FIRST AMENDMENT TO COLLABORATION AGREEMENT
Exhibit 10.18
CERTAIN CONFIDENTIAL PORTIONS OF THIS EXHIBIT HAVE BEEN OMITTED AND REPLACED WITH “[***]”. SUCH IDENTIFIED INFORMATION HAS BEEN EXCLUDED FROM THIS EXHIBIT BECAUSE IT IS (I) NOT MATERIAL AND (II) WOULD LIKELY CAUSE COMPETITIVE HARM TO THE COMPANY IF DISCLOSED.
FIRST AMENDMENT TO
THIS FIRST AMENDMENT (this “Amendment”), dated 8TH April 2019 (the “First Amendment Effective Date”), by and between GLAXOSMITHKLINE INTELLECTUAL PROPERTY (NO.3) LIMITED, a company registered in England and Wales (registered number 11480952) with a registered office at 000 Xxxxx Xxxx Xxxx, Xxxxxxxxx, Xxxxxxxxx XX0 0XX, Xxxxxx Xxxxxxx (“GSK”) and 23ANDME, INC., a company formed under the laws of Delaware whose principal place of business is at 000 Xxxx Xxxxxx Xxx., Xxxxxxxx Xxxx, XX 00000 (“23andMe”) hereby amends the Collaboration Agreement by and between GSK and 23andMe, dated July 24, 2018 (the “Agreement”).
BACKGROUND
A. | GSK and 23andMe each have an ongoing research and development program with respect to the Target CD96 and intend to combine these programs into a Joint Development Program for which GSK will be the Lead Party; |
B. | GSK intends to exchange certain GSK Data with 23andMe and the Parties wish to incorporate the new principles for such exchange into the Data Access Plan; |
C. | GSK and 23andMe intend to generate Data derived from the combination of certain Xxxxx 0 Xxxx, Xxxxx 0 Data and Level 4 Data, which may include both 23andMe Data and GSK Data, and have further considered the plans for access to such Data, the principles for which they wish to reflect in an updated Data Access Plan. |
NOW, THEREFORE, in consideration of the mutual covenants set forth in this Amendment, and for other good and valuable consideration, the receipt of which is hereby acknowledged, GSK and 23andMe hereby agree as follows:
1 | Capitalized terms used in this Amendment shall have the meanings set forth in the Agreement and the terms and conditions of this Amendment shall be construed as set forth in Section 21.18 of the Agreement, unless otherwise specifically indicated in this Amendment. |
2 | The Agreement is hereby amended with respect to the CD96 Program as follows: |
(a) | Section 5.1(b) is deleted and replaced in its entirety with: |
“GSK Contributed Program. GSK’s (a) late pre-clinical phase program directed to [***] is hereby incorporated into the Collaboration as a Joint Development Program as of the Effective Date (the “[***] Program”) and GSK’s late pre-clinical phase program directed to [***] (the “[***] Program”) is hereby incorporated into the Collaboration as a Joint Development Program as of the First Amendment Effective Date, and in each case GSK shall be the Lead Party with respect thereto (collectively, the “GSK Contributed Programs”), subject to the terms and conditions generally applicable to all Collaboration
Programs, including as set forth in this Article 5. Joint Development Costs for each GSK Contributed Programs will be shared on [***] basis between the Parties following the date upon which the Parties agree upon the applicable plan and budget for such GSK Contributed Program under this Section 5.1(b), or in the case of [***], following the date of the [***], subject in each case to any rights of 23andMe to exercise its Opt-Out Option, Reduction Option, or Development Exit Option. The Parties shall discuss plans and budget for the GSK Contributed Programs for a period of [***] following the Effective Date in the case of the [***] Program, and following the First Amendment Effective Date in the case of the GSK [***] Program. After such [***] periods, GSK shall have [***] days to develop the applicable Joint Development Plan for the applicable GSK Contributed Program and to present such Joint Development Plan to the JDC. The JDC shall review and approve the Joint Development Plan, including any amendments mutually agreed by the Parties, and shall submit the Joint Development Plan to the JSC for approval in accordance with Section 5.4. 23andMe shall have no obligation with respect to any costs incurred for activities conducted prior to the date upon which the JSC approves the Joint Development Plan in connection with the applicable GSK Contributed Program.”;
(b) | In Sections 5.2(b) and 5.2(c) the term “the GSK Contributed Program” is deleted and replaced in each place with “any GSK Contributed Programs”; |
(c) | Section 10.3 is deleted and replaced in its entirety with: |
“Option Exercise Fees. In the event that GSK exercises an Option with respect to a 23andMe Pre-Existing Program pursuant to Section 5.1(c), then neither (i) the Option exercise with respect to the 23andMe Pre-Existing Program for which [***] is the Target (the “23andMe [***] Program”) and the first other Option exercise (chosen from the other available 23andMe Pre-Existing Programs at GSK’s discretion, and which, for clarity, may occur before or after the Option exercise with respect to the 23andMe Pre-Existing Program for which [***] is the Target) shall not require payment of an Option Exercise Fee. For each other Option exercise with respect to any 23andMe Pre-Existing Program, GSK shall pay 23andMe the following fees (each an “Option Exercise Fee”), in each case in accordance with the payment and invoicing terms and conditions set forth in Section 10.17:
(a) [***] United States Dollars ($[***]) if, at the time of the Option exercise, such 23andMe Pre-Existing Program is an LSR Program;
(b) [***] United States Dollars ($[***]) if, at the time of the Option exercise, such 23andMe Pre-Existing Program is an ESR Program; and
(c) [***] United States Dollars ($[***]) if such 23andMe Pre-Existing Program is a Pre-ESR Program.”
(d) | Schedule 1.56 is deleted and replaced in its entirety with: |
“ |
Schedule 1.56 |
GSK Contributed Programs
Part A — [***] Compounds as of the Effective Date
• | [***] |
2
• | [***] |
• | [***] |
Part B — [***] Compounds as of the First Amendment Effective Date
• | [***]” |
3 | The Parties hereby agree that pursuant to Section 5.1(c)(i) the Option with respect to the 23andMe [***] Program is deemed to have been exercised by GSK and the assumption by GSK of the role of Lead Party for the combined GSK [***] Program and the 23andMe [***] Program has been made without the need to provide any further written notice to 23andMe. |
4 | The Agreement is hereby amended with respect to the Data Access Plan as follows: |
(a) | Section 1.68 is deleted and replaced in its entirety with: |
“Data Access Plan” means the principles for access by a Party to data and information generated as a result of the use of the 23andMe Databases and 23andMe Data Mining Technologies or the GSK Additional Databases, as applicable, in connection with the Target Discovery Plan and other activities under this Agreement, as set forth on Schedule 1.68 and as amended in writing from time to time by the JRC pursuant to Section 3.2(x).”
(b) | Section 2.2 is deleted and replaced in its entirety with: |
“Mining of Data Sources to Discover Targets. As part of the Collaboration and as set forth in the applicable Plan, the Parties shall utilize the 23andMe Databases and apply the 23andMe Data Mining Technologies and their respective capabilities to discover biological Targets of potential therapeutic use. GSK may also, in its discretion and to the extent legally able to do so, bring into the Collaboration selected data sources in its possession or control, including from [***] for use in identifying Targets and validating Collaboration Targets (where any such data sources shall constitute “GSK Additional Databases”), provided that if GSK provides GSK Additional Databases for use and access thereof by 23andMe in connection with activities under this Agreement, then prior to any such use or access, the Data Access Subcommittee shall review the proposed GSK Additional Databases, and shall specify the conditions of such use and access (the “GSK Database Access Rules”). The GSK Database Access Rules shall be (a) generally aligned with the principles set forth in the Data Access Plan, and (b) in compliance with any requirements and restrictions imposed by (i) the terms of the applicable patient consents, (ii) any Third Party agreement terms applicable to the GSK Additional Databases, and (iii) any requirements imposed by applicable Law.”
(c) | a new Section 3.2(x) is inserted: |
“Responsibilities of the JRC. The JRC shall oversee, review and coordinate the conduct and progress of the discovery and Research activities described in Article 4 and Section 5.3 with the objective of identifying and validating Targets, including by designating Targets as Identified Targets, and to identify Development Candidates for Non-Clinical GLP Studies pursuant to the Early Collaboration Program Plan. The JRC shall be responsible for: ....
(x) reviewing and approving any amendments to the Data Access Plan.”
3
(d) | Section 3.11 is deleted and replaced in its entirety with: |
“Most Conservative Approach and Internal Policies. With respect to all Target Discovery Activities, Research and Development conducted by 23andMe under this Agreement, whether as the Lead Party or otherwise, 23andMe shall adhere to the GSK Specified Internal Policies and to the requirements of the Data Access Plan. With respect to any data derived from the 23andMe Databases and provided to GSK, GSK shall adhere to its standard information security policies and to the requirements of the Data Access Plan. In addition, to the extent GSK personnel directly access the 23andMe Databases, GSK shall comply with the 23andMe Specified Internal Policies with respect to such activities. For all other activities, each Party shall comply with its own Internal Policies in performing its activities under this Agreement. In the event of a conflict between the Parties’ Internal Policies in the case in which one Party is required hereunder to comply with the policies of the other Party, the Parties acknowledge and agree that the Internal Policies of the Party embodying the Most Conservative Approach will be followed by both Parties with respect to all issues relating to Joint Product Development; provided that the Most Conservative Approach may not serve as the basis for mandating the performance of additional activities hereunder (including under a Joint Development Plan) or an increase in budget. Each Party will provide the other with copies of relevant Internal Policies promptly following the Effective Date or from time-to-time as additional Internal Policies become relevant, and will provide updates of such Internal Policies as appropriate.”
(e) | Section 14.8(d) and (e) are deleted and replaced in its entirety with: |
“Information | Technology Requirements. |
……
(d) Both Parties agree to maintain reasonable security measures, in line with industry best practices for systems storing, accessing, or otherwise processing any Data (irrespective of levels or classifications as defined in the Data Access Plan) of this Agreement. Such security measures shall be subject to mutual reporting, review and oversight by the Data Access Committee. Parties agree to coordinate in good faith regarding any requested updates or modifications to the security practices of the other Party as applicable to the Collaboration, and acknowledge that the discovery of any serious security vulnerability or security incident may result in a delay or interruption in Data transfer, as set forth in the Data Access Plan.
(e) 23andMe shall seek independent third party accreditation for any system(s) accessing, storing and/or otherwise processing any level or classification of Data defined in the Data Access Plan to verify such system(s) are compliant with accepted data security standards (e.g., ISO27001, ENISA, HITRUST) no later than December 31, 2019, and shall deliver such certificates of accreditation to GSK upon request. 23andMe shall provide periodic updates to the Data Access Subcommittee regarding its progress towards achieving compliance with such accepted data security standards. Each Party may, upon reasonable notice, audit GSK systems used for the storage and/or otherwise processing any level of Data defined in the Data Access Plan to verify such system(s) are compliant
4
with accepted data security standards. Such audit (i) shall be conducted at reasonable times during regular business hours and upon at least [***] days’ prior notice to GSK no more than twice per year (with an additional audit right in response to a security incident pertaining to 23andMe Data but limited to confirming the security incident and applicable vulnerability has been remedied, as forth in the Data Access Plan), and (ii) may not be exercised with respect to Data Packages which are instead subject only to the Data Package Audit Right as set forth in Section 5.1(c)(iii).”
(f) | Schedule 1.68 is deleted and replaced in its entirety with Annexure A to this Amendment. |
(g) | Schedule 4.1 paragraph 1 is deleted and replaced in its entirety with: |
“Initial Target Discovery Plan Outline
The following outlined plan is intended to cover the first 3 months following the Effective Date (post formation of the JRC).
1. GSK members of the JRC will select GSK scientific members who will obtain access to Level 2 and Level 3 Data (as defined in the Data Access Plan). 23andMe will provide training (regarding Xxxxx 0 xxx Xxxxx 0 Xxxx) to the selected GSK scientific members.”
5 | This Amendment may be signed in counterparts, each and every one of which shall be deemed an original, notwithstanding variations in format or file designation which may result from the electronic transmission, storage and printing of copies of this Amendment from separate computers or printers. Signatures transmitted via PDF or other electronic form shall be treated as original signatures. |
6 | This Amendment and any dispute arising from the performance or breach hereof shall be governed by and construed in accordance with the laws of the State of Delaware, without reference to conflicts of laws principles. |
[Signature Page Follows]
5
IN WITNESS WHEREOF, the Parties have by duly authorized persons executed this First Amendment to Collaboration Agreement as of the date first written above.
GLAXOSMITHKLINE INTELLECTUAL PROPERTY (NO.3) LIMITED |
23ANDME INC. | |||||||
Sign: |
|
Sign: |
| |||||
Print Name: |
|
Print Name: |
| |||||
Authorised Signatory For and on behalf of The Wellcome Foundation Limited Corporate Director
Authorised Signatory For and on behalf of Edinburgh Pharmaceutical Industries Limited Corporate Director |
Title: |
|
Title: |
|
6
ANNEXURE A TO AMENDMENT
Schedule 1.68
Data Access Plan
Part A — 23andMe Data
Data Levels
“Level 1 Data” means [***].
“Level 2 Data” means [***].
“Level 3 Data” means [***].
“Level 4 Data” means [***]:
1. | [***]. |
2. | [***]. |
3. | [***]. |
“Derived Data” means [***].
• | For the avoidance of doubt, [***]. |
• | Level 4 Data associated with Collaboration Programs or Unilateral Programs |
• | [***] |
• | [***] |
• | [***] |
• | [***] |
Access Management
• | Prior to providing access to any Data to GSK, including any Data that the Parties intend to be included in any Derived Data, 23andMe shall [***]. |
• | GSK shall [***]. |
• | GSK further agrees that [***]. |
• | GSK shall maintain [***]: |
• | [***] |
• | [***] |
• | GSK shall require that [***]. |
Identification of Individuals
GSK will not deliberately identify or attempt to identify any individual data subjects included in any data provided by 23andMe under the Agreement. If GSK receives or obtains any data from 23andMe that reveals the identity of a 23andMe Customer, GSK will promptly, within [***] of discovery, notify both 23andMe and any relevant third party vendor. GSK will then cooperate with 23andMe, at its own cost, to remedy the disclosure and minimize the risk of recurrence.
Security Breach
• | [***] |
• | [***] |
• | [***] |
• | [***] |
Data Destruction
• | Upon the expiration or termination of the Discovery Term for any reason, GSK shall only keep any Xxxxx 0 Xxxx, Xxxxx 0 Xxxx, Xxxxx 4 Data and Derived Data required for a Collaboration Program or with respect to which it otherwise has rights, and as soon as reasonably practical securely dispose of all other such information, including all copies thereof, and certify in writing to 23andMe that such information has been disposed of securely using destruction methods that meet or exceed current industry standards, to 23andMe’s reasonable satisfaction. |
• | When media or storage devices are to be disposed of or reused, GSK will implement industry-standard procedures to prevent any subsequent retrieval of 23andMe data before devices are withdrawn from the inventory. When media are to leave the physically secured premises as a result of maintenance operations, GSK will implement encryption of 23andMe Data stored on the media or storage device. |
• | Parties shall establish a mutually agreed to method and process of secure destruction through the Data Access Subcommittee with respect to [***]. |
Virus controls
• | GSK will ensure that Independent Testing is performed at least annually to verify the GSK’s information systems are free of Known Vulnerabilities that may be used to gain unauthorized access to the GSK’s Information Systems or 23andMe Data. |
• | “Known Vulnerability” means those vulnerabilities documented and compiled by independent third parties, including the NIST National Vulnerability Database, a U.S. government repository of standards based vulnerability management data found at the xxx.xxxx.xxx website, and other sites such as the Open Web Application Security Project (OWASP) found at the xxx.xxxxx.xxx website, United States Computer Emergency Readiness Team (US-CERT) found at the xxx.xx-xxxx.xxx website, and UK National Cyber Security Centre (NC SC) found at the xxx.xxxx.xxx.xx website. |
• | “Independent Testing” means testing via any automated tools, by a qualified independent third party; or alternatively, by an internal group with expertise in security vulnerability assessment and independent from the development and support organization. |
• | “GSK Information System” means all hardware, software, operating systems, database systems, software tools and network components used by or on behalf of GSK to receive or Process 23andMe Data. |
• | “Processing” (and its conjugates, including “Process”) shall mean any operation or set of operations that is performed upon any information or data, including without limitation collection, recording, retention, alteration, use, disclosure, access, transfer, storage, or destruction of 23andMe Data. |
Short-term access (1-6 months)
• | [***] |
• | [***] |
• | [***] |
• | [***] |
• | [***] |
• | [***] |
• | [***] |
• | [***] |
• | [***] |
• | [***] |
• | [***] |
• | [***] |
• | [***] |
• | [***] |
• | [***] |
• | [***] |
• | For Level 2 Data: |
• | [***] |
• | [***] |
• | [***] |
• | [***] |
• | [***] |
• | [***] |
• | [***] |
• | [***] |
• | [***] |
• | [***] |
• | [***] |
• | [***] |
• | [***] |
• | [***] |
• | [***] |
• | [***] |
• | [***] |
• | [***] |
• | [***] |
• | [***] |
Long-term access (>6 months)
• | [***] |
• | [***] |
• | [***] |
• | [***] |
• | [***] |
• | [***] |
• | [***] |
• | [***] |
Part B — GSK Data
1 Overview
(a) | For the purposes of this Data Access Plan and any GSK Database Access Rules the GSK information classifications will be as follows: |
(i) [***];
(ii) [***]; or
(iii) [***].
(b) | This Part B of the Data Access Plan is intended to apply rules for access to and use of Data provided by GSK to 23andMe, whether on 23andMe systems, or accessed on or downloaded from GSK systems, and classified by GSK at the time of transmission or provision to 23andMe, respectively, as [***], for use under the Collaboration and is without limitation to the obligations of 23andMe under Article 17 (Confidentiality) of the Agreement with respect to any such Data that falls within the definition of “Confidential Information” under the Agreement. |
(c) | Notwithstanding the foregoing, the Data Access Subcommittee shall have the authority, at its discretion and following consultation between the Parties, to approve the technical means to be implemented for compliance with the rules set forth in this Part B of the Data Access Plan. |
(d) | GSK shall be solely responsible, at its reasonable discretion, for determining and applying one of the classifications set forth above to GSK Data. However, for clarity, the Parties intend that: |
(i) [***];
(ii) [***].
(e) | Notwithstanding the foregoing, if 23andMe reasonably disputes the classification of any GSK Data, the dispute shall be escalated to the Data Access Subcommittee and the Data Access Subcommittee shall assign a classification to such GSK Data. In the absence of agreement at the Data Access Subcommittee, GSK shall have the right to make the final determination. |
(f) | For clarity, 23andMe may elect, at its sole discretion, not to receive or access GSK Data, including on the basis that it believes it is able to obtain the same or substantially similar data from a different source or with less restrictive access provisions. |
2 Access terms and conditions
(a) | GSK shall classify GSK Data as [***], and notify 23andMe of such classification at the time GSK makes such Data available for 23andMe access, or if GSK fails to so classify at the time of initial access, or later desires to apply a different classification, at such later time that GSK otherwise determines and notifies 23andMe of such classification. In the absence of any such classification, such Data shall be considered [***] if it falls within any of Section 1(d)(ii)(A) through (C) above, and otherwise will only be subject to the obligations of 23andMe under Article 17 (Confidentiality) of the Agreement and not be subject to any other obligations set forth in this Part B of the Data Access Plan. For clarity, if GSK first classifies any GSK Data as (i) [***] (as applicable), and later reclassifies such GSK Data under a more restrictive classification (i.e. [***] (if applicable)), 23andMe shall not be deemed to be in breach of this Part B or incur any liability with respect |
to the treatment of such GSK Data if (A) prior to such reclassification, 23andMe has complied with the obligations set forth for the initial classification (i.e. GSK Protected Information or GSK Specified Confidential Information, as applicable), and (ii) following such reclassification, 23andMe complies with the obligations set forth for the reclassification (i.e. [***], as applicable). |
(b) | [***]. |
(c) | References to “GSK Data” in this Part B or in Appendix A shall mean, collectively, all [***]. |
(d) | Access to [***] through the exchange of GSK unstructured files (e.g., Word, Excel, PowerPoint, PDF etc.) will be subject to the terms and conditions in Appendix B to this Data Access Plan. [***] |
(e) | Access to [***] through the exchange of GSK unstructured files (e.g., Word, Excel, PowerPoint, PDF etc.) will be subject to the terms and conditions in Appendix C to this Data Access Plan. [***]. |
(f) | Access to [***] through the exchange of GSK unstructured files (e.g. Word, Excel, PowerPoint, PDF etc.) will be subject to further terms and conditions. |
(g) | Access to [***] in GSK systems via GSK onsite network or using a GSK managed device (e.g. laptop) will be subject to further terms and conditions. |
(h) | For the purposes of Appendices A, B and C of this Data Access Plan: |
(i) | “23andMe Information System” means all hardware, software, operating systems, database systems, software tools and network components used by or on behalf of 23andMe to receive or Process GSK Data. |
(ii) | “Processing” (and its conjugates, including “Process”) shall mean any operation or set of operations that is performed upon any information or data, including without limitation collection, recording, retention, alteration, use, disclosure, access, transfer, storage, or destruction of GSK Data. |
(iii) | “Security Incident” means a reasonably suspected or actual unauthorized use, disclosure, modification or destruction or, or interference with GSK Data. |
3 Data privacy
(a) | Access to personal information, other than basic personal data elements of GSK personnel (e.g. name, work contact details, network or user identification number, gender and title) for the legitimate purpose of day-to-day business activities, will be subject to further terms and conditions. |
(b) | 23andMe will not deliberately identify or attempt to identify any individual data subjects included in any information provided by GSK under the Agreement. If 23andMe receives or obtains any information from GSK that reveals the identity of a patient or other individual data subject, 23andMe will promptly, within [***] of discovery, notify GSK. 23andMe will then cooperate with GSK, at its own cost, to remedy the disclosure and minimize the risk of recurrence. |
Appendix A to Data Access Plan
Remote Access to GSK Data
1 | General requirements |
(a) | [***] |
(i) | [***] |
(ii) | [***] |
(b) | [***] |
(c) | [***] |
2 | Retention and return of GSK Data |
[***]
3 | Background screening |
(a) | [***]: |
(i) | [***] |
(ii) | [***] |
(iii) | [***] |
(iv) | [***] |
(v) | [***] |
(vi) | [***] |
(b) | [***] |
4 | Access |
(a) | [***] |
(b) | [***] |
5 | Incident management |
(a) | [***] |
(i) | [***] |
(ii) | [***] |
[***]
(iii) | [***] |
(iv) | [***] |
(v) | [***] |
(vi) | [***]. |
(b) | [***] |
(i) | [***] |
(ii) | [***] |
(iii) | [***] |
6 Reviews
(a) | [***] |
(b) | [***] |
Appendix B to Data Access Plan
Exchange of [***] in Unstructured Files
1 | [***] |
2 | [***] |
3 | [***] |
Appendix C to Data Access Plan
Exchange of [***] in Unstructured Files
1 | General requirements |
(a) | [***] |
(b) | [***] |
(c) | [***] |
2 | Retention and return of GSK Data |
[***]
(a) | [***] |
(b) | [***] |
(c) | [***] |
3 | Encryption |
[***]
4 | Security Incident reporting and incident response |
(a) | [***] |
(b) | [***] |
(c) | [***] |
5 | Information protection policies |
(a) | [***] |
(i) | [***] |
(ii) | [***] |
(iii) | [***] |
(iv) | [***] |
(b) | [***] |
6 | Physical and environmental security |
(a) | [***] |
(b) | [***] |
7 | Disposal of media |
[***]
8 | Network security |
[***]
9 | Access control |
23andMe will ensure that:
(a) | [***] |
(b) | [***] |
(c) | [***] |
(d) | [***] |
(e) | [***] |
(f) | [***] |
(g) | [***] |
10 | Virus controls |
(a) | [***] |
(b) | [***] |
(c) | [***] |
11 | Personnel |
(a) | [***] |
(b) | [***] |
(c) | [***] |
12 | Security reviews |
(a) | [***] |
(b) | [***] |