Terms of Service
Data Use Addendum
Effective Date: July 26th, 2023
This Data Use Addendum (“Addendum”) supplements the Terms of Service (the “Terms”) entered into by and between you (“Customer”) and Crunchbase, Inc. (“Crunchbase”). Crunchbase enters into this Addendum on behalf of itself and, to the extent required under Applicable Privacy Laws (defined below), in the name and on behalf of its Affiliates (defined below), if any. This Addendum incorporates the terms of the Terms, and any terms not defined in this Addendum shall have the meaning set forth in the Terms. In the event of a conflict between the terms and conditions of this Addendum and the Terms, the terms and conditions of this Addendum shall supersede and control.
ARTICLE I – DEFINITIONS
“Affiliate” means (i) an entity of which a party directly or indirectly owns fifty percent (50%) or more of the stock or other equity interest, (ii) an entity that owns at least fifty percent (50%) or more of the stock or other equity interest of a party, or (iii) an entity which is under common control with a party by having at least fifty percent (50%) or more of the stock or other equity interest of such entity and a party owned by the same person, but such entity shall only be deemed to be an Affiliate so long as such ownership exists.
“Anonymous Data” means Personal Data that has been processed in such a manner that it can no longer be attributed to an identified or identifiable natural person.
“Applicable Privacy Law(s)” means the CCPA, GDPR, and any other data protection, privacy, data breach, or similar or related laws applicable to a party’s use or other processing of Personal Data.
“CCPA” means the California Consumer Privacy Act of 2018, as amended, together with its implementing regulations.
“Controller” means any person who would fall under the definition of a “Controller” as set forth in the GDPR, a “Business” as set forth in the CCPA, or any similar definition under any other Applicable Privacy Law.
“Content” has the same meaning as it does in the Terms of Service excluding User Submissions.
“Data Subject” means an identified or identifiable person to whom Personal Data relates.
“Data Exporter” means Customer.
“Data Importer” means Crunchbase.
“EU SCCs” means the standard contractual clauses approved by the European Commission in Commission Decision 2021/914 dated 4 June 2021, for transfers of personal data to countries not otherwise recognized as offering an adequate level of protection for Personal Data by the European Commission (as amended and updated from time to time).
“ex-EEA Transfer” means the transfer of Personal Data, which is processed in accordance with the GDPR, from the Data Exporter to the Data Importer (or its premises) outside the European Economic Area (the “EEA”), and such transfer is not governed by an adequacy decision made by the European Commission in accordance with the relevant provisions of the GDPR.
“ex-UK Transfer” means the transfer of Personal Data, which is processed in accordance with the UK GDPR and the Data Protection Act 2018, from the Data Exporter to the Data Importer (or its premises) outside the United Kingdom (the “UK”), and such transfer is not governed by an adequacy decision made by the Secretary of State in accordance with the relevant provisions of the UK GDPR and the Data Protection Act 2018.
“GDPR” means EU Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016.
“Included Data” means any Personal Data included in the Content and provided to or otherwise accessed by Customer under the Terms.
“Personal Data” means any information relating to a Data Subject which is subject to Applicable Privacy Law.
“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.
“Process” or “Processing” means any operation or set of operations which is performed upon the Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure, or destruction.
“Processor” means any person who would fall under the definition of a “Processor” as set forth in the GDPR, a “Service Provider” as set forth in the CCPA, or any similar definition under any other Applicable Privacy Law.
“Protected Data” means any Personal Data which Crunchbase Processes in its capacity as a Processor on behalf of Customer, and, for clarity, excludes Included Data, Anonymous Data and Personal Data collected, used, and shared in accordance with Crunchbase’s Privacy Policies.
“Services” means the Service (as defined in the Terms).
“Standard Contractual Clauses” means the EU SCCs and the UK SCCs.
“Supervisory Authority” means an independent public authority which is established by a member state of the European Union, United Kingdom, Iceland, Liechtenstein, or Norway.
“UK SCCs” means the International Data Transfer Agreement approved by the United Kingdom Information Commissioner’s Office for transfers of personal data to countries not otherwise recognized as offering an adequate level of protection for personal data by the United Kingdom, as approved by the United Kingdom Information Commissioner’s Office under S119(A)(1) of the Data Protection Act of 2018, dated 12 March 2022 (as amended and updated from time to time) (“UK Controller-to-Processor SCCs”).
The parties acknowledge that in the context of the Services, Crunchbase determines the purposes and means of Processing of certain types of Personal Data, in particular but not limited to business contact details of Customer’s and Customer Affiliates’ personnel and contractors in order to allow Crunchbase to administer and perform the Services. When Processing Personal Data in this manner, Crunchbase is a Controller of such Personal Data and the terms of this Addendum shall not apply to such Processing. Depending on the Services, Crunchbase may also process Protected Data in the capacity of a Processor. The provisions of Article II below shall apply when Crunchbase Processes such Protected Data in a capacity of a Processor. The parties acknowledge that each party Processes Included Data in a capacity as a Controller, and that with respect to such Processing they Process such Included Data as independent controllers, not joint controllers. The provisions of Article III below shall apply to such independent Processing of Included Data.
ARTICLE II – PROCESSING OF PROTECTED DATA
Rights & Obligations.
Customer shall, in its use of the Services, at all times Process Personal Data, and provide instructions for the Processing of Protected Data, in compliance with all Applicable Privacy Laws. Customer shall ensure that its instructions comply with all laws, rules and regulations applicable in relation to the Protected Data, and that the Processing of Protected Data in accordance with such instructions will not cause Crunchbase to be in breach of any Applicable Privacy Law. Crunchbase shall immediately notify Customer if an instruction, in Crunchbase’s opinion, violates any Applicable Privacy Law; however, Customer is solely responsible for the accuracy, quality, and legality of (i) the Protected Data provided to Crunchbase by or on behalf of Customer, (ii) the means by which Customer acquired any such Protected Data, and (iii) the instructions it provides to Crunchbase regarding the Processing of such Protected Data. Customer shall not provide or make available to Crunchbase any Protected Data in violation of the Terms or otherwise inappropriate for the nature of the Services, and shall indemnify Crunchbase from all claims and losses in connection therewith.
The subject matter, nature, purpose, and duration of Crunchbase’s Processing of Protected Data, as well as the types of Protected Data Processed and categories of Data Subjects, are described in Exhibit A to this Addendum. Crunchbase shall not Process Protected Data: (i) for purposes other than those set forth in the Terms and/or Exhibit A; (ii) in a manner inconsistent with the terms and conditions set forth in this Addendum or any other documented instructions provided by Customer, unless required to do so by a Supervisory Authority to which Crunchbase is subject; or (iii) in violation of Applicable Privacy Laws. Customer hereby instructs Crunchbase to Process Protected Data in accordance with the foregoing and as part of any Processing initiated by Customer in its use of the Services.
Following completion of the Services, at Customer’s choice, Crunchbase shall return or delete the Protected Data, unless further storage of Protected Data is required or authorized by applicable law. If return or destruction is impracticable or prohibited by law, rule or regulation, Crunchbase shall take reasonable measures to block such Protected Data from any further Processing. If Customer and Crunchbase have entered into Standard Contractual Clauses as described below (Transfers of Personal Data), the parties agree that the certification of deletion of Personal Data that is described in Clause 12(1) of the UK SCCs and Clause 8.1(d) and Clause 8.5 of the EU SCCs (as applicable) shall be provided by Crunchbase to Customer only upon Customer’s request.
Authorized Employees and Sub-Processors.
Crunchbase shall take commercially reasonable steps to ensure the reliability and appropriate training of any employee authorized to access Protected Data in connection with this Addendum or the Terms (each, an “Authorized Employee”). Crunchbase shall ensure that all Authorized Employees are made aware of the confidential nature of Protected Data and have executed confidentiality agreements that prevent them from disclosing or otherwise Processing, both during and after their engagement with Crunchbase, any Protected Data except in accordance with their obligations in connection with the Services.
Customer acknowledges and agrees that Crunchbase may (1) engage its affiliates and the sub-processors set forth on the list attached as Exhibit B and incorporated herein by this reference (the “List”), as such List may be updated from time to time in accordance with this Section (“Authorized Sub-Processors”) to access and Process Protected Data in connection with the Services and (2) from time to time engage additional third parties for the purpose of providing the Services, including without limitation the Processing of Protected Data. By way of this Addendum, Customer provides general written authorization to Crunchbase to engage sub-processors as necessary to perform the Services.
The List may be updated by Crunchbase from time to time. At least ten (10) days before enabling any third party other than Authorized Sub-Processors to access or participate in the Processing of Personal Data, Crunchbase will add such third party to the List and provide Customer with notice of this addition. Customer may reasonably object to such an engagement on legitimate grounds by informing Crunchbase in writing within ten (10) days of receipt of the aforementioned notice by Customer. Customer acknowledges that certain sub-processors are essential to providing the Services and that objecting to the use of a sub-processor may prevent Crunchbase from offering the Services to Customer. If Customer reasonably objects to an engagement in accordance with this paragraph, and Crunchbase cannot provide a commercially reasonable alternative within a reasonable period of time, Crunchbase may terminate this Addendum. Termination shall not relieve Customer of any fees owed to Crunchbase under the Terms.
Crunchbase will enter into a written agreement with each Authorized Sub-Processor imposing on the Authorized Sub-Processor data protection obligations comparable to those imposed on Crunchbase under this Addendum with respect to the protection of Protected Data. In case an Authorized Sub-Processor fails to fulfill its data protection obligations under such written agreement with Crunchbase, Crunchbase will remain liable to Customer for the performance of the Authorized Sub-Processor’s obligations under such agreement.
The above authorizations will constitute Customer’s prior written consent to the subcontracting by Crunchbase of the processing of Protected Data if such consent is required under the Standard Contractual Clauses, and the parties agree that the copies of the agreements with Authorized Sub-Processors that must be provided by Crunchbase to Customer pursuant to the Standard Contractual Clauses may have commercial information, or information unrelated to the Standard Contractual Clauses or their equivalent, removed by Crunchbase beforehand, and that such copies will be provided by Crunchbase only upon request by Customer.
Security of Protected Data.
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Crunchbase shall maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk of Processing Protected Data.
Transfers of Personal Data.
The parties agree that Crunchbase may transfer Protected Data processed under this Addendum outside the EEA, the UK, or Switzerland in order to perform its obligations and exercise its rights under this Addendum and the Agreement. Customer acknowledges that Crunchbase’s primary processing operations take place in the United States, and that the transfer of Protected Data to the United States is necessary for the provision of the Services to Customer. If Crunchbase transfers Protected Data to a jurisdiction for which the European Commission has not issued an adequacy decision, Crunchbase will ensure that appropriate safeguards have been implemented for the transfer of Protected Data in accordance with Applicable Privacy Laws.
Ex-EEA Transfers.
The parties agree that ex-EEA Transfers are made pursuant to the EU SCCs, which are deemed entered into (and incorporated into this Addendum by this reference) and completed as follows:
Module Two (Controller to Processor) of the EU SCCs apply when Customer is a controller and Crunchbase is processing Protected Data for Customer as a processor pursuant to Article II of this Addendum.
Module Three (Processor to Sub-Processor) of the EU SCCs apply when Customer is a processor and Crunchbase is processing Protected Data on behalf of Customer as a sub-processor.
For each module, where applicable the following applies:
In Clause 7, the optional docking clause does not apply;
In Clause 9, Option 2 (general written authorization) applies, and the minimum time period for prior notice of sub-processor changes shall be as set forth in Article II of this Addendum;
In Clause 11, the optional language does not apply;
In Clause 13, all square brackets are hereby removed;
In Clause 17 (Option 1), the EU SCCs will be governed by Irelandlaw; and
In Clause 18(b), disputes will be resolved before the courts of Ireland.
The parties acknowledge and agree that if any of the EU SCCs are replaced or superseded by new standard contractual clauses (“New EU SCCs”), the Data Importer may give notice to the Data Exporter and, with effect from the date set forth in such notice, the application of the EU SCCs set forth in this Addendum shall be amended so that the EU SCCs cease to apply to ex-EEA Transfers, and the New EU SCCs specified in such notice shall apply going forward. To the extent that the use of the New EU SCCs require the parties to complete additional information, the parties shall reasonably and promptly work together to complete such additional information.
Ex-UK Transfers.
The parties agree that ex-UK Transfers are made pursuant to the UK SCCs, which are deemed entered into and incorporated into this Addendum by reference, and completed as set forth in Exhibit C. The parties shall reasonably and promptly work together to complete additional information required to be included in the UK SCCs as required by applicable law.
Transfers from Switzerland.
The parties agree that transfers from Switzerland are made pursuant to the EU SCCs, which are deemed entered into and incorporated into this Addendum by reference, and completed as follows:
The terms “General Data Protection Regulation” or “Regulation (EU) 2016/679” as utilized in the EU SCCs shall be interpreted to include the Federal Act on Data Protection of 19 June 1992 (the “FADP,” and as revised as of 25 September 2020, the “Revised FADP”) with respect to data transfers subject to the FADP. The terms of the EU SCCs shall be interpreted to protect the data of legal entities until the effective date of the Revised FADP;
Clause 13 of the EU SCCs is modified to provide that the Federal Data Protection and Information Commissioner (“FDPIC”) of Switzerland shall have authority over data transfers governed by the FADP and the appropriate EU supervisory authority shall have authority over data transfers governed by the GDPR. Subject to the foregoing, all other requirements of Section 13 shall be observed; and
The term “EU Member State” as utilized in the EU SCCs shall not be interpreted in such a way as to exclude Data Subjects in Switzerland from exercising their rights in their place of habitual residence in accordance with Clause 18(c) of the EU SCCs.
Module Two (Controller to Processor) of the EU SCCs apply when Customer is a controller and Crunchbase is processing Protected Data for Customer as a processor pursuant to Article II of this Addendum.
Module Three (Processor to Sub-Processor) of the EU SCCs apply when Customer is a processor and Crunchbase is processing Protected Data on behalf of Customer as a sub-processor.
For each module, where applicable the following applies:
In Clause 7, the optional docking clause does not apply;
In Clause 9, Option 2 (general written authorization) applies, and the minimum time period for prior notice of sub-processor changes shall be as set forth in Article II of this Addendum;
In Clause 11, the optional language does not apply;
In Clause 13 all square brackets are hereby removed;
In Clause 17 (Option 1), the EU SCCs will be governed by Swiss law; and
In Clause 18(b), disputes will be resolved before the courts of Switzerland.
Supplementary Measures.
In respect of any ex-EEA Transfer or ex-UK Transfer, the following supplementary measures shall apply:
If, after the date of this Addendum, the Data Importer receives any government agency requests (“Government Agency Requests”) relating to Protected Data, Crunchbase shall attempt to redirect the law enforcement or government agency to request that data directly from Customer. As part of this effort, Crunchbase may provide Customer’s basic contact information to the government agency. If compelled to disclose Protected Data to a law enforcement or government agency, Crunchbase shall give Customer reasonable notice of the demand and reasonably cooperate to allow Customer to seek a protective order or other appropriate remedy unless Crunchbase is legally prohibited from doing so. Crunchbase shall not voluntarily disclose Protected Data to any law enforcement or government agency. In the event of such Governmental Agency Requests, Data Exporter and Data Importer shall (as soon as reasonably practicable) discuss and determine whether all or any transfers of Protected Data pursuant to this Addendum should be suspended;
Data Importer warrants that (i) it has not purposefully created back doors or similar programing that could be used to access Protected Data; (ii) it has not purposefully created or changed its business processes in a manner that facilitates unauthorized access to Protected Data; (iii) no law or government policy to which Data Importer is subject requires the Data Importer to create or maintain back doors to use or access Protected Data; and (iv) it will notify Data Exporter if, at any time, it is unable to continue complying with this commitment;
Data Exporter shall use strong encryption before transmitting any Protected Data to Data Importer. Such encryption will be based on an algorithm and parameters (including without limitation its key length) that conform with industry best practices and that are considered robust against cryptanalysis that may be performed by law enforcement or other public authorities. The keys for such encryption will be reliably managed by both Data Exporter and Data Importer; and
The Data Exporter and Data Importer will meet regularly, upon their mutual agreement, to consider whether:
The protection afforded by the laws of the country of the Data Importer to data subjects whose Personal Data is being transferred is sufficient to provide broadly equivalent protection to that afforded in the EEA or the UK, whichever the case may be;
New data transfer mechanisms apply to the transfer of Personal Data from the EEA, UK or Switzerland as it relates to the relationship between Data Exporter and Data Importer;
Additional measures are reasonably necessary to enable the transfer to be compliant with the Data Protection Laws; and
It is still appropriate for Protected Data to be transferred to the relevant Data Importer, taking into account all relevant information available to the parties, together with guidance provided by the supervisory authorities.
If Data Protection Laws require the Data Exporter to execute the Standard Contractual Clauses applicable to a particular transfer of Protected Data to a Data Importer as a separate agreement, the Data Importer shall, on request of the Data Exporter, promptly execute such Standard Contractual Clauses incorporating such amendments as may reasonably be required by the Data Exporter to reflect the applicable appendices and annexes, the details of the transfer and the requirements of the relevant Applicable Privacy Laws.
If either (i) any of the means of legitimizing transfers of Protected Data outside of the EEA or UK set forth in this Addendum cease to be valid or (ii) any Supervisory Authority requires transfers of Protected Data pursuant to those means to be suspended, then Data Importer may by notice to the Data Exporter, with effect from the date set out in such notice, amend or put in place alternative arrangements in respect of such transfers, as required by Applicable Privacy Laws.
Rights of Data Subjects.
Crunchbase shall, to the extent permitted by law, notify Customer upon receipt of a request by a Data Subject to exercise the Data Subject’s right of: access, rectification, erasure, data portability, restriction or cessation of Processing, withdrawal of consent to Processing, and/or objection to being subject to Processing that constitutes automated decision-making, in each case, with respect to Protected Data (such requests individually and collectively “Data Subject Request(s)”). If Crunchbase receives a Data Subject Request in relation to Protected Data, Crunchbase will advise the Data Subject to submit their request to Customer and Customer will be responsible for responding to such request, including, where necessary, by using the functionality of the Services. Customer is solely responsible for ensuring that Data Subject Requests for erasure, restriction or cessation of Processing, or withdrawal of consent to Processing of any Protected Data are communicated to Crunchbase, and, if applicable, for ensuring that a record of consent to Processing is maintained with respect to each Data Subject.
Crunchbase shall, at the request of Customer, and taking into account the nature of the Processing applicable to any Data Subject Request, apply appropriate technical and organizational measures to assist Customer in complying with Customer’s obligation to respond to such Data Subject Request and/or in demonstrating such compliance, where possible, provided that (i) Customer is itself unable to respond without Crunchbase’s assistance and (ii) Crunchbase is able to do so in accordance with all applicable laws, rules, and regulations. Customer shall be responsible to the extent legally permitted for any costs and expenses arising from any such assistance by Crunchbase.
Actions and Access Requests.
Crunchbase shall, taking into account the nature of the Processing and the information available to Crunchbase, provide Customer with reasonable cooperation and assistance where necessary for Customer to comply with its obligations under the GDPR to conduct a data protection impact assessment relating to Crunchbase’s Processing of Protected Data and/or to demonstrate such compliance, provided that Customer does not otherwise have access to the relevant information. Customer shall be responsible to the extent legally permitted for any costs and expenses arising from any such assistance by Crunchbase.
Crunchbase shall, taking into account the nature of the Processing and the information available to Crunchbase, provide Customer with reasonable cooperation and assistance with respect to Customer’s cooperation and/or prior consultation with any Supervisory Authority, where necessary and where required by the GDPR in relation to Crunchbase’s Processing of Protected Data. Customer shall be responsible to the extent legally permitted for any costs and expenses arising from any such assistance by Crunchbase.
Crunchbase shall maintain records sufficient to demonstrate its compliance with its obligations under this Addendum, and retain such records for a period of three (3) years after the termination of the Terms. Customer shall, with reasonable notice to Crunchbase, have the right to review, audit and copy such records at Crunchbase’s offices during regular business hours.
Upon Customer’s request, Crunchbase shall, no more than once per calendar year, either (i) make available for Customer’s review copies of certifications or reports demonstrating Crunchbase’s compliance with prevailing data security standards applicable to the Processing of Protected Data, or (ii) if the provision of reports or certifications pursuant to (i) is not reasonably sufficient under Applicable Privacy Law, allow Customer or its authorized representative, upon reasonable notice and at a mutually agreeable date and time, to conduct an audit or inspection of Crunchbase’s data security infrastructure and procedures that is sufficient to demonstrate Crunchbase’s compliance with its obligations under this Addendum, provided that Customer shall provide reasonable prior notice of any such request for an audit and such inspection shall not be unreasonably disruptive to Crunchbase’s business. Customer shall be responsible for the costs of any such audits or inspections, including without limitation a reimbursement to Crunchbase for any time expended for on-site audits. If Customer and Crunchbase have entered into the Standard Contractual Clauses, the parties agree that the audits described in the Standard Contractual Clauses shall be carried out in accordance with this Section.
In the event of a Personal Data Breach of Protected Data, Crunchbase shall (a) without undue delay, inform Customer of the Personal Data Breach and take reasonable steps to remediate such violation (to the extent that remediation is within Crunchbase’s reasonable control); and (b) taking into account the nature of the Processing and the information available to Crunchbase, provide Customer with reasonable cooperation and assistance necessary for Customer to comply with its obligations under Applicable Privacy Law, including with respect to notifying any persons as required.
ARTICLE III – PROCESSING OF INCLUDED DATA
For purposes of the GDPR, the parties acknowledge that they are each a separate and independent Controller of any Included Data. The parties do not and will not Process Included Data as joint Controllers. Each party shall comply with the obligations that apply to it as a Controller under the GDPR, and each party shall be individually and separately responsible for its own compliance.
Customer shall Process Included Data only for the purposes set forth in the Terms or as otherwise agreed in writing by the parties, provided such processing strictly complies with all applicable privacy laws and Customer’s obligations under this Addendum. To the extent legally required, Customer shall maintain a publicly-accessible privacy policy on any applicable mobile applications and/or websites that satisfies all transparency and notice requirements set forth in any Applicable Privacy Law with respect to Customer’s Processing of Included Data. Notwithstanding anything to the contrary in the Terms, Customer shall immediately delete or destroy all Included Data in its possession upon the conclusion of Customer’s purpose for Processing such Included Data.
In the event that Customer receives a request from a Data Subject relating to the Processing of Personal Data by Crunchbase, Customer will (i) promptly notify Crunchbase of such request, (ii) direct the Data Subject to Crunchbase in order to enable Crunchbase to respond directly to the request, and (iii) reasonably cooperate with Crunchbase in responding to such request. Without limiting the foregoing, Customer agrees that it will promptly notify Crunchbase of any request pursuant to Article 16 (Right to rectification), Article 17 (Right to erasure), or Article 18 (Right to restriction of processing) of the GDPR that relates in any way to the Content.
Customer acknowledges that, from time to time, Included Data may be updated, modified, augmented, or removed from the Content. Customer shall regularly check such Content and ensure that it is using the most up-to-date version of the Included Data. Without limiting the foregoing, Customer agrees to promptly delete and, if applicable, cease all sales of, any Included Data for which Crunchbase notifies Customer (including by updating the Content) that Crunchbase has received a deletion, opt-out, or similar request, and will indemnify Crunchbase for any claims relating to Customer’s breach of the foregoing.
Each party shall implement appropriate technical and organisational measures to protect the Included Data.
In the event that Customer suffers any actual or suspected Personal Data Breach with respect to the Included Data, Customer shall notify Crunchbase without undue delay and the parties shall reasonably cooperate with each other in taking such measures as may be necessary to notify affected individuals, comply with each party’s obligations under Applicable Privacy Law, and mitigate or remedy the effects of such Personal Data Breach.
If and to the extent Customer transfers any Included Data to any third party, Customer shall first enter into contractual arrangements with such third party obligating such third party to process the Included Data in accordance with the requirements of Applicable Privacy Law. Customer shall comply with Applicable Privacy Law in connection with its transfer (including any sale) of Included Data to third parties.
EXHIBIT A
Details of Processing
Nature and Purpose of Processing: See Terms
Duration of Processing: Duration of Customer’s use of the Services
Categories of Data Subjects: Customer employees and Data Subjects
Type of Personal Data: Personal identifiers, address and other Personal Data
EXHIBIT B
Authorized Sub-Processors
Customer acknowledges and agrees that the following types of entities shall be deemed Authorized Sub-Processors that may Process Personal Data pursuant to this Addendum:
Fundamental infrastructure (including AWS, Snowflake, Google Tag Manager, Sendgrid, Split, Zuora, Hightouch)
Web analytics (including Google Analytics, Heap, FullStory)
Communication (including Marketo, Iterable, Slack, Zoom, Pendo, Gong, Outreach)
Support (including Drift, Zendesk, Aha, Airtable, Google Suites, JIRA, Notion, DataGrail)
Retargeting/Advertising (including Facebook Ads, Comscore, Google Ads)
Product Analytics (including Delighted, Periscope)
Account Management (including Salesforce)
EXHIBIT C
UK SCC Addendum
PART 1: Tables
Table 1: Parties and Signatures
| Start Date | The effective date of the Addendum to which this Exhibit is attached. | The effective date of the Addendum to which this Exhibit is attached. |
| Parties | Data Exporter | Data Importer |
| Parties’ Details | Crunchbase, Inc. 564 Market Street, Suite 500, San Francisco, CA 94104 | |
| Key Contact | privacy@crunchbase.com | |
| Importer Data Subject Contact | privacy@crunchbase.com | |
| Signatures | By transferring personal data from the UK (as applicable) to the Data Importer, the Data Exporter will be deemed to have signed this Exhibit C. | By processing personal data from the UK received from the Data Exporter, the Data Importer will be deemed to have signed this Exhibit C. |
Table 2: Transfer Details
| UK country’s law that governs the IDTA: | England and Wales |
| Primary place for legal claims to be made by the Parties | England and Wales |
| The status of the Exporter | In relation to the Processing of the Transferred Data: Exporter is a Controller |
| The status of the Importer | In relation to the Processing of the Transferred Data: Importer is the Exporter’s Processor |
| Whether UK GDPR applies to the Importer | UK GDPR applies to the Importer’s Processing of the Transferred Data |
| Linked Agreement | The Terms of Service agreed to and accepted by the Exporter that govern the relationship between Exporter and Importer |
| Term | The Importer may Process the Transferred Data for the following time period: The period for which the Linked Agreement is in force. |
| Ending the IDTA before the end of the Term | the Parties cannot end the IDTA before the end of the Term unless there is a breach of the IDTA or the Parties agree in writing. |
| Ending the IDTA when the Approved IDTA changes | Which Parties may end the IDTA as set out in Section 29.2: Importer |
| Can the Importer make further transfers of the Transferred Data? | The Importer MAY transfer on the Transferred Data to another organisation or person (who is a different legal entity) in accordance with Section 16.1 (Transferring on the Transferred Data). |
| Specific restrictions when the Importer may transfer on the Transferred Data | The Importer MAY ONLY forward the Transferred Data in accordance with Section 16.1: There are no specific restrictions. |
| Specific restrictions when the Importer may transfer on the Transferred Data | The Importer MAY ONLY forward the Transferred Data in accordance with Section 16.1: As more fully set forth in the Linked Agreement to which this Annex C is attached. |
| Review Dates | The Parties must review the Security Requirements at least once: Each time there is a change to the Transferred Data, Purposes, Importer Information, TRA or risk assessment. |
Table 3: Transferred Data
Please see Exhibit A.
Table 4: Security Requirements
Please see Linked Agreement section titled Security of Protected Data
PART 2: Extra Protection Clauses
Please see Linked Agreement section titled Supplementary Measures
PART 3: Commercial Clauses
None