Exhibit 10.16

Master Service Agreement

This Master Service Agreement (hereinafter referred to as the “Agreement”) is entered into as of [January 1, 2024] (hereinafter referred to as the “Effective Date”) by and between ALCON SERVICES AG, TAIWAN BRANCH (SWITZERLAND) (located at 11F., No. 99, Sec. 2, Ren’ai Rd., Zhongzheng Dist., Taipei City, hereinafter referred to as “ALCON”) and Yong Ding Biopharm Co., Ltd (located at 9F., No. 510, Sec. 7, Zhongxiao E. Rd., Nangang Dist., Taipei City , hereinafter referred to as the “Supplier”). The parties agree as follows:

Article 1: Term and Termination

1.01 Term

The term of this Agreement (hereinafter referred to as the “Agreement Term”) shall commence on the Effective Date and expire on December 31, 2026. If any Statement of Work (SOW) signed under this Agreement during the Agreement Term requires services to be performed after the expiration or termination of this Agreement, the terms of this Agreement shall continue to apply to such SOW until the SOW expires or is terminated.

1.02 Termination

The termination provisions of this Agreement are as follows:

(i) ALCON may terminate this Agreement at any time for any reason by providing 30 days’ prior written notice; or

(ii) If either party breaches any material provision of this Agreement and fails to remedy such breach within 15 business days after receiving written notice from the other party, the non-breaching party may terminate this Agreement by written notice. Upon termination of this Agreement for any reason, the Supplier shall be entitled to payment for all qualified work completed before the effective date of termination.

1.03 Post-Termination Obligations

Upon expiration or termination of this Agreement, the Supplier shall terminate the services in the most cost-effective manner. If this Agreement is terminated:

(a) By ALCON under Clause 1.02(i), ALCON shall pay the Supplier for all reasonable performance-related expenses incurred and non-cancelable commitments made before termination, and the Supplier shall deliver all work products produced prior to the termination to ALCON.

(b) Due to the Supplier’s breach under Clause 1.02(ii), ALCON shall have no obligations to the Supplier under this Agreement, and termination shall not affect ALCON’s right to make claims or seek damages for the Supplier’s breach.

1

Article 2: Services and Deliverables

2.01 Statement of Work (SOW)

During the term of this Agreement, the Supplier and ALCON may execute Statements of Work (SOWs) in the form attached as Exhibit A to specify the following:

(i) Services to be provided by the Supplier (hereinafter referred to as the “Services”) and deliverables (hereinafter referred to as the “Deliverables”) (collectively, “Work Products”);

(ii) Supplier’s fees and expenses;

(iii) The service period (hereinafter referred to as the “Service Period”), if applicable; and

(iv) Any additional terms and conditions.

All SOWs shall form part of this Agreement and be governed by its terms. The first SOW issued under this Agreement shall be numbered Exhibit A-1, and so forth. The Supplier shall not commence any work related to the Services or Deliverables without a valid procurement instruction from ALCON.

2.02 Purchase Orders

For transactions below the threshold specified in ALCON’s internal procurement policy, ALCON may choose to issue purchase orders (hereinafter referred to as “Purchase Orders”) in lieu of SOWs. Such Purchase Orders must:

(i) Contain content similar to the aforementioned SOWs, and

(ii) Explicitly state that they are governed by the terms of this Agreement.

2.03 Changes to SOWs or Purchase Orders

ALCON may, at any time, make reasonable requests for changes to the scope of work described in an SOW or Purchase Order. If such changes result in increased or decreased costs or time required for the Supplier’s performance, reasonable adjustments shall be made to the corresponding fees and/or delivery schedule.

2

2.04 Affiliates

Any affiliate of ALCON may, under the terms of this Agreement, procure the Services and Deliverables by executing SOWs or issuing Purchase Orders to the Supplier. Each SOW or Purchase Order must explicitly state that it is governed by the terms of this Agreement. For such transactions:

(i) All references to “ALCON” in this Agreement shall be deemed to refer to the specific affiliate;

(ii) The affiliate shall be solely and fully responsible for its contractual obligations, including payment for all costs incurred under the SOW or Purchase Order; and

(iii) Each SOW or Purchase Order, together with the terms of this Agreement, shall constitute an independent and enforceable agreement between the Supplier and the specific affiliate. Any terms in the Purchase Order beyond the scope of this Agreement’s Services and Deliverables shall be considered invalid and excluded.

For the purposes of this Agreement, any entity controlling, controlled by, or under common control with a party (whether a corporation or other entity) shall be considered an “Affiliate.” “Control” refers to direct or indirect ownership of more than 50% of the equity interest in the controlled entity or having significant influence over its operational decisions.

2.05 Priority

In the event of any conflict between the provisions of this Agreement and the content of an SOW, the terms of this Agreement shall prevail, unless the SOW explicitly modifies specific provisions of this Agreement. Any unilateral confirmation documents issued by the Supplier shall have no effect and the terms of this Agreement shall prevail.

2.06 Acceptance

ALCON shall, within a reasonable time, either accept or reject any Services or Deliverables provided by the Supplier. Failure to promptly accept or reject any Services or Deliverables, or failure to discover defects during acceptance, shall not relieve the Supplier of its obligations to meet the quality and standards required under this Agreement. ALCON shall not bear any liability for undiscovered defects. If any Service or Deliverable is found to be defective or fails to meet the requirements (including applicable specifications), ALCON may, at the Supplier’s expense, choose to:

(a) Reject and return the Deliverables;

(b) Require the Supplier to re-perform the Services or replace the Deliverables to meet the requirements of this Agreement; and/or

(c) Take necessary measures to correct all defects and bring the Services and/or Deliverables into compliance with the requirements of this Agreement.

2.07 Communication and Information

Both parties shall communicate regularly regarding all matters related to the Services and/or Deliverables. If any unforeseen outcomes, issues, or difficulties arise concerning the Services and/or Deliverables, the Supplier shall promptly notify ALCON.

3

Article 3: Warranties

3.01 General Provisions

The Supplier represents and warrants that all services under this Agreement and all deliverables produced shall be executed in a good and professional manner in accordance with recognized industry standards. The Supplier warrants that all services and deliverables under this Agreement shall conform to the specifications, designs, and other requirements approved or adopted in the relevant Statement of Work, including quality and performance standards. The Supplier further warrants that it is a legally established, validly existing, and operational entity (corporation, limited company, or limited liability partnership) under the laws of its jurisdiction, with full power and authority to conduct its current business operations.

3.02 Animal Protection

For services involving the use of animals, the Supplier warrants:

(a) All such services shall be conducted solely under the Supplier’s direct supervision and within its facilities;

(b) The care, use, and handling of animals shall comply with the strictest applicable animal testing regulations and ethical standards;

(c) Facilities, equipment, housing, management, veterinary services, and infrastructure used for the animals during the performance of services shall be suitable for the type of animals and the nature of the services;

(d) All activities described in the Statement of Work have been approved by the Institutional Animal Care and Use Committee (IACUC) as defined under Taiwan’s Animal Protection Act and equivalent laws in other countries. The care, use, housing, management, and disposal of the animals shall be supervised by the IACUC throughout the service period;

(e) The animals shall never be used as food for humans or animals under any circumstances;

(f) If ALCON issues specific instructions regarding the use, care, handling, or disposal of animals, the Supplier shall comply with such instructions while providing services under this Agreement for ALCON or its affiliates; and

(g) ALCON reserves the right to inspect the Supplier’s facilities and records during normal working hours to ensure compliance with Clause 3.02.

4

3.03 Prohibition, Exclusion, Licensing, and Investigations

(a) The Supplier represents and warrants that it is not currently excluded, debarred, suspended, or otherwise ineligible under the laws of Taiwan (R.O.C.) or any other country from participating in healthcare-related governmental or corporate programs.

(b) The Supplier shall promptly notify ALCON upon becoming aware that any governmental authority, agency, professional licensing or certification body, or healthcare payer or provider connected to the Supplier’s services under this Agreement is conducting an investigation into the Supplier or its affiliates.

(c) The Supplier shall immediately inform ALCON upon receiving formal notice that any governmental authority, agency, licensing or certification body, or healthcare payer or provider intends to suspend, revoke, or terminate the Supplier’s license, certification, or qualifications necessary to provide the services under this Agreement.

(d) The Supplier acknowledges that any breach of this clause constitutes a material breach of this Agreement, entitling ALCON to terminate the Agreement immediately without providing an opportunity for rectification.

3.04 Product Warranty

If the products provided by the Supplier qualify as medical devices under applicable laws, the Supplier warrants that such products comply with all relevant regulations, possess valid pharmaceutical licenses and product permits, and include Chinese labeling and instructions as required. The Supplier shall provide ALCON with products that meet national standards and ensure that the quality, packaging, trademarks, and usage instructions conform to relevant international and industry standards. The Supplier shall be fully responsible for any losses incurred by ALCON due to quality issues with the products, including but not limited to packaging defects.

5

Article 4: Service Fees, Payments, and Taxes

4.01 Service Fees

For all services and deliverables (if any) provided under this Agreement, ALCON shall pay the Supplier the corresponding service fees (“Service Fees”) as specified in the fee schedule of each relevant Statement of Work.

4.02 Payment

The Supplier shall issue invoices to ALCON for all amounts payable under this Agreement. ALCON shall make payment within 90 days of receiving and verifying the accuracy of the invoices.

4.03 Taxes

ALCON shall not be responsible for any income taxes levied on the Supplier, or any taxes arising from the employment relationship between the Supplier and its managers, directors, employees, agents, or subcontractors (“Personnel”).

If any payments under this Agreement are subject to withholding tax by law, ALCON may deduct such taxes from the amounts payable and remit them on behalf of the Supplier to the competent tax authority. ALCON shall issue a withholding tax certificate to the Supplier for all such deductions.

Notwithstanding any contrary provisions in this Agreement, ALCON shall not be liable for any taxes, fees, assessments, or other charges based on the Supplier’s capital or net income, including but not limited to income taxes or similar levies imposed by any country or region.

6

Article 5: Confidentiality Obligations

5.01 Confidential Information

During the term of this Agreement, the Supplier may obtain, access, or become aware of information, data, or materials deemed confidential by ALCON or its affiliates, including trade secrets, product plans, marketing and sales data, customer lists, proprietary technology, or other proprietary information (collectively, “Confidential Information”). For all such Confidential Information, the Supplier agrees to:

(i) Strictly maintain confidentiality;

(ii) Use the Confidential Information solely for purposes within the scope of this Agreement;

(iii) Not disclose such Confidential Information to any third party; and

(iv) Take reasonable confidentiality measures to prevent unauthorized disclosure of such information.

If the Supplier needs to disclose any Confidential Information to a third party, it must first obtain ALCON’s prior written consent and execute a written agreement with the third party that contains confidentiality provisions substantially similar in effect to this Agreement, thereby ensuring ALCON’s interests are protected. Notwithstanding the foregoing, if compelled by a court or administrative authority with jurisdiction, the Supplier may disclose Confidential Information but must promptly notify ALCON in writing, enabling ALCON to seek protective orders or other remedies. The Supplier shall disclose only the portions of Confidential Information deemed necessary by legal counsel.

5.02 Subpoenas and Other Requests

If the Supplier receives any subpoena, court order, or request from a third party seeking access to Confidential Information, the Supplier must immediately notify ALCON’s legal department. The Supplier shall inform such third parties that access to Confidential Information may only be obtained directly from ALCON. To the extent permitted by law, the Supplier shall refuse any third-party request for such access without ALCON’s prior written consent and cooperate with ALCON in asserting its rights to prevent the disclosure of Confidential Information, including seeking legal remedies from the court.

5.03 Supplier Personnel

The Supplier shall inform all personnel with access to Confidential Information of its confidential nature and instruct them not to disclose such information to any unauthorized third party or employee without ALCON’s prior written consent. The Supplier must enforce strict compliance with this Agreement by its personnel.

7

5.04 Exceptions

The obligations regarding confidentiality and non-use of Confidential Information shall not apply to the following:

(i) Information that becomes publicly known without any unauthorized disclosure by the Supplier;

(ii) Information that the Supplier knew prior to disclosure by ALCON, as evidenced by contemporaneous written records; or

(iii) Information lawfully obtained by the Supplier from a third party not bound by confidentiality obligations to ALCON.

5.05 Remedies

The Supplier agrees that monetary damages may not be a sufficient remedy for any breach or potential breach of confidentiality obligations. Therefore, ALCON shall be entitled to seek injunctive relief, specific performance, or other equitable remedies without the need to post any bond. This provision does not preclude ALCON from pursuing any other rights or remedies under law or this Agreement. If ALCON initiates litigation to enforce confidentiality obligations and prevails, ALCON shall be entitled to reasonable attorneys’ fees and related litigation expenses.

5.06 Use of Name

Except as required by law or court order, neither party nor its agents may, without the other party’s prior written consent, use the other party’s or its affiliates’ names, logos, symbols, trademarks, trade names, or identifying marks in any press release or promotional material, nor disclose the existence of this Agreement (except to affiliates and advisors) or make any statement having the same effect.

5.07 Publications

During the term of this Agreement and after its termination or expiration, the Supplier shall not publish, present, or disseminate (orally or in writing) any materials containing Confidential Information or referencing the services or deliverables under this Agreement without ALCON’s prior written consent.

5.08 Insider Information

The Supplier acknowledges that certain Confidential Information of ALCON may constitute material, non-public information. If the Supplier possesses such information, it shall not trade in the securities of (i) ALCON Inc. or (ii) any other company related to such Confidential Information. The Supplier shall inform its employees and contractors that they are also prohibited from trading in such securities. Both parties confirm this provision as an explicit agreement to maintain the confidentiality of insider information to comply with Taiwan’s Securities Exchange Act (as amended) and any other applicable laws protecting non-public material information.

8

Article 6: Ownership of Deliverables

6.01 Ownership of Deliverables

All deliverables created and provided by the Supplier for ALCON under any Statement of Work pursuant to this Agreement shall be the sole and exclusive property of ALCON.

6.02 Intellectual Property Rights

(a) Newly Created Intellectual Property

Subject to Clause 6.02(b), all intellectual property rights included in or arising from deliverables under this Agreement shall be the sole property of ALCON (“Newly Created Intellectual Property”). The Supplier hereby assigns all such rights to ALCON. For clarity, if any such intellectual property is eligible for copyright protection (including but not limited to software), it shall be deemed a “work for hire” under copyright law and shall belong exclusively to ALCON. The Supplier warrants that it will disclose and transfer any Newly Created Intellectual Property arising during the performance of this Agreement or any Statement of Work. If any portion of the Newly Created Intellectual Property is owned by individuals or entities other than the Supplier, the Supplier shall obtain full rights and transfer them to ALCON, ensuring unencumbered ownership. The Supplier shall execute all necessary documents and provide reasonable assistance to secure ALCON’s ownership at no additional cost to ALCON.

(b) Pre-existing Intellectual Property of the Supplier

Intellectual property owned or controlled by the Supplier prior to the Effective Date of this Agreement (“Pre-existing Intellectual Property”) shall remain the Supplier’s exclusive property. If any Pre-existing Intellectual Property is included in deliverables, the Supplier grants ALCON a perpetual, worldwide, irrevocable, royalty-free, non-exclusive, non-transferable (except to ALCON’s affiliates), and sub-licensable license to:

(i) Manufacture, use, sell, and import deliverables (including future updates) and products incorporating them (whether by ALCON or any third party); and

(ii) Reproduce, distribute, display, perform, transmit, and create derivative works based on the Supplier’s Pre-existing Intellectual Property (whether by ALCON or third parties).

6.03 Definition of Intellectual Property Rights

For the purposes of this Agreement, “Intellectual Property Rights” refer to all rights and interests associated with patents, designs, inventions, technologies, trademarks, trade dress, packaging, copyrights, know-how, trade secrets, specifications, formulas, equipment, systems, methods, applications, processes, documents, databases, results, and any other proprietary rights, information, or materials (whether registrable or not).

9

Article 7: Indemnification and Compensation

7.01 Supplier’s Indemnification and Compensation Obligations

If any third party asserts a legal claim or initiates a lawsuit against ALCON or its affiliates arising from, incidental to, or directly or indirectly caused by the following matters, the Supplier shall defend, indemnify, and hold ALCON and its affiliates harmless from any and all costs, liabilities, losses, or damages incurred, including attorneys’ fees. These matters include:

(i) Any deliverables (or their components or features) or services performed under this Agreement that infringe upon any patent, copyright, trademark, trade secret, or other intellectual property rights;

(ii) Actions or work performed by the Supplier (including but not limited to its employees, agents, and subcontractors) under this Agreement;

(iii) Any claims from Supplier personnel related to labor or co-employment relationships, including but not limited to employer misconduct or claims for ALCON-related benefits; or

(iv) The Supplier’s breach of any warranties, duties, or obligations under this Agreement.

The Supplier shall cooperate with ALCON in defending against such lawsuits. ALCON reserves the right to decide whether to transfer control of such lawsuits to the Supplier, while providing reasonable assistance during the defense process, at the Supplier’s expense.

If ALCON is prohibited from using any services or deliverables under this Agreement, or the Supplier reasonably believes such services or deliverables may be subject to infringement claims, the Supplier shall:

(i) Secure ALCON’s continued use of the services or deliverables; or

(ii) Replace or modify the services or deliverables to ensure they are non-infringing but retain equivalent functionality.

If the Supplier, after commercially reasonable efforts, cannot achieve the results outlined in (i) or (ii), ALCON may return the services or deliverables to the Supplier, and the Supplier shall fully refund all amounts paid by ALCON for such items.

10

Notwithstanding the foregoing, the Supplier shall not be liable for infringement claims caused by:

(i) Use of the services or deliverables not in accordance with Supplier-provided or approved documentation or instructions;

(ii) Unauthorized modifications of the services or deliverables by ALCON; or

(iii) Combination or integration of the services or deliverables with materials not provided or approved by the Supplier.

7.02 General Indemnification and Compensation Obligations

If the Supplier’s performance of services at ALCON’s premises results in the following damages due to the intentional act, negligence, or omission of any party under this Agreement or their employees:

(i) Loss, damage, or destruction of tangible property belonging to the other party or third parties; and/or

(ii) Death or personal injury to any individual, The responsible party shall indemnify, defend, and hold the other party harmless from all claims, damages, liabilities, costs, and expenses (including reasonable attorneys’ fees) arising therefrom.

11

Article 8: Insurance

8.01 Insurance Coverage

Throughout the entire duration of services under this Agreement and any additional periods stipulated below, the Supplier shall, at its own expense, procure and maintain the insurance coverage required herein and ensure that its subcontractors also procure and maintain such coverage. These policies shall be purchased from ALCON-approved insurers with authority to operate in the service coverage areas and hold an A.M. Best A-VIII or higher credit rating (if applicable). If any subcontractor’s insurance coverage does not meet the minimum standards listed below, the Supplier’s insurance shall cover the shortfall. Any deductibles shall be borne by the Supplier or its subcontractors at their own expense.

(a) Workers’ Compensation Insurance: Compliant with applicable laws in the jurisdiction of employment, including occupational hazard coverage.

(b) Employer’s Liability Insurance: Coverage for a single bodily injury incident not less than [NT$ ], for a single illness-related bodily injury not less than [NT$ ], and total coverage for injury or illness not less than [NT$ ].

(c) Comprehensive General Liability Insurance: Including contractual liability with coverage for each bodily injury, personal injury (including death), or property damage incident not less than [NT$ ], and a total coverage amount not less than [NT$ ].

Commercial Automobile Liability Insurance: Covering owned, leased, and non-owned vehicles used in service performance, with per-incident coverage for bodily injury (including death) and property damage not less than [NT$ ], and total coverage not less than [NT$ ]. If hazardous materials or waste are transported, relevant policy endorsements must be included.

(d) Professional Liability Insurance: If the Supplier provides specialized professional services, coverage must include errors and omissions during service provision, with per-claim coverage not less than [NT$ ], and total coverage not less than [NT$ ].

(e) Excess Liability Insurance: Per-incident coverage not less than US$2,000,000, bodily injury (including death) and property damage coverage not less than [NT$ ], and total coverage not less than [NT$ ].

(If unspecified, these amounts shall be deemed sufficient to cover foreseeable damages related to the risks involved in the Supplier’s performance of services under this Agreement.)

12

8.02 Scope of Coverage

All insurance policies procured or maintained by the Supplier or its subcontractors under this Agreement shall serve as primary and non-contributory to any insurance or self-insurance program held by ALCON. Insurers shall have no recourse to ALCON’s policies or programs. The coverage amounts do not limit or affect the Supplier’s liability under this Agreement or applicable laws. The Supplier shall waive all subrogation rights or other claims against ALCON and its subcontractors and ensure its insurers do the same.

8.03 Insurance Certificates

Before commencing services under this Agreement, the Supplier shall provide ALCON with insurance certificates issued by an authorized representative of the insurer in a format acceptable to ALCON. These certificates shall be sent to ALCON’s Taiwan office or another designated address and must:

(i) Confirm that all required insurance is in full force and effect;

(ii) State that no cancellation, non-renewal, or material modification will occur without at least 30 days’ prior written notice to ALCON; and

(iii) Include ALCON, its employees, directors, managers, subcontractors, representatives, and agents as additional insureds for coverage other than workers’ compensation insurance.

8.04 Subcontractors

Upon ALCON’s request, the Supplier shall provide copies of insurance certificates for all subcontractors’ policies and coverage limits. The Supplier shall not engage any subcontractor to perform services under this Agreement without ALCON’s prior written consent. If any Statement of Work under this Agreement specifies named subcontractors and their assigned tasks, execution of such Statement of Work by ALCON shall be deemed prior written consent.

Any prior consent by ALCON under this section shall neither relieve the Supplier of its obligations or liabilities under this Agreement nor impose any obligations or liabilities upon ALCON.

13

Article 9: Compliance with Laws

9.01 Responsible Procurement

ALCON requires its suppliers to conduct their business in a fair and ethical manner, adhering strictly to all applicable laws, industry standards, and the ALCON Supplier Code of Conduct (hereinafter referred to as the “Supplier Code of Conduct”) (accessible at: https://www.ALCON.com/about-us/responsible-business-practice). The Supplier covenants and agrees to:

(i) Familiarize itself with and comply with the Supplier Code of Conduct and all applicable ALCON policies communicated to the Supplier during the term of this Agreement (collectively referred to as “ALCON Policies”);

(ii) At its own cost, provide training to its personnel (including any ALCON-approved subcontractors) on relevant laws, industry standards, and ALCON Policies applicable to the performance of the services under this Agreement and, upon ALCON’s request, furnish all relevant training materials and attendance records;

(iii) Promptly provide ALCON, upon request, any documentation or evidence reasonably required to demonstrate the Supplier’s compliance with ALCON Policies and training obligations;

(iv) Grant ALCON (or its designated third-ALCONuditor) reasonable access to audit the Supplier’s compliance with the Supplier Code of Conduct and ALCON Policies; and

(v) Promptly identify and remediate any violations of the Supplier Code of Conduct and ALCON Policies and report progress on such remediation to ALCON upon request. In the event ALCON determines, at its sole discretion, that the Supplier has failed to comply with the Supplier Code of Conduct or ALCON Policies, ALCON reserves the right to terminate this Agreement immediately without further notice or opportunity to cure and without any liability to compensate the Supplier for such termination.

9.02 Anti-Corruption

The Supplier acknowledges and agrees to comply with all applicable anti-corruption and anti-bribery laws, regulations, and standards, including but not limited to those set forth in the Supplier Code of Conduct. The Supplier is strictly prohibited from engaging in any conduct constituting bribery or corruption, whether involving public officials or private parties, and shall not offer, provide, solicit, or accept any improper payments or benefits on behalf of ALCON. The Supplier further covenants that it will not offer any monetary or other benefits to third parties on behalf of ALCON, except where expressly authorized in writing under a work plan or other agreement duly executed by ALCON.

14

9.03 Transparency

ALCON is committed to compliance with applicable transparency reporting obligations in certain jurisdictions, requiring disclosure of benefits provided to specific third parties. The Supplier acknowledges that monetary payments, gifts, hospitality, or other advantages provided to third parties on behalf of ALCON may be subject to such obligations. Upon ALCON’s request, the Supplier agrees to collect and deliver all required information related to such benefits to ALCON within thirty (30) days following their provision, in accordance with ALCON’s instructions.

9.04 Supplier Information

The Supplier represents and warrants that all information provided to ALCON under this Agreement, including information submitted in pre-contract questionnaires or forms, is true, accurate, and complete in all material respects. The Supplier further agrees to notify ALCON in writing, without undue delay, of any material changes to such information or any significant changes in its organizational structure, ownership, or executive management during the term of this Agreement.

9.05 Personnel

When the Supplier performs services on ALCON’s premises or at locations specifically designated for ALCON under this Agreement, the Supplier agrees to comply with and ensure its personnel adhere to the ALCON Code of Business Conduct (available at: https://www.ALCON.com/about-us/responsible-business-practice) and ALCON’s Health, Safety, and Environmental Requirements (available at: https://www.ALCON.com/sites/www.ALCON.com/files/ALCON_Health_Safety_Environmental_Requirements_Final.pdf). The Supplier shall be fully responsible for ensuring its personnel comply with ALCON’s reasonable instructions, including safety guidelines, and shall hold such personnel accountable for any breach. The Supplier further acknowledges and agrees that certain duties under this Agreement may expose its personnel to hazardous materials or conditions. The Supplier shall provide all necessary safety information and training to its personnel and, upon ALCON’s request, require such personnel to undergo specified medical examinations and complete any additional training deemed necessary by ALCON.

15

9.06 Personal Data

ALCON may process and store basic contact information of the Supplier within its internal systems and related applications for purposes of issuing purchase orders, receiving goods or services, and processing payments. The Supplier expressly consents to ALCON’s collection, processing, and use of such data for classification, management, and reporting purposes. Additionally, if the Supplier gains access to personal data during the provision of services under this Agreement, it shall protect such data in accordance with the data protection provisions set forth in Annex B and Annex C of this Agreement.

9.07 Audit Rights

ALCON shall have the right, upon providing reasonable prior written notice and during normal business hours, to audit the Supplier’s books and records to verify the Supplier’s compliance with the terms of this Agreement. Such audit rights shall remain in effect for two (2) years following the expiration or termination of this Agreement.

9.08 Compliance with Sanctions Laws

The Supplier represents and warrants that neither it, its parent company, subsidiaries, nor any of their directors, officers, agents, employees, or affiliates are currently subject to sanctions imposed by the U.S. government (including but not limited to the Office of Foreign Assets Control, U.S. Department of Commerce, or U.S. Department of State), Switzerland, the United Nations Security Council, the European Union, or the United Kingdom. The Supplier further represents that it does not conduct business or maintain operations in any jurisdiction subject to such sanctions.

9.09 Supply Chain Security

The Supplier shall ensure that it and its subcontractors, freight forwarders, and carriers are certified under security programs established under the World Customs Organization’s (WTO) <Framework of Standards to Secure and Facilitate Global Trade> or, at a minimum, comply with the applicable security guidelines and requirements of such programs, including but not limited to the U.S. Customs-Trade Partnership Against Terrorism (C-TPAT) and Authorized Economic Operators (AEO), if applicable. Upon ALCON’s request, the Supplier shall provide written confirmation and supporting evidence of compliance.

16

Article 10: Background Checks

10.01 Restrictions

If any provision under this Article conflicts with the applicable laws of the jurisdiction where the Supplier operates or provides services under this Agreement, such provision shall be deemed unenforceable to the extent of such conflict.

10.02 Language

At any ALCON location, if any personnel assigned by the Supplier are unable to communicate effectively in Mandarin, the Supplier shall arrange for a managerial-level representative to be present at all times to facilitate communication. This representative must have the ability to communicate with all Supplier personnel and accurately convey their expressions in Mandarin to ALCON representatives. All Supplier personnel assigned to ALCON premises must be at least 18 years old.

10.03 Criminal Background Checks

To the extent permitted by law, the Supplier shall ensure that all personnel authorized to access ALCON premises or systems have no criminal convictions for felonies within the last seven (7) years. Upon request by ALCON, the Supplier shall provide supporting documentation to substantiate this. The Supplier shall assess personnel with convictions within the last seven (7) years for offenses such as physical harm, possession of controlled substances and/or weapons, theft/aggravated theft, or driving under the influence/unsafe driving, as well as individuals with felony convictions older than seven (7) years, to determine if such criminal history poses any reasonable risk to ALCON or its employees. The Supplier shall indemnify and hold ALCON harmless from and against any claims, demands, liabilities, damages, or expenses (including attorneys’ fees) arising from or related to the assignment of any personnel with a criminal record to ALCON.

10.04 Drug Testing

To the extent permitted by law, before assigning any personnel to perform work for ALCON, the Supplier shall require all such personnel to undergo drug testing for marijuana, cocaine, opiates, amphetamines, and phencyclidine (PCP). The drug test results must be valid within thirty (30) days of the commencement of the Supplier’s engagement with ALCON. Personnel who test positive for controlled substances or other prohibited drugs without a valid current prescription shall not be permitted to perform any services for ALCON.

If ALCON reasonably suspects that any of the Supplier’s personnel are under the influence of any substances, including but not limited to alcohol, while providing services to ALCON, ALCON may require the Supplier to conduct a drug or alcohol test on the individual in question.

17

Article 11: General Provisions

11.01 Notices

All notices required or permitted under this Agreement shall be deemed properly delivered when sent via regular mail or courier to the other party’s address listed below or to another address provided in writing from time to time by the receiving party. Notices sent via regular mail shall be deemed delivered three days after being correctly addressed, stamped, and posted. Notices may also be sent electronically, provided the receiving party confirms receipt in writing. Such notices shall be deemed delivered upon confirmation of receipt by the recipient.

To ALCON:

ALCON SERVICES AG, TAIWAN BRANCH (SWITZERLAND)

11F., No. 99, Sec. 2, Ren’ai Rd., Zhongzheng Dist., Taipei City

Attn: Byron Han

To the Supplier:

Yong Ding Biopharm Co., Ltd

9F., No. 510, Sec. 7, Zhongxiao E. Rd., Nangang Dist., Taipei City

Attn: Ms. Mei-Ling Lin

11.02 Severability

If any section, sentence, clause, or term of this Agreement is held to be invalid, void, or unenforceable by a court or administrative body of competent jurisdiction, the remaining provisions of this Agreement shall remain valid and enforceable.

11.03 Setoff

Any amounts payable by ALCON to the Supplier under this Agreement or any future due amounts may be offset or deducted against any amounts owed by the Supplier to ALCON arising from this transaction or any other transaction between the parties.

11.04 Governing Law

This Agreement shall be governed by and interpreted under the substantive and procedural laws of Taiwan (Republic of China), excluding any conflict of laws principles.

18

11.05 Assignment

ALCON may assign its rights and/or obligations under this Agreement. The Supplier may not assign any of its rights or obligations under this Agreement without prior written consent from ALCON. Any attempted assignment in violation of this provision shall be void.

11.06 Subcontracting

The Supplier shall not subcontract any of its obligations under this Agreement without ALCON’s prior written consent. If subcontracting is permitted:

(i) The Supplier shall remain fully responsible for the performance of all its obligations under this Agreement;

(ii) Any costs or requirements associated with the subcontracting arrangements shall be the Supplier’s sole responsibility; and

(iii) The Supplier shall incorporate contractual obligations in its agreements with approved subcontractors equivalent to those outlined in Article 9 (Compliance with Laws) of this Agreement.

11.07 Entire Agreement

This Agreement constitutes the entire understanding and agreement between the parties regarding its subject matter, superseding all prior written or oral agreements or understandings. Any standard or general terms and conditions of the Supplier shall only apply if expressly acknowledged in this Agreement. Any amendments or modifications to this Agreement must be made in writing and signed by both parties. All attachments and appendices to this Agreement are integral parts of the Agreement.

11.08 Counterparts

This Agreement may be executed in multiple counterparts, each of which shall be deemed an original and together shall constitute a single document. Signed copies of this Agreement may be delivered electronically and shall be equally binding.

11.09 Waiver

Failure by either party to enforce any provision of this Agreement shall not constitute a waiver of that provision or the right to enforce it at a later date. Any waiver of rights under this Agreement must be made in writing and signed by the waiving party.

19

11.10 Independent Contractor

The Supplier shall perform all services under this Agreement as an independent contractor. The Supplier and its employees, agents, or representatives are not employees of ALCON. The Supplier shall have sole discretion regarding the hiring, discipline, evaluation, and termination of its employees, as well as decisions concerning working hours, benefits, salaries, and other employment-related terms and conditions, provided they comply with applicable laws. The Supplier shall ensure compliance with all employer-related requirements under the Labor Standards Act, Labor Insurance Act, and other applicable laws in Taiwan.

The Supplier’s employees or agents shall not be entitled to any employee benefits provided by ALCON to its employees, such as salaries, overtime pay, paid leave, labor insurance, health insurance, unemployment insurance, pensions, stock-related benefits, or plans. For any claims, liabilities, or assessments arising from employment-related laws or obligations regarding Supplier personnel, the Supplier agrees to defend, indemnify, and hold harmless ALCON and its affiliates, along with their directors, officers, employees, agents, successors, and approved assigns.

11.11 Survival of Obligations

The rights and obligations of the parties under the following provisions shall survive the expiration or termination of this Agreement: Article 4 (Fees, Payments, and Taxes), Article 5 (Confidentiality Obligations), Article 6 (Ownership of Deliverables), Article 7 (Indemnification and Compensation), Article 9 (Compliance with Laws), and this Article 11 (General Provisions).

11.12 Jurisdiction and Litigation

Any disputes arising from or related to this Agreement shall be subject to the exclusive jurisdiction of the Taipei District Court, Taiwan, as the court of first instance. The losing party in such disputes shall bear the legal fees, litigation costs, and associated expenses of the prevailing party, including reasonable and verifiable attorneys’ fees.

11.13 Force Majeure

Neither party shall be liable for failure or delay in performing its obligations under this Agreement due to circumstances beyond its reasonable control, such as fire, floods, accidents, riots, wars, government interventions, rationing, embargoes, strikes, labor shortages, delays in material deliveries, or similar events.

11.14 Headings

The headings in this Agreement are for reference purposes only and shall not affect the interpretation or modification of its terms.

20

Signatories

ALCON SERVICES AG, TAIWAN BRANCH (SWITZERLAND)

Authorized Representative

Signature: ___________________________

Name: ___________________________

Title: ___________________________

Date: ___________________________

Yong Ding Biopharm Co., Ltd

Authorized Representative

Signature: ___________________________

Name: ___________________________

Title: ___________________________

Date: ___________________________

21

Annex A

Swiss-based company ALCON SERVICES AG, TAIWAN BRANCH (SWITZERLAND) (hereinafter referred to as “ALCON”) and [Yong Ding Biopharm Co., Ltd.] (hereinafter referred to as “Supplier”) entered into the following Work Plan on [date].

Work Plan

This Work Plan serves as an attachment to the Master Services Agreement and is governed by its terms. The Work Plan becomes effective on the date of execution by both parties (hereinafter referred to as the “Effective Date”).

Overview of Scope of Services:

The Supplier shall provide [medical supply services], with detailed service content specified in Appendix 1 of the Supplier’s proposal. Any content in the appendices shall only apply to the description of the services to be provided. Any other terms in the appendices, including but not limited to legal provisions or terms that conflict with this agreement, shall be excluded.

Planned Start Date: [January 1, 2024], but no earlier than the date ALCON receives and issues a valid purchase order.

Planned End Date: [December 31, 2026]. ALCON may extend the Planned End Date by written notice to the Supplier if the extension does not alter the scope of services or the cost and expenses.

Service Fees:

[Option 1:] In consideration of the services to be provided by the Supplier under this Work Plan, ALCON shall pay the Supplier [NT $ 2,746,695].

Specification: [ALCON Purchase Order Specification].

Warranty Period: [January 1, 2024 – December 31, 2026]

This Work Plan is subject to all terms and conditions of the Master Services Agreement. In the event of any conflict or inconsistency between this Work Plan (including any appendices) and the Master Services Agreement, the terms of the Master Services Agreement shall prevail.

Each party to this Work Plan represents that it has the full right and authority to enter into and perform this Work Plan. The representatives signing this Work Plan on behalf of the parties are duly authorized and have the authority to execute this Work Plan.

22

Signatories

ALCON SERVICES AG, TAIWAN BRANCH (SWITZERLAND)

Authorized Representative

Signature: ___________________________

Name: ___________________________

Title: ___________________________

Date: ___________________________

Yong Ding Biopharm Co., Ltd

Authorized Representative

Signature: ___________________________

Name: ___________________________

Title: ___________________________

Date: ___________________________

23

Annex B

Information Security Controls for Third Parties

These information security controls for third parties are intended to supplement the terms and conditions of this Agreement or any other applicable individual data processing agreements that may include additional information security requirements, including but not limited to the Data Protection Requirements Annex of this Agreement (refer to Annex C). This Annex forms an integral part of the Agreement and is incorporated therein.

In this Annex, unless otherwise stated in the Agreement or unless the context otherwise requires, the following capitalized terms shall have the meanings set forth below:

● “Agreement” refers to the agreement to which this Data Protection Annex is attached (i.e., the Master Service Agreement).

● “ALCON” refers to the ALCON entity and/or its Affiliates specified in the Agreement.

● “ALCON Data” refers to any and all data, documents, or records of any nature (including but not limited to personal data and special categories of personal data) and in any format related to ALCON’s business, whether such data existed prior to or after the Effective Date of the Agreement, and whether such data is created or processed as part of the Services or provided by ALCON (or a third party acting on its behalf) to the Supplier in connection with the Agreement or the Services.

● “ALCON Environment” refers to any systems, data centers, third-party systems, and infrastructure owned or licensed by ALCON or managed by ALCON, its Affiliates, or subcontractors, or any other systems, interfaces, or infrastructure as notified by ALCON from time to time.

● “Supplier” refers to the entity specified in the Agreement as responsible for providing goods or services to ALCON.

● “Process, Processed, Processing” refers to any operation performed on ALCON Data in any way, including but not limited to collection, reading, receipt, use, transmission, retrieval, manipulation, recording, organization, storage, disposal, maintenance, hosting, adaptation, modification, possession, sharing, disclosure (via transmission, dissemination, or otherwise making available), interception, erasure, destruction, or authorization.

24

● “Security Incident” refers to an actual or suspected security breach that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to ALCON Data that may negatively impact the confidentiality, integrity, availability, or recoverability of ALCON Data.

● “Industry Security Practices” refers to current applicable practices as outlined in standards such as ISO/IEC 27001, ISO/IEC 27002:2013 by the International Organization for Standardization (ISO/IEC), the NIST Cybersecurity Framework and related standards (e.g., NIST 800-44) by the National Institute of Standards and Technology (NIST), the OWASP Guide for Building Secure Web Applications by the Open Web Application Security Project (OWASP), the CIS Standards by the Center for Internet Security (CIS), or any other security standards agreed upon by both parties.

● “Industry Security Certifications” refers to certifications based on the latest versions of standards such as Statement on Standards for Attestation Engagements No. 16 (SSAE-16), No. 18 (SSAE-18), International Standard on Assurance Engagements No. 3402 (ISAE 3402), or any other industry-recognized security certification agreed upon by the parties.

● “Personal Data,” “Special Categories of Personal Data,” and “Personal Data Protection Laws” have the meanings set forth in the Data Protection Requirements Annex (refer to Annex C) of this Agreement.

Article 1. Supplier’s Information Security Policies and Standards

1.1 The Supplier shall implement information security policies and standards aligned with Industry Security Practices (including, but not limited to, the standards and requirements confirmed by the Supplier in Schedule 1, “Supplier Information Security Standards”) and ensure compliance with these policies and standards. The Supplier shall designate appropriate personnel responsible for ensuring technical and organizational compliance with the security and privacy controls required by this Agreement and the Supplier’s internal policies.

1.2 When processing any Personal Data, the Supplier shall comply with additional mandatory control measures and requirements (as outlined in the Data Protection Annex (Annex C) of this Agreement).

25

Article 2. Supplier’s Information Security Assurance

2.1 ALCON or its designated third party may monitor, inspect, and evaluate the organizational, technical, and administrative security measures implemented by the Supplier, as well as any measures taken to ensure the security, availability, integrity, and recoverability of ALCON Data, including but not limited to processes, policies, systems, business continuity test reports, and infrastructure. The Supplier shall provide records and evidence of such measures in the form and timeframe reasonably requested by ALCON. The Supplier shall cooperate and assist ALCON or its designated third party in conducting the aforementioned evaluations. Without prejudice to ALCON’s rights above, the Supplier (or its hosting suppliers) shall maintain required third-party certifications or audit reports as specified in Schedule 2, “Supplier Certifications and Audit Reports.” Annual audit reports shall be provided by the Supplier.

2.2 ALCON may conduct comprehensive remote technical assessments to evaluate the effectiveness of implemented measures to ensure the confidentiality, availability, integrity, and recoverability of platforms, including compliance with applicable Personal Data Protection Laws. ALCON shall provide the Supplier with a report of such assessments. Within 30 days of receiving the assessment report, the Supplier shall develop a remediation plan and timeline, submit it to ALCON, and rectify the vulnerabilities identified in the report.

2.3 The Supplier shall ensure that regular penetration and security tests are conducted in accordance with Industry Security Practices and shall ensure that the standards and requirements described in Schedule 1 take into account any known vulnerabilities within the environments used to process ALCON Data.

2.4 ALCON may conduct or engage third parties to perform penetration testing of applications and infrastructure, at ALCON’s expense, up to once per calendar year. If vulnerabilities are identified in prior penetration tests, independent assessments, or other ALCON evaluations, or in the event of a Security Incident, ALCON may conduct additional such evaluations. ALCON shall provide the Supplier with reports of the penetration tests.

2.5 The Supplier shall remediate any vulnerabilities identified under Sections 2.2, 2.3, and 2.4 without undue delay but no later than the timelines specified in the remediation plan. The Supplier shall provide ALCON with an annual summary of penetration test results and related remediation plans.

26

Article 3. Minimum Encryption and Continuity Standards:

The Supplier shall ensure that all ALCON Data exchanged over external connections (or across non-ALCON or non-Supplier networks) is protected by encryption methods conforming to Industry Security Practices. The Supplier shall ensure that all authentication and authorization data used in relevant systems is encrypted during transmission and while at rest. All Personal Data must be encrypted both in transit and at rest. The Supplier shall utilize encryption technology equivalent to or more stringent than the AES 256-bit encryption standard (symmetric) or RSA 4096-bit encryption standard (asymmetric) and/or TLS 1.2-grade encryption.

Article 4. Processing of Production Data:

4.1 When the Supplier processes or stores ALCON Data, the Parties shall specify and agree upon the location of ALCON Data and the location where the Supplier may access ALCON Data in this Agreement. If no such locations are specified in this Agreement, they shall be indicated below:

	Location
Physical location of ALCON Data:
Location where the Supplier may access ALCON Data:

4.2 The Supplier shall only process ALCON production data in the following environments: (a) a secure production environment; or (b) any other environment mutually agreed upon by the Parties that provides security measures equivalent to those in the applicable production environment.

Article 5. ALCON Environment:

5.1 The Supplier acknowledges and agrees that any interfacing, connection, or communication with the ALCON Environment shall only occur with ALCON’s prior written approval (such approval may be incorporated into this Agreement). Any such connection with the ALCON Environment shall be maintained, protected, and tested in accordance with industry-standard security practices, including but not limited to the standards and requirements outlined in Appendix 1. ALCON reserves the right to terminate such connections at its sole discretion.

5.2 The Supplier shall use commercially reasonable efforts consistent with industry-standard security practices to ensure that:

(a) There is no introduction of viruses or other harmful code intended to disable, harm, or provide unauthorized access to any function;

(b) There is no software used for keystroke recording or enforcing unauthorized restrictions; and

(c) Neither the Supplier nor its personnel introduce any other unauthorized code into the ALCON Environment without ALCON’s written approval of its functionality (including but not limited to scenarios where failure to comply with the requirements in Clause 5.1 results in such situations).

5.3 The Supplier shall retrieve and access ALCON Data only as required for the Services under this Agreement. If the Supplier is able to read or extract data other than ALCON Data, the Supplier shall immediately notify ALCON.

27

Article 6. Information Security Training:

6.1 The Supplier shall ensure that all employees, subcontractors, and third-party users involved in operating or processing ALCON Data are adequately trained and informed about applicable laws (including data protection laws), information security threats and their implications, and their respective responsibilities and obligations. They shall be equipped with appropriate tools to support the organization’s security policies during their duties.

6.2 When transmitting or transferring ALCON Data and/or Personal Data, the Supplier shall ensure that its personnel use the company’s or organization’s official email accounts and prohibit the use of personal email accounts for transmitting ALCON Data.

6.3 If any Supplier Personnel receives the following, the Supplier shall ensure that they comply with any applicable ALCON information security policies and participate in ALCON training (at no cost to ALCON):

(i) Identification badges (or other access mechanisms) issued by ALCON to allow entry into ALCON premises;

(ii) Personalized ALCON network access accounts (e.g., ALCON5-2-1 account);

(iii) ALCON laptops;

(iv) ALCON email accounts; and/or

(v) Any other type of access to the ALCON Environment.

If the identity or role of any Supplier Personnel or subcontractor personnel changes in a manner that may affect their ability to access the ALCON Environment, the Supplier shall notify ALCON without undue delay. Such changes may include, but are not limited to, termination of employment, changes in job scope, or cessation of subcontractor engagement.

Article 7. Protection and Disposal of ALCON Data:

7.1 The Supplier shall ensure that its security policies include appropriate data retention and destruction policies, which shall align with industry-standard security practices, including but not limited to the standards and requirements outlined in Appendix 1.

7.2 The Supplier shall implement appropriate control measures to prevent the loss, damage, or tampering of records during the retention period.

7.3 Upon ALCON’s reasonable request or upon termination of this Agreement, the Supplier shall dispose of all ALCON Data held by the Supplier, its Affiliates, or subcontractors, such as by erasing, destroying, or rendering it unreadable. This excludes any ALCON Data copies stored on the Supplier’s standard backup media, provided that such backup media are protected in accordance with recognized, up-to-date data privacy and industry-standard security practices, including but not limited to those described in Appendix 1. Upon ALCON’s reasonable request, the Supplier shall provide ALCON with a report detailing the ALCON Data stored on backup media with appropriate details.

7.4 Upon ALCON’s request, the Supplier shall provide written certification confirming completion of the foregoing actions.

7.5 The Supplier may retain ALCON Data for a period required by applicable laws (including data protection laws).

7.6 As an alternative to disposing of ALCON Data, ALCON may, in its specified form and timeline, obtain such ALCON Data.

28

Article 8. Information Security Incident:

8.1 The Supplier shall monitor, analyze, and respond to Information Security Incidents in accordance with these provisions. In the event of an Information Security Incident, the Supplier shall communicate with and report to ALCON.

8.2 ALCON Contact Person for reporting Information Security Incidents identified by the Supplier:

● Phone: +886-2-2322-9303 (Report the issue involving “Information Security Incident” to escalate to ALCON SOC).

● Email: IT.Taiwan@alcon.com.

8.3 Supplier Contact Person for reporting Information Security Incidents identified by ALCON:

● Email: purchase-order@udn-pharm.com [Contact information to be provided by the Supplier].

8.4 The Supplier shall, at a minimum, adhere to the following Information Security Incident management process:

8.4.1 Notification: The Supplier shall notify ALCON without undue delay, but no later than 24 hours after discovering the Information Security Incident.

8.4.2 Mitigation: If the Information Security Incident is confirmed, the Supplier shall, in consultation with ALCON, take appropriate measures without undue delay to minimize further damage to ALCON Data. Such measures shall include, but are not limited to:

8.4.2.1 Preventing unauthorized access to or any other inappropriate handling of ALCON Data;

8.4.2.2 Developing remediation measures to prevent the recurrence of such Information Security Incidents;

8.4.2.3 Restoring normal execution of the Services; and

8.4.2.4 Regularly updating ALCON on the progress of the remediation measures.

Following the implementation of measures to prevent recurrence of Information Security Incidents, the Supplier shall issue a written report to ALCON detailing the actions taken and the security protections implemented.

29

Article 9. Remediation Management:

9.1 The Supplier shall monitor available remediation solutions and promptly evaluate, test, and implement those solutions in the systems supporting the Services or processing ALCON Data.

9.2 If the Supplier determines not to implement a specific remediation solution following an evaluation, the Supplier shall:

(a) Implement alternative controls or security protections to ensure the confidentiality, integrity, and availability of systems supporting the Services or processing ALCON Data; or

(b) Provide ALCON, upon its reasonable request, with sufficient evidence explaining the Supplier’s decision not to implement the remediation solution.

Article 10. Non-compliance with the provisions of this Annexx shall constitute a material breach of this Agreement and may trigger the termination provisions related to material breaches under this Agreement.

Article 11. Notification:

11.1 Any notifications or other communications related to this Annex shall be made in writing and delivered to:

● To ALCON: IT.Taiwan@alcon.com

● To the Supplier: purchase-order@udn-pharm.com [Supplier’s Information Security Department Contact Person]

11.2 Clause 11.1 shall not apply to the service of legal process, or any documents in legal proceedings, arbitration (if applicable), or other dispute resolution mechanisms.

30

Annex B: Appendix 1

Supplier Information Security Standards

Supplier shall indicate and select the applicable information security frameworks in use:

[To be completed by the Supplier]

( ) ISO/IEC ISO27001/27002
( ) NIST Cybersecurity Framework Version 1.1
( ) NIST SP 800-53
( ) CIS Critical Security Controls
( ) COBIT 5
( ) HITRUST CSF

31

Annex B: Appendix 2

Supplier Certifications and Audit Reports

Supplier Certifications and Audit Reports

[To be completed by Supplier]

Please select the corresponding audit reports provided by Supplier:

( ) SSAE-16 SOC2 Type II
( ) SSAE-18 SOC2 Type II
( ) ISAE 3402 Type II
( ) Any other certification or audit report must be approved by ALCON’s Information Security Officer or Chief Information Officer.

32

Annex C

Data Protection Requirements

Article 1: Conflicts and Continuity

This Data Protection Requirements Annex (“Data Protection Annex”) constitutes an integral part of this Agreement and is incorporated herein by reference. The provisions of this Data Protection Annex, as well as any relevant Data Transfer Agreements, shall remain in full force and effect following the expiration or termination of this Agreement for as long as the Data Processor continues processing Personal Data. In the event of a conflict or inconsistency between this Data Protection Annex and any other part of this Agreement, the order of precedence shall be as follows:

a. This Data Protection Annex;

b. The Agreement.

Article 2: Definitions

Terms not otherwise defined herein shall have the meaning set forth in the Agreement (including its annexes). In the event of a conflict, the definitions in this Annex shall prevail.

“Agreement” refers to the Agreement to which this Data Protection Annex is attached (i.e., the Main Services Agreement).

“ALCON” refers to the ALCON entity and/or its Affiliates specified in this Agreement.

“ALCON Data” means all data, documents, or records of any nature (including but not limited to Personal Data and Special Categories of Data) and in any format, related to ALCON’s business, whether existing before or after the Effective Date of this Agreement, provided by ALCON (or a third party acting on its behalf) under or in connection with this Agreement, or created or processed as part of the Services.

“Business Day” means any day other than Saturday, Sunday, or a public holiday in the Republic of China.

“Data Controller” refers to the ALCON entity/entities identified on the first page of this Agreement.

33

“Data Processor” refers to the Supplier.

“Data Protection Laws” refers to all laws, rules, regulations, and orders concerning the processing of Personal Data in any jurisdiction or its subordinate political units, including but not limited to: the Personal Data Protection Act of the Republic of China, the EU General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”), the US Health Insurance Portability and Accountability Act of 1996 (“HIPAA Privacy Rule”) (including Title 45, Section 164.508(b) of the Code of Federal Regulations), the Swiss Federal Act on Data Protection, and/or the applicable laws specified in this Agreement.

“Data Subject” means any identified or identifiable natural person whose Personal Data is processed by the Supplier on behalf of ALCON in accordance with ALCON’s instructions. “Identifiable natural person” refers to any individual who can be identified, directly or indirectly, particularly by reference to an identification number, or to one or more physical, physiological, mental, economic, cultural, or social identifiers.

“Data Transfer Agreement” refers to any agreement stipulating the standards and requirements applicable to the lawful transfer of Personal Data to certain individuals or entities in countries where the laws do not provide adequate data protection. For Data Subjects located in Switzerland or the European Economic Area (EEA), these terms include EU Model Clauses or EU Standard Contractual Clauses. Where necessary, the Data Controller and Data Processor shall implement additional safeguards.

“Personal Data” refers to any information relating to an identified or identifiable natural person processed directly or indirectly by the Supplier or its subcontractors in the performance of Services under this Agreement or in connection with it. Personal Data includes Special Categories of Data and other classifications as defined by applicable Data Protection Laws (e.g., household data under the California Consumer Privacy Act (CCPA), if applicable).

“Processing, Processed, or Processes” means any operation or set of operations performed on Personal Data, whether or not by automated means, including but not limited to: collection, reading, receipt, use, transmission, retrieval, handling, recording, organization, storage, sale, maintenance, hosting, adaptation, modification, retention, sharing, disclosure (via transmission, dissemination, or otherwise making available), interception, erasure, destruction, or authorization.

“Data Breach Incident” means any actual or suspected security breach that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access to transmitted, stored, or otherwise processed Personal Data.

34

“Special Categories of Data” means:

(i) Data relating to a natural person’s physical, physiological, or psychological characteristics; economic status; race or ethnicity; political or ideological opinions; religious or philosophical beliefs; trade union membership; health or medical information (including information about the payment for healthcare services, sexual life or orientation, genetic materials or information, human biological specimens or cells, biometric data, or personality profiling information);

(ii) Foreign national registration numbers;

(iii) Driver’s license numbers;

(iv) Passport numbers, visa numbers, or other government identification numbers;

(v) Credit card, debit card, or other financial account information, whether or not combined with passwords or other access credentials;

(vi) Mother’s maiden name;

(vii) “Protected Health Information” (PHI) as defined under the HIPAA Privacy Rule and its implementing regulations; and/or

(viii) Other sensitive personal data classifications as identified under applicable Data Protection Laws.

“Supplier” refers to the party performing or providing Services under this Agreement, as specified on the first page of this Agreement.

“Supplier Subcontractor” refers to any third party engaged by the Supplier, including Affiliates and direct or indirect subcontractors, to assist in performing the Supplier’s obligations under this Agreement.

35

Article 3: Regulation of Personal Data and Processing Activities

3.1 Nature and Purpose of Processing

The nature and purpose of the Supplier’s processing of Personal Data are set forth in this Agreement.

3.2 Types and Categories of Personal Data

The types and categories of Personal Data are specified in Appendix 1 to this Annex.

3.3 No Monetary Consideration for Personal Data

Both parties agree that Personal Data is not deemed consideration under this Agreement.

3.4 Roles and Responsibilities

The parties acknowledge that, for the purposes of Data Protection Laws, ALCON is the Data Controller and the Supplier is the Data Processor unless otherwise specified in this Agreement or any applicable documentation (including any Statement of Work).

36

Article 4: Technical and Organizational Measures

4.1 The Supplier shall process Personal Data solely for the purposes set forth in this Agreement and/or as instructed by ALCON. The Supplier may process Personal Data as required by applicable laws, provided the Supplier notifies ALCON unless such notification is prohibited by law. The Supplier shall inform ALCON immediately if it believes any of ALCON’s instructions violate Data Protection Laws. Access to Personal Data shall be limited to individuals who need it to fulfill the Supplier’s obligations and shall adhere to the principle of “need-to-know.” All individuals granted access to Personal Data must maintain its confidentiality, use it only for specified purposes, and receive appropriate privacy and information security training, updated periodically in accordance with applicable laws, regulations, and industry standards. The Supplier shall not use, process, sell, or disclose any Personal Data created, received, maintained, or transmitted in connection with its obligations unless expressly permitted or required by this Agreement.

4.2 The Supplier shall implement the following measures, adopting the stricter of the two standards:

(a) The minimum technical and organizational measures outlined in Annex B: Information Security Controls for Third Parties, which is incorporated into this Data Protection Annex; or

(b) Measures required under Data Protection Laws. The technical and organizational measures shall evolve with advancements in technology. The Supplier may implement alternative measures as long as they meet or exceed the minimum security standards required.

4.3 Throughout the term of this Agreement, the Supplier shall maintain and monitor a comprehensive, written privacy and information security program, including data protection policies and procedures consistent with any established privacy compliance programs between the parties. This program shall include administrative, technical, and physical safeguards to protect the security, confidentiality, availability, and integrity of Personal Data against reasonably anticipated threats and unauthorized processing. The Supplier shall regularly assess risks to the security, confidentiality, and integrity of Personal Data in electronic, paper, or other records and evaluate and enhance, as necessary, the effectiveness of the measures used to mitigate such risks.

Article 5: Correction, Restriction, and Erasure of Personal Data

5.1 The Supplier shall not correct, erase, or restrict the processing of Personal Data without ALCON’s prior written instructions. If the Supplier receives any communication from a Data Subject regarding their right to access, amend, or rectify their Personal Data, the Supplier shall notify ALCON immediately (and in any case within five (5) Business Days of receipt) and comply with ALCON’s instructions regarding the response to such communications.

5.2 The Supplier shall, in accordance with ALCON’s written instructions and to the extent required by applicable Data Protection Laws, assist Data Subjects in exercising their rights, including the right to erasure, the right to be forgotten, the right to correction, the right to data portability, the right of access, or any other applicable rights (if applicable), without undue delay.

37

Article 6: Supplier’s Quality Assurance and Other Responsibilities

6.1 To facilitate direct communication, the Supplier shall provide ALCON with the contact details of its Data Protection Officer (if required by local laws) and specify them in Article 10. The Supplier shall promptly notify ALCON of any changes to the designated Data Protection Officer.

6.2 If any government, law enforcement, or regulatory authority requests access to or information about Personal Data, the Supplier shall notify ALCON in writing without undue delay (and no later than one (1) Business Day following the request), unless prohibited by Data Protection Laws or other applicable legal, regulatory, or judicial orders. The Supplier shall make commercially reasonable efforts to cooperate fully with ALCON in responding to such requests.

6.3 To the extent permitted by applicable law, if a Data Protection Authority or other competent authority initiates an inspection, takes enforcement action, or conducts an inquiry related to the processing of Personal Data under this Agreement, the Supplier shall notify ALCON immediately (and in any case within three (3) Business Days). This obligation also applies if the Supplier is under investigation or subject to proceedings for breaches of civil, criminal, or administrative laws or regulations concerning Personal Data related to this Agreement.

6.4 The Supplier shall provide ALCON with all necessary information to demonstrate compliance with its obligations under applicable Data Protection Laws and shall allow and facilitate audits as described in this Agreement and/or Annex B: Information Security Controls for Third Parties, including inspections conducted by ALCON or its authorized auditors. Where ALCON reasonably believes a Data Breach Incident has occurred, is occurring, or the Supplier has materially breached its obligations under this Agreement or applicable Data Protection Laws, ALCON may conduct an audit upon three (3) Business Days’ notice.

6.5 When processing Personal Data subject to the GDPR and acting as a Data Processor, the Supplier shall, considering the nature of the processing and the information available to the Supplier, provide ALCON (as the Data Controller) reasonable cooperation and assistance to ensure compliance with Articles 32 to 36 of the GDPR.

6.6 When the California Consumer Privacy Act of 2018 (CCPA) or its successor applies to the Personal Data processed under this Agreement, the Supplier shall act as a “service provider” for such Personal Data. The Supplier represents that it understands its obligations under the CCPA and shall comply with them.

38

Article 7: Subcontracting by the Supplier

7.1 For the purposes of this Data Protection Annex, subcontracting shall mean the delegation of services directly related to fulfilling the Supplier’s primary obligations involving the processing of Personal Data under this Agreement. Ancillary services such as telecommunications, postal, or transportation services are not considered subcontracting.

7.2 The Supplier acknowledges and agrees that the confidentiality, privacy, and security requirements under this Agreement shall also apply to any authorized Supplier subcontractors, temporary staff, or other third parties who receive Personal Data pursuant to this Agreement. Subcontracting agreements executed by the Supplier shall contain data protection provisions no less stringent than those outlined in this Data Protection Annex. The Supplier remains fully liable to ALCON for its subcontractors’ performance of obligations. If a Supplier subcontractor is involved in a Data Breach Incident, the Supplier shall, upon ALCON’s written request, provide a copy of the relevant subcontracting agreement within five (5) Business Days. The Supplier may redact confidential commercial terms, including pricing. ALCON may (a) oversee and inspect any subcontractor involved in the Data Breach Incident upon reasonable notice and (b) request information regarding the purpose and data protection obligations of the subcontract relationship at any time.

7.3 The Supplier shall not engage any additional subcontractors to process Personal Data subject to the GDPR without prior specific or general written authorization from ALCON. By executing this Agreement, ALCON grants general written authorization to the Supplier to engage the subcontractors listed in Appendix 2 for services provided under this Agreement.

7.4 The Supplier shall notify ALCON of any planned additions or replacements of subcontractors, allowing ALCON the opportunity to object to such changes. Notifications shall be submitted in electronic or written form to the ALCON contact designated in Article 10 of this Agreement. If ALCON objects to the proposed subcontractor assignment or replacement within twenty (20) Business Days of receiving prior written notice, the Supplier may propose commercially reasonable modifications to the service delivery to exclude the subcontractor from involvement. If ALCON does not accept such proposals, ALCON may terminate this Agreement pursuant to its termination provisions without incurring fault or liability.

7.5 If the Supplier’s subcontractors process Personal Data outside the jurisdiction of the Data Subject, the Supplier shall ensure compliance with applicable Data Protection Laws by implementing appropriate measures, including conducting due diligence and oversight and executing data transfer agreements incorporating the EU Standard Contractual Clauses (if applicable).

39

Article 8: Data Breach Incidents

8.1 During the processing of Personal Data, the Supplier shall notify ALCON in writing, pursuant to Article 10, without undue delay. For Data Breach Incidents, notification shall occur within forty-eight (48) hours (including any breach involving the facilities, systems, or equipment of Supplier subcontractors). The Supplier shall assist and cooperate with ALCON concerning notifications to affected parties, government agencies, or regulatory authorities and any other remedial measures requested by ALCON or required by law. The Supplier shall implement mutually agreed measures to prevent the continuation or recurrence of such Data Breach Incidents.

8.2 Except as required by applicable Data Protection Laws or other legal, regulatory, or judicial orders, the Supplier shall not disclose Data Breach Incidents to affected parties or government, law enforcement, or regulatory authorities without ALCON’s instruction. Notwithstanding the foregoing, in cases of physical damage to facilities or theft of equipment or documents, the Supplier may contact local police authorities.

8.3 The Supplier shall provide commercially reasonable assistance and cooperation to ALCON in making any required disclosures to affected parties or authorities, including notifying Data Subjects of the Data Breach Incident and offering credit monitoring services within a timeframe agreed upon with ALCON. The costs of such services shall be borne by the Supplier.

40

Article 9: Deletion and Return of Personal Data

9.1 The Supplier shall not make copies or duplicates of Personal Data without ALCON’s knowledge, except for backup copies necessary to ensure proper data processing or data retained to meet regulatory retention requirements.

9.2 Upon termination or expiration of this Agreement, or at ALCON’s written request at any time, the Supplier shall, at its own cost, either:

(a) promptly return all Personal Data to ALCON; or

(b) destroy all documents, materials, and other media containing Personal Data to the extent reasonably practicable, except for backup copies retained to comply with applicable laws or regulations, provided such copies are maintained in compliance with the confidentiality and security requirements of this Agreement.

Within twenty (20) Business Days following the termination or expiration of this Agreement or ALCON’s request, the Supplier shall provide a destruction certificate signed by an authorized Supplier representative overseeing the destruction process. If Data Protection Laws mandate longer retention periods, the Supplier shall inform ALCON accordingly.

Article 10: Notifications

10.1 Any notifications or communications related to this Annex, or addressed to the other party, shall be made in writing and submitted to the following:

● To ALCON: IT.Taiwan@ALCON.com

● To the Supplier: purchase-order@udn-pharm.com [Supplier’s Information Security Department Contact]

10.2 The provisions of Article 10.1 shall not apply to the service of legal process or to any documents related to legal proceedings, arbitration (if applicable), or other dispute resolution mechanisms.

41

ANNEX C - Appendix 1

Categories/Types of Data Concerning Data Subjects Subject to Processing:

Personal Data	Alcon Employees	Healthcare Professionals	Patients	Supplier Employees	Others: [Please specify]
Name	[    ]	[    ]	[    ]	[    ]	[    ]
Personal Contact Information (e.g., phone, email, social media accounts)	[    ]	[    ]	[    ]	[    ]	[    ]
Date of Birth / Age	[    ]	[    ]	[    ]	[    ]	[    ]
Nationality	[    ]	[    ]	[    ]	[    ]	[    ]
Credit Card / Bank Account Information	[    ]	[    ]	[    ]	[    ]	[    ]
Identification Numbers (e.g., passport number)	[    ]	[    ]	[    ]	[    ]	[    ]
Employment History / CV / Recruitment Information	[    ]	[    ]	[    ]	[    ]	[    ]
Marital Status / Civil Status	[    ]	[    ]	[    ]	[    ]	[    ]
Photos / Videos / Recordings	[    ]	[    ]	[    ]	[    ]	[    ]
Health Data (e.g., medical history, exams, diagnoses, health status, prescriptions, medical device information)	[    ]	[    ]	[    ]	[    ]	[    ]

42

Personal Data	Alcon Employees	Healthcare Professionals	Patients	Supplier Employees	Others: [Please specify]
Patient ID / Medical Record or Code ID / Clinical Trial Subject Code	[     ]	[     ]	[     ]	[     ]	[     ]
Physical Characteristics (e.g., height, weight)	[     ]	[     ]	[     ]	[     ]	[     ]
Genetic Data	[     ]	[     ]	[     ]	[     ]	[     ]
Biological Samples (e.g., blood, tissue, urine)	[     ]	[     ]	[     ]	[     ]	[     ]
Human Specimens (e.g., sample IDs)	[     ]	[     ]	[     ]	[     ]	[     ]
Biometric Features (e.g., fingerprints, retina scans)	[     ]	[     ]	[     ]	[     ]	[     ]
Meeting Attendance Records	[     ]	[     ]	[     ]	[     ]	[     ]
Dietary Preferences (e.g., halal, kosher)	[     ]	[     ]	[     ]	[     ]	[     ]
Criminal Background Checks / Legal Proceedings	[     ]	[     ]	[     ]	[     ]	[     ]
Geographic Location (e.g., location data, GPS data)	[     ]	[     ]	[     ]	[     ]	[     ]

43

Personal Data	Alcon Employees	Healthcare Professionals	Patients	Supplier Employees	Others: [Please specify]
Online Activities (e.g., browsing history, cookies, data analytics)	[     ]	[     ]	[     ]	[     ]	[     ]
Lifestyle Information (e.g., alcohol consumption habits)	[     ]	[     ]	[     ]	[     ]	[     ]
Personality Traits / Profiling Data	[     ]	[     ]	[     ]	[     ]	[     ]
Political Views or Activities	[     ]	[     ]	[     ]	[     ]	[     ]
Trade Union Membership, Opinions, or Activities	[     ]	[     ]	[     ]	[     ]	[     ]
Sexual Orientation / Life Preferences	[     ]	[     ]	[     ]	[     ]	[     ]
Race or Ethnicity	[     ]	[     ]	[     ]	[     ]	[     ]
Disabilities, Mobility & Special Needs	[     ]	[     ]	[     ]	[     ]	[     ]
IP Address / Device ID / Other Electronic IDs	[     ]	[     ]	[     ]	[     ]	[     ]
Others [Please specify]	[     ]	[     ]	[     ]	[     ]	[     ]

44

ANNEX C - Appendix 2

Authorized Subcontractors as of the Effective Date of this Agreement

45