Ni_Vanuatu_Omni2.5

Every data access request will be reviewed by the EVOVAN Data Access Commitee, after the Recipient's Institution has signed the Data Access Agreement. The data reported in this project must be used only for academic research purposes. The reported data must not be used for any purpose of re-identification of individual participants. The Recipient and its Institution agrees to preserve, at all times, the confidentiality and security of the data.

DATA ACCESS AGREEMENT TERMS AND CONDITIONS 1. Definitions In addition to the terms “Agreement”, “Data” and “Research” defined above, the following definitions shall apply for the purpose of this Agreement: • “Confidential Information” is any information communicated by one Party to the other Party that can reasonably be considered confidential or was identified as such. It shall not include information for which the receiving Party can duly demonstrate that it was: i. generally known to the public at the time of disclosure, or thereafter through no act or failure on the part of the receiving Party, ii. already in the receiving Party’s possession at the time of disclosure to by the disclosing Party, iii. disclosed to the receiving Party on a non-confidential basis by a third party having the right to make such disclosure, iv. independently developed by the receiving Party without the use of Confidential Information, v. required to be disclosed by law or governmental rule or regulation or a judicial decision. • “GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of data on the free movement of such data. • “Project” means “Evolutionary History and Population Genetics of Melanesian Populations: The case of Vanuatu” performed by IP. • “Personal Data Legislation” means any and all regulation pertaining to privacy and data protection and in particular the GDPR, rules, guidelines and regulatory requirements in force from time to time, and as updated from time to time, which apply to a Party relating to the use of data and the privacy of electronic communications. • “UE Clauses” means the standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council and in particular the standard contractual clauses applicable to Data transfer from a data controller to a controller (link). 2. Purpose and scope of use of Data 2.1. Data will be provided to Recipient under the terms and conditions set forth in this Agreement. This Agreement is formed by the following documents: - These terms and conditions; - The contents of the application form; - Exhibit 1 (data processing description); - Exhibit 2 (security measures); - Exhibit 3 (description of the Research). 2.2. Data shall be used: - By Recipient solely to perform the Research the scope of which cannot be extended without prior written consent of IP; - By Recipient institution and on an individual level by Recipient Scientist and the approved scientists listed in Exhibit 3 and the case being third party processors (appointed by Recipient and in accordance with this Agreement). No other right or license is granted or implied herein. 2.3. Data shall not be distributed to third parties without IP’s prior written authorization. The Recipient shall not use the Data for commercial purposes. Recipient further agrees not to use, or offer to use, the same for research collaboration or services of any kind with any for-profit or non-for-profit entity. Recipient shall promptly inform IP of any request or offer from any for-profit or non-for-profit entity to have the Data used for research collaboration or services of any kind. 2.4. During the term of this Agreement, the Applicant shall provide IP with: 1. a report (with a summary section) setting out in reasonable detail the progress of the Research at the term of this Agreement (from the last date of signature of this Agreement) which shall include the results has made which in its reasonable view may be: (a) published or pending publication; (b) disclosed in a published patent; or (c) otherwise of significance (in the context of medical research); and 2. a summary (and a copy of the application if requested) of any patents whose claims cover, or are intended to cover, an invention within two (2) months of their publication. 3. Compliance with applicable regulations – data protection 3.1. Recipient shall use Data in compliance with any applicable regulation in particular the Data Protection Legislation. 3.2. For the purpose of this Agreement, the Parties are independent data controllers. As such, each Party shall be individually and separately responsible for complying with the Data Protection Legislation. 3.3. In the case where Recipient is located outside of (i) the European Union or (ii) a territory which ensures an adequate level of protection as recognized by the European Union, the parties shall execute the EU Clauses, along with the Data transfer. Such EU Clauses shall be incorporated to this Agreement. In case of contradiction between the terms of this Agreement and the terms of the EU Clauses, the latter shall prevail. In accordance with the GDPR and the European Commission guidelines, the Parties agree to put in place any additional or supplementary measures where appropriate. This clause is a material provision of this Agreement. 3.4. Recipient shall perform the Research in compliance with any and all applicable laws, regulations, guidelines and approvals including any approval required by a research ethics committee (national ethics committee and/or Institutional review board). 3.5. Upon request of IP, Recipient shall promptly communicate any document demonstrating its compliance with the above clauses. 3.6. Recipient shall not use the Data, either alone or in concert with any other information/dataset, to identify or contact individual participants from whom Data were collected. 3.7. Recipient shall not use the Data or publish any Research results in a way that might promote the discrimination or stigmatization of a social or ethnic group, including indigenous peoples and local communities who participated in the study. This clause is a material provision of this Agreement. 4. Confidentiality Subject to clause 5, any Confidential Information shall be treated as confidential and maintained in confidence by the receiving Party during the term of this Agreement and for a period of five (5) years after the termination or expiration of this Agreement. Recipient Scientist may only disclose Confidential Information to those Recipient employees who need it to perform the Research. 5. Results and publications 5.1. Subject to the rights of third parties, IP shall remain the sole holder of rights and interests related to Data as well as any intellectual property rights. 5.2. Recipient will own the results of its Research. Recipient hereby grants a perpetual, irrevocable, worldwide, fully paid up, royalty free, fully sub-licensable non-exclusive license to IP to use, reproduce, distribute, publish, store and otherwise disseminate the Research results. 5.3. Notwithstanding the foregoing, Recipient acknowledges that Data has been generated during the Project using charitable and public funding and with the ethics approval of the competent national ethics committee, which allows the sharing of Data to conduct health-related research with public interest purposes. 5.4. Considering clause 5.3, Recipient shall not file any patent or claim any intellectual property rights in the Data provided by IP or which has been generated by Recipient. 5.5. Recipient shall make its best efforts to publish the Research results within eight (8) months following the end of the Research in an academic journal. 5.6. In the event Recipient chooses to publish or in any way publicly disclose Research results, the Recipient shall provide IP with a copy of a manuscript or presentation at least thirty (30) days prior to submitting the said manuscript for publication or presentation in order to allow IP an opportunity to protect its Confidential Information or intellectual property rights. IP’s failure to respond within thirty (30) days shall constitute consent for the purpose of this article. 5.7. Recipient agrees to acknowledge IP as the supplier of the Data and shall credit all IP contributions to the Research and results, including by co-authorship where appropriate. In addition, Recipient shall follow the publication rules as agreed with the competent authorities and ethics committees in relation with the sharing of Data generated during the Project, in particular the acknowledgement of all the cultural communities engaged in the Project. 6. Waivers, warranties and representations The Data is provided to the Recipient for the sole purpose of performing the Research. The Data is experimental in nature, may not be safe and may have unknown characteristics. IP makes no representation and provides no warranties, express or implied, regarding the Data, including without limitation, warranties of merchantability and fitness for a particular purpose. IP disclaims all express or implied warranties that the Data do not infringe patents or other proprietary rights of third parties or that the Data or that the results of the Research can be subject to intellectual property protection. To the extent permitted by applicable law, (i) the Recipient assumes all liability for damages that may arise from its use, storage, or disposal of the Data and (ii) IP will not be liable to the Recipient for any loss, claim or demand made by the Recipient, or made against the Recipient by any other party, due to or arising from the same, except when and to the extent caused by the gross negligence or willful misconduct of IP. 7. Miscellaneous 7.1. The Agreement supersedes any prior agreement, written or oral, between the Parties on the same subject matter. 7.2. This Agreement, together with documents referred to herein, are binding upon the Parties and their respective legal successors. 7.3. This Agreement may be amended only by a written amendment signed by the Parties. 7.4. If any term, provision or condition of this Agreement shall be held by a court of competent jurisdiction to be invalidated, unenforced or rendered void, the remainder of this Agreement shall remain in full force and effect. 7.5. The failure or neglect of a Party, at any time, to require performance from another Party of any provision hereof, shall not in any way affect the right to require such performance at any time thereafter. The waiver by a Party to denounce any breach of any provision hereof shall not be held to be a waiver to denounce any subsequent breach of the same provision or of any other provisions hereof. 7.6. No Party shall be liable to the other Parties for any failure under this Agreement, if such failure arises from, directly or indirectly, out of causes reasonably beyond the direct control or foreseeability of such Party, including but not limited to, acts of the public enemy, labor, fire, flood, epidemic, pandemics, such as the pandemic of Covid-19 and its variants, and strikes. The Party prevented from fulfilling its obligations must inform the other Parties hereof in writing and the Parties will jointly agree on necessary actions due to the non-fulfilment. 7.7. The Parties are independent contractors. Nothing contained in this Agreement or the performance thereof is intended to or shall be construed to create any relationship of agency, partnership, or joint venture between the Parties. 7.8. The Parties may sign and deliver this Agreement by electronic transmission. Each Party agrees that the delivery of this Agreement by electronic transmission shall have the same force and effect as delivery of original signatures and that each Party may use such electronic signatures as evidence of the execution and delivery of this Agreement by the Parties to the same extent that an original signature could be used. The signature of a Party via a scanned image of a handwritten signature (scan in PDF format) shall have the same force and effect as an original handwritten signature for the purposes of validity, enforceability and admissibility. 8. Termination 8.1. IP shall have the right to terminate this Agreement at any time if Recipient breaches any of the terms, covenants or conditions of this Agreement. 8.2. Upon termination or expiration of this Agreement, Recipient shall immediately discontinue its use of the Data and destroy any Data. A certificate of destruction shall be sent to IP duly signed by Recipient’s legal representative. Confidential Information must also be returned or destroyed, except for one archival copy. 9. Dispute resolution, applicable law and competent jurisdiction 9.1. This Agreement shall be governed and construed in accordance with the laws of France, without reference to conflict of laws principles. 9.2. The Parties shall attempt in good faith to settle any disputes relating to this Agreement, its interpretation or enforceability. Should this attempt fail to be amicably settled within three (3) months from the notification of the dispute by a Party to the other Party, such dispute shall be submitted to the competent court of Paris, France. DATA SECURITY MEASURES The Recipient must: • Use the downloads platform provided and validated by IP. • Respect the instructions given by IP to use the downloads platform. • Protect the passwords and secrets (encryption key, etc.) provided by IP, among other things: o The account granted by IP is private and cannot be shared with another person; o A password is private and must never be shared, including with an administrator; o Access to a secret must be limited to authorised persons only; o A password or a secret stored must be encrypted in conformity with the Référentiel Général de Sécurité (RGS) published by the ANSSI (French information system security agency). • Notify IP as soon as the data necessary for the conduct of the research are downloaded from the download platform. • Notify IP whenever a Recipient leaves the research project/the Institution through which he/she was granted access to the download platform. • Download the data from a secure workstation: o The workstation must be up to date and kept up to date; o The workstation must have software that contributes to its security (firewall, antivirus, etc.); o The workstation must be protected against unwanted access (authentication , password policy, automatic session locking, encryption, etc.). Storage and processing The recipient must store and use the data in a secure environment to ensure their availability, confidentiality and integrity, and protect them from unauthorised use and disclosure. To protect the information system and data against attacks that could affect its availability, integrity and confidentiality, a risk analysis must be conducted to identify and implement appropriate measures. The Recipient must: • Ensure that all the Recipient scientists are informed of the terms of this Agreement. • Make Recipient scientists aware of the risks associated with information systems and the data they process, and maintain this awareness over the long term. • Keep the information system up to date and apply the necessary security patches • Restrict data access to the approved Recipient scientists listed in Exhibit 3 and the case being third party processors (appointed by Recipient and in accordance with this Agreement), among other things: o Authenticate users accessing the information system. The authentication methods must comply with the state of the art2; o Limit the privileges of users in accordance with their accreditation; o Review the access rights and accreditations of users accessing the data, in the event of departure or change of function. • Ensure that the Licensed Dataset are not stored on any mobile device (a laptop, smartphone, or hard drive) unprotected. Mobile devices and workstations must be: o Encrypted in conformity with the Référentiel Général de Sécurité1 (RGS) published by the ANSSI o Protected against unwanted access (authentication2, automatic session locking, etc.). o Stored in a secure location, limiting access to authorised persons only. • Exchange data with a system ensuing a secured protocol with data encrypted and users authenticated. • Never share the data downloaded with other people not approved, including other entities and partners of the project. They must download the data via their own account. • Notify IP in case of a security incident that may have an impact on the Data. • Require and control the level of security implemented by its subcontractors, as well as the protection and respect of data confidentiality, so that the level of security implemented by its subcontractors is not inferior to its own. It is not possible to use subcontractors without IP’s prior written authorization. • Immediately discontinue, upon termination or expiration of this Agreement, its use of the Data and destroy any Data. A certificate of destruction must be sent to IP duly signed by Recipient’s legal representative. Data must be deleted from all back up. • Do never make any copy of the data. All the rules mentioned above apply to any modified versions of the data.