Exhibit B — Confidentiality & Data Governance Agreement
CDGA | c-ECO Fellowship Program Contractual Framework
Instrument Context
This Confidentiality & Data Governance Agreement (CDGA) constitutes Exhibit B to the c-ECO Fellowship Participation Agreement (FPA). It establishes binding parameters for data classification, permitted use, cross-border governance, and post-termination obligations.
This instrument operates in conjunction with the Methodological Adherence Instrument (MAI), the Living Lab Engagement Protocol (LLEP), and the Case-Specific Analytical Mandate (CSAM). In case of conflict, the FPA governs.
PREAMBLE
WHEREAS, the c-ECO Fellowship Program operates within a cross-jurisdictional governance architecture involving sensitive analytical data, proprietary methodological frameworks, and institutional information;
WHEREAS, the protection of data integrity, methodological control, and institutional confidentiality is essential to the operational viability of the c-ECO system and its funding structure;
WHEREAS, this Agreement establishes binding parameters for data classification, permitted use, cross-border governance, and post-termination obligations;
NOW, THEREFORE, the parties agree as follows:
ARTICLE I — DEFINITIONS
[CDGA-ART-001] Section 1.1 — Confidential Information
For purposes of this Agreement, "Confidential Information" means any and all non-public, proprietary, or sensitive information disclosed by the Johann Christian Hasse Foundation, Instituto Silvio Meira, or their authorized representatives, including but not limited to:
Category | Description
Analytical Data | Case-specific data, signal indicators, threshold metrics, and systemic analysis outputs
Methodological Assets | The c-ECO framework, TFP variables, sectoral architectures, and analytical protocols
Institutional Information | Internal discussions, strategic planning, funding negotiations, and partnership deliberations
Living Lab Data | Field observations, stakeholder interactions, and location-sensitive information
Technical Infrastructure | Platform architecture, data processing systems, and security protocols
§1. "Data Subject" means any identified or identifiable natural person whose personal data is processed within the c-ECO framework.
§2. "Analytical Subject" or "Case Subject" means any institution, system, territory, infrastructure, operation, or stakeholder environment analyzed within c-ECO, excluding natural persons except where they are also Data Subjects.
§3. "Cross-Jurisdictional Data" means any data that originates in, passes through, or is stored across multiple legal jurisdictions, including but not limited to Brazil, the United States, and European Union territories.
§4. "Licensed Environment" means any real-world operational, contractual, regulatory, institutional, or implementation context in which use of the c-ECO framework is authorized under a separate institutional license, authorization instrument, or equivalent formal approval.
ARTICLE II — DATA CLASSIFICATION TIERS
[CDGA-ART-002] Section 2.1 — Tier Structure
All data within the c-ECO Fellowship Program shall be classified according to the following four-tier system. The Fellow may access only the minimum tier, dataset, and system environment reasonably necessary for the authorized task.
Tier | Designation | Access Level | Handling Requirements
Tier 1 | Public | Unrestricted | Standard attribution
Tier 2 | Restricted | Fellowship participants only | Logged access, need-to-know basis, 3-year survival
Tier 3 | Sensitive | Authorized personnel only | Encrypted storage, access logs, indefinite survival
Tier 4 | Critical / Pre-Threshold | Designated custodians only | Air-gapped or equivalent, multi-factor authorization, indefinite survival
§1. Tier Assignment Authority. The Johann Christian Hasse Foundation retains exclusive authority to assign, modify, reclassify, or declassify data tiers. Only the designated Data Governance Authority may authorize external release or declassification.
§2. Logging and Traceability. All access to Tier 3 and Tier 4 data shall be logged, including access timestamps, export records, transformation activities, and chain-of-custody documentation for sensitive datasets.
[CDGA-ART-003] Section 2.2 — Pre-Threshold Signal Protocol
Data classified as Tier 4 ("Critical / Pre-Threshold Signals") shall be subject to additional protocols:
I — Immediate escalation to designated Foundation custodians upon detection
II — No unsupervised dissemination, external communication, or interpretive conclusions outside authorized channels
III — No independent stakeholder engagement on the basis of such signals without explicit authorization
IV — Mandatory documentation of all access instances and signal characteristics
V — Prohibition from disclosure to case subjects or external stakeholders pending institutional review
ARTICLE III — PERMITTED USE AND SCOPE
[CDGA-ART-004] Section 3.1 — Authorized Purpose
Confidential Information may be accessed and used solely for the purpose of fulfilling the Fellow's assigned analytical responsibilities within the approved case scope, as defined in the applicable Case-Specific Analytical Mandate (CSAM).
§1. Minimum Necessary Access. The Fellow shall access only the minimum tier, dataset, and system environment reasonably necessary for the authorized analytical task.
[CDGA-ART-005] Section 3.2 — Prohibited Uses
Without prior written authorization, the Fellow shall not:
I — Use Confidential Information for any purpose outside the authorized analytical scope
II — Reproduce, duplicate, or create derivative works from Confidential Information
III — Remove data from approved secure environments
IV — Apply c-ECO methodologies to non-authorized cases or contexts
V — Train external AI/ML systems using Confidential Information
VI — Engage subcontractors or third-party processors without authorization
[CDGA-ART-006] Section 3.3 — Methodological Integrity
Any analytical output incorporating c-ECO frameworks or Confidential Information must:
I — Maintain fidelity to the methodological architecture defined in the Methodological Adherence Instrument (MAI)
II — Include appropriate version control references (e.g., "c-ECO v4.1")
III — Avoid unauthorized methodological deviations or "adaptations"
IV — Acknowledge the Johann Christian Hasse Foundation as the source of proprietary frameworks
[CDGA-ART-006A] Section 3.4 — Licensed Environments
Where c-ECO methodologies are applied under licensed conditions, additional data governance requirements may apply based on the sensitivity, jurisdictional location, classification level, and institutional context of the Licensed Environment.
I — Fellowship-level access does not by itself authorize access to all data, systems, or environments associated with a Licensed Environment
II — Additional confidentiality, segregation, or handling conditions may apply in licensed real-world cases
III — No Fellow may assume that access granted for instructional, analytical, or Fellowship purposes automatically extends to licensed implementation environments
ARTICLE IV — CROSS-JURISDICTIONAL DATA GOVERNANCE
[CDGA-ART-007] Section 4.1 — Compliance Standard
Data processing under this Agreement shall be conducted in a manner reasonably designed to comply with the applicable legal requirements of the relevant jurisdiction or jurisdictions, while applying a prudentially protective governance standard where c-ECO classification or institutional sensitivity requires stricter handling.
§1. Applicable frameworks include Brazil's Lei Geral de Proteção de Dados (LGPD), United States state-level privacy laws, and the European Union's General Data Protection Regulation (GDPR) where EU data subjects are involved.
[CDGA-ART-008] Section 4.2 — Data Transfer Mechanisms
Cross-border data transfers shall be governed by Standard Contractual Clauses (SCCs) for EU-Brazil and EU-US transfers, adequacy decisions where recognized, or explicit consent where required.
[CDGA-ART-009] Section 4.3 — Brazil Data Handling
Where Brazilian-origin Tier 3 or Tier 4 data is involved, the Program may require localized storage, restricted mirroring, controlled access segregation, or other jurisdiction-sensitive handling measures as determined by the Foundation's designated Data Governance Authority.
[CDGA-ART-009A] Section 4.4 — Licensed Environment Controls
Where data is processed within or in connection with a Licensed Environment, the Foundation may impose additional governance controls proportionate to the systemic sensitivity, case classification, institutional exposure, and jurisdictional obligations involved.
I — Such controls may include restricted mirroring, isolated storage, enhanced access segregation, or institution-specific handling requirements
II — Licensed Environment controls shall be binding upon the Fellow once communicated through the applicable authorization, case instrument, or data governance instruction
III — In the event of conflict between ordinary Fellowship handling conditions and a Licensed Environment control measure, the more protective requirement shall prevail unless the Foundation determines otherwise in writing
ARTICLE V — DATA SECURITY OBLIGATIONS
[CDGA-ART-010] Section 5.1 — Technical Safeguards
The Fellow shall implement industry-standard encryption for data at rest and in transit (AES-256 minimum), multi-factor authentication for all systems accessing Tier 2+ data, regular security updates, and secure backup procedures.
[CDGA-ART-011] Section 5.2 — Incident Response
Upon discovery of any actual or suspected unauthorized access, data breach, loss or theft of devices, or compromise of authentication credentials:
I — Immediate notice without undue delay for Tier 4, credential compromise, or live-system exposure
II — Written incident summary within 24 hours for all other incidents
III — Immediate cessation of the activity causing the incident
IV — Preservation of all relevant logs and evidence
V — Full cooperation with investigation and remediation
ARTICLE VI — THIRD-PARTY INTERACTIONS
[CDGA-ART-012] Section 6.1 — Subcontractor Prohibition
The Fellow may not engage subcontractors, research assistants, or third-party processors without prior written authorization from the Foundation, execution of confidentiality agreements meeting or exceeding this Agreement's standards, and disclosure of all third-party access to the Foundation.
[CDGA-ART-013] Section 6.2 — Public Communication
No public statement, publication, or media interaction referencing specific case details, Tier 2+ data classifications, or institutional deliberations may occur without prior written authorization.
ARTICLE VII — CONTROL OF INFORMATION & OWNERSHIP
[CDGA-ART-014] Section 7.1 — Control of Confidential Information
All Confidential Information, including proprietary methodological materials, restricted datasets, internal institutional deliberations, protected signal architectures, and controlled operational information, shall remain subject to the ownership and control of the originating party or the Program, as applicable.
[CDGA-ART-015] Section 7.2 — No Implied Transfer
Nothing in this Agreement transfers ownership of Confidential Information to the Fellow, nor grants any license other than the limited right to access and use such information strictly within the authorized Fellowship scope.
§1. No Fellowship-level access, analytical authorization, or instructional exposure shall be construed as granting operational, contractual, regulatory, or implementation rights within a Licensed Environment unless such rights are separately and expressly authorized.
[CDGA-ART-016] Section 7.3 — Relationship to Fellowship Output Ownership
Ownership and use rights relating to analytical contributions, authored outputs, or case-related deliverables shall be governed by the Fellowship Participation Agreement (FPA) and any applicable CSAM. This Agreement does not silently override the IP structure established in those instruments.
ARTICLE VIII — TERM AND TERMINATION
[CDGA-ART-017] Section 8.1 — Duration
This Agreement commences upon the Fellow's execution and continues until the Fellowship Participation Agreement is terminated or the Fellow is released from confidentiality obligations in writing by the Foundation.
[CDGA-ART-018] Section 8.2 — Survival Clause
Post-termination obligations shall survive as follows:
Tier/Information Type | Survival Period
Tier 1 — Public | Attribution requirements only
Tier 2 — Restricted | 3 years from termination
Tier 3 — Sensitive | Indefinite or until formally declassified
Tier 4 — Critical / Pre-Threshold | Indefinite or until formally declassified
Methodological internals | Indefinite
[CDGA-ART-019] Section 8.3 — Post-Termination Obligations
Upon termination, the Fellow shall:
I — Return, destroy, or render inaccessible all Confidential Information within 15 days, as applicable
II — Provide written certification of destruction or inaccessibility
III — Cease all use of c-ECO methodologies unless separately licensed
IV — Maintain confidentiality regarding Tier 3 and Tier 4 information indefinitely
V — Comply with any additional return, destruction, segregation, or access cessation requirements applicable to data connected to a Licensed Environment
Retention Exception
Routine archival backups may persist subject to continued confidentiality restrictions and access logging, where legal retention rules or system architecture make total deletion technically impossible.
ARTICLE IX — REMEDIES AND ENFORCEMENT
[CDGA-ART-020] Section 9.1 — Injunctive Relief
The parties acknowledge that breach of this Agreement would cause irreparable harm for which monetary damages are inadequate. The Foundation shall be entitled to seek injunctive relief without bond requirement.
[CDGA-ART-021] Section 9.2 — Indemnification
The Fellow shall indemnify the Foundation against all losses, damages, and expenses arising from unauthorized disclosure of Confidential Information, breach of data security obligations, violation of cross-jurisdictional data rules, or misuse of c-ECO intellectual property.
[CDGA-ART-022] Section 9.3 — Compelled Disclosure
If the Fellow is legally compelled to disclose Confidential Information:
I — The Fellow must notify the Foundation promptly unless prohibited by law
II — Disclosure must be limited to what is legally required
III — The Fellow must cooperate with the Foundation's efforts to protect information
ARTICLE X — MISCELLANEOUS
[CDGA-ART-023] Section 10.1 — Entire Agreement
This Agreement constitutes the complete understanding regarding confidentiality and data governance for the Fellowship, superseding all prior agreements. It operates in conjunction with the FPA, MAI, LLEP, and CSAM as an integrated contractual framework.
[CDGA-ART-024] Section 10.2 — Amendment
No modification shall be effective unless in writing signed by both parties.
[CDGA-ART-025] Section 10.3 — Governing Law and Dispute Resolution
This Agreement shall be governed by the laws and dispute resolution mechanisms specified in the Fellowship Participation Agreement.
SIGNATURE PAGE
IN WITNESS WHEREOF, the parties have executed this Confidentiality & Data Governance Agreement as of the date last written below.
JOHANN CHRISTIAN HASSE FOUNDATION

By: _________________________________

Name: _________________________________

Title: _________________________________

Date: _________________________________
FELLOW

By: _________________________________

Name: _________________________________

Date: _________________________________
Instrument Integration
This Exhibit B (CDGA) operates as part of the c-ECO Fellowship Contractual Framework alongside: the Fellowship Participation Agreement (FPA), Exhibit A (MAI), Exhibit C (LLEP), Exhibit D (CSAM), and, where applicable, the separate license or authorization instruments governing Licensed Environments. Reference to related instruments may be made via hyperlinks in the digital version or by citation in executed counterparts.