Whole-transcriptome characterization of cell-free RNA (cfRNA) in cancer and non-cancer patients

GRAIL Data Access Agreement

DATA ACCESS AGREEMENT These terms and conditions govern access to and processing of the managed access datasets (details of which are set out in Appendix I) to which the User Institution has requested access. The User Institution agrees to be bound by these terms and conditions and any appendices or addenda hereto, which are hereby incorporated (collectively, the “Agreement”). Definitions Authorised Personnel: Only those individuals employed at the User Institution to whom the GRAIL Data Access Review Committee grants access to the Data. This is limited to the User, the individuals listed in Appendix II and any other individuals at User Institution for whom the User Institution subsequently requests access to the Data and to whom GRAIL Data Access Review Committee agrees in writing to grant access. Data: The managed access datasets to which the User Institution has requested access. Data Producer: GRAIL, which is responsible for the development, organization, and oversight of these Data through the GRAIL Data Access Review Committee. External Collaborator: A collaborator of the User, working for an institution other than the User Institution. GRAIL: Means GRAIL, Inc. a Delaware company, with offices at 1525 O’Brien Drive, Menlo Park, CA 94025 GRAIL Data Access Review Committee: Means the access committee consisting of representatives from GRAIL to govern and decide whether to approve access to the Data for a particular Project. Project: The project for Research Purposes for which the User Institution has requested access to these Data, as set out expressly in Appendix II. Publications: Includes, without limitation, articles published in print journals, electronic journals, reviews, books, posters and other written and verbal presentations of research. Representative: An individual on the GRAIL Data Access Review Committee, or his or her designee, as may be specified in Appendix I. Research Participant: An individual whose data form part of these Data. Research Purposes: Shall mean research that is seeking to advance the understanding of genetics and genomics, including the treatment of disorders, and work on statistical methods that may be applied to such research. User: The principal investigator for the Project. User Institution(s): The Institution that has requested access to the Data. 1. The User Institution agrees to not to use these Data except for the purpose of the Project, which, for clarity is only for Research Purposes. The User Institution further agrees that it will only use these Data for Research Purposes. For clarity, Research Purposes expressly excludes use of any Data for any activity undertaken for or directed to commercial gain, including product development. 2. The User Institution agrees to preserve, at all times, the confidentiality of these Data. In particular, it undertakes not to use, or attempt to use these Data to compromise or otherwise infringe the confidentiality of information on Research Participants. Without prejudice to the generality of the foregoing, the User Institution agrees to perform in accordance with the Privacy and Data Security Addendum set out in Attachment 1 (the “Data Addendum”) with respect to any Processing (as defined in the Addendum) of Data. 3. The User Institution agrees to protect the confidentiality of Research Participants in any research papers or publications that User Institutions prepares by taking all reasonable care to limit the possibility of identification of Research Participants. 4. The User Institution agrees not to link or combine these Data to other information or archived data available in a way that could re-identify the Research Participants, even if access to that data has been formally granted to the User Institution or is freely available without restriction. 5. The User Institution agrees not to transfer or disclose these Data, in whole or part, or any material derived from these Data, except to the Authorised Personnel. User Institution shall not share these Data with an External Collaborator. Any External Collaborator must complete a separate application for access to these Data. 6. The User Institution agrees that the Data Producer, and all other parties involved in the creation, funding or protection of these Data: a) make no warranty or representation, express or implied as to the accuracy, quality or comprehensiveness of these Data; b) exclude to the fullest extent permitted by law all liability for actions, claims, proceedings, demands, losses (including but not limited to loss of profit), costs, awards damages and payments made by the Recipient that may arise (whether directly or indirectly) in any way whatsoever from the Recipient’s use of these Data or from the unavailability of, or break in access to, these Data for whatever reason and; c) bear no responsibility for the further analysis or interpretation of these Data. 7. The User Institution agrees to follow the Fort Lauderdale Guidelines (http://www.wellcome.ac.uk/stellent/groups/corporatesite/@policy_communications/documents/web_document/wtd003207.pdf ) and the Toronto Statement (http://www.nature.com/nature/journal/v461/n7261/full/461168a.html). This includes but is not limited to recognising the contribution of the Data Producer and including a proper acknowledgement in all reports or publications resulting from the use of these Data. 8. The User Institution agrees to follow the Publication Policy in Appendix III. This includes respecting the moratorium period for the Data Producer to publish the first peer-reviewed report describing and analyzing these Data. 9. The User Institution agrees not to make intellectual property claims on these Data and not to use intellectual property protection in ways that would prevent or block access to, or use of, any element of these Data, or any discovery or conclusion drawn directly or indirectly from these Data. In the event User Institution does make such claims or uses in the ways prohibited in this section above, the User Institution hereby grants to GRAIL a non-exclusive, worldwide, royalty-free, fully sublicensable license to any resulting or related intellectual property rights, including in any such Data related claims and in any such discoveries or conclusions. 10. The User Institution will notify Representative within 30 days of any changes or departures of Authorised Personnel. 11. Without limiting anything in the Addendum, the User Institution will notify Representative if it desires to make any significant changes to the Project. 12. The User Institution will notify Representative as soon as it becomes aware of a breach of the terms or conditions of this Agreement. 13. GRAIL or Representative may terminate this Agreement by written notice to the User Institution. 14. The User Institution accepts that it may be necessary for the Data Producer to alter the terms of this Agreement from time to time. As an example, this may include specific provisions relating to the Data required by Data Producer other than GRAIL. In the event that changes are required, the Data Producer, or Representative, or a designee will contact the User Institution to inform it of the changes and the User Institution may elect to accept the changes or terminate the Agreement. 15. The User Institution agrees to distribute a copy of these terms to the Authorised Personnel. The User Institution will procure that the Authorised Personnel comply with the terms of this Agreement. 16. This agreement (and any dispute, controversy, proceedings or claim of whatever nature arising out of this agreement or its formation) shall be construed, interpreted and governed by the laws of the State of California and shall be subject to the exclusive jurisdiction of the courts located in the State of California. APPENDIX I – DATA DETAILS Dataset reference (EGA Study ID and Dataset Details): EGAS00001004704 The dataset is comprised of primary sequencing data as well as phenotypic data. The files include collapsed bams for plasma and tissue samples. Name of project that created the Data: A comprehensive characterization of the cell-free transcriptome reveals tissue- and subtype-specific biomarkers for cancer detection Name of Representative: Matthew Larson Specific limitations on areas of research: GRAIL Data Access Review Committee may specify additional limitations on areas of research with respect to the Data from time to time. User Institution will be informed of any such limitations and the User Institution may elect to accept the limitations or terminate the Agreement. Minimum protection measures required: File access: Data can be held in unencrypted files on an institutional compute system, with Unix user group read/write access for one or more appropriate groups but not Unix world read/write access, behind a secure firewall. Laptops holding these data should have password protected logins and screenlocks (set to lock after 5 min of inactivity). If held on USB keys or other portable hard drives, the data must be encrypted. APPENDIX II – PROJECT DETAILS (to be completed by the Requestor) Details of Data requested i.e., EGA Study and Dataset Accession Number Brief abstract of the Project in which the Data will be used (500 words max) All Individuals who the User Institution to be named as registered users All Individuals that should have an account created at the EGA APPENDIX III – PUBLICATION POLICY GRAIL intends to publish the results of its analysis of this Data and do not consider its deposition into public databases to be the equivalent of such publications. GRAIL anticipates that the Data could be useful to other qualified researchers for a variety of purposes. However, some areas of work are subject to a publication moratorium. The publication moratorium covers any publications that describe the use of the dataset, and neither User Institution nor any User shall make any disclosures (including press releases) or publications (including abstract, poster, or oral communications) that describe the use of the Data or results of the Project, except as permitted herein. For research papers, abstracts, or poster/oral communications, submission for publication or presentation by User Institution and/or User shall not occur until 18 months after these Data and analyses therefrom are first made public in manuscript by GRAIL (at which point the moratorium is deemed to have ended), unless the Representative has provided written consent to earlier submission. In any publications based on these Data, please describe how the Data can be accessed, including the name of the hosting database (e.g., The European Genome-phenome Archive at the European Bioinformatics Institute) and its accession numbers (e.g., EGAS00001004704), and acknowledge its use in a form reviewed and approved by the User Institution via the Representative prior to publication. Privacy and Data Security Addendum This Privacy and Data Security Addendum (this “Addendum”) is made a part of the GRAIL Data Access Agreement entered into by and between GRAIL and User Institution(the "Underlying Agreement"). Capitalized terms used in this Addendum and not otherwise defined shall have the meaning set forth in the body of the Underlying Agreement. To the extent this Addendum and the Underlying Agreement contain any terms that conflict regarding the Processing of Data (as each term is defined below), this Addendum will govern with regard to such conflict. RECITALS WHEREAS, User Institution endeavors to use Data to perform the Project and GRAIL has agreed to make Data available to User Institution for use in conducting, or in furtherance of, the Project subject to the terms and conditions set forth below. NOW, THEREFORE, in consideration of the above, and of the mutual covenants and promises contained herein and other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the parties agree as follows: 1. DEFINITIONS 1.1. “Applicable Privacy and Data Security Laws” means laws, orders, regulations, or other requirements with similar effect of any governmental authority that limit, restrict, or otherwise govern the collection, use, disclosure, security, storage, protection, or disclosure of Data. 1.2. “Data Breach” means any: (i) compromise of the security, confidentiality or integrity of, unauthorized access to, unauthorized acquisition of, or unauthorized or unlawful Processing of Data; (ii) unauthorized intrusion into, control of, access to, modification of, or use of any System used by User Institution to secure, defend, protect or Process Data; or (iii) event leading User Institution to suspect that either (i) or (ii) has occurred. 1.3. “User Institution Systems” means any System owned, licensed, operated, or controlled by or on behalf of User Institution that Processes Data. 1.4. “Process,” “Processed” or “Processing” means any operation or set of operations which is performed upon Data, such as creation, collection, access, disclosure, recording, organization, storage, maintenance, use, retrieval, transmission, erasure, retention, or destruction. 1.5. “System” means any file system, computing system, database, device, equipment, server, website, application, software, storage media, network, infrastructure, networked environment, or domain. 2. CONFIDENTIALITY 2.1. Compliance with Laws. User Institution hereby represents, warrants, and covenants that it is and will remain at all times during the term of this Agreement, and at all times after the term of this Agreement to the extent it Processes any Data, in compliance with all Applicable Privacy and Data Security Laws. 2.2. Use of Data. User Institution will not Process Data for any purpose other than as minimally necessary to conduct the Project, as expressly granted in the Underlying Agreement, or as otherwise required by applicable law. 2.3. Disclosure of Data. User Institution will not disclose Data to any person other than its Authorized Personnel, except as expressly permitted in this Addendum. 2.3.1. Access Restrictions. User Institution will implement and maintain technical access limitations subject to logging and auditing to ensure only Authorized Personnel have access to Data. User Institution agrees GRAIL may request at any time the list of individuals authorized to have access to Data, including their level of access. If any of User Institution's System containing Data is backed up, that backup will maintain similar levels of access controls. 2.3.2. Disclosures by User Institution to Permitted Subcontractors. User Institution may disclose Data to subcontractors that have a need to Process that Data in order to conduct the Project, provided that each permitted subcontractor that receives Data is contractually bound to comply with privacy, confidentiality and data security terms no less restrictive than the terms set forth in this Addendum. In the event that User Institution provides Data to any permitted subcontractor, User Institution will not be relieved of any of its obligations under this Agreement with regard to that Data, will remain liable and responsible for the performance of all of its obligations under this Agreement with regard to that Data, and will be liable to GRAIL for any acts or omissions of its subcontractors in relation to that Data. 2.3.3. Disclosures Required by Law. User Institution may disclose Data to a governmental authority if that disclosure is required by law, provided that: (i) to the extent permitted by law, User Institution provides prior written notice of such disclosure to GRAIL; (ii) User Institution takes all reasonable and lawful actions to avoid, and minimize the extent of, that disclosure; and (iii) before disclosing Data to the governmental authority User Institution reasonably cooperates with GRAIL to resist that disclosure if GRAIL chooses to do so. 2.4. Return or Destruction of Data. Upon GRAIL’s request, the termination or expiration of the Underlying Agreement, or whenever User Institution no longer needs to retain all or part of Data, unless prohibited under applicable law, User Institution will immediately destroy that Data including any Data maintained in backup form. User Institution will destroy Data using a final, secure and complete method that will render that Data permanently unrecoverable. 2.5. Re-Identification. User Institution acknowledges and agrees that Data will not contain any individually identifiable health information. User Institution will not attempt to re-identify any individuals whose health related information is contained within the Data. To the extent Data contains any individually identifiable health information, User Institution will notify GRAIL immediately at privacy@grailbio.com. 2.6. Survival. This Section will survive any termination or expiration of the Underlying Agreement for so long as User Institution retains or otherwise Processes Data. 3. DATA SECURITY 3.1. Data Security Program. User Institution will implement, maintain, and comply with comprehensive information and network security programs, practices and procedures (collectively, “Data Security Program”). User Institution will ensure that the Data Security Program at all times: (i) meets current leading industry standards; and (ii) complies with all Applicable Privacy and Data Security Laws. User Institution will document its Data Security Program in written form and will make those documents available to GRAIL for review upon GRAIL’s request from time to time. User Institution will keep its Data Security Program current and up-to-date in order to continually improve the security of the Data Security Program, but in no event will User Institution render the Data Security Program less comprehensive, secure, or robust. 3.2. Safeguards. Without limiting the generality of subsection 3.1, User Institution represents, warrants, and covenants that it has adopted and implemented, and will continue to maintain, physical, administrative, and technical safeguards and other security measures to: 3.2.1. maintain the security and confidentiality of Data and protect it from threats or hazards to its security and integrity, as well as accidental loss, alteration, disclosure, and all other unlawful forms of Processing; 3.2.2. require Authorized Personnel to receive annual training regarding: (i) how to protect User Institution's Systems from security threats, (ii) their responsibilities regarding the protection of research data; and (iii) industry standard protocols for Processing research data; 3.2.3. prevent, detect, contain, recover, remediate, and respond to a Data Breach; 3.2.4. enforce the use of secure authentication protocols and access control measures, consistent with industry standards, on any User Institution Systems that protect, defend, secure, or Process Data; 3.2.5. implement regular and timely software security patches on any User Institution Systems that protect, defend, secure, or otherwise Process Data; 3.2.6. require the use of encryption for all storage and transmission of Data; and 3.2.7. include automated security measures, including, but not limited to, standard perimeter monitoring and protection systems, auditing systems, firewalls, and security agent software capable of detecting and mitigating threats from viruses, spyware, and other malicious code on any User Institution Systems. 3.3. Survival. This Section will survive any termination or expiration of the Underlying Agreement for so long as User Institution retains or otherwise Processes Data. 4. DATA BREACH OBLIGATIONS 4.1. Notice. User Institution will notify GRAIL at it-sec@grailbio.com immediately, but in no event more than five (5) business days, after it is notified of or discovers a Data Breach. The notification to GRAIL will include the following, to the extent known by User Institution, and will be supplemented on an ongoing basis: (i) the general circumstances and extent of any unauthorized Processing of Data or intrusion into Systems used by User Institution to protect or Process Data; (ii) the types and volume of Data that were involved; (iii) User Institution’s plans for corrective actions to respond to the Data Breach; (iv) steps taken to secure Data and preserve information for any necessary investigation; and (v) any other related information reasonably requested by GRAIL. 4.2. Remediation. User Institution will immediately detect, respond to, and contain all vulnerabilities, activities, or other circumstances that caused or gave rise to the Data Breach. User Institution will promptly and without unreasonable delay take all necessary and advisable corrective actions, and will reasonably cooperate with GRAIL in all reasonable and lawful efforts to prevent, eradicate, mitigate, and rectify such Data Breach. 4.3. Notice to Other Parties. User Institution will not notify any parties other than GRAIL and, to the extent required by law, relevant law enforcement agencies of any Data Breach unless such notification is agreed to in advance by GRAIL in writing. 4.4. Investigation. User Institution will investigate the causes of each Data Breach at User Institution’s expense. Upon GRAIL’s request, User Institution will provide GRAIL with in-depth supplementary reports regarding its investigation of the Data Breach and results of findings. 4.5. Survival. This Section will survive any termination or expiration of the Underlying Agreement for so long as User Institution retains or otherwise Processes Data. 5. AUDITS AND INSPECTIONS 5.1. Audit Records. User Institution will retain System audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information System activity and ensure that the actions of individual users of User Institution Systems can be uniquely traced. 5.2. Annual User Institution Audit Report. User Institution hereby represents, warrants, and covenants that: (i) User Institution will undergo annual (or more frequent) audits of User Institution Systems, facilities, policies, practices, controls, and practices (each, a “User Institution Audit”) and that audit will include in its scope all User Institution Systems and all of User Institution’s practices, controls, policies, and procedures relating to the protection, security, defense, or Processing of Data; and (ii) the User Institution Audits will include, at a minimum, risk assessments, security control effectiveness, credentialed vulnerability scans, and security controls map to an industry standard (such as NIST, HITRUST, ISO, or SOC2). 5.3. Ongoing Inspections. User Institution will, consistent with best industry practices, continuously monitor and inspect all User Institution Systems to identify security vulnerabilities (“Ongoing Inspections”). 5.4. Audit Remediation. To the extent that a User Institution Audit or Ongoing Inspection identifies any "material", "critical", or "high" security vulnerabilities, User Institution will remediate those vulnerabilities as promptly as reasonably possible not to exceed ninety (90) days. If security vulnerabilities cannot be remediated or contained by the User Institution within that period, User Institution should promptly notify GRAIL at it-sec@grailbio.com of the increased risk. 5.5. Survival. This Section will survive any termination or expiration of the Underlying Agreement for so long as User Institution retains or otherwise Processes Data. 6. INDEMNIFICATION 6.1. Indemnity. Notwithstanding any provisions of this Agreement to the contrary, including but not limited to any limitation of liability or indemnity set forth in the Underlying Agreement, User Institution will defend, indemnify, and hold harmless GRAIL and its respective officers, directors, employees, and agents from and against all liabilities, obligations, losses, damages, costs, fees, penalties, fines, charges, or other expenses of any kind (including but not limited to costs and in-house or outside attorneys’ fees) resulting or arising from, relating to, or in connection with any actual or alleged: (i) Data Breach; or (ii) breach of this Addendum. 6.2. Additional Expenses. In addition to its indemnification obligations above, User Institution will pay for all costs and expenses reasonably incurred by GRAIL in connection with a Data Breach as they are incurred, including but not limited to forensics services and costs associated with investigating and responding to investigations and inquiries related to the Data Breach from federal and state regulatory authorities. 6.3. Survival. This Section will survive the termination or expiration of the Underlying Agreement.