EU-US/Swiss-US Privacy Shield Policy

Vecna Robotics, Inc. (“Vecna”) complies with the EU-U.S Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework, as sort forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union and Switzerland to the United States. Vecna has certified to the Department of Commerce that it adheres to the Privacy Shield Principles of Notice, Choice, Accountability for Onward Transfer, Security, Data Integrity and Purpose Limitation, Access, and Recourse, Enforcement and Liability. If there is any conflict between the terms in this privacy policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield Program, and to view our certification, please visit http://www/privacyshield.gov/.

Definitions

“Data Subject” means the individual to whom any given Privacy Shield Personal Data refers.

“Personal Data” means any information relating to an individual residing in the European Economic Area or Switzerland that can be used to identify that individual either on its own or in combination with other readily available data.

“Sensitive Personal Data” means Personal Data regarding an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, physical or mental health, sexual life, or criminal record.

Scope and Responsibility

This EU-U.S. and Swiss-U.S Privacy Shield Policy (the “Policy”) applies to all Personal Data received by Vecna in the United States from the EU or Switzerland, in any format, including electronic, paper, or verbal.

All employees of Vecna that have access to such EU/Swiss Personal Data in the U.S. are responsible for conducting themselves in accordance with this Policy. Adherence by Vecna to this Policy may be limited to the extent required to meet legal, regulatory, governmental, or national security obligations, but EU/Swiss Personal Data shall not be collected, used, or disclosed in a manner contrary to this policy without the prior written permission of Vecna’s Legal Department.

Vecna employees responsible for engaging third parties to handle EU/Swiss Personal Data covered by this Policy on behalf of Vecna (e.g., temporary staff, independent contractors, sub-contractors, business partners, or vendors) are responsible for obtaining appropriate assurances that such third parties have an obligation to conduct themselves in accordance with the applicable provisions of this Policy, including any applicable contractual assurances required by Privacy Shield.

Failure of a Vecna employee to comply with this Policy may result in disciplinary action up to and including termination.

Privacy Shield Principles

Notice

Vecna commits to comply with the Privacy Shield Principles with respect to Personal Data Vecna receives from Switzerland and the EU in reliance on the Privacy Shield. The Privacy Shield List can be found at: https://www.privacyshield.gov/list

Depending on requirements and purchased modules/services, Vecna software may receive, process, store, and/or transmit personally identifying information (PII) and personal health information (PHI). This PII/PHI may include: names, medical record numbers (MRNs) or other identifying numbers, Social Security numbers, insurance policy information, addresses, phone numbers, responses to medical questionnaires, electronic signatures, and other data, either originating with client [customer] record systems or input to Vecna systems by users, whether patient users, staff users, or otherwise.

Choice

Vecna offers individuals the right to choose whether their personal information is (i) to be disclosed to a third party or, (ii) to be used for a purpose that is materially different from the purpose we originally collected it. In order to opt-out of disclosure of your information, please contact Vecna at the address or email address listed below.

For sensitive personal information like, for example, personal information specifying medical or health conditions, race, and/or ethnic origin, Vecna will not disclose this information without receiving affirmative consent from individuals if such information is to be (i) disclosed to a third party or (ii) used for a purpose other than those for which Vecna originally collected or was subsequently authorized by the individual. Vecna also treats sensitive information it receives from third parties as sensitive.

Accountability for Onward Transfer

(transfers to affiliates and/or other third parties)

In the event Vecna transfers EU/Swiss Personal Data covered by this Policy to an affiliate or other third parties, it will do so consistent with any notice provided to Data Subjects and any consent they have given. Vecna will transfer Personal Data to such third parties only if the transfer is for limited and specified purposes and the third party will provide at least the same level of privacy protection as is required by this Policy and the Privacy Shield Principles. When Vecna has knowledge that a third party is using or sharing Personal Data in a way that is contrary to this Policy, Vecna will take reasonable steps to prevent or stop such use or sharing.

With respect to transfers to its agents, Vecna remains responsible under the Privacy Shield Principles if an agent processes Personal Data in a manner inconsistent with the Principles, except where Vecna is not responsible for the event giving rise to the damage.

Data Integrity and Purpose Limitation

Vecna does not process personal information in a way that is incompatible with the purposes for which it has been collected or subsequently authorized by the individual. Vecna has internal processes in place to ensure that personal data is reliable for its intended use, accurate, complete and current. Vecna will adhere to this Principle for as long as the company retains such information.

Subject to applicable law, Vecna retains Personal Data only for as long as it serves a purpose that is compatible with the purposes for which the Personal Data was collected or subsequently authorized by the Data Subject.

Access

EU and Swiss Individuals have the right to access their personal information. Upon request, and with the consent of our clients, Vecna will grant individuals access to personal information that it holds about them. In addition, Vecna will take reasonable steps to permit individuals to correct, amend, or delete information that is demonstrated to be inaccurate or incomplete.

Recourse, Enforcement, and Liability

Vecna has mechanisms in place designed to help assure compliance with the Privacy Shield Principles. Like all Privacy Shield companies, Vecna must conduct an annual self-assessment of its Personal Data practices to verify that Vecna is in compliance with the Privacy Shield Principles.

If you have inquiries or complaints regarding Vecna’s use of your confidential information, you can write to:

Vecna Robotics, Inc.

Attn: Vecna Legal Department

36 Cambridgepark Drive

Cambridge, MA

02140,

or email Vecna at legal@vecnarobotics.com. In the event an inquiry or complaint cannot be resolved between Vecna and a Data Subject, the Data Subject may contact Vecna’s independent recourse mechanism, the International Centre for Dispute Resolution/American Arbitration Association (ICDR/AAA), to use their EU/Swiss Privacy Shield Dispute Procedure. Data Subjects can find the ICDR/AAA’s contact information at http://go.adr.org/privacyshield.html.

Should a complaint remain fully or partially unresolved after a review by Vecna and the applicable independent recourse mechanism, Data Subjects may be able to, under certain conditions, seek binding arbitration before the Privacy Shield Panel. For more information, please visit www.privacyshield.gov.

Vecna is also subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC).

Changes to this Policy

This Policy may be amended from time to time consistent with the requirements of the Privacy Shield Principles. Appropriate notice will be given concerning such amendments.

Contact Information

Questions, comments, or complaints pertaining to this Policy
should be submitted by mail or e-mail to:

Vecna Robotics, Inc.

ATTN: Legal Department

36 Cambridgepark Drive

Cambridge, MA 02140

Phone: 240-965-4500

Email: legal@vecnarobotics.com

Amendments Vecna reserves the right to amend this EU-US/Swiss-US Privacy Shield Policy without prior notice to reflect technological advancements, legal and regulatory changes, and good business practices. If Vecna changes its privacy practices, a new Privacy Policy will reflect those changes and the effective date of the revised Privacy Policy will be set forth in this paragraph. This Privacy Policy was last updated on January 9, 2018, and is effective as of that date.