Tumor-derived cell lines as pharmacogenomic models to predict therapeutic vulnerabilities in hepatocellular carcinoma

DATA ACCESS AGREEMENT These terms and conditions govern access to the managed access datasets to which the Data Recipient has requested access. The Data Recipient agrees to be bound by these terms and conditions. Definitions GDPR: This DAA ensures that both parties comply with the Regulation (EU) 2016/679 of the European Parliament and of the Council, known as the General Data Protection Regulation (herein referred to as the ‘GDPR’). Data: Data means pseudonymised research data, related metadata and associated documentation provided under this Agreement. Data Access/Transfer: Refers to an Institution’s right to request access to the Data and retrieve it from the Data Controller’s Institution upon approval of this DAA by the corresponding Data Access Committee (DAC) within the Data Controller’s Institution. Data Handling: Refers to an Institution’s ability to analyse and manipulate the Data within its own computer network. Data Controller(s): The Institution responsible for data generation and pseudonymization. Data Subject: Refers to any individual who is the source of any Data covered by this Agreement. Data Recipient (‘You’): The Institution that requests access to the Data through this Agreement. Authorized Personnel: The individual(s) at the Institution requesting Access to the Data. Research Project: The Project for which You have requested Access to the Data. Publications: Refers, without limitation, to any and all articles published in print journals, electronic journals, reviews, books, posters, and other written and verbal presentations of Research that have been accepted by peer review. FunGeST: This Data Access Agreement (DAA) has been developed for the FunGeST functional genomics projects, with the Centre de Recherche des Cordeliers (CRC) in Paris, France serving as the Data Controller. Terms and Conditions 1. Data Usage: The Data Recipient shall use the Data solely for the Research Project identified in this Agreement and strictly for research purposes, and shall not use the Data for any profit-making or commercial activities. 2. Confidentiality and Data Protection: The Data Recipient shall maintain the confidentiality of all information and Data relating to Data Subjects and shall not use the Data in any manner that compromises or violates the confidentiality or privacy of Data Subjects. The Data Recipient shall comply with all applicable data protection laws (including the GDPR and the French Data Protection Act) and the security measures set out in Clause 6. 3. Data Subject No Re-Identification: The Data Recipient shall not attempt to identify any Data Subject. 4. No Data Linking for Re-identification: The Data Recipient shall not link or combine the Data with other information in a way that could (re)identify Data Subjects, even where such other information is formally accessible or publicly available. 5. Usage Restrictions (Consent / Law / Policy): The Data Recipient shall comply with any use restrictions arising from informed consent, applicable law or regulation, and the Recipient’s institutional policies. 6. IT Security Measures: The Data Recipient shall implement and maintain up-to-date technical and organizational measures, including at a minimum: a) logging and auditing access to the Data and networks. b) password protection and/or strong encryption at rest and in transit; c) protection against viruses and malware; d) secure and tested backup procedures; e) role-based access control, least-privilege, and (where available) multi-factor authentication; f) incident response procedures (including containment, eradication, recovery, and post-incident review). 7. Project Duration: Access to the Data is granted only for the duration of the Research Project. Any new or different use requires prior written approval and a separate agreement. 8. Intellectual Property: No intellectual property rights in the Data are transferred under this Agreement. The Data Recipient shall not assert IP rights over the Data or use IP to restrict access to or use of the Data. The Data Recipient may generate results, analyses, or discoveries based on the Data and may seek IP over such results, provided that any licensing aligns with OECD principles and does not impede further academic research. 9. Warranties and Disclaimer: The Data are provided “as is”. The Data Controller makes no representations or warranties (express or implied) as to accuracy, completeness, fitness for a particular purpose, or non-infringement. 10. Liability and Indemnity: To the maximum extent permitted by law, neither Party shall be liable to the other for indirect, consequential, or incidental losses arising from use of the Data. Nothing in this Agreement excludes or limits liability for fraud, wilful misconduct, gross negligence, or breach of applicable data protection law. The Data Recipient remains responsible for its use of the Data and shall indemnify and hold harmless the Data Controller and Data Subjects from losses and claims arising from the Recipient’s breach of this Agreement, misuse of the Data, or violation of law. 11. Publication and Acknowledgement: The Data Recipient agrees that any publications, presentations, or disclosures based on the Data must appropriately cite the Data source. All papers or outputs must include the citations/acknowledgements specified for the relevant EGAD dataset ID. The list of required citations and acknowledgements will be provided along with the dataset and must be followed. 12. Personnel Compliance and Data Confidentiality: Use of the Data is restricted to the Data Recipient’s Institution and Authorized Personnel who are informed of and comply with this Agreement. The Data Recipient shall not disclose Data to third parties except where expressly permitted by the Research Project or with the Data Controller’s prior written consent. The Data shall not be transferred outside the Institution without prior written approval. External collaborators must first enter into a separate Data Access Agreement. 13. Amendments: No modification or waiver of this Agreement is valid unless in writing and signed by duly authorized representatives of both Parties. 14. Security Incidents: In the event of a personal-data breach or security incident affecting the Data, the Data Recipient shall notify the Data Controller without undue delay and in any event within 72 hours of becoming aware, provide all relevant information, cooperate in containment and remediation, and maintain appropriate records. The notification shall include: (i) a description of the nature of the incident, (ii) categories and approximate number of data subjects and records concerned, (iii) likely consequences, (iv) measures taken or proposed to address the incident, and (v) a contact point for further information (e.g., the Recipient’s DPO). Notifications shall be sent to: Jessica.zucman-rossi@inserm.fr. 15. Termination and Post-Termination Duties: This Agreement may be terminated immediately for material breach, or upon completion or termination of the Research Project. Upon termination or expiry, the Data Recipient shall cease all use of the Data and, at the Data Controller’s option, securely delete or return the Data and all copies, subject to mandatory retention laws. Within 30 days of termination or expiry, the Data Recipient shall return or securely destroy all Data and certify destruction in writing (name, role, date, method), unless retention is required by mandatory law (and then only for the minimum period and securely archived). Clauses 2–6, 8–12, 14–18 survive termination. 16. Use of Name and Logos: Neither Party shall use the other’s name, trademarks, or logos in any publicity, or advertising, or news release without prior written approval. Each Party may disclose factual information about the existence and purpose of this Agreement, provided such statements are accurate, describe the relationship of the parties and do not imply endorsement. 17. Dispute Resolution; Urgent Relief: The Parties shall first seek to resolve disputes amicably within 60 days of written notice. Nothing in this clause prevents either Party from seeking urgent injunctive or equitable relief in any court of competent jurisdiction. 18. Governing Law and Jurisdiction: This Agreement, and any non-contractual obligations arising out of or in connection with it, shall be governed by and construed in accordance with the laws of France. The courts of Paris, France shall have exclusive jurisdiction to settle any dispute arising out of or in connection with this Agreement. 19. Cross‑Border Data Transfers: Any transfer of Data outside the EU/EEA or the UK shall rely on appropriate safeguards under applicable law (including EU Standard Contractual Clauses and/or the UK IDTA/Addendum, as applicable). The Data Recipient shall not engage any subprocessor or external service provider for Data hosting or processing without the Data Controller’s prior written consent and a written agreement imposing security and confidentiality obligations no less protective than this Agreement. 20. Boilerplate 20.1 Entire Agreement. This Agreement constitutes the entire agreement between the Parties with respect to its subject matter and supersedes all prior understandings. 20.2 Severability. If any provision is held invalid or unenforceable, the remainder shall continue in full force and effect. 20.3 Assignment. Neither Party may assign this Agreement without the other Party’s prior written consent, except to a successor in connection with a merger or reorganization that assumes all obligations herein. 20.4 Notices. Notices under this Agreement shall be in writing and delivered by email and/or registered mail to the notice contacts most recently notified in writing by each Party to the other. Each Party’s initial notice details shall be those specified in the Section I or in the signature block. Either Party may update its notice details by written notice; such update is effective upon receipt. 20.5 Governing Language. If this Agreement is translated, the English version shall prevail.