Quality Policy

The Genialis Quality Policy aims to ensure a framework for maintaining the highest standards of quality and compliance with applicable requirements that are aligned with our company’s vision, purpose, and mission and with the company’s articulated strategic objectives. We are dedicated to continuous improvement, innovation, and fostering a culture of excellence in everything we do. Our Quality Management system is a collection of business processes that enable us to create and deliver high-quality products and services that meet stakeholders’ and regulatory requirements.

The objectives of the Quality Management system are:

• Customer Focus: We are committed to understanding our customers’ needs and exceeding their expectations. We strive to deliver data science solutions that address their unique challenges, improve patient outcomes, and contribute to advancing precision medicine.
• Compliance: We are dedicated to meeting all applicable requirements, including those defined by ISO 9001, statutory or regulatory bodies, and our customers. We continuously monitor and evaluate our processes, practices, and systems to ensure compliance and proactively address deviations or non-conformities.
• Continuous Improvement: We foster a culture of continuous improvement, where every employee is encouraged to contribute to enhancing our processes, products, and services. We embrace data-driven decision-making, regularly analyze performance metrics, identify areas for improvement, and implement necessary actions to optimize quality and efficiency.
• Competence and Development: We recognize that our employees are the driving force behind our success. We provide a supportive and empowering work environment that promotes ongoing learning, professional development, and knowledge sharing. By nurturing the skills and expertise of our data science team, we ensure our ability to deliver high-quality services and remain at the forefront of innovation.
• Risk Management: We proactively identify, assess, and manage risks associated with our operations to minimize their impact on quality and customer satisfaction. We integrate risk management into our processes and decision-making, employing appropriate methodologies to anticipate and mitigate potential issues that may arise.

The Quality Policy follows the ISO 9001:2015 standard recommendations and complies with ISO 9001:2015 standard provisions. Quality Policy provisions apply to all employees and external entities.

By managing and continuously advancing the Quality Policy, the CEO aspires to raise awareness among employees and external entities in the quality field and supports the efficiency of the Quality Management system.

Following ISO 9001:2015 standard requirements, the CEO ensures the accessibility of necessary human resources, financial resources, and infrastructure for planning, implementation, monitoring, maintenance, and introducing actions.

Although the CEO has ultimate responsibility for Quality, all employees have a responsibility within their work areas to help ensure that Quality is embedded within the whole company.

Sustainability Policy

At Genialis, we recognize that sustainability is crucial for our future and integral to our mission of advancing precision medicine. We are committed to honoring our planet and its inhabitants by embedding sustainable practices into all aspects of our business operations. We aim to positively impact global sustainability goals and enhance the well-being of our communities, employees, and the environment.

This policy underscores our strong commitment to sustainability. We aim to minimize our environmental footprint, cultivate a sustainable organizational culture, and ensure that our business practices actively support environmental, social, and economic well-being.

The following principles guide Genialis’s Sustainability Policy:

Environmental Stewardship
We commit to enhancing our environmental impact through the following initiatives:

• Waste Management: Actively recycling and reducing waste. We prioritize digital communications and reuse and recycle electronic equipment responsibly.
• Energy Conservation: Using energy-efficient lighting and ensuring all electronics are powered down when not in use.
• Sustainable Sourcing: Selecting products made from recycled materials and those with lower environmental impacts, such as eco-friendly cleaning supplies and fair trade coffee.
• Transportation: Promoting low-impact transportation options, including public transit, cycling, carpooling, and minimizing travel through virtual communication tools.

Social Responsibility
Our commitment to social responsibility is manifested through these initiatives:

• Community Engagement: Actively participating in and supporting local educational and social initiatives.
• Inclusive Workplace: Fostering a workplace that promotes well-being, diversity, and inclusion. We provide continuous training, development opportunities, and mental health support, ensuring all employees can thrive.
• Ethical Conduct: Maintaining the highest standards of integrity and transparency in all business dealings, adhering to fair labor practices, and opposing all forms of discrimination and human rights abuses.

Economic Sustainability
We are dedicated to:

• Sustainable Value Creation: Generating economic value through sustainable practices that meet current needs without compromising future generations.
• Innovation: Driving innovation in products and services that contribute to sustainable healthcare solutions.
• Risk Management: Systematically identifying, assessing, and managing potential environmental and social risks associated with our operations.

Governance and Compliance
To ensure effective governance and compliance, we are committed to:

• Regulatory Adherence: Strictly adhering to all relevant local, national, and international environmental and social regulations.
• Continuous Improvement: Regularly evaluating and improving our sustainability efforts based on stakeholder feedback and emerging challenges and opportunities.

Risk Management Policy

We are committed to meeting the requirements of quality and information security management systems to ensure the systematic and effective management of the company’s risks in all areas and levels of operations.

Comprehensive risk management at Genialis ensures the company successfully implements its mission, vision, and strategic and business goals. Monitoring and managing changes in a rapidly changing environment is the key to the company’s smooth operation. At Genialis, the risk is the likelihood of an event or series of events with negative consequences on the company’s business operations. The company deals with risks that harm achieving goals and opportunities that enable more successful attainment of goals.

The company’s leadership adopts a risk management policy that supports the risk management process as a strategic orientation, which is essential for long-term successful operations.

The following principles guide Genialis’s risk management policy:

• Risk management applies to all aspects of the Company’s business and activity.
• Risk management is a shared responsibility of all personnel.
• Risk management is a continuous improvement process in which the company strives to reduce and manage the likelihood and negative impact of risks.
• We provide training and other support to employees to help them manage the risks in their roles.
• We adapt our Risk management to Genialis’s external and internal context; based on changes, we identify new risks, address them, and reject irrelevant risks.
• We involve various competent stakeholders who enable better awareness and informed risk management through their knowledge, views, and perceptions.
• We use available information and learn from experience, taking into account possible changes in the future.
• We make decisions based on facts and clear and timely information available to all stakeholders. 
• We create a culture that encourages recognition and risk management among all employees.
• We systematically review and improve our risk management. 
• We follow modern trends in risk management, knowledge transfer, and culture and promote risk management within and among other company stakeholders.

Data Privacy and Security Policy

Genialis is committed to protecting the privacy and security of protected health information (PHI) as required by the Health Insurance Portability and Accountability Act (HIPAA) and the General Data Protection Regulation (GDPR). This policy outlines our practices for collecting, using, disclosing, and safeguarding PHI in compliance with regulations and our principles to ensure data privacy and security in machine learning.

Information Covered by HIPAA and GDPR Rules: 

• Personal health information
• Personally identifiable information (including genetic information)
• Treatment information
• Other information related to an individual’s health

We use and disclose PHI for the following purposes:

• Research purposes
• In collaborations as business associates

Our organization has implemented administrative, physical, and technical safeguards to protect PHI’s confidentiality, integrity, and availability. These safeguards include:

• Access controls
• Audit controls
• Integrity controls
• Transmission security
• Device security

Our organization has implemented HIPAA and GDPR breach notification procedures in case of a breach of unsecured PHI.

As data processors, we don’t have direct contact with the individuals. However, we commit to complying with HIPAA and GDPR requirements by providing individuals access to their health information and allowing them to request corrections if needed.

Machine Learning Data Privacy and Security Policy

The following principles guide Genialis’ Data Privacy and Security Policy in machine learning:

• Data Anonymization: We anonymize sensitive data by removing personally identifiable information (PII), safeguarding the privacy of individuals involved in drug development. This process ensures that individual identities cannot be traced to the data used in ML models.
• Secure Data Storage: We implement robust security measures for data storage, including encryption techniques for data at rest and in transit, access controls to restrict unauthorized access, and regular backups to prevent data loss.
• Consent and Transparency: Except for data in the public domain, we always use data for which informed consent has been obtained from individuals whose data will be used.
• Data Minimization: We collect and utilize only necessary data for ML models to minimize privacy risks and reduce the potential exposure of sensitive data.
• Robust Cybersecurity Measures: We implement strong cybersecurity practices, such as firewalls, intrusion detection systems, and regular security audits, to protect against unauthorized access, data breaches, and cyber-attacks while staying updated with the latest security protocols.
• Compliance with Regulations: We adhere to relevant data protection regulations, laws, and guidelines governing data privacy and security, such as GDPR and HIPAA.
• Secure Collaboration and Sharing: We establish secure mechanisms for data collaboration and sharing, including secure data-sharing protocols, non-disclosure agreements, and strict access controls to ensure data is only accessible to authorized parties.
• Regular Risk Assessments and Audits: We conduct periodic risk assessments and audits to identify vulnerabilities and potential privacy or security gaps and proactively maintain compliance.
• Employee Training and Awareness: We educate employees about data privacy, security best practices, and responsible ML use through training programs to ensure they understand their roles and responsibilities in safeguarding data.
• Ethical Considerations: We address the ethical implications of ML in drug development by considering fairness, bias, transparency, and responsible AI/ML use through ethical frameworks, guidelines, and committees.

Information Security Incident Management Policy

Genialis is committed to maintaining the confidentiality, integrity, and availability of personal health information, personally identifiable information, and other sensitive data in compliance with the Health Insurance Portability and Accountability Act (HIPAA), the General Data Protection Regulation (GDPR), and ISO/IEC 27001. This policy outlines our procedures for incident management in case of a security breach or other incident affecting this information’s confidentiality, integrity, or availability.

Our organization will comply with all applicable requirements of HIPAA, GDPR, and ISO/IEC 27001 related to incident management, including: 

• Reporting incidents to regulatory authorities and affected individuals as required by law
• Conducting investigations and implementing remediation measures to prevent future incidents
• Maintaining appropriate documentation of incidents and incident management procedures
• Regularly reviewing and updating incident management procedures to ensure compliance with changing regulatory requirements.

Genialis’s Security Incident Management procedure includes the following steps:

• Detection: We detect security incidents from various sources, depending on their nature and location. These may be reported by staff or software tools or by third parties such as partners, customers, vendors, law enforcement, and regulatory authorities.
• Identification: We promptly identify security breaches or other incidents that may affect the confidentiality, integrity, or availability of personal health information, personally identifiable information, or other sensitive data. We conduct a thorough incident scope and impact assessment, including determining the types of information affected and the potential harm to individuals.
• Containment: We take immediate action to contain the incident and prevent further unauthorized access or disclosure of the affected information.
• Eradication: We conduct a root cause analysis of the incident to determine corrective actions and prevent future incidents.
• Recovery: We take actions to remediate the incident, including implementing additional safeguards and controls to prevent future incidents. The affected device(s) or system(s) are restored and returned to the business environment.
• Lessons Learned: We thoroughly analyze how the incident was detected, communicated, and handled. The incident process is updated to improve monitoring and response times, optimizing our response to future incidents.
• Communication with Stakeholders: We communicate with affected individuals, regulatory authorities, and other stakeholders, providing incident notification as required by HIPAA, GDPR, and ISO/IEC 27001.

Business Continuity Planning Policy

This Business Continuity Planning Policy outlines Genialis’s commitment to maintaining essential operations during unforeseen disruptions, ensuring the well-being of employees, and safeguarding critical assets. This policy aims to establish a framework for effective response and recovery, thereby minimizing the impact of disruptions on our business operations, reputation, and stakeholders.

Business Impact Analysis
Recognizing and understanding the risks that could affect businesses helps us create a comprehensive business continuity plan. Here are some risks we considered when developing a Business Continuity Plan:

• Natural Disasters: Building resilience against natural disasters means implementing a robust BCP and risk management system. Natural events cannot be controlled, so businesses must be prepared for any scenario. This includes geological events such as earthquakes, landslides, tsunamis, and volcanoes, as well as meteorological events such as hurricanes, floods, and snowstorms.
• Human-caused risks: There are many types of risks, all of which come in varying degrees of severity and can be accidental or intentional. Accidental risks include structural collapses, transportation incidents, and resource shortages. Intentional risks include threats of terrorism, arson, cyber security attacks, and product contamination.
• Technological risks: Technological risks impact business and are increasingly common, given society’s growing reliance on technology. Technological risks include hardware, software, network connectivity interruption, disruption, failure, utility interruption, disorders, or failure.
• Supply Chain Risks: Supply chain risks refer to the disruptions that can occur in the supply chain due to natural disasters or other factors.

Business Continuity Plan
With a Business Continuity Plan (BCP), we prepare the organization to respond to and recover from unforeseen disruptions effectively.
The key objectives of the BCP are outlined as follows:

• Prioritize Critical Functions for Recovery: This entails identifying and listing the organization’s vital functions, prioritizing them based on their criticality to operations, and establishing a clear order for recovery.
• Define Activation Procedures and Roles: Refine activation procedures and applications. This includes providing comprehensive documentation of the procedures to initiate a BCP, assigning specific roles and responsibilities to employees, and ensuring a well-coordinated response.
• Define Agreed Response Actions: This encompasses a detailed outline of the predefined actions to be taken once a disruption occurs. It involves a step-by-step guide on addressing the situation, minimizing downtime, and mitigating potential organizational damage.

Ensuring preparedness and resilience
We deploy the following practices to enhance company readiness for potential disruptions and minimize the impact on critical operations:

• Work With Reliable IT Companies: We emphasize the importance of collaborating with trustworthy IT companies to ensure the availability and security of our systems.
• Conduct Risk Assessment: We commit to performing a thorough risk assessment during our business continuity planning process. This will help us identify potential vulnerabilities and develop appropriate mitigation strategies.
• Set Up A Communication Procedure: We have a clear and effective communication procedure to ensure the timely and accurate dissemination of information during a crisis.
• Establish A Crisis Management Team: We understand the significance of creating a dedicated crisis management team responsible for coordinating and executing our business continuity plan. This team has clearly defined roles and responsibilities.
• Test Our Plan: We regularly test our business continuity plan through tabletop exercises or live drills. This enables us to identify any gaps or areas for improvement.
• Motivate Our Staff: We are committed to fostering a culture of preparedness and resilience among our employees. We provide training, resources, and incentives to encourage active participation in our business continuity efforts.
• Regularly Update And Improve The Plan: Recognizing the dynamic nature of business environments, we understand the crucial need to review and update our business continuity plan regularly. This ensures it reflects changes in technology, processes, or external factors.

Access Policy

We are committed to ensuring secure access to sensitive information within our organization. This policy aims to protect the confidentiality, integrity, and availability of sensitive data in accordance with the General Data Protection Regulation (GDPR), Health Insurance Portability and Accountability Act (HIPAA), and ISO/IEC 27001 standard. Access must also be granted to authorized personnel.

• User Authentication: Access to company systems and data requires authentication through secure and unique credentials. Multi-factor authentication (MFA) is mandatory for accessing sensitive information.
• Authorization: Access rights are granted based on the principle of least privilege, ensuring that individuals have the minimum level of access necessary to perform their job functions. Authorization requests must be submitted formally and approved by the appropriate authority.
• Data Classification: All data is classified based on its sensitivity and criticality. Access controls are tailored to the data classification level, with more stringent controls for highly sensitive information.
• Monitoring and Logging: Access to sensitive data is monitored and logged for auditing purposes. Security teams regularly review access logs to detect and respond to unauthorized access attempts.
• Physical Access Controls: Physical access to data centers, server rooms, and other critical areas is restricted and monitored. Access is granted based on job responsibilities and requires authorization from appropriate management.
• Remote Access: Access to the company’s network and systems is only allowed through secure connections. Employees must use company-approved solutions and adhere to additional security measures outlined in the Information Security Manual. 
• Training and Awareness: All employees are regularly trained on access policies and security protocols. This ensures they are aware of the latest security threats and best practices for safeguarding sensitive information.
• Review and Revision: We regularly review and update this policy to ensure that it reflects changes in regulations, technologies, and business practices.

Data Retention Policy

We are committed to retaining only data necessary to conduct our activities and work to fulfill our mission effectively. The need to have data varies widely depending on the type of data and the purpose for which it was collected. Genialis strives to ensure that data is only kept for the period necessary to fulfill its collected purpose and is entirely deleted when no longer required.

Reasons for Data Retention
Genialis retains only the data necessary to effectively conduct its activities, fulfill its mission, and comply with applicable laws and regulations. Reasons for data retention include:

• Business reasons for retaining specific data
• Compliance with applicable laws and regulations associated with financial and programmatic reporting by Genialis to its investors
• Compliance with applicable labor and tax laws
• Other regulatory requirements
• Security incident or other investigation
• Intellectual property preservation

Determining a retention period

• Legal obligations: We identify legal requirements or industry-specific regulations that mandate specific retention periods for certain data types and consider those obligations when setting our retention policy.
• Purpose limitation: We determine the data’s purpose for collection and processing. Once the purpose has been fulfilled, we consider whether there is a legitimate reason to retain the data further. If there is no longer a valid purpose, it’s generally advisable to delete or anonymize the data.
• Data subject rights: We respect the rights of data subjects, such as the right to erasure (also known as the right to be forgotten), and ensure our retention policy allows for the timely deletion of personal data upon request unless there are lawful grounds for retaining it.
• Storage costs and security: We consider the costs and risks associated with storing and securing the data. Keeping data beyond necessary can increase the potential for data breaches or unauthorized access. We regularly review and delete data that is no longer required.

Data Duplication
Genialis seeks to avoid duplication in data storage whenever possible. However, there may be instances where data must be held in more than one place for programmatic or other business reasons. This policy applies to all data in Genialis’s possession, including duplicate copies of data.

Retention Requirements
We establish the retention period for retaining all personal data as defined in the Data Privacy and Security Policy and Documentation Control standard operation procedure in the GDPR Inventory of Processing Activities.

Data Destruction
Data destruction ensures that Genialis manages and processes the data it controls efficiently and responsibly. When the retention period for the data as outlined above expires, Genialis will actively destroy the data covered by this policy. Genialis’s data protection officer must approve any exceptions to this data retention policy in consultation with legal counsel. In rare circumstances, a litigation hold may be issued by legal counsel prohibiting the destruction of certain documents. A litigation hold remains in effect until released by legal counsel and prohibits the destruction of data subject to the hold.