MAIN SERVICE AGREEMENT, DATED MAY 31, 2023, BY AND BETWEEN NOVARTIS (TAIWAN) CO., LTD. AND YONG DING BIOPHARM CO., LTD.

Exhibit 10.15

 

Main Service Agreement for Clinical Trial Items and Pharmaceutical Products

 

Parties to the Agreement:

 

Novartis (Taiwan) Co., Ltd. located at 8th Floor, No. 2, Section 3, Minsheng East Road, Zhongshan District, Taipei City (hereinafter referred to as the “Novartis”);

 

And

 

Yong Ding Biopharm Co., Ltd. located at 12th Floor, No. 101, Section 2, Nanjing East Road, Zhongshan District, Taipei City (hereinafter referred to as the “Supplier”).

 

Preamble

 

A. The Novartis engages in the research, development, manufacturing, and distribution of various medical products in diverse medical fields. The Novartis and its affiliated companies (as defined below) require specific related services in the course of their business operations.

 

B. The Supplier possesses expertise in providing certain services, and the Novartis intends to designate the Supplier to provide the related services in accordance with this Agreement.

 

The Parties hereby agree as follows:

 

1. Definitions and Interpretation

 

1.1 Definitions

 

(a) Adverse Event refers to any undesirable medical occurrence experienced by a patient following the use of a pharmaceutical product, regardless of whether there is a causal relationship with the treatment. An Adverse Event can include any unfavorable or unexpected symptoms (including abnormal laboratory test results), signs, or diseases that are temporally associated with the use of a pharmaceutical product, regardless of whether they are related to the product.

 

(b) Control means ownership of more than 50% of the issued share capital/equity, acting as a general partner in any partnership, or having any other arrangement that enables a party to control or direct the board of directors or equivalent governing body of a company or entity, or to direct its operations or policy decisions. The term Change of Control shall have a corresponding meaning.

 

 

 

 

(c) Approved Subcontractor refers to any affiliate or subcontractor of the Supplier approved under Clause 15.2, authorized to provide services under this Agreement or any Statement of Work (as defined below).

 

(d) This Agreement refers to the main service agreement entered into between the Supplier and the Novartis regarding the provision of services by the Supplier to the Novartis, including all terms, appendices, and Statements of Work herein.

 

(e) Background Rights refer to intellectual property rights that meet the following conditions:

 

(i) Owned or licensed by either party as of the Effective Date of this Agreement; or

 

(ii) Acquired or created by either party during the Term of this Agreement (as defined below), excluding any Third-Party Rights (as defined below) or Created Materials (as defined below).

 

(f) Confidential Information refers to all contractual documents (as defined below) or other information disclosed or otherwise provided by either party or its affiliates to the other party in connection with matters related to this Agreement, in any form, but does not include:

 

(i) Information that enters the public domain or becomes publicly known other than through a breach of this Agreement; or

 

(ii) Information independently developed by the receiving party, with evidence of such independent development verifiable in writing; or

 

(iii) Information obtained by the Supplier from a third party, where such third party has not directly or indirectly obtained the information from the Novartis under confidentiality obligations.

 

(g) Created Materials refer to all contractual documents and other intellectual property created or prepared under this Agreement, excluding Third-Party Rights.

 

(h) Deliverables refer to the items specified as deliverables under this Agreement or any Statement of Work.

 

(i) Contractual Documents include software, documents, or any other materials existing in written, electronic, digital, video, or audio form, whether in draft or final versions.

 

(j) Contractual Fees refer to the amounts payable by the Novartis to the Supplier for the services provided under this Agreement (including third-party expenses agreed upon by both parties), as specified in this Agreement and the Statement of Work.

 

(k) Intellectual Property Rights include:

 

(i) Registered or unregistered trademarks, patents, designs, or inventions;

 

(ii) Trade names, company names, domain names, and product names;

 

(iii) Copyrights, moral rights, know-how, and confidential information;

 

(iv) Database rights; and

 

(v) Any similar rights existing worldwide or rights to apply for the registration of such rights.

 

(l) Losses refer to all losses, claims, liabilities, costs, expenses, legal fees, and damages of any nature.

 

(m) Novartis Personal Data refers to personal data disclosed or created in connection with this Agreement, relating to the personnel, customers, or clients of the Novartis.

 

(n) Novartis Order refers to the confirmation document issued by the Novartis to the Supplier regarding the contractual services, intended for invoicing and payment purposes.

 

(o) Novartis Resources refer to any resources, facilities, software, data, databases, and materials (if any) provided by the Novartis to support the contractual services in accordance with this Agreement, as specified in the Statement of Work.

 

(p) Personal Data is defined in accordance with the definition provided in Privacy Laws (as defined below) and detailed in Appendix 2.

 

(q) Performing Personnel refers to the respective employees, workers, directors, managers, licensees, subcontractors, and agents of either party and its affiliates involved in performing obligations under this Agreement.

 

(r) Privacy Laws refer to data protection laws regarding the personal data and personally identifiable information of data subjects, as specified in Appendix 2.

 

(s) Processing is defined in accordance with the definition provided in Privacy Laws.

 

(t) Contractual Products refer to items related to clinical trials, including pharmaceuticals, instruments, medical devices, laboratory equipment and consumables, and laboratory reagents.

 

(u) Contractual Services refer to the services provided by the Supplier and/or its approved subcontractors, as described in the Statement of Work.

 

(v) Statement of Work refers to the description of the contractual services outlined in Appendix 1(a) of this Agreement.

 

(w) Contractual Territory refers to all or part of the following region (as the context requires): the Republic of China (Taiwan).

 

(x) Third-Party Rights refer to intellectual property rights owned by any individual or legal entity other than the Supplier, the Novartis, or their respective affiliates.

 

1.2 Interpretation

 

In this Agreement:

 

(a) The table of contents and clause headings are provided for convenience only and shall not affect the interpretation of this Agreement;

 

(b) All variations of defined terms (capitalized terms in the English version) shall have corresponding meanings;

 

(c) References to a “person” include companies, partnerships, or any legal entity;

 

(d) References to singular terms also include their plural forms, and vice versa;

 

(e) References to “include” or “including” shall be interpreted as illustrative and not exhaustive;

 

(f) Unless restricted by applicable law, references to “written” or “in writing” include fax, email, letters, digital signatures, or certificates, or other legally recognized forms of writing;

 

(g) If a specified time period is calculated from a specific day or the occurrence of an action or event, that day shall be included in the calculation;

 

(h) References to monetary amounts are in the currency specified in the Statement of Work unless otherwise explicitly stated in the Statement of Work;

 

(i) References to either party shall, as the context requires, include their affiliates, personnel, subcontractors, or agents, but the rights under this Agreement may only be exercised or enforced by the parties expressly identified in the Agreement or the Statement of Work;

 

(j) In the event of any inconsistencies between the clauses of this Agreement, its appendices, or other referenced documents, the order of precedence shall be: the content of the Statement of Work first, followed by the clauses of this Agreement, then its appendices, and finally, any referenced documents incorporated into this Agreement.

 

2. Designation and Use of Contractual Services by Affiliates

 

2.1 During the term of this Agreement, the Novartis designates the Supplier as its non-exclusive provider of Contractual Services within the Contractual Territory. Nothing in this Agreement shall prevent the Novartis or its affiliates from supplying services identical or similar to the Contractual Services or from designating third parties to provide the Contractual Services.

 

2.2 The Novartis signs this Agreement on behalf of itself and its affiliates located within the Contractual Territory. All Contractual Services involving affiliates shall be detailed in separate, independent Statements of Work, which shall be incorporated into the terms of this Agreement. To enable affiliates to benefit from this Agreement, the Novartis may share or transfer the results of the Contractual Services with or to its affiliates. References to the Novartis in this Agreement shall also be interpreted as including the affiliates that sign the Statements of Work (where applicable). However, only the Novartis may directly exercise the rights under this Agreement on behalf of itself or its affiliates.

 

3. Term of Agreement

 

This Agreement shall become effective on the date of the last signature (“Effective Date”) and, unless terminated earlier, shall remain in effect until December 31, 2028. The term of this Agreement may be extended upon mutual written agreement by both parties.

 

4. Performance of Contractual Services

 

4.1 General Obligations of the Supplier:

 

(a) The Supplier shall comply with (and assist the Novartis in complying with) all applicable professional or industry standards, including making public disclosures and transparently revealing its relationship and dealings with the Novartis.

 

(b) The Supplier shall perform the Contractual Services in a manner that does not cause the Novartis to violate any laws, regulations, codes, or industry guidelines, thereby avoiding any significant adverse impact on the Novartis’s reputation.

 

(c) The Supplier shall, in compliance with applicable laws and regulations, obtain and maintain all necessary licenses required for providing the Contractual Services, including all internal, governmental, and industry association consents or approvals.

 

(d) The Supplier shall assign appropriately qualified and competent personnel to perform the Contractual Services in accordance with applicable professional or industry standards.

 

(e) The Supplier shall ensure that its personnel, in performing obligations under this Agreement, comply with all applicable laws, regulations, guidelines, or standards (including the Taiwan Research-Based Pharmaceutical Manufacturers Association Code of Conduct for Marketing, as applicable to the Contractual Services).

 

(f) The Supplier shall ensure that its personnel are familiar with the Contractual Products relevant to the Contractual Services.

 

(g) During the term of this Agreement, the Supplier shall not “headhunt” or solicit the Novartis’s personnel, who the Supplier has direct contact with due to this Agreement, to accept employment with the Supplier or its affiliates. This prohibition does not apply if the Novartis gives prior written consent. Additionally, this clause does not prohibit individuals from voluntarily submitting their resumes to the Supplier.

 

(h) The Supplier possesses the right, authority, and authorization to enter into this Agreement and perform its obligations.

 

(i) The Supplier has the necessary facilities, experience, and expertise required to provide the Contractual Services.

 

(j) The Supplier shall collaborate with any other third-party contractors or service providers for the purposes of this Agreement.

 

(k) The Supplier shall provide the Contractual Services in a timely manner with diligence, care, and professionalism.

 

(l) The Supplier shall deliver the Contractual Services in accordance with the service standards or key performance indicators outlined in this Agreement or the Statement of Work.

 

4.2 No Minimum Volume Requirement

 

The Novartis makes no representation or warranty regarding the minimum volume of Contractual Services required during the term of this Agreement.

 

4.3 Approval of Deliverables

 

(a) The Supplier shall, within a reasonable timeframe, deliver the Deliverables to the Novartis in accordance with this Agreement and the Statement of Work, providing the Novartis an opportunity to review and approve each Deliverable. The Novartis shall make every effort to promptly complete the review upon receipt of the Deliverables from the Supplier.

 

4.4 Novartis Resources

 

(a) During the term of this Agreement, the Novartis shall provide the agreed-upon Novartis Resources to the Supplier.

 

(b) The Supplier shall review all documents or information provided or designated by the Novartis to ensure the accuracy and sufficiency of such information required for delivering the Contractual Services.

 

4.5 Novartis Affiliates

 

At the request of the Novartis, the Supplier shall provide Contractual Services to any Novartis Affiliate under the terms and conditions of this Agreement. Requests, Statements of Work, or Orders submitted by Novartis Affiliates shall be subject to the terms and conditions of this Agreement, with references to the Novartis interpreted as referring to the relevant Novartis Affiliate.

 

4.6 Contractual Services as Outlined in the Statement of Work

 

(a) This Agreement serves as the master agreement between the Novartis and the Supplier.

 

(b) The content of the Statement of Work shall include:

 

(i) General Services and Fee Structure: Appendix 1(a), detailing the mutually agreed services and fee structure applicable to all project Statements of Work.

 

(ii) Project Statements of Work: Appendix 1(b), or documents with similar terms, shall be completed for each project related to the Contractual Services.

 

(c) Existing Statements of Work (including those signed by either Party or their Affiliates as Appendices 1(a) and 1(b)) shall be considered part of this Agreement.

 

4.7 Contractual Services Confirmed by Novartis Orders

 

(a) Unless otherwise agreed in writing by the Novartis, Contractual Services shall be confirmed through Novartis Orders to facilitate payment and invoicing.

 

(b) Any standard legal terms attached to or referenced in the Statements of Work, Novartis Orders, or Supplier’s proposed standard legal terms shall not apply.

 

4.8 Changes to the Contractual Services

 

(a) Additional or new Contractual Services shall be mutually agreed upon and documented in writing (including through Statements of Work).

 

(b) The Novartis may cancel any agreed-upon Contractual Services with at least thirty (30) days’ prior written notice to the Supplier. Upon issuance of such notice, the relevant Statement of Work shall be deemed amended accordingly.

 

(c) If the Novartis cancels the Contractual Services under this clause, the Novartis shall pay for reasonable and verified actual expenses or fees incurred prior to the cancellation date that cannot be avoided. Such payment shall not exceed the originally agreed-upon fees for the Contractual Services.

 

4.9 Non-performance of Contractual Services

 

If the Supplier’s performance of the Contractual Services fails to meet the Novartis’s reasonable satisfaction, and without prejudice to the Novartis’s other rights or remedies, the Supplier shall, at the Novartis’s discretion:

 

(a) Re-perform the Contractual Services at its own expense to rectify the non-performance;

 

(b) Rectify the Contractual Services to a standard that meets the Novartis’s reasonable satisfaction at its own expense;

 

(c) Pay service compensation; or

 

(d) Refund the Novartis for fees paid in relation to defective Contractual Services.

 

4.10 Third-party Risk Management

 

(a) The Novartis has implemented a third-party risk management framework to promote the social and environmental values of the United Nations Global Compact alongside specific third parties.

 

(b) The Supplier shall comply with the Novartis’s Third-Party Guidelines (https://www.novartis.com/esg/reporting/codes-policies-and-guidelines) as updated from time to time. The Supplier may request a copy of the guidelines free of charge.

 

(c) In accordance with Article 12.6 of the Novartis’s Third-Party Guidelines, the Supplier shall provide data/documents to the Novartis or its representatives upon reasonable request to verify compliance with the guidelines.

 

(d) The Supplier shall address and remedy any breaches of the Novartis’s Third-Party Guidelines and, upon request, report progress on remediation to the Novartis.

 

(e) The Supplier warrants that any Affiliates and/or subcontractors approved by the Novartis to deliver services/deliverables under this Agreement will comply with the Novartis’s Third-Party Guidelines. This obligation extends to all Affiliates, subcontractors, or other representatives of the Supplier involved in delivering Contractual Services.

 

(f) At the Novartis’s reasonable request and at the Supplier’s expense, the Supplier shall cooperate fully with the Novartis and its representatives to complete and submit any third-party questionnaires (and updates as requested during the Agreement term). The Supplier guarantees that all data provided in such questionnaires is accurate and complete, both before and during the term of this Agreement. Such data shall be considered part of this Agreement. For clarity, this clause applies only to the Supplier and not to subcontractors involved under this Agreement.

 

(g) The Supplier agrees and acknowledges that the Novartis’s Third-Party Guidelines form an integral part of this Agreement.

 

4.11 Legal and Policy Compliance

 

When exercising rights or performing obligations under this Agreement, the Supplier shall ensure (and cause its representatives to ensure) compliance with:

 

4.11.1 The Supplier shall not promise, offer, pay, arrange for payment, accept payment, induce payment, or take any action that could be construed as bribery.

 

4.11.2 The Supplier shall comply with all applicable laws and regulations, including those related to bribery and corruption (e.g., but not limited to, the U.S. Foreign Corrupt Practices Act and the UK Bribery Act).

 

4.11.3 The Supplier shall adhere to industry standards.

 

4.11.4 During the term of this Agreement, the Supplier shall comply with all policies and guidelines referenced in or incorporated into this Agreement, including updates to such policies and guidelines or those provided in writing (including electronically) by the Novartis.

 

4.11.5 The Supplier shall maintain appropriate and effective ethical, risk, and compliance systems, organizations, and policies (considering its size, scope, and nature of business activities) to ensure ethical business practices.

 

4.12 Assessment and Notification of Organizational Changes

 

4.12.1 The Supplier acknowledges and agrees that the Novartis may require the Supplier to complete a third-party questionnaire as part of its third-party risk management process. The Supplier shall cooperate fully (at its own expense) with the Novartis and/or its representatives to complete and return any such questionnaire (and any updates required during the term of this Agreement) in accordance with reasonable instructions. The Supplier represents and warrants that all information provided in the third-party questionnaire (whether submitted before or during the Agreement term, including updates) is accurate and complete, and such information shall be considered part of this Agreement.

 

The Supplier shall promptly notify the Novartis in writing of:

 

(i) Any material changes to the information provided in the questionnaire; and

 

(ii) Any significant changes to the Supplier’s organization.

 

Both notifications must be made as soon as reasonably practicable after the changes occur.

 

4.12.2 This Section 4.12 applies solely to the Supplier and not to any subcontractors engaged under the terms of this Agreement.

 

4.13 Computer Virus Screening

 

The Supplier shall make commercially reasonable efforts to ensure that electronic files of Contractual Documents delivered under this Agreement:

 

(a) Have undergone rigorous virus scans using commercially available software; and

 

(b) Are free from any harmful encrypted code.

 

4.14 Adverse Event Reporting

 

If the Supplier or its personnel become aware of any adverse event related to a patient using the Novartis’s product, they shall report the event to the Novartis’s pharmacovigilance department without considering its relevance, severity, labeling, and/or the type of reporter.

 

When making the report, the Supplier or its medical personnel should provide the Novartis with information about the patient’s use of the product, including personal health information necessary for the Novartis to document and report the adverse event according to legal requirements.

 

Adverse Event Reporting Details:

 

PVI Reporting Link: www.report.novartis.com

 

Email: tw.safety@novartis.com

 

Phone: 0800-205165

 

4.15 Insurance

 

The Supplier shall purchase and maintain adequate insurance coverage sufficient to cover all losses caused by the Supplier or its authorized subcontractors. Upon the Novartis’s request, the Supplier shall provide proof of such insurance.

 

5. Obligations of the Novartis

 

The Novartis shall:

 

(a) Pay the contract fees as specified under this Agreement;

 

(b) Comply with all applicable laws and regulations in fulfilling its obligations under this Agreement;

 

(c) Provide training to the Supplier’s personnel as outlined in the work statement (if mutually agreed). The Novartis’s obligations under this section are limited to providing trainers, scheduling, and training materials;

 

(d) Provide the Supplier with any Novartis resources (if available); and

 

(e) Respond to the Supplier’s information requests within a reasonable time frame.

 

6. Contract Fees, Invoicing, and Payment

 

6.1 Contract Fees

 

Unless otherwise specified in the work statement:

 

(a) All contract fees are exclusive of value-added tax (VAT). The Novartis (or any Novartis affiliate receiving the contract services under the work statement) will pay the VAT separately, according to the tax rate and method required by law. The Supplier will be responsible for any other taxes;

 

(b) The contract fees are fixed amounts and may not be changed without the prior written consent of the Novartis;

 

(c) Any third-party charges agreed by both parties must comply with the Novartis’s travel policy and must be invoiced to the Novartis at cost without any markup, fixed costs, or administrative fees. These charges must be approved by the Novartis in advance; and

 

(d) The contract fees cover all matters required to fulfill the obligations of this Agreement.

 

6.2 Issuance of Invoices

 

(a) Unless otherwise specified in the work statement, the Supplier shall issue invoices monthly for the contract services delivered in the previous month. The invoices must reference the Novartis’s order number;

 

(b) The Supplier must provide supporting documentation to verify the invoice amount as requested by the Novartis and in accordance with the invoicing procedure set out in the work statement.

 

6.3 Payment

 

(a) The Novartis (or the relevant Novartis affiliate receiving the contract services under the work statement) will pay the invoice amount within ninety (90) days from the invoice date, provided the relevant deliverables have been completed to the Novartis’s satisfaction;

 

(b) The Novartis will pay the undisputed portion of the invoice, withholding payment for the disputed portion until the dispute is resolved;

 

(c) The Novartis will pay interest on any undisputed contract fees at the rate and in the manner stipulated by applicable Taiwan laws.

 

7. Confidentiality

 

7.1 Confidentiality Obligations

 

Both parties shall:

 

(a) Disclosure to authorized personnel, agents, affiliates, or approved subcontractors who have a “need to know” for the purpose of fulfilling obligations under this Agreement, provided that such individuals are bound by confidentiality obligations at least as stringent as those in this Agreement;

 

(b) Disclosure required by law, regulation, court order, government agency, or any applicable securities exchange listing rules. If such disclosure is required, the disclosing party will promptly notify the other party and cooperate with the other party’s reasonable instructions to limit the scope of disclosure; and

 

(c) Disclosure with the written consent of the disclosing party.

 

8. Privacy Rights

 

8.1 The Supplier, in performing its obligations under this Agreement and providing the Novartis with any cluster or anonymized data under its responsibility and control, shall comply with applicable data protection and privacy laws related to the processing of personal data.

 

8.2 Both the Novartis and the Supplier anticipate that this Agreement may involve the processing of personal data in any form (including electronic files and paper records) that relates to individuals who are identifiable or can be identified (as defined under local laws and regulations). Additionally, the Supplier shall comply with the additional information security requirements set forth in Appendix 2.

 

9. Intellectual Property Rights

 

9.1 Background Rights

 

(a) The terms of this Agreement will not affect the background rights of either party.

 

(b) The Novartis grants the Supplier a non-exclusive, non-transferable, royalty-free license to use the Novartis’s background rights solely for the purpose of fulfilling this Agreement during the term of the Agreement.

 

(c) The supplier grants the other party a non-exclusive, non-transferable, royalty-free license to the supplier’s background rights, enabling the other party and its affiliates to use, modify, or translate the created materials for their business purposes and to gain the benefits from the contracted services.

 

9.2 Other Party’s Resources

 

All intellectual property contained within the other party’s resources is owned by the other party and shall be granted to the other party. The other party is responsible for obtaining the necessary waivers related to the resources to ensure the supplier can utilize such information to supply the contracted services.

 

9.3 Created Materials

 

(a) The intellectual property rights to all created materials are immediately granted to the other party upon creation. The supplier shall provide all reasonable assistance to the other party to ensure that such intellectual property rights are transferred to the other party as per this provision.

 

(b) To the extent permitted by applicable law, the supplier hereby waives any moral rights they may hold in the created materials, both current and future, and grants such moral rights to the other party.

 

(c) Unless otherwise agreed in the statement of work or other written documents from the other party, the supplier shall obtain for the other party and its affiliates a non-exclusive, non-transferable, royalty-free, permanent license to use, modify, or translate the created materials. This includes any third-party rights arising from user testimonials, photos, images, sounds, music, and other intellectual property.

 

(d) If the supplier is unable to comply with the provisions of Section 9.3(c), the supplier must notify the other party and obtain prior written consent from the other party regarding the conditions and limitations of the third-party rights usage (e.g., media, region, costs, exclusivity, duration, etc.). This consent must be obtained before incorporating such third-party rights into the created materials.

 

(e) If the created materials infringe or potentially infringe third-party rights, the supplier will cooperate with the other party to modify the created materials to avoid infringing any third-party rights.

 

(f) If the created materials contain logos, the other party is responsible for registering the trademark (if necessary). If the other party decides to register a trademark for a specific logo:

 

(i) The other party will prepare all the application and certification documents and pay all related fees for trademark registration.

 

(ii) The supplier shall, according to this provision and at the other party’s request, provide all necessary assistance.

 

10. Warranty

 

The supplier warrants that:

 

(a) As of the commencement date, there is no actual or apparent conflict of interest that could negatively affect its ability to fulfill its obligations under this agreement;

 

(b) If a conflict of interest arises during the term of the contract, the supplier will notify the other party and follow any reasonable instructions provided by the other party to resolve the conflict;

 

(c) The supplier will not promise, offer, pay, arrange to pay, accept payment, or demand payment of any amount, nor take any actions that would be considered bribery;

 

(d) The supplier will comply with all applicable laws and regulations, including those related to bribery and corruption (e.g., but not limited to, the U.S. Foreign Corrupt Practices Act, the U.K. Bribery Act, and privacy laws);

 

(e) The supplier has the right to grant or obtain intellectual property rights under this agreement on behalf of the other party;

 

(f) The use or exploitation of the supplier’s background rights, third-party rights, and created materials by the other party will not infringe on any third-party intellectual property rights, now or in the future;

 

(g) The contract fees (including all fees paid by the other party to any healthcare professionals or third parties) represent the fair market value of the contracted services. The supplier agrees that payment of the contract fees will not create any obligation to provide, supply, administer, recommend, or purchase the other party’s products, nor will it constitute any past or future business kickbacks. All invoiced amounts are for legitimate expenses, reimbursements, compensations, or contract fees incurred in the performance of the contracted services;

 

(h) The supplier will collect relevant data and submit it to the other party in accordance with the other party’s policy regarding fees and expenses for healthcare professionals, healthcare institutions, and patient organizations related to the contracted services, which must be publicly disclosed to the appropriate regulatory authorities;

 

(i) The supplier has obtained all necessary employer, industry, or government approvals required to provide the contracted services;

 

(j) Its personnel have not been disqualified, removed, or otherwise prohibited from providing contracted services within the contract area or the United States;

 

(k) If, during the term of this agreement, the supplier becomes aware that any of its personnel have been disqualified, removed, or prohibited, the supplier will promptly notify the other party and agrees to cease assigning such personnel to fulfill their obligations under this agreement as soon as the situation is known.

 

(l) The applicable laws prohibit bribery or the payment of money or provision of anything of value to individuals, companies, government officials, political parties, or candidates for public office for the purpose of obtaining or maintaining business;

 

(m) To the best of its knowledge, there is no improper inducement, and the supplier will not take any actions on behalf of the other party that would violate anti-bribery or anti-corruption laws;

 

Both parties agree to expressly exclude any implied warranties under the law, unless such warranties cannot be excluded under applicable law.

 

11. Liability and Indemnification

 

11.1 Exclusion of Consequential Losses

 

Neither party shall be liable for any indirect, consequential, special, or incidental losses arising from this agreement.

 

11.2 Limitation of Liability

 

(a) Subject to the provisions of Section 11.1, nothing in this agreement limits the liability of either party for the following:

 

(i) Any type of loss that cannot be limited under applicable law;

 

(ii) Death or personal injury caused by negligence;

 

(iii) Liability arising from a breach of confidentiality obligations or privacy laws, or any related indemnification liabilities; or

 

(iv) Liability arising from the supplier’s breach of Section 10(e) or 10(f), or any related indemnification liabilities.

 

11.3 Supplier Indemnification

 

Subject to the provisions of Section 11.1 and Section 11.5, the supplier agrees to indemnify the other party and its affiliates for any loss arising from the supplier’s breach of Sections 7, 8, and 10 of this agreement.

 

11.4 Deduction of Attributable Losses

 

Any liability (including indemnification) under this agreement shall be reduced by the portion of the loss attributable to the other party.

 

11.5 Conditions for Indemnification

 

In order to make a claim for indemnification, the party requesting indemnification (the indemnified party) must:

 

(a) Immediately notify the other party of all indemnification claims;

 

(b) Not assume liability without the written consent of the indemnifying party;

 

(c) Not take any actions that would void the indemnified party’s insurance or affect the effectiveness of the claim;

 

(d) Cooperate with the indemnifying party in defending or settling the claim, as determined by the indemnifying party, including allowing the indemnifying party to take over the defense of the claim.

 

12. Supplier Personnel

 

(a) The other party is not the employer of the supplier’s personnel. The supplier shall be solely responsible for:

 

(i) The hiring and appointment of the supplier’s personnel;

 

(ii) The payment of salary, benefits, severance, termination, pension, and taxes to the supplier’s personnel;

 

(iii) Any losses caused by the supplier’s personnel; and

 

(iv) Any damage claims made by the supplier’s personnel against the other party for any losses;

 

(v) The other party may reasonably request the replacement of any key personnel of the supplier named in this agreement or the statement of work (including project managers, account managers, or other individuals). Unless the other party believes that such personnel have engaged in unlawful conduct or negligence requiring immediate removal, the other party will provide the supplier with a reasonable opportunity to address any concerns.

 

13. Records and Audits

 

(a) The supplier will maintain appropriate records related to the provision of the contracted services and shall, upon written request from the other party, promptly provide copies of such records or reports to the other party.

 

(b) After providing reasonable prior notice, the other party may audit the supplier’s books and records to ensure the supplier is complying with this agreement, confirm the payments made by the other party, verify public disclosure reports, patient safety reporting obligations, and other Good Manufacturing Practices (GxP). Any auditors appointed by the other party shall be obligated to maintain confidentiality regarding the supplier’s confidential information.

 

(c) Upon receiving written notice from the other party regarding its intent to conduct an audit, the supplier shall immediately cooperate fully and provide all contract documents reasonably requested. If the supplier refuses or evades the audit, this will be considered a material breach of Section 14.2.

 

(d) Without violating applicable laws, the supplier shall notify the other party about any inspections, audits, or search warrants related to this agreement conducted by regulatory authorities, and shall follow any reasonable instructions from the other party regarding such inspections. If the other party receives notice of inspections or audits, or search warrants related to the supplier, the other party will provide such reasonable notice as is possible. The supplier acknowledges that the other party may not receive such prior notice.

 

14. Termination or Expiry of the Agreement

 

14.1 Mutual Right of Termination

 

Both parties have the right to terminate this agreement or the statement of work immediately by written notice if the other party experiences any of the following:

 

(a) Bankruptcy, insolvency, or failure to pay any due obligations; or

 

(b) A material breach of this agreement that cannot be corrected; or

 

(c) A material breach of this agreement that has not been corrected within thirty (30) days after written notice demanding correction from the other party.

 

14.2 Additional Termination Rights for the Other Party

 

14.2.1 If the supplier experiences any of the following, the other party may immediately terminate this agreement or the statement of work by written notice:

 

(a) A change in control that would have a significant negative impact on the performance of this agreement;

 

(b) A material violation of the other party’s third-party guidelines or requirements;

 

(c) A conflict of interest that would negatively affect the performance of this agreement; or

 

(d) A material breach of Section 4.10 (Third-Party Risk Management), Section 4.11 (Legal and Policy Compliance), Section 4.12 (Organizational Changes and Notification), Section 13(c) (Records and Audits), Section 15, or Section 16 (Prohibition on Assignment).

 

14.2.2 A violation of Section 14.2.1(b) or Section 14.2.1(d) shall constitute a material breach of this agreement, and the other party has the right to immediately terminate this agreement without any liability for damages.

 

14.3 Convenience (No-Cause) Termination

 

The other party may terminate this agreement or statement of work for convenience by providing written notice to the supplier at least forty-five (45) calendar days in advance. In such cases, the other party will pay for any reasonable and verified actual expenses, or any costs incurred due to contractual matters that cannot be canceled before the termination date.

 

14.4 Effects of Termination or Expiry of the Agreement

 

(a) Termination or expiration of the agreement will not affect any rights or obligations of either party that have accrued prior to the termination or expiration;

 

(b) Termination or expiration of the agreement will not affect the validity of the provisions of this agreement that should survive after termination or expiration (including Sections 7, 8, 9, and 11);

 

(c) The other party will pay the contract fees pro-rata for the services provided before the termination or expiration of the agreement;

 

(d) The supplier will no longer have any rights to the other party’s background rights or created materials;

 

(e) Upon termination or expiration of this agreement, the supplier shall, upon the other party’s request, immediately return or destroy all of the other party’s materials, resources, confidential information, and created materials, except for any backup copies of confidential information that must be retained in accordance with applicable regulations;

 

(f) The termination of a particular statement of work will not affect any rights or obligations under this agreement or any other statement of work.

 

15. Subcontracting

 

Without the prior written consent of the other party, the supplier shall not have the right to subcontract or re-assign any of its obligations under this agreement. By entering into this agreement, the supplier represents and warrants to the other party that it has conducted reasonable and appropriate due diligence to assess any potential subcontractors or re-assignees, and that such due diligence procedures have been applied to those subcontractors or re-assignees who are applying to the other party, with no negative findings.

 

15.1 The supplier will be fully responsible for the actions or inactions of any approved subcontractors or re-assignees, as well as for any breaches or failures to perform under this agreement;

 

15.2 The supplier will include in any subcontract agreement with any approved subcontractor provisions consistent with the obligations under this agreement;

 

15.3 The supplier will be fully responsible for all costs related to any such re-assignment or subcontracting arrangements.

 

15.4 Furthermore, the supplier agrees to implement and maintain an ongoing supervision plan for any approved subcontractors during the term of this agreement. If any irregularities arise during the supervision process, the supplier shall promptly notify the other party in writing and shall notify the other party within seven (7) days of the occurrence of such irregularities.

 

16. Transfer Restrictions

 

16.1 This agreement shall not be transferred without the prior written consent of the other party. The other party shall not unreasonably withhold such prior written consent. Any attempt to transfer in violation of this section shall be null and void. Notwithstanding the foregoing, the other party has the right to decide, without requiring further written consent from the supplier (the supplier hereby confirms that such written consent has been provided to the other party), to:

 

(a) Transfer this agreement and/or any rights or obligations related to this agreement to an affiliate of the other party; and

 

(b) Transfer this agreement and/or any rights or obligations related to this agreement in relation to any situation involving capital increase or decrease, including but not limited to mergers, company splits, company consolidations, restructurings, stock sales, asset sales, joint ventures.

 

For the avoidance of doubt, any (approved) transferee will assume all rights and obligations of the transferor under this agreement (if it is a partial transfer, the transferee will assume the rights and obligations related to the transferred portion of the agreement).

 

16.2 In the following circumstances:

 

(a) An affiliate receiving contract services/deliverables no longer qualifies as an affiliate under this agreement due to any form of disinvestment, including but not limited to mergers, company splits, company consolidations, restructurings, stock sales, asset sales, or joint ventures (hereinafter referred to as “former affiliates”); or

 

(b) Any assets related to the other party’s business are transferred or sold to a third-party buyer (hereinafter referred to as “buyer”).

 

Upon the entity ceasing to be an affiliate or the asset being transferred to the buyer, the supplier shall, upon request by the other party, continue to provide the relevant contract services/deliverables to the former affiliate or buyer during the transition period according to the other party’s individual transition services or other commitments. The contract services/deliverables provided to the former affiliate or buyer shall be provided under the terms and conditions of this agreement.

 

17. Miscellaneous

 

17.1 Party Relationship

 

The parties are independent entities, and nothing in this agreement shall establish any partnership, agency, joint venture, or employment relationship between the parties or their affiliates or personnel.

 

17.2 Governing Law

 

This agreement, as well as any disputes or claims arising out of or related to this agreement, shall be governed by the laws of Taiwan, excluding its conflict of laws principles.

 

17.3 Dispute Resolution and Jurisdiction

 

(a) Before initiating litigation or formal dispute resolution, both parties shall attempt to resolve any dispute arising from or related to this agreement through negotiation. Even if a dispute arises, both parties shall continue to fulfill their obligations under this agreement. This provision shall not prevent either party from seeking interim relief in court.

 

(b) Without limiting any right of appeal, the Taipei District Court in Taiwan shall have exclusive jurisdiction.

 

17.4 Notifications

 

All notifications must be in writing and shall be deemed officially delivered at the following times: if delivered in person, at the time of delivery; if sent electronically, at the time shown on the proof of delivery; if sent by registered mail, two business days after the mailing date. All notifications should be sent to the following recipients and addresses unless either party notifies the other of a change in contact information in writing:

 

To Novartis: Yap Swee Yoong, Novartis Malaysia Sdn. Bhd. Level 18, Imazium, No. 8, Jalan SS21/37, Damansara Uptown, 47400 Petaling Jaya, Selangor, Malaysia. Email: sweenovartis.com

 

To the supplier: Lin Mei-Ling

 

Address: Yong Ding Biopharm Co., Ltd, 12th Floor, 101 Section 2, Nanjing East Road, Zhongshan District, Taipei City. Email: purchase-order@udn-pham1.com

 

17.5 Amendments

 

Any changes to the terms of this agreement must be in writing and signed by both parties to be effective. Contract services may be modified according to Section 4.8.

 

17.6 Entire Agreement

 

This agreement, its appendices, and any documents referenced within it, constitute the complete and exclusive agreement between the parties with respect to the subject matter of this agreement and supersede all prior agreements and understandings between the parties on this subject.

 

17.7 Severability

 

If a court with jurisdiction finds any part of this agreement to be invalid, such finding will not render the remainder of the agreement invalid. The parties shall negotiate in good faith to modify the invalid parts.

 

17.8 Third-Party Beneficiaries

 

Unless explicitly stated otherwise, no provision of this agreement is intended for the benefit of any third party, nor may any third party exercise any rights under it.

 

17.9 Agreement Storage and Digital Signatures

 

The parties may sign and exchange multiple counterparts of the signature page of this agreement, each of which shall be considered an original. If this agreement is signed with digital signatures, the parties agree that such signatures shall be binding upon both parties.

 

17.10 Costs

 

Each party shall bear its own costs incurred in preparing, negotiating, signing, stamping, or otherwise making this agreement legally effective.

 

17.11 Publicity and Use of Name

 

Except as required by applicable laws, neither party shall use the name, logo, trademark, or products of the other party or its affiliates in any public statements, publicity, advertisements, public relations, or marketing materials without prior written approval from the other party.

 

17.12 Waiver

 

Any waiver of rights must be made in writing by the waiving party to be effective. The failure or delay of either party to exercise any right or remedy shall not prevent the future exercise of such right or remedy. A partial or single waiver does not constitute a waiver of future rights or remedies.

 

Thus, the parties execute this agreement by signing or affixing their seals through their authorized representatives, as proof of their consent.

 

Novartis (Taiwan) Co., Ltd.  
   
Signature:  
   
Representative:  
   
Title:  
   
Yong Ding Biopharm Co., Ltd  
   
Signature:  
   
Representative:  
   
Title:  

 

Appendix 1(a) - Work Statement

 

1. Work Statement Overview:

(a) General Services and Contract Fee Structure: This Appendix 1(a) is applicable from the effective date. It details the contractual services and fees agreed upon by both parties under Clause 4.6 of the main agreement, covering all project-specific work statements.

(b) Project Work Statement: Appendix 1(b) or any document containing similar terms should be filled out for each specific project related to the contract services.

 

2. Discrepancies:

(a) The work statement only modifies the main agreement to the extent expressly specified. All other clauses in the main agreement shall remain in full effect.

(b) If any discrepancies exist between Appendix 1(a) and Appendix 1(b) for a specific project, Appendix 1(b) shall take precedence.

(c) The work statement and the main agreement shall replace the standard commercial terms attached or referenced in the project’s Appendix 1(b) and any standard commercial terms proposed by the supplier; such terms shall have no effect.

 

3. Contract Services and Fees:

3.1 The supplier shall deliver to the other party the clinical trial comparator drugs, related medical devices, instruments and equipment, laboratory equipment and consumables, and related testing reagents (hereinafter referred to as “deliverables”) according to the terms of the main agreement.

3.2 The supplier shall deliver the deliverables to the other party no later than the delivery date. If the supplier fails to deliver the deliverables by the delivery date, the supplier shall be liable for any delays.

3.3 After delivering the deliverables to the other party, the supplier shall provide a correct and valid invoice to the other party. The other party will pay the invoiced amount within ninety (90) days from the date of the correct and valid invoice.

 

Schedule 1

 

Items To Be Delivered | Delivery Date | Costs/Fees (NTD) | Delivery Quantity
ZOLADEX 3.6MG (GOSERELIN) | 2023/12/31 | 587,873 (price per box 4,111) | 36 boxes in April
XELODA 500MG (Capecitabine) | 2023/12/31 | 294,500 (price per box 15,500) | 10 boxes in April
NAVELBINE 20MG | 2023/12/31 | 154,800 (price per box 4,300) | 18 boxes in April
NAVELBINE 30MG | 2023/12/31 | 1,360,800 (price per box 6,300) | 108 boxes in April
ZOLADEX 3.6MG (GOSERELIN) | 2023/12/31 | 587,873 (price per box 4,111) | 36 boxes in April

 

4. Invoice Issuance Procedures

 

(a) For the Novartis, the Supplier should send the correct invoice to Novartis Taiwan Ltd. (8th Floor, No. 2, Section 3, Minsheng East Road, Zhongshan District, Taipei City). If the Novartis’s affiliated company is receiving the contract services according to the Work Order, the relevant invoice issuance requirements will be specified in the respective Work Order (if such requirements differ from those stated in this clause).

 

(b) The Supplier must include the applicable project, service completion date, payable amount, and Novartis contact person in the invoice; the Novartis may designate/change the contact person from time to time.

 

(c) The Novartis shall pay the undisputed amount within ninety (90) days after receipt of the applicable invoice.

 

(d) Expenses related to the contract fees, agreed upon in advance by the Novartis or its affiliated company, can be reimbursed by the Supplier.

 

(e) The Supplier must attach the corresponding receipts or other payment proof when submitting the invoice to the Novartis.

 

(f) The invoice must include:

 

(i) The name and address of the Supplier;

 

(ii) The related contract services and the Novartis’s project/order number;

 

(iii) The invoiced amount; and

 

(iv) The Supplier’s unified business registration number (if applicable).

 

(g) The Supplier may not request any other payments or compensation from the Novartis for the contract services.

 

5. Novartis Policies

 

The Supplier must comply with the following Novartis policies when performing the contract services (based on the latest version, which may be updated periodically): https://www.novartis.com/about-us/corporate-responsibility/resources-news/codes-policies-guidelines

 

(a) The Novartis Third-Party Guidelines (link), including the basic information security and privacy regulations specified therein;

 

(b) The Novartis’s travel policy, which outlines the reimbursement limits and principles for the accommodation, meals, travel, and expenses for suppliers, healthcare professionals, or consultants;

 

(c) The Novartis Anti-Bribery Policy, Third-Party Guidelines, Novartis Code of Ethics, and Novartis Privacy Policy (link);

 

(d) The Novartis Global P3 Policy (link) regarding the following matters:

 

1. Policy on payments for fair market value fees and reasonable expenses;

 

2. Prior approval for activities, gifts, expenses, travel support, and all internal or external content or promotional materials during the provision of contract services or representing the Novartis;

 

3. Public disclosure policies and guidelines for collecting, obtaining consent, and reporting information related to activities, expenses, and costs involving healthcare professionals, healthcare organizations, and patient organizations;

 

4. Prior approval requirements for external investments, reputation assessments, outsourcing, donations, and sponsorships made on behalf of the Novartis;

 

5. If applicable, obtaining all necessary privacy rights and intellectual property consent from individuals involved in the contract services, regarding their personal data, deliverables, and other related information;

 

6. Management and Key Personnel

 

Novartis (Taiwan) Co., Ltd.

 

To: Chuang Ping
Address: 8th Floor, No. 2, Section 3, Minsheng East Road, Zhongshan District, Taipei City
Phone: +886223227979
Email: ping.chuang@novartis.com

 

Yong Ding Biopharm Co., Ltd

 

To: Lin Mei-ling
Address: 12th Floor, No. 101, Section 2, Nanjing East Road, Zhongshan District, Taipei City
Phone: +8862821-7099
Email: purchase-order@udn-pharm.com

 

Appendix 2 - Novartis Information Security Supplementary Guidelines

 

Appendix 2 - Information Security Supplementary Guidelines

 

This Information Security Supplementary Guidelines (hereinafter referred to as “Supplementary Guidelines”) is intended to supplement the terms and conditions of any other information security guidelines set forth in the main contract or any independent data processing agreements, including but not limited to the basic information security controls cited in the Novartis Third-Party Guidelines (defined below) (collectively referred to as the “Basic Guidelines”). In the event of any conflict between the Basic Guidelines and these Supplementary Guidelines, the stricter standard (from an information security perspective) shall prevail. The Supplier agrees and acknowledges that these Supplementary Guidelines form part of the main contract.

 

In these Supplementary Guidelines, the terms in boldface, unless the context otherwise requires, shall have the following meanings:

 

“Data Protection Laws” refers to all laws, rules, regulations, and orders regarding the privacy rights, data security, confidentiality, and/or integrity of personal data (defined below) applicable to the Supplier and the Novartis’s business, services, or products in any jurisdiction or region, including but not limited to Taiwan’s Personal Data Protection Act, the U.S. Health Insurance Portability and Accountability Act (HIPAA, codified in 45 U.S. Code § 164.508(b); hereinafter referred to as the “HIPAA Privacy Rule”), the applicable laws in this Appendix and the main contract, and/or the European Union’s General Data Protection Regulation (EU GDPR 2016/679);

 

“Best Industry Practices” refers to the professional methods that should be adopted by service providers with equivalent technical skills, training, and experience in performing similar services, using reasonable skills and care, following industry standards, ensuring efficiency, safety, punctuality, timeliness, and diligence, including but not limited to information security industry practices;

 

“Information Security Controls” refers to the basic information security controls for suppliers published on Novartis’s internal network, which are part of the Novartis Third-Party Guidelines;

 

“Novartis Data” refers to all data, documents, or records related to the Novartis’s business, regardless of the nature (including personal data and confidential Novartis information) and form, including customer, employee, or other information, whether generated before or after the signing of the main contract, whether created or processed in the performance of the contract services, and whether provided to the Supplier by the Novartis (or a third party representing the Novartis) in connection with the main contract;

 

“Novartis Environment” refers to all Novartis systems, Novartis data centers, third-party systems owned or authorized by the Novartis, infrastructures managed by the Novartis, Novartis affiliates, or Novartis subcontractors, or any other systems, interfaces, or infrastructures as notified from time to time by the Novartis.

 

“Novartis Third-Party Guidelines” refers to the Novartis Third-Party Guidelines (Novartis Third Party Code) mentioned in Article 4.10 of this agreement;

 

“Both Parties” refers to both the Novartis and the Third Party collectively;

 

“Personal Data” refers to any information relating to an identified or identifiable individual, including but not limited to electronic data and paper files directly or indirectly processed by the Supplier or the Supplier’s subcontractors on behalf of the Novartis and following the Novartis’s instructions. Personal data can include names or abbreviations, home addresses or other physical addresses, mobile/cell phone or landline numbers, photographs, and/or any data or information subject to data protection laws. Personal data also includes special/sensitive personal data (defined below).

 

“Recovery Point Objective” (RPO) refers to the specific point in time to which Novartis data must be restored following an event that causes business interruption. This objective aims to ensure the recovery of business activities following such an interruption.

 

“Recovery Time Objective” (RTO) refers to the maximum time allowable for the restoration of business activities, relevant resources, or products and services before unacceptable levels of impact occur following a business interruption event. This goal must be constrained to ensure that the negative impact of the disruption does not reach unacceptable levels.

 

“Security Incident” refers to any actual or potential event that may impact the confidentiality, integrity, availability, or resilience of Novartis data.

 

“Information Security Industry Practices” refers to the practices defined by international standards such as ISO/IEC 27001, ISO/IEC 27002:2013, SSAE-16, ISAE3402, the U.S. National Institute of Standards and Technology (NIST) standard NIST 800-44, the Open Web Application Security Project (OWASP) Guide to Building Secure Web Applications, and standards from the Center for Internet Security (CIS), or any other applicable industry information security standards agreed upon by both parties.

 

“Special/Sensitive Personal Data” refers to:

 

(i) the physical, physiological, or psychological characteristics of a natural person, economic status, ethnicity or race, political opinions, philosophical beliefs, religious views or faiths, union membership, health or medical information (including information on healthcare payments), sexual life or sexual orientation, genetic material or information, biological samples or cells, unique biometric data, or personality profiles;

 

(ii) a natural person’s name or abbreviation, combined with any of the following: (1) Social Security Number (ID number); (2) Alien Resident Certificate number; (3) Driver’s license number; (4) Passport number, visa number, or other government-issued identification code; (5) Credit card, debit card, or other financial account numbers, whether or not they include related access codes or passwords; or (6) Mother’s maiden name. Special/Sensitive Personal Data is a subset of Personal Data.

 

“Supplier” includes (unless otherwise specified in context) the Supplier’s affiliates and their respective subcontractors and agents.

 

1. Supplier Evaluation: Article 10.6 of the Novartis Third-Party Guidelines shall be supplemented as follows:

 

1.1 The Novartis or its designated third party has the right to monitor, inspect, and assess the organizational, technical, and administrative safeguards established by the Supplier, as well as any corresponding measures taken to ensure the security, availability, integrity, and resilience of Novartis data. This includes, but is not limited to, relevant processes, policies, systems, business continuity test reports, and infrastructure. The Supplier shall provide records and supporting documentation of the above measures in accordance with the Novartis’s reasonable requests regarding form and schedule. The Supplier shall cooperate with and assist the Novartis or its designated third party in conducting the above evaluation. Without prejudice to the Novartis’s rights mentioned above, the Supplier shall (or shall require its service provider to) maintain the following third-party certifications or audit reports:

 

Supplier Certification/Audit Report | Version/Date
[To be completed by Supplier] |

 

1.2 The Novartis has the right to perform a detailed on-site or off-site technical evaluation to assess the effectiveness of implemented measures to ensure the confidentiality, availability, integrity, and resilience of the platform. Reports of such evaluations will be provided to the Supplier, and the Supplier shall correct any deficiencies identified as outlined in Section 1.5 of Appendix 3 (if any).

 

1.3 The Supplier shall regularly perform penetration and security testing according to best industry practices. The scope should cover known vulnerabilities in the environment used to process Novartis data in order to identify deficiencies and improve security.

 

1.4 (If previous penetration tests, independent assessments, or other Novartis evaluations did not require third-party penetration testing due to the identification of deficiencies), the Novartis may (at its own cost or through contractors) perform penetration testing on applications and infrastructure, but such evaluations may only be conducted once per calendar year. Reports from such evaluations will be provided to the Supplier, and the Supplier shall correct any deficiencies identified as described in Section 1.5.

 

1.5 The Supplier shall immediately correct any identified deficiencies without unnecessary delay, and no later than the deadline set in the remediation plan. Both parties agree that if a second evaluation finds significant non-compliance, or the Supplier fails to remedy the deficiencies according to the remediation plan, it will be considered a material breach of the main contract that cannot be remedied.

 

2. Supply of Contract Services shall be in accordance with recognized standards. Article 1 of the Information Security Control Standards shall be amended and supplemented as follows:

 

2.1 The Supplier shall process, treat, and handle Novartis data in accordance with best industry practices.

 

3. Minimum Standards for Encryption and Business Continuity: Article 2 of the Information Security Control Standards shall be amended and supplemented as follows:

 

3.1 The Supplier shall, at a minimum, adopt 256-bit AES (symmetric) or 4096-bit (asymmetric) RSA encryption algorithms, approved by the Novartis, and at least comply with the TLS 1.2 standard or equivalent latest encryption technology.

 

3.2If the contract services may negatively impact any of the Novartis’s business operations, both parties must agree in writing to specify the Recovery Time Objective (RTO) and Recovery Point Objective (RPO) that the Supplier shall ensure. If not explicitly required in the main contract, the RTO and RPO shall be as listed in the following table:

 

Objective | Maximum Time Limit to Meet (Unit: Hours)
Recovery Time Objective (RTO) |
Recovery Point Objective (RPO) |

 


4. Production Data Handling: Article 2 of the Information Security Control Standards shall be amended and supplemented as follows:

4.1 If the Supplier is allowed to process or store Novartis data, both parties shall mutually agree in the main contract and specify the data location, as well as the locations from which the Supplier may access and use Novartis data. If the main contract does not explicitly specify the above locations, they should be provided in the following table:

 

Location
Novartis Data Physical Location  
Supplier’s Allowed Locations to Access Novartis Data  

 

4.2 The Supplier shall only process Novartis production data at the following locations:

(a) A secure production environment; or

(b) An environment mutually agreed upon by both parties, where the security measures are equivalent to those applied in the secure production environment.

5. Novartis Environment: Articles 4, 7, and 15 of the Information Security Control Standards shall be amended and supplemented as follows:

5.1 The Supplier acknowledges and agrees that any connection, interaction, or integration with the Novartis’s environment must be approved in writing by the Novartis in advance (such provision may already exist in the main contract). The connection to the Novartis’s environment must be maintained, protected, and tested according to mutually agreed information security industry practices, and the Novartis may, at any time, decide to terminate or request the termination of such connections.

5.2 The Supplier shall ensure that neither it nor its personnel will use the following to intrude into the Novartis’s environment:

(a) Any virus or other harmful code aimed at disabling, damaging, or facilitating unauthorized access to the Novartis’s environment;

(b) Any code used for keylogging or software used to enforce authorization restrictions;

(c) Any code that provides functionality not authorized in writing by the Novartis (in all three of these cases, including but not limited to those resulting from failure to follow the requirements defined in Appendix 3, Section 5.1).

5.3 The Supplier may only extract and access data defined by the Novartis. If the Supplier identifies data that has not been defined by the Novartis but is accessible, it shall immediately notify the Novartis. The notification should be made in accordance with the information security incident notification provisions outlined in Appendix 3, Section 8.

 


6. Personnel with Access to the Novartis’s Environment: Article 8 of the Information Security Control Standards shall be amended and supplemented as follows:

6.1 If Supplier personnel:

(i) Are provided with access cards (or other access mechanisms) by the Novartis to enter its premises;

(ii) Are provided with personalized network access accounts (e.g., Novartis 5-2-1 accounts) and Novartis laptops;

(iii) Are provided with Novartis email accounts; or

(iv) Are granted other types of access rights to the Novartis’s environment,

the Supplier shall ensure that such personnel comply with the applicable Novartis information security policies and participate in Novartis training, with no costs to be borne by the Novartis. If there are any changes in Supplier or Supplier subcontractor personnel that may affect the access rights to the Novartis’s environment, the Supplier shall immediately notify the Novartis, without undue delay. Personnel changes may include, but are not limited to, termination of employment contracts, changes in job locations or duties, or termination of subcontractor appointments.

 

7. Return of Novartis Data: Article 10 of the Information Security Control Standards shall be amended and supplemented as follows:

7.1 In addition to the disposal provisions outlined in Article 10 of the Information Security Control Standards, the Novartis also has the right to retrieve Novartis data in the format and timeline it specifies.

8. Information Security Incidents: Article 12 of the Information Security Control Standards shall be amended and supplemented as follows:

8.1 The Supplier shall monitor, analyze, and respond to information security incidents defined in this Section 8. If any actual or suspected information security incident occurs that may impact the Novartis or Novartis data, the Supplier shall report it to the Novartis and cooperate with the Novartis. Confirmed security incidents shall be treated as the highest priority.

8.2 If the Supplier discovers a security incident, it must notify the Novartis through the following contact methods:

 

Phone: +420 225 775 050 (Backup number: +420 225 850 012)

Email: soc@novartis.com.

 

8.3 If the Novartis discovers a security incident, it must notify the Supplier through the following contact methods: [To be provided by the Supplier].

 


8.4 The Supplier shall, in any case, at a minimum, follow the below security incident management process:

8.4.1 After discovering a security incident, the Supplier must notify the Novartis within twenty-four (24) hours without undue delay.

8.4.2 Once a security incident is confirmed, the Supplier shall consult with the Novartis and take appropriate measures to minimize further impact on the Novartis’s data, without undue delay. Appropriate actions must be implemented no later than forty-eight (48) hours after the security incident confirmation. These actions should include, but are not limited to:

8.4.2.1 Stopping improper access to or any other improper activity involving the Novartis’s data;

8.4.2.2 Proposing corrective action plans to prevent the recurrence of the same security incident;

8.4.2.3 Restoring normal operations of contract services; and

8.4.2.4 Regularly reporting progress on the implementation of corrective actions to the Novartis.

 

After implementing the corrective actions to prevent the recurrence of the security incident, the Supplier must submit a written report to the Novartis detailing the corrective actions taken and the security measures implemented.

 

9. Patch Management: Article 14 of the Information Security Control Standards shall be amended and supplemented as follows:

9.1 The Supplier must monitor available patches, assess and test them, and promptly implement them in all systems supporting contract services or processing the Novartis’s data.

9.2 If the assessment concludes that a specific patch should not be applied, the Supplier must ensure:

a) Alternative controls or protective measures are implemented to ensure the confidentiality, integrity, and availability of all systems supporting contract services or processing the Novartis’s data; or

b) Provide supporting documentation for the assessment results and explain the potential risks the patch might cause and the reasons for not applying it.

 

Violations of this supplement shall be considered a material breach of the main contract, subject to the termination clauses of the main contract for material breaches.

 


Appendix 3 – Purchase Order

 

Third-Party Risk Management

 

The Novartis expects you to adhere to ethical business practices and comply with the Novartis Third-Party Guidelines as well as any other applicable guidelines, policies, and instructions issued by the Novartis.

 

You hereby agree that, in providing the contract services/deliverables under this purchase order, you will:

 

1. Comply with the Novartis Third-Party Guidelines (according to the latest version updated periodically). You may visit https://www.novartis.com/esg/reporting/codes-policies-and-guidelines to view or download them. You may request a copy from the Novartis at no cost.

2. Upon reasonable request by the Novartis, its affiliates, and their respective agents, provide information/documents in the format required by the Novartis to verify your compliance with the Novartis Third-Party Guidelines.

3. Use best efforts to correct and remedy any violations of the Novartis Third-Party Guidelines and report on the remedial progress as requested by the Novartis, its affiliates, and their respective agents.

4. Guarantee that any affiliates, subcontractors, or other representatives of the Supplier directly involved in providing the contract services/deliverables under this purchase order will also be required to comply with all the aforementioned requirements.

5. Upon reasonable request by the Novartis, at your own expense, fully cooperate with the Novartis, its affiliates, and their respective agents to complete and submit any questionnaires related to compliance that you may receive at any time, including updates to these questionnaires (hereinafter referred to as “Third-Party Questionnaires”), which form part of the Novartis’s third-party risk management process. You commit and guarantee that, whether before or after the date of this purchase order (including any amendments), the information provided in such Third-Party Questionnaires is correct and complete, and the information will be considered an integral part of the valid and effective contract formed between you and the Novartis under this purchase order. For clarity, this provision applies only to you and not to any subcontractors or agents engaged or employed by you in connection with this purchase order.

 

Upon written request from the Novartis, within seven business days of receiving the request, you will permit Novartis personnel or any third-party auditor designated by the Novartis to appropriately access your company/facility/operating premises and any documents/records related to this purchase order to conduct an audit for compliance with the aforementioned obligations.

 

Failure to comply with any of the above matters will entitle the Novartis to terminate the valid and effective contract between you and the Novartis formed under this purchase order. The termination will take effect immediately, and the Novartis will not be obligated to provide any compensation or indemnity.

 

You confirm that you have fully read and understood the latest version of the Novartis Third-Party Guidelines.

 
