Data Protection and Information Security Addendum
Last Updated: May 27, 2025
This Data Protection and Information Security Addendum (“DPA”) is entered into by and between GRAIL, Inc. a Delaware corporation, having its principal place of business at 1525 O’Brien Drive, Menlo Park, CA 94025 (“GRAIL”) and the legal entity defined as Customer in the GALLERI® TESTING AGREEMENT (hereinafter “Customer”) (each a “Party,” and together, the “Parties”) and is hereby incorporated by reference into the GALLERI® TESTING AGREEMENT entered into between the Parties (the “Agreement”).
WHEREAS, Customer and GRAIL are each a Covered Entity subject to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA,” as further defined below);
WHEREAS, in the performance of its roles and responsibilities under the Agreement, GRAIL will establish an Indirect Treatment Relationship with Customer’s patients (“Patients”);
WHEREAS, in fulfillment of its Indirect Treatment Relationship with Patients, GRAIL will receive and process Protected Health Information from Customer; and
WHEREAS, the Parties wish to set forth in this DPA the requirements applicable to the protection of such Protected Health Information.
NOW THEREFORE, in consideration of the mutual promises and agreements between Customer and GRAIL, the Parties hereto agree as follows:
- DEFINITIONS
- “Business Associate” has the meaning given to it in 45 CFR §160.103.
- “Covered Entity” has the meaning given to it in 45 CFR §160.103.
- “HIPAA” means the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191), the Health Information Technology for Economic and Clinical Health Act (Public Law 111-5), and the regulations promulgated thereunder by the United States Department of Health and Human Services, including the Privacy, Security, Breach Notification and Enforcement Regulations at 45 CFR Parts 160 and 164.
- “Indirect Treatment Relationship” has the meaning given to it in 45 CFR §164.501.
- “Information Security Program” means the administrative, organizational, technical, and physical safeguards GRAIL has in place to maintain the privacy and security of PHI as outlined in Section 2.4 of this DPA.
- “Protected Health Information” or “PHI” means electronic protected health information as defined under 45 CFR §160.103.
- GRAIL OBLIGATIONS
- 2.1 Compliance with Laws. GRAIL shall comply with all applicable federal, state, regional and/or local laws, rules, and regulations relating to privacy, data security or the processing of PHI or any data or information (regardless of the medium in which it is contained and whether alone or in combination) that relates to an identified or identifiable person, including but not limited to HIPAA.
- 2.2 Use and Disclosure of PHI. GRAIL shall not collect, use, or disclose PHI except as permitted under the Agreement and in accordance with its Notice of Privacy Practices available at https://www.galleri.com/hipaa-notice, as it may be updated from time to time.
- 2.3 Subcontractors. GRAIL shall perform an appropriate security and privacy risk assessment of any subcontractor or third-party that creates, maintains, or transmits PHI on behalf of GRAIL. GRAIL shall ensure that any such subcontractor or other third-party agrees in writing to restrictions, conditions, and requirements that are at least as protective of PHI as those established in this DPA. To the extent such subcontractor or third-party constitutes a Business Associate of GRAIL, GRAIL shall enter into a Business Associate Agreement with such party that meets the requirements of 45 CFR § 164.504(e)(2).
- 2.4 Safeguards and Information Security Program. GRAIL has implemented, and shall maintain, appropriate administrative, organizational, technical, and physical safeguards with respect to PHI and shall ensure the confidentiality, integrity, and availability of all PHI it creates, receives, maintains, or transmits. GRAIL shall protect against reasonably anticipated threats to the security or integrity of PHI, including reasonably anticipated, impermissible uses or disclosures of PHI. GRAIL reserves the right to update its Information Security Program as needed to address newly discovered or reasonably anticipated security threats, but shall not reduce the level of security standards established in this DPA.
- (a) Information Security Policies and Standards. GRAIL shall maintain written information security policies, standards, and procedures addressing administrative, organizational, technical, and physical safeguards reasonably designed to protect the confidentiality, integrity, and availability of PHI.
- (b) Physical Security. GRAIL shall maintain commercially reasonable security systems at GRAIL corporate sites at which an information system that uses or stores PHI is located.
- (c) Organizational Security. GRAIL shall maintain written information security policies and procedures addressing acceptable data use standards and incident response protocols.
- (d) Network Security. GRAIL shall maintain commercially reasonable information security policies and procedures addressing network security.
- (e) Virus and Malware Controls. GRAIL shall protect PHI from malicious code and will install and maintain anti-virus and malware protection software on GRAIL-managed devices that handle PHI.
- (f) Disaster Recovery. GRAIL shall maintain disaster recovery plans that are kept up to date and revised on a regular basis.
- (g) Workforce Training and Management. GRAIL shall maintain an Information Security team that manages the Information Security Program. GRAIL shall maintain a security awareness program to train its workforce about their security obligations, and shall oversee workforce compliance with such obligations. All workforce members shall be required to follow established security and privacy policies and procedures, and GRAIL shall apply appropriate sanctions against workforce members who violate such policies and procedures. Workforce members will receive appropriate training before accessing any PHI, and such training shall be regularly reinforced through refresher training courses and other awareness materials and campaigns. GRAIL shall perform criminal and other relevant background checks on all personnel with access to PHI.
- (h) Security and Privacy Ownership. GRAIL has appointed and shall maintain both a security officer and a privacy officer who are responsible for coordinating and monitoring the security/privacy rules and procedures of GRAIL. These officers shall have the knowledge, experience, and authority to serve as the owners of the security and privacy functions, with responsibility and accountability for information security and privacy within the organization.
- 2.5 Security Framework and Certifications. GRAIL shall maintain a security framework that is aligned to established information security industry standards, such as ISO/IEC 27001, or an equivalent industry-recognized framework. GRAIL shall provide evidence of its then-current certifications upon Customer’s written request.
- MISCELLANEOUS
- 3.1 Survival. GRAIL’s obligations under this DPA shall survive the expiration or termination of the Agreement.
- 3.2 Conflicts. In the event of any conflicts between this DPA and the Agreement, this DPA shall control with respect to the treatment of PHI. Any ambiguity in this Agreement shall be interpreted to permit and require compliance with HIPAA and any other applicable law.