Trusted Research Environment (“TRE”) Addendum
TRE Standards and Requirements
This Addendum sets forth the standards and requirements for an information technology environment to be accredited as a Trusted Research Environment or TRE under the Agreement. Defined terms used but not otherwise defined in this Addendum shall have the meanings ascribed to them in the Agreement.
Notwithstanding anything to the contrary in the Agreement, Customer agrees that under no circumstances may it receive, store, process, access, or use any Licensed Data in connection with an environment that is not: (a) maintained by or on behalf of Customer, and (b) then currently accredited by NashBio as meeting the requirements of a TRE. Customer may seek accreditation of an environment as a TRE by submitting to NashBio a Self-Assessment Questionnaire and/or Security Assessment Report (each as defined below) as requested by NashBio, and providing such other information/documentation as may be reasonably requested by NashBio to demonstrate compliance with this Addendum. Accreditation will be effective upon review of such materials and approval of such environment by NashBio or its designated assessment firm. Further, Customer acknowledges that each TRE must be re-accredited at least annually in order to meet the requirements of this Addendum.
- Security Program Generally. Without limiting any confidentiality obligations or restrictions on the use or disclosure of Licensed Data set forth in the Agreement and for so long as Customer, its Affiliates, or its or their contractors (which includes any sub-service organizations) or Agents, have any Licensed Data in their possession or under their control, Customer shall implement, maintain and adhere to a written information security program covering all In-Scope Systems (addressing all applicable organizational, technical, security and administrative processes and systems, including, for example, processes for data import, export, storage and processing, and applicable human resource processes) that, at a minimum, is consistent with then current industry standards for security, and that, without limitation, addresses the following elements: (a) is designed to ensure the security and confidentiality of such Licensed Data; (b) protects against any anticipated or foreseeable (through use of reasonable care in accordance with then current industry standards) threats or hazards to the security or integrity of such Licensed Data; (c) protects against unauthorized access to or use of such Licensed Data; (d) provides for secure disposal of Licensed Data; (e) includes routine periodic use of up-to-date industry standard tooling to evaluate the systems on which such Licensed Data is stored or processed for known security exploits (e.g., the CVE Program); (f) if appropriate given the nature of the environment, requires periodic and routine penetration testing and/or security audits consistent with industry standards; (g) provides that all relevant systems of Customer’s Affiliates and Third Parties engaged by Customer with Licensed Data in their possession comply with all of the foregoing; and (h) sets forth procedures for continual assessment and re-assessment of the risks to the security of Licensed Data (and updating of the security program to provide appropriate protection against such risks), including: (i) identification of internal and external threats that could reasonably be expected to result in a data breach; (ii) assessment of the likelihood and potential damage or harm of such threats, taking into account the sensitivity of such Licensed Data; and (iii) assessment of the sufficiency of Customer’s policies, procedures, and information systems and other arrangements in place. The scope of such security program must include, and this Addendum applies to, all system(s) of Customer, its Affiliates, and all Third Party organizations or Agents on which any Licensed Data is stored or processed, or through which any Licensed Data is accessed, transmitted or received (“In-Scope Systems”). Customer shall be responsible for its Affiliates’, and its and their Third Parties’ and Agents’ compliance with these requirements.
- Minimum Requirements. Without limiting the foregoing, Customer shall have in place at least the minimum measures set forth in this Section 2 with respect to In-Scope Systems to protect Licensed Data against accidental, unauthorized, or unlawful access, alteration, copying, damage, destruction, disclosure, display, distribution, loss, modification, processing, or storage; provided, however, that NashBio, in consultation with Customer and acting reasonably, may adjust such minimum measures (but only to the extent consistent with then current industry standards) based on evaluation of Customer’s compensating controls or overall security program and Security Assessment Report (e.g., encryption standards may be relaxed for air-gapped systems). Any determination by NashBio of industry standards shall be made in good faith.
  - Implementing appropriate personnel security and integrity procedures and practices;
  - Providing appropriate information security training to all Customer employees, Agents and Third Parties having access to In-Scope Systems;
  - Limiting access to the Licensed Data to Authorized Users, and maintaining a disciplinary process to address any unauthorized access to, or use or disclosure of, Licensed Data by Customer’s employees, Agents, or Third Parties;
  - Promptly revoking an Authorized User’s access to the Licensed Data upon (i) learning that such Authorized User violated the data restrictions or use limitations of the Agreement; (ii) the exclusion or disbarment of an Authorized User; or (iii) the separation or disassociation of the Authorized User from Customer or its Affiliate;
  - Securing facilities, data centers, hard-copy files, servers, back-up systems and computing equipment, including, but not limited to, all mobile devices and other equipment with information storage capability, where Licensed Data is stored or otherwise located;
  - Implementing network, device application, database, and platform security on In-Scope Systems with standards that are at least consistent with then current industry standards, and otherwise securing transmission, storage and disposal of Licensed Data;
  - Implementing secure authentication and access controls within all media, applications, operating systems, and equipment comprising In-Scope Systems;
  - Encrypting Licensed Data stored on any mobile media using current industry standard algorithms, but at least NIST acceptable algorithms;
  - Encrypting Licensed Data stored at rest using current industry standard algorithms, but at least NIST acceptable algorithms, specifically AES 256-bit encryption or other industry standard for key-based encryption protocol;
  - Encrypting all Licensed Data transmitted over public or wireless networks, using current SSL/TLS or successor or other appropriate protocol providing security consistent with then current industry standards;
  - Except as expressly authorized under the Agreement, strictly segregating Licensed Data from information of Customer, its Affiliates and information of other Third Parties Customer has access to so that Licensed Data is not commingled with any other types of information;
  - Timely deploying all applicable system security patches to all In-Scope Systems that process, store, or otherwise support the Licensed Data, including, without limitation, operating system, application software, database software, and web server software as necessary to maintain security of the Licensed Data in accordance with then current industry standards and in accordance with its own information security policies;
  - Taking industry standard steps to protect In-Scope Systems from having, and In-Scope Systems from introducing into NashBio’s systems, any type of software routines or other element which is designed to or capable of permitting any of the following: (i) unauthorized access to or intrusion upon; (ii) disabling of; (iii) erasure of; or (iv) interference with any hardware, software, data or peripheral equipment (collectively, “Malicious Code”). Upon discovery, Customer will promptly notify NashBio and take industry standard steps to investigate, contain, identify, and remove such Malicious Code;
  - Not using in In-Scope Systems any material system (or element thereof) not currently supported by the applicable manufacturer;
  - Reasonably acquiring and implementing new or updated information technology systems within In-Scope Systems as may be necessary to maintain security of Licensed Data in accordance with then current industry standards (which may include, without limitation, systems designed to monitor hardware and software);
  - Securing its In-Scope Systems using then current industry standard identity, access management and other controls and systems to protect against unauthorized access, and securing access to and from such systems by disabling remote communications if no business need exists or by restricting access through management approvals, reasonable controls, logging, and monitoring access;
  - Identifying In-Scope Systems that reasonably warrant security event monitoring and logging, and reasonably maintaining and analyzing log files;
  - Hosting (or, if applicable, obligating Third Party hosting service providers to host) all Licensed Data on servers that are physically located in the United States, unless otherwise agreed in writing by NashBio and Customer; and
  - Requiring any Third Parties who have access to the Licensed Data to be bound by necessary and appropriate contractual obligations to protect the confidentiality of Licensed Data in accordance with the Agreement, including this Addendum. Customer will be responsible for the acts or omissions of the Third Parties for any breach of obligations hereunder.
For purposes of clarity, and without limiting the applicability of any other terms of the Agreement, the restrictions set forth in Section 2.5 of the Terms shall continue to apply.
- Assessments. In connection with seeking TRE accreditation (whether initial or renewal), and as otherwise reasonably requested by NashBio, but no more often than once per 12 month period (which includes the accreditation process) (unless NashBio reasonably believes (a) a Security Incident (as defined below) has occurred or is occurring, or (b) Customer is not in compliance with the requirements of this Addendum), Customer shall submit to NashBio or its designated assessment firm a Self-Assessment Questionnaire and/or Security Assessment Report as requested by NashBio. In the event that responses to a Self-Assessment Questionnaire or a Security Assessment Report do not demonstrate compliance with this Addendum to the reasonable satisfaction of NashBio or its designated assessment firm, Customer shall promptly implement any reasonable safeguards or remediation as identified and requested by NashBio as a condition to initial or continued TRE accreditation.
  - For purposes of this Addendum, a “Self-Assessment Questionnaire” consists of responding to a self-assessment questionnaire provided by NashBio, and providing such responses to NashBio or its designated assessment firm via a mutually acceptable secure transfer protocol. Where appropriate, responses may consist of references to specific portion(s) of a Security Assessment Report.
  - For purposes of this Addendum, a “Security Assessment Report” consists of one of the following:
    - A certification from an industry recognized Third Party auditing firm that certifies compliance with ISO 27001 (or other similar industry recognized standards such as ISAE 3000, SOC2 Type 2, HITRUST, FISMA moderate, NIST 800-53, or COBIT 5), together with the related auditor’s report – or executive summary thereof that includes all relevant information – (noting all exceptions, exception responses and remediation plans).
    - In the event that Customer is in the process of seeking a Third Party certification described in paragraph (i) above but has not yet completed the certification process, NashBio may, in its discretion, accept as a Security Assessment Report other documentation that demonstrates (to the satisfaction of NashBio or its designated assessment firm) that Customer’s In-Scope Systems meet the requirements for TRE accreditation.
    - A security assessment report generated by NashBio’s designated assessment firm, or another industry recognized IT auditing firm reasonably selected by Customer, reflecting the results of its assessment of all areas of technical security relevant to Customer’s end-to-end processes pertaining to the Licensed Data and In-Scope Systems, including those of any sub-service organizations (including any exceptions or deficiencies identified in the assessment), demonstrating that Customer’s In-Scope Systems meet the requirements for TRE accreditation under this Addendum. Customer will be provided with an opportunity to review and comment on all relevant Security Assessment Reports, including sub-service organization Security Assessment Reports, and will inform NashBio of all exception responses and remediation plans noted in any such reports within ten (10) Business Days of such report being issued.
  - Self-Assessment Questionnaires, Security Assessment Reports, and other non-public information provided by or on behalf of Customer in connection with the TRE accreditation process are Confidential Information of Customer. Additionally, for information that Customer reasonably considers sensitive or otherwise reasonably believes would have an adverse impact on the security of its systems or information, Customer may redact or limit access to such information (e.g., providing access via video conference rather than delivering copies), provided that no such redaction or limitation shall limit access to information that would reasonably be expected to have an adverse effect on the assessment of In-Scope Systems. Further, Customer acknowledges that TRE accreditation is dependent upon receipt of (or access to) sufficient documentation demonstrating compliance with this Addendum, and, accordingly, excessive redactions/limitations may adversely affect the accreditation process.
- Systems Changes. In the event that Customer desires to modify or change its security environment to deviate from the information provided in seeking TRE accreditation with respect to an In-Scope System, Customer will provide advance written notice to NashBio of such changes for assessment of the continued security of the Licensed Data, and Customer shall not make such modification or change without NashBio’s prior written approval, not to be unreasonably withheld. Should NashBio reasonably determine that specific changes to such security environment pose a risk to the security of the Licensed Data, then NashBio and Customer will discuss how to address such gap to the reasonable satisfaction of NashBio. Further, in the event that any In-Scope System no longer meets the requirements of this Addendum, or the information submitted in connection with the application for TRE accreditation becomes no longer accurate, Customer shall promptly notify NashBio.
- Security Vulnerabilities. In the event that Customer discovers (whether through independent investigation, receiving notice from NashBio or a Third Party, through a published report or otherwise) a security vulnerability related to the In-Scope Systems, Customer shall (a) within a reasonable time (at least consistent with then current industry standards) of discovery, conduct an assessment of the vulnerability and its related risks, and (b) mitigate the vulnerability in accordance with then current industry standards and Customer’s documented security program. Additionally, if requested by NashBio with respect to one or more specific vulnerabilities, Customer shall report the results of such assessment, and the mitigation efforts taken (or planned to be taken), to NashBio within such reasonable time. Without limiting anything in the Agreement, Customer shall promptly install a patch or update that addresses the vulnerability in accordance with Customer’s security program and then current industry standards (whichever is shorter).
- Security Incidents. Customer shall promptly notify NashBio of any Security Incident with respect to any In-Scope Systems or Licensed Data, other than insignificant incidents that would not be expected to lead to any significant accidental, unauthorized, or unlawful access, alteration, copying, disclosure, display, distribution, loss, modification, processing, or storage of Licensed Data. Customer shall provide such details as NashBio may reasonably request regarding the Security Incident, including, without limitation, (a) a description of the nature of the Security Incident and the Licensed Data involved; (b) the likely consequences; and (c) a description of the measures taken, or proposed to be taken, to address the Security Incident, including measures to mitigate its possible adverse effects. Customer shall give NashBio updates as additional information regarding the incident becomes available and will provide reasonable cooperation and assistance to NashBio in relation to any remedial action to be taken in response to the incident. In any event, Customer will use reasonable efforts to recover any Licensed Data that has been compromised. For purposes hereof, a “Security Incident” includes, without limitation, any confirmed (or that is likely to be confirmed based on information known to a Party at the time) (i) unauthorized system compromise of an In-Scope System, (ii) corruption, loss or destruction of Licensed Data, (iii) impermissible access to, or use or disclosure of, Licensed Data, or (iv) circumstances indicating a significant likelihood that any of the foregoing will occur or has occurred.
- Access and Download Logs. Customer shall create and maintain access and download logs regarding the Licensed Data. Such logs shall, at a minimum, capture and provide reporting on (a) all Authorized Users (identified by name or unique user ID) and their access rights (including date of creation and, if applicable, termination or suspension); (b) which users are active in the Licensed Data at any given time; (c) access attempts (both authorized and unauthorized); and (d) any ingress of Licensed Data to and egress of Licensed Data from the TRE, including, without limitation, the date, time, user identity and destination. Without limiting the foregoing, such logs shall include a time-based record of system activities sufficient to enable the reconstruction and examination of the sequence of events or changes in an event, including, without limitation, who accessed a system and what operations the person has performed during a given period. Customer will retain any such access and download logs for at least one (1) year from the time of the applicable entry. Customer will share access and download logs with NashBio and/or its designated Third Party auditor upon reasonable request, provided, however, that Customer may redact from such logs (i) confidential or sensitive information that is not identified in (a) – (d) above, and (ii) confidential system access information such as passwords.
- Accreditation – Renewal/Suspension/Revocation.
  - Accreditation of a TRE must be renewed annually. Customer may apply for renewal by submitting a Self-Assessment Questionnaire in accordance with Section 2 above and/or a current Security Assessment Report in accordance with Section 3 above (as requested by NashBio) no less than 90 days prior to expiration of the then current period of accreditation.
  - In the event that NashBio has evidence indicating that a Security Incident has occurred or that Customer’s In-Scope Systems do not meet the requirements for TRE accreditation as provided in this Addendum, then NashBio may suspend or limit the scope of the TRE accreditation for the applicable In-Scope System(s) upon notice to Customer, such notice including all applicable facts supporting NashBio’s assessment of the issues concerning Customer’s In-Scope System(s). Any such suspension or limitation shall be limited (in both scope and duration) to the minimum extent necessary to address the applicable issue(s) (e.g., for multiple TREs or TREs consisting of multiple In-Scope Systems, the suspension or limitation may be limited to a single In-Scope System), and shall be lifted upon resolution of such issue(s). Immediately upon suspension of TRE accreditation, and for the duration of any such suspension, Customer shall secure the Licensed Data in a manner that addresses the basis for such suspension and that is reasonably acceptable to NashBio, which may include, among other things, if reasonable, limiting or suspending access to, or use of, the Licensed Data, segregating the applicable In-Scope System from other systems, and/or transferring Licensed Data to a different system/storage system that meets the requirements of this Addendum.
  - In the event that Customer does not seek renewal of accreditation or Customer does not promptly implement any identified remedial change necessary to meet the requirements for TRE accreditation in accordance with this Addendum, NashBio may revoke accreditation for the applicable TRE upon notice to Customer.
- Effects of Termination. Upon the earlier of (i) the end of the License Term, or (ii) the termination of the applicable Order Form or the Agreement, Customer shall promptly delete and destroy all Licensed Data in its possession, custody or control as of the effective date of termination and provide NashBio with written certification of such destruction.