Exhibit 10.1

CONFIDENTIAL TREATMENT REQUESTED

DNAnexus, Inc.

 

Third Amendment to

Application Service Provider Agreement

 

This Third Amendment (“Third Amendment”) is made as of January 1,
2018 (“Amendment Effective Date”) by and between DNAnexus, Inc., a Delaware
corporation, having its principal place of business at 1975 W. El Camino Real,
Suite 101, Mountain View, CA 94040 (“Vendor”), and Natera, Inc., having its
principal place of business at 201 Industrial Road, Suite 410, San Carlos, CA
94070 (“Natera”).

Vendor and Natera agree to amend the Application Service Provider Agreement
having an effective date of September 19, 2014 (“Agreement”), as amended by the
Amendment dated June 8, 2015 and the Amendment dated December 29, 2016, as
follows:

1.



Section 1 of the Agreement is hereby amended to include the following additional
definitions, which shall apply to any use of the defined terms in the Agreement:

1.10“EU Data Protection Law” means all applicable EU law, enactments,
regulations, orders, standards, codes of practice and other similar instruments
that relate to data protection, privacy, the use of information relating to
individuals, the information rights of individuals and/or the processing of
personal data, including the Data Protection Act 1998 (until 24 May 2018), the
Privacy and Electronic Communications (EC Directive) Regulations 2003, the EU
regulation 2016/679 of the European Parliament and of the Council of 27 April
2016 on the protection of natural persons with regard to the processing of
personal data and on the free movement of such data, and repealing Directive
95/46/EC (“GDPR”), and any successor legislation (on and from 25 May 2018), and
“Data Controller”, “Data Processor”, “Data Subject” and “Personal Data” or
similar expressions shall have the meaning given to them therein, with Personal
Data including sensitive personal data and special categories of personal data,
 .”

2.



Section 18.4 (Personal Data) of the Agreement is hereby amended by replacing the
reference to “EU Data Protection Directive (Directive 95/46/EEC)” with “EU Data
Protection Law”

3.



Section 5 (Services) of the Agreement is hereby amended by adding the following
to the end of this section:

“Vendor agrees to (i) deploy two copies of Natera’s infrastructure and host
Natera Content, with one copy on  Vendor’s cloud servers and system physically
located in the U.S. (the ‘U.S. Deployment’) in accordance with Statement of Work
No. 1



--------------------------------------------------------------------------------

 



hereto and the other copy on Vendor’s cloud servers and system physically
located in the European Economic Area (the ‘EEA Deployment’), and (ii) complete
the tasks as specified in all applicable Statements of Work hereto  to ensure
all Services, Deliverables, and Support Services will be provided independently
and separately to both the U.S. Deployment and EEA Deployment.  Vendor further
represents, warrants and agrees that all Content (including all EEA Personal
Data as defined in Section 18.5) relating to the Services, Deliverables, Support
Services provided to Natera’s EEA Deployment will be collected, recorded,
stored, and processed wholly within the EEA and may not be transmitted to the
U.S. Deployment or any servers or systems located outside the EEA.”

4.



Section 18.5 (Treatment of Personal Data) is hereby amended by adding the
following text to the end of this section:

“Notwithstanding the foregoing, with respect to any Personal Data originated
from a member state of the European Economic Area or otherwise subject to the EU
Data Protection Law (such Personal Data, the “EEA Personal Data”), the Personal
Data Rules as defined in this Section 18.5 shall also include the ‘EU Data
Protection Law’; and Vendor further represents and warrants that (i) it is and
will maintain its status as a participant of the EU-US Privacy Shield (and its
successor program as applicable); (ii) it will Process the EEA Personal Data in
compliance with this Agreement, including the Data Processing Addendum attached
hereto as Exhibit F, and the EU Data Protection Law, (iii) if required by the EU
Data Protection Law, it will further enter into an EU Model Clauses Contract as
a Data Processor (or Subprocessors) with Natera for Processing the EEA Personal
Data outside the EEA, and (iv) it will not Process any EEA Personal Data outside
the scope as specified in this Agreement.”

5.



Section 18.6 (Retention of Personal Data) is hereby amended by adding the
following text to the end of this section:

“Notwithstanding the foregoing, Vendor’s right and authority to retain or
destroy EEA Personal Data is defined in and subject to the Data Processing
Agreement.”

6.



Exhibit A of the Agreement is hereby amended by adding Exhibit A -- the
Statement of Work No. 2 attached hereto as the Statement of Work No. 2 to the
Agreement.  

7.



Exhibit B of the Agreement is hereby deleted and replaced with Exhibit B
attached hereto.



 

Page 2 of 8

--------------------------------------------------------------------------------

 



 

8.



The Agreement is further amended by adding Exhibit F hereto (“Data Processing
Addendum) as a new Exhibit F to the Agreement.

9. The parties agree that this Third Amendment, inadvertently not previously
executed, is intended to be effective as of the Amendment Effective Date,
pre-dating the effective date of the Fourth Amendment;  the terms of this Third
Amendment are modified by any applicable terms in the Fourth Amendment.      

 

Except as expressly provided herein, the Agreement remains in full force and
effect. If there is a conflict between this Third Amendment and the Agreement or
any earlier amendment or renewal, the terms of this Amendment will prevail.

 

IN WITNESS WHEREOF, the parties have caused this Third Amendment to be duly
executed as of the Amendment Effective Date.

 

 

 

 

 

 

 

Natera International, Inc.

DNAnexus, Inc.

 

 

 

 

 

 

 

 

By:

/s/ John Fesko

 

By:

 /s/ Richard Daly

 

Name

John Fesko

Name

Richard Daly

Title

VP, Business Development

Title

CEO

Date

8/10/2018

Date

August 8, 2018

 





 

Page 3 of 8

--------------------------------------------------------------------------------

 



Exhibit A

Statement of Work No. 2

N/A

 

 



 

Page 4 of 8

--------------------------------------------------------------------------------

 



Exhibit B

Services; Fees

DNAnexus platform license fee for additional regions

Deployed Regions, AWS

[*]

[*]

Available Regions, AWS

[*]

[*]

Available Regions, Azure

[*]

 

Per region fee

Annual license fee for deployed regions [*] and [*] is $[*].  

Each additional region is $[*].

[*] Region Resource-based pricing

The following table shall be used to calculate the weighted average price
reduction in each [*] period for each DNANexus Compute Cost Class within the [*]
region:

DNANexus Compute Cost Class

AWS Instance

[*]

[*]

[*]

[*]

[*]

[*]

[*]

[*]

[*]

[*]

[*]

[*]

[*]

[*]

[*]

[*]

[*]

[*]

[*]

[*]

[*]

[*]

[*]

[*]





Page 5 of 8

 

* CERTAIN INFORMATION IN THIS DOCUMENT HAS BEEN OMITTED AND FILED SEPARATELY
WITH THE SECURITIES AND EXCHANGE COMMISSION. CONFIDENTIAL TREATMENT HAS BEEN
REQUESTED WITH RESPECT TO THE OMITTED PORTION.

--------------------------------------------------------------------------------

 



All DNAnexus usage, including R&D and production pipeline execution, is charged
according to the below pricing sheet:

 

 

 

Compute

Cost Class

Cost per virtual core hour

[*]

[*]

[*]

[*]

[*]

[*]

 

 

Data Transfer & Storage

Service

Cost

[*]

[*]

[*]

[*]

[*]

[*]

[*]

[*]

[*]

[*]

 

Per-test pricing

A value add charge is applied to each execution of a billable production test,
based upon the following tiers of monthly production test volumes:

 

Value-add price per test

Production test monthly volume

[*]

Up to [*] production tests

[*]

Each production test over [*] up to [*]

[*]

Each production test over [*]

 

 

 



Page 6 of 8

 

* CERTAIN INFORMATION IN THIS DOCUMENT HAS BEEN OMITTED AND FILED SEPARATELY
WITH THE SECURITIES AND EXCHANGE COMMISSION. CONFIDENTIAL TREATMENT HAS BEEN
REQUESTED WITH RESPECT TO THE OMITTED PORTION.

--------------------------------------------------------------------------------

 



 

Exhibit F

Data Processing Addendum

 

1.



Definition:  In this Addendum, "controller", "processor", "data subject",
"personal data", "processing" (and "process") and "special categories of
personal data" will have the meanings given in EU Data Protection Law.

2.



Relationship of the parties: Natera (the controller) appoints Vendor as a
processor to process Content containing personal data of a data subject as may
be provided for in the Agreement (the "Data") for the purposes described in the
Agreement (or as otherwise agreed in writing by the parties) (the "Permitt
Purpose").  Vendor will comply with the obligations applicable to it under
Applicable Laws, including Data Protection Law.

3.



International transfers:  Vendor will not transfer the Data outside of the
European Economic Area ("EEA") unless it has taken such measures as are
necessary to ensure the transfer is in compliance with Applicable Law.

4.



Confidentiality of processing:  Vendor will ensure that any person it authorizes
to process the Data (an "Authorized Person") will protect the Data in accordance
with Vendor's confidentiality obligations under the Agreement and Applicable
Law.

5.



Security:  Vendor will implement technical and organizational measures as set
out in Agreement to protect the Data (i) from accidental or unlawful
destruction, and (ii) loss, alteration, unauthorized disclosure of, or access to
the Data (each, a "Security Incident"). 

6.



Third party processors:  Vendor may appoint one or more third party processors
to process the Data for the Permitted Purpose on its behalf, provided that: (i)
it engages only processors that have implemented appropriate technical and
organizational measures to protect the Data, and ensure the rights of the data
subjects, in accordance with Applicable Law; and (ii) Vendor will remain solely
liable for any breach of this Addendum or of Applicable Law that may be caused
by its processors' processing of the Data.

7.



Cooperation and data subjects' rights:  Vendor will provide reasonable and
timely assistance to Natera (at Natera's expense) to enable Natera to respond
to: (i) any request from a data subject to exercise any of its rights under
Applicable Law (including its rights of access, correction, objection, erasure
and data portability, as applicable); and (ii) any other correspondence, enquiry
or complaint received from a data subject, regulator or other third party in
connection with the processing of the Data.   In the event that any such
request, correspondence, enquiry or complaint is made directly to Vendor, Vendor
will promptly inform Natera providing full details of the same.

8.



Data Protection Impact Assessment:  If Vendor believes or becomes aware that its
processing of the Data is likely to result in a high risk to data protection
rights, it will inform Natera and provide reasonable cooperation to Natera (at
Natera's expense) in connection with any data protection impact assessment that
may be required under Applicable Law.

9.



Security incidents:  If it becomes aware of a confirmed Security Incident,
Vendor will inform Natera without undue delay and will provide reasonable
information and cooperation to Natera so that Natera can fulfill any data breach
reporting obligations it may have under (and in accordance with the timescales
required by) Applicable Law.  Vendor will further take  reasonably necessary
measures and actions to remedy or mitigate the effects of the Security Incident
and will keep Natera informed of all material developments in connection with
the Security Incident.



Page 7 of 8

--------------------------------------------------------------------------------

 



10.



Data Retention:  Upon termination or expiry of the Agreement, Vendor will delete
all Data in its possession or control.  This requirement will not apply to the
extent that Vendor is required by applicable law or contract with its financial
service partners to retain some or all of the Data, or to Data it has archived
on back-up systems, which Data Vendor will securely isolate and protect from any
further processing except to the extent required by such law.

11.



Audit:  Natera acknowledges that Vendor is regularly audited against SSAE-16 SOC
1 by independent third party auditors.  Upon request, Vendor will supply a
summary copy of its applicable certifications to Natera which reports will be
subject to the confidentiality provisions of the Agreement. Vendor will also
respond to a written security questionnaire submitted to it by Natera provided
that Natera will not exercise this right more than once per year.

 

Page 8 of 8

--------------------------------------------------------------------------------