Data Processing Agreement (DPA)

Version 1.0 – 26th January 2026

TABLE OF CONTENTS:

  1. Purpose and Scope

  2. Definitions

  3. Description of the Processing

  4. Controller Obligations

  5. Processor Obligations

  6. Anonymisation, Service Improvement and Market Metrics

  7. Sub-Processing

  8. International Transfers

  9. Security of Processing

  10. Personal Data Breach Notification

  11. Data Subject Rights

  12. Audits

  13. Deletion or Return of Data

  14. Liability

  15. Governing Law

  16. Appendices

Appendix 1 – Description of the Processing

Appendix 2 – Technical and Organisational Measures

Appendix 3 – Sub-Processors

Appendix 4 – Operational and Derived Data

Appendix 5 – Norwegian Healthcare Legislation Addendum

  1. Purpose and Scope

    This Data Processing Agreement (“DPA”) forms an integral part of the agreement governing access to and use of the MedCube Platform (the “Agreement”) entered between the Partner identified in the Agreement (the “Controller”) and MedCube AS, org. no. 933 336 883, with registered address at Kongleveien 27, 1804 Bodø, Norway (“MedCube” or the “Processor”).


    This DPA governs the Processing of Personal Data by MedCube on behalf of the Partner in connection with the provision of the MedCube Platform and related services.


    The DPA is intended to ensure compliance with Regulation (EU) 2016/679 (General Data Protection Regulation – GDPR) and applicable national data protection laws within the European Economic Area (EEA).


    Where the Processing involves health data or activities subject to sector-specific healthcare legislation, additional requirements may apply as set out in Appendix 5.


    This DPA applies to all Processing of Personal Data performed by the Processor on behalf of the Controller under the Agreement and satisfies the requirements of Article 28(3) GDPR.

  2. Definitions

    Capitalised terms not defined in this DPA shall have the meaning given to them in the GDPR.

  3. Description of the Processing

    The subject matter, nature, purpose and duration of the Processing, as well as categories of Personal Data and data subjects, are described in Appendix 1.

  4. Controller Obligations

    The Controller is responsible for ensuring a lawful basis for Processing, providing lawful and documented instructions, complying with transparency obligations, and ensuring compliance with applicable healthcare legislation where relevant.

  5. Processor Obligations

    The Processor shall Process Personal Data only on behalf of and in accordance with documented instructions from the Controller and solely to the extent necessary to provide the services under the Agreement. The Processor shall ensure the confidentiality of Personal Data, implement appropriate technical and organisational measures, and assist the Controller in meeting its obligations under Articles 32–36 GDPR.

  6. Anonymisation, Service Improvement and Market Metrics

    MedCube may Process Personal Data to generate anonymised and aggregated data sets for service optimisation, quality assurance, safety analysis, operational planning, development of the Services, and the creation of aggregated market measurement, benchmarking, and performance metrics. Such metrics may be made available to Partners to allow each Partner to assess its own performance relative to anonymised platform-wide data. Once anonymised, such data no longer constitutes Personal Data under the GDPR.

  7. Sub-Processing

    Given the cloud-based nature of the MedCube Platform and the operational requirements of delivering a scalable, continuously available service, the Controller grants the Processor a general authorisation to engage Sub-processors to assist in fulfilling its obligations under the Agreement.


    The current list of Sub-processors is set out in Appendix 3. The Processor shall notify the Controller at least thirty (30) days in advance of any intended changes to that list concerning the addition or replacement of Sub-processors, thereby giving the Controller sufficient opportunity to object to such changes prior to the engagement of the relevant Sub-processor(s). The Processor shall provide the Controller with the information necessary to enable the Controller to exercise the right to object. If the Controller does not object within such period, the new Sub-processor shall be deemed accepted.


    If the Controller objects on reasonable grounds relating to the protection of Personal Data, the Parties shall negotiate in good faith to resolve the matter. If no resolution is reached within thirty (30) days of the objection being raised, the Controller may: (a) terminate the Agreement in accordance with its terms; (b) cease using the specific service for which the Sub-processor was engaged; or (c) where applicable, migrate the relevant Personal Data to another region where the Processor does not use the objected-to Sub-processor. If the Controller objects but does not pursue any of the options set out in (a), (b) or (c) above and the Processor has not received any notice of termination within the thirty (30) day period, the Controller shall be deemed to have accepted the new Sub-processor. Any termination under this Section 7 shall be deemed to be without fault by either Party and shall be subject to the terms of the Agreement.


    Where the Processor engages a Sub-processor to carry out specific Processing activities on behalf of the Controller, the Processor shall impose on that Sub-processor, by way of a written contract, data protection obligations equivalent to those set out in this DPA, in particular requiring the Sub-processor to provide sufficient guarantees to implement appropriate technical and organisational measures such that the Processing meets the requirements of the GDPR. Where the Sub-processor fails to fulfil its data protection obligations, the Processor shall remain fully liable to the Controller for the performance of the Sub-processor's obligations.

  8. International Transfers

    Any transfer of Personal Data to a third country or an international organisation by the Processor shall be made only on the basis of documented instructions from the Controller, or in order to fulfil a specific requirement under EU or Member State law to which the Processor is subject, and shall take place in compliance with Chapter V of the GDPR.

  9. Security of Processing

    The Processor shall implement at least the technical and organisational measures specified in Appendix 2 to ensure the security of the Personal Data. This includes protecting the data against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, the data (a Personal Data Breach). In assessing the appropriate level of security, the Parties shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purposes of Processing, and the risks involved for the data subjects.


    The Processor shall grant access to the Personal Data undergoing Processing to members of its personnel only to the extent strictly necessary for implementing, managing and monitoring the Agreement. The Processor shall ensure that persons authorised to Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

  10. Personal Data Breach Notification

    MedCube shall notify the Controller without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a Personal Data Breach affecting Personal Data Processed under this DPA. For the purposes of this Section, MedCube shall be deemed to have become aware of a Personal Data Breach when its security personnel have confirmed that an incident constitutes a Personal Data Breach. The notification shall include, to the extent then known:

    1. the nature of the Personal Data Breach, including the categories and approximate number of data subjects and Personal Data records concerned;

    2. the likely consequences of the Personal Data Breach;

    3. the measures taken or proposed to address the Personal Data Breach; and

    4. the contact point for further information.

    Where full information is not immediately available, MedCube may provide information in phases as it becomes available.


    The Controller shall remain solely responsible for any notifications to supervisory authorities required under Article 33 GDPR and to data subjects required under Article 34 GDPR. Upon request, MedCube shall provide reasonable assistance to the Controller in preparing and fulfilling such notification obligations.


    MedCube shall maintain records of Personal Data Breaches in accordance with Article 33(5) GDPR and shall make such records available to the Controller upon reasonable request.

  11. Data Subject Rights

    MedCube shall assist the Controller with data subject rights requests and forward any such requests received directly without undue delay.

  12. Audits

    The Controller may, at its own cost and with reasonable prior notice, conduct audits of the Processor's compliance with this DPA. Audits are limited to once per twelve (12) months unless a material breach has been identified, and shall not unreasonably disrupt the Processor's operations.

  13. Deletion or Return of Data

    Upon termination of the Agreement, Personal Data shall be returned or deleted at the Controller’s choice, unless retention is required by applicable law.

  14. Liability

    Liability under this DPA shall be subject to the limitations set out in the Agreement unless mandatory law requires otherwise.

  15. Governing Law

    This DPA shall be governed by the law specified in the Agreement.

  16. Appendices

Appendix 1 – Description of the Processing

Appendix 2 – Technical and Organisational Measures

Appendix 3 – Sub-Processors

Appendix 4 – Operational and Derived Data

Appendix 5 – Norwegian Healthcare Legislation Addendum

Appendix 1 – Description of the Processing

  1. Purpose

    • Provision of a secure cloud-based platform for coordination, execution, documentation, and administration of medical transport missions and related healthcare services.
  2. Categories of Data Subjects

    • Patients, relatives, healthcare professionals, medical escorts, Partner employees, authorised users, and representatives of Network Providers.
  3. Categories of Personal Data

    • Identification and contact details, professional credentials, booking and mission data, logistics and routing data, communications, and health and medical information (special category data).
  4. Duration of Processing

    • For the duration of the Agreement and in accordance with the Controller’s instructions.

Personal Data is not processed for analytics, benchmarking, or training purposes beyond what is necessary for service provision; such activities are performed only on anonymised data as described in Appendix 4.

Appendix 2 – Technical and Organisational Measures

MedCube implements appropriate technical and organisational measures including:

  • Role-based access control and least-privilege access

  • Strong authentication and secure session management

  • Encryption of data in transit (TLS 1.2+) and at rest

  • Logging, monitoring, and audit trails

  • Backup, disaster recovery, and business continuity

  • Incident detection, response, and breach notification

  • Secure development and change management

Appendix 3 – Sub-Processors

  1. Use of Sub-processors

    MedCube may engage third-party sub-processors to Process Personal Data on behalf of the Controller in connection with the provision, operation, maintenance, and support of the MedCube Platform.


    All sub-processors are engaged in accordance with Section 7 of this DPA.

  2. Categories of Sub-processors

    Sub-processors may include providers within the following categories:

    • Cloud infrastructure and hosting providers

    • Data storage and backup providers

    • Software development, maintenance, and operational support providers

    • Security, monitoring, and incident management service providers

    • Customer support and communication service providers

  3. Approved Sub-processors at the Time of Entry into This DPA

    As of the effective date of this DPA, MedCube uses the following sub-processors that may Process Personal Data:

    • Amazon Web Services (AWS) – cloud infrastructure and hosting

    • Onedb Service Delivery Ltd – software development and operational support

  4. Updates to Sub-processors

MedCube shall maintain an up-to-date list of sub-processors and shall notify the Controller in advance of any intended material changes to that list, including the addition or replacement of sub-processors, in accordance with Section 7 of this DPA.


The Controller may object to such changes on reasonable data protection grounds within the period specified in Section 7.

Appendix 4 – Operational and Derived Data

Purpose

To enable service optimisation, safety analysis, quality assurance, benchmarking, analytics, and development of the MedCube Platform.

Derived Data

Derived anonymised and aggregated data may include, for example:

  • Mission categories and transport types

  • Equipment classes and staffing models

  • Routing, timing, and cost bands

  • Outcome and performance metrics

Safeguards

MedCube applies safeguards to ensure that derived data:

  • is irreversibly anonymised

  • cannot be used to identify individuals, Partners, or specific missions

  • is not combined with other data to enable re-identification

Permitted Use

Derived data may be used solely for:

  • analytics and reporting

  • benchmarking and performance comparison

  • service improvement and development

  • development, testing, and training of models using anonymised data only

Appendix 5 – Norwegian Healthcare Legislation Addendum

This Appendix applies where the Processing is subject to Norwegian healthcare legislation. In that case the Processing shall also comply with the Norwegian Personal Data Act, the Patient Records Act, and the Health Data Filing Systems Act.


Where this Appendix applies, the Processing of health data shall be subject to heightened access controls, logging, retention rules, and security measures, which constitute the highest level of data protection required under this DPA.