Safe Harbor Privacy Statement

We self-certify compliance with

www.export.gov/safeharbor

This Safe Harbor Privacy Statement (this “Statement”) sets forth the principles followed by CEDRA Corporation and its subsidiary CEDRA Clinical Research, LLC (“CEDRA” or “Company”) in connection with the transfer and protection of personal data received from the European Union (“EU”) in support of the Company’s laboratory and clinical trial operations, as more specifically set forth below.

Introduction

CEDRA adheres to the Safe Harbor privacy principles agreed to by the European Commission and the United States, implemented in accordance with the guidance set forth in the Frequently Asked Questions (“FAQs”) issued by the U.S. Department of Commerce on July 21, 2000. See www.export.gov/safeharbor. This Statement sets forth the principles under which CEDRA manages the processing of certain categories of Personal Data, referred to hereafter as “Covered Personal Data.”

Scope

This Statement sets forth in manner in which CEDRA manages the processing of Covered Personal Data.

Definitions

“Personal Data” means any information relating to an identified or identifiable natural person (a “Data Subject”), received by CEDRA from the EU, and recorded in any form. It does not include information that has been anonymized, pseudonymized, encoded, or otherwise stripped of its identifiers, nor does it include publicly available information unless combined with other non-public personal information.

“Covered Personal Data” means: (1) Personal Data relating to clinical trial subjects and specimen donors that is collected by CEDRA in the EU; and (2) Personal Data relating to clinical trial subjects and specimen donors that is both: (a) collected in the EU by; and (b) transferred to CEDRA from the EU by, companies with whom CEDRA contracts to provide laboratory and/or clinical trial services.

An “identifiable natural person” is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his or her physical, physiological, mental, economic, cultural, or social identity.

An “Agent” means any third party that uses Covered Personal Data provided to CEDRA to perform tasks under the instructions of, and solely for, CEDRA, or to whom CEDRA discloses personal data for use on CEDRA’s behalf.

“Sensitive Personal Information” means Covered Personal Data about an EU citizen specifying medical or heath conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, or information specifying the sex life of the individual.

Safe Harbor Privacy Principles

The following privacy principles (the “Privacy Principles”) apply to the transfer, collection, use, and disclosure of Covered Personal Data.

1. Notice

When Covered Personal Data is data CEDRA collects directly from clinical trial subjects or specimen donors in the EU, CEDRA will inform such individuals about the purposes for which it collects and uses the Covered Personal Data, the types of third parties with whom CEDRA shares the Covered Personal Data, and the choice and means CEDRA offers for limiting the use and disclosure of that individual’s Covered Personal Data. Notice will be provided in clear and conspicuous language when individuals are first asked to provide Covered Personal Data to CEDRA, or as soon as practicable thereafter, and in any event before CEDRA uses the information for a purpose other than that for which it was originally collected or processed, and before CEDRA discloses such Covered Personal Data for the first time to a non-Agent third party. CEDRA does not currently, and does not intend to, directly collect any Personal Data within the EU; however, if in the future CEDRA does directly collect Personal Data relating to clinical trial subjects or specimen donors within the EU, such Personal Data shall be Covered Personal Data in accordance with definition number (1) of Covered Personal Data above.

When Covered Personal Data is Personal Data CEDRA receives relating to clinical trial subjects and specimen donors that is both collected in the EU by, and transferred to CEDRA from the EU by, companies with whom CEDRA contracts to provide laboratory and/or clinical trial services, it will use such information in accordance with the notices provided by such entities and the choices made by the individuals to whom such Covered Personal Data relates.

2. Choice

CEDRA will offer individuals the opportunity to choose (opt-out) whether their Covered Personal Data is (a) to be disclosed to a non-Agent third party, or (b) to be used for a purpose other than the purpose for which it was originally collected or subsequently authorized by the individual. CEDRA will ensure that individuals are provided clear and conspicuous, readily available, and affordable mechanisms to exercise choice.

For Sensitive Personal Information, CEDRA will give EU individuals the opportunity to affirmatively and explicitly (opt-in) consent to the disclosure of the information to a third party and to the use of the information for a purpose other than the purpose for which it was originally collected or subsequently authorized by the individual through an opt-in choice. CEDRA will treat any information about an EU citizen that is received from a third-party as sensitive if the third-party from whom CEDRA receives the information identifies it and treats it as sensitive. However, opt-in consent is not required and will not be provided when the processing of such Sensitive Personal Information is in the vital interest of the Data Subject or another person; necessary for the establishment of legal claims or defenses; required to provide medical care or diagnosis; necessary to carry out CEDRA’s obligations in the field of employment law; or related to data that is manifestly made public by the Data Subject.

There are certain limitations on the right to opt-out, such as those that apply in the clinical research situation. In that situation, CEDRA will continue to rely upon and process Covered Personal Data already provided by clinical research participants who choose to discontinue participation in a clinical trial, but will not collect any additional Covered Personal Data about that individual once the written request to withdraw from participation is received.

3. Onward Transfer

CEDRA will not transfer any Covered Personal Data of an EU individual to a third party without applying the Notice and Choice principles to such transfer. CEDRA will only transfer Covered Personal Data of an EU individual to third parties where: (a) the third-party has entered into a written agreement with CEDRA that provides the same level of protection for the information as is required by the Privacy Principles; (b) is located in the EU or a country whose laws provide adequate assurance of protection, as determined by the European Commission; or (c) the third-party has certified to its compliance with the Safe Harbor privacy principles, and is accordingly independently responsible for compliance with the Safe Harbor requirements.

4. Security

CEDRA will take reasonable precautions to protect Covered Personal Data of an EU individual from loss, misuse and unauthorized access, disclosure, alteration and destruction.

5. Data Integrity

CEDRA seeks to ensure that any Covered Personal Data about EU individuals is relevant for the purposes for which it is to be used. CEDRA will not utilize any Covered Personal Data about EU individuals in a way that is incompatible with the purposes for which it has been collected or subsequently authorized. CEDRA will ensure that the Covered Personal Data of EU individuals is reliable for its intended use, accurate, complete, and current.

6. Access

CEDRA will provide EU individuals reasonable access to their Covered Personal Data held by CEDRA for the purposes of verifying its accuracy, and exercising their right to have inaccurate information corrected, amended, or deleted. Such access will not be provided when the burden or expense of providing access would be disproportionate to the risks to the EU individual’s privacy, or where the rights of other persons would be violated. Moreover, an EU individual’s access to their own Covered Personal Data may be restricted for a period of time (during the laboratory or clinical trial operation and while the results of such operation are being analyzed) in order to not jeopardize the integrity of the research effort for which such Covered Personal Data was collected and is being utilized.

Access may also be denied under the circumstances set forth in response to Question No. 5 of FAQ 8. Specifically, access may be denied to the extent disclosure is likely to interfere with the safeguarding of important countervailing public interests, such as national security; defense; or public security. In addition, where the Covered Personal Data is processed solely for research or statistical purposes, access may be denied. Other reasons for denying or limiting access are:

1. interference with execution or enforcement of the law, including the prevention, investigation or detection of offenses or the right to a fair trial;
2. interference with private causes of action, including the prevention, investigation or detection of legal claims or the right to a fair trial;
3. disclosure of personal information pertaining to other individual(s) where such references cannot be redacted;
4. breaching a legal or other professional privilege or obligation;
5. breaching the necessary confidentiality of future or ongoing negotiations, such as those involving the acquisition of publicly quoted companies;
6. prejudicing employee security investigations or grievance proceedings;
7. prejudicing the confidentiality that may be necessary for limited periods in connection with employee succession planning and corporate re-organizations;
8. prejudicing the confidentiality that may be necessary in connection with monitoring, inspection or regulatory functions connected with sound economic or financial management; or
9. other circumstances in which the burden or cost of providing access would be disproportionate or the legitimate rights or interests of others would be violated.

If access is denied or limited, CEDRA will provide you the reasons for denying or limiting such access, and will provide you a contact point for further inquiries.

7. Enforcement

CEDRA has established internal mechanisms to verify its ongoing adherence to this Statement. Any EU individual who has a reasonable concern about CEDRA’s handling of their Covered Personal Data may raise those concerns with CEDRA by contacting CEDRA at the address below. CEDRA will seek to reasonably resolve such concerns. If CEDRA does not reasonably resolve such concerns, you should contact the American Arbitration Association at 1633 Broadway, 10th Floor, New York, New York 10019, Telephone 212-716-5800, Fax: 212-716-5905.

Limitation on Scope of Principles

CEDRA adheres to these Privacy Principles except where statute, regulation, or case-law (collectively, “Applicable Law”) creates conflicting obligations or provide explicit authorizations. Where Applicable Law creates conflicting obligations, CEDRA will comply with the Applicable Law. Where Applicable Law provides explicit authorizations, CEDRA may deviate from these Privacy Principles; however, any such deviation will be limited to the extent necessary to meet the overriding legitimate interests furthered by such authorization.

How to Contact Us

Please contact CEDRA with any questions concerning this Statement at:

CEDRA Corporation

8605 Cross Park Drive
Austin, Texas 78754
(phone) 512.834.7766
(fax) 512.834.1165
(toll-free) 1 800.735.5022 Email: kfern@cedracorp.com

CEDRA Clinical Research, LLC

8501 North MoPac Expressway, Suite 200
Austin, Texas 78759
(phone) 512.345.7776
(fax) 512.345.8685
(toll-free) 1 800.580.2183 Email: kfern@cedracorp.com

Changes to this Privacy Statement

This privacy statement may be amended consistent with the requirements of the Safe Harbor arrangement. When we do update the privacy statement, we will also revise the “Last Updated” date at the bottom of this document. Any material changes to this privacy statement will also be posted on www.cedracorp.com/safeharbor and www.cedraresearch.com/safeharbor.

Last Updated: August 31, 2009