Fees applicable to Your Subscription for the Services promptly and on time.

10.2 You must, and agree to, in relation to your use of the PainChek Platform:

(a) comply with any restrictions notified by PainChek from time to time, including reasonable requirements in relation to security and data protection;

(b) comply with any terms of use for the Services which may be accessed on the PainChek Website, as amended from time to time;

(c) not:

• (i) attempt to disrupt the normal operation of the PainChek Platform, or any infrastructure operated by, or other business activities of, PainChek;
• (ii) attempt to gain unauthorised access to any aspects of the PainChek Platform;
• (iii) make any automated use of the PainChek Platform, other than in connection with linking the PainChek Platform to a website operated or controlled by you in accordance with these Service Terms, without the prior written consent of PainChek;
• (iv) impersonate any other person in using the PainChek Platform;
• (v) reverse assemble or reverse compile or directly or indirectly allow or cause a third party to reverse assemble or reverse compile the whole or any part of the PainChek Platform except to the extent permitted by UK Copyright Act the which may not be excluded by agreement; or
• (vi) use the PainChek Platform in connection with the actual or attempted contravention of any applicable Laws;

(d) comply at your own expense with all reasonable directions of PainChek to establish and/or maintain access for you to the PainChek Platform and Services, assisting PainChek to negotiate and carry out any necessary adaptations to, or integration of, the PainChek Platform and any existing application or software used by you; and

(e) only use supported devices, operating systems and/or browsers to access the PainChek Platform and the PainChek Application.

11.1 If either party receives any Confidential Information from the other, the receiving party must only use the other’s Confidential Information in a limited way to perform its respective obligations or exercise its respective rights under these Service Terms.

11.2 Each party must keep the other’s Confidential Information secret and safe, treat it as its own confidential information and return it to the other party within a reasonable time after Your Subscription to all Services which use such information has been cancelled or terminated in accordance with these Service Terms.

11.3 The obligations in clauses 11.1 and 11.2 do not:

(a) apply to Confidential Information that is:

• in the public domain otherwise than as a result of a breach of these Service Terms or another obligation of confidence;

• independently developed by the recipient; or

• already known by the recipient independently of its interaction with the other party and free of any obligation of confidence; or

(b) prevent PainChek from including your Confidential Information in any report requested by a Government Agency, provided that to the extent permitted, PainChek gives you prior notice and consults with you as to any reasonable effort to object to the inclusion.

11.4 The Services, the PainChek Application, the PainChek Platform and all materials we provide to you are and remain the intellectual property of PainChek and all rights not expressly granted to you under these Service Terms are expressly reserved to PainChek. PainChek may store, access, modify, disclose and otherwise use the Aggregated Data for any purpose, and you agree to obtain all necessary consents to facilitate the same.

11.5 PainChek shall indemnify the Provider in full against any sums awarded by a court against the Provider arising out of or in connection with any claim brought against the Provider for infringement of a third party’s rights (including any Intellectual Property Rights) arising out of or in connection with the receipt or use of the Services by the Provider.

11.6 Neither party may issue any media release, promotional material or publicity in connection with its relationship with the other party, or otherwise refer to the other party or any trade mark of the other party without the prior written approval of the other party, not to be unreasonably withheld.

12.1 PainChek confirm that, in their capacity as a data processor, the nature and the purpose of the processing is to supply services to the Provider in their capacity as a data Controller as instructed from time to time in accordance with this Agreement. Schedule 2 to this agreement sets out the categories of data subjects, categories of processing carried out by PainChek, and the purpose for which PainChek processes the Controller’s personal data.

12.2 For so long as PainChek is processing personal data on the Controller’s behalf in a capacity as data processor, the Controller will:

a. be the data controller for the purposes of Data Protection Laws;

b. provide PainChek with any details of the types of personal data that it provides to PainChek for processing from time to time (inclusive of details about any special categories of personal data);

c. ensure that it has secured all necessary appropriate consents, registrations and notifications as may be required to enable the lawful transfer of the personal data to PainChek (and to make such further transfers to third parties as envisaged under clause 12), and in order for PainChek to process such personal data to the extent required for, and for the duration of, our provision of services to the Controller;

d. provide PainChek with documented instructions for processing of the personal data; and

e. be accountable to PainChek for all costs, claims, damages and expenses (including legal costs) arising out of, or in connection with, any failure to comply with the requirements of this clause 12.

12.3 In relation to any personal data processed by PainChek where we are acting in the capacity as data processor, without prejudice to our rights and obligations where we are a data controller, we shall:

a. process that personal data only on the Controller’s reasonable and lawfully given written instructions unless we are required otherwise under any applicable law. Where we are relying on applicable law as the basis for processing personal data outside of the Controller’s instructions, we shall promptly notify the Controller of this unless such laws prohibit PainChek from doing so;

b. not process personal such data for our own purposes without the Controller’s prior written consent. For the avoidance of doubt, this shall not apply to PainChek where we are the data controller of any personal data; c. ensure that we have in place appropriate technical and organisational measures to ensure a level of security appropriate to the data security risks presented by processing such personal data, including (without limitation) the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymising and encrypting personal data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to personal data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by PainChek);

d. regularly review and update the technical and organisational measures implemented in order to demonstrate to the Controller that the processing of the personal data is performed in accordance with the Data Protection Laws upon request;

e. ensure that all personnel who have access to and/or process personal data are obliged to keep the personal data confidential;

f. put in place appropriate safeguards to protect the personal data including (without limitation), executing with the Controllers such further documentation as may be necessary for the transfers to be lawful, such as standard contractual clauses in the form approved by the European Commission as such contractual clauses are from time to time amended and updated;

g. put in place enforceable data subject rights and effective legal remedies for data subjects as required by the Data Protection Laws;

h. notify the Controller without undue delay on becoming aware of a personal data breach;

i. promptly inform the Controller of any complaints, requests or enquiries received from data subjects, including but not limited to requests to access, correct, delete, block or restrict access to their personal data or receive a machine-readable copy thereof;

j. at the Controller’s request and sole cost, assist the Controller in responding to any request from a data subject with respect to any complaints, requests or enquiries security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;

k. immediately inform the Controller if, in our opinion, an instruction infringes Data Protection Laws;

l. at the Controller’s written direction, delete or return personal data and copies thereof to the Controller on termination of the agreement unless we are separately a data controller of such information or are required by applicable law to retain the personal data. Where the Controller terminates part only of the services that we provide to it, then this clause 12.4(l) shall only apply to the part of the services that have been terminated;

m. allow for limited audits, at the Controller’s sole cost (including in respect of any of our own associated costs), which shall be strictly limited to the specific documents or information or part of any document or information that are reasonably necessary (as determined by PainChek acting reasonably) to demonstrate our compliance with the obligations of the Data Protection Laws as they directly relate to personal data that the Controller is the data controller of. Such audits shall be carried out no more than once in any twelve month period by the Controller or such designated auditor that we are satisfied is not our competitor (as we determine, acting reasonably) and audits shall be on not less than 30 business days’ notice on a date agreed with PainChek and shall be carried out during normal working hours on a business day and shall not unreasonably disturb our operations; and

n. maintain a written record of processing activities to demonstrate our compliance with clause 12, for which Schedule 2 to this agreement shall constitute a part thereof as at the date that the agreement for services between PainChek and the Controller have been entered into, and which shall include, as a minimum:

• (i) the Controller’s name and contact details, the Controller’s representative and/or data protection officer or other privacy manager or officer (each where applicable);
• (ii) the categories of data that we are processing for the Controller;
• (iii) the purpose of the processing;
• (iv) the categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organisations;
• (v) any transfers of personal data to a third country or an international organisation (where applicable) and details of the suitable safeguards in place; and
• (vi) the technical and organisational security measures in the form of a general description.

12.4 Where the Controller submits personal data to PainChek from within the European Economic Area (EEA), such information may be transferred to countries outside the EEA. By way of example, this may happen if one or more of our third party service providers with whom we share personal data in accordance clause 12.5 are located, or have their servers located, outside the Controller’s country or the country from which the data were provided. If we transfer personal data that the Controller provides to PainChek (in our capacity as a data processor) outside the EEA then we will take steps to ensure an adequate level of protection to any personal data that is transferred. We will use our reasonable endeavours to work with the Controller to apply for and obtain any permit, authorisation or consent that may be required under Applicable Data Protection Law in respect of the implementation of this clause 12.4.

12.5 The Controller acknowledges and agrees that PainChek may in the course of providing services, process, access and/or store (permit affiliates or third party subcontractors to process, access and/or store) the Controller’s personal data in one or more countries which are outside of the EEA and for which there are not adequate safeguards otherwise in place, provided that such processing takes place in accordance with the requirements of clause 12.4 and applicable Data Protection Laws. The Controller hereby grants PainChek a mandate to enter into the Standard Data Protection Clauses with third party subcontractors or affiliates on behalf of and as agent for the Controller. Where we add or replace our third party subcontractors from we will provide written notification, which may be as part of a supplier list on our website, which the Controller should check regularly. The Controller has the right to object to any such changes that we may introduce appointed subcontractors.

12.6 As between the Controller and PainChek, we may remain liable for acts or omissions of any third-party processor appointed by PainChek pursuant to clause 12.4, however please note that where the Controller enters into contract directly with any third parties, then they may have their own privacy policies and terms and conditions, which we have no control over, accept no responsibility for, and shall have no liability for.

12.7 We may, at any time on not less than 30 days’ notice, revise this clause 12 by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme (which shall apply when replaced by attachment to this agreement).

12.8 Save to the extent expressly stated otherwise, the Controller shall bear all costs associated with PainChek’s compliance with the terms set out in this agreement; and shall indemnify PainChek from and against all costs, expenses (including legal and other professional fees and expenses), losses, damages and other liabilities of whatever nature (whether contractual, tortious or otherwise) suffered or incurred by us which arise out of or in connection with any breach of the terms set out in this agreement.

13.1 You acknowledge and agree that:

• errors in the information on the PainChek Platform and PainChek Application may occur;

• information provided by the Services does not comprise medical advice;

• the accuracy and usefulness of that information are dependent on the skills of the user of the Services and the data they input to the Services; and

• the Services are not a substitute for independent professional care in the treatment of medical conditions.

13.2 Otherwise Refer to Nourish Standard Terms and Conditions

14.1 Refer to Nourish Standard Terms and Conditions.

15.1 Refer to Nourish Standard Terms and Conditions.

16.1 Refer to Nourish Standard Terms and Conditions.

17.1 The following definitions apply in this document (unless context requires otherwise):

The scope and features of the Services (including part of the payment terms) are as follows:

SERVICES

(a) Access to PainChek Application and Use of PainChek Platform:

• Unless otherwise agreed by parties, access to the PainChek Application and use of the PainChek Platform for up to the number of Approved Places listed on your PainChek Order Form.

• Access to the PainChek Application, running on supported devices, owned by you. The PainChek Application allows for patient

management, including creating and updating Patient records and preforming and reviewing pain assessments.

• Access to the PainChek Web Admin Portal (part of the PainChek Platform) that allows for user management, device management and reporting.

(b) PainChek Training Package:

• Training sessions (as per the number listed on your PainChek Order Form) provided for participants as nominated by you to PainChek in writing (up to a maximum of 20 participants per session).
• The training provides an overview of:

• pain associated behaviour and assessments in people with dementia; and

• the PainChek Platform and hands-on training using your supported iOS and Android devices.

(c) PainChek E-learning Platform

• The PainChek e-learning platform is available as the following packages:

• An online e-learning platform hosted by PainChek on the PainChek website; and

• A SCORM package that can be provided on request.

• If you choose to use either e-learning package, it is your responsibility to ensure compatibility for proper use. If you require customisation of either e-learning packages, these will be costed separately subject to agreement by both Parties.

• The PainChek e-learning content will be updated from time-to-time, as required at the sole discretion of PainChek, to improve functionality and/or learning outcomes. This process is the sole responsibility of PainChek.

(d) PainChek Software Updates and Backend Support:

• The PainChek Application will be updated from time to time, as required at the sole discretion of PainChek.

• The updates may be downloaded via the Apple App Store, or by other means as directed by us, and installed on your devices. It is your responsibility to perform the device updates, but we will provide remote support to assist you with the process. Not updating when the updates are available may impact on the functionality and overall use of the PainChek Application.

• The PainChek Platform (backend) will be updated from time-to-time, as required at the sole discretion of PainChek, to improve functionality and/or to address performance, security or functionality issues. This process is the sole responsibility of PainChek.

(e) PainChek Application Expansion:

• If at any time, we notice that the number of Active Patients on Your Account exceeds the total number of Active Patients agreed under Your Subscription, we will notify you of this and expand the number of Active Patients for an additional cost as specified in clause 7.1(e).
• Please note that the PainChek Platform and the PainChek Application do not limit the number of Active Patients allowed on the system. It is the sole responsibility of you to manage the number of Active Patients on Your Account to ensure additional costs are not incurred.

This Schedule on description of Processing (“Schedule 2”) is a Schedule to and forms an inseparable part of the agreement to this agreement.

The purpose of this Schedule 2 is to supplement this agreement with more detailed description of the type of personal data provided by the Controller to PainChek and categories of the Data Subjects included thereto.

Unless expressly otherwise stated, the applicable definitions provided in this agreement shall be applied to this Schedule 2.

PainChek is obliged to maintain the confidentiality and security of any personal data provided to it by the supplier, and has implemented and will maintain appropriate technical and organisational measures and information security routines intended to protect personal data.

PainChek will maintain administrative, physical, and technical safeguards for protection of the security, confidentiality and integrity of personal data processed by PainChek as part of the services, in accordance with PainChek’s security policy which is available on request. PainChek will not materially decrease the overall security of the services provided during the term of this agreement.